Privacy Breaches –
The Private Sector Perspective
Mark S. Hayes
Blake, Cassels & Graydon LLP
PIPA Conference 2008
Calgary, Alberta
November 17, 2008
Summary
• Privacy breaches are messy
• Organization responses to privacy breaches are not models of efficiency and logic
• IPCs can assist organizations, but only if assistance is not viewed as a threat
• If in doubt, do no (more) harm!
Breach Guidelines
• Current guidelines are useful and reasonably practical
• Four-step response plan is a good general guide
• Completely agree with Catherine’s “Things You Wish You’d Done”
– Everything is much easier if proper steps are taken in advance
Breach Notification
• Similarly, advice in documents like B.C.’s “Key Steps For Responding To Privacy Breaches” is of assistance in deciding whether and how to notify
• With minor exceptions, the latest Industry Canada Breach Notification Model has struck the right balance between protection of the public and knee-jerk reactions that cause more harm than good
However…
• All of these guidelines can’t tell people in the trenches what they should do when dealing with a real-life data breach
• Reality of organizations
• Nature of breaches
• Nature of internal responsibilities and responses
A Case Study
• Famous Harvard Business Review case study
– Medium-sized retailer told by police it appears to be the common point of purchase for a large number of fraudulent credit card transactions
– Not clear if the company and its (less than airtight) IT systems are the cause of the apparent data breach
– Customers have come to respect the firm for its straight talk and square deals
– Law enforcement wants them to stay quiet for now
– Reputation at stake; path to preserving it difficult to see
Experts’ Advice
• James E. Lee, ChoicePoint
– Advises early and frank external and internal communications, elimination of security weaknesses, and development of a brand-restoration strategy
• Bill Boni, Motorola
– Stresses prevention: comprehensive risk management, full compliance with PCI standards, putting digital experts on staff, consulting established model response plan and making preserving firm’s reputation
• John Philip Coghlan, formerly of Visa USA
– Recommends swift disclosure to empower consumers to protect themselves against further fraud; might even enhance the company’s reputation for honesty
• Jay Foley, Identity Theft Resource Center
– Recommends quality of communication over speed of delivery; cautious management to prevent data thefts and long-term negative consequences
The Conundrum
• All of this may be good advice, but it is not identical and is sometimes conflicting
– Typical when an organization discovers that it might have experienced a data breach
– Organization often gets much advice and guidance, but no clear answers
• Want to discuss responses to data breaches in the real world
The Real World – Pre-Breach
• Privacy often seen as a small and relatively unimportant compliance requirement
– Not core to the organization
– Handled at a middle management level with periodic reporting to senior management
– Compliance with privacy requirements is the focus
• Most organizations have no serious data breach, or only one
– Only a breach focuses senior management on privacy
The Real World – Dealing With A Breach
• Data breaches are really, really messy
– Incomplete or incorrect information
– Time and resource pressures
– Confusing and contradictory internal and external priorities and policies
– Poor internal coordination of response
– Poor communications
• Often no organized response team or list of internal and external contacts and back-ups
• Fear!
The Real World – Dealing With A Breach
• Multiple risk management priorities
– While organizations have concerns about individuals affected by data breaches, they are also concerned about organizational risk
– Many other risk management priorities in addition to privacy and damage to individuals
– Risk emphasis may depend on the locus of privacy compliance management
• Personal view of the elephant
The Real World – Dealing With A Breach
• Lack of authority (or interest) to respond without senior management approval
• Confusion about responsibility for security as opposed to privacy
– Especially true for IT security
– CPO may have little knowledge of, or influence on, IT security procedures, even in an urgent situation
• Most often internal resources are not sufficient
– Obtaining expert assistance takes time and money; often both are in short supply
The Real World – Dealing With A Breach
• Many data breaches involve more than one organization
• Ability to investigate and respond to a breach is not solely in the control of the organization
– Service providers
– Subsidiaries and affiliates
– Business partners (e.g. credit card issuers)
• Contracts may not allow the organization to control how to deal with the breach, even though it may have most of the risk and responsibility
• Internal resources and priorities at other organizations may conflict
Why Does This Matter?
• Policy makers and regulators should be sensitive to organizational dynamics
– Organizations are not monoliths, but individuals who are sometimes struggling
• Guidelines are useful, but as a starting point only
– “Take reasonable steps” does not provide much assistance in the middle of a tornado
• Each situation must be understood on the basis of the dynamics of the organization
Why Does This Matter?
• Regulators must often try to support the CPO
• Usually a friend of privacy but often caught amongst many competing interests
– Board of directors
– Senior management
– Other employees
– Customers
– Investors
– Outside advisors
– Media
Why Does This Matter?
