Best Practices for Data Security and Data Breach Protocol
Gabriel M.A. Stern, Fasken Martineau DuMoulin LLP
Jason Green, PricewaterhouseCoopers
Your presenters

Gabriel M.A. Stern – Senior Associate, Fasken Martineau DuMoulin LLP
• Senior Associate with Fasken Martineau DuMoulin LLP, practicing in the area of Information Technology Law.
• Broad experience with information technology, privacy, consumer protection, health sector, and intellectual property-related matters.
• Has drafted/negotiated a wide range of agreements, including outsourcing agreements, software agreements, e-commerce and website terms and conditions, privacy agreements, and procurement documents (requests for proposals, master service agreements and related materials).

Jason Green – Director, PricewaterhouseCoopers
• Director with PwC LLP, and National Lead for Breach and Incident Response. Part of the broader Cyber Resilience practice.
• 25-year background encompassing information security, investigations and digital forensics.
• Has led and driven large multi-functional, end-to-end security teams to address tactical and strategic security and risk needs across multiple industries.
Overview
1. Current risks and challenges – the new reality
2. Current risks and challenges – adapting to the new reality
3. Data breaches – some facts
4. Strategies to reduce vulnerability
5. Crisis management & incident response
6. The role for lawyers – notification requirements
7. The role for lawyers – vendor/contract management
8. The role for lawyers – helping when breaches occur

The key message for lawyers: we have an important role to play in managing data breaches and data security, but to advise effectively on such issues, the business and IT elements of these issues must be understood and engaged.
Current Risks and Challenges – The new reality
Putting cyber security into perspective
• Cyber security represents many things to many different people.
• Key characteristics and attributes of cyber security:
  ─ Broader than just information technology and not limited to just the enterprise
  ─ Increasing attack surface due to technology connectivity and convergence
  ─ An ‘outside-in view’ of the threats and potential impact facing an organization
  ─ Shared responsibility across the enterprise which requires cross-functional disciplines in order to plan, protect, defend and respond
  ─ Need to involve legal, IT, and business groups, all of which have a role to play in managing these risks

It is no longer just an IT challenge – it is a business imperative with important legal obligations and consequences.
The digital world has got bigger

The evolution:
• Technology-led innovation is transforming business models.
• Companies operate in a dynamic environment that is increasingly hyper-connected and interdependent.
• The ecosystem is built around a model of open collaboration and trust.
• Constant information flow is the lifeblood of the business ecosystem.

Leading to:
• Legal compliance regimes that must be identified and adhered to.
• Legal risk mitigation strategies that affect all parts of an enterprise.
• The benefits of the same technological advances being exploited by an increasing number of global adversaries.
• Adversaries actively targeting critical assets throughout the ecosystem.
• Data that is distributed and dispersed, increasing the potential for loss and exposure.
• Changing business drivers and threats creating both opportunities and risks.
Organizations today face four main types of cyber adversaries…

Adversary motives and tactics evolve as business strategies change and business activities are executed; ‘crown jewels’ must be identified and their protection prioritized, monitored and adjusted accordingly.

Nation state
• Motives: military, economic or political advantage
• Targets: trade secrets; sensitive business information; emerging technologies; critical infrastructure
• Impact: loss of competitive advantage; disruption to critical infrastructure

Organized crime
• Motives: immediate financial gain; collecting information for future financial gains
• Targets: financial / payment systems; Personally Identifiable Information; Payment Card Information; Protected Health Information
• Impact: costly regulatory inquiries and penalties; consumer and shareholder lawsuits; loss of consumer confidence

Hacktivists
• Motives: influence political and/or social change; pressure business to change their practices
• Targets: corporate secrets; sensitive business information; information related to key executives, employees, customers & business partners
• Impact: disruption of business activities; brand and reputation; loss of consumer confidence

Insiders
• Motives: personal advantage, monetary gain; professional revenge; bribery or coercion
• Targets: critical infrastructure; operational technologies; highly visible venues
• Impact: destabilize, disrupt, and destroy physical and logical assets
…Including “accidental insiders”

Accidental insiders do not realize the risk they can cause in a business. The damage they can cause can be as significant as any targeted attack.

