Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017

Similar documents
Data Protection Policy

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

Islam21c.com Data Protection and Privacy Policy

General Data Protection Regulation (GDPR) Key Facts & FAQ s

General Data Protection Regulation (GDPR)

The GDPR Are you ready?

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

GDPR: A QUICK OVERVIEW

Cybersecurity Considerations for GDPR

Technical Requirements of the GDPR

Breach Notification in the GDPR Era. Speakers: Sam Pfeifle, IAPP Dennis Holmes, PwC

Arkadin Data protection & privacy white paper. Version May 2018

DATA PROTECTION POLICY THE HOLST GROUP

Cyber Risks in the Boardroom Conference

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

IMPACT OF INTERNATIONAL PRIVACY REGULATIONS. Michelle Caswell, Coalfire Julia Jacobson, K&L Gates

GDPR and the Privacy Shield

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

EU General Data Protection Regulation (GDPR) Achieving compliance

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

OBTAINING CONSENT IN PREPARATION FOR GDPR

General Data Protection Regulation (GDPR) The impact of doing business in Asia

BHBIA New Data Protection Rules. Pharma Company Perspective. Guy Murray Director, Market Research & Analytics, GC&BI MR Operations and Compliance, MSD

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

DATA PROTECTION POLICY

A Homeopath Registered Homeopath

Privacy Policy Hafliger Films SpA

2017 INVESTMENT MANAGEMENT CONFERENCE NEW YORK Big Data: Risks and Rewards for Investment Management

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Knowing and Implementing the GDPR Part 3

GDPR: A technical perspective from Arkivum

General Data Protection Regulation (GDPR)

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

Data Protection Policy

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

NEWSFLASH GDPR N 8 - New Data Protection Obligations

GDPR is coming in less than 2 months Are you ready?

Altitude Software. Data Protection Heading 2018

ADIENT VENDOR SECURITY STANDARD

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

All you need to know and do to comply with the EU General Data Protection Regulation

What You Need to Know About Addressing GDPR Data Subject Rights in Pivot

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

WHITE PAPER. Meeting GDPR Challenges with Delphix. KuppingerCole Report

Martijn Loderus. Merritt Maxim. Principal Analyst Forrester. Director & Global Practice Partner for Advisory Consulting Janrain

PS Mailing Services Ltd Data Protection Policy May 2018

Eco Web Hosting Security and Data Processing Agreement

MNsure Privacy Program Strategic Plan FY

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Employee Security Awareness Training Program

Motorola Mobility Binding Corporate Rules (BCRs)

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

GDPR Compliance. Clauses

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

The Role of the Data Protection Officer

THE GDPR PCLOUD'S ROAD TO FULL COMPLIANCE

1. Right of access. Last Approval Date: May 2018

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

GDPR. What is GDPR? GDPR is extraterritorial, meaning it applies to any company, processing EU resident data, irrespective of their location.

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

GDPR & FOSS. Marc Jones CIPP/US, CISSP Compliance Engineer & In-House Counsel

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

A practical guide to using ScheduleOnce in a GDPR compliant manner

Accelerate GDPR compliance with the Microsoft Cloud

Cyber Liability Preventive Services & Tools Specific & Pre-Emptive Considerations BEFORE the Inevitable Cyber Event.

NYDFS Cybersecurity Regulations

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Emsi Privacy Shield Policy

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Creative Funding Solutions Limited Data Protection Policy

CYBER RISK MANAGEMENT

Data Breach Preparation and Response. April 21, 2017

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

Implementing the new GDPR: what does it mean for Universities?

Cybersecurity Auditing in an Unsecure World

EXAM PREPARATION GUIDE

HPE DATA PRIVACY AND SECURITY

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

Countdown to GDPR. Impact on the Security Ecosystem and How to Prepare

PTLGateway Data Breach Policy

WHITE PAPER. The General Data Protection Regulation: What Title It Means and How SAS Data Management Can Help

The Data Breach: How to Stay Defensible Before, During & After the Incident

Keeping It Under Wraps: Personally Identifiable Information (PII)

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

Data Protection and Privacy Policy PORTOBAY GROUP Version I

Introductory guide to data sharing. lewissilkin.com

SCHOOL SUPPLIERS. What schools should be asking!

Contract Services Europe

Transcription:

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World September 20, 2017

The information and opinions expressed by our panelists today are their own, and do not necessarily represent the views of their employers or of PLUS. The contents of these materials may not be relied upon as legal advice. A copy of the presentation slides will be available following this webinar, on the PLUS website at: www.plusweb.org

Meet The Presenters Winston Krone Global Managing Director, Amsterdam Office Kivu Consulting Cinthia Granados Motley Partner, Chair Data Privacy & Security Practice Sedgwick LLP Kim Holmes SVP, Counsel, Cyber Insurance, Liability & Emerging Risks ID Experts

Agenda GDPR - BRIEF OVERVIEW IF YOUR ORGANIZATION IS SUBJECT TO GDPR PREPARING FOR GDPR: ARE CURRENT PRACTICES COMPLIANT? USING FORENSICS PRE-BREACH TO PREPARE FOR GDPR ATTORNEY-CLIENT PRIVILEGE BEST PRACTICES TO CONSIDER 4

GDPR: (General Data Protection Regulation) Brief Overview

Key Concepts Strict global privacy requirements standardizing how personal data of EU citizens is processed, managed and stored, in tandem with individuals choice wherever personal data is managed, sent, processed or stored Transparency required re: handling and use of personal data Limitations as to specific, legitimate purposes Data processing 6

