SlideShare una empresa de Scribd logo
1 de 60
Descargar para leer sin conexión
Privacy & Pwnage
Privacy, Data Breaches and Lessons for Security Pros
Nicholas Van Exan
A Few Disclaimers
• I’m a lawyer.
• I’m not your lawyer.
• This is not legal advice.
• If you have legal questions specific to your
business, get in touch with your legal counsel.
Overview
• Main Sources of Privacy Law re Data Breaches
• PIPEDA
• The Ashley Madison Hack
• What’s New: Digital Privacy Act + GDPR
• Common Law
• Trends & Recent Developments
• Intrusion Upon Seclusion
• Home Depot: A Counterpoint to Ashley Madison
• Key Takeaways for Security Pros
Sources of Privacy Law re
Data Breaches
• Statutory Law
• Federally: PIPEDA
• Provincially: B.C. PIPA, AB PIPA, Quebec Act Respecting the Protection of
Personal Information in the Private Sector, etc.
• Internationally: GDPR
• Common Law
• Tort (Negligence, Breach of Confidence, Intrusion Upon Seclusion, Public
Disclosure of Private Facts, etc.)
• Contract (e.g. privacy policies, controller / processor agreements)
• Waiver of Tort
** We’ll focus on bolded items today
PIPEDA
Application
• Application (s. 4)
• Applies to every organization in respect of
personal information that the organization
collects, uses or discloses in the course of
commercial activities
• But see s. 26(2): substantially similar legislation
Personal Information
• Personal Information => information about an
identifiable individual
• Information is about an identifiable individual
where there is a "serious possibility" that an
individual could be identified through the use of
that information, alone or in combination with
other available information.
• PI can range from more to less sensitive
Principles
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting use, disclosure,
retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance
Safeguards
• 4.7 - Principle 7 (Safeguards)
• Personal information shall be protected by security
safeguards appropriate to the sensitivity of the information.
• The security safeguards shall protect personal information
against loss or theft, as well as unauthorized access, disclosure,
copying, use, or modification. Organizations shall protect
personal information regardless of the format in which it is held.
• The nature of the safeguards will vary depending on the
sensitivity of the information that has been collected, the amount,
distribution, and format of the information, and the method of
storage. More sensitive information should be safeguarded by a
higher level of protection.
Breach Defined
• Breach of security safeguards =>
• the loss of, unauthorized access to or
unauthorized disclosure of personal
information that either results from a breach of
an organization’s administrative, technical or
physical security safeguards or from a failure
to establish those safeguards.
The Ashley Madison Hack
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Timeline
• July 15, 2015: notified by “The Impact Team” it
had been hacked - threat to expose PI if AM not
shut down
• July 20, 2015: after media reports, ALM reported
breach to OPC
• August 18-20, 2015: Impact Team publishes PI
for 36 million accounts
Attack Strategy
• The attackers’ initial path of intrusion involved
the compromise and use of an employee’s valid
account credentials
• The attacker then used those credentials to
access ALM’s corporate network and
compromise additional user accounts and
systems
Attack Strategy
• The attacker took a number of steps to avoid detection and to obscure its
tracks. For example…
• accessed the VPN network via a proxy service that allowed it to ‘spoof’
a Toronto IP address
• accessed the ALM corporate network over a long period of time in a
manner that minimized unusual activity or patterns in the ALM VPN
logs that could be easily identified
• once the attacker gained administrative access, it deleted logs to
further cover its tracks
• ALM was unable to fully determine the path the attacker took but believes
that the attacker had some level of access to ALM’s network for at
least several months before its presence was discovered in July 2015
Several. Months.
Several.
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Safeguards
• Nature of information: account information,
profile information, billing information
• OPC: assessment of level of security safeguards
required should not focus solely on financial risk
• OPC: must also consider physical and social
well-being at stake, including potential impacts
on relationships and reputational risks,
embarrassment or humiliation.
“Harm to reputation is a potentially high-
impact risk as it can affect an individual’s long
term ability to access and maintain
employment, critical relationships, safety, and
other necessities depending on the nature of
the information held… even information that in
isolation might be regarded as innocuous in
a different context (such as names or email
addresses) can take on a more sensitive
nature when connected with the Ashley
Madison website.”
Key Facts / Findings
• ALM could have reasonably foreseen that the disclosure
of the information held by it to an unauthorized person, or to
the world at large, could have significant adverse
consequences for the many people who could be identified
• Discretion and security were marketed and highlighted
to its users as a central part of the service it offered and
undertook to provide, in particular on the Ashley Madison
website
• At the time of the data breach, the front page of the Ashley
Madison website included a series of trust-marks which
suggested a high level of security and discretion
100%!
When was the last time you had a
100% guarantee of anything, let
alone information security?
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Key Facts / Findings
• At the time of the incident, ALM did not have documented
information security policies or practices for managing
network permissions
• ALM did undertake patch management and quarterly
vulnerability assessments as required for an organization to
accept payment card information (to be PCI-DSS compliant).
However, it could not provide evidence that it had undertaken
any structured assessment of the overall threats facing it, or
that it had assessed its information security framework
through standard exercises such as internal or external
audits or evaluations.
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Key Facts / Findings
• ALM noted that prior to the breach, it had, at one
point, considered retaining external cybersecurity
expertise to assist in security matters, but
ultimately elected not to do so
• ALM did not implement multi-factor authentication
=> “Given the risks to individuals’ privacy faced
by ALM, ALM’s decision not to implement
multi-factor authentication for administrative
remote access in these circumstances is a
significant concern.”
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Conclusions / Key Takeaways
• ALM did not have appropriate safeguards in place considering the sensitivity
of the personal information under PIPEDA
• Security framework was lacking the following key elements:
• documented information security policies or practices, as a
cornerstone of fostering a privacy and security aware culture including
appropriate training, resourcing and management focus;
• an explicit risk management process — including periodic and pro-
active assessments of privacy threats, and evaluations of security practices
to ensure ALM’s security arrangements were, and remained, fit for purpose;
and
• adequate training to ensure all staff (including senior management) were
aware of, and properly carried out, their privacy and security obligations
appropriate to their role and the nature of ALM’s business.
Aftermath
• ALM suffered very public investigation by OPC
and is now subject to compliance obligations /
undertakings
• ALM is also now subject of $750,000,000 class
action in Canada
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
But that was then and
this is now.
And things are about to
get a lot more real
(legislatively speaking)
Hold on to your Sprite website…
Coming Soon to PIPEDA: 