Accidental insiders
• Motives: none – these are data breaches where no malice is involved (e.g. uploading confidential company documents to file sharing sites due to misconfigured Limewire peer-to-peer sharing settings)
• Targets: all systems
• Impact: costly regulatory inquiries and penalties; consumer and shareholder lawsuits; loss of consumer confidence; disruption of business activities; brand and reputation; destabilize, disrupt, and destroy physical and logical assets
Considerations for businesses adapting to the new reality

Scope of the challenge
• Historical perspective: limited to your “four walls” and the extended enterprise
• Today’s leading insight: spans your interconnected global and hyperconnected business ecosystem and complex supply chain

Governance
• Historical perspective: IT led and operated
• Today’s leading insight: CEO and Board accountable; business-aligned and owned; cross-functional governance; legal properly engaged when appropriate

Threat actor characteristics
• Historical perspective: one-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
• Today’s leading insight: organized, funded and targeted; motivated by economic, monetary and political gain

Threat focus
• Historical perspective: primarily external
• Today’s leading insight: external and internal

Security risk equation
• Historical perspective: static or less dynamic
• Today’s leading insight: extremely dynamic and broad

Protection strategy
• Historical perspective: one-size-fits-all approach
• Today’s leading insight: prioritize and protect your key assets based on threat modelling and intelligence

Defense posture
• Historical perspective: protect the perimeter; respond if attacked
• Today’s leading insight: layered defense; contextual threat intelligence; real-time detection; rapid response when attacked

Control model
• Historical perspective: primarily focused on prevention
• Today’s leading insight: predict, prevent, detect, respond, correct, and recover

Threat intelligence & information sharing
• Historical perspective: keep to yourself
• Today’s leading insight: share internally (fraud, corporate security, ops risk) and externally (government, industry peers) … and sometimes you have no choice but to share

Risk management approach
• Historical perspective: primarily focused on minimizing likelihood
• Today’s leading insight: accepts that breaches will occur often; focused on minimizing business impact; lawyers can assist with this by, for example, properly managing vendor relationships
Current Risks and Challenges – Adapting to the new reality
Keeping pace with the new reality

Operating in the global business ecosystem requires organizations to think differently about their security investments.

Engage and commit with the business
• Leadership, ownership, awareness and accountability for addressing the security risks that threaten the business
• Alignment and enablement of business objectives
• Engage your legal department before a problem happens (e.g. when contracting) as well as after (e.g. understanding breach notification obligations)

Rationalize and prioritize investments
• Critical assets are constantly evaluated given they are fundamental to the brand, business growth and competitive advantage
• Threats and impact to the business are considered as investment activities are contemplated

Transform and execute the security program
• New and enhanced capabilities are needed to meet the ever-changing security challenges
• A comprehensive program must be built on a strong foundation and include proactive coordination and collaboration with the business
• The security implications related to the convergence of Information Technology, Operational Technology and Company Products and Services are addressed

(Slide diagram: Board, Audit Committee, and Executive Leadership; Investment Activities; Projects and Initiatives; Functions and Services; Security Strategy and Roadmap; Security Program, Resources and Capabilities; viewed through the lenses of Resource Prioritization, Risk and Impact Evaluation, and Business Alignment and Enablement.)
Cyber security isn’t just about technology
• Vendor management and contract protection
• Not all breaches are intentional
Why organizations have not kept pace

Years of underinvestment in certain areas have left many organizations unable to adequately adapt and respond to dynamic security risks.

Capability areas shown on the slide (diagram):
• Board, Audit Committee, and Executive Leadership Engagement
• Product & Service Security
• Threat Modeling & Scenario Planning
• Critical Asset Protection
• User Identification and Administration
• Technology Adoption and Enablement
• Ecosystem & Supply Chain Security
• Notification and Disclosure
• Threat Intelligence
• Public/Private Information Sharing
• Monitoring and Detection
• Process and Technology Fundamentals
• Technology Debt Management
• Privileged Access Management
• Incident and Crisis Management
• Global Security Operations
• Patch & Configuration Management
• Secure Mobile and Cloud Computing
• Operational Technology Security
• Physical Security
• Insider Threat
• Breach Investigation and Response
• Security Technology Rationalization
• Compliance Remediation
• Security Culture and Mindset

Framework lenses on the diagram: Resource Prioritization; Risk and Impact Evaluation; Business Alignment and Enablement; Security Strategy and Roadmap; Security Program, Functions, Resources and Capabilities.
Data Breaches – Some Facts

Attacks on the rise (chart only; figures not reproduced in this text)
Attack sources (two charts; figures not reproduced in this text)
Impacts – Cost per incident (chart only; figures not reproduced in this text)
Impacts – Downtime (chart only; figures not reproduced in this text)
Strategies to Reduce Vulnerability

