SlideShare uma empresa Scribd logo

International Perspectives on Data Breach

Transferir como PPTX, PDF
Constantine Karbaliotis
Constantine Karbaliotis

International perspectives and lessons learned, as Canada now starts to deal with breach notification laws. Part of a panel presentation at the IAPP Canadian Privacy Summit, May 26-28, in Toronto, Canada (pre-conference seminar).

TecnologiaNegócios
1 de 10
International Perspective: Lessons LearnedIAPP Canada Privacy Summit Pre-conference Constantine Karbaliotis Data Protection & Privacy Lead
US Experiences: Legislative Overview Data or security breach legislation has been a fact of life in the US since 2002: California first in 2002 Subsequently 44 more US states have passed mandatory breach notification legislation Key requirement in HITECH/HIPAA legislation Massachusetts Data Protection Law Lessons Learned: Data Breach 2
Common Elements Triggered if there is a breach of a data security; and A consumer’s personal information is implicated Not all breaches trigger notification Consider definition of personal information: Typically is meant to address name plus data such as social insurance/security number, credit card or banking data – what facilitates identity theft or fraud Also includes medical information, as well as health insurance information under certain states laws Some state laws apply even if there is simply a reasonable belief that there was an acquisition of data Direct notice is typically required, though substitute notice is permitted in certain instances Lessons Learned: Data Breach 3
Issues to Consider Encryption – is it effective to avoid notice requirement? Electronic v. non-electronic data Alaska, Hawaii, Indiana, Massachusetts, North Carolina, and Wisconsin include non-electronic records loss Who else must notice be given to? Typically the Attorney-General of each state What is form of notice? Is notice required if there is no likelihood of identity theft? Thresholds – size of breach Lessons Learned: Data Breach 4
Logistical Issues Managing notification is often beyond the capability of most organizations First challenge: Mailing the notice It may be possible to handle internally if breach is small Mass mailing requirement is difficult to address if numbers affected are significant Even if organizations operate call centres, these are rarely equipped to address the kinds of questions arising from a data breach Scripting responses takes time Must consider experience and nature of inquiries typically handled by your call centre Lessons Learned: Data Breach 5
Law Enforcement Must consider whether law enforcement is to be notified – may not be required for ‘loss’ situation, but definitely will be for theft/hack Typically law enforcement is not experienced enough yet to understand gravity (and consequences) of data breach scenarios so it will be important to provide both to investigators Typically will not want notification prior to investigation, so best to in difficult case involve law enforcement and regulator directly and together Sometimes need to chase investigation down – thefts are common occurrence and they tend to all blur together Must consider who needs to involve law enforcement – can get delicate if the breach arises with a vendor in a different country who may be the only one who can file a complaint Lessons Learned: Data Breach 6
Notification to Regulator/Attorney General Notification must follow standards set out in regulation Important to be accurate about notification, and timely In US, always leads to public notification even if breach is small Nonetheless, do not overlook jurisdictions merely because only a few individuals from them are involved Lessons Learned: Data Breach 7
Response to a Breach It is becoming a truism that it is not that you’ve had a breach – everyone eventually will – it’s how you respond to it Vitally important that you not cut too fine a line in ‘distinguishing’ in treatment of customers simply because of jurisdiction Be careful to ensure accuracy in reporting on the details of what has happened, especially if still investigating Requirement under most laws to describe how you are taking steps to remediate/prevent recurrence Consider what steps you will take to help prevent harm to your customers – credit monitoring or credit protection services for example – as this will tend to colour how people respond to your breach more than the breach itself Lessons Learned: Data Breach 8
Organizational Capability Breach experience in US highlights need to have organized response ahead of a breach Must involve multi-disciplinary group: Privacy Information Security Legal Department Public Relations/Communications Human Resources Government Relations Having a documented breach response plan and capability will be one of the critical elements in how regulators assess you in terms of your response Lessons Learned: Data Breach 9
Lessons Learned: Data Breach 10 Constantine Karbaliotis, J.D., CIPP/C/IT constantine_karbaliotis@symantec.com 416.402.9873

Recomendados

Primeshare overview -_jun_2013-1
Primeshare overview -_jun_2013-1Primeshare overview -_jun_2013-1
Primeshare overview -_jun_2013-1Artera Design and Creative
 
Hot Topics in Data Breach Litigation
Hot Topics in Data Breach LitigationHot Topics in Data Breach Litigation
Hot Topics in Data Breach LitigationBradley Arant Boult Cummings LLP
 