Data Breach Notification Requirements
• Amendments to PIPEDA via Digital Privacy Act will create new
mandatory breach notification requirements:
• organizations must keep records of any breach of security
safeguards - must be produced to OPC if requested
• if reasonable to believe breach creates a real risk of
significant harm to individual, organization must report breach
to the OPC as soon as 'feasible' after the org determines a
breach has occurred
• the organization must also notify the individual if it is reasonable
to believe that the breach creates a real risk of significant
harm to the individual - must also be made as soon as feasible
The General Data Protection
Regulation (GDPR)
GDPR
• The EU's new omnibus data protection law
• Set to replace the existing 20-year-old Data
Protection Directive 95/46/ec on May 25, 2018
• Huge fines and penalties - up to $20 million or
4% of company revenue, whichever is higher!
GDPR
• Also has data breach notification requirements:
• Article 33 requires controllers to notify the
appropriate supervisory authority of the personal
data breach "without undue delay" and in any
event within 72 hours of learning about a breach
• Article 34 requires controllers to notify data subjects
of breaches "[w]hen the personal data breach is
likely to result in a high risk [to] the rights and
freedoms of individuals". Data subjects must also
be notified of the breach "without undue delay."
GDPR
• A data controller does not have to provide notice to data subjects,
however, if:
• the controller has implemented appropriate technical and
organizational protection measures, and those measures were
applied to the personal data affected by the personal data breach, in
particular those that render the personal data unintelligible to any
person who is not authorised to access it, such as encryption;
• has taken subsequent measures which ensure that the high risk to the
rights and freedoms of data subjects is no longer likely to materialise; or
• it would involve disproportionate effort. In such a case, there shall
instead be a public communication or similar measure whereby the
data subjects are informed in an equally effective manner.
The GDPR has extra-territorial application and
Canadian businesses can be subject to it.
Common Law
Trends & Recent
Developments
• Historically at common law there was no specific
cause of action for invasion of privacy
• Basic principle of civil liability that one must
prove actual harm, compensable in damages,
before requiring someone else to pay for a
commitment of a wrong
• This all changed in 2012 with ONCA’s landmark
ruling in Jones v. Tsige
Intrusion Upon Seclusion
• To succeed in a claim for intrusion upon seclusion, one
must demonstrate:
• an intentional act (which includes recklessness);
• an invasion, without lawful justification, of the plaintiff's
private affairs or concerns; and
• a reasonable person would regard the invasion as highly
offensive causing distress, humiliation or anguish.
• Personal and sensitive nature of the information and lawful
justification are key issues
Intrusion Upon Seclusion
• Proof of harm to a recognized economic
interest is not an element of the cause of
action
• Given the intangible nature of the interest
protected, damages for intrusion upon seclusion
will ordinarily be measured by a modest
conventional sum
• But… damages should be sufficient to "mark the
wrong that has been done"
Trends
• Increase in privacy class actions since 2013
• Being fuelled by novel claims of intrusion upon
seclusion and waiver of tort
• Potentially large awards
• Less barriers to certification
Some Recent Hacking Cases
• Maksimovic v. Sony - $1 billion claim
• Settlement providing for various benefits, depending in part on an
individual’s account type, as well as ability to prove harm and obtain up to
$2,500 out of pocket costs, and counsel fee $265,000.
• Lozanski v. Home Depot - $500 million claim
• Court approved settlement, value of $400,000
• Shore v. Avid Life - $750 million claim
• Pending
• Zuckerman v. Target Corporation
• Class action was certified earlier this year
Home Depot

