8. Sources
Achieving Data Privacy in the Enterprise, Safenet Derek Tumulak, April 8, 2010
Regulatory Information Architecture, Steven Alder, IBM, 2010
The source of much of my research, Sue Hammer, IBM, 2010
California Data Privacy Laws: Is Compliance Good Enough?, Lumension, Chris Merritt, May 2010
Privacy Law & Financial Advisors, Proskauer, Brendon M. Tavelli, Nov 20, 2009
Medical Records on the Run: Protecting Patient Data with Device Control and Encryption, Sept 2009
2010 Data Breach Report, Verizon
Five Countries: Cost of Data Breach Sponsored by PGP Corporation, Dr. Larry Ponemon, April 19, 2010
How secure is your confidential data?, By Alastair MacWillson, ACCENTURE
The Leaking Vault, Five Years of Data Breaches, Suzanne Widup, Digital Forensics, July 2010
Top 10 Big Brother Companies: Ranking the Worst Consumer Privacy Infringers, Focus Editors
First Annual Cost of Cyber Crime Study, Ponemon, July 2010
States failing to secure personal data, By Kavan Peterson, Stateline.org
National Archives & Records Administration in Washington
2010 Annual Identity Protection Services Scorecard, Javelin Strategy & Research
A New Era of Compliance - Raising the Bar for Organizations Worldwide, RSA, Oct 12, 2010
Evolve or Die, Bunger & Robertson, 2010
Compliance With Clouds: Caveat Emptor, by Chenxi Wang, Ph.D., August 26, 2010
Obscured by Clouds, Ross Cooney, 2010
Digital Trust in the Cloud, Liquid Security in Cloudy Places, CSC, 2010
Making Data Governance as simple as possible, but not simpler, Dalton Servo
9. Let me be crystal clear,
Brian is NOT a lawyer
DISCLAIMER
13. Business is concerned with RISK
Risk from Regulation, Organized Crime, Reduced Staffing, Sloppy Performance, Lack of Training, New Technologies, and even ... Clients/Customers ... is creating an EROSION in TRUST!
17. Loss of data is one of the biggest regulator concerns
Loss, theft, mistakes, under protected, ...
... a Breach of Trust – Over 500,000,000 U.S. records since 2005
18. 90% from external sources
48% insider help
85% from organized criminals
94% targeted financial data or sector
98% of records stolen produced by hack
96% of Trojans found were: "Crimeware-as-a-Service."
19. We can do better
96% avoidable by simple controls
86% had evidence in log files
66% involved data on devices the victim was NOT aware contained SPI
5% loss to shareholders after breach
43% higher breach cost in U.S.
20. Financial Service providers have a 39% confidence factor for their ability to protect your data from Insider Threats vs. 71% for External Threats
Deloitte – 2010 Financial Services Global Security Study – the faceless threat
21. A reputation is easy to lose, not so easy to recover
- 60% of companies that lose their data will shut down within 6 months of the disaster.
- 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster.
- 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately.
22. What can business do?
Restrict and monitor privileged users
Watch for 'Minor' Policy Violations
Implement Measures to Thwart Stolen Credentials
Monitor and Filter Outbound Traffic
Change Your Approach to Event Monitoring and Log Analysis
Share Incident Information
23. What is the Customer's view?
...what is causing this Erosion of Trust
24. Identity Theft #1 Consumer Complaint - FTC
10M Victims in the U.S.
$5K loss per business, $50B total
$500 loss per victim, $5B total
30 hours to recovery, 297M hours
all numbers are approximate or rounded up
26. Riskiest places for SSN#
Universities and colleges
Banking and financial institutions
Hospitals
State governments
Local government
Federal government
Medical (supply) businesses
Non-profit organizations
Technology companies
Health insurers and medical offices
Symantec – Nov, 2010
27. 45% of businesses disagree with customers controlling their data
47% of businesses disagree that the customer has a right to control their data
50% of businesses did not see a need to limit distribution of PII
>50% of customers believe they have a right to control their data
Trust Me – I'm lying?
1 There is a notable difference between organizations' intentions regarding data privacy and how they actually protect it.
North Carolina is attempting to get 50M records on its citizens from Amazon
28. Diverse <-> Deliberate
Accountability – who is looking out for me?
2 A majority (58%) of companies have lost sensitive personal information...
Insider involved in over 48% of data breaches
29. 3 Regulatory compliance – No confidence they can keep pace
Many organizations believe complying with existing regulations is sufficient to protect their data.
31. 1 Top 10 Big Brother Companies – Ranking the Worst Consumer Privacy Infringers, Focus Editors
32. 48% of breaches caused by insiders
48% involved privileged misuse
61% were discovered by a 3rd party
Third parties – you sent my data to who?
4 Companies should be careful about the company they keep. It is crucial they understand the perspective on and approach to data protection and privacy taken by their third-party partners.
33. 5 Culture
Companies that exhibit a "culture of caring" with respect to data protection and privacy are far less likely to experience security breaches.
34. How to reverse the spin?
Build a Data Protection and Privacy Strategy
Assign ownership
Develop comprehensive governance program
Evaluate data protection and privacy technologies
Build a culture
Reexamine investments
Choose business partners with care
35. You own some of this – Giving away your PRIVACY
Google
Social networking
RFID tags/loyalty cards
The Patriot Act
GPS
The Kindle
37. Privacy – Which comes 1st? Breach Notification or Data Protection?
38. Protect the consumer
Punish the breach
Promote compliance
If the Carrot isn't working, it's time to ....
39. U.S. Breach Notification Laws – 46 States, the District of Columbia, Puerto Rico and the Virgin Islands
States with no security breach law: Alabama, Kentucky, New Mexico, and South Dakota
http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx
44. The "Rules" of Rulemaking – Kings have rules
Regulatory agencies create regulations according to rules and processes defined by another law known as the Administrative Procedure Act (APA).
The APA defines a "rule" or "regulation" as...
"[T]he whole or a part of an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy or describing the organization, procedure, or practice requirements of an agency."
The APA defines "rulemaking" as…
"[A]gency action which regulates the future conduct of either groups of persons or a single person; it is essentially legislative in nature, not only because it operates in the future but because it is primarily concerned with policy considerations."
Under the APA, agencies must publish all proposed new regulations in the Federal Register at least 30 days before they take effect, and they must provide a way for interested parties to comment, offer amendments, or object to the regulation.
Once a regulation takes effect, it becomes a "final rule" and is printed in the Federal Register and the Code of Federal Regulations (CFR), and is usually posted on the Web site of the regulatory agency.
67. More Regulator Activity & more to Come
45 states have enacted anti-bullying laws - http://www.bullypolice.org/
Without: Hawaii, South Dakota, Michigan, New York, Montana, North Dakota and Missouri
The SEC (Securities and Exchange Commission) and FINRA (Financial Industry Regulatory Authority) issued guidance on use of social media sites
The UK ASA (Advertising Standards Authority) issued guidance on social media marketing
The FTC (Federal Trade Commission) issued Final Guides governing social media endorsements
Maryland leads the way in social media campaign regulations
CA – the FPPC (Fair Political Practices Commission) will "regulate the same as traditional media"
68. Future Regulatory Focus
Amateur Data Controllers
Right to not be over-regulated
Right to demand co-operation
Privacy Policies
Right to be better informed
Right to be forgotten
Right to have policies monitored
Right to Data Portability
End of online anonymity
Processing of data by 3rd parties
Duties for data controllers
Behavioral advertising
Right to opt-in vs. have to opt-out
The rights of minors
71. What is Data Governance?
An operating discipline for managing data and information as a key enterprise asset
Organization, processes and tools for establishing and exercising decision rights regarding valuation and management of data
Elements of data governance
Decision making authority
Compliance
Policies and standards
Data inventories
Full life-cycle management
Content management
Records management
Preservation and disposal
Data quality
Data classification
Data security and access
Data risk management
Data valuation
74. Why is Data Governance important?
Regulator shift: OLD – Principles Based; NEW – Rules Based
The UK FSA (Financial Services Authority) has proposed a "Data Accuracy Scorecard"
Regulators will punish inadequate Data Governance
Breach Notification laws create demand to govern data
75. Ensure that the Right People have the Right Access to the Right Data, doing the Right Things Efficiently and Productively
Restore Trust
79. Laws & Regulations
• Data Protection Act
• Gambling Act 2005
• Protection from Harassment Act 1997
• Racial, sexual and age discrimination legislation
• Obscene Publications Act 1959
• "…obscene if it is intended to corrupt or deprave persons exposed to it"
• The Terrorism Acts 2000 & 2006
• Money Laundering Regulations
• CAP Codes & the ASA
• Transparency and Honesty
• Careful with trans-national campaigns
• Consumer Protection from Unfair Commercial Practices Regulations 2008 (CPRs)
• Contempt of Court
80. High-level International Overview
• New Basel Capital Accord (Basel-II)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Society for Worldwide Interbank Funds Transfer (SWIFT)
• Personal Information Protection Act (PIPA) – Canada
• Personal Information and Electronic Documents Act (PIPEDA) – Canada
• Personal Information Privacy Act (JPIPA) – Japan
• SafeSecure ISP – Japan
• Federal Consumer Protection Code, E-Commerce Act – Mexico
• Privacy and Electronic Communications (EC Directive) Regulations 2003
• Directive 95/46/EC on Privacy and Electronic Communications – European Union
• Central Information System Security Division (DCSSI) Encryption – France
• Federal Data Protection Act (FDPA - Bundesdatenschutzgesetz - BDSG) of 2001 – Germany
• Privacy Protection Act (PPA) of Schleswig-Holstein of 2000 – Germany
• US Department of Commerce “Safe Harbor”
81. Relevant Laws and Regulations
• Sarbanes-Oxley Act
• PCAOB Rel. 2004-001 Audit Section
• SAS94
• Fair Credit Reporting Act (FCRA)
• AICPA Suitability Trust Services Criteria
• SEC CFR 17: 240.15d-15 Controls and Procedures
• NASD/NYSE 240.17Ad-7 Transfer Agent Record Retention
• GLBA (15 USC Sec 6801-6809) 16 CFR 314
• Appendix: 12 CFR 30, 208, 225, 364 & 570
• Federal Financial Institutions Examination Council (FFIEC) Information Security
• FFIEC Business Continuity Planning
• FFIEC Audit
• FFIEC Operations
• Health Insurance Portability and Accountability Act (HIPAA) § 164
• 21 CFR Part 11 – FDA Regulation of Electronic Records and Electronic Signatures
• Payment Card Industry Data Security Standard (PCI-DSS)
• Federal Trade Commission (FTC)
• CC1798 (SB1386)
• Federal Information Security Management Act (FISMA)
• USA PATRIOT
• Community Choice Aggregation (CCA)
• Federal Information System Controls Audit Manual (FISCAM)
• General Accounting Office (GAO)
• FDA 510(k)
• Federal Energy Regulatory Commission (FERC)
• Nuclear Regulatory Commission (NRC) 10CFR Part 95
• Critical Energy Infrastructure Information (CEII)
• Communications Assistance for Law Enforcement Act (CALEA)
• Digital Millennium Copyright Act (DMCA)
• Business Software Alliance (BSA)
• New Basel Capital Accord (Basel-II)
• Customs-Trade Partnership Against Terrorism (C-TPAT)
• Video Privacy Protection Act of 1988 (codified at 18 U.S.C. § 2710 (2002))
82. US Federal Privacy Laws and US Federal Breach Laws (the USA is a member of the OECD and a member of the CPEA; the US has also ratified CE ETS 185)
1. Children's Online Privacy Protection Act (COPPA)
   1. Federal Trade Commission's Final COPPA Rule (PDF)
2. Communications Assistance for Law Enforcement Act (CALEA)
3. Department of Defense Directive 5400.11-R - Privacy Program (May 14, 2007 edition) (PDF)
   1. Defense Privacy Office
4. Electronic Communications Privacy Act (ECPA)
5. Fair Credit Reporting Act (FCRA, PDF)
   1. As Amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT)
   2. Federal Trade Commission's Red Flag Rule (PDF) (DELAYED UNTIL NOVEMBER 1st 2009)
6. Family Educational Rights and Privacy Act (FERPA, The Buckley Amendment)
   1. US Department of Education Final Rule (PDF)
   2. Protection of Pupil Rights Amendment (PPRA)
   3. No Child Left Behind Act (PDF)
7. Genetic Information Nondiscrimination Act 2008 (GINA, PDF)
   1. Proposed rule making genetic information covered under PII, HIPAA, and HITECH (PDF)
8. Gramm-Leach-Bliley Act (GLBA)
   1. Federal Trade Commission's Final Financial Privacy Rule (PDF)
   2. Federal Trade Commission's Final Safeguards Rule (PDF)
9. Health Insurance Portability and Accountability Act (HIPAA, PDF)
10. HITECH Act (Notice: I could not find it consolidated and called out anywhere, so had to create it myself, PDF)
   1. HITECH Breach Notification Guidance and Request for Public Comment (From the US Department of Health and Human Services, PDF)
11. Federal Trade Commission's Health Breach Notification FINAL Rule (PDF)
12. Safe Harbor Guidelines from the US Department of Commerce