Data Risk Management (PRIVACY) Orange County RIMS Chapter Presentation Tuesday, June 11th, 2013

Presentation Transcript


  1. Data Risk Management (PRIVACY)Orange County RIMS Chapter PresentationTuesday, June 11th, 2013 Presented byEduard Goodman, J.D., LL.M., CIPP Chief Privacy Officer

  2. Exponential Nature of Digital Technology
     • Moore’s Law, 1965
     • Gordon Moore, Intel Founder
     • “the number of transistors on integrated circuits doubles approximately every two years.”

  3. Exponential Nature of Digital Technology: Moore’s Law
     • Decoding the human genome originally took 10 years to process; now it can be achieved in one week.

  4. Exponential Nature of Digital Technology: How far have we come? 1982 vs. 2012

  5. Exponential Nature of Digital Technology: Osborne 1 (1982) vs. iPhone 4/5 (2012)
     OSBORNE 1
     • 4 MHz CPU (Zilog Z80)
     • Weighs 100X more
     • 500X larger
     • 64 KB of memory (the ‘Executive’ model had 124 KB)
     • Screen: 5-inch, 52 character × 24 line monochrome CRT
     • Available 300 baud modem, equal to 0.002197266 Mbps (avg. WiFi speed today is 24-36 Mbps)
     • 11 software options
     iPhone 4/5
     • 412 MHz CPU (ARM11), 100X the CPU clock speed
     • 64 GB of memory, or 68,719,476,736 KB
     • Costs 10X less (inflation adjusted)
     • Screen: 4-inch, 640 x 1136 pixel, 326 ppi, 16,777,216 color touch screen
     • WiFi, Bluetooth, 4G LTE
     • 700,000 apps as of 9/12
     • Also includes: camera (still/video), audio play/record, integrated GPS, etc.

  6. Explosion of information accessibility: Data storage growth

  7. State Data Breach Notification Laws: What is it?
     • Under state breach notification laws, businesses must notify consumers if there has been a breach that exposes their Personally Identifiable Information (PII).
     • Required in 46 states, the District of Columbia, Puerto Rico, the Virgin Islands and even New York City.
     • Depending upon the applicable state law, this covers various forms of information/data:
       • Digital and hard copy data
       • Encrypted/unencrypted data
       • Data lost by the business and data lost by a third-party vendor

  8. State Data Breach Notification Laws: General Rules
     • All require that notice be made to people whose PII has been compromised.
     • Time frames vary from a “reasonable” amount of time, to a specific period from the time of breach discovery (45 days, for instance), to 10 days from the date of discovery (Puerto Rico).
     • Some require that notification be made to other parties besides the affected consumers:
       • Credit bureaus
       • Regulators such as local State Offices of Consumer Affairs, etc.
     • Most allow for alternate forms of notice (instead of written letter notice) if the breach exceeds certain thresholds (both cost and number of recipients).

  9. State Data Breach Notification Laws
     • In addition to notification requirements, most states have (broad) language around the treatment, security and/or disposal of personal information wrapped up into their data breach notification regulations.

  10. State Data Breach Notification Laws: For example
     • When disposing of records that contain personal information, a business and a governmental agency shall take all reasonable measures necessary to protect against unauthorized access to or use of the records. (Alaska)

  11. State Data Breach Notification Laws: For example
     • A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. (California)

  12. The Massachusetts Data Security Regulations
     • 201 CMR 17.00: Standards for the protection of personal information of residents of the Commonwealth

  13. The Nevada Encryption and PCI-DSS “adoption” statute
     • NRS 603A.215: Security measures for data collector that accepts payment card; use of encryption; liability for damages; applicability

  14. Current Federal Security Regulations
     • Health Insurance Portability and Accountability Act (HIPAA)
     • §5 of the Federal Trade Commission Act
     • Gramm-Leach-Bliley Act of 1999
     • Other acts:
       • Video Privacy Protection Act
       • Children’s Online Privacy Protection Act
       • Etc.

  15. Self-Regulatory Security Requirements
     • Payment Card Industry Data Security Standards (PCI-DSS): a set of security requirements and standards promulgated by the payment card issuers (Visa, MasterCard, Discover, American Express, and JCB) regarding the storage and security of payment card related data.

  16. Data Protection and Privacy as a Global Trade Issue: Privacy as a Right
     • The United Nations Universal Declaration of Human Rights, article 12, states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

  17. Data Protection and Privacy as a Global Trade Issue: Privacy as a Right
     • Article 8 of the European Convention on Human Rights: “Article 8 – Right to respect for private and family life … Everyone has the right to respect for his private and family life, his home and his correspondence …”

  18. Data Protection and Privacy as a Global Trade Issue: Privacy as a Right
     • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Key Principles for National Application):
       • Collection Limitation Principle
       • Data Quality Principle
       • Purpose Specification Principle
       • Use Limitation Principle
       • Security Safeguards Principle
       • Openness Principle
       • Accountability Principle

  19. Europe/E.U.: NEW potential privacy/data protection rules in the E.U.
     • “Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”

  20. How do I get my head around all of this?

  21. Immediate To-Do List (To reduce risk/exposure)
     • Don’t collect data on customers or employees unless you need it.
     • Get rid of any data you collect as soon as you no longer need it. It’s toxic. (It’s not an asset, it’s a liability.)
     • Encrypt any private personal data.

  22. Immediate To-Do List (Assess and Cover Risk)
     • Complete a high-level “data” audit to determine:
       • The type of personal information you retain
       • What states your customers/employees live in
     • Complete a security audit to determine weaknesses.
     • Determine if you have adequate insurance coverage for your risk:
       • 1st-party costs (mailing, consults, mail-house, forensics, etc.)
       • 3rd-party costs (regulatory or civil liability and defense)

  23. Immediate To-Do List (Documentation/Programs)
     • Written Information Security Program
     • Breach Response Plan
     • Business Continuity Plan
     • Data/Document Retention and Destruction Plan
     • Data Security and Privacy Awareness Program

  24. General Best Practices in Data Privacy (From a Global Perspective)
     • Develop a “privacy framework” that addresses privacy in your business from a:
       • philosophical standpoint;
       • business standpoint; and
       • operational standpoint.

  25. General Best Practices in Data Privacy (From a Global Perspective)
     • Integrate a Privacy by Design (PbD) approach:
       1. Proactive not Reactive
       2. Privacy as the Default Setting
       3. Privacy Embedded into Design
       4. Full Functionality: Positive-Sum, not Zero-Sum
       5. End-to-End Security: Full Lifecycle Protection
       6. Visibility and Transparency: Keep it Open
       7. Respect for User Privacy: Keep it User-Centric
     • http://www.privacybydesign.ca/

  26. Thank you!
     Eduard Goodman, J.D., LL.M., CIPP
     Chief Privacy Officer
     Scottsdale, Arizona
     480.355.4940 direct
     EGoodman@identitytheft911.com