Privacy Breaches –
The Private Sector Perspective

      OBA, June 8, 2009

        Mark S. Hayes
   Partner, Hayes eLaw LLP
Summary
• Privacy breaches are messy
• Organization responses to privacy
  breaches are not models of efficiency and
  logic
• IPCs can assist organizations, but only if
  assistance is not viewed as a threat
• If in doubt, do no (more) harm!
Breach Guidelines
• Current guidelines are useful and
  reasonably practical
• Four step response plan is a good general
  guide
• Everything is much easier if proper steps
  taken in advance
Breach Notification
• Similarly, advice in documents like B.C.’s
  “Key Steps For Responding To Privacy
  Breaches” is of assistance in deciding
  whether and how to notify
• With minor exceptions, latest Industry
  Canada Breach Notification Model has
  struck right balance between protection of
  public and knee-jerk reactions that cause
  more harm than good
However…
• All of these guidelines can’t tell people in
  the trenches what they should do when
  dealing with a real-life data breach
• Reality of organizations
• Nature of breaches
• Nature of internal responsibilities and
  responses
A Case Study
• Famous Harvard Business Review case study
  – Medium-sized retailer told by police it appears to be
    common point of purchase for large number of
    fraudulent credit card transactions
  – Not clear if company and its (less than airtight) IT
    systems are cause of apparent data breach
  – Customers have come to respect firm for its straight
    talk and square deals
  – Law enforcement wants them to stay quiet for now
  – Reputation at stake; path to preserving it difficult to
    see
Experts' Advice
• James E. Lee, ChoicePoint
   – Advises early and frank external and internal
     communications, elimination of security weaknesses, and
     development of a brand-restoration strategy
• Bill Boni, Motorola
   – Stresses prevention: comprehensive risk management, full
     compliance with PCI standards, putting digital experts on
     staff, consulting established model response plan, and
     preserving firm's reputation
• John Philip Coghlan, formerly of Visa USA
   – Recommends swift disclosure to empower consumers to protect
     themselves against further fraud; might even enhance company's
     reputation for honesty
• Jay Foley, Identity Theft Resource Center
   – Recommends quality of communication over speed of delivery;
     cautious management to prevent data thefts and long-term negative
     consequences
The Conundrum
• All of this may be good advice, but not
  identical and sometimes conflicting
  – Typical when an organization discovers that it
    might have experienced a data breach
  – Organization often gets much advice and
    guidance, but no clear answers
• Want to discuss responses to data
  breaches in real world
The Real World – Pre-Breach
• Privacy often seen as a small and relatively
  unimportant compliance requirement
  – Not core to organization
  – Handled at a middle management level with
    periodic reporting to senior management
  – Compliance with privacy requirements is focus
• Most organizations experience no more than one
  serious data breach
  – Only actual breach focuses senior management
    on privacy
The Real World – Dealing With A Breach

• Data breaches are really, really messy
  – Incomplete or incorrect information
  – Time and resource pressures
  – Confusing and contradictory internal and
    external priorities and policies
  – Poor internal coordination of response
  – Poor communications
     • Often no organized response team or list of
       internal and external contacts and back-ups
• Fear!
The Real World – Dealing With A Breach

• Multiple risk management priorities
  – While organizations have concerns about
    individuals affected by data breaches, also
    concerned about organizational risk
  – Many other risk management priorities in
    addition to privacy and damage to individuals
  – Risk emphasis may depend on locus of
    privacy compliance management
     • Personal view of the elephant
The Real World – Dealing With A Breach

• Lack of authority (or interest) to respond
  without senior management approval
• Confusion about responsibility for security as
  opposed to privacy
  – Especially true for IT security
  – CPO may have little knowledge of, or influence
    on, IT security procedures, even in urgent
    situation
• Most often internal resources not sufficient
  – Obtaining expert assistance takes time and
    money; often both in short supply
The Real World – Dealing With A Breach

• Many data breaches involve >1 organization
• Ability to investigate and respond to breach
  not solely in control of organization
  – Service providers
  – Subsidiaries and affiliates
  – Business partners (e.g. credit card issuers)
• Contracts may not allow organization to
  control how to deal with breach, even though
  it may have most of risk and responsibility
• Internal resources and priorities at other
  organizations may conflict
Why Does This Matter?
• Policy makers and regulators should be
  sensitive to organizational dynamics
  – Organizations are not monoliths, but individuals
    who are sometimes struggling
• Guidelines are useful, but starting point only
  – “Take reasonable steps” does not provide much
    assistance in middle of tornado
• Each situation must be understood on basis
  of dynamics of organization
Why Does This Matter?
• Regulators must try to support CPO
• Usually friend of privacy but often caught
  amongst many competing interests
  – Board of directors
  – Senior management
  – Other employees
  – Customers
  – Investors
  – Outside advisors
  – Media
Why Does This Matter?
• Regulators must understand role fear and
  distrust play in relationship with organizations
  – New people often involved in data breach
    response
• Especially applicable to decision to notify
  regulator about data breaches
  – Concern that disclosure will create liability
  – Concern about access to information requests
• If compulsory notification is
  instituted, organizations must have
  assurances about potential uses of
  information
Do No (More) Harm
• Bottom line for organizations and regulators
• While quick action is required, any action
  before facts are known can make things worse
  – Must avoid making response to privacy breaches
    part of the problem
• Understanding of risks resulting from breach is
  crucial, but can take some time
• While guidelines are useful, very few “hard
  and fast” rules that will apply in all situations
Questions?
   For a digital copy of
   these slides, just ask!