• Regulators must understand the role fear and distrust play in the relationship with organizations
– New people often involved in data breach response
• Especially applicable to the decision to notify the regulator about data breaches
– Concern that disclosure will create liability
– Concern about access to information requests
• If compulsory notification is instituted, organizations must have assurances about potential uses of the information
Do No (More) Harm
• Bottom line for organizations and regulators
• While quick action is required, any action before the facts are known can make things worse
– Must avoid making the response to privacy breaches part of the problem
• Understanding of the risks resulting from a breach is crucial, but can take some time
• While guidelines are useful, there are very few “hard and fast” rules that will apply in all situations
Questions?
For a digital copy of these slides, just ask!
mark.hayes@blakes.com
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Experts' Advice
• James E. Lee, ChoicePoint
– Advises early and frank external and internal communications, elimination of security weaknesses, and development of a brand-restoration strategy
• Bill Boni, Motorola
– Stresses prevention: comprehensive risk management, full compliance with PCI standards, putting digital experts on staff, consulting established model response plan and making preserving firm's reputation
• John Philip Coghlan, formerly of Visa USA
– Recommends swift disclosure to empower consumers to protect themselves against further fraud; might even enhance the company's reputation for honesty
• Jay Foley, Identity Theft Resource Center
– Recommends quality of communication over speed of delivery; cautious management to prevent data thefts and long-term negative consequences
The Conundrum
• All of this may be good advice, but it is not identical and is sometimes conflicting
– Typical when an organization discovers that it might have experienced a data breach
– Organization often gets much advice and guidance, but no clear answers
• Want to discuss responses to data breaches in the real world
The Real World – Pre-Breach
• Privacy often seen as a small and relatively unimportant compliance requirement
– Not core to the organization
– Handled at a middle management level with periodic reporting to senior management
– Compliance with privacy requirements is the focus
• Most organizations have no, or at most one, serious data breach
– Only a breach focuses senior management on privacy
The Real World – Dealing With A Breach
• Data breaches are really, really messy
– Incomplete or incorrect information
– Time and resource pressures
– Confusing and contradictory internal and external priorities and policies
– Poor internal coordination of response
– Poor communications
• Often no organized response team or list of internal and external contacts and back-ups
• Fear!
The Real World – Dealing With A Breach
• Multiple risk management priorities
– While organizations have concerns about individuals affected by data breaches, they are also concerned about organizational risk
– Many other risk management priorities in addition to privacy and damage to individuals
– Risk emphasis may depend on the locus of privacy compliance management
• Personal view of the elephant
The Real World – Dealing With A Breach
• Lack of authority (or interest) to respond without senior management approval
• Confusion about responsibility for security as opposed to privacy
– Especially true for IT security
– CPO may have little knowledge of, or influence on, IT security procedures, even in an urgent situation
• Most often internal resources are not sufficient
– Obtaining expert assistance takes time and money; often both are in short supply
The Real World – Dealing With A Breach
• Many data breaches involve more than one organization
• Ability to investigate and respond to a breach is not solely in the control of the organization
– Service providers
– Subsidiaries and affiliates
– Business partners (e.g. credit card issuers)
• Contracts may not allow the organization to control how to deal with the breach, even though it may carry most of the risk and responsibility
• Internal resources and priorities at other organizations may conflict
Why Does This Matter?
• Policy makers and regulators should be sensitive to organizational dynamics
– Organizations are not monoliths, but individuals who are sometimes struggling
• Guidelines are useful, but as a starting point only
– “Take reasonable steps” does not provide much assistance in the middle of a tornado
• Each situation must be understood on the basis of the dynamics of the organization
Why Does This Matter?
• Regulators must often try to support the CPO
• Usually a friend of privacy, but often caught amongst many competing interests
– Board of directors
– Senior management
– Other employees
– Customers
– Investors
– Outside advisors
– Media
Why Does This Matter?
• Regulators must understand the role fear and distrust play in the relationship with organizations
– New people often involved in data breach response
• Especially applicable to the decision to notify the regulator about data breaches
– Concern that disclosure will create liability
– Concern about access to information requests
• If compulsory notification is instituted, organizations must have assurances about the potential uses of the information
Do No (More) Harm
• Bottom line for organizations and regulators
• While quick action is required, any action before the facts are known can make things worse
– Must avoid making the response to a privacy breach part of the problem
• Understanding of the risks resulting from the breach is crucial, but can take some time
• While guidelines are useful, there are very few “hard and fast” rules that will apply in all situations
Questions?
For a digital copy of these slides, just ask! mark.hayes@blakes.com