A Counterpoint to Ashley Madison
Home Depot
• April 11 - September 13, 2014: Home Depot’s
card payment system was hacked by criminals
who used custom malware to access customer
information at self-checkout terminals
• September 9, 2014: Home Depot notified OPC
and Privacy Commissioners in Alberta, B.C. and
Quebec
• Also issued press releases and directly notified
500,000 potentially affected customers
Home Depot
• Home Depot apologized for breach, confirmed
removal of malware and assured customers they
would not have to pay for fraudulent charges to
their accounts
• Also offered free credit monitoring and identity
theft insurance
• Class actions commenced in Ontario,
Saskatchewan, B.C., Newfoundland and Quebec
Home Depot
• National Settlement reached April 25, 2016
• Terms of settlement:
• Home Depot agreed to create $250,000 settlement
fund to compensate any documented losses arising
from breach, max of $5,000 per claimant
• Also agreed to pay for credit monitoring up to a
maximum of $250,000 and to cover costs of
notifying class members and administering the fund
Home Depot
• Court approved the settlement and assessed maximum
value of settlement at $400,000
• Noted that case was very weak:
• breach was due to criminal hackers, not wrongdoing
by Home Depot
• Home Depot openly and promptly notified customers
and sought to lessen potential harm arising from
breach
• Little documented losses
“Home Depot… responded in a responsible,
prompt, generous, and exemplary fashion to
the criminal acts perpetrated on it by the
computer hackers”
Home Depot
• Home Depot was also subject to class action
litigation by certain banks and other financial
institutions
• March 8, 2017: settlement agreement was
submitted for court approval
• Home Depot agreed to pay $25 million to a
settlement fund
Home Depot
• Home Depot also agreed that for 2 years it would adopt and
implement measures to reduce risks of future data breach:
• safeguards to manage risks identified through data security
risk assessments, tracked and managed using a risk exception
process that involves Home Depot leadership and is reviewed
on an annual basis;
• annually assess, including with on-site visits, service providers
and vendors with access to payment card information to
validate compliance with security practices; and
• design and implement an industry recognized security control
framework
Takeaways
• Home Depot shows that it can be helpful even in
absence of data breach notification requirements
to adopt proactive measures to notify and assist
potentially affected individuals
• Timely notification can be helpful in mitigating
liability - need to look at your security protocols to
ensure you can react swiftly in event of breach
• Timely detection is also important to limit potential
class size
Takeaways
• Super important to have a comprehensive data
security incident response plan (“IRP”) and a
trained incident response team
• IRPs = written plans designed to enable an
organization to respond to data security
incidents in a way that minimizes harm, reduces
recovery time and costs, and allows the
organization to benefit from lessons learned
Takeaways
• IRP basic requirements:
• identify the incident response team members and
their respective roles and responsibilities
• set out the procedures they should follow to
respond to and recover from a data security
incident
• cover all phases of a data security incident:
discovery, containment, recovery, post-recovery
investigation / review and report
Takeaways
• IRP best practices:
• Keep it short, simple, actionable, practicable
• Follow guidance from regulators
• Plan for legal privilege protection
• Include procedures for record keeping,
evidence collection and notification (to public
and regulators)
Takeaways
• Pay special attention to sensitive PI => ensure it is
encrypted, anonymous or at least pseudonymous
• Conduct routine pen testing
• Advocate for active management of security findings to
compliance
• Ensure data breaches are discovered as early as
possible
• Ensure systems / procedures in place to report data
breaches as soon as possible
Thanks!
• More questions / resources?
• http://nicholasvanexan.com

