EU-US Privacy Shield - Safe Harbor replacement
TRANSCRIPT
Baker Tilly refers to Baker Tilly Virchow Krause, LLP,
an independently owned and managed member of Baker Tilly International.
Privacy Shield: What you need to know
German American Chamber of Commerce of the Midwest, Inc.
Nick Graham, Partner, Dentons UK
Jan Hertzberg, Director, Baker Tilly
Setting the Scene
• European Commission of the European Union (EU) and the US Department of Commerce reached agreement on a new pact for data transfers (February 2, 2016)
• “Safe Harbor” agreement was invalidated after the European Court of Justice found that the US had violated the privacy of its citizens
• Privacy Shield imposes:
− Stronger obligations on US companies to protect the personal data of EU citizens
− Stronger monitoring, oversight and enforcement of the agreement
− Limitations and oversight on US government access to data
− US privacy office established to handle complaints of EU citizens
− Annual review of US commitments and performance against the Privacy Shield agreement
Agenda
• Privacy Rules (current and future)
• Privacy Shield
• Securing Personally Identifiable Information (PII)
• Wrap-up and takeaways
• Q&A
Privacy Rules: Current Landscape
EU versus US – Treatment of Privacy
European | US
Privacy is a human right | Privacy is a consumer protection issue
"Personal Data" | "PII" (Personally Identifiable Information)
No processing of personal information is the default | The commercial use of personal information is acceptable as the default
• Cultural conflicts: e-discovery/litigation
Current German Legal Structure deriving from EU Directive
EU Data Protection Directive 1995
Each of the other 27 EU member states has a similar data protection regime.
Comparable data protection laws also apply outside the EU (e.g. Russia).
When do the rules apply?
The EU rules apply when there is:
− processing
− of personal data
− by a data controller
− established in the EU (in the context of that establishment) or (where the data controller is established outside of the EEA) using equipment in the EU.
Controllers and Processors
Data Controller: A person who determines the purposes and means of the processing of personal data
Data Processor: A person who processes personal data on behalf of the data controller
Illustration from the slide: ABC KGaA (Data Controller); Employee (Data Subject); Microsoft (Data Processor)
What does it mean if EU rules apply?
You will be required to:
• Comply with the Data Protection Principles
• Comply with the Rights of Data Subjects
• Notify your data processing to certain regulators
• Take the consequences if you fail to comply
Data Protection Principles
• Transparency: privacy policies and notices
• Comply: with one of the conditions for processing (e.g. consent/necessary to perform a contract)
• Purpose limitation: only use personal data for specified and lawful purposes; no incompatible purposes
• Proportionality: personal data to be adequate, relevant and not excessive
• Accuracy: personal data to be accurate/kept up-to-date
• Retention: personal data not to be retained for longer than necessary
• Individual rights: to access, correct and object as well as claim compensation
• Security: appropriate measures to protect data required
• Exports: no transfers of personal data outside of the EEA without adequate protection
What happens if we get it wrong?
• Regulators can fine us
• Regulators may also have the ability to:
− issue an information notice
− issue an enforcement notice
− seek to bring criminal proceedings
• Compensation
• Bad publicity and reputational harm
• Personal liability for individuals who violate the rules
Privacy Rules: Changing Landscape
EU Data Protection Regulation
• Scope: EEA, overseas and processors
• Model: "one stop shop"
• Governance: DPO and "privacy office;" refresh policies and procedures; training; audit
• Privacy by design
• Privacy by default
IN FORCE FROM 25 MAY 2018
EU Data Protection Regulation
• Enhanced rights and duties of transparency and proportionality
• Data breach notification: to be a legal requirement
• Penalties: fines of up to 4% of annual worldwide revenue or EUR 20 million (USD 22.6 million)
• Risk control: new "principle of accountability." This requires a "control framework" of policies, procedures, training and audit to manage and mitigate global privacy risk.
