Addressing Privacy, Security and
Evolving Data Breach Obligations
Presented By: Lisa Abe-Oldenburg
Regulatory Compliance for Financial Institutions
November 20, 2014
Addressing Privacy, Security and
Evolving Data Breach Obligations
1. Evolution of Payments Technology and Risk
2. Responding to Data Breaches – Understanding the
changes to Canadian Data breach notification law
3. Organizational Data Practices
4. Due Diligence of Third Parties
Evolution of Payments Technology and Risk
• Storage, provisioning and management of card credentials and
other personal information
• Movement from NFC to Cloud-based software and databases
NFC Model
• ID stored locally/physically (e.g.
cards and chips)
• Complex issuance
• TSM and Secure Element
ecosystem
• Standards based
• Transactions treated as "Card
Present"
Cloud Model
• ID stored centrally/online (app on
device with data connection)
• Simpler issuance
• No standards or security model yet
fully defined
• Transactions treated as "Card Not
Present"
Evolution of Payments Technology and Risk
• PCI DSS, EMV and ISO standards provide some security,
reliability and interoperability
• Compliance vs. Security
• Contracts to be reviewed – existing and new
• Security also impacted by equipment, premises, personnel,
processes
• Risk at point of data collection, storage, use, disclosure, transfer
• Transitioning to third parties (e.g. end of term, sale of business,
outsourcing, subcontracting, affiliates) & knowledge transfer by
employees
• Big data issues
• Must deal with changes to technology and risk over time
Third party risk
Problem:
• loss of control, risk of liability, data breaches and leaks
• You remain responsible for your outsourcers
Resolution:
• Keep core business and data in-house or encrypted
• Need reports, notification, testing, monitoring, management oversight,
auditing, control, return, change process, confidentiality, security,
segregation, export controls, disaster and continuity/recovery
planning, early termination
• Have clear service/security level requirements; consider benchmarking
• Negotiate limitations on liability and disclaimers, warranties and
indemnities, guarantees, hold-backs, alternative dispute resolution,
performance bonds, insurance
• Thresholds of risk tolerance will affect negotiations
Risk Analysis
• Examine all stages: asset transfer, new development or technology
implementation, testing phase, transitioning in phase,
operational/services phase, transitioning out phase, business
continuity/disaster management, etc.
• Construct a responsibilities matrix to clarify each party’s
obligations and dependencies (e.g. on other parties)
• Analyze what could go wrong at each stage
• Assess risks, liabilities and remedies
• Business operational risk, financial risk, regulatory compliance risk,
liability risk, reputational risk
Risk Mitigation
• Preparation is key to prevention of data loss or breach
• Due diligence and risk assessments
• Internal governance structures and policies in place
• Know the business (data assets), points of access/control
• Consult with all stakeholders and legal counsel
• Legal contracts in place with terms that address risk, risk
mitigation, compliance and security
Responding to Data Breaches
• What are your legal obligations if there is a data breach?
• Note, this presentation only covers data breaches in the private sector
and not breaches with respect to public sector, health or employee
information.
• Under federal private sector privacy law, PIPEDA, breach
notification is currently voluntary - to notify individuals of
breaches involving their personal information, or to notify the
OPC
Responding to Data Breaches (cont.)
• The Canadian Data Breach Guidelines, drafted in 2007 in
consultation with commissioners' offices, advocacy groups and
representatives from industry, encourage organizations to:
• Contain the breach and conduct a preliminary assessment of what
occurred;
• Evaluate the risks associated with the breach;
• Notify the parties affected by the breach;
• Take adequate steps to ensure that such an incident does not recur in
the future.
Responding to Data Breaches (cont.)
• The OPC encourages organizations to notify the office or
appropriate provincial privacy commissioners of “material”
breaches of security safeguards that involve personal
information—determining whether a breach is “material”
involves, among other considerations, assessing the sensitivity
of personal information and the number of individuals affected.
• PIPEDA does include requirements around adequately
safeguarding personal information through the use of
physical, technological and organizational measures.
• Absence of “appropriate” controls resulting in breaches
currently does not trigger any regulatory consequences, such as
fines or penalties.
Responding to Data Breaches (cont.)