Más contenido relacionado

La actualidad más candente

Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...
Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...
Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...centralohioissa
 
Managing and insuring cyber risk - coverage of insurance policies
Managing and insuring cyber risk - coverage of insurance policiesManaging and insuring cyber risk - coverage of insurance policies
Managing and insuring cyber risk - coverage of insurance policiesIISPEastMids
 
Implementing an Information Security Program
Implementing an Information Security ProgramImplementing an Information Security Program
Implementing an Information Security ProgramRaymond Cunningham
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianPECB
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgInformation Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgEric Vanderburg
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber securityIT Governance Ltd
 
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model RulesData Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model Rulessaurnou
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response PlanNext Dimension Inc.
 
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best PracticesSEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best PracticesKroll
 
Cybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys todayCybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys todayDan Michaluk
 
Data Loss: Derelication of Duties?
Data Loss: Derelication of Duties?Data Loss: Derelication of Duties?
Data Loss: Derelication of Duties?Napier University
 
Privacy experience in Plone and other open source CMS
Privacy experience in Plone and other open source CMSPrivacy experience in Plone and other open source CMS
Privacy experience in Plone and other open source CMSInteraktiv
 
How Do You Create A Successful Information Security Program Hire A Great Iso!!
How Do You Create A Successful Information Security Program  Hire A Great Iso!!How Do You Create A Successful Information Security Program  Hire A Great Iso!!
How Do You Create A Successful Information Security Program Hire A Great Iso!!Tammy Clark
 
Protecting Client Data 11.09.11
Protecting Client Data 11.09.11Protecting Client Data 11.09.11
Protecting Client Data 11.09.11pdewitte
 
Ci2 cyber insurance presentation
Ci2 cyber insurance presentationCi2 cyber insurance presentation
Ci2 cyber insurance presentationEthan S. Burger
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age padler01
 
Privacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam CompliancePrivacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam ComplianceDan Michaluk
 
Information Security and Privacy - Public Sector actions, policies and regula...
Information Security and Privacy - Public Sector actions, policies and regula...Information Security and Privacy - Public Sector actions, policies and regula...
Information Security and Privacy - Public Sector actions, policies and regula...The University of Texas (UTRGV)
 

La actualidad más candente (20)

Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...
Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...
Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...
 
Managing and insuring cyber risk - coverage of insurance policies
Managing and insuring cyber risk - coverage of insurance policiesManaging and insuring cyber risk - coverage of insurance policies
Managing and insuring cyber risk - coverage of insurance policies
 
Implementing an Information Security Program
Implementing an Information Security ProgramImplementing an Information Security Program
Implementing an Information Security Program
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgInformation Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber security
 
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model RulesData Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response Plan
 
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best PracticesSEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
SEC OCIE - Cybersecurity Focus Areas, Guidance, and Best Practices
 
Cybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys todayCybersecurity and data loss - It's not just about lost USB keys today
Cybersecurity and data loss - It's not just about lost USB keys today
 
Data Loss: Derelication of Duties?
Data Loss: Derelication of Duties?Data Loss: Derelication of Duties?
Data Loss: Derelication of Duties?
 
The general data protection act overview
The general data protection act overviewThe general data protection act overview
The general data protection act overview
 
Privacy experience in Plone and other open source CMS
Privacy experience in Plone and other open source CMSPrivacy experience in Plone and other open source CMS
Privacy experience in Plone and other open source CMS
 
How Do You Create A Successful Information Security Program Hire A Great Iso!!
How Do You Create A Successful Information Security Program  Hire A Great Iso!!How Do You Create A Successful Information Security Program  Hire A Great Iso!!
How Do You Create A Successful Information Security Program Hire A Great Iso!!
 
The Basics of Cyber Insurance
The Basics of Cyber InsuranceThe Basics of Cyber Insurance
The Basics of Cyber Insurance
 
Protecting Client Data 11.09.11
Protecting Client Data 11.09.11Protecting Client Data 11.09.11
Protecting Client Data 11.09.11
 
Ci2 cyber insurance presentation
Ci2 cyber insurance presentationCi2 cyber insurance presentation
Ci2 cyber insurance presentation
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
 
Privacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam CompliancePrivacy, Data Security and Anti-Spam Compliance
Privacy, Data Security and Anti-Spam Compliance
 
Information Security and Privacy - Public Sector actions, policies and regula...
Information Security and Privacy - Public Sector actions, policies and regula...Information Security and Privacy - Public Sector actions, policies and regula...
Information Security and Privacy - Public Sector actions, policies and regula...
 

