Privacy and Cyber Risk staying ahead of emerging trends
April 2015
Agenda
1. Privacy Regulation Landscape
2. Common Causes of Data Privacy Breaches
3. Best Practices for Protecting Personal Data & Complying with Privacy Legislation
Q&A
1. Privacy Regulation Landscape
Background
► It is now over 40 years since Sweden enacted the world's first comprehensive national data privacy legislation, the Data Act of 1973, which set the tone for the growth of national and cross-border privacy regulation.
► Today there are well in excess of 100 nations or autonomous territories with some form of data privacy legislation or regulation, at least 12 of them in Asia, and the number is growing rapidly.
► Not only is the number of nations adopting data privacy legislation growing; the depth and complexity of the legislation is also increasing. Countries that already have data privacy legislation in place are, for example, now adding further requirements around mandatory breach disclosure.
Regulatory Trends
► Mandatory Breach Disclosure (MBD)
  ► Leading data privacy jurisdictions such as Australia, Canada and the EU are either actively planning for, or have enacted, MBD requirements, with significant penalties for non-compliance
► Cross Border Privacy Regulations (CBPR)
  ► Striving for a degree of standardisation of approaches to protecting personal data within a region or economic grouping of nations, e.g. the APEC Cross Border Privacy Rules System
  ► A regulatory onus on organisations within a jurisdiction to ensure that the privacy standards of that jurisdiction are applied to personal data when it is transmitted or used outside the jurisdiction, e.g. Australian Privacy Principle 8
Case Study – Australia
New obligations imposed in 2014 on top of existing regulations. The Privacy Reform brought:
► New Responsibilities
► New Principles
► New Opportunities
► New Powers
Case Study – Australia: New Powers
► The Privacy Commissioner can impose fines of up to AUD 1.7m
► Enhanced powers to initiate "own motion" investigations, without any basis for suspicion
► Organisations need to be able to demonstrate how compliance has been achieved
► The Privacy Commissioner is taking a proactive stance on compliance
Case Study – Australia: New Responsibilities
► Incident management / breach notification
► Third parties and liabilities: legal liability for breaches by vendors / partners
► Public concerns about privacy may have overtaken legal obligations
Case Study – Australia: New Principles
► APP 1 & 5 – Openness, Transparency, Notification: privacy policies and collection statements need to be accurate, explicit and granular
► APP 7 – Direct Marketing (DM): more limitations. Individuals have greater power to opt out and to request that the organisation provide the source of their information
► APP 8 – Cross-border disclosure of personal information: organisations have greater liability for personal customer information that is accessed offshore, even if the data remains on Australian servers
Case Study – Australia: New Opportunities for Impacted Organisations
► Privacy as a differentiator to create / build on a trusted brand
► Big data – what data can be matched internally and externally for greater insights?
► Move to positive reporting of credit data – an opportunity for better customer due diligence
► More permitted uses, e.g. to investigate fraud
► Re-evaluate the use of, and controls over, third parties / vendor management
2. Common Causes of Data Privacy Breaches
Threat Vectors
► Third parties (you are only as strong as the weakest link in your chain):
  ► Third-party leakage of data, whether intentional or unintentional and often through human acts, can have catastrophic impacts for the client organisation
  ► Third-party outsourcers often don't adhere to the same data security control frameworks that you do
  ► Organisations often conduct only cursory assessments of their outsourcers' data security control frameworks, typically by self-assessment and only annually
► Organisations don't always have adequate data protection controls in place, not knowing where their data resides and who has access to it
Threat Vectors
► Increasingly sophisticated cyber attacks:
  ► Conventional perimeter and other cyber defences are proving inadequate to prevent the most determined attacks
  ► Security Operations Centres are overwhelmed with thousands of alerts per day and unable to identify the real attacks among them
  ► Advanced Persistent Threats (APTs) stay undetected in the network, exfiltrating confidential data to the attackers
  ► Scams such as phishing emails are also increasing in sophistication, acting as launch pads to introduce malware into the network
► Employee access controls are inadequate to prevent intentional or unintentional data breaches, especially for privileged users
3. Best Practices for Protecting Personal Data & Complying with Privacy Legislation
Six actions for commercial and sustainable compliance with Privacy legislation
1. Prepare for both a data breach and the resulting questions from the Privacy Regulator
2. Identify and map all personal information collected and handled throughout the information lifecycle to create a Data Inventory
3. Perform a 'three way match' between your policies, business activities and legal requirements / customers' expectations
4. Identify opportunities to better use / gain insights from data: already held by you, or available from other organisations or from individuals themselves
5. Third parties: assess whether they are your weakest link
6. Test the effectiveness of your approach to privacy management
1 – Data breaches are a reality: prepare for the worst case scenario in advance
Case Study: Sony
► Some sort of breach is almost inevitable; there is no such thing as being 100% secure
► The Privacy Commissioner will also examine you, and you'll need to show that reasonably expected controls were in place beforehand
► Breach of information for 100M customers: names, addresses, credit card details, April – June 2011
► 33% decline in share price over the period
Timeline (chart in the original: Sony share price, roughly 20 to 38, plotted against the events below)
1-Jan-11   Start of year
2-Apr-11   "War" announced to bring down as much of Sony's web presence
14-Apr-11  Multiple Sony websites go down
20-Apr-11  Sony shuts down the PlayStation Network
29-Apr-11  Hackers claim to have access to PSN customers' credit card numbers
20-May-11  Phishing site found on a Sony server
2-Jun-11   Attackers announce 1 million user accounts compromised
3-Jun-11   Sony Europe database leaked
5-Jun-11   Sony Pictures Russia database leaked
8-Jun-11   Sony Portugal attacked
20-Jun-11  177k e-mails stolen and leaked from Sony Pictures France
Sources:
http://www.bloomberg.com/news/2011-05-15/sony-attack-shows-amazon-s-cloud-service-lures-hackers-at-pennies-an-hour.html
http://www.makeuseof.com/tag/sony-playstation-network-breach-infographic/
Best Practice
► Smart companies have rehearsed incident management procedures to reduce the severity of breach impact
► Organisations will need to be able to demonstrate how they achieved compliance with legislation
  ► Structured programme to assess and remediate
  ► Tone from the top, clear roles / responsibilities
  ► Staff awareness of the impact of key changes
2 – Data Inventory and the information lifecycle: the foundation of good Privacy Management
► The most common mistake is to underestimate the extent and nature of personal data collected and handled
► It is impossible to adequately protect anything if you don't know where it is
Best Practice
► The first step of any privacy programme is to map all personal data and data flows across the Information Lifecycle to understand:
  ► Volume, type and nature of data
  ► Business processes that access / use the data
  ► Supporting systems, databases and infrastructure
  ► Trans-border transfer and overseas access
► A difficult task: combining top-down and bottom-up analysis is the best approach
The Information Lifecycle: Collection → Use and internal sharing → Disclosure → Retention and disposal
Example: Creation of Personal Information lifecycle and Data Inventory
Creating a personal data inventory is the necessary first step for adequate data protection. The lack of a complete understanding of 'where the data is' is a primary cause of compliance failure.
Overview of key activities: analyse, identify and document the upstream and downstream data flows of data assets through 'known' systems to other locations where Personal Information may reside, by:
► Top-down analysis – understand and document the data lifecycle, commencing with data collection at all points of customer interaction, through analysis of business process documentation (where available), interviews / surveys with business process and system owners, and walkthroughs of end-to-end processes if required.
► Bottom-up analysis – analysis of flows of data assets through review of technical system and interface documentation and, where required, interviews / surveys with key technical stakeholders with knowledge of the relevant systems, to fully understand the flows of PII assets.
Iteratively review and update draft versions of the data inventory and the data flow diagrams, and meet with key stakeholders to agree and finalise them.
3 – Ensure Transparency, Openness and Compliance: with Law and Customer expectations
► Legislation will change what you are allowed to do with personal data
► Public expectations are also rising, given increased concerns and breaches
► Legislation increases obligations over transparency and openness, e.g.
  ► If / where data is transferred to
  ► Activities performed with the data
► Maintaining customer trust is key
Best Practice
► Organisations require greater detail in privacy statements (balanced with readability)
► Organisations should perform a "Three Way Match" between Laws (incl. expectations), Policy Statements and actual activities
► Resolve any exceptions
► Keep accurate and up to date
The Three Way Match:
► What you must / must not do (Regulation)
► What you say you do (Privacy Policy)
► What you actually do (Business activities)
4 – Leverage available data to gain better / increased insights
► Explosion of data available, e.g. through:
  ► Purchasing / spending patterns
  ► Mobile applications
  ► Social media
  ► Behavioural tracking (cookies)
  ► GPS / location tracking
► Obtainable internally or available from third parties and data brokers
► 'Big data' techniques allow analysis and visualisation not previously possible
Best Practices
► Privacy should not be a blocker – early consideration (Privacy by Design) allows issues such as consent and anonymisation to be resolved upfront
► What data can you match internally or externally for greater insight?
(Figure in the original: vendor / employee data visualisation)
5 – Third Parties: are they your weakest link?
► Increasing dependence upon partners, vendors, suppliers and outsourcers and their sub-contractors
► Losing a clear line of sight over where data goes
► 'Out of sight should not be out of mind' – businesses remain liable for any breaches
► 63% of data breaches involved IT outsourcing providers, and almost all the information hackers targeted was personal data (Trustwave 2013 Global Security Report)
Best Practices
► Good privacy management includes:
  ► Identifying all flows of data / access by third parties
  ► Due diligence
  ► Contractual obligations
  ► Definition of specific requirements
  ► Secure transfer of data
  ► Gaining regular assurance
(Figure in the original: data exchanges between the business, its customers and its vendors, suppliers, outsourcers and partners, governed by Third Party Risk Management and Transparency / Openness)
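The data flow mapping described in the data inventory example (action 2) and the identification of third-party flows and offshore access in this section can be driven from one structure. What follows is an added example written for this page; it is not EY's methodology or tooling, and every system, interface, country and data category in it is constructed. It records the top-down view (where each category is first collected) and the bottom-up view (which interfaces carry which categories), walks the interfaces to find every system a category can reach, and then flags offshore hosting or offshore staff access (the APP 8 point: access from overseas counts even when the data stays on home-country servers) and third-party holders. A category that appears on an interface but has no recorded collection point is reported as a mismatch between the two views, which is exactly the gap the iterative review is meant to close.

```python
# Added illustration of the data-flow mapping described on the page; the
# systems, interfaces and data categories below are constructed, not taken
# from any real organisation.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    jurisdiction: str          # country where the system is hosted
    operator: str              # "internal" or the name of the third party running it
    accessed_from: tuple = ()  # countries whose staff can log in remotely


@dataclass(frozen=True)
class Flow:
    src: str                   # system the interface reads from
    dst: str                   # system it writes to
    categories: frozenset      # data categories carried over this interface


class Inventory:
    def __init__(self, systems, flows, collected):
        self.systems = {s.name: s for s in systems}
        self.flows = list(flows)
        self.collected = dict(collected)   # category -> system where first collected

    def holders(self, category):
        """Walk downstream from the collection point along interfaces that carry
        `category`; the result is every system where that data may reside."""
        start = self.collected[category]
        seen, queue = {start}, deque([start])
        while queue:
            cur = queue.popleft()
            for f in self.flows:
                if f.src == cur and category in f.categories and f.dst not in seen:
                    seen.add(f.dst)
                    queue.append(f.dst)
        return seen

    def offshore_exposure(self, category):
        """Holders hosted, or reachable by staff, outside the collection country.
        Overseas access counts even when the data stays on home-country servers."""
        home = self.systems[self.collected[category]].jurisdiction
        exposure = {}
        for name in self.holders(category):
            s = self.systems[name]
            abroad = ({s.jurisdiction} | set(s.accessed_from)) - {home}
            if abroad:
                exposure[name] = abroad
        return exposure

    def third_party_holders(self, category):
        """Which outsourcers end up holding `category`, contract or no contract."""
        return {n: self.systems[n].operator for n in self.holders(category)
                if self.systems[n].operator != "internal"}

    def unmapped_categories(self):
        """Categories seen on an interface (bottom-up) but with no known collection
        point (top-down): the two views disagree and the inventory is incomplete."""
        on_wire = {c for f in self.flows for c in f.categories}
        return sorted(on_wire - set(self.collected))


def example_inventory():
    """Constructed sample: an Australian retailer with an offshore support desk,
    a US e-mail provider and a Singapore-hosted backup service."""
    systems = [
        System("web", "AU", "internal"),
        System("crm", "AU", "internal", accessed_from=("IN",)),
        System("dwh", "AU", "internal"),
        System("mailer", "US", "MailCo"),
        System("backup", "SG", "CloudCo"),
    ]
    flows = [
        Flow("web", "crm", frozenset({"name", "email", "address", "card"})),
        Flow("crm", "dwh", frozenset({"name", "address"})),
        Flow("crm", "mailer", frozenset({"name", "email", "phone"})),
        Flow("dwh", "backup", frozenset({"name", "address"})),
    ]
    collected = {"name": "web", "email": "web", "address": "web", "card": "web"}
    return Inventory(systems, flows, collected)


if __name__ == "__main__":
    inv = example_inventory()
    for cat in sorted(inv.collected):
        print(cat, sorted(inv.holders(cat)), inv.offshore_exposure(cat),
              inv.third_party_holders(cat))
    print("no collection point recorded for:", inv.unmapped_categories())
```

In the constructed sample the card data never leaves Australia but is still flagged, because the CRM is administered from India; the address data reaches a Singapore backup provider through the warehouse, two hops from anything the business team would name in an interview; and "phone" travels to the mailer without any recorded collection point, so the top-down and bottom-up views have to be reconciled before the inventory is finalised.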
6 – Test the effectiveness of your Privacy management framework and controls
► Privacy is a business risk that cannot be ignored
► Compliance cannot be coincidental
► Organisations need to be able to respond to complaints or questions about their approach to privacy management
► If the Privacy Commissioner comes knocking, how will you demonstrate compliance?
Best Practices
► Compliance needs far more than just policies
► Good practice is to assess the effectiveness of controls – through internal or external assurance
(Figure in the original: Privacy Management Framework)
Common mistakes: things to avoid
► Don't think "a breach won't happen to me". It can, it might... it may already have.
► Don't underestimate the complexity of achieving, demonstrating and maintaining compliance. If you haven't started preparing, you may have left it too late.
► Don't treat Privacy management as a 'one-off' process; it needs:
  ► budget, resources and ongoing focus on training / awareness / culture
  ► upfront involvement in new product / service development and ongoing process analysis
  ► regular assurance – internally and at third parties
► Don't manage Privacy in a silo. Integrate it with existing processes such as information security, PCI, Spam / DNCR Act compliance, records management or broader risk management and assurance processes (internal / external).
► Don't hide from the regulator – or your customers – if something goes wrong. Don't think the Privacy Commissioner is still a 'toothless tiger'.
► Don't think your staff are incapable of making 'honest mistakes', or of being careless or malicious... and they are not immune to social engineering.
► Don't automatically think "I can't do that because of the Privacy Act". Research shows that people will gladly trade personal information for products and services, but maintaining trust is critical.
Takeaway: Six questions to ask
1. Do you have a complete and accurate picture of all instances where you collect, handle, store and transfer personal data?
2. What 'big data' opportunities exist to better leverage existing data – and gain greater insights – within the rules?
3. How confident are you that all your partners, suppliers and outsourcers won't expose you to the possibility of reputational loss and a hefty fine?
4. What would you do if you realised a breach had occurred, or when the Commissioner asks how you have achieved compliance?
5. Are you confident that, in all cases, how you handle personal data aligns with what your customers expect and with your legal requirements?
6. What comfort are you giving to the Board and your customers that personal information is being protected?
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory
services. The insights and quality services we deliver help build trust and
confidence in the capital markets and in economies the world over. We
develop outstanding leaders who team to deliver on our promises to all
of our stakeholders. In so doing, we play a critical role in building a better
working world for our people, for our clients and for our communities.
EY refers to the global organization and may refer to one or more of the member
firms of Ernst & Young Global Limited, each of which is a separate legal
entity. Ernst & Young Global Limited, a UK company limited by guarantee,
does not provide services to clients. For more information about our
organization, please visit ey.com.
ⓒ 2015 Ernst & Young Han Young
ⓒ 2015 Ernst & Young Advisory, Inc.
All Rights Reserved.
This material has been prepared for general informational purposes only and is not intended to
be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for
specific advice.
ey.com/kr