• Proposed amendments to Canada's federal privacy legislation
(PIPEDA) under Bill S-4 (Digital Privacy Act) will require
businesses and organizations to track data breaches and report
them to individuals and the OPC if it is reasonable in the
circumstances to believe that the breach creates a real risk of
significant harm to an individual
• The Bill sets out factors to assess risk, requirements for the
content and timing of the notification and record keeping
requirements of all breaches
• Also an obligation to report to other organizations or
government if risk could be reduced
• Non-compliance would be punishable by fines of up to
$100,000
Responding to Data Breaches (cont.)
• The Bill also gives new powers to the privacy commissioner to:
• negotiate voluntary but binding compliance agreements with
organizations that commit to taking action on privacy violations;
• extend the period within which a complainant may apply to the
Federal Court of Canada to order compliance or award damages; and
• release information about non-compliant organizations if it is in the
public interest.
Responding to Data Breaches (cont.)
• Alberta enacted amendments to its private sector Personal
Information Protection Act (PIPA) to address incidents involving
the “loss of or unauthorized access to or disclosure of the personal
information” including mandatory breach reporting.
• SCC decision (Alberta (Information and Privacy Commissioner)
v. United Food and Commercial Workers, Local 401, 2013 SCC
62) struck down Alberta's PIPA in its entirety as unconstitutional
• Declaration of invalidity was stayed for 12 months (to Nov. 15
2014) in order to provide enough time to legislators to decide how
to make this act constitutional
• Motion to extend suspension filed by AG of Alberta on Oct. 1, 2014
• SCC granted 6 month extension on Oct 30 2014
Responding to Data Breaches (cont.)
• Other provinces, e.g. Ontario, New Brunswick and Newfoundland
and Labrador, only require breach notification with respect to
personal health information.
• Alberta PIPA requires notice to the province’s Privacy
Commissioner of loss of, or unauthorized access to, personal
information under the organizations' control - only if a
reasonable person would consider that there exists a real risk of
significant harm to an individual. Commissioner decides
whether individuals should be notified.
Responding to Data Breaches (cont.)
• “real risk of harm” must be more than merely speculative and
not simply hypothetical or theoretical. A breach relating to
highly sensitive personal information, such as financial
information, is more likely to meet this standard and require
reporting.
• The commissioner has interpreted “significant harm” to mean
“a material harm...[having] non-trivial consequences or effects.
Examples may include possible financial loss, identity theft,
physical harm, humiliation or damage to one’s professional or
personal reputation.”
Responding to Data Breaches (cont.)
• Manitoba recently enacted Personal Information Protection
and Identity Theft Prevention Act (PIPITPA) – private sector
law (Bill 211) not yet in force (awaiting proclamation)
• PIPITPA will generally require breach notification to an
individual directly if personal information is lost, accessed or
disclosed without authorization – no harm threshold
• Also fines of up to $10,000 for individual and $100,000 for
other persons (companies) guilty of an offence under PIPITPA
Responding to Data Breaches (cont.)
• PIPITPA will also create a private right of action for an
individual to sue an organization for damages arising from its
failure to:
• protect personal information that is in its custody or control; or
• provide reasonable notice if the organization was not satisfied that the
lost, stolen or accessed information would be used lawfully.
• In Québec, the Commission d'accès à l'information du Québec ("CAI"), in
its 2011 Quinquennial Report entitled "Technology and Privacy, in a Time
of Societal Choices", recommends including, in both its public sector and
private sector data protection laws, mandatory security breach reporting.
• Jurisdictions outside Canada may have extraterritorial implications, e.g.
California has its own breach notification law
Organizational Data Practices
• Designate privacy and technology officers to ensure
compliance under Canadian and foreign laws
• Consult with the regulators when in doubt about systems
and privacy policies
• Have a data breach protocol plan in place - how to notify,
who, and when? E.g. the regulators, individuals, ASAP
• Limit access to electronic records to a need-to-know basis
and password protect; control dissemination of apps
• Draft and keep records of proper consents prior to
collecting, using or disclosing any personal information or
providing apps
Organizational Data Practices (cont.)
• Identify purposes for the collection, use and disclosure, and
limit collection, use and disclosure to those purposes, which
must be reasonable
• Develop, implement and review privacy and security
policies, CASL policy (see new CRTC Bulletin 2014-326),
technology policy, including procurement, software, BYOD
and services policies
• Train employees and get acknowledgments
• Protect personal information and data from theft,
modification, and unauthorized access
Organizational Data Practices (cont.)
