© 2013 Fox Rothschild
Privacy and Data Security
Risk Management and Avoidance

Topics For Discussion
• What is a “data security breach”?
• Why do you need a response plan?
• Responding to a data security breach
• State statutory requirements
• Regulatory update
• Regulatory enforcement actions and litigation
2012 Statistics
• According to Verizon’s 2013 Data Breach Investigations Report, in 2012, there were 621 confirmed data breaches and 47,000 reported security incidents.
– 92% perpetrated by outsiders.
– 76% caused by exploiting weak or stolen passwords.

2012 Statistics
• The FTC instituted 109 consumer protection enforcement actions.
– Up from 83 enforcement actions in 2011.
• The FTC ordered civil penalties totaling $63.6 million.
– Up from $9.75 million in 2011.
• Identity theft represents the largest category of consumer complaint received by the FTC (approximately 18%).

Cost Of A Data Security Breach
• In 2011, data breaches cost organizations an average of $5.5 million.
– $222 per record
– Includes direct costs (communications, investigations, legal) and indirect costs (lost business, public relations)
– Compare to costs of having preventative measures in place (e.g., policies related to passwords, firewalls, mobile devices), training employees and encrypting sensitive information
Types of Data Security Breaches
• Devices are lost or stolen
• Insider or employee misuse
• Unintended disclosure
• Security patches are not installed
• Malware
• Hacking

What Is The Objective?
Fill In The Gap
• Protection
• Compliance
• Audits
• Criminal prosecution
• Civil liability

How to Manage the Data Security Breach

Why Do You Need A Response Plan?
Thoughtful and Prepared Reaction
Better Decision Making
Minimized Risk and Loss
Collect Relevant Information
• Data location lists
• Confidentiality agreements
• Customer contracts
• Third-party vendor contracts
• Privacy policy
• Information security policy
• Ethics policy
• Litigation hold template
• Contact list

Create A First Response Team
• Information technology (computer & technology resources)
• Information security (physical security & access)
• Human resources (private employee information: health & medical, payroll, tax, retirement)

Create A First Response Team (cont’d)
• Legal counsel (in-house and/or outside counsel)
• Compliance
• Business heads (consumer information)
• Public relations/investor relations

Assign Tasks To Members Of The First Response Team
• Establish a point person
• Identify key personnel for each task
• Prioritize and assign tasks
• Calculate timelines and set deadlines
• Communicate with management
• Establish attorney-client privilege for investigation and communications
Project Management Is Critical
Determine The Nature And Scope Of The Breach
• Investigate facts
• Interview witnesses
• Determine type of information that may have been compromised
• Identify and assess potential kinds of liability
• Identify individuals potentially at risk and determine state or country of residence
Preserve Company’s Assets, Reputation and Integrity

Understand Data Breach Notice Laws
• State laws:
– What constitutes personal information?
– When is a notice required?
– Who must be notified? (e.g., State Attorney General)
– Timing?
– What information must be included in the notice?
– Method of delivering notice?
– Other state-specific requirements?
• Applicable industry-specific laws
• Applicable international laws

Determine Appropriate Notices
• Consumers
• Employees
• Law enforcement (Federal/State)
• Federal regulatory agencies
• State agencies (State Attorney General)
• Consumer reporting agencies
• Business partners
• Insurers
• Media
Data Security Breach Notification
• Alabama, Kentucky, New Mexico and South Dakota are the only states that do not have a data security breach notification statute.
• California statute served as a model for later state statutes.
– State involvement began in California, after a series of breaches received national attention.
– Passed in 2002, went into effect in mid-2003.

Data Security Breach Notification
• “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
See Cal. Civ. Code § 1798.29.

Data Security Breach Notification
• “Personal information”
– First name or initial and last name with one or more of the following (when either name or data element is not encrypted):
• Social security number;
• Driver’s license number;
• Credit card or debit card number; or
• Financial account number with information such as PINs, passwords or authorization codes.

Data Security Breach Notification
• Some states have expanded the definition of “personal information” to include:
– Medical information or health insurance information (California);
– Biometric data (Indiana);
– Mother’s maiden name, birth/death/marriage certificate and electronic signature (North Dakota).

Data Security Breach Notification
• Last month, the California Senate passed S.B. 46 to expand the definition of “personal information” to include:
– “a username or email address, in combination with a password or security question and answer that would permit access to an online account.”
– S.B. 46 is now before the Assembly.

Data Security Breach Notification
• “Breach of the security of the system”
– Some states expressly require notice of unauthorized access to non-computerized data
• New York: “lost or stolen computer or other device containing information” or “information has been downloaded or copied”
• Hawaii and North Carolina: data includes “personal information in any form (whether computerized, paper, or otherwise)”

Data Security Breach Notification
• Generally, only need “reasonable” belief that the information has been acquired by an unauthorized person to trigger notification requirements.
– Certain states require a risk of harm
• Arkansas: no notice if “no reasonable likelihood of harm to customers”
• Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft”

Data Security Breach Notification
• Distinguish between entity that “owns or licenses” data and entity that “maintains” data
– Data owner has ultimate responsibility to notify consumers of a breach
– Non-owners required to notify owners
Florida Breach Notification Statute
F.S.A. §817.5681
• Applies to “any person who conducts business in this state and maintains computerized data in a system that includes personal information.”
• Requires business to “provide notice of any breach of the security of the system . . . to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

Florida Breach Notification Statute
F.S.A. §817.5681
• Requires notification to consumers “without unreasonable delay” and “no later than 45 days following the determination of the breach.”
– Permits an “administrative fine” not to exceed $500,000 for failing to comply with this section.
• Allows delay in notification “upon a reasonable request by law enforcement”.

Florida Breach Notification Statute
F.S.A. §817.5681
• “Breach of the security of the system” means an “unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information.”

Florida Breach Notification Statute
F.S.A. §817.5681
• “Personal information” means “an individual’s first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted:
– Social security number;
– Driver’s license number or Florida Identification Card number;
– Account number, credit card number, or debit card number in combination with any security code, access code or password.”

Florida Breach Notification Statute
F.S.A. §817.5681
• Does not require notification if “after an appropriate investigation or after consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach has not and will not likely result in harm.”
– Determination must be documented in writing and maintained for 5 years.
Prepare State Law Notices
• General description of the incident
• Type of information that may have been compromised
• Steps to protect information from further unauthorized access
• Contact information (e.g., email address; 1-800 number)
• Advice to affected individuals (e.g., credit reporting, review account activity)

Prepare State Law Notices
• Delivery method (e.g., certified letters, e-mail, website)
• Timing of notices
• Tailor notices based on recipient
• Use single fact description for all notices

Prepare Answers To Inquiries
• Draft FAQs with responses
• Establish hotline
• Assign group of contact employees
• Train employees to respond to inquiries
• Develop clear escalation path for difficult questions
• Track questions and answers

Prepare Press Release
• Include the following information:
– Facts surrounding the incident
– Actions to prevent further unauthorized access
– Steps to prevent future data security breaches
– Contact information for questions
• Review by legal counsel

Consider Offering Assistance To Affected Individuals
• Free credit reporting
• Free credit monitoring with alerts
• ID theft insurance
• Access to fraud resolution specialists
• Toll-free hotline
Regulatory Update
The FTC And Mobile Applications
• In February 2013, the FTC issued a Staff Report titled “Mobile Privacy Disclosures: Building Trust Through Transparency.”
• The Staff Report recommends ways that key players in the mobile marketplace can better inform consumers about their data practices.

Regulatory Update
The FTC And Mobile Applications
• The recommendations are intended to ensure that consumers get timely and easy-to-understand disclosures about what data these key players collect and how the data is used.
• The Report makes specific recommendations to:
– Mobile platform developers;
– Application developers;
– Advertising networks and analytics companies; and
– Application developer trade associations.

Regulatory Update
California’s Right To Know Act
• Assembly Bill 1291
• Would require businesses that collect consumer information to provide customers with the names and addresses of all data brokers, advertisers and others who were granted access to the information, as well as details regarding the data that was disclosed.
• Businesses would have 30 days to answer a request for the information.

Regulatory Update
California’s Right To Know Act
• Applies to businesses who “retain” personal data or disclose the information to a third party.
• Defines “retain” to mean “store or otherwise hold personal information” whether the information is collected or obtained directly from the consumer or any third party.

Regulatory Update
California’s Right To Know Act
• Faced opposition by companies such as Google and Facebook.
• Assemblywoman Bonnie Lowenthal delayed action on the bill by turning it into a two-year bill.
• Lowenthal plans to spend the remainder of the year educating her colleagues about the importance of the proposed legislation.
• Assembly will consider AB 1291 again in 2014.

Regulatory Update
California And Mobile Applications
• In 2012, the California Attorney General entered into an agreement with 6 companies whose platforms comprise the majority of the mobile apps market (i.e., Amazon, Apple, Google, Hewlett-Packard, Microsoft and RIM).
• The agreement is designed to ensure that mobile apps comply with the California Online Privacy Protection Act (CalOPPA).

Regulatory Update
California And Mobile Applications
• CalOPPA requires operators of commercial websites and online services, including mobile apps, who collect personal information about California residents to conspicuously post a privacy policy.
• In October 2012, the California Attorney General issued 100 enforcement letters to companies like Delta Airlines who operate mobile apps.
• In December 2012, the California Attorney General filed its first mobile app enforcement lawsuit against Delta based upon alleged lack of privacy disclosures in its app.

Regulatory Update
California And Mobile Applications
• On January 10, 2013, the California Attorney General issued a report titled “Privacy On the Go: Recommendations for the Mobile Ecosystem.”
• The Report announced suggested changes in how companies address consumer privacy in their mobile applications.

Regulatory Update
California And Mobile Applications
• Examples of the recommendations in the California Attorney General’s Report:
– Personal information is not limited to name and email address.
– Maintain list of what information app will collect, as well as how it will be used and stored.
– Only collect personal information necessary to an app’s functionality.
– Privacy policies must be “readable.”
– Companies should not rely upon their general privacy policy.
Enforcement Actions
• Federal Trade Commission – Section 5 of FTC Act
– Enforce privacy policies and challenge data security practices deemed “deceptive” or “unfair.”
• State Attorney General – State Notification Statutes
– Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
– Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages.”
• Litigation in federal and state courts.

Federal Trade Commission
• In June 2012, the FTC instituted litigation in federal court against Wyndham Worldwide Corporation.
• In its complaint, the FTC alleges that, beginning in April 2008 and through January 2010, cybercriminals hacked into Wyndham’s computer network and the networks of certain Wyndham hotels, exposing credit card information of hotel guests.

Federal Trade Commission
• The FTC alleges that hackers compromised administrator accounts and installed memory-scraping malware to access credit card information.
• The FTC contends that hackers compromised over 619,000 credit card account numbers and that the incidents caused more than $10.6 million in fraud losses.

Federal Trade Commission
• Under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices,” the FTC alleges that:
– Wyndham’s data security protections amounted to “unfair” trade practices because they were not “reasonable and appropriate”; and
– Wyndham “deceived” consumers by stating on its website that it used “commercially reasonable efforts” to secure credit card information that it collects from consumers.

Federal Trade Commission
• In an unprecedented move, Wyndham refused to settle this dispute and filed a motion to dismiss the complaint.
– Wyndham argues that the FTC is overreaching its authority because “Section 5’s prohibition on ‘unfair’ trade practices does not give the FTC authority to prescribe data-security standards for all private businesses.”
– Wyndham argues that, because Congress has not yet passed general data security legislation, the FTC has authority to regulate data security only in limited contexts (e.g., Gramm-Leach-Bliley Act).

Federal Trade Commission
– Wyndham further argues that Section 5 of the FTC Act “provides no meaningful notice to regulated parties” because it does not contain any guidance about what practices might be deemed “unfair” or “deceptive.” Similarly, the FTC has not published any rules or regulations “explaining what data security practices a company must adopt to be in compliance with the statute.”
– As such, “businesses are left to guess as to what they must do to comply with the law.”
– This case is pending in the United States District Court for the District of New Jersey (Civil Action No. 13-01887).

Federal Trade Commission
• This is the first litigated case challenging the FTC’s authority under Section 5 of the FTC Act related to data security.
• Generally, FTC enforcement actions result in a settlement.
– FTC provides a defendant with a proposed draft complaint.
– FTC “negotiates” the terms of a consent order.
State Attorney General
• Last month, the Connecticut and Maryland Attorneys General questioned LivingSocial Inc. about the specifics of a recent data breach that exposed the personal information of approximately 50 million users.
• The Connecticut and Maryland Attorneys General issued to LivingSocial 15 written questions regarding the scope of the breach, as well as its privacy and security policies.

State Attorney General
• Examples of questions posed by the Attorneys General include:
– Detailed timeline of the incident
– Number of affected individuals in each state
– Types of personal information compromised
– Steps taken to determine that no financial or credit card information was compromised
– Steps taken to protect user passwords
– How the company collects user data and how long it retains such data
– Copies of any privacy policies
– Plans developed to prevent another breach

State Attorney General
• Both Connecticut and Maryland have statutes that require a company to report a data security breach to the Attorney General, as well as to individual consumers.
• Questions posed by these Attorneys General provide guidance on issues companies should consider in responding to a data security breach.
Litigation
Typical Claims By Plaintiffs
• Plaintiffs (consumers or employees) typically allege the following causes of action:
– Common law claims of negligence, breach of contract, breach of implied covenant or breach of fiduciary duty.
– Claims for violations of state consumer protection statutes – deceptive/unfair trade practices acts.
• Historically, courts have dismissed these cases based upon lack of standing.

Litigation
Plaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
– Plaintiffs filed complaint against LinkedIn in connection with a data breach incident in which approximately 6.5 million users’ passwords and email addresses were stolen and posted on the Internet.
– Plaintiffs argued that they had standing to sue because they suffered economic harm by not receiving the full benefit of the bargain they paid for premium memberships.
– The Court granted LinkedIn’s motion to dismiss the complaint.

Litigation
Plaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
– The Court held that, “[t]o satisfy Article III standing, plaintiff must allege:
• (1) an injury-in-fact that is concrete and particularized, as well as actual and imminent;
• (2) that injury is fairly traceable to the challenged action of the defendant; and
• (3) that it is likely (not merely speculative) that injury will be redressed by a favorable decision.”

Litigation
Plaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
– Plaintiffs failed to allege that “included in Plaintiffs’ bargain for premium membership was the promise of a particular (or greater) level of scrutiny that was not part of the free membership.”
– Plaintiffs did not allege that they relied upon (or even read) LinkedIn’s representations regarding safeguarding personal information.
– Plaintiffs’ allegation that their LinkedIn passwords were “publicly posted on the Internet” does not amount to a “legally cognizable injury, such as, for example, identity theft or theft of her personally identifiable information.”

Litigation
Plaintiffs Have Standing
• Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009) (increased risk of identity theft constituted sufficient “injury in fact” for purposes of standing).
• Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (“a credible threat of real and immediate harm stemming from theft of a laptop containing unencrypted personal information” sufficient to demonstrate standing).

Litigation
Plaintiffs Cannot Allege Damages
• Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).
– “[O]ur holding that Plaintiffs-Appellants pled an injury-in-fact for purposes of Article III standing does not establish that they adequately pled damages for purposes of their state-law claims.”
– “[A]ctual loss or damage is an essential element in the formulation of the traditional elements necessary for a cause of action in negligence.”
– Court dismissed case because Plaintiffs alleged “no loss.”

Litigation
Plaintiffs Cannot Allege Damages
• In re Sony Gaming Networks and Customer Data Security Breach Litig., MDL No. 2258 (S.D. Cal. 2011):
– Hackers accessed the personal information of millions of Sony’s customers.
– Plaintiffs did not allege any identity theft or unauthorized use of personal information “causing a pecuniary loss.”
– The Court granted Sony’s motion to dismiss and found that, “without specific factual statements that Plaintiffs’ Personal Information has been misused, in the form of an open bank account, or un-reimbursed charges, the mere danger of future harm unaccompanied by present damage, will not support a negligence action.”

Litigation
Plaintiffs Cannot Allege Damages
• Holmes v. Countrywide Fin. Corp., No. 08-0205, 2012 U.S. Dist. LEXIS 96587 (W.D. Ky. 2012) (court dismissed case where “scant evidence exists demonstrating that [the thieves] misused the customers’ information or engaged in any kind of financial fraud”).
• Worix v. MedAssets, Inc., 857 F. Supp. 2d 699 (N.D. Ill. 2012) (court dismissed negligence claim because plaintiff did not allege that his personal information was “misused”).

Litigation
Plaintiffs Allege Damages
• Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011):
– Hackers stole 4.2 million credit and debit card numbers, and security codes.
– Defendant acknowledged that more than 1,800 incidents of identity theft resulted from the breach.
– Many victims had to pay to cancel their cards or purchase credit monitoring services. Others incurred unauthorized charges.
– Court denied motion to dismiss.

Litigation
Plaintiffs Allege Damages
• Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012):
– Thieves stole 2 laptops containing names, addresses, phone numbers and social security numbers of 1.2 million AvMed customers.
– Ten months after the incident, a bank account was opened and credit card issued in the name of one of the AvMed customers.
– Four months later, an E*Trade account was opened in the name of another AvMed customer.
– Unauthorized purchases were made from both accounts.
– Court denied motion to dismiss because plaintiffs alleged “financial injury.”
Avoid Future Data Security Breaches
• Understand what types of personal information are collected, how, where and how long they are stored, and who has access to them.
• Collect only personal information necessary to conduct business.
• Retain personal information for the shortest time necessary to conduct business.
• Limit access to personal information.
• Encrypt data.

Avoid Future Data Security Breaches
• Establish internal policies to protect personal information.
– e.g., robust passwords, usage policies for laptops and mobile phones, secure disposal policies.
• Comply with promises made to consumers or employees regarding privacy and security of personal information.
– Disclosures about collection, maintenance, use and dissemination of personal information must be accurate and complete.

Avoid Future Data Security Breaches
• Train employees.
• Conduct periodic audits.
• Update and revise policies and procedures regularly.
• Enhance technology to strengthen security and reduce risk.
– e.g., strong firewalls, scans for vulnerabilities, up-to-date anti-virus software.
• Use care when engaging third-party vendors and hold them to high standards.

Amy Purcell, Esq.
215.299.2798
apurcell@foxrothschild.com
CSMFO 2012 Data Privacy in Local Government
 
HealthCo Accelerate 2016 speaker deck #2
HealthCo Accelerate 2016 speaker deck #2HealthCo Accelerate 2016 speaker deck #2
HealthCo Accelerate 2016 speaker deck #2
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 
CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15
 
Cybersecurity Workshop
Cybersecurity Workshop Cybersecurity Workshop
Cybersecurity Workshop
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and Requirements
 
Privacy Compliance for Law Firms: Moving Beyond Confidentiality
Privacy Compliance for Law Firms: Moving Beyond ConfidentialityPrivacy Compliance for Law Firms: Moving Beyond Confidentiality
Privacy Compliance for Law Firms: Moving Beyond Confidentiality
 
How your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacyHow your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacy
 
IDSHield Services and Features
IDSHield Services and FeaturesIDSHield Services and Features
IDSHield Services and Features
 
Post US Election Privacy Updates & Implications
Post US Election Privacy Updates & ImplicationsPost US Election Privacy Updates & Implications
Post US Election Privacy Updates & Implications
 
Recovering from a Cyber Attack
Recovering from a Cyber AttackRecovering from a Cyber Attack
Recovering from a Cyber Attack
 
Cyber Security from MN Government perspective
Cyber Security from MN Government perspectiveCyber Security from MN Government perspective
Cyber Security from MN Government perspective
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data Breach
 
Cloud Security Law Issues--an Overview
Cloud Security Law Issues--an OverviewCloud Security Law Issues--an Overview
Cloud Security Law Issues--an Overview
 

Dernier

Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 

Dernier (20)

Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 

Privacy and Data Security: Risk Management and Avoidance

Collect Relevant Information
• Data location lists
• Confidentiality agreements
• Customer contracts
• Third-party vendor contracts
• Privacy policy
• Information security policy
• Ethics policy
• Litigation hold template
• Contact list
9
Create A First Response Team
• Information technology (computer & technology resources)
• Information security (physical security & access)
• Human resources (private employee information: health & medical, payroll, tax, retirement)
10
Create A First Response Team (cont’d)
• Legal counsel (in-house and/or outside counsel)
• Compliance
• Business heads (consumer information)
• Public relations/investor relations
11
Assign Tasks To Members Of The First Response Team
• Establish a point person
• Identify key personnel for each task
• Prioritize and assign tasks
• Calculate timelines and set deadlines
• Communicate with management
• Establish attorney-client privilege for investigation and communications
Project Management Is Critical
12
Determine The Nature And Scope Of The Breach
• Investigate facts
• Interview witnesses
• Determine type of information that may have been compromised
• Identify and assess potential kinds of liability
• Identify individuals potentially at risk and determine state or country of residence
Preserve Company’s Assets, Reputation and Integrity
13
Understand Data Breach Notice Laws
• State laws:
– What constitutes personal information?
– When is a notice required?
– Who must be notified? (e.g., State Attorney General)
– Timing?
– What information must be included in the notice?
– Method of delivering notice?
– Other state-specific requirements?
• Applicable industry-specific laws
• Applicable international laws
14
Determine Appropriate Notices
• Consumers
• Employees
• Law enforcement (Federal/State)
• Federal regulatory agencies
• State agencies (State Attorney General)
• Consumer reporting agencies
• Business partners
• Insurers
• Media
15
Data Security Breach Notification
• Alabama, Kentucky, New Mexico and South Dakota are the only states that do not have a data security breach notification statute.
• California statute served as a model for later state statutes.
– State involvement began in California, after a series of breaches received national attention.
– Passed in 2002, went into effect in mid-2003.
16
Data Security Breach Notification
• “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” See Cal. Civ. Code § 1798.29.
17
Data Security Breach Notification
• “Personal information”
– First name or initial and last name with one or more of the following (when either name or data element is not encrypted):
  • Social security number;
  • Driver’s license number;
  • Credit card or debit card number; or
  • Financial account number with information such as PINs, passwords or authorization codes.
18
Data Security Breach Notification
• Some states have expanded the definition of “personal information” to include:
– Medical information or health insurance information (California);
– Biometric data (Indiana);
– Mother’s maiden name, birth/death/marriage certificate and electronic signature (North Dakota).
19
Data Security Breach Notification
• Last month, the California Senate passed S.B. 46 to expand the definition of “personal information” to include:
– “a username or email address, in combination with a password or security question and answer that would permit access to an online account.”
– S.B. 46 is now before the Assembly.
20
Data Security Breach Notification
• “Breach of the security of the system”
– Some states expressly require notice of unauthorized access to non-computerized data
  • New York: “lost or stolen computer or other device containing information” or “information has been downloaded or copied”
  • Hawaii and North Carolina: data includes “personal information in any form (whether computerized, paper, or otherwise)”
21
Data Security Breach Notification
• Generally, only a “reasonable” belief that the information has been acquired by an unauthorized person is needed to trigger notification requirements.
– Certain states require risk or harm
  • Arkansas: no notice if “no reasonable likelihood of harm to customers”
  • Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft”
22
Data Security Breach Notification
• Distinguish between the entity that “owns or licenses” data and the entity that “maintains” data
– Data owner has ultimate responsibility to notify consumers of a breach
– Non-owners required to notify owners
23
Florida Breach Notification Statute F.S.A. §817.5681
• Applies to “any person who conducts business in this state and maintains computerized data in a system that includes personal information.”
• Requires business to “provide notice of any breach of the security of the system . . . to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
24
Florida Breach Notification Statute F.S.A. §817.5681
• Requires notification to consumers “without unreasonable delay” and “no later than 45 days following the determination of the breach.”
– Permits an “administrative fine” not to exceed $500,000 for failing to comply with this section.
• Allows delay in notification “upon a reasonable request by law enforcement”.
25
Florida Breach Notification Statute F.S.A. §817.5681
• “Breach of the security of the system” means an “unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information.”
26
Florida Breach Notification Statute F.S.A. §817.5681
• “Personal information” means “an individual’s first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted:
– Social security number;
– Driver’s license number or Florida Identification Card number;
– Account number, credit card number, or debit card number in combination with any security code, access code or password.
27
Florida Breach Notification Statute F.S.A. §817.5681
• Does not require notification if “after an appropriate investigation or after consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach has not and will not likely result in harm.”
– Determination must be documented in writing and maintained for 5 years.
28
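As an added illustration (not part of the presentation), the following triage helper encodes the notification triggers that slides 17 through 28 describe for California and Florida: the name-plus-data-element test, the encryption carve-out, the owner/maintainer split, Florida's documented no-harm exception and its 45-day clock. The field names, the ExposedRecordSet structure and the scenarios are assumptions; the helper models only what the slides state, not the full statutes.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set

# Per-state rules as the slides state them (slides 17-28). A "standalone" element
# makes personal information together with a name on its own; a "needs_code"
# element does so only when a security/access code or password is also present.
# Only CA and FL are modelled, because only their element lists are on the slides.
STATE_RULES = {
    "CA": {"name_prefixes": {"first_name", "first_initial"},
           "standalone": {"ssn", "drivers_license", "card_number"},
           "needs_code": {"financial_account"},
           "harm_exception": False, "deadline_days": None},
    "FL": {"name_prefixes": {"first_name", "first_initial", "middle_name"},
           "standalone": {"ssn", "drivers_license"},
           "needs_code": {"financial_account", "card_number"},
           "harm_exception": True, "deadline_days": 45},
}


@dataclass
class ExposedRecordSet:
    """Constructed description of one compromised data set (illustrative only)."""
    state: str                                    # residents' state: "CA" or "FL"
    fields: Set[str]                              # field names present in the data
    encrypted: Set[str] = field(default_factory=set)  # fields stored encrypted
    computerized: bool = True                     # both statutes cover computerized data
    role: str = "owner"                           # "owner" (owns/licenses) or "maintainer"
    acquisition_reasonably_believed: bool = True  # acquired, or reasonably believed acquired
    harm_unlikely_documented: bool = False        # Florida written no-harm determination
    law_enforcement_delay_requested: bool = False


@dataclass
class Decision:
    notify_residents: bool
    notify_owner: bool
    reason: str
    deadline: Optional[str] = None  # ISO date, only where the statute fixes one


def is_personal_information(rs: ExposedRecordSet) -> bool:
    """Name (first name/initial, or middle name in FL, plus last name) combined with
    at least one data element, where either the name or the element is unencrypted."""
    rules = STATE_RULES[rs.state]
    name_fields = (rules["name_prefixes"] | {"last_name"}) & rs.fields
    if "last_name" not in name_fields or len(name_fields) < 2:
        return False
    name_clear = bool(name_fields - rs.encrypted)   # some part of the name is in clear
    candidates = set(rules["standalone"])
    if "access_code" in rs.fields:                  # code/password travels with the data
        candidates |= rules["needs_code"]
    for elem in candidates & rs.fields:
        if name_clear or elem not in rs.encrypted:
            return True
    return False


def assess_notification(rs: ExposedRecordSet, determined_on: str) -> Decision:
    """Walk the notification triggers the slides describe; determined_on is the ISO
    date on which the breach was determined (the start of Florida's 45-day clock)."""
    rules = STATE_RULES[rs.state]
    if not rs.computerized:
        return Decision(False, False, "statute covers computerized data only")
    if not is_personal_information(rs):
        return Decision(False, False, "no statutory personal information, or it was encrypted")
    if not rs.acquisition_reasonably_believed:
        return Decision(False, False, "no reasonable belief of unauthorized acquisition")
    if rs.role == "maintainer":
        return Decision(False, True, "non-owner notifies the data owner, who notifies residents")
    if rules["harm_exception"] and rs.harm_unlikely_documented:
        return Decision(False, False, "written no-harm determination on file; retain it 5 years")
    deadline = None
    if rules["deadline_days"]:
        start = date.fromisoformat(determined_on)
        deadline = (start + timedelta(days=rules["deadline_days"])).isoformat()
    reason = "notify affected residents without unreasonable delay"
    if rs.law_enforcement_delay_requested:
        reason += "; delay permitted on a reasonable law enforcement request"
    return Decision(True, False, reason, deadline)


if __name__ == "__main__":
    # Constructed scenarios: the same field set lands differently in CA and FL,
    # because Florida requires a code or password alongside a card number.
    fl = ExposedRecordSet("FL", {"first_name", "last_name", "card_number"})
    ca = ExposedRecordSet("CA", {"first_name", "last_name", "card_number"})
    print("FL card number alone:", assess_notification(fl, "2013-06-01").reason)
    print("CA card number alone:", assess_notification(ca, "2013-06-01").reason)
```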
Prepare State Law Notices
• General description of the incident
• Type of information that may have been compromised
• Steps to protect information from further unauthorized access
• Contact information (e.g., email address; 1-800 number)
• Advice to affected individuals (e.g., credit reporting, review account activity)
29
Prepare State Law Notices
• Delivery method (e.g., certified letters, e-mail, website)
• Timing of notices
• Tailor notices based on recipient
• Use a single fact description for all notices
30
Prepare Answers To Inquiries
• Draft FAQs with responses
• Establish hotline
• Assign group of contact employees
• Train employees to respond to inquiries
• Develop clear escalation path for difficult questions
• Track questions and answers
31
Prepare Press Release
• Include the following information:
– Facts surrounding the incident
– Actions to prevent further unauthorized access
– Steps to prevent future data security breaches
– Contact information for questions
• Review by legal counsel
32
Consider Offering Assistance To Affected Individuals
• Free credit reporting
• Free credit monitoring with alerts
• ID theft insurance
• Access to fraud resolution specialists
• Toll-free hotline
33
Regulatory Update
The FTC And Mobile Applications
• In February 2013, the FTC issued a Staff Report titled “Mobile Privacy Disclosures: Building Trust Through Transparency.”
• The Staff Report recommends ways that key players in the mobile marketplace can better inform consumers about their data practices.
34
Regulatory Update
The FTC And Mobile Applications
• The recommendations are meant to ensure that consumers get timely and easy-to-understand disclosures about what data these players collect and how the data is used.
• The Report makes specific recommendations to:
– Mobile platform developers;
– Application developers;
– Advertising networks and analytics companies; and
– Application developer trade associations.
35
Regulatory Update
California’s Right To Know Act
• Assembly Bill 1291
• Would require businesses that collect consumer information to provide customers with the names and addresses of all data brokers, advertisers and others who were granted access to the information, as well as details regarding the data that was disclosed.
• Businesses would have 30 days to answer a request for the information.
36
Regulatory Update
California’s Right To Know Act
• Applies to businesses that “retain” personal data or disclose the information to a third party.
• Defines “retain” to mean “store or otherwise hold personal information” whether the information is collected or obtained directly from the consumer or any third party.
37
Regulatory Update
California’s Right To Know Act
• Faced opposition by companies such as Google and Facebook.
• Assemblywoman Bonnie Lowenthal delayed action on the bill by turning it into a two-year bill.
• Lowenthal plans to spend the remainder of the year educating her colleagues about the importance of the proposed legislation.
• Assembly will consider AB 1291 again in 2014.
38
Regulatory Update
California And Mobile Applications
• In 2012, the California Attorney General entered into an agreement with 6 companies whose platforms comprise the majority of the mobile apps market (i.e., Amazon, Apple, Google, Hewlett-Packard, Microsoft and RIM).
• The agreement is designed to ensure that mobile apps comply with the California Online Privacy Protection Act (CalOPPA).
39
Regulatory Update
California And Mobile Applications
• CalOPPA requires operators of commercial websites and online services, including mobile apps, who collect personal information about California residents to conspicuously post a privacy policy.
• In October 2012, the California Attorney General issued 100 enforcement letters to companies like Delta Airlines that operate mobile apps.
• In December 2012, the California Attorney General filed its first mobile app enforcement lawsuit against Delta based upon an alleged lack of privacy disclosures in its app.
40
Regulatory Update
California And Mobile Applications
• On January 10, 2013, the California Attorney General issued a report titled “Privacy On the Go: Recommendations for the Mobile Ecosystem.”
• The Report announced suggested changes in how companies address consumer privacy in their mobile applications.
41
Regulatory Update
California And Mobile Applications
• Examples of the recommendations in the California Attorney General’s Report:
– Personal information is not limited to name and email address.
– Maintain a list of what information the app will collect, as well as how it will be used and stored.
– Only collect personal information necessary to an app’s functionality.
– Privacy policies must be “readable.”
– Companies should not rely upon their general privacy policy.
42
Enforcement Actions
• Federal Trade Commission
– Section 5 of FTC Act
– Enforce privacy policies and challenge data security practices deemed “deceptive” or “unfair.”
• State Attorney General
– State Notification Statutes
– Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
– Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages.”
• Litigation in federal and state courts.
43
Federal Trade Commission
• In June 2012, the FTC instituted litigation in federal court against Wyndham Worldwide Corporation.
• In its complaint, the FTC alleges that, beginning in April 2008 and through January 2010, cybercriminals hacked into Wyndham’s computer network and the networks of certain Wyndham hotels, exposing credit card information of hotel guests.
44
Federal Trade Commission
• The FTC alleges that hackers compromised administrator accounts and installed memory-scraping malware to access credit card information.
• The FTC contends that hackers compromised over 619,000 credit card account numbers and that the incidents caused more than $10.6 million in fraud losses.
45
Federal Trade Commission
• Under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices,” the FTC alleges that:
– Wyndham’s data security protections amounted to “unfair” trade practices because they were not “reasonable and appropriate”; and
– Wyndham “deceived” consumers by stating on its website that it used “commercially reasonable efforts” to secure credit card information that it collects from consumers.
46
Federal Trade Commission
• In an unprecedented move, Wyndham refused to settle this dispute and filed a motion to dismiss the complaint.
– Wyndham argues that the FTC is overreaching its authority because “Section 5’s prohibition on ‘unfair’ trade practices does not give the FTC authority to prescribe data-security standards for all private businesses.”
– Wyndham argues that, because Congress has not yet passed data security legislation, the FTC has the authority to regulate data security in limited contexts (e.g., Gramm-Leach-Bliley Act).
47
Federal Trade Commission
– Wyndham further argues that Section 5 of the FTC Act “provides no meaningful notice to regulated parties” because it does not contain any guidance about what practices might be deemed “unfair” or “deceptive.” Similarly, the FTC has not published any rules or regulations “explaining what data security practices a company must adopt to be in compliance with the statute.”
– As such, “businesses are left to guess as to what they must do to comply with the law.”
– This case is pending in the United States District Court for the District of New Jersey (Civil Action No. 13-01887).
48
Federal Trade Commission
• This is the first litigated case challenging the FTC’s authority under Section 5 of the FTC Act related to data security.
• Generally, FTC enforcement actions result in a settlement.
– FTC provides a defendant with a proposed draft complaint.
– FTC “negotiates” the terms of a consent order.
49
• 50. State Attorney General
• Last month, the Connecticut and Maryland Attorneys General questioned LivingSocial Inc. about the specifics of a recent data breach that exposed the personal information of approximately 50 million users.
• The Connecticut and Maryland Attorneys General sent LivingSocial 15 written questions regarding the scope of the breach, as well as its privacy and security policies.
• 51. State Attorney General
• Examples of the questions posed by the Attorneys General include:
  – Detailed timeline of the incident
  – Number of affected individuals in each state
  – Types of personal information compromised
  – Steps taken to determine that no financial or credit card information was compromised
  – Steps taken to protect user passwords
  – How the company collects user data and how long it retains such data
  – Copies of any privacy policies
  – Plans developed to prevent another breach
• 52. State Attorney General
• Both Connecticut and Maryland have statutes that require a company to report a data security breach to the Attorney General, as well as to the affected individual consumers.
• The questions posed by these Attorneys General are a useful guide to the issues a company should be prepared to answer when responding to a data security breach; an incident response plan that captures the timeline, affected data types, affected individuals by state and password-protection measures as the incident unfolds makes that response far easier.
• 53. Litigation: Typical Claims By Plaintiffs
• Plaintiffs (consumers or employees) typically allege the following causes of action:
  – Common law claims of negligence, breach of contract, breach of implied covenant or breach of fiduciary duty.
  – Claims for violations of state consumer protection statutes (deceptive/unfair trade practices acts).
• Historically, courts have dismissed these cases for lack of standing or, where standing is found, for failure to plead cognizable damages.
• 54. Litigation: Plaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
  – Plaintiffs filed a complaint against LinkedIn in connection with a data breach incident in which approximately 6.5 million users’ passwords and email addresses were stolen and posted on the Internet.
  – Plaintiffs argued that they had standing to sue because they suffered economic harm by not receiving the full benefit of the bargain they paid for with their premium memberships.
  – The Court granted LinkedIn’s motion to dismiss the complaint.
• 55. Litigation: Plaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
  – The Court held that, to satisfy Article III standing, a plaintiff must allege:
    • (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent;
    • (2) that the injury is fairly traceable to the challenged action of the defendant; and
    • (3) that it is likely (not merely speculative) that the injury will be redressed by a favorable decision.
• 56. Litigation: Plaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
  – Plaintiffs failed to allege that their bargain for premium membership included a promise of a particular (or greater) level of security than that provided to free members.
  – Plaintiffs did not allege that they relied upon (or even read) LinkedIn’s representations regarding safeguarding personal information.
  – Plaintiffs’ allegation that their LinkedIn passwords were “publicly posted on the Internet” does not amount to a “legally cognizable injury, such as, for example, identity theft or theft of her personally identifiable information.”
• 57. Litigation: Plaintiffs Have Standing
• Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009) (increased risk of identity theft constituted sufficient “injury in fact” for purposes of standing).
• Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (“a credible threat of real and immediate harm stemming from theft of a laptop containing unencrypted personal information” was sufficient to demonstrate standing).
• 58. Litigation: Plaintiffs Cannot Allege Damages
• Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010):
  – “[O]ur holding that Plaintiffs-Appellants pled an injury-in-fact for purposes of Article III standing does not establish that they adequately pled damages for purposes of their state-law claims.”
  – “[A]ctual loss or damage is an essential element in the formulation of the traditional elements necessary for a cause of action in negligence.”
  – The court dismissed the case because Plaintiffs alleged “no loss.”
• 59. Litigation: Plaintiffs Cannot Allege Damages
• In re: Sony Gaming Networks and Customer Data Security Breach Litig., MDL No. 2258 (S.D. Cal. 2011):
  – Hackers accessed the personal information of millions of Sony’s customers.
  – Plaintiffs did not allege any identity theft or unauthorized use of personal information “causing a pecuniary loss.”
  – The Court granted Sony’s motion to dismiss and found that, “without specific factual statements that Plaintiffs’ Personal Information has been misused, in the form of an open bank account, or un-reimbursed charges, the mere danger of future harm unaccompanied by present damage, will not support a negligence action.”
• 60. Litigation: Plaintiffs Cannot Allege Damages
• Holmes v. Countrywide Fin. Corp., No. 08-0205, 2012 U.S. Dist. LEXIS 96587 (W.D. Ky. 2012) (court dismissed the case where “scant evidence exists demonstrating that [the thieves] misused the customers’ information or engaged in any kind of financial fraud”).
• Worix v. MedAssets, Inc., 857 F. Supp. 2d 699 (N.D. Ill. 2012) (court dismissed the negligence claim because plaintiff did not allege that his personal information was “misused”).
• 61. Litigation: Plaintiffs Allege Damages
• Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011):
  – Hackers stole 4.2 million credit and debit card numbers, together with their security codes.
  – Defendant acknowledged that more than 1,800 incidents of identity theft resulted from the breach.
  – Many victims had to pay to cancel their cards or to purchase credit monitoring services. Others incurred unauthorized charges.
  – The court denied the motion to dismiss.
• 62. Litigation: Plaintiffs Allege Damages
• Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012):
  – Thieves stole two laptops containing the names, addresses, phone numbers and Social Security numbers of 1.2 million AvMed customers.
  – Ten months after the incident, a bank account was opened and a credit card issued in the name of one of the AvMed customers.
  – Four months later, an E*Trade account was opened in the name of another AvMed customer.
  – Unauthorized purchases were made from both accounts.
  – The court denied the motion to dismiss because plaintiffs alleged “financial injury.”
• 63. Avoid Future Data Security Breaches
• Understand what types of personal information are collected, how, where and for how long they are stored, and who has access to them.
• Collect only the personal information necessary to conduct business.
• Retain personal information for the shortest time necessary to conduct business.
• Limit access to personal information.
• Encrypt data, both on portable devices and in transit. The laptops at issue in Krottner and Resnick were unencrypted; most state breach-notification statutes do not treat the loss of properly encrypted data as a notifiable breach.
• 64. Avoid Future Data Security Breaches
• Establish internal policies to protect personal information.
  – e.g., robust passwords, usage policies for laptops and mobile phones, secure disposal policies.
• Comply with promises made to consumers or employees regarding the privacy and security of personal information.
  – Disclosures about the collection, maintenance, use and dissemination of personal information must be accurate and complete; as Wyndham shows, a website promise of “commercially reasonable efforts” becomes the standard the FTC measures you against.
• 65. Avoid Future Data Security Breaches
• Train employees.
• Conduct periodic audits.
• Update and revise policies and procedures regularly.
• Enhance technology to strengthen security and reduce risk.
  – e.g., properly configured firewalls, regular vulnerability scans, prompt installation of security patches, up-to-date anti-virus software.
• Use care when engaging third-party vendors and hold them to high standards, in writing, in the vendor contract.