Protecting Personal Data from Cyber-Attacks



News Alert, May 2017

Protecting Personal Data from Cyber-Attacks

Last week the world woke up to the latest cyber-attack of 2017. Initially striking the NHS in the UK, the malicious WannaCrypt ransomware then quickly spread across the globe, with more than 200,000 computers infected across 150 countries. Once infected, the malware prevents organisations from accessing their data holdings unless a ransom is paid.

The story is becoming increasingly familiar, and with each high-profile attack the protection of personal data held by businesses becomes an ever-increasing concern. Cybercrime is fuelled by the sheer volume of data now available, and the increasing use of offsite and cloud storage systems has dispersed that data, giving criminals many more points from which to access it.

Faced with such threats, businesses have been encouraged to review their cyber security and upgrade their IT systems. But technology on its own cannot stop a cyber-attack unless the organisation fully understands the data assets that the technology is trying to protect. An effective cyber security strategy requires a legal analysis of an organisation's whole approach to data protection: how the organisation controls the collection, use and sharing of its data. Data protection and cyber security are no longer just IT concerns; they are now board-level issues.

Do not delay

All businesses located outside the EU that offer goods and services to EU citizens will need to ensure compliance with the EU's General Data Protection Regulation (GDPR), which comes into effect in May 2018. The GDPR includes requirements for personal data security and, in the event of a data breach, notification to the relevant regulatory authority and any affected individual data subjects. Comprehensive data protection legislation has also recently been passed in Bermuda and the Cayman Islands.

Drafted around a set of EU-style data privacy principles, both laws are expected to come into force during 2018 and will apply to all organisations processing personal data in those jurisdictions. Organisations operating in offshore centres need to get it right: reputations, large fines (in some cases up to the greater of €20 million or 4% of global annual turnover) and criminal liability are now at stake.

Developing a cyber security compliance plan

At a high level, the steps towards developing an effective compliance plan are as follows:

- What personal data does the business hold, and in what format (paper, electronic, tape)?
- How was that personal data captured, and for what purposes is it being used and processed by the business?
- Is that personal data being transferred to any other company within the group, or to third parties, for any purpose? If yes, into which jurisdictions is the data being sent?
- What data protection and cyber security regulatory regimes apply to the organisation's personal data holdings, considering both the location in or from which the data was collected and the locations where it is being processed?
- Are the organisation's existing policies and procedures compliant with applicable data protection laws? Where are the gaps?
- In the event of a data breach, are systems in place to ensure that the breach can be quickly identified and the appropriate authorities and any affected data subjects notified?
- Looking to the future, what plans does the business have for processing personal data, having regard to new business lines, new jurisdictions, new technologies, new business models and other opportunities for commercialising its data holdings?

Identifying vulnerabilities

Offshore financial centres represent an attractive target for cyber criminals because of the large and often highly sensitive data holdings being collectively managed by those centres. As organisations increasingly outsource a significant part of their day-to-day operations to external service providers, these transfers also leave them vulnerable to attack. Cyber criminals can easily identify and exploit weak links in the flow of information between the organisation and its external providers.

Data that may have been anonymised or aggregated by an organisation will still require careful handling. The rise of social media and the increase in online public data sources mean that cyber criminals are now easily able to re-identify individuals by combining that information with the anonymised or aggregated datasets.

Transferring data to third parties

In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues must be considered before any transfers of personal data are made to third parties. There is no substitute for proper due diligence on the systems, policies and procedures of third-party providers to ensure that personal data is handled appropriately and securely. Regular physical audits and independent testing of a service provider's controls would also be advisable.

Contractual provisions should be put in place between the organisation and the third-party service provider to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely, and that disaster recovery practices are in place in the event of a data breach. Use of unauthorised subcontractors by the service provider should be prohibited without the prior approval of the transferor.

Data protection and new technologies

Financial technologies, or FinTech, are emerging technologies that have the potential to supplement or disrupt the offshore financial services industry. FinTech solutions also raise data protection and cyber security concerns that need to be carefully considered before they are adopted.

Blockchain, or distributed ledger technology, is starting to be used to centralise a number of back-office and compliance functions. Designed to keep a permanent, immutable record of all transactions that have taken place, the technology is at odds with the requirement under modern data protection legislation to ensure that all personal data is securely purged once the purpose of use has been fulfilled. As users of the ledgers may be anonymous, there is also the potential for criminal organisations to apply powerful data analytics to these datasets to match data that appears to be clear of personally identifiable information with data that is not, thereby allowing the re-identification of individuals from that data.

The attraction of flexible working has led to a growth in the popularity of bring-your-own-device (BYOD) policies. While some organisations are issuing smartphones and tablets to employees, other employees may be using their personal devices for business purposes without approval. Where BYOD is offered, a careful balance needs to be struck between employee satisfaction and protecting personal data. Organisations should put in place a clear BYOD strategy that sets out minimum do's and don'ts for using a device. Data should be encrypted, and the organisation should have the ability to remotely access, monitor and wipe the data and to prevent data access from third-party apps.

