EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS
MEET THE EXPERTS
DAVID O'LEARY, Director, Forsythe Security Solutions
THOMAS ECK, Director, Forsythe Security Solutions
ALEX HANWAY, Product Marketing Manager, Gemalto
IN TODAY'S DIGITAL WORLD, WE ARE ALL DATA SUBJECTS
Critical aspects of our lives are determined by the data that is held about us. Threats are increasing as technologies distribute sensitive data farther across locations, devices, and repositories.
CYBERCRIME IS A GROWTH INDUSTRY
EU GDPR AND NY DATA PROTECTION AND PRIVACY REQUIREMENTS ARE USHERING IN A NEW ERA OF ACCOUNTABILITY
Poll Question: HOW FAR ALONG DO YOU THINK YOUR ORGANIZATION IS IN ITS COMPLIANCE PLAN? a) Beginning stages b) Well underway c) Fully compliant d) Not sure
EU GDPR MANDATES
Fines: Companies that violate certain provisions, such as the basic processing principles or the rules relating to cross-border data transfers, may face fines amounting to four percent of the company's annual gross revenue, and up to two percent for violations such as failing to meet the breach notification rule.
Right to be Forgotten: A right to erasure, also known as the right to be forgotten, gives a data subject the right to order a data controller/organization to erase any of their personal data in certain situations. Data controllers will be required to erase personal data without undue delay when the data is no longer necessary in relation to the purposes for which it was gathered or processed.
Data Protection Officer (DPO): Companies whose core activities involve large-scale processing of special categories of data (information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, health, or sexual orientation) need to designate a data protection officer. Companies that collect some of this information strictly for internal human resources purposes may also be subject to this requirement.
Breach Notification: A single data breach notification requirement is applicable across the EU. The rule requires data controllers to notify the appropriate supervisory authority of a personal data breach within 72 hours of learning about it.
NY CYBERSECURITY MANDATES
Program and Policy: Establishment and adoption of a cybersecurity policy and program, including adequate funding and staffing, a CISO, cybersecurity awareness training, limitations on data retention, and periodic reporting to the most senior governing body of the organization.
Security Controls: Risk-based minimum standards for technology systems, including access controls such as multifactor authentication, data protection (including encryption or an alternate CISO-approved compensating control), and vulnerability assessment/penetration testing.
Data Breach Response: Adherence to minimum standards for addressing data breaches, including incident response plans, the preservation of data for investigations, and notice to DFS of material events within 72 hours. Additionally, organizations need to maintain audit trails for the reconstruction of financial transactions and cybersecurity incidents.
Maintaining Accountability: Identification and documentation of material deficiencies, remediation plans, and annual certifications of regulatory compliance. Additionally, organizations need to implement written policies and procedures designed to ensure the privacy and security of information systems and of sensitive data accessible to third-party providers.
3 KEYS TO SUCCESS
ONE: DATA-CENTRIC SECURITY
The development of a data-centric security program is invaluable to all data protection and data privacy efforts.
DATA DISCOVERY
Determine where and what type of data is stored
Continuous process to provide visibility, outline risk, and validate employee role assignment
Confirm awareness level and policy compliance as well as enhancement
CLASSIFICATION
Policy
Data handling procedures
Report/detect/protect
IR/forensics
Risk-based approach
Identify business owners
ENCRYPTION STRATEGIES
Data-in-motion
Data-at-rest
Data-in-use
Consider SSL decryption at gateway points of access
IDENTITY MANAGEMENT
Directory unification
Access management
Federation
Privileged access
Access governance and authentication
TWO: INCIDENT RESPONSE
The GDPR and NY requirements contain 72-hour data-breach notification mandates.
Poll Question: IS YOUR ORGANIZATION READY TO RESPOND TO INCIDENTS WITHIN STRICT TIMELINES? a) Yes b) No c) Not sure
QUESTIONS TO CONSIDER
1. Are employees aware of what constitutes an incident to begin with, and how to report and manage an incident?
2. Have you optimized the tools you're using today to protect against and detect incidents?
3. Has your program been updated and tested to support today's cyber threats and compliance with breach notification requirements?
4. Do you have the tools and relationships in place to accelerate your response to a serious security incident for containment and public management?
5. Does your plan include considerations for retaining forensic and PR firms that directly align to your cybersecurity insurance policy?
THREE: THIRD-PARTY RISK
Third parties can present your greatest area of risk exposure.
3RD-PARTY RISK PROGRAM ELEMENTS
Map your data. Understand which third parties have access to data, what categories of data they have, and what they are doing with it.
Make sure you collect only the minimum amount of personal data required for the product or service, and review legal grounds for collection and processing.
Ensure you have appropriate budget and resources allocated for completing assessments of third parties, and for remediation projects.
Review your contracts to ensure they are compliant with both regulatory mandates (GDPR contains requirements for contracts with data processors, as well as between data controllers) and with your own security policies.
Complete assessments of all third parties that have access to, handle, or touch your client/personal data to ascertain their awareness of specific requirements, and to ensure that they have appropriate technical and organizational measures in place to comply.
Ensure third parties are scored based on risk-assessment results and other due diligence.
For high-risk third parties, identify audit partners for the assessment of processes, and set the scope of remediation programs and ongoing monitoring requirements.
PEOPLE
Adhere to regulation-specific staffing requirements, such as GDPR's DPO and NY's CISO (drives accountability)
Education & awareness: changing behaviors around the collection and use of data; establishing appropriate consent controls
Ensure suitable technical (security analysts, IR team) & non-technical (business leadership, legal, PR) staff is in place and is trained appropriately
PROCESS
Perform risk assessment (utilizing a framework like NIST, ISO, etc.)
Identify and manage collection of sensitive data
Set processing/dissemination rules
Ensure means to address inquiries and adhere to 72-hour notification requirements
Establish data lifecycle management (inventory, classify, track the movement of, and disposal of, data)
Set IR processes (preparation, detection/reporting, triage/analysis, containment/neutralization, and post-incident activity)
Develop third-party risk program
TECHNOLOGY
Visibility (identify data and its location: endpoint, DB/shares, cloud, structured/unstructured)
Analytics (when, where, and how data is moving)
Data protection tools (discovery, classification, DLP, encryption, IAM, CASB, and gateway controls)
Detection tools (IDS/IPS, NGFW, UEBA)
Containment tools: Endpoint Detection and Response, and forensics tools
Third-party risk and security scoring tools
"WE'RE ALL GOING TO HAVE TO CHANGE THE WAY WE THINK ABOUT DATA PROTECTION." Elizabeth Denham, UK Information Commissioner
QUESTIONS
DAVID O'LEARY doleary@forsythe.com
THOMAS ECK teck@forsythe.com
Or contact your Forsythe Account Manager