Similar a Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros

The Insider Threat
The Insider ThreatThe Insider Threat
The Insider ThreatPECB
 
Privacy law-update-whitmeyer-tuffin
Privacy law-update-whitmeyer-tuffinPrivacy law-update-whitmeyer-tuffin
Privacy law-update-whitmeyer-tuffinWhitmeyerTuffin
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachJim Brashear
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3Meg Weber
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurityIT Governance Ltd
 
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018Next Dimension Inc.
 
CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15E Andrew Keeney
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2TechSoup Canada
 
74 x9019 bea legal slides short form ged12.12.16
74 x9019 bea legal slides short form ged12.12.1674 x9019 bea legal slides short form ged12.12.16
74 x9019 bea legal slides short form ged12.12.16Glenn E. Davis
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...Financial Poise
 
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...PECB
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyAnatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyResilient Systems
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a bytelgcdcpas
 
CYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMSCYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMSScott Suhy
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016centralohioissa
 
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be SecuredCountdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be SecuredPrecisely
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Asad Zaman
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...- Mark - Fullbright
 
David doughty presentation 181119
David doughty presentation 181119David doughty presentation 181119
David doughty presentation 181119David Doughty
 

Similar a Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros (20)

The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 
Privacy law-update-whitmeyer-tuffin
Privacy law-update-whitmeyer-tuffinPrivacy law-update-whitmeyer-tuffin
Privacy law-update-whitmeyer-tuffin
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data Breach
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurity
 
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
 
CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15
 
Cybersecurity Workshop
Cybersecurity Workshop Cybersecurity Workshop
Cybersecurity Workshop
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
 
74 x9019 bea legal slides short form ged12.12.16
74 x9019 bea legal slides short form ged12.12.1674 x9019 bea legal slides short form ged12.12.16
74 x9019 bea legal slides short form ged12.12.16
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
 
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyAnatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The Ugly
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a byte
 
CYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMSCYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMS
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
 
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be SecuredCountdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured
Countdown to CCPA: 48 Days Until Your IBM i Data Needs to Be Secured
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
 
David doughty presentation 181119
David doughty presentation 181119David doughty presentation 181119
David doughty presentation 181119
 

Último

ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...Anadi Tewari
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Dr. Oliver Massmann
 
Patents and AI: Current Tools, Future Solutions
Patents and AI: Current Tools, Future SolutionsPatents and AI: Current Tools, Future Solutions
Patents and AI: Current Tools, Future SolutionsAurora Consulting
 
An introduction to Indian Contract Act, 1872 by Shraddha Pandit
An introduction to Indian Contract Act, 1872 by Shraddha PanditAn introduction to Indian Contract Act, 1872 by Shraddha Pandit
An introduction to Indian Contract Act, 1872 by Shraddha PanditSHRADDHA PANDIT
 
The Ultimate Guide to Drafting Your Separation Agreement with a Template
The Ultimate Guide to Drafting Your Separation Agreement with a TemplateThe Ultimate Guide to Drafting Your Separation Agreement with a Template
The Ultimate Guide to Drafting Your Separation Agreement with a TemplateBTL Law P.C.
 
Classification of Contracts in Business Regulations
Classification of Contracts in Business RegulationsClassification of Contracts in Business Regulations
Classification of Contracts in Business RegulationsSyedaAyeshaTabassum1
 
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdfIslamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdfNo One
 
xLran: Open source AI for legal hackers.
xLran: Open source AI for legal hackers.xLran: Open source AI for legal hackers.
xLran: Open source AI for legal hackers.mike689707
 
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...SHRADDHA PANDIT
 

Último (10)

ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
ArtificiaI Intelligence based Cyber Forensic Tools: Relevancy and Admissibili...
 
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
Corporate Sustainability Due Diligence Directive (CSDDD or the EU Supply Chai...
 