• Keep personal information only for as long as reasonable to
carry out the business or legal purpose or as required by law
and destroy or anonymize records once no longer needed
• Develop a procedure for information requests/access,
correction and deletion
• Review and revise all contracts with third parties to ensure
obligations flow through
• “Stress test” data and app operations - privacy and data
policies can be a marketing opportunity
• After a data breach occurs, comply with data breach
guidelines and notification requirements
• Offer credit monitoring to clients
Due Diligence of Third Parties
• Policies, procedures and standards, privacy, security and data
practices
• Governance, Board and C-suite involvement/priorities
• Promises, commitments, warranties, contracts
• Technology and facilities
• Certification
• Contingency capability
• People, management, training, supervision, minimum proficiency
levels
• Legislative and regulatory compliance
• References, history of breaches, attacks, business interruptions and
reporting
• Foreign legal, political, economic and social implications
Contract Due Diligence and Terms to Negotiate
• Data and personal information
• Costs, insurance, change management (e.g. in legislation)
• Obligations, duties, restrictions and controls
• Ownership and transferability of data; proper consents,
tracking, monitoring and data storage
• Service/performance levels
• Breadth of warranties, indemnities, given and received
• Disclaimers and limitations on liability - exclusions
• Audit rights (technology and security), reporting
• Force Majeure
• Subcontracting and affiliates
• Territories and legal jurisdiction
• Assignment, change of control
• Term, termination, remedies
Confidentiality and Security Terms
• Confidentiality and security standards
• Which party has responsibility for protection mechanisms?
• Who owns the data?
• Definition of confidential information of each party
• Scope of information to be protected?
• Background checks of employees and subcontractors
• Training obligations
• Powers of each party to change security procedures and
requirements?
Confidentiality and Security Terms
• Obligations:
• non-disclosure of other party’s confidential info
• technologically isolate customer data and records at all times
• location of records and data storage
• security/retention
• return/destruction
• exclusions, e.g. permitted disclosures
• notification and mitigation
• Term for each obligation
• Liability for losses if security breach
• Injunctive remedies
• Notification of potential or actual security breaches
Confidentiality and Security Terms
• Third party validation, audit of procedures, policies and
practices
• Requirements of OSFI guidelines
• Security controls, firewalls, compliance person
• Record return and destruction
• Privacy and security policies, compliance with laws/regs
• Termination and survival
Privacy Terms
• Specify which party shall be responsible for obtaining the
necessary consents
• Who should retain control over data management
• Both parties to comply with all privacy requirements
• Handling of specific requests, corrections, etc.
• Retention time limits and protecting the personal information
• Specify protection, encryption, security and segregation of the
personal information
• Require appropriate notices
• Include warranties and covenants that reflect applicable privacy
laws’ compliance, during term of contract, transitioning and
thereafter
Privacy Terms
• Restrict use of data only for specific purposes – for which consent was
obtained
• Prohibit subcontracting, assignment (without consent)
• Require agreements with employees, subcontractors, affiliates
• Deal with limited/authorized access, use, disclosure, retention
periods, disposal, audit and inspection rights and training of all
relevant employees
• Require compliance with applicable laws and customer privacy,
security and data management policies
• Consider other provisions such as termination, survival, remedies,
indemnities
Privacy Terms
• Consider retention of personal information in Canada
• Restrict cross-border data flow, require storage and processing
in specified countries
• Segregate any personal info from non-personal data
• Isolate any data that may be subject to disclosure
• Deal with potential conflicts between foreign and Canadian
privacy laws
Summary of Best Practices and Tips
• Insist on provider transparency: participants/subcontractors,
jurisdictions, data flow and processing, type of cloud and who
has access
• Engage all organizational teams that may have input to the
protection of privacy and security, e.g. operational,
procurement, contracts negotiation, privacy, employment
(HR), compliance, audit, insurance, IT, security, risk, Board
of Directors
• Directors' liability for breach of their duties in risk
management and oversight
• Have proper testing, plans and policies in place
• Get early involvement of experienced legal counsel
Lisa K. Abe-Oldenburg, B.Comm., J.D.
