White Squall: Big Data & The Evolving Data Privacy Imperative in Financial Services
Moderator:
Daniel B. Garrie, Executive Managing Partner, Law & Forensics LLC; Partner, Global Head of Cyber Practice, Zeichner Ellman & Krause LLP
Panelists:
Nancy L. Perkins, Counsel, Arnold & Porter LLP
James Quinn, Vice President of Security Architecture, Deutsche Bank
Jeffrey C. Sharer, Partner & Co-Chair, Data Law Practice, Akerman LLP
Mr. Daniel Garrie is the Executive Managing Partner at Law & Forensics LLC, a consulting firm that works with clients across industries to address cyber security, cyber warfare, e-discovery, and digital forensics challenges. He is also a Partner at Zeichner Ellman & Krause LLP, where he heads the firm's cyber security and data breach practice. Mr. Garrie has built and sold several Internet security, e-commerce, and search technology startups. Prior to his time at Pulse Advisory, Daniel Garrie was the Worldwide Director of Electronic Discovery & Information Governance at Charles River Associates. He also serves as a Strategic Partner for Quorumm Ventures and as a member of the Board of Governors of the Organization of Legal Professionals. He is a nationally recognized educator and lecturer on topics including computer software, cyber security, e-discovery, forensics, emerging internet and mobile technologies, and cyber warfare. He is the Editor in Chief of the Journal of Law & Cyber Warfare, a fellow at the Ponemon Information Privacy Institute, a distinguished neutral with CPR, and a member of the editorial board of the Beijing Law Review. Mr. Garrie's scholarship in e-discovery, forensics, and cyber security is frequently cited by the bench and the bar, including in Arrivalstar v. US, US v. Briggs, Coast Professional, Inc. v. US, Genger v. TR Investors, LLC, John B. v. Goetz, and Northrop Grumman Computing Systems, Inc. v. US. Mr. Garrie is also frequently quoted by leading publications, including the New York Times, Fortune, Forbes, and the Wall Street Journal, on issues relating to cyber security and cyber warfare.
B.A., Computer Science, Brandeis University; M.A., Computer Science, Brandeis University; J.D., Rutgers School of Law
Daniel B. Garrie, Esq. Law & Forensics – Executive Managing Partner; Zeichner Ellman and Krause LLP – Partner, Global Head of Cyber Security and Data Breach Practice. Contact: W: (855) 529-2466 M: (215) 280-7033 E: [email protected] URL: www.lawandforensics.com
(c) Law and Forensics 2016. All Rights Reserved
firm’s Data Privacy and Security practice. She focuses her
Nancy L. Perkins, counsel at Arnold & Porter LLP in Washington, D.C., advises clients on a wide range of data protection issues at the federal and state levels, as well as on cross-border data privacy and security matters. Ms. Perkins assists clients in responding to data security breaches, including through notifications to individuals and government authorities, as well as in defending against related litigation. Ms. Perkins frequently provides counsel on the Telephone Consumer Protection Act, the Children’s Online Privacy Protection Act, the Video Privacy Protection Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act (as amended by the Fair and Accurate Credit Transactions Act), as well as state privacy, security, and data breach notification laws. A graduate of Harvard Law School, Harvard’s Kennedy School of Government, and Harvard College, she is the author of numerous articles on data privacy and security regulation, and is an Adviser on the American Law Institute’s current project to create a Restatement of Information Privacy Principles. She has been ranked among America’s Leading Lawyers for Privacy & Data Security by Chambers USA every year since 2009, and ranked among the World’s Leading Lawyers for Privacy & Data Security (USA) by Chambers Global since 2010.
Nancy L. Perkins Counsel, Arnold & Porter LLP Contact: W: (202) 942-5065 E: [email protected] URL: www.aporter.com
James Quinn has more than 20 years’ experience in IT Security, Incident Response, and IT Engineering and Architecture. He is currently a vice-president responsible for IT Security Architecture, Governance, and Innovation for Deutsche Bank. Before joining Deutsche Bank, he was an independent consultant for more than 10 years, during which he formed and managed the world-wide Incident Response Team for Credit Suisse in Zürich, Switzerland. He is a board certified Information Systems Security Professional, and is active in several professional organizations, including the High Technology Crime Investigators Association, InfraGard, and the Greater New York Area Electronic Crimes Task Force. Mr. Quinn grew up in Europe, attending schools in five different countries, holds a Bachelor of Arts in History from the University of Washington, and a Master of Arts in Security Studies from Georgetown University. He lives in New York City and spends his spare time working with the Civil Air Patrol, as Treasurer of the Chaîne des Rôtisseurs, the international gastronomic society, and is active in several community organizations. In a previous career, Mr. Quinn sang and conducted opera professionally, which explains his ability and willingness to make a fool of himself in front of audiences.
James Quinn Vice President of Security Architecture, Deutsche Bank Contact: W: (201) 593-3587 E: [email protected] URL: www.db.com
Jeffrey Sharer is a partner in the Chicago office of Akerman LLP and co-chair of Akerman's Data Law Practice. He concentrates his practice in the increasingly business-critical area of information law. His practice encompasses information governance, privacy and data protection, and electronic discovery. Jeffrey combines deep understandings of both law and technology to help clients navigate the "digital deluge" and mitigate risk, reduce cost, and create business value through sound, end-to-end governance of enterprise data. Jeffrey advises clients on a wide range of U.S. and cross-border privacy and data protection issues; the development and implementation of records retention policies and schedules; litigation preparedness and discovery strategy; defensible disposition of electronic and hard copy information; and myriad other issues associated with electronic records, big data, and cybersecurity. Jeffrey also is a leading proponent of "collaborative disaggregation" of legal services, proactively partnering with alternative service providers and leveraging artificial intelligence and other forms of technology to meet clients' needs better, faster, and at lower cost than could be achieved under traditional models based directly or indirectly on billable hours. Jeffrey represents clients across a wide range of industries.
Jeffrey C. Sharer Partner & Co-Chair, Data Law Practice, Akerman LLP Contact: W: (312) 634-5730 E: [email protected] URL: www.akerman.com
Agenda
Legal Overview
Third Party Risks: Filling the Gaps and Managing Vendors
Future Predictions
Summary/Takeaways
Questions
Legal Overview
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act, enacted in 1999, is the main governing law for privacy in financial institutions.
GLBA’s privacy and security provisions (Section 501(b)) have three goals:
1. To ensure the security and confidentiality of customer records and information;
2. To protect against any anticipated threats or hazards to the security or integrity of such records; and
3. To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Two main compliance rules:
1. Financial Privacy Rule
2. Safeguards Rule
GLBA Privacy Rule
(1) Financial Privacy Rule:
• Requires financial institutions to provide consumers with NOTICE explaining what information is collected, where it is shared, how it is used, and how it is protected
• Notice is required at the time the relationship is established and, subject to certain exceptions, annually
• Must give the consumer the right to OPT OUT of certain data-sharing practices (notably sharing nonpublic personal information with nonaffiliated third parties)
• Must inform consumers of changes in the privacy policy
• Financial institutions are defined as "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance"
Different requirements for Customers and Consumers
• Consumer: “an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.”
• Customer: a consumer with whom the institution has a "customer relationship," that is, a continuing relationship.
• Consumers who are not customers have more limited privacy rights under the GLBA; the statute’s stated policy is directed at customers:
• “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”
GLBA Safeguards Rule
(2) Safeguards Rule:
• Requires financial institutions to develop a written information security plan that describes how the company protects, and plans to continue protecting, clients’ nonpublic personal information. The plan must include:
• Designating at least one employee to manage the safeguards;
• Conducting a thorough risk analysis of each department that handles nonpublic information;
• Developing, monitoring, and testing a program to secure the information; and
• Changing the safeguards as needed as the way information is collected, stored, and used changes.
Implementing GLBA Safeguards Requirements
Designate employee(s) to coordinate the IT security program
Identify and assess risks; evaluate the effectiveness of current safeguards
Design and implement a safeguards program; regularly monitor and test it
Select service providers that can maintain appropriate safeguards, require security by contract, and oversee their handling of customer information
Evaluate and adjust the program in light of relevant circumstances
Other Regulatory Standards
Safe & Sound Banking Practices
Bank Service Company Act
FCRA Red Flags Rules
PCI Standards
FFIEC IT Examination Handbook
NIST Cybersecurity Framework
Federal Trade Commission Actions
State Law
Safe and Sound Banking Practices
Federal and State banking regulators increasingly see cybersecurity practices as integral to safe and sound banking
“Unsafe and unsound” banking practices may include:
– Failure to identify data security threats and vulnerabilities
– Lack of planned procedures for responding to a security incident
– Inadequate management of third-party relationships, including data and technology service providers
Bank Service Company Act
Banks must exercise adequate oversight to ensure data protection by their service providers, including IT vendors and data processors
Bank oversight responsibility requires regular assessments of vendors’ management of cybersecurity risks, including:
– protection against unauthorized use and sharing of consumer information
– disaster recovery
– record retention and proper disposal
– reporting protocols
Service providers are also subject to direct examination and enforcement action by the federal banking agencies
Red Flags Rule
Financial institutions must have programs to identify and respond to “red flags” of possible identity theft:
1. Mechanisms to detect red flags
2. Procedures for responding to red flags
3. Policy to stay current with respect to new potential threats
PCI Standards
1. Build & Maintain a Secure Network
– Firewalls
– Passwords (do not use defaults)
2. Protect Cardholder Data
– Protect stored data
– Encrypt transmissions
3. Maintain a Vulnerability Management Program
– Anti-virus software
– Maintain secure systems/applications
4. Implement Strong Access Controls
– Need-to-know
– Unique IDs
– Restrict physical access
5. Regularly Monitor and Test Networks
– Track and monitor all access
– Regularly test systems and processes
6. Maintain an Information Security Policy
NIST Cybersecurity Framework
Executive Order 13636 directed NIST to work with stakeholders to develop a voluntary cybersecurity framework for “critical infrastructure”
1. Framework Core Functions: Identify, Protect, Detect, Respond, Recover
2. Implementation Tiers: Companies select an appropriate cybersecurity posture, from “Partial” and reactive (Tier 1) to “Adaptive” and risk-informed (Tier 4)
3. Profile: The outcomes selected based on business needs; can be used to perform self-assessments and to set goals
FTC Enforcement Authority
Broad authority under Sec. 5(a) of the FTC Act
– The FTC has the authority to act against unfair or deceptive acts or practices in the commercial marketplace
The FTC has asserted violations of numerous statutes in its data security enforcement actions, including the GLBA and FCRA
Over 60 data security enforcement actions over the past 12 years, affecting nearly all sectors of the economy
FFIEC IT Booklet: Information Security
The member agencies of the Federal Financial Institutions Examination Council (FFIEC) implemented section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) by defining a process-based approach to security in the "Interagency Guidelines Establishing Information Security Standards" (the 501(b) guidelines)
The 501(b) guidelines afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security programs
The Guidelines require that financial institutions maintain an ongoing information security risk assessment program that effectively considers and acts on potential information security threats.
SEC OCIE Cybersecurity Initiative
How does it work? The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) announced that its 2014 Examination Priorities included a focus on technology, including cybersecurity preparedness
OCIE’s cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats.
As part of this initiative, OCIE conducted examinations of more than 50 registered broker-dealers and registered investment advisers
SEC OCIE Cybersecurity Initiative
The SEC will look at the following:
• Physical devices and systems within the firm.
• Software platforms and applications within the firm.
• Maps of network resources, connections, and data flows (including locations where customer data is housed).
• Connections to the firm’s network from external sources.
• Whether resources (hardware, data, and software) are prioritized for protection based on their sensitivity and business value.
• Whether logging capabilities and practices are assessed for adequacy, appropriate retention, and secure maintenance.
These examinations will help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats.
SEC OCIE Examinations
The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) announced that its 2016 Examination Priorities include a focus on:
Examining matters of importance to retail investors;
Assessing issues related to market-wide risks; and
Using its ability to analyze data to identify and examine registrants that may be engaged in illegal activity.
SEC OCIE Examination Priorities for 2016: Assessing Market-Wide Risk
There are four main areas that the OCIE will examine when assessing market-wide, structural risks:
• Cybersecurity: In 2016 the SEC will test and assess “firms’ implementation of procedures and controls” relating to cybersecurity compliance and controls.
• Regulation Systems Compliance and Integrity (“SCI”): The SEC “will examine SCI entities to evaluate whether they have established, maintained, and enforced written policies and procedures reasonably designed to ensure the capacity, integrity, resiliency, availability, and security of their SCI systems.” Included in this are “assessing the resiliency of their primary and back-up data centers, evaluating whether computing infrastructure components are geographically diverse, and assessing whether security operations are tailored to the risks each entity faces.”
• Liquidity Controls
• Clearing Agencies
Financial Services – Information Sharing and Analysis Center (FS-ISAC)
FS-ISAC is a private-sector nonprofit information-sharing forum established by financial services industry participants in response to the federal government’s efforts to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information.
It allows financial institutions to share threat information among one another; it also links to government resources so that private financial institutions can share information with the government:
• FBI InfraGard
• U.S. Computer Emergency Readiness Team (US-CERT)
• U.S. Secret Service Electronic Crimes Task Force
Financial institutions with less than $1 billion in assets may subscribe to free limited critical notifications
Compliance vs. Security

| Compliance Requirement | Compliant but Insecure | Compliant and Secure |
|---|---|---|
| Encrypt all data using FIPS 140-2 compliant encryption | Full disk encryption with keys stored on the same disk | Full disk encryption with independent key management |
| | SSL encryption with no TLS monitoring or protection against man-in-the-middle attacks | TLS encryption that forces TLS rather than legacy SSL and monitors for man-in-the-middle threats |
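The second row of this table is the one most often broken in code rather than in policy: a client can negotiate a FIPS 140-2 approved cipher suite and still accept whatever certificate an interceptor presents. As an added example (not from the original slides or the panelists), here is that row in Python's standard `ssl` module: a context that encrypts but verifies nothing, beside one that requires TLS 1.2 or later and a validated peer certificate, plus an audit function that reports which of those settings is missing. The function names and the finding strings are this example's own.

```python
import ssl
from typing import List, Optional


def compliant_but_insecure_context() -> ssl.SSLContext:
    """Encryption is on, so a checkbox audit passes, but nothing proves who
    is on the other end: certificate verification and hostname checking are
    off and legacy protocol versions are still negotiable. An active attacker
    who can intercept the connection just presents their own certificate;
    the approved cipher suite does nothing against that."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL allows
    return ctx


def compliant_and_secure_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The same requirement met in a way that resists man-in-the-middle:
    peer certificate required and chained to a trusted CA, hostname checked
    against the certificate, TLS 1.2 as the floor so no SSL or early-TLS
    handshake can be negotiated, and TLS compression disabled."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise against a client context.
    An empty list means the context meets the bar set above."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (SSL/early TLS negotiable)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME-style attacks)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", compliant_but_insecure_context()),
                      ("secure", compliant_and_secure_context())):
        print(f"{name}: {audit_tls_context(ctx) or ['no findings']}")
```

The audit is the part to keep: run it against every `SSLContext` your code builds (or the equivalent checks against the TLS settings of a library you cannot inspect this way) as a unit test, so a compliance checkbox cannot be satisfied by a context that would accept an attacker's certificate.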
How Do You Know You’re Secure?
Value of assets is understood
Known threats and impacts are cataloged
Kinds of attacks and vulnerabilities have been identified
Countermeasures associated with the attacks and vulnerabilities, along with their costs, have been estimated
Results can be measured, but it’s important to select good, meaningful metrics
Real risks drive decisions, not FUD or “security theater”
Cybersecurity Information Sharing Act of 2015
Broad authorization for the federal government to share unclassified cyberthreat indicators with businesses and the public
Federal government to release periodic cybersecurity best practices
Businesses authorized to:
– Share cyberthreat information with enumerated federal agencies
– Monitor information systems, and information stored on, processed by, or transiting those systems, for the purpose of protecting information and information systems
Immunity for businesses against lawsuits arising from authorized sharing with the federal government and compliant monitoring of systems
Privacy protections limit the government’s disclosure, retention, and use of shared information to certain enumerated purposes
Also, before sharing, businesses are required to scrub personal information that they know at the time of sharing to be present and not directly related to the cybersecurity threat
DOJ and DHS to publish policies and procedures to assist in the identification of threats and the protection of personal information
– Interim guidelines published in February 2016
– Final guidelines to be published by June 2016
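The scrubbing obligation above is an operational step as much as a legal one: whoever exports an indicator to an ISAC or a federal agency has to strip the personal information of the people affected while keeping the attacker-controlled data that makes the indicator useful. The following is an added example in Python, not from the original slides, the panelists, or any DOJ/DHS guidance. The split between threat fields and victim fields, the constructed phishing record, and the `scrub_indicator` and `leaked_emails` functions are this example's own assumptions; which fields count as "directly related to the threat" is a judgement that has to be made per record type.

```python
import re
from typing import Any, Dict, List, Set

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Which fields describe the threat (shareable) and which describe the affected
# person (to be removed) is an assumption for this example; the statute only
# says personal information not directly related to the threat must go.
THREAT_FIELDS = {"observed_at", "sender", "subject", "url", "attachment_sha256"}
VICTIM_FIELDS = {"recipient", "employee_name", "employee_id", "department"}


def redact_free_text(text: str, keep: Set[str]) -> str:
    """Replace every e-mail address in free text except those in `keep`
    (the attacker-controlled addresses that are the indicator itself)."""
    def repl(match):
        addr = match.group(0)
        return addr if addr.lower() in keep else "[redacted-email]"
    return EMAIL_RE.sub(repl, text)


def scrub_indicator(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of `record` fit for sharing: victim fields dropped,
    threat fields kept verbatim, and every other string field scrubbed of
    e-mail addresses that are not the attacker's sender address."""
    keep = {str(record.get("sender", "")).lower()}
    shared: Dict[str, Any] = {}
    for field, value in record.items():
        if field in VICTIM_FIELDS:
            continue
        if field in THREAT_FIELDS or not isinstance(value, str):
            shared[field] = value
        else:
            shared[field] = redact_free_text(value, keep)
    return shared


def leaked_emails(record: Dict[str, Any]) -> List[str]:
    """Release gate: every e-mail address still present in any string field
    that is not the attacker's sender address. Empty means safe to share."""
    keep = {str(record.get("sender", "")).lower()}
    found: List[str] = []
    for value in record.values():
        if isinstance(value, str):
            found.extend(a for a in EMAIL_RE.findall(value) if a.lower() not in keep)
    return found


# Constructed phishing-incident record; every name, address and hash here is
# made up for this example.
SAMPLE_RECORD = {
    "observed_at": "2016-04-12T09:31:00Z",
    "sender": "invoices@payroll-update.example",
    "recipient": "jane.doe@bank.example",
    "employee_name": "Jane Doe",
    "department": "Treasury Operations",
    "subject": "Updated wire instructions",
    "url": "http://payroll-update.example/login",
    "attachment_sha256": "0" * 64,
    "notes": ("Reported by jane.doe@bank.example; the same lure went to "
              "bob.smith@bank.example. Sender invoices@payroll-update.example "
              "was also seen in a March campaign."),
}

if __name__ == "__main__":
    shared = scrub_indicator(SAMPLE_RECORD)
    print(shared)
    print("still leaking:", leaked_emails(shared))
```

The two-stage shape matters more than the field list: `scrub_indicator` applies the policy, and `leaked_emails` independently checks the result, so a new free-text field added to the record format later is caught by the gate rather than silently shared.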
Costs & Security
• 100% security is impossible, and the cost of countermeasures rises steeply as the level of security approaches it, so compliance-driven security programs must be constrained by cost drivers
Source: Olovsson 1992, “A Structured Approach to Computer Security”
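The checklist under “How Do You Know You’re Secure?” and the cost curve cited here come together in quantitative risk analysis: put a value on the asset, estimate how often the threat materialises and how much of the value each incident destroys, and fund the countermeasures whose reduction in expected loss exceeds what they cost. The following is an added example, not from the original slides or the panelists. The formulas are the standard ones (SLE = asset value x exposure factor, ALE = SLE x ARO); the register entry, dollar figures and reduction estimates are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    """One cataloged threat against one valued asset."""
    name: str
    asset_value: float       # what the asset is worth to the business, in dollars
    exposure_factor: float   # fraction of that value lost per incident, 0..1
    annual_rate: float       # expected incidents per year (ARO)

    def single_loss(self) -> float:
        return self.asset_value * self.exposure_factor       # SLE

    def ale(self) -> float:
        return self.single_loss() * self.annual_rate         # ALE = SLE x ARO


@dataclass(frozen=True)
class Countermeasure:
    """A control with an annual cost and an estimated effect on one risk."""
    name: str
    risk: Risk
    annual_cost: float
    rate_reduction: float = 0.0      # fraction by which it cuts the ARO, 0..1
    exposure_reduction: float = 0.0  # fraction by which it cuts the loss per incident, 0..1

    def residual_ale(self) -> float:
        return (self.risk.asset_value
                * self.risk.exposure_factor * (1 - self.exposure_reduction)
                * self.risk.annual_rate * (1 - self.rate_reduction))

    def net_benefit(self) -> float:
        """Expected loss avoided per year minus the control's annual cost.
        Negative means the control costs more than the risk it removes."""
        return self.risk.ale() - self.residual_ale() - self.annual_cost


def prioritize(controls: List[Countermeasure]) -> List[Countermeasure]:
    """Highest net benefit first: the risk, not the vendor pitch, drives the order."""
    return sorted(controls, key=lambda c: c.net_benefit(), reverse=True)


def worth_funding(controls: List[Countermeasure]) -> List[Countermeasure]:
    """Only the controls that pay for themselves in avoided loss."""
    return [c for c in prioritize(controls) if c.net_benefit() > 0]


# Constructed register entry: a customer NPI database valued at $5M, where a
# breach is estimated to destroy 20% of that value and to occur once a decade.
PII_DATABASE = Risk("customer NPI database breach", 5_000_000, 0.20, 0.10)

CONTROLS = [
    # keys held off the disk: a stolen image yields ciphertext, so loss per incident halves
    Countermeasure("independent key management", PII_DATABASE, 30_000, exposure_reduction=0.50),
    Countermeasure("network DLP monitoring", PII_DATABASE, 120_000, rate_reduction=0.60),
    Countermeasure("staff awareness training", PII_DATABASE, 10_000, rate_reduction=0.25),
]

if __name__ == "__main__":
    print(f"ALE without controls: ${PII_DATABASE.ale():,.0f}")
    for c in prioritize(CONTROLS):
        print(f"{c.name:30s} residual ${c.residual_ale():>9,.0f}  net ${c.net_benefit():>+10,.0f}")
```

With these constructed numbers the DLP product removes the most risk in absolute terms but costs more than the entire annualized loss it addresses, so it drops out; that is the point of the slide, that a control's cost has to be weighed against the risk it actually retires rather than bought because a checklist names it.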
Third Party Risks: Filling the Gaps and Managing Vendors
Panama Papers (March 2016) – 11.5 million documents
How it happened: An anonymous source leaked documents to a German newspaper, which then shared these documents with the International Consortium of Investigative Journalists (ICIJ)
Aftermath: “It allows a never-before-seen view inside the offshore world — providing a day-to-day, decade-by-decade look at how dark money flows through the global financial system, breeding crime and stripping national treasuries of tax revenues” - ICIJ
Panama Papers – Legal Issues/Analysis
Regulations and frameworks triggered
Why were other regulations not triggered?
Panama Papers – Legal Issues/Analysis (cont’d)
What is different when the third-party vendor is not U.S. domiciled?
Does it matter?
Panama Papers (cont’d)
What was done correctly in handling the incident?
Panama Papers (cont’d)
What was done incorrectly in handling the incident?
Vendor Identification and Assessment
• What analysis should be done when selecting a vendor?
Due Diligence on Cyber-Preparedness
– Review public filings, if any
– Search litigation and enforcement history
– Determine if regulators have expressed any concerns with vendor
Vendor Contracting
• What provisions should be included in the vendor contract?
– Protections against unauthorized use, access and disclosure of data (e.g., customer data)
– Complying with breach notification and remediation/mitigation requirements under applicable law
  – Best practice is to have contractual provisions that impose affirmative covenants on vendors
– Compliance with rules on disposal of information/data and media
– Business continuity and disaster recovery
– Maintenance and transfer of records on contract termination/expiration
– Special issues – e.g., vendors’ implementation of anti-money laundering (AML) programs, or appropriate vendor support for financial institution’s AML efforts
Risk Allocation with Vendors
• How should risk be allocated in the vendor contract?
– Require representations, warranties and indemnities focused on cybersecurity issues
– Limitations on liability and carve-outs
  – Contracting discipline in negotiating such limits and carve-outs
  – Importance of contracting policies
– Insurance – Coverage and exclusions
  – Importance of careful drafting so there is recourse to insurance
Ensuring Vendor Compliance
• How to ensure vendor compliance?
Include in contractual obligations and enforce:
– Right of access by audit personnel and examiners
  – E.g., bank service providers subject to examination and administrative action pursuant to Bank Service Company Act (12 U.S.C. § 1867)
– Periodic sharing of vendors’ internal audit reports and regulatory documents
– Same requirements for vendor’s subcontractors
– Specificity regarding compliance with law and regulatory requirements, and notice of non-compliance
How to Test/Validate Compliance with Cybersecurity Requirements
Not all vendors are the same
Audits and assessments at least annually
Other Significant Threat Vectors
• Insiders
• Mobile devices and payments
• Social engineering
• Ransomware
• Nation-states
What and When to Disclose to Regulators
Suggestions/Recommendations 1 of 2
• What legal instruments should be in place to make the experience less painful?
Suggestions/Recommendations 2 of 2
• What legal instruments should be in place to make the experience less painful?
Lessons Learned from the Panama Papers
Future Predictions
What should companies be considering that is on the horizon?
Technologies are always evolving. It’s important that our regulations and policies are not dependent upon the technology.
What should companies be considering that is on the horizon? (cont’d)
Summary/Takeaways
Take Away 1
Compliance is important but security is more so. Since it’s possible to be completely compliant yet insecure, it’s critical to build a comprehensive risk-based security and privacy program that balances risks, costs, vulnerabilities, and threats, rather than the "more security is better" approach.
Take Away 2
Take Away 3
Questions
Contact
Daniel B. Garrie Phone: 855-529-2466 Email: [email protected] [email protected] URL: www.lawandforensics.com
Jeffrey C. Sharer Phone: 312-634-5730 Email: [email protected] URL: www.akerman.com
Nancy L. Perkins Phone: Email: [email protected] URL: www.aporter.com
James Quinn Phone: 201-593-3587 Email: [email protected] URL: www.db.com