Patents and AI: Current Tools, Future Solutions
Patents and AI: Current Tools, Future SolutionsPatents and AI: Current Tools, Future Solutions
Patents and AI: Current Tools, Future Solutions
 
An introduction to Indian Contract Act, 1872 by Shraddha Pandit
An introduction to Indian Contract Act, 1872 by Shraddha PanditAn introduction to Indian Contract Act, 1872 by Shraddha Pandit
An introduction to Indian Contract Act, 1872 by Shraddha Pandit
 
Criminalizing Disabilities & False Confessions
Criminalizing Disabilities & False ConfessionsCriminalizing Disabilities & False Confessions
Criminalizing Disabilities & False Confessions
 
The Ultimate Guide to Drafting Your Separation Agreement with a Template
The Ultimate Guide to Drafting Your Separation Agreement with a TemplateThe Ultimate Guide to Drafting Your Separation Agreement with a Template
The Ultimate Guide to Drafting Your Separation Agreement with a Template
 
Classification of Contracts in Business Regulations
Classification of Contracts in Business RegulationsClassification of Contracts in Business Regulations
Classification of Contracts in Business Regulations
 
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdfIslamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
Islamabad High Court Judges wrote a letter to Supreme Judicial Council.pdf
 
xLran: Open source AI for legal hackers.
xLran: Open source AI for legal hackers.xLran: Open source AI for legal hackers.
xLran: Open source AI for legal hackers.
 
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
Women and the World of Climate Change- A Conceptual Foundation by Shraddha Pa...
 

Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros

  • 1. Privacy & Pwnage Privacy, Data Breaches and Lessons for Security Pros Nicholas Van Exan
  • 2. A Few Disclaimers • I’m a lawyer. • I’m not your lawyer. • This is not legal advice. • If you have legal questions specific to your business, get in touch with your legal counsel.
  • 3. Overview • Main Sources of Privacy Law re Data Breaches • PIPEDA • The Ashley Madison Hack • What’s New: Digital Privacy Act + GDPR • Common Law • Trends & Recent Developments • Intrusion Upon Seclusion • Home Depot: A Counterpoint to Ashley Madison • Key Takeaways for Security Pros
  • 4. Sources of Privacy Law re Data Breaches • Statutory Law • Federally: PIPEDA • Provincially: B.C. PIPA, AB PIPA, Quebec Act Respecting the Protection of Personal Information in the Private Sector, etc. • Internationally: GDPR • Common Law • Tort (Negligence, Breach of Confidence, Intrusion Upon Seclusion, Public Disclosure of Private Facts, etc.) • Contract (e.g. privacy policies, controller / processor agreements) • Waiver of Tort ** We’ll focus on bolded items today
  • 6. Application • Application (s. 4) • Applies to every organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities • But see s. 26(2): substantially similar legislation
  • 7. Personal Information • Personal Information => information about an identifiable individual • Information is about an identifiable individual where there is a "serious possibility" that an individual could be identified through the use of that information, alone or in combination with other available information. • PI can range from more to less sensitive
  • 8. Principles • Accountability • Identifying Purposes • Consent • Limiting Collection • Limiting use, disclosure, retention • Accuracy • Safeguards • Openness • Individual Access • Challenging Compliance
  • 9. Safeguards • 4.7 - Principle 7 (Safeguards) • Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. • The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held. • The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.
  • 10. Breach Defined • Breach of security safeguards => • the loss of, unauthorized access to or unauthorized disclosure of personal information that either results from a breach of an organization’s administrative, technical or physical security safeguards or from a failure to establish those safeguards.
  • 13. Timeline • July 15, 2015: notified by “The Impact Team” it had been hacked - threat to expose PI if AM not shut down • July 20, 2015: after media reports, ALM reported breach to OPC • August 18-20, 2015: Impact Team publishes PI for 36 million accounts
  • 14. Attack Strategy • The attackers’ initial path of intrusion involved the compromise and use of an employee’s valid account credentials • The attacker then used those credentials to access ALM’s corporate network and compromise additional user accounts and systems
  • 15. Attack Strategy • The attacker took a number of steps to avoid detection and to obscure its tracks. For example… • accessed the VPN network via a proxy service that allowed it to ‘spoof’ a Toronto IP address • accessed the ALM corporate network over a long period of time in a manner that minimized unusual activity or patterns in the ALM VPN logs that could be easily identified • once the attacker gained administrative access, it deleted logs to further cover its tracks • ALM was unable to fully determine the path the attacker took but believes that the attacker had some level of access to ALM’s network for at least several months before its presence was discovered in July 2015
  • 19. Safeguards • Nature of information: account information, profile information, billing information • OPC: assessment of level of security safeguards required should not focus solely on financial risk • OPC: must also consider physical and social well-being at stake, including potential impacts on relationships and reputational risks, embarrassment or humiliation.
  • 20. “Harm to reputation is a potentially high- impact risk as it can affect an individual’s long term ability to access and maintain employment, critical relationships, safety, and other necessities depending on the nature of the information held… even information that in isolation might be regarded as innocuous in a different context (such as names or email addresses) can take on a more sensitive nature when connected with the Ashley Madison website.”
  • 21. Key Facts / Findings • ALM could have reasonably foreseen that the disclosure of the information held by it to an unauthorized person, or to the world at large, could have significant adverse consequences for the many people who could be identified • Discretion and security were marketed and highlighted to its users as a central part of the service it offered and undertook to provide, in particular on the Ashley Madison website • At the time of the data breach, the front page of the Ashley Madison website included a series of trust-marks which suggested a high level of security and discretion
  • 22. 100%!
  • 23. When was the last time you had a 100% guarantee of anything, let alone information security?
  • 25. Key Facts / Findings • At the time of the incident, ALM did not have documented information security policies or practices for managing network permissions • ALM did undertake patch management and quarterly vulnerability assessments as required for an organization to accept payment card information (to be PCI-DSS compliant). However, it could not provide evidence that it had undertaken any structured assessment of the overall threats facing it, or that it had assessed its information security framework through standard exercises such as internal or external audits or evaluations.
  • 27. Key Facts / Findings • ALM noted that prior to the breach, it had, at one point, considered retaining external cybersecurity expertise to assist in security matters, but ultimately elected not to do so • ALM did not implement multi-factor authentication => “Given the risks to individuals’ privacy faced by ALM, ALM’s decision not to implement multi-factor authentication for administrative remote access in these circumstances is a significant concern.”
  • 29. Conclusions / Key Takeaways • ALM did not have appropriate safeguards in place considering the sensitivity of the personal information under PIPEDA • Security framework was lacking the following key elements: • documented information security policies or practices, as a cornerstone of fostering a privacy and security aware culture including appropriate training, resourcing and management focus; • an explicit risk management process — including periodic and pro- active assessments of privacy threats, and evaluations of security practices to ensure ALM’s security arrangements were, and remained, fit for purpose; and • adequate training to ensure all staff (including senior management) were aware of, and properly carried out, their privacy and security obligations appropriate to their role and the nature of ALM’s business.
  • 30. Aftermath • ALM suffered very public investigation by OPC and is now subject to compliance obligations / undertakings • ALM is also now subject of $750,000,000 class action in Canada
  • 32. But that was then and this is now.
  • 33. And things are about to get a lot more real (legislatively speaking)
  • 34. Hold on to your Sprite website…
  • 35. Coming Soon to PIPEDA: 
