International Perspectives on Data Breach
1. International Perspective: Lessons Learned
IAPP Canada Privacy Summit Pre-conference
Constantine Karbaliotis, Data Protection & Privacy Lead
2. US Experiences: Legislative Overview
- Data or security breach legislation has been a fact of life in the US since 2002: California first in 2002
- Subsequently 44 more US states have passed mandatory breach notification legislation
- Key requirement in HITECH/HIPAA legislation
- Massachusetts Data Protection Law
Lessons Learned: Data Breach
3. Common Elements
- Triggered if (a) there is a breach of data security; and (b) a consumer's personal information is implicated
- Not all breaches trigger notification
- Consider the definition of personal information:
  - Typically meant to address name plus data such as social insurance/security number, credit card or banking data – what facilitates identity theft or fraud
  - Also includes medical information, as well as health insurance information under certain states' laws
- Some state laws apply even if there is simply a reasonable belief that there was an acquisition of data
- Direct notice is typically required, though substitute notice is permitted in certain instances
4. Issues to Consider
- Encryption – is it effective to avoid the notice requirement?
- Electronic v. non-electronic data: Alaska, Hawaii, Indiana, Massachusetts, North Carolina, and Wisconsin include loss of non-electronic records
- Who else must notice be given to? Typically the Attorney-General of each state
- What is the form of notice?
- Is notice required if there is no likelihood of identity theft?
- Thresholds – size of breach
5. Logistical Issues
- Managing notification is often beyond the capability of most organizations
- First challenge: mailing the notice
  - It may be possible to handle internally if the breach is small
  - The mass mailing requirement is difficult to address if the numbers affected are significant
- Even if organizations operate call centres, these are rarely equipped to address the kinds of questions arising from a data breach
  - Scripting responses takes time
  - Must consider the experience and nature of inquiries typically handled by your call centre
6. Law Enforcement
- Must consider whether law enforcement is to be notified – may not be required for a 'loss' situation, but definitely will be for theft/hack
- Typically law enforcement is not yet experienced enough to understand the gravity (and consequences) of data breach scenarios, so it will be important to explain both to investigators
- Typically law enforcement will not want notification prior to investigation, so in a difficult case it is best to involve law enforcement and the regulator directly and together
- Sometimes you need to chase the investigation down – thefts are a common occurrence and they tend to all blur together
- Must consider who needs to involve law enforcement – this can get delicate if the breach arises with a vendor in a different country who may be the only one who can file a complaint
7. Notification to Regulator/Attorney General
- Notification must follow the standards set out in regulation
- Important to be accurate about notification, and timely
- In the US, it always leads to public notification even if the breach is small
- Nonetheless, do not overlook jurisdictions merely because only a few individuals from them are involved
8. Response to a Breach
- It is becoming a truism that it is not that you've had a breach – everyone eventually will – it's how you respond to it
- Vitally important that you not cut too fine a line in 'distinguishing' in the treatment of customers simply because of jurisdiction
- Be careful to ensure accuracy in reporting on the details of what has happened, especially if still investigating
- Requirement under most laws to describe how you are taking steps to remediate/prevent recurrence
- Consider what steps you will take to help prevent harm to your customers – credit monitoring or credit protection services, for example – as this will tend to colour how people respond to your breach more than the breach itself
9. Organizational Capability
- Breach experience in the US highlights the need to have an organized response ahead of a breach
- Must involve a multi-disciplinary group:
  - Privacy
  - Information Security
  - Legal Department
  - Public Relations/Communications
  - Human Resources
  - Government Relations
- Having a documented breach response plan and capability will be one of the critical elements in how regulators assess you in terms of your response
10. Contact
Constantine Karbaliotis, J.D., CIPP/C/IT
constantine_karbaliotis@symantec.com
416.402.9873