Data Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident SimulationData Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident SimulationBradley Arant Boult Cummings LLP
 
Data Breaches: The Cost of Being Unprepared
Data Breaches: The Cost of Being UnpreparedData Breaches: The Cost of Being Unprepared
Data Breaches: The Cost of Being Unpreparedhaynormania
 
Managing and insuring cyber risks - Chamber of Commerce seminar 21 May 2015, ...
Managing and insuring cyber risks - Chamber of Commerce seminar 21 May 2015, ...Managing and insuring cyber risks - Chamber of Commerce seminar 21 May 2015, ...
Managing and insuring cyber risks - Chamber of Commerce seminar 21 May 2015, ...Browne Jacobson LLP
 
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jonesTech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jonesEvents2018
 
Cyber Insurance Policy - Understanding the Premiums & Coverages
Cyber Insurance Policy - Understanding the Premiums & CoveragesCyber Insurance Policy - Understanding the Premiums & Coverages
Cyber Insurance Policy - Understanding the Premiums & CoveragesBajaj Allianz General Insurance Company Limited
 
CyberCoverage basics
CyberCoverage basicsCyberCoverage basics
CyberCoverage basicsPhilip Eifert
 

Recomendados

Primeshare overview -_jun_2013-1
Primeshare overview -_jun_2013-1Primeshare overview -_jun_2013-1
Primeshare overview -_jun_2013-1Artera Design and Creative
 
Hot Topics in Data Breach Litigation
Hot Topics in Data Breach LitigationHot Topics in Data Breach Litigation
Hot Topics in Data Breach LitigationBradley Arant Boult Cummings LLP
 
Data Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident SimulationData Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident SimulationBradley Arant Boult Cummings LLP
 
Data Breaches: The Cost of Being Unprepared
Data Breaches: The Cost of Being UnpreparedData Breaches: The Cost of Being Unprepared
Data Breaches: The Cost of Being Unpreparedhaynormania
 
Managing and insuring cyber risks - Chamber of Commerce seminar 21 May 2015, ...
Managing and insuring cyber risks - Chamber of Commerce seminar 21 May 2015, ...Managing and insuring cyber risks - Chamber of Commerce seminar 21 May 2015, ...
Managing and insuring cyber risks - Chamber of Commerce seminar 21 May 2015, ...Browne Jacobson LLP
 
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jonesTech Connect Live 30th May 2018 ,GDPR Summit Hugh jones
Tech Connect Live 30th May 2018 ,GDPR Summit Hugh jonesEvents2018
 
Cyber Insurance Policy - Understanding the Premiums & Coverages
Cyber Insurance Policy - Understanding the Premiums & CoveragesCyber Insurance Policy - Understanding the Premiums & Coverages
Cyber Insurance Policy - Understanding the Premiums & CoveragesBajaj Allianz General Insurance Company Limited
 
CyberCoverage basics
CyberCoverage basicsCyberCoverage basics
CyberCoverage basicsPhilip Eifert
 
FTC overview on glba final rule on safeguards 2010 Compliance Presentation
FTC overview on glba final rule on safeguards 2010 Compliance PresentationFTC overview on glba final rule on safeguards 2010 Compliance Presentation
FTC overview on glba final rule on safeguards 2010 Compliance PresentationBrent Hillyer
 
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...Dan Michaluk
 
Cyber for Beginners v2
Cyber for Beginners v2Cyber for Beginners v2
Cyber for Beginners v2Kenny Boddye
 
FTC Protecting Info A Guide For Business Powerpoint
FTC Protecting Info A Guide For Business PowerpointFTC Protecting Info A Guide For Business Powerpoint
FTC Protecting Info A Guide For Business PowerpointBucacci Business Solutions
 
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...David Cunningham
 
Cyber Threats and Insurance
Cyber Threats and InsuranceCyber Threats and Insurance
Cyber Threats and InsuranceEric Dean
 
Working with Law Enforcement on Cyber Security Strategies
Working with Law Enforcement on Cyber Security StrategiesWorking with Law Enforcement on Cyber Security Strategies
Working with Law Enforcement on Cyber Security StrategiesMeg Weber
 
Rules of Professional Conduct and Cybersecurity presented by Accellis Technol...
Rules of Professional Conduct and Cybersecurity presented by Accellis Technol...Rules of Professional Conduct and Cybersecurity presented by Accellis Technol...
Rules of Professional Conduct and Cybersecurity presented by Accellis Technol...Accellis Technology Group
 
Cyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation IndustryCyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation IndustryHNI Risk Services
 
TMI CYBER INSURANCE BROCHURE
TMI CYBER INSURANCE BROCHURETMI CYBER INSURANCE BROCHURE
TMI CYBER INSURANCE BROCHUREShan Budesha
 
What to do after a data breach
What to do after a data breachWhat to do after a data breach
What to do after a data breachOregon Law Practice Management
 
MA Privacy Law
MA Privacy LawMA Privacy Law
MA Privacy Lawtravismd
 
Business Controls, Inc. Solutions
Business Controls, Inc. SolutionsBusiness Controls, Inc. Solutions
Business Controls, Inc. SolutionsBusiness Controls, Inc.
 
