Data Risk Management (PRIVACY)
Orange County RIMS Chapter Presentation
Tuesday, June 11th, 2013
Presented by Eduard Goodman, J.D., LL.M., CIPP, Chief Privacy Officer
Exponential Nature of Digital Technology
• Moore’s Law, 1965
• Gordon Moore, Intel Founder
• “the number of transistors on integrated circuits doubles approximately every two years.”
Exponential Nature of Digital Technology: Moore’s Law
• Decoding the human genome originally took 10 years to process; now it can be achieved in one week.
Exponential Nature of Digital Technology: How far have we come? 1982 vs. 2012
Exponential Nature of Digital Technology
OSBORNE 1 (1982)
• 4 MHz CPU (Zilog Z80)
• Weighs 100X more
• 500X larger
• 64 KB of Memory (the ‘Executive’ had 124 KB)
• Screen: 5-inch, 52 character × 24 line monochrome CRT
• Available 300 baud modem, equal to 0.002197266 Mbps (avg. WiFi speed is 24-36 Mbps)
• 11 software options
iPhone 4/5 (2012)
• 412 MHz CPU (ARM11), 100X the CPU clock speed
• 64 GB of Memory, or 68,719,476,736 KB
• Costs 10X less (adjusted)
• Screen: 4-inch, 640 x 1136 pixel, 326 ppi, 16,777,216 color touch screen
• WiFi, Bluetooth, 4G LTE
• 700,000 Apps as of 9/12
• Also includes: Camera (still/video), Audio Play/Record, Integrated GPS, etc.
State Data Breach Notification Laws: What is it?
• Under state breach notification laws, businesses must notify consumers if there has been a breach that exposes their Personally Identifiable Information (PII).
• Required in 46 states, the District of Columbia, Puerto Rico, the Virgin Islands and even New York City.
• Depending upon the applicable state law, this covers various forms of information/data:
  • Digital and hard copy data
  • Encrypted/unencrypted data
  • Data lost by the business and data lost by a third party vendor
State Data Breach Notification Laws: General Rules
• All require that notice be made to people whose PII has been compromised
• Time frames vary from a “reasonable” amount of time, to a specific period from the time of breach discovery (45 days, for instance), to 10 days from the date of discovery (Puerto Rico)
• Some require notification be made to other parties besides the affected consumers:
  • Credit Bureaus
  • Regulators such as local State Offices of Consumer Affairs, etc.
• Most allow for alternate forms of notice (instead of written letter notice) if the breach is in excess of certain thresholds (both cost and number of recipients).
State Data Breach Notification Laws
• In addition to notification requirements, most states typically have (broad) language around the treatment, security and/or disposal of personal information wrapped up into their data breach notification regulations.
State Data Breach Notification Laws: For example
• When disposing of records that contain personal information, a business and a governmental agency shall take all reasonable measures necessary to protect against unauthorized access to or use of the records. (Alaska)
State Data Breach Notification Laws: For example
• A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. (California)
The Massachusetts Data Security Regulations
• 201 CMR 17.00: Standards for the protection of personal information of residents of the Commonwealth
The Nevada Encryption and PCI-DSS “adoption” statute
• NRS 603A.215: Security measures for data collector that accepts payment card; use of encryption; liability for damages; applicability
Current Federal Security Regulations
• Health Insurance Portability and Accountability Act (HIPAA)
• §5 of the Federal Trade Commission Act
• Gramm-Leach-Bliley Act of 1999
• Other acts:
  • Video Privacy Protection Act
  • Children’s Online Privacy Protection Act
  • Etc.
Self Regulatory Security Requirements
• Payment Card Industry Data Security Standard (PCI-DSS): a set of security requirements and standards promulgated by the payment card issuers (Visa, MasterCard, Discover, American Express, and JCB) regarding the storage and security of payment card related data.
Data Protection and Privacy as a global trade issue: Privacy as a Right
• The United Nations Universal Declaration of Human Rights, article 12, states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Data Protection and Privacy as a global trade issue: Privacy as a Right
• Article 8 of the European Convention on Human Rights: “Article 8 – Right to respect for private and family life …Everyone has the right to respect for his private and family life, his home and his correspondence…”
Data Protection and Privacy as a global trade issue: Privacy as a Right
• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Key Principles for National Application):
  • Collection Limitation Principle
  • Data Quality Principle
  • Purpose Specification Principle
  • Use Limitation Principle
  • Security Safeguards Principle
  • Openness Principle
  • Accountability Principle
Europe/E.U.: NEW potential Privacy/Data Protection rules in the E.U.
• “Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”
Immediate To-Do List (To reduce risk/exposure)
• Don’t collect data on customers or employees unless you need it
• Get rid of any data you collect as soon as you no longer need it. It’s toxic. (It’s not an asset, it’s a liability.)
• Encrypt any private personal data
Immediate To-Do List (Assess and Cover Risk)
• Complete a high level “data” audit to determine:
  • The types of personal information you retain
  • What states your customers/employees live in
• Complete a security audit to determine weaknesses
• Determine if you have adequate insurance coverage for your risk:
  • 1st Party Costs (mailing, consults, mail-house, forensics, etc.)
  • 3rd Party Costs (Regulatory or Civil Liability and defense)
Immediate To-Do List (Documentation/Programs)
• Written Information Security Program
• Breach Response Plan
• Business Continuity Plan
• Data/Document Retention and Destruction Plan
• Data Security and Privacy Awareness Program
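The three to-do lists above describe a procedure rather than a tool: minimize what is collected, dispose of what is no longer needed, and run a high level "data" audit that answers two questions (which categories of personal information are retained, and which states the affected people live in, since that decides which notification laws apply). The script below is an added illustration of that audit step, not material from the presentation or from Identity Theft 911; the record layout, the field-to-category mapping, the two-year retention window and the sample records are all constructed assumptions.

```python
"""Minimal personal-data inventory for the "data audit" to-do item.

Everything here is constructed for illustration: the schema, the PII category
mapping, the retention window and the sample records are assumptions, not
anything the presentation specifies.
"""
from collections import Counter, defaultdict
from datetime import date

# Assumed mapping from field names in our (constructed) records to the
# category of personal information they hold. A real inventory would map the
# organisation's own schema onto categories relevant to the applicable laws.
PII_FIELDS = {
    "ssn": "Social Security number",
    "card_number": "payment card number",
    "drivers_license": "driver's license number",
    "dob": "date of birth",
    "email": "e-mail address",
}

# Constructed retention policy: anything not needed in the last two years is
# a candidate for destruction ("get rid of any data ... as soon as you no
# longer need it").
RETENTION_DAYS = 365 * 2

# The presentation date, used as the reference day for the retention check.
AUDIT_DATE = date(2013, 6, 11)

# Constructed, fictitious sample records (values are placeholders).
SAMPLE_RECORDS = [
    {"name": "A. Example", "state": "CA", "ssn": "000-00-0000",
     "email": "a@example.com", "last_needed": date(2011, 1, 15)},
    {"name": "B. Example", "state": "MA", "card_number": "4111111111111111",
     "last_needed": date(2013, 3, 1)},
    {"name": "C. Example", "state": "CA", "dob": "1980-01-01",
     "email": "c@example.com", "last_needed": date(2013, 5, 20)},
    {"name": "D. Example", "state": "PR", "drivers_license": "D0000000",
     "last_needed": date(2010, 6, 30)},
    {"name": "E. Example", "state": "MA", "email": "e@example.com",
     "last_needed": date(2012, 12, 1)},
]


def pii_categories(record):
    """Sorted list of PII categories present in one record."""
    return sorted(PII_FIELDS[k] for k in record if k in PII_FIELDS)


def residents_by_state(records):
    """How many people per state: the input for 'which laws apply'."""
    return Counter(r["state"] for r in records)


def pii_by_state(records):
    """Which categories of personal information are held about residents of
    each state; the combination drives the notification analysis."""
    held = defaultdict(set)
    for r in records:
        held[r["state"]].update(pii_categories(r))
    return {state: sorted(cats) for state, cats in held.items()}


def stale_records(records, today=AUDIT_DATE, retention_days=RETENTION_DAYS):
    """Names of records whose last business need is older than the window."""
    return [r["name"] for r in records
            if (today - r["last_needed"]).days > retention_days]


def audit_report(records, today=AUDIT_DATE):
    """Combine the three views into one dictionary for reporting."""
    return {
        "residents_by_state": dict(residents_by_state(records)),
        "pii_by_state": pii_by_state(records),
        "stale_records": stale_records(records, today),
    }


if __name__ == "__main__":
    for section, value in audit_report(SAMPLE_RECORDS).items():
        print(f"{section}: {value}")
```

The stale-record list feeds the "Data/Document Retention and Destruction Plan" item: every record on it is exposure with no offsetting business value, which is exactly the sense in which the deck calls retained data a liability rather than an asset.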
General Best Practices in Data Privacy (From a Global perspective)
• Develop a “privacy framework” that addresses privacy in your business from a:
  • philosophical standpoint;
  • business standpoint; and
  • operational standpoint
General Best Practices in Data Privacy (From a Global perspective)
• Integrate a Privacy by Design (PbD) Approach:
  1. Proactive not Reactive
  2. Privacy as the Default Setting
  3. Privacy Embedded into Design
  4. Full Functionality — Positive-Sum, not Zero-Sum
  5. End-to-End Security — Full Lifecycle Protection
  6. Visibility and Transparency — Keep it Open
  7. Respect for User Privacy — Keep it User-Centric
• http://www.privacybydesign.ca/
Thank you!
Eduard Goodman, J.D., LL.M., CIPP
Chief Privacy Officer
Scottsdale, Arizona
480.355.4940 direct
EGoodman@identitytheft911.com