Key focus points
• Keep the organization ahead of threats likely to target critical assets
• Align and prioritize security initiatives to enable strategic objectives
• Obtain buy-in from key stakeholders on the security program direction
• Compare security capabilities against industry peers
• Understand the maturity of the security program
• Identify strengths, weaknesses, opportunities and threats
• Establish a multi-year plan for enhancing security
• Vendor relationship management
• Contract terms and conditions (governance, audit rights, insurance, etc.)
• Understand the levels of potential liability that may arise for each of your systems
Key Activities

Align cyber security programs to business strategy and the emerging threat landscape. The phases and their key activities:

Phase 1 – Strategic Driver Analysis
· Identify Consumers/Stakeholders (Internal & External)
· Understand Existing Business Strategy
· Conduct Voice of the Stakeholder (VoS)
· Evaluate External Business Ecosystem Pressures and Threats

Phase 2 – Target Operating Model Design
· Define Mission, Vision, Drivers, Guiding Principles for the Security Program
· Define Solutions & Services
· Map Consumers (Internal & External) with Solutions & Services
· Define Sourcing & Delivery Models
· Map Solutions & Services to Capabilities
· Define Solution & Service Offering Ownership
· Document Solutions & Services Interdependencies
· Document Security Organization Structure
· Define Performance Metrics

Phase 3 – Gap Analysis & Benchmarking
· Perform Current State Capability Assessment
· Perform Gap Analysis
· Perform Peer-Comparison/Benchmarking

Phase 4 – Roadmap Development
· Define Security Projects/Initiatives
· Define Case for Change
· Prioritize Projects/Initiatives & Map Inter-dependencies
· Define High Level Cost Estimates
· Define High Level Resourcing Requirements
· Define Change Management & Communications Plan
Security functional domains

(Slide diagram; the domain labels and descriptions recovered from it are listed below. Cross-cutting labels on the diagram: Strategy through Execution; Sustainable Security Behaviours.)

Align with the business – Strategy, Governance & Management
Prioritize investments, allocate resources, and align security capabilities with the strategic imperatives and initiatives of the organization.

Adapt to the future – Emerging Trends & Innovation
Assess the opportunities and security-related risks of new technology adoption and dynamically changing business models.

Secure by design – Security Architecture & Services
Create sustainable security solutions to provide foundational capabilities and operational discipline.

Address threats and weaknesses – Threat, Intelligence and Vulnerability Management; Cyber Threat Assessment
Anticipate changes in the risk landscape through situational awareness of the internal and external factors impacting the business ecosystem.

Manage risk and regulations – Cyber Risk & Compliance
Efficiently and effectively identify, evaluate and manage risk to the business while addressing the evolving regulatory requirements.

Anticipate and respond to security crises – Incident & Crisis Management and Response
Plan for, detect, investigate, and react in a timely and thorough manner to security incidents, breaches and compromises.

Enable secure access – Identity & Access Management
Provide integrated and secure processes, services, and infrastructure to enable appropriate controls over access to critical systems and assets.

Safeguard critical assets – Information & Privacy Protection
Identify, prioritize, and protect sensitive or high value business assets.
Crisis Management & Incident Response

Cyber Crisis and Business Continuity Integration

Effective Data Breach Response preparation activities augment existing Business Continuity program activities in each stage of the BCM lifecycle.

Integrated Business Continuity Program (slide diagram; components recovered from it):
• Enterprise Risk Management (ERM): risk assessment; risk response; risk monitoring; RM optimization
• Business Continuity Management (BCM): emergency response; crisis management; business continuity; disaster recovery
• Crisis Management (CM): command & control; communication & coordination
• Business Continuity Program (BCP): recovery procedures; location & resources; people
• Disaster Recovery Program (DRP): data recovery; applications; technical infrastructure
• Lifecycle stages: Issues Assessment; Risk Management; Continuity Plan & Resiliency Improvement; Restoration Activities; Return to Normal Operations; Operational Improvement
Incident Response

Companies must comply with existing and emerging regulations, identify and secure sensitive information that is constantly in motion, investigate breaches and data theft, manage the insider threat, and reduce the gamut of cyber security risks.

As such, organizations must be prepared to:
(1) Forensically investigate cyber intrusions, data theft, and insider malfeasance in order to manage legal, regulatory, reputational, and other risks and comply with requirements;
(2) Assess business and customer impact and mitigate risk; and,
(3) Rebound stronger through long-term remediation planning, strategic information security program development, and executive support.