Human resources protecting confidentiality
Human resources protecting confidentialityHuman resources protecting confidentiality
Human resources protecting confidentialityTaylorCannon8
 
Cybersecurity pres 05-19-final
Cybersecurity pres 05-19-finalCybersecurity pres 05-19-final
Cybersecurity pres 05-19-finalVivek Ahuja
 
Cyber Liability Coverage in the Marketplace with Dan Cotter
Cyber Liability Coverage in the Marketplace with Dan CotterCyber Liability Coverage in the Marketplace with Dan Cotter
Cyber Liability Coverage in the Marketplace with Dan CotterButlerRubin
 
One hour cyber july 2013
One hour cyber july 2013One hour cyber july 2013
One hour cyber july 2013Dan Michaluk
 
The Current State of FOI
The Current State of FOIThe Current State of FOI
The Current State of FOIDan Michaluk
 
Cyber Incident Response - When it happens, will you be ready?
Cyber Incident Response - When it happens, will you be ready?Cyber Incident Response - When it happens, will you be ready?
Cyber Incident Response - When it happens, will you be ready?Dan Michaluk
 
Kimo David.resume 2016
Kimo David.resume 2016Kimo David.resume 2016
Kimo David.resume 2016Kimo David
 
Canadian Response to the Draft EU Regulation - May 2013
Canadian Response to the Draft EU Regulation - May 2013Canadian Response to the Draft EU Regulation - May 2013
Canadian Response to the Draft EU Regulation - May 2013Constantine Karbaliotis
 
Data Loss During Downsizing
Data Loss During DownsizingData Loss During Downsizing
Data Loss During DownsizingConstantine Karbaliotis
 

Mais conteúdo relacionado

Mais procurados

FTC overview on glba final rule on safeguards 2010 Compliance Presentation
FTC overview on glba final rule on safeguards 2010 Compliance PresentationFTC overview on glba final rule on safeguards 2010 Compliance Presentation
FTC overview on glba final rule on safeguards 2010 Compliance PresentationBrent Hillyer
 
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...Dan Michaluk
 
Cyber for Beginners v2
Cyber for Beginners v2Cyber for Beginners v2
Cyber for Beginners v2Kenny Boddye
 
FTC Protecting Info A Guide For Business Powerpoint
FTC Protecting Info A Guide For Business PowerpointFTC Protecting Info A Guide For Business Powerpoint
FTC Protecting Info A Guide For Business PowerpointBucacci Business Solutions
 
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...David Cunningham
 
Cyber Threats and Insurance
Cyber Threats and InsuranceCyber Threats and Insurance
Cyber Threats and InsuranceEric Dean
 
Working with Law Enforcement on Cyber Security Strategies
Working with Law Enforcement on Cyber Security StrategiesWorking with Law Enforcement on Cyber Security Strategies
Working with Law Enforcement on Cyber Security StrategiesMeg Weber
 
Rules of Professional Conduct and Cybersecurity presented by Accellis Technol...
Rules of Professional Conduct and Cybersecurity presented by Accellis Technol...Rules of Professional Conduct and Cybersecurity presented by Accellis Technol...
Rules of Professional Conduct and Cybersecurity presented by Accellis Technol...Accellis Technology Group
 
Cyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation IndustryCyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation IndustryHNI Risk Services
 
TMI CYBER INSURANCE BROCHURE
TMI CYBER INSURANCE BROCHURETMI CYBER INSURANCE BROCHURE
TMI CYBER INSURANCE BROCHUREShan Budesha
 
MA Privacy Law
MA Privacy LawMA Privacy Law
MA Privacy Lawtravismd
 
Human resources protecting confidentiality
Human resources protecting confidentialityHuman resources protecting confidentiality
Human resources protecting confidentialityTaylorCannon8
 
