The document summarizes key points from a presentation on privacy for tech startups. It discusses why privacy is important for startups to consider, providing practical information security controls startups can implement, and new privacy principles from the GDPR that startups should be aware of. Some highlights include: - Privacy should be a priority from the start and can help startups win trust among users and investors. - Practical security controls include encrypting data, patching systems, training employees, and monitoring for vulnerabilities. - The GDPR introduces new principles like data protection by design, security of processing, breach notification requirements, data protection impact assessments, and data protection officers.

1. Privacy for Tech Startups
Barcelona KnowledgeNet
June, 18 - 2014
#iappbcn

2. IAPP Presentation
•Marc Gallardo: Why is Privacy important for a Startup?
•Jay Libove: Practical Information Security controls for Startups
•Victor Roselló: New Privacy Principles for Startups
PART 1: Keynotes
•Marta Ruiz (Air Products)
•Tiago Henrique (opscaling, gnuine)
•Ferran Julià (Undertile)
PART 2: Panel
Q & A session
Program

3. IAPP Presentation

4.  Founded in 2000
 Over 15,000 members in 83 countries
 Largest privacy association in the world
 IAPP Europe – created to address the specific needs
of European data protection professionals – counts
almost 2,000 members
IAPP

5. Members’ opportunities
EDUCATE NETWORK CERTIFY

6. Educational resources
IAPP publications keep members up to date on
the latest privacy and data protection news
worldwide.

7. Online community
 IAPP Privacy List
 Web Conferences
 Social Buzz
 Blogs and Website
Resource Center
Samples, Tools and Templates
Privacy Research
Career Center
IAPP Articles and Presentations
Privacy Glossary
Data Protection Authorities
Privacy Discussions

8. Connecting the industry
More than a professional association, the IAPP provides
a home for privacy professionals around the world to
share experiences—working to promote career readiness
and improve job effectiveness

9. Setting the industry standard
IAPP certification is the global standard for privacy
and data protection professionals.
• Launched nearly 10 years ago, the CIPP has become the preeminent
credential in the field of privacy and educates on privacy laws and
regulations (variants /US, /E, /CA, /G)
• The CIPM training demonstrates how to embed privacy into an
organization through process and technology
• The CIPT is the world’s only privacy certification designed for IT, security
and engineering pros

10. Privacy for Tech Startups
In short, think of privacy as a good opportunity
to win trust among users and customers

11. Common attitude of startup founders
Privacy and Data Security is usually not a
priority from the start !
Respecting Privacy and safeguarding data is a
core value and a trust enabler for your
customers & investors

12. Privacy attitudes of consumers
• The need to protect
personal data online
is a consumer priority
against the benefits of
convenient online
services

13. EMC Privacy Index - June 12, 2014
 15.000 consumers from 15 countries
 Three Paradoxes emerged:
• “We want it all”
• “Take no action”
• “Social Sharing”
 Viewpoints on privacy vary by persona

14. Be proactive & go beyond compliance
• Make privacy top of mind: consumers do
care and investors are concerned
• Know your data
• Be fully transparent:
- Simplify the language
- Use ‘transparency statements’
- Do as your privacy notice says
• Secure your data and train your people

15. Thank you!
marc.gallardo@lexing.es
@marc_gallardo

16. Practical Information Security
controls for Startups
Or, how to get some useful Data Protection
while helping your business …

17. Practical Approach to Privacy
• We have a bad habit in Spain
– DP viewed as legal exercise, not business enabler*
– L.O.P.D. trailer on website is (not) enough
• .. And as much as imitation is the sincerest form of flattery…
• So, why would you bother? †
• Focus on business: Do security and get compliance
– Don’t do “compliance for compliance’s sake”
– Do well with practical DP, and if/when you have a problem, you
have some defence
• Information Security is a part of Privacy/DP, necessary but not
sufficient

18. Organizational
• Don’t put privacy/DPO in your Legal department *
• Make sure your outside counsel understands your
business! **
• Do have an internal IT leader
• Have department heads meet regularly, as a group,
with your privacy leader (cross-pollenate disciplines)
• Fund professional memberships and
training/certifications (such as my CISSP, CIPP, CISM) †

19. Policies, Procedures* (philosophy)
• Privacy by Default/ Privacy by Design (operationalize)
• Privacy Impact Assessments (operationalize)
• Limit your IT Footprint, & only buy what you’ll use
• Re-Use, standardise – don’t reinvent †
– Open source, commercial Libraries
– OWASP libraries
– Commercial Emailer services
• Stay on Supported Versions

20. Policies, Procedures* (philosophy, cont’d)
• Use 2-Factor/ Multi-Factor/ Strong/ Two-Step
authentication wherever practical
• Leverage Amazon AWS IAM and similar
• Know Before You Go (learn before using, especially
OAuth)
• Insurance (general business, also “Cyber”)*
• Procedures, Checklists for when people leave your
company
• Change Management

21. Awareness
• People, Process and Technology
– Acceptable Use Policy
• Subscribe everyone in your company to
– SANS OUCH*, and/or
– CyberHeist† newsletter, and/or
– Front Page of the New York Times, El Mundo, …
• Test your people
– Phishing email test
– Not just .EXE attachments, but .PDF, even . JPG, .MP3*
– USB drive left sitting around with autorun binary on it, …
• Check your Credit Card & Bank statements carefully