  mark@hayeselaw.com

 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Privacy Breaches - The Private Sector Perspective

7. Experts' Advice
• James E. Lee, ChoicePoint
  – Advises early and frank external and internal communications, elimination of security weaknesses, and development of a brand-restoration strategy
• Bill Boni, Motorola
  – Stresses prevention: comprehensive risk management, full compliance with PCI standards, putting digital experts on staff, consulting an established model response plan, and preserving the firm's reputation
• John Philip Coghlan, formerly of Visa USA
  – Recommends swift disclosure to empower consumers to protect themselves against further fraud; might even enhance the company's reputation for honesty
• Jay Foley, Identity Theft Resource Center
  – Recommends quality of communication over speed of delivery; cautious management to prevent data thefts and long-term negative consequences

8. The Conundrum
• All of this may be good advice, but it is not identical and is sometimes conflicting
  – Typical when an organization discovers that it might have experienced a data breach
  – Organization often gets much advice and guidance, but no clear answers
• Want to discuss responses to data breaches in the real world

9. The Real World – Pre-Breach
• Privacy often seen as a small and relatively unimportant compliance requirement
  – Not core to the organization
  – Handled at a middle management level with periodic reporting to senior management
  – Compliance with privacy requirements is the focus
• Most organizations have no or only one serious data breach
  – Only an actual breach focuses senior management on privacy

10. The Real World – Dealing With A Breach
• Data breaches are really, really messy
  – Incomplete or incorrect information
  – Time and resource pressures
  – Confusing and contradictory internal and external priorities and policies
  – Poor internal coordination of response
  – Poor communications
• Often no organized response team or list of internal and external contacts and back-ups
• Fear!

11. The Real World – Dealing With A Breach
• Multiple risk management priorities
  – While organizations have concerns about individuals affected by data breaches, they are also concerned about organizational risk
  – Many other risk management priorities in addition to privacy and damage to individuals
  – Risk emphasis may depend on the locus of privacy compliance management
• Personal view of the elephant

12. The Real World – Dealing With A Breach
• Lack of authority (or interest) to respond without senior management approval
• Confusion about responsibility for security as opposed to privacy
  – Especially true for IT security
  – CPO may have little knowledge of, or influence on, IT security procedures, even in an urgent situation
• Most often internal resources are not sufficient
  – Obtaining expert assistance takes time and money; often both are in short supply

13. The Real World – Dealing With A Breach
• Many data breaches involve more than one organization
• Ability to investigate and respond to a breach is not solely in the control of the organization
  – Service providers
  – Subsidiaries and affiliates
  – Business partners (e.g. credit card issuers)
• Contracts may not allow the organization to control how to deal with the breach, even though it may have most of the risk and responsibility
• Internal resources and priorities at other organizations may conflict

14. Why Does This Matter?
• Policy makers and regulators should be sensitive to organizational dynamics
  – Organizations are not monoliths, but individuals who are sometimes struggling
• Guidelines are useful, but a starting point only
  – “Take reasonable steps” does not provide much assistance in the middle of a tornado
• Each situation must be understood on the basis of the dynamics of the organization

15. Why Does This Matter?
• Regulators must try to support the CPO
• Usually a friend of privacy but often caught amongst many competing interests
  – Board of directors
  – Senior management
  – Other employees
  – Customers
  – Investors
  – Outside advisors
  – Media

16. Why Does This Matter?
• Regulators must understand the role fear and distrust play in the relationship with organizations
  – New people often involved in data breach response
• Especially applicable to the decision to notify the regulator about data breaches
  – Concern that disclosure will create liability
  – Concern about access to information requests
• If compulsory notification is instituted, organizations must have assurances about potential uses of the information

17. Do No (More) Harm
• Bottom line for organizations and regulators
• While quick action is required, any action before the facts are known can make things worse
  – Must avoid making the response to privacy breaches part of the problem
• Understanding of the risks resulting from the breach is crucial, but can take some time
• While guidelines are useful, there are very few “hard and fast” rules that will apply in all situations

18. Questions?
For a digital copy of these slides, just ask! mark@hayeselaw.com