Cybersecurity pres 05-19-final
Cybersecurity pres 05-19-finalCybersecurity pres 05-19-final
Cybersecurity pres 05-19-finalVivek Ahuja
 
Cyber Liability Coverage in the Marketplace with Dan Cotter
Cyber Liability Coverage in the Marketplace with Dan CotterCyber Liability Coverage in the Marketplace with Dan Cotter
Cyber Liability Coverage in the Marketplace with Dan CotterButlerRubin
 
One hour cyber july 2013
One hour cyber july 2013One hour cyber july 2013
One hour cyber july 2013Dan Michaluk
 
The Current State of FOI
The Current State of FOIThe Current State of FOI
The Current State of FOIDan Michaluk
 
Cyber Incident Response - When it happens, will you be ready?
Cyber Incident Response - When it happens, will you be ready?Cyber Incident Response - When it happens, will you be ready?
Cyber Incident Response - When it happens, will you be ready?Dan Michaluk
 
Kimo David.resume 2016
Kimo David.resume 2016Kimo David.resume 2016
Kimo David.resume 2016Kimo David
 

Mais procurados (20)

FTC overview on glba final rule on safeguards 2010 Compliance Presentation
FTC overview on glba final rule on safeguards 2010 Compliance PresentationFTC overview on glba final rule on safeguards 2010 Compliance Presentation
FTC overview on glba final rule on safeguards 2010 Compliance Presentation
 
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
 
Cyber for Beginners v2
Cyber for Beginners v2Cyber for Beginners v2
Cyber for Beginners v2
 
FTC Protecting Info A Guide For Business Powerpoint
FTC Protecting Info A Guide For Business PowerpointFTC Protecting Info A Guide For Business Powerpoint
FTC Protecting Info A Guide For Business Powerpoint
 
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
Ilta 2011 balancing km with data privacy facilitated by dave cunningham aug...
 
Cyber Threats and Insurance
Cyber Threats and InsuranceCyber Threats and Insurance
Cyber Threats and Insurance
 
Working with Law Enforcement on Cyber Security Strategies
Working with Law Enforcement on Cyber Security StrategiesWorking with Law Enforcement on Cyber Security Strategies
Working with Law Enforcement on Cyber Security Strategies
 
Rules of Professional Conduct and Cybersecurity presented by Accellis Technol...
Rules of Professional Conduct and Cybersecurity presented by Accellis Technol...Rules of Professional Conduct and Cybersecurity presented by Accellis Technol...
Rules of Professional Conduct and Cybersecurity presented by Accellis Technol...
 
Cyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation IndustryCyber Risks Looming in the Transportation Industry
Cyber Risks Looming in the Transportation Industry
 
TMI CYBER INSURANCE BROCHURE
TMI CYBER INSURANCE BROCHURETMI CYBER INSURANCE BROCHURE
TMI CYBER INSURANCE BROCHURE
 
What to do after a data breach
What to do after a data breachWhat to do after a data breach
What to do after a data breach
 
MA Privacy Law
MA Privacy LawMA Privacy Law
MA Privacy Law
 
Business Controls, Inc. Solutions
Business Controls, Inc. SolutionsBusiness Controls, Inc. Solutions
Business Controls, Inc. Solutions
 
Human resources protecting confidentiality
Human resources protecting confidentialityHuman resources protecting confidentiality
Human resources protecting confidentiality
 
Cybersecurity pres 05-19-final
Cybersecurity pres 05-19-finalCybersecurity pres 05-19-final
Cybersecurity pres 05-19-final
 
Cyber Liability Coverage in the Marketplace with Dan Cotter
Cyber Liability Coverage in the Marketplace with Dan CotterCyber Liability Coverage in the Marketplace with Dan Cotter
Cyber Liability Coverage in the Marketplace with Dan Cotter
 
One hour cyber july 2013
One hour cyber july 2013One hour cyber july 2013
One hour cyber july 2013
 
The Current State of FOI
The Current State of FOIThe Current State of FOI
The Current State of FOI
 
Cyber Incident Response - When it happens, will you be ready?
Cyber Incident Response - When it happens, will you be ready?Cyber Incident Response - When it happens, will you be ready?
Cyber Incident Response - When it happens, will you be ready?
 