Abe-oldenburgL@bennettjones.com
Tel.: 416-777-7475
www.bennettjones.com
• This presentation contains statements of general principles and not legal
opinions and should not be acted upon without first consulting a lawyer
who will provide analysis and advice on a specific matter.

Privacy Security Data Breach - Regulatory Compliance for Financial Institutions Nov 20 2014 Canadian Institute

  • 1. Addressing Privacy, Security and Evolving Data Breach Obligations Presented By: Lisa Abe-Oldenburg Regulatory Compliance for Financial Institutions November 20, 2014
  • 2. Addressing Privacy, Security and Evolving Data Breach Obligations 1. Evolution of Payments Technology and Risk 2. Responding to Data Breaches – Understanding the changes to Canadian Data breach notification law 3. Organizational Data Practices 4. Due Diligence of Third Parties
  • 3. Evolution of Payments Technology and Risk • Storage, provisioning and management of card credentials and other personal information • Movement from NFC to Cloud-based software and databases NFC Model • ID stored locally/physically (e.g. cards and chips) • Complex issuance •TSM and Secure Element ecosystem • Standards based •Transactions treated as "Card Present" Cloud Model • ID stored centrally/online (app on device with data connection) • Simpler issuance • No standards or security model yet fully defined •Transactions treated as "Card Not Present"
  • 4. Evolution of Payments Technology and Risk • PCI DSS, EMV and ISO standards provide some security, reliability and interoperability • Compliance vs. Security • Contracts to be reviewed – existing and new • Security also impacted by equipment, premises, personnel, processes • Risk at point of data collection, storage, use, disclosure, transfer • Transitioning to third parties (e.g. end of term, sale of business, outsourcing, subcontracting, affiliates) & knowledge transfer by employees • Big data issues • Must deal with changes to technology and risk over time
  • 5. Third party risk Problem: • loss of control, risk of liability, data breaches and leaks • You remain responsible for your outsourcers Resolution: • Keep core business and data in-house or encrypted • Need reports, notification, testing, monitoring, management oversight, auditing, control, return, change process, confidentiality, security, segregation, export controls, disaster and continuity/recovery planning, early termination • Have clear service/security level requirements; consider benchmarking • Negotiate limitations on liability and disclaimers, warranties and indemnities, guarantees, hold-backs, alternative dispute resolution, performance bonds, insurance • Thresholds of risk tolerance will affect negotiations
  • 6. Risk Analysis • Examine all stages: asset transfer, new development or technology implementation, testing phase, transitioning in phase, operational/services phase, transitioning out phase, business continuity/disaster management, etc. • Construct a responsibilities matrix to clarify each party’s obligations and dependencies (e.g. on other parties) • Analyze what could go wrong at each stage • Assess risks, liabilities and remedies • Business operational risk, financial risk, regulatory compliance risk, liability risk, reputational risk
  • 7. Risk Mitigation • Preparation is key to prevention of data loss or breach • Due diligence and risk assessments • Internal governance structures and policies in place • Know the business (data assets), points of access/control • Consult with all stakeholders and legal counsel • Legal contracts in place with terms that address risk, risk mitigation, compliance and security
  • 8. Responding to Data Breaches • What are your legal obligations if there is a data breach? • Note, this presentation only covers data breaches in the private sector and not breaches with respect to public sector, health or employee information. • Under federal private sector privacy law, PIPEDA, breach notification is currently voluntary - to notify individuals of breaches involving their personal information, or to notify the OPC
  • 9. Responding to Data Breaches (cont.) • The Canadian Data Breach Guidelines drafted in 2007 in consultation with commissioners' offices, advocacy groups and representatives from industry, encourage organizations to: • Contain the breach and conduct a preliminary assessment of what occurred; • Evaluate the risks associated with the breach; • Notify the parties affected by the breach; • Take adequate steps to ensure that such an incident does not recur in the future.
  • 10. Responding to Data Breaches (cont.) • The OPC encourages organizations to notify the office or appropriate provincial privacy commissioners of “material” breaches of security safeguards that involve personal information—determining whether a breach is “material” involves, among other considerations, assessing the sensitivity of personal information and the number of individuals affected. • PIPEDA does include requirements around adequately safeguarding personal information through the use of physical, technological and organizational measures. • Absence of “appropriate” controls resulting in breaches currently does not trigger any regulatory consequences, such as fines or penalties.