EU-US Privacy Shield
Safe Harbor: The Case
Max Schrems complaint against
Safe Harbor declared invalid 6 October 2015
Explore alternative transfer tools
Privacy Shield
Privacy Shield: The 7 Principles
• Notice
• Choice
• Accountability for onward transfer
• Security
• Data Integrity and Purpose Limitation
• Access
• Recourse, Enforcement and Liability
Safe Harbor v Privacy Shield

"Essentially equivalent"
Old World: Safe Harbor
• Annual self-certification
• Notice
• Choice
• Onward Transfer
• Security
• Data Integrity / Purpose Limitation
• Access
New World: Privacy Shield
• Much more detailed privacy notices
• Onward transfer accountability:
− Agreement with Controllers
− Liability for Processor non-compliance

Remedies / individual Redress
Old World: Safe Harbor
• Federal Trade Commission Complaint
• Private dispute resolution
New World: Privacy Shield
• Direct complaint - 45 days response
• ADR / DP Panel
• DP Authority complaints
• DoC Complaints
• Binding arbitration / Privacy Shield Panel
• Ombudsman for National Security queries

Oversight
Old World: Safe Harbor
• Federal Trade Commission (but no control over public authorities)
• Foreign Intelligence Services Court - ex parte proceedings
New World: Privacy Shield
• Proactive DoC investigation and extra resource
• Name & shame for removal
• Release of Privacy Shield sections of compliance reports
• Annual verification
• DP Authorities (especially HR data)
• Ombudsman: all US transfers
• Annual review of Privacy Shield
• Privacy Shield may be suspended
Privacy Shield: Implementation
• Who can apply?
• Effective: Aug 1, 2016
• 9 month grace period on vendor contract review (if signed up by Sept 30, 2016)
• Who has signed up?
Privacy Shield: Checklist for applying
• Put in place governance - who will own Privacy Shield?
• Update notices to data subjects and create Privacy Shield Privacy Policy
• Set up procedures to enable customers to opt-out, access their personal information and the ability to correct, amend or delete the data
• Establish an annual compliance review
• Set up a complaint handling process
• Choose independent dispute resolution body
• Update contracts with vendors/suppliers
Privacy Shield: Upsides and Downsides
Upsides
• Provides "adequate protection"
• Stepping stone for BCRs
• Less cumbersome contract negotiations
Downsides
• Only transfers to the US
• Regulatory scrutiny
• Upgrade to policies/procedures
• FTC enforcement risk
• Annual verification
• Court challenge
Privacy Shield: How to apply?
https://www.privacyshield.gov/welcome
http://ec.europa.eu/justice/data-protection/international-transfers/eu-us-privacy-shield/index_en.htm
Alternative Data Transfer Options?
• Consent from individuals - dubious validity
• Model Clauses - "snapshot" only, so require refreshing
• Binding Corporate Rules - Platinum standard; control framework
Securing Personally Identifiable Information (PII)
Society Has Become Highly Digital
• Hyper-Connectivity
• Hyper-Mobility
• Highly Sophisticated Adversaries
• Hyper-Sociability
• Cyber-Physical “Things”
Physical Cyber “Things”
• Smart fridge: can track what it stores, alerting when products expire, & even add items to smartphone shopping list
• Security cameras & systems: can be remotely armed & checked, get alerts or review your security feeds from any location
• Lighting systems: can be controlled using a smartphone app or via the web, as can fans, hot tubs, water pumps, thermostats, even door openers
• Personal medical devices: can be implantable or external & allow remote monitoring / treatment
• Today’s cars: are computer-guided and wirelessly connected via Bluetooth, GPS, radio protocols
• F-35 fighter jet: has a highly advanced computerized logistics system designed to minimize repair and re-equipping turnaround times by monitoring the plane’s status and pre-emptively making service decisions so that ground crews are ready to go before the plane even lands
• Smart TVs: connect to the Internet for web browsing, image sharing, gaming, or watching streaming video
Sources: Forbes, Vice, Cisco IBSG, University of Michigan, ABC News, Qmed, Network World
Business Email Compromise: A Special Kind of “Phish”
From October 2013 through February 2016, law enforcement received reports from 17,642 victims.
Total Exposed Loss = $2.3 billion since 2013
The FBI has identified a 270% increase in BEC attack victims and exposed loss since Jan. 2015.
Law enforcement globally has received complaints from victims in every U.S. state & 95 countries.
In Arizona the average loss per scam is between $25,000 and $75,000.
Sources: http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/
https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams
Strategies must be Intelligence-Driven
• Business Lines: Require AGILITY and fast time to market to meet business goals and customer demand
• Cyber-Threats: Require us to have MATURE prevention, detection and recovery controls to keep pace
• Employees: Strive for excellence and are interested in how and where they WORK.