Kimo David.resume 2016
Kimo David.resume 2016Kimo David.resume 2016
Kimo David.resume 2016
 

Destaque

Canadian Response to the Draft EU Regulation - May 2013
Canadian Response to the Draft EU Regulation - May 2013Canadian Response to the Draft EU Regulation - May 2013
Canadian Response to the Draft EU Regulation - May 2013Constantine Karbaliotis
 
The Value of Personal Information - IAPP Canada 2011
The Value of Personal Information - IAPP Canada 2011The Value of Personal Information - IAPP Canada 2011
The Value of Personal Information - IAPP Canada 2011Constantine Karbaliotis
 

Destaque (6)

Canadian Response to the Draft EU Regulation - May 2013
Canadian Response to the Draft EU Regulation - May 2013Canadian Response to the Draft EU Regulation - May 2013
Canadian Response to the Draft EU Regulation - May 2013
 
Data Loss During Downsizing
Data Loss During DownsizingData Loss During Downsizing
Data Loss During Downsizing
 
Privacy issues in the cloud
Privacy issues in the cloudPrivacy issues in the cloud
Privacy issues in the cloud
 
Analytics Store for Hybrid Cloud
Analytics Store for Hybrid CloudAnalytics Store for Hybrid Cloud
Analytics Store for Hybrid Cloud
 
The Value of Personal Information - IAPP Canada 2011
The Value of Personal Information - IAPP Canada 2011The Value of Personal Information - IAPP Canada 2011
The Value of Personal Information - IAPP Canada 2011
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 

Semelhante a International Perspectives on Data Breach

Data Breach Response: Before and After the Breach
Data Breach Response: Before and After the BreachData Breach Response: Before and After the Breach
Data Breach Response: Before and After the BreachFinancial Poise
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentDonald E. Hester
 
GlobalCollect Data Breach Factsheet
GlobalCollect Data Breach FactsheetGlobalCollect Data Breach Factsheet
GlobalCollect Data Breach FactsheetIngenico ePayments
 
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...Steve Werby
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...- Mark - Fullbright
 
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)canadianlawyer
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowThe Capital Network
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White PaperTodd Ruback
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White Paperspencerharry
 
Data Breach Response: A Guide for Business
Data Breach Response: A Guide for BusinessData Breach Response: A Guide for Business
Data Breach Response: A Guide for Business- Mark - Fullbright
 
Business Law Training: Crisis Communications: Finding Out What Happened and C...
Business Law Training: Crisis Communications: Finding Out What Happened and C...Business Law Training: Crisis Communications: Finding Out What Happened and C...
Business Law Training: Crisis Communications: Finding Out What Happened and C...Quarles & Brady
 
Responding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data BreachResponding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data BreachCBIZ, Inc.
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Financial Poise
 
Mass 201 CMR 17 Data Privacy Law
Mass 201 CMR 17 Data Privacy LawMass 201 CMR 17 Data Privacy Law
Mass 201 CMR 17 Data Privacy Lawguest8b10a3
 
Experion Data Breach Response Excerpts
Experion Data Breach Response ExcerptsExperion Data Breach Response Excerpts
Experion Data Breach Response ExcerptsPeter Henley
 
Powerpoint mack jackson
Powerpoint mack jacksonPowerpoint mack jackson
Powerpoint mack jacksonaiimnevada
 
ZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskJohn Loveland
 
Data Security Regulatory Lansdcape
Data Security Regulatory LansdcapeData Security Regulatory Lansdcape
Data Security Regulatory LansdcapeBrian Bauer
 

Semelhante a International Perspectives on Data Breach (20)

Data Breach Response: Before and After the Breach
Data Breach Response: Before and After the BreachData Breach Response: Before and After the Breach
Data Breach Response: Before and After the Breach
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
 
GlobalCollect Data Breach Factsheet
GlobalCollect Data Breach FactsheetGlobalCollect Data Breach Factsheet
GlobalCollect Data Breach Factsheet
 
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
 
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
 
BEA Presentation
BEA PresentationBEA Presentation
BEA Presentation
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to Know
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White Paper
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White Paper
 
Data Breach Response: A Guide for Business
Data Breach Response: A Guide for BusinessData Breach Response: A Guide for Business
Data Breach Response: A Guide for Business
 
Business Law Training: Crisis Communications: Finding Out What Happened and C...
Business Law Training: Crisis Communications: Finding Out What Happened and C...Business Law Training: Crisis Communications: Finding Out What Happened and C...
Business Law Training: Crisis Communications: Finding Out What Happened and C...
 