22. USB phishing test
• Particularly if your company is Ayatollah, Inc.

23. Techie Things To Do
• Change default passwords!
• Encrypt everywhere where it’s easy to do
– Disks, Android & iOS mobile devices
– Network traffic (Web SSL, VPN)
– Wi-Fi infrastructure
– VoIP / SIP gateways
• do Backups*,**
• run Anti-Virus
• have Vulnerability awareness/ perform Patching

24. Techie Things To Do (cont’d)
• UAC, sudo – Don’t compute as Root!
• install Microsoft EMET
• if you create Windows code, opt-in to
– DEP, SEHOP, SafeSEH, ASLR
• buy (and use!) a UTM appliance
• enable Logging (& direct to different server)*
• consider subscribing to Anti-DDoS protection
• give your CFO a separate computer to do on-line banking…

25. Patching, Vulnerability awareness
(desktop/client)
• Windows – WSUS, InTune *
• Secunia SmallBusiness* (beta), LANDesk Patch Manager*,
BeyondTrust Retina free 256-IP edition
• Deploy everything you can with auto-updating
– More attacks come against apps today than against
platforms
– But make sure you trust the software vendor†
• Choose commonly used, actively maintained products

26. Patching, Vulnerability awareness
(server)
• Canonical (ubuntu) Landscape*, RedHat
Network*
• Qualys free online vulnerability scan
• Auto-updating may not be appropriate
(but vulnerability management is still critical)
• Have a Test environment
– Use it for testing patches too

27. Some Great Free Tools
• LastPass † (Freemium model)
• Android, iOS Device Encryption*
• WSUS
• NTP
• SSH, RDP
• Microsoft EMET
• Windows Firewall, Linux iptables

28. More Great Free Tools
• OWASP code libraries (ESAPI)
• File Vault 2, TrueCrypt, BitLocker*, Windows
8.1 Device Encryption †
• Google Mobile Device Management
• EFF’s “HTTPS Everywhere” (Firefox, Chrome,
Opera)**

29. … and some Not-So-Great “Free” tools
• Pirated software is NEVER a good idea
– It’s illegal, and it should go without saying that you
should not do illegal things
– You don’t others to steal YOUR stuff
– Pirated software very often comes with “extras”
• Viruses, Trojan horses
• Back doors, Spyware

30. Synergies
• Use the Cloud †
– AWS EC2 ELB, etc provides
security front-end
– Cloud SaaS (anti-virus,
IT management; converged
services – buy one, more
available for small add-on cost)
– Backup (Mozy*, Carbonite, …)

31. Targeted Training
• Developers – to avoid common tech errors
– Re-review the OWASP Top 10 every year
– Send one or two top developers to SANS training
• Marketing – to avoid creepy/annoying uses
– Meet with people like your presenters today
• Data Protection Official (IAPP CIPP, CIPM, CIPT!)

32. Human Things to To
• Use Bookmarks/Favorites
– no typos, can include https:// explicitly

33. Thank you!
Jay Libove
libove@felines.org

34. New Privacy principles
for Tech Startups
So, what’s next?

35. • Data protection by design & by default (art. 23).
• Security of processing (art. 30).
• Data breach notification to DPA (art. 31) & to DS (art. 32).
• Data Protection Impact Assessment (art. 33).
• Data Protection Officer (art. 35).
GDPR “new” principles

36. DP by design
•Data controller and processor.
• At the time of purposes and means determination.
• Appropriate and proportionate technical and organizational
measures.
• Ensure data subject rights.
• Entire lifecycle.
• Accuracy, confidentiality, integrity, physical security and
deletion of personal data.
DP by default
• No personal data processing beyond the minimum
necessary for a predetermined purpose.
Data protection by design & by default

37. • A level appropriate to the risks. Nature of processing and of
personal data (DPIA).
• Integrity, confidentiality, availability and resilience of
systems.
• Reliable Back up process.
• Sensitive information?
• PII only accessed by authorized personnel.
• PII protected against accidental or unlawful destruction.
Security of processing

38. To DPA
• No undue delay.
• Nature of breach (categories and number of PII affected).
• DPO contact details.
• Measures recommended to mitigate effects.
• Consequences.
• Describe measures taken to mitigate effects.
• Document and public register.
To DS
• Notification to DS in case of adverse affect to personal data
and privacy.
• Comprehensive and clear plain language.
Breach notification to DPA and DS

39. • Analyze potential risks (more than 5000 DS in 12-month
period, sensitive PII).
• Description of processing operations and purposes of
processing.
• Proportionality in relation to purposes.
• Risks to DS rights.
• How to minimize PII to be processed.
• Security measures.
• Data retention period.
• DP by design and by default.
• Categories and recipients of personal data.
• Data transfers to third countries.
• Context of data processing.
Data Protection Impact Assessment

40. • More than 5000 DS in 12-month period.
• Regular and systematic monitoring of DS.
• Special categories of PD.
• Inform and advise controller of processor.
• Monitor and implement policies, train staff and audit.
• DP by design and by default.
• Data breaches.
• DPIA.
• Co-operate with DPA.
• At least two years term. Might be reappointed. Employee or
external contractor.
Data Protection Officer

41. Thank you!
vrosello@esferalegal.cat
@vic_rosello

42. Panel

43. Presentation

44. 1.- Privacy as a competitive advantage

45. 2.- Preparing for a data breach

46. 3.- Supplier governance

47. 4.- S.O.S. Compliance Team

49. Thank you!