• Shareholders: Require we protect revenue to enable GROWTH
• Client and Customers: Place TRUST in us and demand we are careful stewards of their data and transactions
• Regulators: Expect we provide evidence of a STRONG information security program
Strategies must also be Comprehensive
Eight Security Ecosystem Components
• NETWORKS: Are monitored 24x7
• IDENTITY & ACCESS: Is appropriate based on job role
• INDUSTRY & PARTNERSHIPS: Provide actionable cost-effective threat and risk intelligence
• DATA & INFORMATION: Is secure at rest and in transit
• APPLICATIONS: Are secure in development and production
• CUSTOMERS & CLIENTS: Are educated on cyber-risks and their role protecting their devices
• THIRD PARTIES & VENDORS: Control parity is risk-based and protections are appropriate
• DEVICES: Are secure and patched regularly to keep secure over time
ANTICIPATE emerging threats & risks
ENABLE business growth while protecting existing revenue
SAFEGUARD Information & assets
Security for Privacy Requirements
Information Security Program: Developed, documented, approved, and implemented security program. Includes the following:
– Risk Assessment and treatment
– Security policy
– Organization of information security
– Asset management
– Human resources security
– Physical and environmental security
– Communications and operations management
– Access control
– Information systems acquisition, development, and maintenance
– Business continuity management
– Compliance
Security for Privacy Requirements (Cont.)
Logical Access Controls: Access to personal information is restricted by procedures that address the following:
– Authorizing and registering internal personnel
– Identifying & authenticating internal personnel
– Changes and updating access profiles
– Granting permissions for access to IT infrastructure components and personal information
– Preventing individuals from accessing anything other than their own or sensitive information
– Limiting access to personal information only to authorized internal personnel
– Restricting logical access to offline storage, backup data, systems and media
– Restricting access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices
– Preventing the introduction of viruses and malicious code
Security for Privacy Requirements (Cont.)
Physical Access Controls
• Restricted to personal information in any form (including the components of the entity’s system(s) that contain or protect personal information).
• Examples include:
− Theft
− Espionage
− Dumpster diving
− Social engineering (including phishing)
− Shoulder “surfing”
Security for Privacy Requirements (Cont.)
Environmental Safeguards
• Personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards
Security for Privacy Requirements (Cont.)
Transmitted Personal Information
• Personal information is protected when transmitted by mail or other physical means such as:
− Emailing data from one person to another
− Faxing data from one person to another
− Updating or editing database information
− Storing data on USB drives, CDs, floppy disks (called “removable media”)
− Storing data on a computer hard drive or networked drive (called “fixed media”)
− Deleting information from fixed or removable media
− Scanning of a document and emailing to yourself
• Personal information collected and transmitted over the Internet is protected by deploying industry-standard encryption technology for transferring and receiving personal information
Security for Privacy Requirements (Cont.)
Personal Information on Portable Media
• Personal information stored on portable media or devices is protected from unauthorized access.
Security for Privacy Requirements (Cont.)
Centralized Device Management
• Automatically registers users to devices and implements policies
− Low system overhead and limited support staff required
• Manage Multiple Device Types and Brands
− Leverages existing investment
• Provide Forensic Level Auditing
• File level blocking by type and name
• Manage Devices off the network
• Remote Kill of Devices
Device Coverage: Optical Products - CD/DVD; USB Flash Drives; External Hard Disk Drives
Multiple Authentication Methods: Password (hardware rules); Biometric + Password
Validated Encryption
Security for Privacy Criteria (Cont.)
Testing Security Safeguards
• Tests of the effectiveness of the key administrative, technical, and physical safeguards protecting personal information are conducted at least annually.
Security Risk Assessment
• Understand all information systems at a granular level
• Determine what assets really matter (crown jewels)
• Translate and align to business objectives and priorities
• A clear definition of risk tolerance levels is required
• The assessment must be unique to the company and its industry
• The process must be iterative and dynamic to adapt to constant change
• Standard frameworks improve effectiveness (e.g., NIST, ISO)
NIST Cybersecurity Framework
Framework Categories (grouped by Framework function)
Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes; Maintenance; Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery Planning; Improvements; Communications
Wrap-up and Takeaways
• Know your data (mapping)
• Check EU compliance
• Implement PIA
• Implement data transfer solution
• Understand the risks based on the agreement
• Evaluate and Implement data transfer solution
• Conduct a Security Assessment
• Closely Monitor developments
Contact
NICK GRAHAM, PARTNER / GLOBAL CO-CHAIR, PRIVACY & CYBERSECURITY GROUP, Dentons, 44 20 7320 6907
JAN HERTZBERG, DIRECTOR, IL RISK & INTERNAL AUDIT, Baker Tilly, 312 729 8067