Responding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data BreachResponding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data Breach
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
 
Data breaches at home and abroad
Data breaches at home and abroad Data breaches at home and abroad
Data breaches at home and abroad
 
Mass 201 CMR 17 Data Privacy Law
Mass 201 CMR 17 Data Privacy LawMass 201 CMR 17 Data Privacy Law
Mass 201 CMR 17 Data Privacy Law
 
Experion Data Breach Response Excerpts
Experion Data Breach Response ExcerptsExperion Data Breach Response Excerpts
Experion Data Breach Response Excerpts
 
Powerpoint mack jackson
Powerpoint mack jacksonPowerpoint mack jackson
Powerpoint mack jackson
 
ZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info Risk
 
Data Security Regulatory Lansdcape
Data Security Regulatory LansdcapeData Security Regulatory Lansdcape
Data Security Regulatory Lansdcape
 

Último

Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideStefan Dietze
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024Stephen Perrenod
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Hiroshi SHIBATA
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Paige Cruz
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 

Último (20)

Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 

International Perspectives on Data Breach

  • 1. International Perspective: Lessons LearnedIAPP Canada Privacy Summit Pre-conference Constantine Karbaliotis Data Protection & Privacy Lead
  • 2. US Experiences: Legislative Overview Data or security breach legislation has been a fact of life in the US since 2002: California first in 2002 Subsequently 44 more US states have passed mandatory breach notification legislation Key requirement in HITECH/HIPAA legislation Massachusetts Data Protection Law Lessons Learned: Data Breach 2
  • 3. Common Elements Triggered if there is a breach of a data security; and A consumer’s personal information is implicated Not all breaches trigger notification Consider definition of personal information: Typically is meant to address name plus data such as social insurance/security number, credit card or banking data – what facilitates identity theft or fraud Also includes medical information, as well as health insurance information under certain states laws Some state laws apply even if there is simply a reasonable belief that there was an acquisition of data Direct notice is typically required, though substitute notice is permitted in certain instances Lessons Learned: Data Breach 3
  • 4. Issues to Consider Encryption – is it effective to avoid notice requirement? Electronic v. non-electronic data Alaska, Hawaii, Indiana, Massachusetts, North Carolina, and Wisconsin include non-electronic records loss Who else must notice be given to? Typically the Attorney-General of each state What is form of notice? Is notice required if there is no likelihood of identity theft? Thresholds – size of breach Lessons Learned: Data Breach 4
  • 5. Logistical Issues Managing notification is often beyond the capability of most organizations First challenge: Mailing the notice It may be possible to handle internally if breach is small Mass mailing requirement is difficult to address if numbers affected are significant Even if organizations operate call centres, these are rarely equipped to address the kinds of questions arising from a data breach Scripting responses takes time Must consider experience and nature of inquiries typically handled by your call centre Lessons Learned: Data Breach 5
  • 6. Law Enforcement Must consider whether law enforcement is to be notified – may not be required for ‘loss’ situation, but definitely will be for theft/hack Typically law enforcement is not experienced enough yet to understand gravity (and consequences) of data breach scenarios so it will be important to provide both to investigators Typically will not want notification prior to investigation, so best to in difficult case involve law enforcement and regulator directly and together Sometimes need to chase investigation down – thefts are common occurrence and they tend to all blur together Must consider who needs to involve law enforcement – can get delicate if the breach arises with a vendor in a different country who may be the only one who can file a complaint Lessons Learned: Data Breach 6
  • 7. Notification to Regulator/Attorney General Notification must follow standards set out in regulation Important to be accurate about notification, and timely In US, always leads to public notification even if breach is small Nonetheless, do not overlook jurisdictions merely because only a few individuals from them are involved Lessons Learned: Data Breach 7
  • 8. Response to a Breach It is becoming a truism that it is not that you’ve had a breach – everyone eventually will – it’s how you respond to it Vitally important that you not cut too fine a line in ‘distinguishing’ in treatment of customers simply because of jurisdiction Be careful to ensure accuracy in reporting on the details of what has happened, especially if still investigating Requirement under most laws to describe how you are taking steps to remediate/prevent recurrence Consider what steps you will take to help prevent harm to your customers – credit monitoring or credit protection services for example – as this will tend to colour how people respond to your breach more than the breach itself Lessons Learned: Data Breach 8
  • 9. Organizational Capability Breach experience in US highlights need to have organized response ahead of a breach Must involve multi-disciplinary group: Privacy Information Security Legal Department Public Relations/Communications Human Resources Government Relations Having a documented breach response plan and capability will be one of the critical elements in how regulators assess you in terms of your response Lessons Learned: Data Breach 9
  • 10. Lessons Learned: Data Breach 10 Constantine Karbaliotis, J.D., CIPP/C/IT constantine_karbaliotis@symantec.com 416.402.9873