October 15, 2019
Data Breach in the EU: The New Landscape
Speakers: Tilly Lang (HewardMills), Chris Hydak (Microsoft), Kall Loper (Protiviti)
Speaker Tilly Lang Data Protection Director and Corporate Governance Counsel Qualified solicitor in England, Wales and Ireland, focused on corporate governance excellence, working on diverse projects including legal entity simplification, regulatory implementation and corporate restructures.
Speaker Chris Hydak Attorney, Global Privacy and Data Protection Privacy attorney with ten years' experience. Advises product attorneys in the Cloud and AI and the Marketing and Consumer Business groups on global privacy and data protection issues.
Speaker Dr. Kall Loper National Lead for Incident Response Over 20 years of experience in Digital Forensics and Incident Response, including Big 4 Lead Responder on the Sony Pictures hack and MDL Lead for digital evidence in four states on Deepwater Horizon. Professor of Computer Science at SMU. Published author.
Overview
- Defining “Breach”
- The Data Protection Officer’s (DPO) role
- Notifications
- Case Study: a global e-retailer
- Conclusion
Defining “Breach”
- Informational item: any observed occurrence
- Event: any observed occurrence that meets an established threshold for an alert
- Incident: any event meeting alert criteria that justifies investigation and response
- Compromise: an incident or event that results in the loss of secure control over confidential data or IT resources
- Breach: a legally defined loss of secure control over confidential data or IT resources
The DPO’s role
The DPO’s role - The concept of a Data Protection Officer (DPO) for organizations processing personal data is well-established. It is already a mandatory requirement in some jurisdictions and considered best practice in others - With the introduction of the General Data Protection Regulation (GDPR) in May 2018, the appointment of a DPO is mandatory under EU law for many organizations, regardless of their size or whether they are processing personal data as a controller or a processor.
The DPO’s role A DPO is responsible for monitoring compliance with the data protection requirements. One of their core tasks is to inform and advise the employees who carry out the actual processing of personal data about their obligations. The DPO also cooperates with the relevant Supervisory Authorities (Regulators), serving as the interface between them and the relevant individuals. Companies are required to appoint a DPO under the GDPR when:
- they regularly and systematically monitor individuals, or process special categories of data;
- this processing is a core business activity; and
- they do it on a large scale.
(Public authorities and bodies must appoint a DPO regardless of these conditions.)
The DPO’s role The GDPR – one year on:
- Out of 281,088 cases reported to Supervisory Authorities, 89,271 were data breach notifications
- There is an intention to issue fines totalling approximately €372,120,990, e.g. BA and Marriott
Source: https://www.itgovernance.co.uk/dpa-and-gdpr-penalties
The DPO’s role The DPO must be involved in a timely manner in order to:
– Arrange the initial investigation of the breach
– Form part of the ‘war room’
– Execute immediate preventative steps
– Report the breach to the supervisory authorities and, where necessary, to the data subjects
– Identify and deliver a remediation plan
– Carry out on-going measures; testing and monitoring are essential
Notifications
Notifications Supervisory Authorities (Regulators) and Data Subjects
– Timing (GDPR Art. 33: the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware)
– Harm threshold (the authority unless the breach is unlikely to result in a risk; data subjects where the risk is high)
– Content
– Cross-border processing and non-EU establishments
– Processors (third parties)
– Others
Notifications Our experience
- Accountability and recordkeeping
- Volume of notifications
- Supervisory Authorities’ resources and capacity
- Course of dealing
- Enforcement
- Co-ordinating foreign notifications
- US/EU experience
Case Study
Case Study War Room
Parties in the war room:
- Client: supportive Executive Team; DPO involvement
- Protiviti
- AmLaw top 50 law firm
- Acquiring banks: accused the client of stalling; provided small numbers of PANs (Primary Account Numbers)
Observations:
- Full response for an extended period
- Four vendors (large vendor, boutique vendor, small vendor) worked with the client for months to respond to an Australian incident
- Disjointed globally
- Normal IT uplift operations disrupted
Case Study PCI fraud detected in: Australia, New Zealand, United Kingdom, Ireland, Austria, Belgium, Germany, Denmark, Finland, France, Netherlands, Norway, Poland, Sweden, Turkey
Case Study Source: RiskIQ. Beware of threat intelligence providers: they did not disclose all details to their clients.
Case Study Attack flow
1. User requests a web page from the Retailer’s servers.
2. Retailer’s web servers send the content and the SaaS Provider’s tag code back to the user.
3. User’s browser renders the Retailer’s web site and executes the SaaS Provider’s tag code.
4. The SaaS Provider’s tag code instructs the browser to download a script from the SaaS Provider’s server.
5. A maliciously modified script is sent back to the user.
6. The malicious script is executed by the user’s browser.
7. When executed, the malicious script sends the data it finds in form fields on the checkout page to the WEBFOTCE.ME domain.
8. An unknown attacker has collected data intended for the Retailer’s website.
Case Study
Outcome
- Informed, risk-based decision to notify users as a precaution
- No penalties assessed, and no current indication of any
Impact
- Global security teams overloaded for 6 months; the impact continues to this day
- Normal IT uplift disrupted
- Brand/reputation impact
Conclusion
Conclusion
Aggravating factors
- Breaches concerning sensitive data
- Ignoring warning signs
- Delaying fixes for known security problems
- Failure to cooperate with investigations by supervisory authorities
- Failure to document security incidents
Mitigating factors
- Having a mature Privacy Program in place
- Establishing a robust corporate governance structure
- Ongoing testing and monitoring
- Ability to self-report
- Cooperation with Supervisory Authorities / transparency
- Implementing fixes / enhanced security measures quickly
Questions and contacts
- Tilly Lang, Data Protection Director and Corporate Governance Counsel, +44 7887 536057, tilly@hewardmills.com
- Chris Hydak, Attorney, Global Privacy and Data Protection, +1 (425) 707 5568, chris.hydak@microsoft.com
- Dr. Kall Loper, National Lead for Incident Response, +1 (469) 374 2425, kall.loper@Protiviti.com