The approach extends beyond immediate technical remediation to business impact analysis, regulatory and customer notification support, strategic remediation planning, security program roadmaps, and litigation defense.
The Role for Lawyers – Notification requirements

Breach Notification Generally
• Privacy law primer:
  ─ For private sector organizations generally, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use and disclosure of personal information.
  ─ Certain provinces have privacy legislation that has been deemed substantially similar to PIPEDA.
  ─ One of those provinces, Alberta, has in force rules regarding the notification that is required in the event of privacy breaches.
  ─ Breach notification requirements have also been proposed for PIPEDA – different versions have been proposed over time.
  ─ If such PIPEDA requirements were to ever be adopted, breach notification obligations would apply across the majority of the country.

(This slide describes the position at the time of the presentation; PIPEDA’s mandatory breach reporting and notification provisions have since come into force, on 1 November 2018.)
Alberta’s PIPA Breach Notification Requirement
• Alberta’s Personal Information Protection Act (PIPA) includes both a reporting and a notification regime in respect of security breaches.
• Under this regime, certain privacy breaches must be reported to the Alberta Information and Privacy Commissioner, and under very similar circumstances, affected individuals must be notified of such breaches.

Alberta’s PIPA Breach Notification Requirement (cont’d)
• Threshold for reporting a breach: whether, objectively, “a reasonable person would consider that there is a real risk of significant harm to an individual.”
• Threshold for notifying affected individuals: where “there is a real risk of significant harm.”
• What is “significant harm”?
  ─ (i) A “significant harm” is a “material harm” having “non-trivial consequences or effects” (examples may include “possible” “financial loss, identity theft, physical harm, humiliation to one’s professional or personal reputation”); and
  ─ (ii) a “real risk” is one where there is a “reasonable degree of likelihood that the harm could result.”
Other Breach Notification Issues
• Even absent any statutory breach notification obligations, might the business nonetheless want to report/notify?
  ─ E.g. for goodwill purposes.
• Practical challenges can exist in determining whether a breach has even occurred.
  ─ E.g. an unsecured beta version of an e-commerce site: exposure is clear, but it may be unclear whether any actual privacy breach took place, and difficult to tell even through forensics.
The Role for Lawyers – Vendor/contract management

Vendor/contract management – overview
• In contracting with vendors, lawyers have the opportunity to build a toolset to help their clients manage data breach/security issues.
• The scope of relevant vendors can be quite wide – not just IT vendors.
  ─ HVAC vendors may be given overly broad system access rights, which could pose a threat.
• Encourage clients to ask the right questions:
  ─ What systems will the service impact?
  ─ Where will my data be?

Vendor/contract management – overview (cont’d)
• Educating vendors is often one of the key roles customers play.
  ─ E.g. US vendors not being familiar with Canadian privacy law obligations.
• Let the data/system guide your drafting: the nature, sensitivity, etc. of the data/system should influence the type of agreement you draft.
  ─ Doing so will provide your client with an appropriate toolset.

Vendor/contract management – some key terms
• Unlimited vendor liability for when breaches occur.
  ─ E.g. exclusion from liability caps/disclaimer of indirect damages.
• Parental guarantee?
  ─ Such breaches can be costly – will you be able to collect damages from the actual contracting counterparty?
• Insurance.
• Restricting location of data.
  ─ Alternatively, disclosure regarding location of data.

Vendor/contract management – some key terms (cont’d)
• Express privacy compliance (where applicable to the data).
• Audit rights.
• Specific security requirements.
  ─ Often involves a back and forth between the customer’s standard policies and the vendor’s standard service offering.
• Expect standard DR/business continuity planning (outside of any DR service being provided).
  ─ E.g. vendor cannot rely on force majeure unless they have DR/business continuity plans in place.
The Role for Lawyers – Helping when breaches occur

Help! There’s been a breach! What do I do?
• What do lawyers need to think about when they get that call from their IT department?
  ─ Understand what data was lost – e.g. if personal information was breached, the aforementioned breach notification issues must be considered.
  ─ Retention issues – e.g. when to freeze all data (legal hold).
  ─ Discuss with litigators as appropriate.
  ─ Is there an “adversary” against whom action should/can be taken?
  ─ Figure out what contractual tools with vendors may be helpful.
  ─ Exercise audit rights?
  ─ Consider whether damages should be sought.

Thank you