20160310_iguards - ensuring digital trust


Page 1: 20160310_iGuards - Ensuring Digital Trust

Digital Trust ©2016 iGuards

February 2016

DIGITAL TRUST

Page 2: 20160310_iGuards - Ensuring Digital Trust

Executive Summary

The challenge
• As people and businesses become more connected and lead increasingly ‘smart’ or digitalized lives, the risks of data breach have grown exponentially.
• EU Data Protection Regulation: enforcing a secure way of doing business and handling personal data (Belgian & European dimension)

The impact of a data breach on your business
• Financial & Image Risk
– Outage resulting in revenues lost + remediation costs
– Legal actions and penalties
– Damage to your reputation & loss of customer confidence

Recent examples
• Medical data becomes publicly available after a human archiving fault at the document management supplier of various hospitals
• Duplicates of telecom bills transmitted to unauthorized persons based on misleading/malicious calls to the call center

Page 3: 20160310_iGuards - Ensuring Digital Trust

Executive Summary
• Our society is going Digital…
• This is massive change, and will not stop...
• Hence regulators now start to impose measures, as this is a ‘must’ / and it is ‘serious’.
• We need to embrace this Digital evolution. We need to enable such new processes. We all need trust in this new Digital world.
• iGuards offers you a full solution in gaining & keeping the trust in your Digital world.

Page 4: 20160310_iGuards - Ensuring Digital Trust

Data protection legal framework
• EU “AS IS” legal framework:
– Data Protection Directive 95/46
– ePrivacy Directive 2002/58: applicable to electronic communications
– Regulation 611/2013 of 24 June 2013: data breach notification rules, applicable to electronic communications

• Belgium:
– Belgian Privacy Act of 8 December 1992, consolidated = transposition of Directive 95/46 in Belgium
– Belgian Privacy Commission = competent controlling body

• EU: “TO BE” legal framework:
– General Data Protection Regulation: political agreement has been reached end 2015
– Final texts still to be published
– Applicable as of publication date + 2 years (“grace period”) – note: current legal framework continues to apply
– Directly applicable across all EU countries!
– This Regulation will replace Data Protection Directive 95/46 (and the Belgian Privacy Act)

Page 5: 20160310_iGuards - Ensuring Digital Trust

Data protection legal framework
• How to be compliant with data protection legislation: 7 key principles
– Notice: subjects whose data is being collected should be given notice of such collection.
– Purpose: data collected should be used only for the stated purpose(s) and for no other purposes.
– Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).
– Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.
– Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
– Access: subjects should be granted access to their personal data and allowed to correct any inaccuracies.
– Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.

“It's not a matter of IF a business is going to be breached. In today's networked world, it's a matter of WHEN”

Page 6: 20160310_iGuards - Ensuring Digital Trust

Our solution
We offer a variety of Risk Management and Compliance Services to help you evaluate your existing security practices, needs and gaps against your business requirements and objectives.

We offer a one-stop-shop service covering all your security aspects:
• Data Privacy Officer-as-a-service
• Chief Information Security Officer-as-a-service
• Information Security Program & Governance
• Recruitment, training and coaching
• Forensic IT
• Legal Advice

Page 7: 20160310_iGuards - Ensuring Digital Trust

How we can help to prevent… A series of services covering all your cyber security needs
– Security Maturity Scan (As-Is)
– Implement Information Security Governance framework (To-Be)
– Data Protection Officer services: provision/recruit/train/coach DPOs
– Testing (ethical hacking, …)
– Security education and training
– Tooling RFP guidance and selection
– Legal advice on
– Drafting Privacy Policy
– Data archiving obligations
– Data processing agreements
– Regulatory compliance training
– Streamlining notification obligations
– Sector specific legislation (banking and payment, medical sector, e-commerce, etc.)
– Reviewing/implementing privacy and security law issues in various contracts and business processes

Page 8: 20160310_iGuards - Ensuring Digital Trust

Help, our data has been breached! How can we help you?

– Remediation services
– Close the security gaps
– Provide security staffing

– Forensic IT: whodunnit?
– E-Discovery / Forensic Data Analysis / e-mail research

– Legal Counselling and guidance
– Compliance with general data protection legal framework
– Data breach notification obligations
– Contacts with BE Privacy Commission
– Follow-up litigation

Page 9: 20160310_iGuards - Ensuring Digital Trust

Data breaches are reality…

[Figure: examples of data breaches, International / National]

50% of Belgian companies are not aware of the DPA (Beltug)

Page 10: 20160310_iGuards - Ensuring Digital Trust

Recent Belgian data leaks...
NMBS (2x), VREG, JobAt, Defensie, ...

Page 11: 20160310_iGuards - Ensuring Digital Trust

Recent Belgian data leaks...

Page 12: 20160310_iGuards - Ensuring Digital Trust

Yearly avg. 80M/year paid by Belgian banks…

Everything is ‘settled’ and kept out of the press...

Crelan alone is now already 70M.

Page 13: 20160310_iGuards - Ensuring Digital Trust

A few famous hacks in 2015…

Page 14: 20160310_iGuards - Ensuring Digital Trust

Page 15: 20160310_iGuards - Ensuring Digital Trust

Contact

iGuards, a Devenyn & Partners company
Edward Pynaertkaai 106
9000 Gent

T +32 9 231 28 [email protected]

www.devenyn.be

T +32 475 904 [email protected]

Page 16: 20160310_iGuards - Ensuring Digital Trust

Backup

Page 17: 20160310_iGuards - Ensuring Digital Trust

iGuards References

Page 18: 20160310_iGuards - Ensuring Digital Trust

Key Data Protection Obligations in case of a Data Breach
• Recommendation of BE Privacy Commission
– Data breach notifications are considered to be an inherent part of the general security obligations of ANY data controller
– Any incident in which data gets lost, destroyed, altered or disclosed to the public should be notified to the Privacy Commission
– When? Within 48 hours!
– What info? Summary of the incident, concerned data, number of subscribers involved, measures taken, possible consequences, …

• Regulation 611/2013
– Electronic communication providers have to respect an even stricter deadline: 24 hours after detection of an incident!
– Notification via agreed form

• What about notification to the data subject?
– Yes, if the data breach is likely to adversely affect the personal data or privacy of an individual
– When? A.S.A.P.
– What info? Info on the incident, measures taken, etc.