ANATOMY OF A DATA BREACH: DEVELOPMENTS IN DATA SECURITY AND CLOUD COMPUTING LAW


Speakers: Janis Kestenbaum (Federal Trade Commission), John O'Tuel (GlaxoSmithKline), Alfred Saikali (Shook Hardy & Bacon), Christopher Wolf (Hogan Lovells)

2011 Data Breach Statistics
- 558 breaches
- 126 million records
- 76% server exploits
- 92% avoidable
- $318 cost per record
- $7.2 million average cost of each breach
- $6.5 billion impact to U.S. businesses
Source: Online Trust Alliance (2011)

Why Should You Care?
- 90% of organizations have suffered a breach; 59% experienced two or more breaches in the last year; 41% of those who suffered a breach said it cost their organization at least $500,000. Source: Ponemon Institute (2010).
- Companies are increasingly storing information electronically (and so are their service providers)
- Companies are increasingly storing information in the cloud (and so are their service providers)
- Most companies have suffered or will suffer a data breach, and it will be expensive to resolve
- The definition of Personally Identifiable Information (PII) continues to evolve

What is a Data Breach?
- Generally: unencrypted personal information that is acquired by an unauthorized person.
- Negligence: lost laptop, hard drive, thumb drive, mobile device, or misdirected information (76% of all U.S. data breaches)
- Malicious or criminal attack: phishing, malware, economic espionage, advanced persistent threats, political hacking (24% of all U.S. data breaches)
- Third-party flub: service provider suffers a data breach (42% of all U.S. data breaches)
Source: Ponemon Institute (7/13/10)

First Step: Assessment
- What information is maintained by the company (and its service providers)?
- Where is it maintained?
- How is it maintained?
- What measures have been taken to protect the confidentiality of the data?
- Are there policies, procedures and training about the maintenance of the information and what to do if a breach occurs?
- Is an incident response team and backup plan in place should a data breach occur?
- Do you know what legislative and regulatory provisions govern the maintenance of the information and, should a breach occur, the obligation to disclose?

Second Step: Prevention
- Classify the data
- Draft policies and procedures regarding proper maintenance of the data
- Train employees on maintenance of data
- Adopt measures to maximize security of the data
- Negotiate contractual provisions with service providers to secure data and limit liability
- Create an incident response plan
- Insure against risk of loss (??)

Proactive Technical Remedies
- Require approved browsers for all employees and partners
- Proper levels of encryption of files that are transmitted externally and also at rest on portable devices, cloud storage, routers and access points
- Password management
- Monitoring for third-party code, email phishing (links, advertising), and other malware
- Always On SSL and EV SSL certificates
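The slide's "encryption of files at rest on portable devices" item is the control that turns a lost thumb drive from a reportable breach (unencrypted personal information acquired by an unauthorized person) into a lost piece of hardware. The program below is an added example, not code from the presentation or from any of the speakers' organizations, showing what that control looks like when done properly: authenticated encryption (AES-256-GCM from Go's standard library), a fresh nonce per file, and the file's path bound into the ciphertext so a blob cannot be quietly swapped between files. The key, the path and the sample record are constructed placeholders; in a real deployment the key comes from a key manager or hardware-backed store and is never stored on the same device as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte placeholder so the example runs offline.
// In practice the key comes from a key manager or hardware-backed store and
// is never written to the same device as the data it protects.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// newAEAD wraps the key in AES-GCM, an authenticated cipher: it gives
// confidentiality and detects any modification of the stored blob.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtRest seals plaintext and returns nonce || ciphertext || tag.
// label (for example the file path) is authenticated but not encrypted, so a
// blob copied over a different file will not decrypt there.
func EncryptAtRest(key, plaintext, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per encryption is mandatory for GCM; reusing a
	// nonce under the same key destroys both confidentiality and integrity.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// DecryptAtRest reverses EncryptAtRest. Any error means the blob must be
// treated as unreadable: wrong key, wrong label, truncation and tampering
// are indistinguishable by design.
func DecryptAtRest(key, blob, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, sealed := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, sealed, label)
	if err != nil {
		return nil, fmt.Errorf("decrypt failed: %w", err)
	}
	return plaintext, nil
}

// TamperDetected flips one byte of a stored blob and reports whether
// decryption rejected it. A scheme that returns silently altered plaintext
// here (unauthenticated CBC, for instance) protects confidentiality only.
func TamperDetected(key, blob, label []byte) bool {
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := DecryptAtRest(key, tampered, label)
	return err != nil
}

func main() {
	record := []byte("name=Jane Doe; ssn=000-00-0000") // constructed sample PII
	label := []byte("usb-drive/records/0001.dat")    // constructed file path
	blob, err := EncryptAtRest(demoKey, record, label)
	if err != nil {
		panic(err)
	}
	back, err := DecryptAtRest(demoKey, blob, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\n", string(back) == string(record))
	fmt.Printf("tampering detected: %v\n", TamperDetected(demoKey, blob, label))
	_, err = DecryptAtRest(demoKey, blob, []byte("other/file.dat"))
	fmt.Printf("wrong label rejected: %v\n", err != nil)
}
```

The design choice worth noting for breach-notification purposes is the authentication tag: most state statutes exempt encrypted data, but an encrypted file that an attacker can modify undetected is still an integrity problem, and GCM closes that gap at no extra storage cost beyond the 12-byte nonce and 16-byte tag.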

Third Step: Response
- Identify the scope of affected data
- Identify the source of the intrusion
- Possible involvement of law enforcement (?)
- Remediation
- Disclosure (see next slide)
- Communication (internally and externally)
- Credit monitoring (?)

Disclosure Issues
- Do I need to disclose? What data was affected? How was it affected?
- What do I disclose? How detailed must the disclosure be?
- To whom do I need to disclose? Customers? Government entity (state/federal)? Shareholders? Partners, subsidiaries, IP collaborators?
- How and when do I disclose? Statutes or regulations governing the method of notification?

Civil Lawsuits
- Examples include Dropbox, Hannaford, and Providence Health
- Causes of action (breach of contract? unfair trade practices? negligence? fraud?)
- Defenses (lack of harm, economic loss rule)
- Damages (credit monitoring, emotional distress for risk of fraud, punitive damages, attorney's fees)

U.S. Data Privacy/Security Laws
- 47 different state data breach laws
- Electronic Communications Privacy Act
- Gramm-Leach-Bliley Act
- USA PATRIOT Act
- Privacy Protection Act
- Pending federal Cybersecurity Act
- HIPAA/medical information regulation

Privacy by Design
- Privacy protection is incorporated into a company's products, customs, services, and practices from the beginning where possible.
- Example: Google+ places all contacts in nonpublic circles and asks users to designate the circle to share with for every post.
- Example: the purple arrow icon on Apple's iPhone appears at the top of the screen to let the user know that their location information is being sent to an app.

Issues Relating to the Cloud
- Single-tenant vs. multi-tenant server
- Limitations on liability clauses
- Security measures taken by the cloud service provider
- Location of servers (data privacy/security requirements in the jurisdictions of those servers)
- Government's ability to search data in the cloud

Speaker Information
- Janis Kestenbaum, Federal Trade Commission, jkestenbaum@ftc.gov
- John O'Tuel, GlaxoSmithKline, john.w.o tuel@gsk.com
- Alfred Saikali, Shook Hardy & Bacon, LLP, asaikali@shb.com
- Christopher Wolf, Hogan Lovells U.S. LLP, christopher.wolf@hoganlovells.com
Special thanks to: Craig Spiezle, OT Alliance, craigs@otalliance.org