11. Responding to Data Breaches (cont.)
• Proposed amendments to Canada's federal privacy legislation (PIPEDA) under Bill S-4 (Digital Privacy Act) will require businesses and organizations to track data breaches and report them to individuals and the OPC if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual
• The Bill sets out factors to assess risk, requirements for the content and timing of the notification, and record-keeping requirements for all breaches
• Also an obligation to report to other organizations or government if the risk could be reduced
• Non-compliance would be punishable by fines of up to $100,000
12. Responding to Data Breaches (cont.)
• The Bill also gives new powers to the privacy commissioner to:
  • negotiate voluntary but binding compliance agreements with organizations that commit to taking action on privacy violations;
  • extend the period within which a complainant may apply to the Federal Court of Canada to order compliance or award damages; and
  • release information about non-compliant organizations if it is in the public interest.
13. Responding to Data Breaches (cont.)
• Alberta enacted amendments to its private sector Personal Information Protection Act (PIPA) to address incidents involving the “loss of or unauthorized access to or disclosure of the personal information”, including mandatory breach reporting.
• The SCC decision in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62 struck down Alberta's PIPA in its entirety as unconstitutional
• The declaration of invalidity was stayed for 12 months (to Nov. 15, 2014) in order to give legislators enough time to decide how to make the act constitutional
• Motion to extend the suspension filed by the AG of Alberta on Oct. 1, 2014
• SCC granted a 6-month extension on Oct. 30, 2014
14. Responding to Data Breaches (cont.)
• Other provinces, e.g. Ontario, New Brunswick and Newfoundland and Labrador, only require breach notification with respect to personal health information.
• Alberta PIPA requires notice to the province’s Privacy Commissioner of loss of, or unauthorized access to, personal information under the organization's control, but only if a reasonable person would consider that there exists a real risk of significant harm to an individual. The Commissioner decides whether individuals should be notified.
15. Responding to Data Breaches (cont.)
• A “real risk of harm” must be more than merely speculative and not simply hypothetical or theoretical. A breach relating to highly sensitive personal information, such as financial information, is more likely to meet this standard and require reporting.
• The Commissioner has interpreted “significant harm” to mean “a material harm...[having] non-trivial consequences or effects. Examples may include possible financial loss, identity theft, physical harm, humiliation or damage to one’s professional or personal reputation.”
16. Responding to Data Breaches (cont.)
• Manitoba recently enacted the Personal Information Protection and Identity Theft Prevention Act (PIPITPA), a private sector law (Bill 211) not yet in force (awaiting proclamation)
• PIPITPA will generally require breach notification to an individual directly if personal information is lost, accessed or disclosed without authorization; there is no harm threshold
• Also fines of up to $10,000 for an individual and $100,000 for other persons (companies) guilty of an offence under PIPITPA
17. Responding to Data Breaches (cont.)
• PIPITPA will also create a private right of action for an individual to sue an organization for damages arising from its failure to:
  • protect personal information that is in its custody or control; or
  • provide reasonable notice if the organization was not satisfied that the lost, stolen or accessed information would be used lawfully.
• In Québec, the Commission d'accès à l'information du Québec ("CAI"), in its 2011 Quinquennial Report entitled "Technology and Privacy, in a Time of Societal Choices", recommends including mandatory security breach reporting in both its public sector and private sector data protection laws.
• Jurisdictions outside Canada may have extraterritorial implications, e.g. California has its own breach notification law
18. Organizational Data Practices
• Designate privacy and technology officers to ensure compliance under Canadian and foreign laws
• Consult with the regulators when in doubt about systems and privacy policies
• Have a data breach protocol plan in place: how to notify, whom (e.g. the regulators, individuals) and when (ASAP)
• Limit access to electronic records to a need-to-know basis and password protect; control dissemination of apps
• Draft and keep records of proper consents prior to collecting, using or disclosing any personal information or providing apps
19. Organizational Data Practices (cont.)
• Identify purposes for the collection, use and disclosure, and limit collection, use and disclosure to those purposes, which must be reasonable
• Develop, implement and review privacy and security policies, CASL policy (see new CRTC Bulletin 2014-326) and technology policy, including procurement, software, BYOD and services policies
• Train employees and get acknowledgments
• Protect personal information and data from theft, modification and unauthorized access
20. Organizational Data Practices (cont.)
• Keep personal information only for as long as reasonable to carry out the business or legal purpose, or as required by law, and destroy or anonymize records once no longer needed
• Develop a procedure for information requests/access, correction and deletion
• Review and revise all contracts with third parties to ensure obligations flow through
• “Stress test” data and app operations; privacy and data policies can be a marketing opportunity
• After a data breach occurs, comply with data breach guidelines and notification requirements
• Offer credit monitoring to clients
21. Due Diligence of Third Parties
• Policies, procedures and standards; privacy, security and data practices
• Governance, Board and C-suite involvement/priorities
• Promises, commitments, warranties, contracts
• Technology and facilities
• Certification
• Contingency capability
• People, management, training, supervision, minimum proficiency levels
• Legislative and regulatory compliance
• References, history of breaches, attacks, business interruptions and reporting
• Foreign legal, political, economic and social implications
22. Contract Due Diligence and Terms to Negotiate
• Data and personal information
• Costs, insurance, change management (e.g. in legislation)
• Obligations, duties, restrictions and controls
• Ownership and transferability of data; proper consents, tracking, monitoring and data storage
• Service/performance levels
• Breadth of warranties and indemnities, given and received
• Disclaimers and limitations on liability; exclusions
• Audit rights (technology and security), reporting
• Force majeure
• Subcontracting and affiliates
• Territories and legal jurisdiction
• Assignment, change of control
• Term, termination, remedies
23. Confidentiality and Security Terms
• Confidentiality and security standards
• Which party has responsibility for protection mechanisms?
• Who owns the data?
• Definition of confidential information of each party
• Scope of information to be protected?
• Background checks of employees and subcontractors
• Training obligations
• Powers of each party to change security procedures and requirements?
24. Confidentiality and Security Terms
• Obligations:
  • non-disclosure of the other party’s confidential info
  • technologically isolate customer data and records at all times
  • location of records and data storage
  • security/retention
  • return/destruction
  • exclusions, e.g. permitted disclosures
  • notification and mitigation
• Term for each obligation
• Liability for losses in the event of a security breach
• Injunctive remedies
• Notification of potential or actual security breaches
25. Confidentiality and Security Terms
• Third party validation; audit of procedures, policies and practices
• Requirements of OSFI guidelines
• Security controls, firewalls, compliance person
• Record return and destruction
• Privacy and security policies, compliance with laws/regs
• Termination and survival
26. Privacy Terms
• Specify which party shall be responsible for obtaining the necessary consents
• Who should retain control over data management
• Both parties to comply with all privacy requirements
• Handling of specific requests, corrections, etc.
• Retention time limits and protecting the personal information
• Specify protection, encryption, security and segregation of the personal information
• Require appropriate notices
• Include warranties and covenants that reflect compliance with applicable privacy laws during the term of the contract, during transitioning and thereafter
27. Privacy Terms
• Restrict use of data only to the specific purposes for which consent was obtained
• Prohibit subcontracting and assignment (without consent)
• Require agreements with employees, subcontractors, affiliates
• Deal with limited/authorized access, use, disclosure, retention periods, disposal, audit and inspection rights, and training of all relevant employees
• Require compliance with applicable laws and customer privacy, security and data management policies
• Consider other provisions such as termination, survival, remedies, indemnities
28. Privacy Terms
• Consider retention of personal information in Canada
• Restrict cross-border data flow; require storage and processing in specified countries
• Segregate any personal info from non-personal data
• Isolate any data that may be subject to disclosure
• Deal with potential conflicts between foreign and Canadian privacy laws
29. Summary of Best Practices and Tips
• Insist on provider transparency: participants/subcontractors, jurisdictions, data flow and processing, type of cloud and who has access
• Engage all organizational teams that may have input into the protection of privacy and security, e.g. operational, procurement, contracts negotiation, privacy, employment (HR), compliance, audit, insurance, IT, security, risk, Board of Directors
• Directors' liability for breach of their duties in risk management and oversight
• Have proper testing, plans and policies in place
• Get early involvement of experienced legal counsel
30. Lisa K. Abe-Oldenburg, B.Comm., J.D.
Abe-oldenburgL@bennettjones.com
Tel.: 416-777-7475
www.bennettjones.com
• This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.