20160310_iguards - ensuring digital trust


Digital Trust ©2016 iGuards

February 2016

DIGITAL TRUST


Executive Summary

The challenge
• As people and businesses become more connected and lead increasingly ‘smart’ or digitalized lives, the risks of data breach have grown exponentially.
• EU Data Protection Regulation: enforcing a secure way of doing business and handling personal data (Belgian & European dimension)

The impact of a data breach on your business
• Financial & Image Risk
– Outage resulting in lost revenues + remediation costs
– Legal actions and penalties
– Damage to your reputation & loss of customer confidence

Recent examples
• Medical data became publicly available after a human archiving fault at the document management supplier of various hospitals
• Duplicates of telecom bills transmitted to unauthorized persons based on misleading/malicious calls to the call center


Executive Summary
• Our society is going Digital…
• This is massive change, and it will not stop...
• Hence regulators are now starting to impose measures: this is a ‘must’, and it is ‘serious’.
• We need to embrace this Digital evolution. We need to enable such new processes. We all need trust in this new Digital world.
• iGuards offers you a full solution for gaining & keeping trust in your Digital world.


Data protection legal framework
• EU “AS IS” legal framework:
– Data Protection Directive 95/46
– ePrivacy Directive 2002/58: applicable to electronic communications
– Regulation 611/2013 of 24 June 2013: data breach notification rules, applicable to electronic communications
• Belgium:
– Belgian Privacy Act of 8 December 1992, consolidated = transposition of Directive 95/46 in Belgium
– Belgian Privacy Commission = competent controlling body
• EU “TO BE” legal framework:
– General Data Protection Regulation: political agreement was reached at the end of 2015
– Final texts still to be published
– Applicable as of publication date + 2 years (“grace period”); note: the current legal framework continues to apply until then
– Directly applicable across all EU countries!
– This Regulation will replace Data Protection Directive 95/46 (and the Belgian Privacy Act)


Data protection legal framework
• How to be compliant with data protection legislation: 7 key principles
– Notice: subjects whose data is being collected should be given notice of such collection.
– Purpose: data collected should be used only for the stated purpose(s) and for no other purposes.
– Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).
– Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.
– Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
– Access: subjects should be granted access to their personal data and allowed to correct any inaccuracies.
– Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.

“It's not a matter of IF a business is going to be breached. In today's networked world, it's a matter of WHEN”


Our solution
We offer a variety of Risk Management and Compliance Services to help you evaluate your existing security practices, needs and gaps against your business requirements and objectives.

We offer a one-stop-shop service covering all your security aspects:
• Data Privacy Officer-as-a-service
• Chief Information Security Officer-as-a-service
• Information Security Program & Governance
• Recruitment, training and coaching
• Forensic IT
• Legal Advice


How we can help to prevent…
A series of services covering all your cyber security needs
• Security Maturity Scan (As-Is)
• Implement Information Security Governance framework (To-Be)
• Data Protection Officer services: provision/recruit/train/coach DPOs
• Testing (ethical hacking, …)
• Security education and training
• Tooling RFP guidance and selection
• Legal advice on:
– Drafting Privacy Policy
– Data archiving obligations
– Data processing agreements
– Regulatory compliance training
– Streamlining notification obligations
– Sector specific legislation: banking and payment, medical sector, e-commerce, etc.
– Reviewing/implementing privacy and security law issues in various contracts and business processes


Help, our data has been breached! How can we help you?
• Remediation services
– Close the security gaps
– Provide security staffing
• Forensic IT: whodunit?
– E-Discovery / Forensic Data Analysis / e-mail research
• Legal Counselling and guidance
– Compliance with the general data protection legal framework
– Data breach notification obligations
– Contacts with the BE Privacy Commission
– Follow-up litigation


Data breaches are reality…
(Slide panels: International / National)

50% of Belgian companies are not aware of the DPA (Beltug)


Recent Belgian data leaks... NMBS (2x), VREG, JobAt, Defensie, ...


On average 80M per year is paid by Belgian banks…

Everything is ‘settled’ and kept out of the press...

Crelan alone is already at 70M.


A few famous hacks in 2015…


Contact

iGuards, a Devenyn & Partners company
Edward Pynaertkaai 106
9000 Gent

T +32 9 231 28 53
jeroen@iguards.eu

www.devenyn.be

T +32 475 904 781
jan@iguards.eu


Backup


iGuards References


Key Data Protection Obligations in case of a Data Breach
• Recommendation of the BE Privacy Commission
– Data breach notifications are considered to be an inherent part of the general security obligations of ANY data controller
– Any incident in which data gets lost, destroyed, altered or disclosed to the public should be notified to the Privacy Commission
– When? Within 48 hours!
– What info? Summary of the incident, data concerned, number of subscribers involved, measures taken, possible consequences, …
• Regulation 611/2013
– Electronic communication providers must respect an even stricter deadline: 24 hours after detection of an incident!
– Notification via the agreed form
• What about notification to the data subject?
– Yes, if the data breach is likely to adversely affect the personal data or privacy of an individual
– When? A.S.A.P.
– What info? Info on the incident, measures taken, etc.