 Data Breach Notification Requirements • Amendments to PIPEDA via Digital Privacy Act will create new mandatory breach notification requirements: • organizations must keep records of any breach of security safeguards - must be produced to OPC if requested • if reasonable to believe breach creates a real risk of significant harm to individual, organization must report breach to the OPC as soon as 'feasible' after the org determines a breach has occurred • the organization must also notify the individual if it is reasonable to believe that the breach creates a real risk of significant harm to the individual - must also be made as soon as feasible
  • 36. The General Data Protection Regulation (GDPR)
  • 37. GDPR • The EU's new omnibus data protection law • Set to replace the existing 20-year-old Data Protection Directive 95/46/ec on May 25, 2018 • Huge fines and penalties - up to $20 million or 4% of company revenue, whichever is higher!
  • 38. GDPR • Also has data breach notification requirements: • Article 33 requires controllers to notify the appropriate supervisory authority of the personal data breach "without undue delay" and in any event within 72 hours of learning about a breach • Article 34 requires controllers to notify data subjects of breaches "[w]hen the personal data breach is likely to result in a high risk [to] the rights and freedoms of individuals". Data subjects must also be notified of the breach "without undue delay."
  • 39. GDPR • A data controller does not have to provide notice to data subjects, however, if: • the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption; • has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
  • 40. The GDPR has extra-territorial application and Canadian businesses can be subject to it.
  • 42. Trends & Recent Developments • Historically at common law there was no specific cause of action for invasion of privacy • Basic principle of civil liability that one must prove actual harm, compensable in damages, before requiring someone else to pay for a commitment of a wrong • This all changed in 2012 with ONCA’s landmark ruling in Jones v. Tsige
  • 43. Intrusion Upon Seclusion • To succeed in a claim for intrusion upon seclusion, one must demonstrate: • an intentional act (which includes recklessness); • an invasion, without lawful justification, of the plaintiff's private affairs or concerns; and • a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. • Personal and sensitive nature of the information and lawful justification are key issues
  • 44. Intrusion Upon Seclusion • Proof of harm to a recognized economic interest is not an element of the cause of action • Given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum • But… damages should be sufficient to "mark the wrong that has been done"
  • 45. Trends • Increase in privacy class actions since 2013 • Being fuelled by novel claims of intrusion upon seclusion and waiver of tort • Potentially large awards • Less barriers to certification
  • 46. Some Recent Hacking Cases • Maksimovic v. Sony - $1 billion claim • Settlement providing for various benefits, depending in part on an individual’s account type, as well as ability to prove harm and obtain up to $2,500 out of pocket costs, and counsel fee $265,000. • Lozanski v. Home Depot - $500 million claim • Court approved settlement, value of $400,000 • Shore v. Avid Life - $750 million claim • Pending • Zuckerman v. Target Corporation • Class action was certified earlier this year
  • 47. Home Depot
 A Counterpoint to Ashley Madison
  • 48. Home Depot • April 11 - September 13, 2014: Home Depot’s card payment system was hacked by criminals who used custom malware to access customer information at self-checkout terminals • September 9, 2014: Home Depot notified OPC and Privacy Commissioners in Alberta, B.C. and Quebec • Also issued press releases and directly notified 500,000 potentially affected customers
  • 49. Home Depot • Home Depot apologized for breach, confirmed removal of malware and assured customers they would not have to pay for fraudulent charges to their accounts • Also offered free credit monitoring and identity theft insurance • Class actions commenced in Ontario, Saskatchewan, B.C., Newfoundland and Quebec
  • 50. Home Depot • National Settlement reached April 25, 2016 • Terms of settlement: • Home Depot agreed to create $250,000 settlement fund to compensate any documented losses arising from breach, max of $5,000 per claimant • Also agreed to pay for credit monitoring up to a maximum of $250,000 and to cover costs of notifying class members and administering the fund
  • 51. Home Depot • Court approved the settlement and assessed maximum value of settlement at $400,000 • Noted that case was very weak: • breach was due to criminal hackers, not wrongdoing by Home Depot • Home Depot openly and promptly notified customers and sought to lessen potential harm arising from breach • Little documented losses
  • 52. “Home Depot… responded in a responsible, prompt, generous, and exemplary fashion to the criminal acts perpetrated on it by the computer hackers”
  • 53. Home Depot • Home Depot was also subject to class action litigation by certain banks and other financial institutions • March 8, 2017: settlement agreement was submitted for court approval • Home Depot agreed to pay $25 million to a settlement fund
  • 54. Home Depot • Home Depot also agreed that for 2 years it would adopt and implement measures to reduce risks of future data breach: • safeguards to manage risks identified through data security risk assessments, tracked and managed using a risk exception process that involves Home Depot leadership and is reviewed on an annual basis; • annually assess, including with on-site visits, service providers and vendors with access to payment card information to validate compliance with security practices; and • design and implement an industry recognized security control framework
  • 55. Takeaways • Home Depot shows that it can be helpful even in absence of data breach notification requirements to adopt proactive measures to notify and assist potentially affected individuals • Timely notification can be helpful in mitigating liability - need to look at your security protocols to ensure you can react swiftly in event of breach • Timely detection is also important to limit potential class size
  • 56. Takeaways • Super important to have a comprehensive data security incident response plan (“IRP”) and a trained incident response team • IRPs = written plans designed to enable an organization to respond to data security incidents in a way that minimizes harm, reduces recovery time and costs, and allows the organization to benefit from lessons learned
  • 57. Takeaways • IRP basic requirements: • identify the incident response team members and their respective roles and responsibilities • set out the procedures they should follow to respond to and recover from a data security incident • cover all phases of a data security incident: discovery, containment, recovery, post-recovery investigation / review and report
  • 58. Takeaways • IRP best practices: • Keep it short, simple, actionable, practicable • Follow guidance from regulators • Plan for legal privilege protection • Include procedures for record keeping, evidence collection and notification (to public and regulators)
  • 59. Takeaways • Pay special attention to sensitive PI => ensure it is encrypted, anonymous or at least pseudonymous • Conduct routine pen testing • Advocate for active management of security findings to compliance • Ensure data breaches are discovered as early as possible • Ensure systems / procedures in place to report data breaches as soon as possible
  • 60. Thanks! • More questions / resources? • http://nicholasvanexan.com