Key Concepts Limitations to intended purposes (i.e., storage and data collection: only as long as needed for intended purpose) Individuals right to correct/request erasure (deletion) of their personal data Appropriate security practices required Significant potential fines for non-compliance Up to 4% of global Net Revenue for willful violations 7

APPLICABLE TO WHOM? GDPR Organizations with an establishment in the EU regardless of where they process personal data. Organizations based outside the EU that provide services or goods to the EU (different than before). Organization offering goods and services to EU citizens or that collect, store, or analyze data on EU citizens no matter where they are in the world. 8

APPLICABLE TO WHAT? GDPR Personal Data any information relating to an identified or identifiable natural person data subject ; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Sensitive Personal Data ( SPD )- genetic and biometric data 9

Personally Identifiable Information An individual s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number, (ii) driver s license number or state issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account and generally applies to computerized data that includes personal information. Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media. In addition, Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. 10

If Your Organization is Subject To GDPR

GDPR: Individual Rights Individual data subjects rights: to know if organization is processing their data; to understand purpose of same; to have data deleted/corrected or ask to have processing stopped; to object to direct marketing; to revoke consent for certain uses of their data; to portability (moving their data and assistance from organization in doing so)

Notification Requirements WHO must be notified? Data Privacy Authority (DPA) Supervisory Authority (SA) Role of Data Privacy Officer (DPO) WHEN must notification occur? No longer than 72 hours from discovery Unless unlikely to result in a risk

Notification Requirements Notification must include: Categories and approximate number of individuals affected identify users, their relationship to organization (customers, business partners, employees, etc.)? Categories and approximate number of personal data records concerned Question: how approximate will regulators want?

Notification Requirements Description of likely consequences of personal data breach akin to US likelihood of harm analysis Description of mitigation/remediation efforts What has been done, or what will be done to mitigate the personal data breach and/or to reduce the potential impact of the breach

Other Specific Requirements Data protection/impact assessments Predicting privacy impact of projects and efforts to mitigate risk Records maintenance All processing activities, consents to data processing, compliance with GDPR Legal basis for processing personal data Individuals consent must be freely given, specific, informed and unambiguous"

Preparing for GDPR: Are Current Practices Compliant?

Mapping Sensitive Information Implementing a Data Diet Are You GDPR-Compliant Today? Evaluating Maximum Probable Loss Based on Number of Records Determining Adequacy of Organization s Insurance Ensuring Vendors Have Adequate Cyber Insurance for Data Updating AND TESTING Incident Response Plan Addressing Vendor/Business Partner Cyber Hygiene Beyond Warranties/Indemnification Agreements Considering M&A Issues

Using Forensics to Prepare for GDPR

The Good News Most of the GDPR notification requirements above are already relevant to US forensic breach investigations. With pre-emptive planning, an organization can set up its auditing and logging capabilities to specifically address many of these requirements and assist with the forensic investigation - critically important given the time constraints to carry out the investigation under GDPR. As in the US, the ultimate cost of forensics is often more dependent on the pre-breach measures adopted by the organization (e.g. the amount of logging, auditing) and less to number of records affected.

The Bad News In the US, forensics is usually phased with much of the granular analysis (determining exactly whose data was taken and the likely impact) only AFTER certain threshholds have been triggered. Years of experience allows us to know what specific state/federal regulators expect in terms of the forensics investigation. In the US, this allows for a phased approach, triaging expenditure over time with some forensic analysis ultimately deemed to be not necessary.

The Bad News In the EU, the upfront investigations may need to be more detailed/wider than US and EU regulators will (at least in the first year?) seek answers to all the above questions. Insurers should be ready for the forensics phase to be larger than comparable US breaches, at least until guidance is obtained from the EU regulators as to what they will be expecting.

Attorney-Client Privilege: Be Mindful

ATTORNEY-CLIENT PRIVILEGE Cybersecurity consultants work product and communications Like that of other retained experts are subject to confidentiality under the attorney-client privilege and/or the work product doctrine when counsel retains the consultants for the purpose of obtaining technical assistance to enable counsel to render legal advice to a client Validates the decision by organizations to designate legal counsel as the lead in key cybersecurity activities, such as scoping and directing proactive security risk assessments and directing reactive forensic investigations and response efforts following a data breach

Thinking About GDPR-Prep Best Practices Going Forward...

GDPR PREP: BEST PRACTICES Revise your incident response plan to allow for a possible 72 hour notification Design your cyber defenses not only to keep hackers out but, in the case of an intrusion, to explain what hackers did Establish clear and sound policies that meet the data protection standards of adequacy required by GDPR Establish privacy by design- conscious, considered policies and implementation to comply and respect data privacy Analyze legal basis on which data processing is providedis your basis documented?

GDPR PREP: BEST PRACTICES Have established security breach processes and policies BREACH NOTIFICATION is required if risk to rights and freedoms of data subjects exists. (within 72 hours of discovery) Make sure privacy notices and policies are clear and in plain language, understandable to all affected Review disclosure about CONSENT to make sure it is explicit for SPD. ENSURE CONSENT is understood to be freely given by data subjects - not coerced (CLICKWRAP AGREEMENTS) Be knowledgeable & able to respond to data subjects Respect rights of data subjects Ensure: (1) organization s clients are aware of new compliance with Regulation and (2) Data Processors understand their role

Questions? Please submit using the question tool on user dashboard 28

Thank You Presenters Winston Krone Global Managing Director, Amsterdam Office KIVU Forensic Consulting Cinthia Granados Motley Partner, Chair Data Privacy & Security Practice Sedgwick LLP Kim Holmes SVP, Counsel,Cyber Insurance, Liability & Emerging Risks ID Experts 29

30

Thank you for your time. A replay of this webinar will be available to PLUS Members at: www.plusweb.org 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback