Privacy and Cyber Risk - CPO FORUM (cpoforum.or.kr/privacy2015/pdf/Keynote1.pdf)

Privacy and Cyber Risk: staying ahead of emerging trends

April 2015

Page 2

Agenda

1. Privacy Regulation Landscape
2. Common Causes of Data Privacy Breaches
3. Best Practices for Protecting Personal Data & Complying with Privacy Legislation

Q&A

Page 3

1. Privacy Regulation Landscape

Page 4

Background

► It is now over 40 years since Sweden enacted the world's first comprehensive national data privacy legislation, the Data Act of 1973, which set the tone for the growth of national and cross-border privacy regulation.

► Today there are well in excess of 100 nations or autonomous territories worldwide with some form of data privacy legislation or regulation, at least 12 of them in Asia, and the number is growing rapidly.

► Not only is the number of nations adopting data privacy legislation growing; the depth and complexity of the legislation is increasing. Countries that already have data privacy legislation in place are, for example, now adding further regulations around mandatory breach disclosure.

Page 5

Regulatory Trends

► Mandatory Breach Disclosure (MBD)
  ► Leading data privacy jurisdictions such as Australia, Canada and the EU are either actively planning for, or have enacted, MBD requirements, with significant penalties for non-compliance.

► Cross Border Privacy Regulations (CBPR)
  ► Striving for a degree of standardisation of approaches to protecting personal data within a region or economic grouping of nations, e.g. the APEC Cross Border Privacy Rules System.
  ► The regulatory onus on organisations within a jurisdiction to ensure the privacy standards of that jurisdiction are applied to personal data when it is transmitted or used outside of the jurisdiction, e.g. Australian Privacy Principle 8.

Page 6

Case Study – Australia: New obligations imposed in 2014 on top of existing regulations

[Diagram: Privacy Reform at the centre, surrounded by four elements]
► New Responsibilities
► New Principles
► New Opportunities
► New Powers

Page 7

Case Study – Australia: New obligations imposed in 2014 on top of existing regulations

► New Powers:
  ► The Privacy Commissioner can impose fines of up to $AUD 1.7m
  ► Enhanced powers to initiate "own motion" investigations, without any basis for suspicion
  ► Organisations need to be able to demonstrate how compliance has been achieved
  ► The Privacy Commissioner is taking a proactive stance on compliance

Page 8

Case Study – Australia: New obligations imposed in 2014 on top of existing regulations

► New Responsibilities:
  ► Incident management / breach notification
  ► Third parties and liabilities: legal liability for breaches by vendors / partners
  ► Public concerns about privacy may have overtaken legal obligations

Page 9

Case Study – Australia: New obligations imposed in 2014 on top of existing regulations

► New Principles:
  ► APP1 & APP5 – Openness, Transparency, Notification: privacy policies and collection statements need to be accurate, explicit and granular
  ► APP7 – Direct Marketing (DM): more limitations; individuals have greater power to opt out and to request that the organisation provide the source of their information
  ► APP8 – Cross-border disclosure of Personal Information: organisations have greater liability for personal customer information that is accessed offshore, even if the data remains on Australian servers

Page 10

Case Study – Australia: New obligations imposed in 2014 on top of existing regulations

► New Opportunities for Impacted Organizations:
  ► Privacy as a differentiator to create or build on a trusted brand
  ► Big Data – what data can be matched internally and externally for greater insights?
  ► Move to positive reporting of credit data – an opportunity for better customer due diligence
  ► More allowed uses, e.g. to investigate fraud
  ► Re-evaluate use of and controls over third parties / vendor management

Page 11

2. Common Causes of Data Privacy Breaches

Page 12

Threat Vectors

► Third Parties (you are only as strong as the weakest link in your chain):
  ► Third-party leakage of data, whether intentional or unintentional and often through human acts, can have catastrophic impacts for the client organization
  ► Third-party outsourcers often don't adhere to the same data security control frameworks that you do
  ► Organizations often conduct only cursory assessments of their outsourcers' data security control frameworks, typically by self-assessment and only annually

► Organizations don't always have adequate data protection controls in place, not knowing where their data resides and who has access to it

Page 13

Threat Vectors

► Increasingly Sophisticated Cyber Attacks:
  ► Conventional perimeter and other cyber defences are proving inadequate to prevent the most determined cyber attacks
  ► Security Operations Centres are overwhelmed with thousands of alerts per day and unable to identify the real attacks
  ► Advanced Persistent Threats (APTs) stay undetected in the network, transmitting confidential data out to attackers
  ► Scams such as phishing emails are also increasing in sophistication, acting as launch pads to introduce malware into the network
  ► Employee access controls are inadequate to prevent intentional or unintentional data breaches, especially by privileged users

Page 14

3. Best Practices for Protecting Personal Data & Complying with Privacy Legislation

Page 15

Six actions for commercial and sustainable compliance with Privacy legislation

1. Identify and map all personal information collected and handled throughout the information lifecycle to create a Data Inventory
2. Identify opportunities to better use / gain insights from data: already held by you, or available from other organisations or from individuals themselves
3. Third Parties: assess whether they are your weakest link
4. Prepare for both a data breach and the resulting questions from the Privacy Regulator
5. Perform a 'three way match' between your policies, business activities and legal requirements / customers' expectations
6. Test the effectiveness of your approach to privacy management

Page 16

1 – Data breaches are a reality: prepare for the worst case scenario in advance

Case Study: Sony
► Some sort of breach is almost inevitable; there is no such thing as being 100% secure
► The Privacy Commissioner will also examine you, and you'll need to show that reasonably expected controls were in place beforehand

Best Practice
► Smart companies have rehearsed incident management procedures to reduce breach impact severity
► Organisations will need to be able to demonstrate how they achieved compliance with legislation:
  ► Structured programme to assess and remediate
  ► Tone from the top, clear roles and responsibilities
  ► Staff awareness of the impact of key changes

[Chart: Sony share price plotted against a timeline of the 2011 attacks; event labels and dates as they appear in order on the chart]
1-Jan-11 – Start of year
2-Apr-11 – War announced to bring down as much of Sony's web presence
14-Apr-11 – Multiple Sony web sites go down
20-Apr-11 – Sony shuts down the PlayStation Network
29-Apr-11 – Hackers claim to have access to PSN customers' credit card numbers
20-May-11 – Phishing site found on a Sony server
2-Jun-11 – Attackers announce 1 million user accounts compromised
3-Jun-11 – Sony Europe database leaked
5-Jun-11 – Sony Pictures Russia database leaked
8-Jun-11 – Sony Portugal attacked
20-Jun-11 – 177k e-mails stolen and leaked from Sony Pictures France

Sources:
http://www.bloomberg.com/news/2011-05-15/sony-attack-shows-amazon-s-cloud-service-lures-hackers-at-pennies-an-hour.html
http://www.makeuseof.com/tag/sony-playstation-network-breach-infographic/

► Breach of information for 100M customers: names, addresses, credit card details, April – June 2011
► 33% decline in share price over the period

Page 17

2 – Data Inventory and the Information Lifecycle: the foundation of good Privacy Management

► The most common mistake is to underestimate the extent and nature of personal data collected and handled
► It is impossible to adequately protect anything if you don't know where it is

Best Practice
► The first step of any privacy programme is to map all personal data and data flows across the Information Lifecycle to understand:
  ► Volume, type and nature of data
  ► Business processes that access or use the data
  ► Supporting systems, databases and infrastructure
  ► Trans-border transfer and overseas access
► A difficult task: combined top-down and bottom-up analysis is the best approach

[Diagram: The Information Lifecycle – Collection, Use and internal sharing, Disclosure, Retention and disposal]

Page 18

Example: Creation of a Personal Information lifecycle and Data Inventory

Creating a personal data inventory is the necessary first step for adequate data protection. The lack of a complete understanding of 'where the data is' is a primary cause of compliance failure.

Overview of key activities

Analyse, identify and document the upstream and downstream flows of data assets through 'known' systems to other locations where Personal Information may reside, by:

► Top-down analysis – understand and document the data lifecycle, commencing with data collection at all points of customer interaction, through analysis of business process documentation (where available), interviews / surveys with business process and system owners, and walkthroughs of end-to-end processes if required.

► Bottom-up analysis – analysis of flows of data assets through review of technical system and interface documentation and, where required, interviews / surveys with key technical stakeholders with knowledge of the relevant systems, to fully understand flows of PII assets.

Iteratively review and update draft versions of the data inventory and the data flow diagrams, and meet with key stakeholders to agree and finalise them.

Page 19

3 – Ensure Transparency, Openness and Compliance: with Law and Customer expectations

► Legislation will change what you are allowed to do with personal data
► Public expectations are also rising, given increased concerns and breaches
► Legislation increases obligations over transparency and openness, e.g.:
  ► If / where data is transferred to
  ► Activities performed with the data
► Maintaining customer trust is key

Best Practice
► Organisations require greater detail in privacy statements (balanced with readability)
► Organisations should perform a "Three Way Match" between Laws (incl. expectations), Policy Statements and actual activities
► Resolve any exceptions
► Keep accurate and up to date

[Diagram: The Three Way Match]
► What you must / must not do (Regulation)
► What you say you do (Privacy Policy)
► What you actually do (Business activities)

Page 20

4 – Leverage available data to gain better / increased insights

► Explosion of data available, e.g. through:
  ► Purchasing / spending patterns
  ► Mobile applications
  ► Social media
  ► Behavioural tracking (cookies)
  ► GPS / location tracking
► Internally obtainable / available from third parties and data brokers
► 'Big data' techniques allow analysis and visualisation not previously possible

Best Practices
► Privacy should not be a blocker – early consideration (Privacy by Design) allows issues to be resolved upfront (e.g. consent, anonymisation)
► What data can you match internally or externally for greater insight?

[Figure: Vendor / Employee data visualisation]

Page 21

5 – Third Parties: are they your weakest link?

► Increasing dependence upon partners, vendors, suppliers and outsourcers, and their sub-contractors
► Losing a clear line of sight over where data goes
► 'Out of sight should not be out of mind' – businesses remain liable for any breaches

Best Practices
► Good privacy management includes:
  ► Identifying all flows of data to / access by third parties
  ► Due diligence
  ► Contractual obligations
  ► Definition of specific requirements
  ► Secure transfer of data
  ► Gaining regular assurance

► 63% of data breaches involved IT outsourcing providers
► Almost all the information hackers targeted was personal data
(Source: Trustwave's 2013 Global Security Report)

[Diagram: data exchanges between the Business, its Customers and third parties (Vendors, Suppliers, Outsourcers, Partners), framed by Third Party Risk Management and Transparency / Openness]

Page 22

6 – Test the effectiveness of your Privacy management framework and controls

► Privacy is a business risk that cannot be ignored
► Compliance cannot be coincidental
► Organisations need to be able to respond to complaints or questions about their approach to privacy management
► If the Privacy Commissioner comes knocking, how will you demonstrate compliance?

Best Practices
► Compliance needs far more than just policies
► Good practice is to assess the effectiveness of controls – through internal or external assurance

[Diagram: Privacy Management Framework]

Page 23

Common mistakes: things to avoid

► Don't think "a breach won't happen to me". It can, it might... it may already have.
► Don't underestimate the complexity of achieving, demonstrating and maintaining compliance. If you haven't started preparing, you may have left it too late.
► Don't treat Privacy management as a 'one-off' process; it needs:
  ► budget, resources and ongoing focus on training / awareness / culture
  ► upfront involvement in new product / service development and ongoing process analysis
  ► regular assurance – internally and at third parties
► Don't manage Privacy in a silo. Integrate it with existing processes such as information security, PCI, Spam / DNCR Act compliance, records management or broader risk management and assurance processes (internal / external).
► Don't hide from the regulator – or your customers – if something goes wrong. Don't think the Privacy Commissioner is still a 'toothless tiger'.
► Don't think your staff are incapable of making 'honest mistakes', or of being stupid or malicious... and they are not immune to social engineering.
► Don't automatically think "I can't do that because of the Privacy Act". Research shows that people will gladly trade personal information for products and services, but maintaining trust is critical.

Page 24

Takeaway: Six questions to ask

1. Do you have a complete and accurate picture of all instances where you collect, handle, store and transfer personal data?
2. What 'big data' opportunities exist to better leverage existing data – and gain greater insights – within the rules?
3. How confident are you that all your partners, suppliers and outsourcers won't expose you to the possibility of reputational loss and a hefty fine?
4. What would you do if you realised a breach had occurred, or when the Commissioner asks how you have achieved compliance?
5. Are you confident that, in all cases, how you handle personal data aligns with what your customers expect and with your legal requirements?
6. What comfort are you giving to the Board and your customers that personal information is being protected?

Page 25

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2015 Ernst & Young Han Young
© 2015 Ernst & Young Advisory, Inc.
All Rights Reserved.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com/kr