Top-down compliance

Effective data protection starts with knowing your data, but in the era of mobile devices and cloud computing, identifying the full extent of an organisation's personal data holdings can be difficult, as the databases are not always clearly marked out as such. A data audit should be conducted to establish a clear view of the data, both proprietary data and client-specific personal data.

Implementing a data protection and cyber security compliance programme involves engagement with the right stakeholders across the organisation. An effective governance regime for approving, overseeing, implementing and reviewing the various policies also needs to be established. A coordinated chain of command should be developed, together with written reporting procedures, authority levels and protocols, including seeking and complying with legal advice. The appointment of official roles such as a Data Protection Officer is also recommended.

Compliance training will be required for personnel at all levels, including key external service providers, to emphasise the importance of compliance to the organisation. Serious misconduct should be addressed with appropriate disciplinary action, regardless of seniority. The compliance programme should be reviewed regularly, reflecting changes in the law and regulation, changes in the types of data being collected and used, and any changes in the technologies utilised by the organisation.

Protecting personal data is now business critical. Even if monetary losses are not sustained as a result of a cyber-attack, the reputational damage to an organisation following a data breach could be devastating.

At Appleby we offer advice to clients on all aspects of data protection and cyber security compliance, including:

- Privacy impact assessments, including a general framework for the organisation to assess privacy impacts arising from proposals for organisational, technological or policy change;
- Data collection and capture, including policies concerning the mechanics of collecting consents;
- Advising on the transfer of personal data as part of business merger and acquisition and joint venture activity;
- Structuring cross-border data transfers, including as part of shared services and cloud arrangements;
- Human resources management, including policies dealing with job applicant data, retention of and access to employee files, employee monitoring, management of sensitive employee data and the use of external vendors for functions such as payroll and counselling;
- Data subject access, including procedures for assessing and verifying requests and responding to those requests;
- Data analytics, including policies specifying the types of profiling data that may be used, and anonymisation/aggregation principles;
- Responding to data requests from foreign regulators;
- Data breach management, including policies for escalating, containing and remediating breaches and making breach notifications to regulators and affected parties;
- Complaints handling, including complaints from customers, employees and other affected individuals; and
- Data quality management, including procedures for updating and correcting databases and determining whether data is to be erased.

If you have any questions, please do not hesitate to contact a member of the Technology and Cyber Team.

Technology and Cyber Team
Steven Rees Davies, Bermuda, +1 441 298 3296, sreesdavies@applebyglobal.com
Andrew Jowett, British Virgin Islands, +1 284 393 5316, ajowett@applebyglobal.com
Claire Milne WS, Isle of Man, +44 (0)1624 647 698, cmilne@applebyglobal.com
Richard Sheldon, Counsel, Dispute Resolution, Guernsey, +44 (0)1481 755 904, rsheldon@applebyglobal.com
Peter Colegate, Senior Associate, Cayman Islands, +1 345 814 2745, pcolegate@applebyglobal.com
Melissa Virahsawmy, Senior Associate, Mauritius, +230 203 4312, mvirahsawmy@applebyglobal.com
Katherine Johnson, Associate, Isle of Man, +44 (0)1624 647 971, kjohnson@applebyglobal.com
Paul Worsnop, Associate, Jersey, +44 (0)1534 818 225, pworsnop@applebyglobal.com

Offshore Legal Services, applebyglobal.com

Appleby Global Group Services Limited 2017 All Rights Reserved This ealert is published by APPLEBY and is not intended to be, nor should it be used as, a substitute for specific legal advice on any particular transaction or set of circumstances. It does not purport to be comprehensive or to render legal advice and is only intended to provide general information for the clients and professional contacts of Appleby as of the date hereof. Appleby (Bermuda) Limited (the Legal Practice) is a limited liability company incorporated in Bermuda and approved and recognised under the Bermuda Bar (Professional Companies) Rules 2009. is a title referring to a director, shareholder or an employee of the Legal Practice. A list of such persons can be obtained from your relationship partner. Appleby (Cayman) Ltd. (the Legal Practice) is a limited liability company incorporated in the Cayman Islands and approved and recognised under the Legal Practitioners (Incorporated Practice) Regulations 2006 (as amended). is a title referring to a director, shareholder or an employee of the Legal Practice. A list of such persons can be obtained from your relationship partner. Appleby (Guernsey) LLP is a limited liability partnership with registration number 53, incorporated in Guernsey, that converted from a Guernsey ship of Advocates, known as Appleby, Guernsey Office, on 15 March 2016. Its registered office is Regency Court, Glategny Esplanade, St Peter Port, Guernsey, GY1 1WW. Appleby (Isle of Man) LLC (the Legal Practice) is a limited liability company with company number 000944L incorporated in the Isle of Man with its registered office at 33-37 Athol Street, Douglas, Isle of Man, IM1 1LB. is a title referring to a member or employee of the Legal Practice. A list of such persons can be obtained from your relationship partner.