privacy, risk and regulations - scope, rights, penalties


Page 1: Privacy, Risk and Regulations - Scope, Rights, Penalties

Privacy, Risk and Regulations - Scope, Rights, Penalties and Process across the Ohio DPA, CCPA, and GDPR

The growing need for privacy and legal risk professionals serving multi-jurisdictional or international organizations has been heightened by the November 2, 2018 deadline mandated by the Ohio Data Protection Act (“DPA”). This workshop will provide intensive, hands-on instruction integrating the frameworks of the Ohio DPA, the Californian Consumer Privacy Act (CCPA), and the General Data Protection Regulation (GDPR), which became effective May 25, 2018. The workshop will focus on understanding the business, legal and technology processes, with the ultimate goal of preparing for current or future client representation with formal professional certification goals.

The workshop will provide an explicit path to follow in order to lessen exposure for clients and organizations, including discussing:

• State, Federal and International breach notification regulations;
• Breach response evaluation procedures, including safe harbor defenses;
• Confidentiality, liability and privilege protections (specific focus on professional ethics, responsibilities and technical competency);
• Risk matrix and assessment tools;
• Process and decision flow charts (risk, security, privacy, information, marketing, customer, data processors);
• Contract provisions (Consumer, Vendor, Technology and 3rd Party);
• New Technology Opportunities (Blockchain, identity and AI) and the Technology Associated Risks.

3.5 CLE approved in OH and IN (pending in KY).

Page 2: Privacy, Risk and Regulations - Scope, Rights, Penalties

Privacy, Risk and Regulations - Scope, Rights, Penalties and Process across the Ohio DPA, CCPA, and GDPR

Presented by Thomas Doty, JD, LLM, NuStrategies, LLC – October 11, 2018

#nkucyber11

About Me - Thomas Doty, Esq., LLM

Presenter:

As General Counsel for TaxToken, he advises on cryptocurrency compliance/regulatory issues of Blockchain/AI technology transactions.

A recent panelist at the NEXT Conference presenting non-fungible tokenization concepts supporting “Artists, Creatives and Intermediaries in the 21st Century Blockchain World”.

In his role as Intellectual Asset Protection Director for NuStrategies, he develops strategy on human capital supply chain risks of Blockchain ERP, VMS, HRIS legacy systems and AI advanced technologies. He also advises the federal bench on technical competence and cybersecurity awareness associated with the 21st century practice of law.

Past 10 years on legal and technology strategies advising law entities and Fortune 100 companies on issues concerning cyber security, data privacy, information management and cyber governance matters.

Internationally certified in IP mediation and commercial arbitration.

A military veteran, DARPA-trained technologist and startup advisor holding several technical credentials.

He has held strategic and C-level public, private and government positions within technology, software and human capital industries.

He will be delivering the keynote at the Fourth Annual IP Mosaic Conference - IP Unbundled: Theory, Policy, and Practice.

He also presented essential information and planning guidelines for corporate counsel, HR professionals and compliance managers exploring 21st century legal challenges, the promise of Blockchain, HR data security, and workforce disruptions at the 2018 Littler Executive Employer Conference session - "The Future Workplace: From Gig Workers to Virtual Workers: How the AI and Robotics Revolution Will Shape the Employment and Labor Law Landscape".

As a 21st century practice-of-law techno/legal evangelist he frequently speaks on international legal entity/trusted third party vendor risk exposure of talent sourcing technologies, focusing on Blockchain and technical competency effects upon client representation. Over the past year he has also presented:

• “Security, Regulations and Artificial Intelligence Have Transformed Governance, Risk and Compliance to Integrated Risk Management”;
• “AI/Blockchain Opportunities in Law: From Lex Mercatoria to Lex Cryptographica”;
• “AI/Blockchain Opportunities in Law: Creative Economy Assets & The First Sale Doctrine”;
• “A Strategic Briefing on the Human Capital Industry: AI / Blockchain Opportunities in HC Supply Chain VMS”;
• “Tech Competence, Confidentiality, and Cyber Ethics for Lawyers and Law Firms”;
• “The Issues of Professionalism and the Use of Technology in the 21st Century Practice of Law”;
• “The Lawyers Ethics Deployment, Use and Protection of Social Media Brands”;
• “Information Security, Confidentiality, and Cyber Ethics for Law Entities”;
• “The Rapidly Changing Need of Cyber Insurance: Why doesn’t my policy cover that?”

Past chairman and board member of the Arts, Communications, Entertainment and Sports Section, he directs the board’s current focus on creative rights management and use of AI, ML and Blockchain technologies for democratization and tokenization. He also serves on the boards of the Information Technology section, Privacy Committee and State Bar of Michigan Awards Committee.

Licensed in California, Michigan and Virginia, Mr. Doty is admitted to the U.S. Court of Appeals for the Federal Circuit, U.S. Court of Appeals for the Sixth and Ninth Circuits, U.S. Court of International Trade, U.S. District Court for the Eastern District of Michigan and the Northern District of California. He holds a B.S.I.T. from Southern Illinois University and received his Master of Laws in Intellectual Property from Franklin Pierce Law Center (UNH).

Page 3: Privacy, Risk and Regulations - Scope, Rights, Penalties

Thomas Doty, JD, LLM – Director, Intellectual Asset Protection
NuStrategies, LLC
[email protected]

Privacy, Risk and Regulations - Scope, Rights, Penalties and Process across the Ohio DPA, CCPA, and GDPR

Thursday, October 11, 2018
1:00 PM - 4:30 PM
Northern Kentucky University
Griffin Hall 201 (Digitorium)

Page 4: Privacy, Risk and Regulations - Scope, Rights, Penalties


Goals and Objectives

Understanding the business, legal and technology risk assessment processes associated with current or future client representation:

– Local / State (Ohio DPA – November 2, 2018)
– Interstate / Nationally (CaCPA – January 2019 / 2020)
– Internationally / Cross Border (GDPR – May 25, 2018)

Breach assessment, evaluation, response and notification

Integrate Risk Management Process and Tools

New Technology Opportunity and Associated Risks

Ethical and Legal Considerations (competence, contracts & bias)

Page 5: Privacy, Risk and Regulations - Scope, Rights, Penalties


Glossary

• GDPR
• Ohio DPA
• CaCPA / CCPA
• NIST SP 800-171
• NIST 800-53
• ISO 27001
• SOX
• GLBA
• FTC
• SEC
• FCRA
• HITECH
• HIPAA
• CIRP
• DOD 858201
• FinTech
• KYC
• AML
• VMS
• COPPA
• PIPEDA
• FOIPA
• CFPB
• Dodd-Frank
• Anonymization
• Pseudonymization
• DPO
• IRM
• KRI
• USA-PATRIOT
• TSR
• CAN-SPAM
• DRM
• VRM
• BCM
• AM
• CCO
• ELM
• NAI
• OWASP
• OECD
• CIPA
• CALEA
• FACTA
• FTCA
• DPPA
• FERPA
• PPA
• CISA
• TCPA

Page 6: Privacy, Risk and Regulations - Scope, Rights, Penalties


Getting to Know You…

Page 7: Privacy, Risk and Regulations - Scope, Rights, Penalties


Rank    Company     Market Cap (Billions, as of May 11, 2017)    Primary Revenue Driver
#1      Apple       $804                                         Hardware
#2      Alphabet    $651                                         Advertising
#3      Microsoft   $536                                         Software
#4      Amazon      $455                                         Online Retail
#5      Facebook    $434                                         Advertising
TOTAL               $2,880

Money + Media = Advertising

Chart: Here’s How 5 Tech Giants Make Their Billions, Jeff Desjardins, May 12, 2017 at 1:03 pm

Page 8: Privacy, Risk and Regulations - Scope, Rights, Penalties


Money + Media = Advertising

During a search for “laundry detergent” on Amazon’s site, an ad for Tide and Gain popped up. During a search for “dog food” on Amazon, a Purina Pro Plan ad appeared.

Amazon has long sold sponsored listings and other ads tied to search keywords on its site. Due to the vast amount of data Amazon collects from its customers, it can target ads beyond basic demographics.

Page 9: Privacy, Risk and Regulations - Scope, Rights, Penalties


Climbing the Chart with a Bullet

Page 10: Privacy, Risk and Regulations - Scope, Rights, Penalties


GDPR as Business Opportunity

POLL SHOWS GDPR COMPLIANCE LACKING (September 10, 2018)

• 34.5% maintain GDPR practices
• 32.7% hope to be compliant within 2018
• 11.7% plan to take a “wait and see” approach
• 56% haven’t performed an audit

Organizations are still scrambling to demonstrate a defensible position on GDPR compliance.

[Chart panels: State of third-party data access; Extent artificial intelligence is applied to data]

Source: Deloitte, “EU General Data Protection Regulation: Practical steps for compliance”, June 22, 2018. 490+ respondents.

Page 11: Privacy, Risk and Regulations - Scope, Rights, Penalties


GDPR Compliance Components

2017 Deloitte Seminar - General Data Protection Regulation: A New Era for Privacy

Page 12: Privacy, Risk and Regulations - Scope, Rights, Penalties


GDPR Compliance Workshop

Does your organization have a physical or virtual operation serving EU consumers/customers?

Potential Question – Who could be asked?

• Who is accountable for your GDPR compliance efforts? – Privacy, Legal, and IT
• How are you planning for the requirements of the GDPR? – Privacy, Legal, Compliance, and IT
• How has the C-suite responded regarding potential fines to be imposed by the GDPR? – Privacy
• Do you have an inventory as to where your personal data is? What about within your “shadow IT” environment? Transfer? – Privacy, Business teams, and IT
• Do you know which of your third-party vendors have your data? What about past vendors? Do you conduct pre-contract assessments? Do you audit as a routine? – Privacy, Business teams, and IT
• Where are you embedding the PIA process within your operations? Who is leading the associated remediation? – Privacy and IT
• How are you preparing to respond to requests from a consumer to delete their records? What about access and provision in an electronic format? – Privacy and IT
• How confident are you that the organization can meet the 72-hour breach notification requirement? – Privacy and IT
• Do your data mining activities comply with the GDPR's requirements? Do you use automated methods to make decisions without human intervention? – Privacy, Legal, Business teams, and IT

Page 13: Privacy, Risk and Regulations - Scope, Rights, Penalties


DPIA – Data Processing Impact Assessment

DPIAs are an essential part of your accountability obligations.

Conducting a DPIA is a legal requirement for any type of processing, including certain specified types of processing, that is likely to result in a high risk to the rights and freedoms of individuals.

Failing to carry out a DPIA in these cases may leave you open to enforcement action, including a fine of up to €10 million, or 2% of global annual turnover if higher.

Page 14: Privacy, Risk and Regulations - Scope, Rights, Penalties


Planning – Pre and Post Breach

Preliminary Asset Evaluation

Legal Assets (Crown Jewels):
– Intellectual Property
– People Information (PHI / PII)
– Financial Information
– Business Information (strategy, performance, transactions, experts, witnesses)

Do you know what you have, or what others may want?

Do you know how your business processes make these assets more vulnerable?

Do you understand how these assets could be accessed or disrupted?

Would you know if you were being attacked, or if the assets were compromised?

Do you have a plan to react and minimize loss caused by any disruption?

Page 15: Privacy, Risk and Regulations - Scope, Rights, Penalties


Privacy vs. Security – Is there a difference?

Privacy is all about the use of information: the policies and practices that dictate what data is collected, and how that data is used.

Security is all about how you control and protect that data.

Here’s another way to think about it

Page 16: Privacy, Risk and Regulations - Scope, Rights, Penalties


Privacy & Security – It Crosses All Borders

Page 17: Privacy, Risk and Regulations - Scope, Rights, Penalties


Privacy & Security – Regulatory Issues

Page 18: Privacy, Risk and Regulations - Scope, Rights, Penalties


Privacy & Security – GDPR Specifics

Page 19: Privacy, Risk and Regulations - Scope, Rights, Penalties


Which is the Greater Risk?

• Trusted Insider
• Unknown Outsider
• Trusted 3rd Party Vendor

Page 20: Privacy, Risk and Regulations - Scope, Rights, Penalties


The Risk Documented – Insider Threat 51%

Page 21: Privacy, Risk and Regulations - Scope, Rights, Penalties


Data Records Compromised in 2017

Human error as a major risk management and security issue: Accidental loss, consisting of improper disposal of records, misconfigured databases and other unintended security issues, caused 1.9 billion records to be exposed, a dramatic 580% increase in the number of compromised records from 2016.

Internal threats are increasing: The number of records stolen increased to 30 million, a 117% increase from 2016.

Identity theft is still the number one type of data breach: Identity theft was 69% of all data breach incidents. Over 600 million records were impacted, resulting in a 73% increase from 2016.

Page 22: Privacy, Risk and Regulations - Scope, Rights, Penalties


Breach Level Index

According to the Breach Level Index (BLI), in 2017 the number of data records compromised in publicly disclosed data breaches surpassed 2.5 billion, up 88% from 2016.

The only year in BLI’s history to surpass this total was 2013. The world didn’t learn that until 2017, when Verizon Communications confirmed the exposure of all three billion Yahoo users’ accounts in a 2013 breach.

Page 23: Privacy, Risk and Regulations - Scope, Rights, Penalties


Trusted 3rd Party Vendors

Page 24: Privacy, Risk and Regulations - Scope, Rights, Penalties


Trusted 3rd Party Vendors

Page 25: Privacy, Risk and Regulations - Scope, Rights, Penalties


Cybersecurity Expectations of Law Entities

• Vendor Risk Assessments (VRA) are a standard compliance requirement for all vendors on the “approved vendors” list.

• Onsite inspection and policy review by the corporate client (not just the insurer), insisting on verified evaluations of a law firm’s security protocols, technical competence and data protection standards.

Page 26: Privacy, Risk and Regulations - Scope, Rights, Penalties


Client-Lawyer Relationship – Waiving Confidentiality

Attorneys have an ethical duty to preserve confidentiality unless the client waives the protection.

Courts consider whether the entity took reasonable steps to keep the communication confidential.

Unintentional waivers frequently involve situations in which the disclosure is inadvertent (such as an overheard conversation, a misdirected email, a lost device, or a document mistakenly distributed or produced). The analysis as to whether the unintentional disclosure will be deemed a waiver rests largely on whether the entity took reasonable and appropriate steps to keep the communication confidential. See FED. R. EVID. 502(b); United States v. de la Jara, 973 F.2d 746, 750 (9th Cir. 1992).

Page 27: Privacy, Risk and Regulations - Scope, Rights, Penalties


Your Ethical Duties

ABA Model Rule 1.1 – Competence

– A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

Comment [8]

– To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

Page 28: Privacy, Risk and Regulations - Scope, Rights, Penalties


Client-Lawyer Relationship – Confidentiality of Information

The attorney-client privilege will protect confidential communications between the attorney and client in cases of inadvertent disclosure ONLY if the attorney and client act reasonably to protect that privilege.

A lack of reasonable care to protect against disclosing privileged and protected information when handling ESI can be deemed a waiver of the attorney-client privilege.

Duty of Confidentiality - Rule 1.6 - Confidentiality of Information

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…

Page 29: Privacy, Risk and Regulations - Scope, Rights, Penalties


Client-Lawyer Relationship – Confidentiality of Information

Rule 1.6 - Confidentiality of Information

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. See Rule 1.0(h).

Comment [18] Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision*… The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.

* Breach or disclosure of a client’s information invokes Rule 1.4

Page 30: Privacy, Risk and Regulations - Scope, Rights, Penalties


Client-Lawyer Relationship – Confidentiality of Information

Rule 1.6 - Confidentiality of Information (Comments)

Acting Competently to Preserve Confidentiality

[18] … Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules. For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments [3]-[4].

Page 31: Privacy, Risk and Regulations - Scope, Rights, Penalties


Vendor Due Diligence Checklist

Auditing

• Financial records audit.
• A review of data transactions and data processing.
• Regulatory compliance with any government (HIPAA, GLBA) or industry (PCI-DSS) regulations that may apply to your business.
• Ongoing security monitoring.
• Ongoing security due diligence.
• CIRP tabletop simulations with client IT staff present.
• Basic and advanced security policies and compliance.
• Computer acceptable use policies.
• Computer incident response plan (CIRP).
• Interviews with key personnel.
• Network vulnerability assessment or penetration test.

If you are in the DOD supply chain, you have been required to comply with NIST SP 800-171 and DOD 858201p.

Page 32: Privacy, Risk and Regulations - Scope, Rights, Penalties


Vendor Due Diligence Checklist

Secure Access

• Two factor authentication.
• Permission based network segmentation and access.
• Use of secure connections such as VPNs.
• The presence of security devices on your network, such as firewalls, intrusion detection and prevention devices (IDS or IPS), and unified threat management platforms such as AlienVault.

Training

• Ongoing monthly, quarterly, or annual cybersecurity awareness training program.
• Phishing simulation.
• On-site live, online, or video training.
• CIRP tabletop simulations with your internal staff only.

If you are in the DOD supply chain, you have been required to comply with NIST SP 800-171 and DOD 858201p.

Page 33: Privacy, Risk and Regulations - Scope, Rights, Penalties


Vendor Due Diligence Checklist

• Governmental and third-party requests: Immediate notification of all requests for disclosure of data by any party, with provision to control the response.
• Service level agreements: Uptime guarantees and monetary credits for failure to comply.
• Suspension of services: The vendor should provide sufficient notification, with time to cure, before suspending services for any breach of contract.
• Indemnity and Cyber Insurance: The entity must require indemnity for harm caused to third parties by the vendor's breach of confidentiality obligations, data security or privacy requirements, or noncompliance with laws. Entities also should require vendors to have adequate cyber insurance covering both data loss and data breach response.
• Business continuity/disaster recovery: Vet the vendor’s business, including all information, business continuity and disaster recovery plans, incorporated into and attached to the contract.
• Dispute resolution: Arbitration clauses should be considered as an efficient and cost-effective means to resolve disputes arising under the vendor agreement.

Page 34: Privacy, Risk and Regulations - Scope, Rights, Penalties


Vendor Due Diligence Checklist

Integrate Cyber Risk Management into Vendor Management

Identify all systems that you utilize which any external vendor provides, including:

• Vendors used to help manage the IT systems at your main headquarters and each location;
• IT systems dedicated to processing payment cards;
• Systems utilized for employee payroll processing;
• Cloud sourcing of corporate data, including sensitive and confidential information;
• Security vendors or systems utilized for cameras, access control and security monitoring;
• Mechanical vendors utilized for watering or cooling control systems;
• Also review physical and electronic access systems vendors (locksmiths and keycard vendors).

TRUST BUT VERIFY – ALL VENDOR RELATIONSHIPS

Review the business dependencies of the vendor and the current vendor agreement, including the vendor’s agreements with external parties. These agreements should outline business roles, responsibilities, liabilities, and determinations for breach notification.

• Conduct a site visit to key vendors to review and ensure compliance.
• Review the current signed non-disclosure agreement (NDA) with necessary vendors.

Page 35: Privacy, Risk and Regulations - Scope, Rights, Penalties


Guide For Trusted Third Party Vendors

Preemptive Guide

1. Cybersecurity Policies and Procedures.
   A. Incident response plan
   B. Business continuity plans in case of a cyber-attack
   C. Personnel continuity. Competition for talent in the information security space is intense
   D. PCI Compliance plan
   E. A/C protection & control (including cyber vendor oversight during litigation or investigation)
   F. Employee Awareness Training Programs
   G. Cybersecurity threat information sharing processes (CISA) – FBI, DOHS, US Secret Service, State AG, Regulatory agencies

Page 36: Privacy, Risk and Regulations - Scope, Rights, Penalties


Guide For Trusted Third Party Vendors

Preemptive Guide

2. A Digital Forensics/Data Breach Response Firm on Call. A breach will require immediate assistance, and there will not be time for the usual due diligence and contractual review of the engagement of an incident response firm, so having an agreement, such as a master service agreement, in place makes sense.

3. When negotiating cyber insurance policies, some insurance policies will seek “panel” and “prior consent” provisions that purport to mandate that an insured hire a specific digital forensic/data breach response firm (even if the victim firm already has a prior existing relationship with a particular vendor). Insureds should consider such a provision carefully; much like choosing one’s own surgeon for a heart procedure, an insured might want the same freedom of choice when it comes to selecting a digital forensics/data breach response firm.

Page 37: Privacy, Risk and Regulations - Scope, Rights, Penalties


Is the House On Fire? - Cyber Risk Profile

A cyber risk profile is a measure of an organization's security posture. It is a picture of your risk related to technical aspects such as network and system security liability and network interruption, as well as more organizational aspects such as cyber defense maturity.

1. Create a profile - perform a baseline audit of hardware and software and then a business impact analysis (BIA) to understand which applications contribute the greatest financial or reputational exposure.

2. Review defenses and the strength of technical controls.

3. Review security policies and user training, and assess how those align with compliance and operational goals.

4. Develop quantitative results; insurers do not need qualitative analysis.

Page 38: Privacy, Risk and Regulations - Scope, Rights, Penalties


Cyber Liability Risks

1st & 3rd Party Liability

You may be liable for costs incurred by customers and other third parties as a result of a cyber attack or other IT-related incident.

System Recovery

Repairing or replacing computer systems or lost data can result in significant costs. In addition, your company may not be able to remain operational while your system is down, resulting in further losses.

Notification Expenses

In 48 states, if your business stores customer data, you’re required to notify customers if a data breach has occurred or is even just suspected. This can be quite costly, especially if you have a large number of customers.

Regulatory Fines

Several federal and state regulations require businesses and organizations to protect consumer data. If a data breach results from your business’s failure to meet compliance requirements, you may incur substantial fines.

Class Action Lawsuits

Large-scale data breaches have led to class action lawsuits filed on behalf of customers whose data and privacy were compromised.

Page 39: Privacy, Risk and Regulations - Scope, Rights, Penalties


Cost vs. Risk Assessment

Threat × Vulnerability = Risk

Cost of Implementing Controls – Cost of not Implementing Controls = Cost

One risk that law firms must anticipate involves security breaches. There are three major categories of reported data loss breaches involving lawyers and law firms: (1) disposal of client records, (2) mobile device theft or loss, and (3) misuse of firm systems and security protocols.

Other Risks – physical security, password management, lack of encryption, lax policies, inadequate training, or the inattention of system users.

Page 40: Privacy, Risk and Regulations - Scope, Rights, Penalties


Tort of Negligence - Reasonable Care

The Hand Test

Judge Learned Hand described the “calculus of negligence”, or the Hand Test (a classic example of a balancing test), in United States v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947).

Judge Hand's formula (B, P, L: Burden, Probability, Loss), also expressed as C > GL (cost is greater than gravity of loss):

If (Burden < Cost of Injury × Probability of occurrence) then the accused will not have met the standard of care required.

If (Burden ≥ Cost of Injury × Probability of occurrence) then the accused may have met the standard of care.

Risk = Threat × Vulnerability × Impact
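The Hand calculus and the Risk = Threat × Vulnerability × Impact formula above, applied to a register of candidate cyber controls, as an added Python example that is not part of the original slides; every control name, cost and probability in it is constructed for illustration, and the "avoided loss" treatment of P × L is the marginal reading a risk analyst would apply to a single precaution.

```python
"""Hand-test decision model for cyber controls.

Added worked example; it is not part of the original slides. Every
control, cost and probability below is constructed for illustration.
B < P x L  => omitting the precaution fails the standard of care.
Risk = Threat x Vulnerability x Impact (expected annual loss).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    burden: float                   # B: annual cost of the precaution
    threat: float                   # probability of an attempt per year, 0..1
    vulnerability: float            # P(attempt succeeds) without the control, 0..1
    residual_vulnerability: float   # P(attempt succeeds) with the control, 0..1
    impact: float                   # L: loss (gravity of harm) if the attempt succeeds


def expected_loss(threat, vulnerability, impact):
    """Risk = Threat x Vulnerability x Impact, validated so a typo in a
    probability cannot silently inflate or deflate the result."""
    for p in (threat, vulnerability):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    if impact < 0:
        raise ValueError(f"impact must be non-negative: {impact}")
    return threat * vulnerability * impact


def hand_test(burden, probability, loss):
    """Return True when B < P x L, i.e. a party that omits this precaution
    will not have met the standard of care."""
    return burden < probability * loss


def assess(control):
    """Compare the control's burden with the loss it is expected to avoid."""
    before = expected_loss(control.threat, control.vulnerability, control.impact)
    after = expected_loss(control.threat, control.residual_vulnerability, control.impact)
    avoided = before - after
    return {
        "control": control.name,
        "burden": control.burden,
        "risk_before": before,
        "risk_after": after,
        "avoided_loss": avoided,
        # "cost of implementing" minus "cost of not implementing", per the slide
        "net_cost": control.burden - avoided,
        # Hand test on the marginal loss the precaution would prevent
        "required_by_hand_test": control.burden < avoided,
    }


def prioritize(controls):
    """Assessments ordered by net benefit (avoided loss minus burden), so the
    controls a reasonable party would fund first come first."""
    return sorted((assess(c) for c in controls),
                  key=lambda r: r["avoided_loss"] - r["burden"], reverse=True)


def recommended(controls):
    """Names of the controls the Hand test says must be implemented."""
    return [r["control"] for r in prioritize(controls) if r["required_by_hand_test"]]


# Constructed sample register (hypothetical figures, not from any real assessment).
SAMPLE_CONTROLS = (
    Control("MFA on remote access", burden=15_000, threat=0.9,
            vulnerability=0.30, residual_vulnerability=0.03, impact=500_000),
    Control("Encrypt backups", burden=8_000, threat=0.2,
            vulnerability=0.50, residual_vulnerability=0.05, impact=200_000),
    Control("Biometric door locks", burden=60_000, threat=0.05,
            vulnerability=0.40, residual_vulnerability=0.10, impact=100_000),
)

if __name__ == "__main__":
    for row in prioritize(SAMPLE_CONTROLS):
        verdict = "implement" if row["required_by_hand_test"] else "may defer"
        print(f"{row['control']:<22} B={row['burden']:>8,.0f}  "
              f"avoided={row['avoided_loss']:>10,.0f}  {verdict}")
```

The quantitative table this produces is the kind of output slide 37 asks for ("insurers do not need qualitative analysis"); the figures only mean anything once the probabilities come from your own incident history or threat data.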

Page 41: Privacy, Risk and Regulations - Scope, Rights, Penalties


Privacy & Security – Common Requirements

Category / Requirement Commonalities

Organization: Includes requirements to establish management accountability and responsibility for privacy and the specific organizational roles and responsibilities for legal entities and/or individuals. The category also includes obligations to train employees, define, document and communicate privacy policies and procedures and notify, register, and/or file processing activities with local DPAs.

Notice: Includes requirements to notify and disclose to data subjects details of the organization’s data privacy practices including how data subjects’ information is protected and the purposes for which their personal information is collected, used and disclosed. Such requirements include the presentation of privacy notice prior to the collection of personal information as well as those surrounding the form and content of such notice.

Choice: Includes requirements to obtain consent from data subjects or to otherwise provide choice, for the use of personal information for primary or secondary purposes. Such requirements include those surrounding the form and content of the consent provided by the data subject, consent revocation procedures as well as opt-out and opt-in process management.

Access: Includes requirements to permit data subjects’ access to personal information that the organization may have about them. Closely tied to these requirements are the data subject’s right to amend incorrect details and to reasonably request the deletion of unauthorized, unnecessary or inaccurate information subject to certain exceptions. Such requirements include the rights of data subjects to request, obtain, rectify, update and, when applicable, suppress or keep confidential their information.

Security for Privacy: Includes requirements to provide administrative, technical and/or physical security controls to prevent unauthorized or accidental loss, corruption or disclosure of personal information related to data subjects. Such requirements include those surrounding the development and implementation of written information security policies and procedures as well as implementation of physical and electronic access controls, transmission controls, monitoring controls, availability controls and third-party controls.

Transfer: Includes data protection requirements for the transfer of personal information to third parties or to other countries. Such requirements include the identification of current data transfers, the security of the transfer, compliance with local registration requirements, and documented business need for the transfer of personal data.

Data Integrity: Includes requirements that relate to the quality of information the organization has about its data subjects. Such requirements include those related to the organization’s efforts to confirm that personal information collected, used or disclosed by or on behalf of an organization is relevant, accurate, complete, and up-to-date.

Information Mgt: Includes data protection requirements on the collection, use, storage and destruction of personal information. Such requirements include those surrounding the manner in and purpose for which data is obtained, the retention period of such data, the use of such data as it relates to the purpose for which it was obtained or the manner in which such data is deleted, made anonymous or returned.

Breach Notification: Includes requirements which provide specific notification procedures in the event of a privacy/security breach. Includes those surrounding breach assessment and the need for notification as well as timing, form, content and distribution of the notification.

Page 42: Privacy, Risk and Regulations - Scope, Rights, Penalties


Cyber Insurance and Risk

1. Determining what costs, expenses and incidents need coverage.

2. Identifying your organizational ‘first-party’ costs and the costs that others may claim against you following an incident.

3. Identifying ‘third-party costs’ is crucial to ensure that your coverage tower is suitable. Develop and deploy a “holistic cybersecurity program” incorporating cyber risk management, technology, cybersecurity practices and incident response plans, awareness and training, self-assessment and vendor testing.

4. Create a Business Impact Assessment to compare the anticipated data breach costs with the limits of liability available and the associated costs. The costs of responding to a data breach can be substantial and often prohibitive.

Page 43: Privacy, Risk and Regulations - Scope, Rights, Penalties


Cyber Insurance and Risk

5. The Incident Response Plan must include key requirements, including notification requirements and other stipulations.

6. Establish an Insider Threat Program - insider threats are critical because the perpetrators are authorized to access systems and sensitive data. Some insider threats are malicious; others are caused by misuse of equipment or failure to comply with established security protocols.

7. Establish Policies and Procedures outlining best practices for security internally while demonstrating to your vendors and clients that your entity takes security seriously. Identified industry-standard policies and procedures include roadmaps (sector-specific or NIST 800-53 rev 4) or best practice (e.g., SANS Critical Controls, ISO 27000 series).

Page 44: Privacy, Risk and Regulations - Scope, Rights, Penalties


Cyber Insurance and Risk

8. Establish, develop and deploy an Awareness Program: train your entity on the types of cyber threats that are targeting the organization. Develop a security-minded culture: less ‘shock and awe’ and more reinforcement of the best practices and guidelines outlined in the policies and procedures.

9. Asset Management: asset management often gets left behind. A simple inventory, even a spreadsheet, of individuals and their assigned corporate devices and software licenses serves both security and human resources: the IT department updates software as needed, and the HR department expedites the termination or resignation process by rapidly identifying what needs to be collected from the employee.

10. Drills, “Table Top” exercises, phishing assessment and training. Phishing exercises help users to spot suspicious emails and train users to inform IT through the appropriate mechanisms in the event of a phishing email.

11. Risk Management: each business unit should identify the key business, legal, and brand risks to their systems or operations.

Page 45: Privacy, Risk and Regulations - Scope, Rights, Penalties


Cyber Insurance and Risk

12. Identify external resources and talent: dedicate security personnel to handle onsite incidents and coordinate all parties internal and external to the organization.

13. Annual Penetration Testing - pentests reveal weaknesses and attack vectors. Pen testing alone should not be the main method of security testing.

14. Auditing - monitor systems, servers and workstations throughout the security lifecycle to understand the security risk, the types of threats targeting you, the types of applications and software operating, and the connections internally and externally on your network.

Page 46: Privacy, Risk and Regulations - Scope, Rights, Penalties


Risk Profile

Source: NIST Impact areas

Page 47: Privacy, Risk and Regulations - Scope, Rights, Penalties


Risk Appetite – Costs of a Data Breach

Page 48: Privacy, Risk and Regulations - Scope, Rights, Penalties


What Do Underwriters Value in Assessing Cyber Risk?

Page 49: Privacy, Risk and Regulations - Scope, Rights, Penalties


What Do Insurers Ask About in Their Applications?

Sourced from: Travelers CyberRisk Coverage Application

Does the Applicant have a formal program in place to test or audit network security controls?

How often are internal audits performed?

How often are outside/third party audits performed?

Does the Applicant use firewall technology?

Does the Applicant use anti-virus software?

Is anti-virus software installed on all of the Applicant’s computer systems, including laptops, personal computers, and networks?

Does the Applicant use intrusion detection software to detect unauthorized access to internal networks and computer systems?

Page 50: Privacy, Risk and Regulations - Scope, Rights, Penalties


What Do Insurers Ask About in Their Applications?

Sourced from: Travelers CyberRisk Coverage Application

Is it the Applicant’s policy to upgrade all security software as new releases or improvements become available?

Is a multi-factor authentication process (multiple security measures used to reliably authenticate/verify the identity of a customer or other authorized user) or a layered security approach required to access secure areas of Applicant’s website? Please describe authentication/verification methods used.

Is all valuable/sensitive data backed-up by the Applicant on a daily basis?

o If No, please describe exceptions:

Page 51: Privacy, Risk and Regulations - Scope, Rights, Penalties


What Do Insurers Ask About in Their Applications?

Sourced from: Travelers CyberRisk Coverage Application

Does the Applicant conduct training regarding security issues and procedures for employees that utilize computer systems?

Does the Applicant publish and distribute written computer and information systems policies and procedures to its employees?

Does the Applicant terminate all associated computer access and user accounts as part of the regular exit process when an employee leaves the company?

Does the Applicant have a formal documented procedure in place regarding the creation and periodic updating of passwords used by employees or customers?

Page 52: Privacy, Risk and Regulations - Scope, Rights, Penalties


American Tooling Center Inc. v. Travelers Casualty and Surety Company of America

• The vice president received emails purportedly from the vendor instructing ATC to send payment for several legitimate outstanding invoices to a new bank account, according to the ruling.

• Without verifying the new banking instructions, ATC wire-transferred about $800,000 to a bank account that was not, in fact, controlled by the vendor.

• The Judge granted Summary Judgment for Travelers since:

• There was no infiltration or ‘hacking’ of ATC’s computer system;

• The emails themselves did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.

Page 53: Privacy, Risk and Regulations - Scope, Rights, Penalties


Cyber Insurance Claim Denial

A Rhode Island law firm has filed a lawsuit against its insurer over coverage for a ransomware attack that locked down the firm’s computer files for three months. Moses Afonso Ryan, a 10-lawyer law firm in Providence, says it paid $25,000 in ransom, but the amount is far less than its lost billings. A review of records for the same three months last year shows the firm had more than $700,000 in billings during the time period. It claims that Sentinel Insurance Co. is responsible for the loss under policy coverage for lost income.

Moses Afonso Ryan’s computers became infected with the ransomware virus last year as a result of a lawyer clicking on an email attachment. The virus disabled the firm’s computer network, along with all of the documents and information on the network. As a result, lawyers and staffers “were rendered essentially unproductive,” according to the suit.

Sentinel denies an unjustified refusal to provide coverage under the law firm’s business owner’s policy. Sentinel says it has paid the law firm the policy maximum of $20,000 for losses caused by computer viruses, which are covered under a computers and media endorsement. The insurer says it has no legal obligation to cover other ransomware losses. The policy coverage for lost business income applies only when there is physical loss or damage to property at the business premises.

Moses Afonso Ryan LTD v. Sentinel Insurance Company (1:17-cv-00157), Rhode Island District Court, Filed: 04/21/2017

Page 54: Privacy, Risk and Regulations - Scope, Rights, Penalties


SONY Revisited

• Relying on a general property insurance policy for cyber-attack coverage is risky

• Directors should not rely on a Commercial General Liability policy to cover a data breach

• Sony breach - Zurich American stated in court papers that, as a result, Sony was the defendant in over 50 class action lawsuits.

• The Sony policy required the policyholder (Sony) to perpetrate or commit the act of publication of the personal information; the judge stated, “Paragraph E (oral or written publication in any manner of the material that violates a person’s right to privacy) requires some kind of act or conduct by the policyholder in order for coverage to present.”

• This decision highlights the hazards of relying on traditional CGL coverage policies for potential data breach coverage. See Zurich American Insurance Co. v. Sony Corp. of America, et al. (Supreme Court, State of New York 651982/2011)

Page 55: Privacy, Risk and Regulations - Scope, Rights, Penalties


Supervision & Associations – The New Legal Model

Duty to Supervise - Rule 5.1

This duty can be met through association with outside attorney, outside vendor, subordinate attorney or even the client.

• Attorney must maintain overall responsibility for and remain engaged in the work of the expert;

• The attorney must educate everyone involved about:

• The legal issues in the case;

• The factual matters impacting discovery, witnesses and key evidentiary issues;

• The obligations around discovery imposed by law or the court;

• Any risks associated with the case tasks at hand.

Page 56: Privacy, Risk and Regulations - Scope, Rights, Penalties


Supervision & Associations – Sharing Confidential Information

Rule 5.3: Responsibilities Regarding Non-lawyer Assistant

A lawyer’s duties when sharing information with non-lawyers outside the lawyer’s own firm

With respect to a non-lawyer employed or retained by or associated with a lawyer:

(a) a partner, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person's conduct is compatible with the professional obligations of the lawyer;

see Rule 5.3, Comments [3]-[4].

Page 57: Privacy, Risk and Regulations - Scope, Rights, Penalties


Law Firms and Associations – Responsibilities Regarding Nonlawyer Assistance

Rule 5.3: Responsibilities Regarding Nonlawyer Assistant

A lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm (Comments [3]-[4])

Nonlawyers Outside the Firm

[3] A lawyer may use nonlawyers outside the firm to assist the lawyer in rendering legal services to the client. Examples include the retention of an investigative or paraprofessional service, hiring a document management company to create and maintain a database for complex litigation, sending client documents to a third party for printing or scanning, and using an Internet-based service to store client information. When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations. The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality. See also Rules 1.1 (competence), 1.2 (allocation of authority), 1.4 (communication with client), 1.6 (confidentiality), 5.4(a) (professional independence of the lawyer), and 5.5(a) (unauthorized practice of law). When retaining or directing a nonlawyer outside the firm, a lawyer should communicate directions appropriate under the circumstances to give reasonable assurance that the nonlawyer's conduct is compatible with the professional obligations of the lawyer.

[4] Where the client directs the selection of a particular nonlawyer service provider outside the firm, the lawyer ordinarily should agree with the client concerning the allocation of responsibility for monitoring as between the client and the lawyer.

Page 58: Privacy, Risk and Regulations - Scope, Rights, Penalties


Technical Competence – Protection of Confidentiality of Information

Competence and the Technological Issues Associated With Hiring Service Providers

Many lawyers and clients partner with service providers to assist with legal support and litigation. An attorney is responsible for the conduct of a service provider or non-lawyer working under their supervision.[7] Accordingly, an attorney should ensure that a service provider they retain to assist with the discovery of ESI is competent to undertake the tasks assigned, and should ensure compliance with the attorney's other ethical obligations, such as protection of confidential client data[8] and adversaries' data.[9] The tools used by service providers vary significantly in their functionality, sophistication, and cost.

[7] See MRPC 5.3.

[8] See MRPC 1.6.

[9] See MRPC 3.4.

Page 59: Privacy, Risk and Regulations - Scope, Rights, Penalties


Technical Competence: Co-Counsel, Consultants & Experts

To be competent in working with co-counsel and consultants:

• Understand the responsibility of co-counsel and consultants/experts;

• Understand the technological experience of co-counsel and experts;

• Confirm that client data is being stored and transmitted securely;

• Confirm that confidentiality protections are being maintained;

• Ensure that confidentiality agreements and protective orders are implemented and followed;

• Keep well-informed of the discovery process and supervise decisions;

• Understand, at least generally, any technology that is the focus of an expert's opinion or advice.

Page 60: Privacy, Risk and Regulations - Scope, Rights, Penalties


Regulatory – ABA opinions fail to discuss regulatory requirements

The Alphabet Soup of Regulations & Regulatory Entities

• FTC – Federal Trade Commission

• SEC – Securities and Exchange Commission

• FCRA – Fair Credit Reporting Act

• Myriad of State Online Privacy Acts (COPPA)

• International Regulation

• Canada – PIPEDA (Personal Information Protection and Electronic Documents Act)

• British Columbia – FOIPA (Freedom of Information and Privacy Act)

• European Union – Data Protection Directive

• European Union - GDPR

• Consumer Financial Protection Bureau - CFPB Bulletin 2012-03

• As codified under the Dodd-Frank Wall Street Reform Act – requires thorough due diligence to verify compliance with Federal consumer financial law;

Page 61: Privacy, Risk and Regulations - Scope, Rights, Penalties


Regulations Affecting Legal Entities

HIPAA (applies to covered entities and business associates)

• Administrative Safeguards (164.308)

  • Security Management Process

  • Assigned Responsibility

  • Workforce Security

  • Information Access Management

• Physical Safeguards (164.310)

  • Facility Access

  • Workstation Use

  • Workstation Security

  • Device & Media Controls

• Technical Safeguards (164.308)

  • Access Controls

  • Audit Controls

  • Integrity

  • Personal Authentication

  • Transmission Security

Page 62: Privacy, Risk and Regulations - Scope, Rights, Penalties


Avoiding FTC Actions - 2015

FTC published data security guidance titled Start With Security: A Guide for Business.

1. Use firewalls between networks;

2. Encrypt stored credit card information;

3. Use industry standard password complexity;

4. Employ reasonable measures to detect and prevent unauthorized access;

5. Implement security updates on a timely basis;

6. Follow incident response procedures;

7. Adequately restrict vendor access; and

8. Fix existing security issues.

Page 63: Privacy, Risk and Regulations - Scope, Rights, Penalties


Avoiding FTC Actions - 2015

FTC enforcement actions include the failure to:

1. Perform risk assessments;

2. Conduct regular testing and monitoring of privacy controls;

3. Conduct regular reviews of privacy statements/notices for correlation to actual practices and disclosures;

4. Obtain user consent with respect to new data or products;

5. Require strong user credentials and password policies and procedures;

6. Segment servers and limit employee access to PII;

7. Implement reasonable data storage policies and procedures;

8. Encrypt data in transit and at rest;

Page 64: Privacy, Risk and Regulations - Scope, Rights, Penalties


Avoiding FTC Actions - 2015

FTC enforcement actions include the failure to:

9. Implement policies and procedures for data retention, destruction and disposal;

10. Implement controls and security reviews for new software and products;

11. Require and implement contractual requirements for service providers;

12. Reasonably oversee service providers;

13. Perform cybersecurity audits;

14. Assess network vulnerabilities;

15. Evaluate the risk of third party access;

16. Implement reasonable measures to assess and enforce compliance with policies and procedures; and

17. Implement policies and procedures for the prevention and detection of unauthorized access.

Page 65: Privacy, Risk and Regulations - Scope, Rights, Penalties


Industry-Specific Rules and Guidance

Minimal Standard of Care Government Resources

KY Bar ethics resource - https://www.kybar.org/?page=EthicsHotline

Ruth Baxter Lawyers Mutual - http://www.lmick.com/component/contact/contact/16-general/2-ruth-h-baxter

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf

https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf

https://www.sec.gov/rules/final/2013/34-69359.pdf

http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf

https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf

http://www.sec.gov/investment/im-guidance-2015-02.pdf

http://transition.fcc.gov/pshs/advisory/csric4/CSRIC_WG4_Report_Final_March_18_2015.pdf

http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db0520/DA-15-603A1.pdf

Page 66: Privacy, Risk and Regulations - Scope, Rights, Penalties


EU General Data Protection Regulations

The GDPR

Page 67: Privacy, Risk and Regulations - Scope, Rights, Penalties


What About the 800lb Gorilla - GDPR

General Data Protection Regulation (EU GDPR): requires private or government entities to notify individuals of security breaches of information involving PII. Breach notification laws, the GDPR included, generally address:

• definitions of PII (e.g., name combined with SSN, driver's license or state ID, account numbers, etc.; the GDPR uses the broader term "personal data", and the examples here are typical of U.S. state statutes);

• what constitutes a breach (e.g., unauthorized acquisition of data; the GDPR definition in Article 4(12) also covers accidental or unlawful destruction, loss, alteration or disclosure);

• requirements for notice (e.g., timing or method of notice, who must be notified); and

• exemptions (e.g., for encrypted information).

Security breach notification laws also typically have provisions regarding who must comply with the law:

• businesses, data/information brokers, government entities and vendors.

Page 68

GDPR, DPA, CaCPA & Beyond

"Consumers deserve clear answers and standards on data privacy protection," - Sen. John Thune

Topics of the September 26, 2018 Senate Commerce Committee hearing on consumer data privacy:

• Federal privacy law - preemption rather than a patchwork of different state privacy laws;

• FTC as regulator for a federal privacy law;

• Protecting consumer privacy;

• Establishing clear standards regarding the responsible use of data; and

• Key principles that should be included in any federal privacy law.

Witnesses:

• Global Public Policy, AT&T Inc.
• Associate General Counsel, Amazon.com, Inc.
• Chief Privacy Officer, Google LLC
• Global Data Protection Officer and Associate Legal Director, Twitter, Inc.
• Software Technology, Apple Inc.
• Policy & External Affairs, Charter Communications, Inc.

Page 69

54 Breach Notification Laws – April 2018

With last month's passage of the Alabama Data Breach Notification Act of 2018 (SB 318), all 50 states (plus the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, hence 54 laws) will have laws requiring companies to notify individuals when their personal information is exposed as a result of a data breach.

It took 15 years from the first data breach notification law, passed in California in 2003 (SB 1386, effective July 1, 2003).

The Ohio Data Protection Act did not remove or modify any of the existing statutory notice obligations upon discovery of a breach event (Ohio Rev. Code § 1349.19).

Instead, Ohio businesses are entitled to a "legal safe harbor" that may be pled as an affirmative defense to tort claims related to a data breach.

Page 70

“Internet” Bill of Rights - Rep. Ro Khanna (D-Calif.)

You should have the right:

1. to have access to and knowledge of all collection and uses of personal data by companies;

2. to opt-in consent to the collection of personal data by any party and to the sharing of personal data with a third party;

3. where context is appropriate and with a fair process, to obtain, correct or delete personal data controlled by any company and to have those requests honored by third parties;

4. to have personal data secured and to be notified in a timely manner when a security breach or unauthorized access of personal data is discovered;

5. to move all personal data from one network to the next;

6. to access and use the Internet without Internet service providers blocking, throttling, engaging in paid prioritization or otherwise unfairly favoring content, applications, services or devices;

7. to Internet service without the collection of data that is unnecessary for providing the requested service absent opt-in consent;

8. to have access to multiple viable, affordable Internet platforms, services and providers with clear and transparent pricing;

9. not to be unfairly discriminated against or exploited based on your personal data; and

10. to have an entity that collects your personal data have reasonable business practices and accountability to protect your privacy.

Page 71

The GDPR, CaCPA & Ohio DPA

GDPR: General Data Protection Regulation, Regulation (EU) 2016/679.

CaCPA: California Consumer Privacy Act of 2018, AB 375 as amended by SB 1121; Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the California Civil Code, with the operative-date provision at Section 1798.198.

GDPR: As a 'Regulation' it is directly applicable and has consistent effect in all Member States, although 50+ areas covered by the GDPR allow Member States to legislate differently in their own domestic data protection laws. It reinforces and expands individuals' privacy rights.

GDPR has extra-territorial effect. An organization not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.

WHO IS PROTECTED?

GDPR: Any data subject in the EU. Article 3(2) refers to data subjects "who are in the Union", so neither EU residency nor citizenship is the test. A data subject is any person whose personal data is being collected, held or processed. The regulation protects the rights and interests of individuals.

CaCPA: Uses the term "consumer" rather than "data subject." A consumer is a natural person who is a California resident: every individual who is in the State for any reason other than a temporary or transitory purpose, and every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.

Page 72

The GDPR, CaCPA & Ohio DPA

DEFINITION OF PERSONAL INFORMATION

GDPR: "Personal data" means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1)).

GDPR special categories of data (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

CaCPA: Contains a broader definition of "personal information" that also covers information pertaining to households and devices: any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Includes: a consumer's name (first and last); postal address; e-mail address; social security number; identification card number; biometric data; internet activity; and geolocation.

Unique identifier or unique personal identifier: information that can be used to recognize a consumer, family, or device, such as an IP address; cookies, beacons, pixel tags and mobile ad identifiers; customer numbers; and telephone numbers.

"Personal information" does not include publicly available information. For these purposes, "publicly available" means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. "Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge. Information is not "publicly available" if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. "Publicly available" does not include consumer information that is deidentified or aggregate consumer information.

"Pseudonymize" or "pseudonymization" means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer. (This tracks GDPR Article 4(5) almost word for word.)

Page 73

The GDPR, CaCPA & Ohio DPA

WHO NEEDS TO COMPLY?

GDPR: Data controllers and processors established in the EU, and organizations outside the EU that process personal data of data subjects in the EU under the Article 3(2) tests (offering goods or services, or monitoring behaviour).

CaCPA: For-profit businesses doing business in California that meet any one of three thresholds: annual gross revenue above $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50 percent or more of annual revenue from selling consumers' personal information.

PROCESSING THE DATA OF MINORS

GDPR (Article 8): Where consent is the lawful basis for offering information society services directly to a child, the processing is lawful only where the child is at least 16 years old. When the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. Member States may provide by law a lower age of consent, provided that such lower age is not below 13 years.

CaCPA: Businesses are prohibited from selling the personal information of consumers who the businesses know are under 16 years old unless they have opt-in consent: from the consumer if aged 13 to 16, or from a parent or guardian if under 13.

INDIVIDUAL RIGHTS

GDPR (Articles 12-22):
• Right to be informed
• Right of access
• Right to rectification
• Right to withdraw consent (Article 7(3))
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to object
• Right to data portability
• Rights in relation to automated decision-making and profiling

CaCPA:
• Right to know what data a business collects on you.
• Right to say no to the sale of your information.
• Right to delete your data.
• Right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection.
• Right to know the categories of third parties with whom your data is shared.
• Right to know the categories of sources of information from whom your data was acquired.
• Right to know the business or commercial purpose of collecting your information.

Page 74

The GDPR, CaCPA & Ohio DPA

DATA SUBJECT REQUESTS

GDPR: Organizations must respond without undue delay and in any event within one month of receipt (Article 12(3)), either by providing the data requested, asking for further documentation proving the data subject's identity, or explaining why the data cannot be provided. The period may be extended by two further months for complex or numerous requests, provided the data subject is told of the extension within the first month.

CaCPA: Responses to requests for data access, deletion and portability must be made within 45 days; the period may be extended once by a further 45 days where reasonably necessary, with notice to the consumer within the first 45 days. Organizations must verify the identity and authorization of persons who make requests for data access, deletion, or portability. The bill also requires at least two methods for consumers to submit requests, including at a minimum: 1) a toll-free telephone number, and 2) a website address or form if the business maintains a website. Organizations must also refrain from asking a consumer who has opted out of the sale of personal information to opt back in for 12 months.

PENALTIES

CaCPA private right of action (Section 1798.150): Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action to recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, plus injunctive or declaratory relief.

GDPR: Enforced by EU Member State supervisory authorities (DPAs). Administrative fines under Article 83 reach up to 10 million euros or 2% of worldwide annual turnover of the preceding financial year for the lower tier of infringements, and up to 20 million euros or 4% for the upper tier, in each case whichever is higher.

CaCPA: Enforced by the California Attorney General. Civil penalties are up to $2,500 per violation, or up to $7,500 per intentional violation, assessed where a business fails to cure an alleged violation within 30 days after being notified of noncompliance.

EFFECTIVE DATES

GDPR: 25 May 2018.

CaCPA: January 1, 2020. Amendments passed as SB 1121 on Aug. 31 and signed into law by Gov. Brown on Sept. 23 extend the time for the California Attorney General (CaAG) to promulgate regulations to July 1, 2020; no enforcement actions may be taken by the Attorney General until the earlier of six months after final regulations are adopted or July 1, 2020.

To comply with the 12-month look-back for consumer requests as of the law's effective date, businesses will need to start data mapping and record keeping of personal information as of Jan. 1, 2019.

Page 75

Data Protection Act 2018 - UK

The UK's third generation of data protection law received Royal Assent on 23 May 2018 and its main provisions commenced on 25 May 2018. The new Act aims to modernize data protection law to ensure it is effective in the years to come.

What is the difference between the DPA 2018 and the GDPR?

The GDPR has direct effect across all EU member states and has already been passed. This means organizations still have to comply with the regulation and must look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DPA 2018 is the detail of those UK-specific provisions. It is therefore important that the GDPR and the DPA 2018 are read side by side.

Page 76

Data Protection Act 2018 - UK

What else does the DPA 2018 cover?

• The DPA 2018 has a part dealing with processing that does not fall within EU law, for example where it is related to immigration. It applies GDPR standards but has been amended to adjust those that would not work in the national context.

• It also has a part that transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. The Directive complements the GDPR, and Part 3 of the DPA 2018 sets out the requirements for the processing of personal data for criminal "law enforcement purposes". The ICO has produced a detailed Guide to Law Enforcement Processing in addition to a helpful 12-step guide for quick reference.

• National security is also outside the scope of EU law. The Government has decided that it is important that the intelligence services are required to comply with internationally recognised data protection standards, so there are provisions (Part 4) based on Council of Europe Data Protection Convention 108 that apply to them.

• There are also separate parts covering the ICO's duties, functions and powers plus the enforcement provisions. The Data Protection Act 1998 is repealed, so the Act makes the changes necessary to deal with the interaction between FOIA/EIR and the DPA.

Page 77

The Ohio DPA – A "Legal Safe Harbor"

Effective November 2, 2018, Ohio SB 220 provides a "legal safe harbor" from tort claims related to a data breach to entities that have implemented and comply with specified cybersecurity frameworks. Ohio Rev. Code §§ 1354.01-.05.

The program must be designed to "proactively" protect the security and confidentiality of information, protect against any anticipated threats or hazards to the security or integrity of information, and protect against unauthorized access to or acquisition of information that is likely to result in a material risk of identity theft or other fraud.

Showing that the covered entity obtained a certification from a third-party auditor of compliance with a framework/standard at some point in time may not be sufficient to meet a defendant's burden of proof; the defense turns on a program that was designed, implemented and maintained, not on a point-in-time attestation.

Thank you to Carol Furnish - NKU Chase College of Law Library

Page 78

The Ohio DPA – A “Legal Safe Harbor”


SB 220 provides covered entities with an affirmative defense to any tort action (e.g., negligence, invasion of privacy, etc.) brought under Ohio law (or in an Ohio court) that alleges a breached entity failed to implement reasonable information security controls - Ohio Rev. Code § 1354.02(D)(1).

Eligibility for the safe harbor under § 1354.02(B) requires an Ohio entity to establish that it designed, implemented, and maintained its cybersecurity program to:

• protect the security and confidentiality of the information;

• protect against any anticipated threats or hazards to the security or integrity of the information; and

• protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

The scale and scope of the program are judged against the entity's size and complexity, the nature and scope of its activities, the sensitivity of the information, the cost and availability of tools to improve security, and the resources available to the entity (§ 1354.02(C)), so the risk assessment that sets those parameters should be documented.

Page 79

The Ohio DPA – A “Legal Safe Harbor”


§ 1354.03(A)(1) - Non-regulated entities (i.e., those whose security is not regulated by the state or federal government) are required to implement a security program that "reasonably conforms" to one of the following:

• one of the National Institute of Standards and Technology frameworks/publications (the Cybersecurity Framework, SP 800-171, or SP 800-53 and 800-53A);

• the Federal Risk and Authorization Management Program (FedRAMP) security assessment framework;

• the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or

• the ISO/IEC 27000 family - information security management systems.

§ 1354.03(B)(1) - Regulated entities (those whose security is regulated by the state or federal government) are required to implement a security program that reasonably conforms to, as applicable, the:

• Health Insurance Portability and Accountability Act's security requirements;

• Gramm-Leach-Bliley Act of 1999;

• Federal Information Security Modernization Act of 2014; or

• Health Information Technology for Economic and Clinical Health Act.

§ 1354.03(C) adds a third path for entities subject to the Payment Card Industry Data Security Standard: current PCI DSS compliance in combination with one of the § 1354.03(A) frameworks. Under § 1354.03(A)(2), when a chosen framework is revised the program must reasonably conform to the revision within one year of its publication, so the defense depends on keeping pace with the framework rather than on a one-time adoption.

Page 80

The Ohio DPA – A “Legal Safe Harbor”


An entity that wishes to take advantage of the safe harbor should consider the following steps:

• Gain an understanding of the information in its possession (what is collected; how it is collected, stored, and shared) in order to ascertain the necessary scope of its security program;

• Determine if the entity is subject to any statutory and/or regulatory information security control requirements, and its current compliance status with respect to those requirements;

• If the entity is not adhering to one of the articulated standards, identify an appropriate standard to adopt in developing the program, and then identify any gaps the entity has;

• Design a cybersecurity program that adheres to the applicable standard, and to the extent that such a program necessarily involves a risk-based approach, document the entity's risk assessment and decision-making process in order to help prove at a later date that its program is within SB 220's safe harbor; and

• Implement the program and maintain it over time, including conducting ongoing risk assessments and updating security measures to the extent mandated by applicable security standards.

Page 81

Data Breach Reporting Requirements

Statutes compared:

• GDPR, Regulation (EU) 2016/679, Arts. 33-34; effective May 25, 2018. The controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach (Art. 33), and must notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34).

• Ohio Rev. Code § 1349.19; H.B. 104, amended by S.B. 126; effective February 17, 2006.

• Cal. Civ. Code § 1798.29; § 1798.80 et seq.; S.B. 1386; effective July 1, 2003.

• Ind. Code § 4-1-11 et seq.; § 24-4.9-1 et seq.; S.B. 503; effective July 1, 2006.

• KY Rev. Stat. § 365.732; H.B. 232; effective July 15, 2014.

Time after discovery of breach - action required:

10 calendar days: Puerto Rico Department of Consumer Affairs.

14 business days: Vermont AG preliminary notification.

15 business days: California residents, California AG, and California Department of Public Health must be notified of the disclosure of PHI by a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health ("CDPH").

30 calendar days: Florida residents, AG (500+ residents) (can request 15-day extension) (60 days for PHI/HIPAA incidents). Indiana AG will open an investigation if not notified within 30 days.

45 calendar days: Ohio residents; Tennessee residents (60 days for PHI/HIPAA incidents); Vermont residents, AG; Washington residents, AG (500+ residents) (60 days for PHI/HIPAA incidents); Wisconsin residents (60 days for PHI/HIPAA incidents); New Mexico residents, AG (500+ residents); Maryland residents (60 days for PHI/HIPAA incidents).

60 calendar days: Delaware (effective 4/14/18), AG (500+ residents); individuals and HHS OCR for PHI disclosure.

90 calendar days: Connecticut residents (60 days for PHI/HIPAA incidents).

Most expedient time and without unreasonable delay: AK, AZ, AR, CA (other than as noted above), CO, DE (until 4/14/18), DC, GA, HI, ID, IL, IA, KS, KY, ME, MA, MI, MN, MS, MO, MT, NV, NJ, NY, NC, ND, OK, OR, PA, PR, SC, UT, VA, WV, WY.

As soon as possible: NE, NH, TX.

Days after confirmation of breach - action required:

45 calendar days: Rhode Island residents, AG (500+ residents) (60 days for PHI/HIPAA incidents).

Note that the clocks start from different events (discovery versus confirmation), that some run in business days and others in calendar days, and that a single incident involving PHI can trigger the HIPAA 60-day rule alongside a shorter state deadline; the shortest applicable deadline governs the response plan.

Page 82

GDPR Compliance Workshop – Compliance Demonstration is Required

Article 5(2) makes the controller responsible for, and able to demonstrate, compliance (accountability). Three complementary mechanisms:

Privacy by design
• Consider privacy at the start of the process
• Account for the end-to-end data lifecycle
• Consider context
• Define and implement privacy-enhancing controls
• Right to be forgotten

PIA process (Data Protection Impact Assessment, Article 35)
• Prior to processing
• High-risk / sensitive data / systematic / large-scale processing
• Description of PI
• Assessment of PI
• Document measures

Privacy by default
• Adopt privacy-friendly settings
• No pre-checked box
• Minimum storage time
• Minimum volume
• Necessary purpose only
• Strictly necessary purposes only

Page 83

GDPR Compliance Workshop – Lawful Basis – Article 6

At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a

specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or

because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including

contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for

your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the

legitimate interests of a third party unless there is a good reason to protect the individual’s

personal data which overrides those legitimate interests. (This cannot apply if you are a public

authority processing data to perform your official tasks.)

Page 84

GDPR Compliance Workshop – Lawful Basis – Consent

• The lawful basis for your processing can also affect which rights are available to individuals.

• An individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies.

• Your lawful basis may affect how provisions relating to automated decisions and profiling apply.

• If you are relying on legitimate interests you need more detail in your privacy notice to comply with the right to be informed.

Page 85

GDPR Compliance Workshop – Nine Lawful Basis Scenarios

CONTRACT (Article 6(1)(b)) - processing is necessary for the performance of a contract.

• NEW CONTRACT: In order to complete a new contract or fulfill an existing contract, processing is necessary.

• SALES PROCESS: A potential customer's information is needed as part of the pre-contractual process.

LEGITIMATE INTEREST (Article 6(1)(f)) - processing is necessary for the legitimate interests of the organization or a third party.

• MARKET RESEARCH: The situation calls for the transfer of personal data to a third party for analysis as part of market research.

• FRAUD PREVENTION: Processing is necessary for direct marketing or fraud prevention purposes (both named in Recital 47 as possible legitimate interests).

• INTERNAL OPERATIONS: Personal data must be processed within the organization for internal operations like payroll.

LEGAL OBLIGATION (Article 6(1)(c)) - processing is necessary to comply with EU or Member State law.

• HEALTH AND SAFETY: Information reports require processing for health and safety records.

• CRIMINAL INVESTIGATION: A criminal investigation requires the processing of personal data.

• COURT ORDERS: Court orders or subpoenas require the processing of personal data.

• EMPLOYEE INFORMATION: Employee information (salary, etc.) is needed by a regulatory or government body.

Page 86

GDPR - Anonymization vs. Pseudonymization

Two distinct techniques that permit data controllers and processors to use de-identified data. The difference between the two rests on whether the data can be re-identified: anonymized data cannot be and falls outside the GDPR; pseudonymized data can be, by whoever holds the separately kept "additional information", and remains personal data.

Ultimately, the hallmark of both anonymization and pseudonymization is that the data should be nearly impossible to re-identify. This theory, however, has its practical and mathematical limits.

As a well-known study shows (Latanya Sweeney, 2000), it is possible to uniquely identify 87 percent of the U.S. population from just three data points: five-digit ZIP code, gender, and date of birth. Even though each of these data points on its own would be non-identifying, storing them together makes it possible to single out an individual. Replacing the name with a token therefore does nothing about these quasi-identifiers, and this is a major concern for data controllers that seek to anonymize or pseudonymize data.

The effectiveness (and legality) of both anonymization and pseudonymization hinge on their ability to protect data subjects from re-identification. In Recital 26, the GDPR treats pseudonymized data that could be attributed to a person by use of additional information as personal data, and its test for identifiability is whether means "reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly" exist, taking account of the cost and time of identification and the technology available.

The Health Insurance Portability and Accountability Act provides clear guidance for de-identifying data: under its Safe Harbor method, HIPAA treats data as de-identified if 18 specific identifiers are removed (the alternative is an expert determination of low re-identification risk). The removal of these same 18 elements, however, may not be enough to achieve anonymization or even pseudonymization in the EU.
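The re-identification point above (three quasi-identifiers single out most people, and tokenising the name does nothing about that) and the pseudonymization definitions on this page (GDPR Article 4(5) and the CaCPA's mirror of it) are easiest to see on data. The following Python is an added example written for this edit, not code from the presentation or from any regulator or statute it discusses. It uses a constructed set of seven fictional patient records, an assumed demo HMAC key (in practice the key lives in a separate key store, as the "additional information" the definitions require), and a generalisation step that mirrors what HIPAA Safe Harbor does to dates and ZIP codes (keep only the year and the first three ZIP digits). The k-anonymity check counts how many records share each combination of ZIP, gender and date of birth; k = 1 means that person is singled out, whatever the name column says.

```python
"""Pseudonymization vs. re-identification via quasi-identifiers (added example)."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records: fictional people, Cincinnati-area ZIP codes.
RECORDS = [
    {"name": "Alice Adams", "email": "alice@example.org", "zip": "45202", "gender": "F", "dob": "1984-03-02", "dx": "asthma"},
    {"name": "Bea Brown",   "email": "bea@example.org",   "zip": "45219", "gender": "F", "dob": "1984-11-20", "dx": "flu"},
    {"name": "Bob Baker",   "email": "bob@example.org",   "zip": "45202", "gender": "M", "dob": "1990-07-15", "dx": "flu"},
    {"name": "Dan Davis",   "email": "dan@example.org",   "zip": "45211", "gender": "M", "dob": "1990-01-09", "dx": "diabetes"},
    {"name": "Erin Evans",  "email": "erin@example.org",  "zip": "45211", "gender": "F", "dob": "1990-11-30", "dx": "asthma"},
    {"name": "Faye Fox",    "email": "faye@example.org",  "zip": "45202", "gender": "F", "dob": "1990-05-05", "dx": "flu"},
    {"name": "Gus Green",   "email": "gus@example.org",   "zip": "45202", "gender": "M", "dob": "1975-01-09", "dx": "flu"},
]
DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("zip", "gender", "dob")   # Sweeney's three fields


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed token (HMAC-SHA256 over the e-mail).

    Returns (pseudonymized rows, linkage table). The key and the linkage table are
    the "additional information" of GDPR Art. 4(5) and must be stored apart from the
    rows. A keyed MAC rather than a bare hash means an outsider cannot rebuild the
    mapping by hashing a list of likely e-mail addresses.
    """
    rows, linkage = [], {}
    for rec in records:
        token = hmac.new(key, rec["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        linkage[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rows.append({"id": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return rows, linkage


def relink(row, linkage):
    """What the holder of the linkage table can do at any time: reverse the token."""
    return linkage[row["id"]]


def equivalence_classes(rows, quasi_ids):
    """Count rows per combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)


def min_k(rows, quasi_ids):
    """k-anonymity of the table: the smallest class. k == 1 means someone is singled out."""
    classes = equivalence_classes(rows, quasi_ids)
    return min(classes.values()) if classes else 0


def generalize(row):
    """Coarsen the quasi-identifiers the way HIPAA Safe Harbor does: 3-digit ZIP, year only."""
    g = dict(row)
    g["zip"] = row["zip"][:3]
    g["dob"] = row["dob"][:4]
    return g


def enforce_k(rows, quasi_ids, k):
    """Suppress every row whose equivalence class is smaller than k."""
    classes = equivalence_classes(rows, quasi_ids)
    return [r for r in rows if classes[tuple(r[q] for q in quasi_ids)] >= k]


def main():
    key = b"demo-key-kept-in-a-separate-store"   # assumption: a real key lives in a KMS/HSM
    rows, linkage = pseudonymize(RECORDS, key)
    print("direct identifiers removed:", all("name" not in r for r in rows))
    print("min k after tokenising   :", min_k(rows, QUASI_IDENTIFIERS))        # 1: everyone singled out
    print("relink first row         :", relink(rows[0], linkage)["name"])       # key holder gets the name back
    gen = [generalize(r) for r in rows]
    print("min k after generalising :", min_k(gen, QUASI_IDENTIFIERS))         # still 1 (one lone 1975 record)
    safe = enforce_k(gen, QUASI_IDENTIFIERS, 2)
    print("rows kept / min k        :", len(safe), min_k(safe, QUASI_IDENTIFIERS))  # 6, 2


if __name__ == "__main__":
    main()
```

Run it and the tokenised table still has seven equivalence classes of size one: pseudonymization removed the names, not the identifiability. Generalising ZIP and date of birth merges six of the seven records into pairs but leaves one singleton, which is why real de-identification pipelines add suppression (or a larger k, or l-diversity on the sensitive column) after generalisation; enforce_k drops it. Whoever holds the linkage table can reverse the tokens at any time, which is precisely why Recital 26 keeps such data inside the Regulation.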

Page 87

GDPR - Anonymization v. Pseudonymization

Anonymization - Recital 26 of the GDPR places outside the Regulation "personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable."

- Anonymized data must be stripped of any identifiable information, making it impossible to derive insights on a discrete individual, even by the party that is responsible for the anonymization.

- When done properly, anonymization places the processing and storage of the data outside the scope of the GDPR.

The Article 29 Working Party (Opinion 05/2014 on Anonymisation Techniques) has made it clear, though, that true data anonymization is an extremely high bar, and data controllers often fall short of actually anonymizing data. Its three tests, whether an individual can still be singled out, whether records about the same person can be linked, and whether attributes can be inferred, are the checks to run against any dataset claimed to be anonymous.

Page 88: Privacy, Risk and Regulations - Scope, Rights, Penalties

Privacy, Risk and Regulations - Scope, Rights, Penalties and Process

across the Ohio DPA, CCPA, and GDPR

Presented by Thomas Doty, JD, LLMNuStrategies, LLC – October 11, 2018

#nkucyber11

Pseudonymization - Article 4(5) of the GDPR defines pseudonymization as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” By holding the de-identified data separately from the “additional information,” the GDPR permits data handlers to use personal data more liberally without fear of infringing the rights of data subjects. This is because the data only becomes identifiable when both elements are held together.

By rendering data pseudonymous, controllers can benefit from new, relaxed standards under the GDPR. For instance, Article 6(4)(e) permits the processing of pseudonymized data for uses beyond the purpose for which the data was originally collected. Additionally, the GDPR envisions the possibility that pseudonymization will take on an important role in demonstrating compliance under the GDPR. Both Recital 78 and Article 25 list pseudonymization as a method to show GDPR compliance with requirements such as Privacy by Design. These benefits will make the pseudonymization of personal data an attractive opportunity to simultaneously achieve GDPR compliance and expand the uses of collected data.

Ultimately, the hallmark of both anonymization and pseudonymization is that the data should be nearly impossible to re-identify. This theory, however, has its practical and mathematical limits. As a well-known study shows, it’s possible to personally identify 87 percent of the U.S. population based on just three data points: five-digit ZIP code, gender, and date of birth. So, even though each of these data points on their own would be non-identifiable, storing them together makes it possible to uniquely identify an individual. This presents a major concern for data controllers that seek to anonymize or pseudonymize data.

GDPR - Anonymization v. Pseudonymization
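The three-attribute re-identification problem described above, as an added worked example (not code from the presentation): it pseudonymizes a constructed record set with a keyed token whose key is the Article 4(5) “additional information” held separately, then measures k-anonymity on ZIP, gender and date of birth. The point it makes is that pseudonymization alone leaves every record unique on those three attributes, and only generalizing the quasi-identifiers enlarges the equivalence classes. Record values, the key and the column names are constructed for the demo.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: one direct identifier (name) and the three
# quasi-identifiers from the study cited on the slide (ZIP, gender, date of birth).
RECORDS = [
    {"name": "Alice Example", "zip": "45202", "gender": "F", "dob": "1984-03-17", "diagnosis": "A"},
    {"name": "Bea Example",   "zip": "45203", "gender": "F", "dob": "1984-09-01", "diagnosis": "B"},
    {"name": "Carl Example",  "zip": "45211", "gender": "M", "dob": "1990-11-02", "diagnosis": "A"},
    {"name": "Dan Example",   "zip": "45212", "gender": "M", "dob": "1990-02-14", "diagnosis": "C"},
    {"name": "Erin Example",  "zip": "45220", "gender": "F", "dob": "1975-06-30", "diagnosis": "B"},
    {"name": "Faye Example",  "zip": "45221", "gender": "F", "dob": "1975-01-05", "diagnosis": "C"},
]

# The Art. 4(5) "additional information": a secret key that must be stored
# apart from the pseudonymized data set (constructed value for the demo).
PSEUDONYM_KEY = b"constructed-demo-key-held-in-a-separate-store"

QUASI_IDS = ("zip", "gender", "dob")


def pseudonymize(records, key):
    """Replace the direct identifier with a keyed HMAC-SHA256 token.

    A plain hash of the name could be re-computed by anyone holding a list of
    names; a keyed token can only be produced or matched by the party holding
    the key, which is what lets the data set and the key be held separately.
    """
    out = []
    for rec in records:
        token = hmac.new(key, rec["name"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({**{k: v for k, v in rec.items() if k != "name"}, "subject_token": token})
    return out


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """How many records share each combination of quasi-identifier values."""
    return Counter(tuple(rec[q] for q in quasi_ids) for rec in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Smallest equivalence class. k == 1 means some record is unique on the
    quasi-identifiers alone and can be singled out by linking it to any other
    data set carrying the same attributes (the ZIP/gender/DOB problem)."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids=QUASI_IDS):
    """Share of records that sit alone in their equivalence class."""
    classes = equivalence_classes(records, quasi_ids)
    singletons = sum(1 for rec in records if classes[tuple(rec[q] for q in quasi_ids)] == 1)
    return singletons / len(records)


def generalize(records):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only.
    This is one common step toward anonymization; it trades precision for
    larger equivalence classes."""
    return [{**rec, "zip": rec["zip"][:3], "dob": rec["dob"][:4]} for rec in records]


if __name__ == "__main__":
    pseudo = pseudonymize(RECORDS, PSEUDONYM_KEY)
    coarse = generalize(pseudo)
    print("pseudonymized: k =", k_anonymity(pseudo), "unique share =", unique_fraction(pseudo))
    print("generalized:   k =", k_anonymity(coarse), "unique share =", unique_fraction(coarse))
```

On this constructed set the pseudonymized table still has k = 1 with every record unique, which is the situation the 87 percent figure describes; after generalization k rises to 2. In practice the k you need, and which columns count as quasi-identifiers, is a judgement the controller has to document, and the key store for the tokens must be protected as carefully as the names it replaces.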

Page 89: Privacy, Risk and Regulations - Scope, Rights, Penalties


Pseudonymization - Article 4(5) of the GDPR defines pseudonymization as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” By holding the de-identified data separately from the “additional information,” the GDPR permits data handlers to use personal data more liberally without fear of infringing the rights of data subjects. This is because the data only becomes identifiable when both elements are held together.

By rendering data pseudonymous, controllers can benefit from new, relaxed standards under the GDPR.

Article 6(4)(e) permits the processing of pseudonymized data for uses beyond the purpose for which the data was originally collected.

The GDPR envisions the possibility that pseudonymization will take on an important role in demonstrating compliance under the GDPR.

Both Recital 78 and Article 25 list pseudonymization as a method to show GDPR compliance with requirements such as Privacy by Design.

GDPR - Anonymization v. Pseudonymization

Page 90: Privacy, Risk and Regulations - Scope, Rights, Penalties


Recital 40 of the GDPR states that in order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis. That legitimate basis should be laid down by law, the law being the General Data Protection Regulation itself or other laws of the EU or its member states.

Although consent (which is not strictly the same as explicit consent, even if de facto the line can be really thin) is the best known of the legal grounds summed up in Article 6 of the GDPR on lawfulness of processing, it is not always the best path to take.

Lawfulness of Processing – Recital 40

Page 91: Privacy, Risk and Regulations - Scope, Rights, Penalties


Lawfulness of Processing – Recital 40

Page 92: Privacy, Risk and Regulations - Scope, Rights, Penalties


• The GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

• These principles should lie at the heart of your approach to processing personal data.

7 Key Principles of Processing

Page 93: Privacy, Risk and Regulations - Scope, Rights, Penalties


Map legend: In accordance with GDPR | Has proposed a derogation

7 Key Principles of Processing

Page 94: Privacy, Risk and Regulations - Scope, Rights, Penalties


Member State derogations by GDPR Article (the original slide colour-codes each cell; the colours are not preserved in this transcript)

Legend: Has proposed derogations | In accordance with GDPR

GDPR Article                     Austria*   Czech Republic   France   Germany*   Netherlands   United Kingdom
Right to Access 15
Right to Erasure 19
16 - Age of Consent
Appointment of a DPO
Fines & Penalties 20m € or 4%
Processing of Data^

* Germany and Austria enacted laws supplementing the GDPR

An organization must keep track of EU Member States’ privacy bill drafts:

(1) Determine EU Member State jurisdictions applicable to your organization’s processing activities;

(2) Identify country-specific requirements;

(3) Perform a gap analysis; and

(4) Maintain a flexible approach to compliance.

Article 30 data-mapping initiatives – Understanding Your Data: what types of personal data are collected, where the data is located, and where data subjects reside.

7 Key Principles of Processing

Page 95: Privacy, Risk and Regulations - Scope, Rights, Penalties


Art. 5 GDPR – Principles relating to processing of personal data

1. Personal data shall be:

   1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

   2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

   3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

   4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

   5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

   6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Suitable Recitals: (39) Principles of data processing

Article 5 – Processing of Personal Data

Page 96: Privacy, Risk and Regulations - Scope, Rights, Penalties


Process Planning - ADTOC

Assess → Design → Transform → Operate → Conform

Page 97: Privacy, Risk and Regulations - Scope, Rights, Penalties


Assess

Privacy requirements for the Assess phase

• Review existing privacy policies and statements and document how they compare with GDPR requirements

• Assess data subject rights to consent, use, access, correct, delete and transfer personal data

• Discover and classify personal data assets and affected systems

• Identify potential access risks

Security requirements for the Assess phase

• Assess the current state of your security policies, identifying gaps, benchmarking maturity and establishing conformance roadmaps

• Identify potential vulnerabilities, supporting security and privacy by design

• Discover and classify personal data assets and affected systems in preparation for designing security controls

Page 98: Privacy, Risk and Regulations - Scope, Rights, Penalties


Design

Privacy requirements for the Design phase

• Create a roadmap that details your GDPR remediation and implementation plan

• Design the policies, business processes and supporting technologies you’ll need to implement your plans

• Create a GDPR reference architecture

• Evaluate controller or processor governance

Security requirements for the Design phase

• Create a security remediation and implementation plan

• Create a security reference architecture

• Design technical and organizational measures (TOMs) to reduce risk, including, for example, encryption, pseudonymization, access control and monitoring

Page 99: Privacy, Risk and Regulations - Scope, Rights, Penalties


Transform

Privacy requirements for the Transform phase

• Implement and execute policies, processes and technologies

• Automate data subject access requests

Security requirements for the Transform phase

• Implement privacy-enhancing controls, including encryption, tokenization and dynamic masking, for example

• Boost protection by implementing security controls; mitigate access risks and security vulnerabilities

Page 100: Privacy, Risk and Regulations - Scope, Rights, Penalties


Operate

Privacy requirements for the Operate phase

• Manage GDPR data governance practices, including information lifecycle governance

• Manage GDPR enterprise conformance programs, including those for data use, consent activities and data subject requests

• Monitor personal data access

• Govern roles and identities

• Develop GDPR metrics and reporting schemas

Security requirements for the Operate phase

• Manage and implement security program practices, including those for risk assessment, roles and responsibilities, and program effectiveness

• Monitor security operations and intelligence to help detect, respond to and mitigate threats

• Govern incident response and forensics practices

Page 101: Privacy, Risk and Regulations - Scope, Rights, Penalties


Conform

Privacy requirements for the Conform phase

• Record personal data access audit trails, including individuals’ rights to access, modify, delete and transfer data

• Perform data processor and controller governance, including providing processor guidance, tracking data processing activities, providing audit trails and preparing for data subject access requests

• Document and manage your compliance program, including ongoing monitoring, assessment, evaluation and reporting of GDPR activities

• Respond to and manage breaches

Security requirements for the Conform phase

• Demonstrate technical and organizational measures to ensure security appropriate to processing risk

• Document your security program, including ongoing monitoring, assessment, evaluation and reporting of security controls and activities

• Respond to and manage breaches
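An added example (not the presentation's own material) of two items that run through the Operate and Conform phases above, monitoring personal data access and recording an audit trail of it: it writes constructed access-log lines into a hash-chained trail, verifies the chain, and runs a detection pass against a constructed role authorization table. The roles, data classes, user ids and log lines are all assumptions made for the demo.

```python
import hashlib
import json

# Constructed authorization table (role, action, data class): a minimal
# "govern roles and identities" rule set for the personal data classes in play.
AUTHORIZED = {
    ("support", "read", "contact"),
    ("billing", "read", "payment"),
    ("billing", "update", "payment"),
    ("dpo", "read", "contact"),
    ("dpo", "read", "payment"),
    ("dpo", "export", "contact"),
}

# Constructed application log: one JSON object per personal-data access.
SAMPLE_LOG = """
{"ts": "2018-10-11T09:00:01Z", "user": "u17", "role": "support", "action": "read", "data_class": "contact", "subject": "s-1001"}
{"ts": "2018-10-11T09:00:05Z", "user": "u17", "role": "support", "action": "read", "data_class": "payment", "subject": "s-1001"}
{"ts": "2018-10-11T09:01:10Z", "user": "u42", "role": "billing", "action": "update", "data_class": "payment", "subject": "s-2002"}
{"ts": "2018-10-11T09:02:00Z", "user": "u42", "role": "billing", "action": "export", "data_class": "contact", "subject": "s-2002"}
{"ts": "2018-10-11T09:03:30Z", "user": "u07", "role": "dpo", "action": "export", "data_class": "contact", "subject": "*"}
"""

GENESIS = "0" * 64


def parse_log(text):
    """One JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _digest(prev, event):
    # Canonical serialization so the same event always hashes the same way.
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()


def build_trail(log_text):
    """Write the access events into a hash-chained audit trail. Each entry commits
    to the digest of the one before it, so editing or deleting an earlier entry
    invalidates every later digest. This is tamper-evident, not tamper-proof:
    the latest digest must itself be kept somewhere the log writer cannot alter."""
    chain, prev = [], GENESIS
    for event in parse_log(log_text):
        digest = _digest(prev, event)
        chain.append({"event": event, "prev": prev, "digest": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Re-derive every digest; False on any break in the chain."""
    prev = GENESIS
    for entry in chain:
        if entry["prev"] != prev or entry["digest"] != _digest(prev, entry["event"]):
            return False
        prev = entry["digest"]
    return True


def detect_anomalies(events):
    """Monitor personal data access: flag accesses outside the role's
    authorization, and bulk exports even where the role may export."""
    findings = []
    for e in events:
        if (e["role"], e["action"], e["data_class"]) not in AUTHORIZED:
            findings.append((e["ts"], e["user"], f"{e['role']} not authorized to {e['action']} {e['data_class']}"))
        elif e["action"] == "export" and e["subject"] == "*":
            findings.append((e["ts"], e["user"], f"bulk export of {e['data_class']} data"))
    return findings


if __name__ == "__main__":
    trail = build_trail(SAMPLE_LOG)
    print("trail intact:", verify_chain(trail))
    for finding in detect_anomalies([entry["event"] for entry in trail]):
        print("ALERT", *finding)
```

Run against the constructed log this raises three findings: a support user reading payment data, a billing user exporting contact data, and the DPO's export of every subject's contact data (allowed by role, but a bulk export is worth a human look). The same trail is what the Conform phase needs when demonstrating who accessed which personal data and when.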

Page 102: Privacy, Risk and Regulations - Scope, Rights, Penalties


Containing the breach and recovering from the impact

Assessing the risk

Deciding who you need to inform

Learning from the incident

Breach Management – First 4 steps

Page 103: Privacy, Risk and Regulations - Scope, Rights, Penalties


Containing the breach:

Establish a lead – this will often be the data protection officer or team, or it might be an external consultant. The main thing is that there is a point of contact for staff and customers and for the ICO if necessary.

Contain the Breach

Page 104: Privacy, Risk and Regulations - Scope, Rights, Penalties


Risk Assessment:

Are there any safeguards in place that could lower the risk? For example, is the data encrypted? Has it gone to a trusted body?

Are there more safeguards you can put in place now?

Assess the Risk

Page 105: Privacy, Risk and Regulations - Scope, Rights, Penalties


Containing the breach:

They should also be thinking about who will need to be informed, including the ICO, the data subjects, industry regulators and the police.

Who Needs to Be Informed

Page 106: Privacy, Risk and Regulations - Scope, Rights, Penalties


C.I.A. (Not the Deep State Type)

Page 107: Privacy, Risk and Regulations - Scope, Rights, Penalties


Confidentiality Breach

Page 108: Privacy, Risk and Regulations - Scope, Rights, Penalties


Integrity Breach

Page 109: Privacy, Risk and Regulations - Scope, Rights, Penalties


Availability Breach

Page 110: Privacy, Risk and Regulations - Scope, Rights, Penalties


Breach Assessment

What happened?

When did it happen?

How did it happen?

How many people could be affected?

What sort of data has been breached?

What did you have in place that could have stopped it?

What have you done to help the people this affects?

What have you learned?

How can you stop similar breaches in the future?

Page 111: Privacy, Risk and Regulations - Scope, Rights, Penalties


Personal Data Breach Defined

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data (or a combination of these).

Page 112: Privacy, Risk and Regulations - Scope, Rights, Penalties


What is a personal data breach?

The GDPR defines a personal data breach as:

“…a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

This includes breaches that are the result of accidental or deliberate causes. It also means that a breach is more than just about losing personal data.

Page 113: Privacy, Risk and Regulations - Scope, Rights, Penalties


Personal Data Breach Defined

In short, there will be a personal data breach whenever:

- someone accesses the data or passes it on without proper authorization;

- the data is (maliciously or accidentally) corrupted, lost, or destroyed;

- or the data is made unavailable (e.g. encrypted by ransomware, or lost).

Page 114: Privacy, Risk and Regulations - Scope, Rights, Penalties


Breach Awareness

The Article 29 Working Party considers that a controller has become aware of a breach when it has a “reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”.

If you (the controller) use a processor and it experiences a breach, then under Article 33(2) it must inform you without undue delay as soon as it becomes aware.

Page 115: Privacy, Risk and Regulations - Scope, Rights, Penalties


72 Hours – The Clock is ticking

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it, where feasible.

If you take longer than this, you must give reasons for the delay.

Page 116: Privacy, Risk and Regulations - Scope, Rights, Penalties


When telling individuals about a breach you need to describe, in clear and plain language, the nature of the personal data breach and, at least:

• the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;

• a description of the likely consequences of the personal data breach; and

• a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.

• You should tell individuals what you’re doing to mitigate the breach, and how they can protect themselves from the impact of the breach.

Page 117: Privacy, Risk and Regulations - Scope, Rights, Penalties


If you fail to report…

Failing to notify a breach when required to do so can result in a significant fine up to 10 million euros or 2% of your global turnover. The fine can be combined with the ICO’s other corrective powers under Article 58.

So it’s important to make sure you have a robust breach-reporting process in place to ensure you can detect and notify a breach on time, and to provide the necessary details.

Reporting a breach

• a description of the nature of the personal data breach including, where possible: the categories and approximate number of individuals concerned; and the categories and approximate number of personal data records concerned

• the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained

• a description of the likely consequences of the personal data breach and

• a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Page 118: Privacy, Risk and Regulations - Scope, Rights, Penalties


Processor Contract

If you use a processor, the requirements about breach reporting should be detailed in the contract between you and your processor, as required under Article 28.

Page 119: Privacy, Risk and Regulations - Scope, Rights, Penalties


Risk assessment

Not every breach needs to be reported… but you will need to notify unless it’s unlikely to result in a risk to individuals’ rights and freedoms (and you can demonstrate this).

Page 120: Privacy, Risk and Regulations - Scope, Rights, Penalties


A combination of the severity and likelihood of the potential negative consequences of a breach.

When assessing risk, you should be considering…

Page 121: Privacy, Risk and Regulations - Scope, Rights, Penalties


Do you have a process in place to assess the likelihood and severity of the risk to individuals’ rights and freedoms?

Think of the consequences… what are the potential effects of a breach on individuals; how severe are these, and how likely are they to happen?

Page 122: Privacy, Risk and Regulations - Scope, Rights, Penalties


the potential or actual consequences for individuals is more severe.

This is part of the reason for telling individuals about a breach involving their personal data – to help them take steps to protect themselves from its effects.

High Risk

Page 123: Privacy, Risk and Regulations - Scope, Rights, Penalties


Some factors to consider include:

• the type of breach

• the nature, sensitivity and volume of personal data

• the ease of identification of individuals

• the severity of the consequences

• any special characteristics of the individual / controller
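An added example that is not part of the deck, pulling together the breach slides above: it classifies an incident against the GDPR definition of a personal data breach (confidentiality, integrity, availability), scores severity and likelihood from the factors just listed, decides whether to report to the supervisory authority and whether to tell individuals, computes the 72-hour deadline from the moment of awareness, and checks a draft notification for the required contents. The weights, the high-risk threshold, the field names and the three incidents are constructed; they illustrate the decision structure, not a calibrated scale, and the legal call remains with the DPO and counsel.

```python
from datetime import datetime, timedelta

# Constructed weights for the factors on the slide (illustrative only).
BREACH_TYPE_WEIGHT = {"confidentiality": 3, "integrity": 2, "availability": 1}
DATA_SENSITIVITY = {"contact": 1, "financial": 3, "credentials": 3, "health": 4}
IDENTIFIABILITY = {"direct": 3, "pseudonymized": 1}
HIGH_RISK_THRESHOLD = 24          # constructed: risk at or above this -> tell individuals too
REPORTING_WINDOW = timedelta(hours=72)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Contents of the report to the authority, per the "Reporting a breach" slide
# (field names are constructed).
REQUIRED_NOTIFICATION_FIELDS = (
    "nature", "categories_of_individuals", "approx_individuals",
    "categories_of_records", "approx_records", "contact_point",
    "likely_consequences", "measures_taken",
)


def classify_breach(incident):
    """Map the GDPR wording (destruction, loss, alteration, unauthorised
    disclosure of, or access to) onto the C.I.A. categories from the slides.
    One incident may fall into more than one category."""
    kinds = set()
    if incident.get("disclosed") or incident.get("accessed"):
        kinds.add("confidentiality")
    if incident.get("altered"):
        kinds.add("integrity")
    if incident.get("lost") or incident.get("destroyed") or incident.get("unavailable"):
        kinds.add("availability")
    return kinds


def severity(incident):
    """Type of breach, sensitivity and volume of data, ease of identification,
    special characteristics of the individuals: the slide's factor list."""
    score = max((BREACH_TYPE_WEIGHT[k] for k in classify_breach(incident)), default=0)
    score += max(DATA_SENSITIVITY.get(c, 2) for c in incident["data_classes"])
    score += IDENTIFIABILITY[incident["identifiability"]]
    n = incident["affected"]
    score += 1 if n < 100 else 2 if n < 10_000 else 3
    score += 1 if incident.get("vulnerable_subjects") else 0
    return score


def likelihood(incident):
    """Likelihood that harm materialises; safeguards already in place lower it
    (the slide's questions: is the data encrypted? has it gone to a trusted body?)."""
    score = 3
    if incident.get("encrypted_key_not_compromised"):
        score -= 3
    if incident.get("recipient_trusted"):
        score -= 2
    return max(score, 0)


def decide(incident):
    """Risk = severity x likelihood. Zero risk -> no report, but record why;
    otherwise report to the authority; at high risk also tell the individuals."""
    risk = severity(incident) * likelihood(incident)
    if risk == 0:
        return {"risk": 0, "notify_authority": False, "notify_individuals": False,
                "reason": "unlikely to result in a risk to rights and freedoms; document the assessment"}
    high = risk >= HIGH_RISK_THRESHOLD
    return {"risk": risk, "notify_authority": True, "notify_individuals": high,
            "reason": "high risk" if high else "risk"}


def reporting_deadline(aware_at):
    """72 hours from awareness, as an ISO timestamp string."""
    return (datetime.strptime(aware_at, TS_FORMAT) + REPORTING_WINDOW).strftime(TS_FORMAT)


def is_late(aware_at, reported_at):
    """A late report is still made, but reasons for the delay must be given."""
    return datetime.strptime(reported_at, TS_FORMAT) > datetime.strptime(aware_at, TS_FORMAT) + REPORTING_WINDOW


def missing_notification_fields(notification):
    """Which required contents of the report to the authority are still absent."""
    return [f for f in REQUIRED_NOTIFICATION_FIELDS if not notification.get(f)]


# Constructed incidents.
STOLEN_ENCRYPTED_LAPTOP = {"lost": True, "data_classes": ["contact"], "identifiability": "direct",
                           "affected": 500, "encrypted_key_not_compromised": True}
MISDIRECTED_EMAIL = {"disclosed": True, "data_classes": ["contact"], "identifiability": "direct",
                     "affected": 20, "recipient_trusted": True}
HEALTH_DB_INTRUSION = {"accessed": True, "data_classes": ["contact", "health"],
                       "identifiability": "direct", "affected": 50_000}

if __name__ == "__main__":
    for name, inc in [("laptop", STOLEN_ENCRYPTED_LAPTOP), ("email", MISDIRECTED_EMAIL), ("db", HEALTH_DB_INTRUSION)]:
        print(name, sorted(classify_breach(inc)), decide(inc))
    print("deadline for awareness at 2018-10-11T09:30:00Z:", reporting_deadline("2018-10-11T09:30:00Z"))
```

With these constructed weights the encrypted laptop scores zero likelihood and is recorded as not notifiable, the misdirected e-mail is reported to the authority only, and the health database intrusion triggers both reports. The value of writing the triage down this way is less the numbers than the fact that every decision, including a decision not to report, carries a reason that can be shown later.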

Page 124: Privacy, Risk and Regulations - Scope, Rights, Penalties


Breach Management – From 4 to 5 key steps

Page 125: Privacy, Risk and Regulations - Scope, Rights, Penalties


Integrated Risk Management

Page 126: Privacy, Risk and Regulations - Scope, Rights, Penalties


What is RISK?

Page 127: Privacy, Risk and Regulations - Scope, Rights, Penalties


What is RISK?

What compels most of us to avoid risk? What compels others to run straight into the fire?

Insurance industry - risk is all about math.

War – military leaders rely on statistical analysis to assess risk vs. forecasts of casualties vs. costs (munitions, transportation, food)

Law - (marriage & divorce) financial devastation vs locked in purgatory that drags on (months or years)

Is risk a necessary component of progress?

Can risk ever be eliminated?

Will predictive analytics reduce or remove Risk?

Page 128: Privacy, Risk and Regulations - Scope, Rights, Penalties


Integrated Risk Management

Integrated Risk Management enables an organization to advance more sustainable strategic decision making.

IRM is a set of practices and processes supported by a risk-aware culture and enabling technologies that improves decision-making and performance through an integrated view of risk.

For most organizations, building an IRM program means blowing up traditionally siloed risk areas and replacing them with a single, holistic view of enterprise risk. By integrating siloed risk under one centralized risk management framework, an organization can view and analyze every risk metric simultaneously.

This means linking the overall corporate risk reduction strategy to distinct, quantifiable business objectives, which can be met by deploying specific risk mitigation actions across the organization with support of the IT infrastructure.

An organization must apply this “integrated” view across a variety of risk management activities that take on distinct perspectives of risk.

A legal department has its own definition of risk and its own series of mitigation plans, but that legal definition of risk varies drastically from the way IT-related risk is being addressed.

Page 129: Privacy, Risk and Regulations - Scope, Rights, Penalties


Corporate Compliance and Oversight (CCO)

Business Continuity Management (BCM)

Third-party Risk Management / Vendor Risk Management (VRM)

Digital / IT Risk Management (DRM)

Identity Risk Management

Audit Management (AM)

Enterprise Legal Management (ELM)

Risk Management Components

Page 130: Privacy, Risk and Regulations - Scope, Rights, Penalties


Risk Management Components

Corporate Compliance and Oversight (CCO)

The job of compliance managers only becomes more complicated as new regulations, like GDPR, come into effect, and organizational compliance requirements (social and environmental responsibility, for example) begin to accumulate. As compliance management scope increases, regulatory compliance and change management become more complicated. There is also an increasing focus on commercial compliance (increasingly required by business partners) and organizational compliance requirements (such as ethics and corporate social responsibility). CCO provides policy development and management, compliance risk assessment, control rationalization, assessment and attestation, regulatory change management and investigative case management.

Strategic question: What is the impact of incidents on my compliance obligations?

Page 131: Privacy, Risk and Regulations - Scope, Rights, Penalties


Risk Management Components

Business Continuity Management (BCM)

Business continuity management is the practice of coordinating, facilitating and executing activities to identify risks of business disruptions, implement disaster recovery solutions and recovery plans, respond to disruptive events and recover mission-critical business operations. The ability to identify, respond to, and recover from business disruptions is critical to the success of the modern digital business. BCM includes processes such as risk assessment, business impact analysis (BIA), and recovery plan development, exercising and invocation. Critical and enhanced capabilities that address BCM help organizations to initiate BCM programs and improve overall continuity capability.

• Strategic question: Does the business impact analysis align with the overall risk

Page 132: Privacy, Risk and Regulations - Scope, Rights, Penalties


Risk Management Components

Third-party Risk Management / Vendor Risk Management (VRM)

Managing complex vendor supply chains is one of the biggest challenges facing security and risk management leaders today. Recent third-party breaches and new compliance mandates make the issue even more pressing. Vendor risk management programs help organizations manage the risks of third parties with adequate controls for business continuity management, performance, viability, security and data protection. Failure to comply with these mandates can have significant customer- and service-related, audit-related, and, for some industries, regulatory repercussions that can undermine shareholder value and corporate viability. The VRM use case addresses risks to regulatory compliance, information security and vendor performance arising from enterprises' increased use of, and reliance on, service providers and IT vendors. Solutions geared toward this use case have capabilities such as risk assessment, risk monitoring and/or risk rating.

• Strategic question: What is the impact on business continuity management or identity access management if the third-party risk for a particular vendor is high?

Page 133: Privacy, Risk and Regulations - Scope, Rights, Penalties


Risk Management Components

Digital / IT Risk Management (DRM)

The risk associated with new and growing technologies continues to evolve. The Internet of Things (IoT), machine learning, social media, big data, and mobile devices (among many others) disrupt traditional risk management models and present new challenges for enterprise decision makers. DRM technology integrates the management of risks of digital business components, such as cloud, mobile, social and big data, and third-party technologies like artificial intelligence and machine learning, operational technology (OT), and the Internet of Things (IoT).

• Strategic question: What is the impact of vulnerability management on IT risk?

Identity Risk Management (IdRM)

IdRM is the set of processes to mitigate the access risk in an organization through the Identity Access Management process (the infrastructure for creating, maintaining, and using digital identities). When integrated within the broader technology risk posture of the organization, it will provide substantial improvements in an organization’s ability to measure and mitigate overall enterprise risk.

Page 134: Privacy, Risk and Regulations - Scope, Rights, Penalties


Risk Management Components

Audit Management (AM)

Auditors independently and objectively evaluate, analyze and assess the effectiveness of an organization's system of internal control, governance processes and risk management capability. The auditors provide assurance, insight and recommendations on operational improvements to the board of directors, senior management and business process owners. Auditors do this through both auditing and consulting activities. The audit management solution market automates internal audit operations, such as audit planning, scheduling, work paper management, time and expense management, reporting, and issue management.

Enterprise Legal Management (ELM)

Enterprise legal management is focused on supporting legal, contracting and compliance departments, corporate secretaries, boards of directors and senior management. ELM provides better documentation, spend management, information availability and collaboration via an integrated set of applications. These applications include matter management, e-billing, financial/spend management, legal document management and business process management.

Page 135: Privacy, Risk and Regulations - Scope, Rights, Penalties


Trend No. 1: The Spotlight is On

Security breaches threaten C-level jobs and cost organizations millions of dollars, as proven by Equifax and Maersk. As a result, business leaders and senior stakeholders now focus much more on what is going on in the security department.

Strategic Risk Management (SRM) leaders should capitalize on this increased attention and work closely with business stakeholders to link security strategy with business initiatives. This is also a perfect opportunity to address skill shortages and increase professional development of the internal security workforce.

“Speak the language of the business and don’t lose yourself in technical terms when you deal with the C-suite.”

Page 136: Privacy, Risk and Regulations - Scope, Rights, Penalties


Trend No. 2: Regulations Enforce Change

The rise of data breaches forces enterprises to comply with an increasingly complex legal and regulatory environment, including Europe’s General Data Protection Regulation.

Data is both an asset and a potential liability. Digital business plans must weigh both and seek innovative solutions to lower costs and liabilities.

The message Strategic Risk Management leaders must communicate to CEOs is that data protection has both costs and risk but can also be used as a business differentiator. Leading organizations are focused on how compliance programs can act as a business enabler.


Page 138: Privacy, Risk and Regulations - Scope, Rights, Penalties


Trend No. 3: Machine learning becomes the watchdog

By 2025, machine learning (ML) will be a normal part of security practice and will offset some skills and staffing shortfalls. ML is better at addressing narrow and well-defined problem sets, such as classifying executable files.

We can’t escape the fact that humans and machines complement each other, and together they can outperform each alone. Machine learning reaches out to humans for assistance to address uncertainty and aids them by presenting relevant information. Keep in mind that ML requires human assistance; the key question is where that assistance comes from.

Page 139: Privacy, Risk and Regulations - Scope, Rights, Penalties


Trend No. 4: Concentrations of Digital Power

Digital trust has been consolidated and rests with a few big players — in the form of certificates, domains and email providers — which raises security concerns. As centralization gives way to monopolies and monocultures, the risk of disruptions and undesirable outcomes increases.

Consequently, we see a rise in efforts to create decentralized alternatives such as blockchain and edge computing, which moves computing resources away from centralized servers. The ultimate goal of these decentralization approaches is to increase availability, security and privacy for users. Security and risk management leaders envisioning constraints on digital business plans as a result of a concentration of resources should:

• Evaluate the security implications of centralization on availability, confidentiality and resiliency on digital business plans.

• Explore an alternative decentralized architecture in digital business planning initiatives where centralization increases the risks to the business goals.

Page 140: Privacy, Risk and Regulations - Scope, Rights, Penalties


Infonomics

The theory, study and discipline of asserting economic significance to information. Applies both economic and asset management principles and practice to the valuation, handling and deployment of information assets.

Page 141: Privacy, Risk and Regulations - Scope, Rights, Penalties


Seven questions legal teams should ask to understand their privacy risk exposure

1) How heavily does our business model depend on the use of high-risk data?

2) Does our business strategy document and subsequently manage potential privacy risks created by that strategy?

3) Are we being as transparent as possible with our customers in communicating how we use their data?

4) How effective are the controls we’ve put in place to manage our privacy risks, especially those in our highest-risk areas?

5) Are we using all possible information sources to understand risk at our organization?

6) How effectively are we monitoring ongoing third-party compliance with our standards?

7) What’s our third-party strategy?

Page 142: Privacy, Risk and Regulations - Scope, Rights, Penalties


Six Areas of Privacy Risk Response

Page 143: Privacy, Risk and Regulations - Scope, Rights, Penalties


Processes Organizations Should Implement to Minimize their Risk exposure

• Establish governance and organization — understand key business drivers and obtain senior management support for a robust cybersecurity program; establish roles and responsibilities; agree strategy, develop policies and standards; enable reporting.

• Identify what matters most — map business objectives/products/services to supporting people, processes, technology and data infrastructure, and rank by criticality to your business. This includes the ecosystem/supply chain in which you operate: both third parties who supply you and those that you supply.

• Understand the threats — understand who might want to attack you, why, and how they might carry out an attack; focus your efforts on how to respond to the most likely threats.

• Define your risk appetite — understand what the most likely cyber attacks could cost your business through simplified cyber risk quantification coupled with a cyber risk management framework, which forms part of your overall operational risk management processes; set your risk appetite and reporting mechanisms to ensure you operate within it.

• Focus on education and awareness — establish an education and awareness program, ensuring all employees, contractors and third parties can identify a cyber attack and are aware of the role they play in defending your business.

• Implement basic protections — secure your business at the technology level by deploying basic protections including secure configuration, patch management, firewalls, anti-malware, removable media controls, remote access controls, and encryption; establish a Vulnerability Management (VM) program which manages vulnerabilities from identification through to remediation; establish an effective Identity and Access Management (IAM) program to control access to your information; focus on data protection and privacy (technical and compliance) as well as managing third parties who have access to/control of your data.

Page 144: Privacy, Risk and Regulations - Scope, Rights, Penalties


Processes Organizations Should Implement to Minimize their Risk exposure

• Be able to detect an attack — establish a security monitoring capability that can detect an attack through monitoring activity at various levels within your business; this could be a basic system whereby an alert is generated and emailed when suspicious activity is detected on a firewall, through to a 24x7x365 Security Operations Center (SOC) monitoring networks, operating systems, applications and end users.

• Be prepared to react — establish a formal cyber incident management team who have been trained in and are following a documented plan, which is tested at least annually.

• Adopt a risk-based approach to resilience — establish recovery plans (including comprehensive backups) for all processes and supporting technologies in line with their criticality to the survival of the business.

• Implement additional automated protections — mature existing capabilities (for example, automate VM and IAM processes using specific technology), in addition to implementing complementary capabilities/technologies such as Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), Web Application Firewalls (WAF) and Data Loss Prevention (DLP) systems.

• Challenge and test regularly — carry out a cyber incident simulation exercise to test your executive management’s ability to manage the response to a significant cyberattack; carry out an initial red team exercise (a planned attack, carried out by professional ethical hackers) to test your technical ability to detect and respond to sophisticated attacks.

• Create a cyber risk management life cycle — reflect on all areas of your cyber risk management program and identify areas for ongoing improvement; repeat risk assessments on a regular basis; consider compliance with relevant regulations.


Page 146: Privacy, Risk and Regulations - Scope, Rights, Penalties


Processes Capability and Maturity

A clear understanding of process maturity levels and your organization’s current process capabilities and practices will help frame the work effort and change management required to improve information economics and achieve defensible disposal. The twenty-two information maturity processes incorporate the way an organization defines demand (what information is needed, why and for how long) and how it manages supply (what is provisioned, managed, decommissioned, and disposed).

At the highest level of maturity and capability, there is a closed loop between supply and demand, information cost is aligned with its value over time and risk is limited or removed. More precise and rigorous legal holds and retention as well as consistent, defensible disposal are designed into processes at maturity level 4.

Level 1 is an ad hoc, manual and unstructured process performed differently by each practitioner. Only the individual practitioner has access to the process facts or results. These processes are highly unreliable and difficult to audit.

Level 2 is a manual process with some consistency in how it is performed across practitioners within a particular function or department. Only the department has access to the process facts and results, and often these are embedded in multiple spreadsheets and seldom accessed. These processes can be more reliable, but still very difficult to audit.

Level 3 is a semi-automated process performed consistently within a department with process facts and results readily accessible to departmental stakeholders. Stakeholders beyond the department who participate in or are dependent upon the process are not integrated. These interdepartmental processes are more consistent and can readily be audited. However, audit results may reflect their lack of intradepartmental collaboration.

Level 4 is an automated and cross-functional process that is performed consistently with inclusion of dependent stakeholders across multiple departments. Process facts and results are readily available across organizations. These processes have the lowest risk, highest reliability and are readily and successfully audited.

Page 147: Privacy, Risk and Regulations - Scope, Rights, Penalties


Third Party Risk Intelligence - Supplier risk review

Third-Party Risk Management Must Go Beyond Assessments

1) Understand where your supplier data is being kept – all the certifications and verifications, licenses, etc. – and identify duplication;

2) Determine which suppliers are your most critical, making sure to involve all the relevant stakeholders – as mentioned above, supplier management has many more departments involved, so this is highly likely to include multiple business owners with competing goals/needs;

3) Concentrate on specific risks that are applicable to products or services provided by those suppliers.

You're only as strong as your weakest third party. Most risk professionals can't easily find their weakest links -


Page 149: Privacy, Risk and Regulations - Scope, Rights, Penalties


IRM Critical Capabilities

Provides business leaders with effective means of assessing risk and control effectiveness, identifying risk events, managing remediation efforts, and quantifying the associated risk exposure across the organization.

Risk and Control Documentation/Assessment

Risk statements and the related controls required to mitigate them to an acceptable level must be documented sufficiently to satisfy a number of key internal and external stakeholders — including regulators, external auditors, business partners/associates, suppliers, senior executives and board members. Statements and controls must also provide the basis for performing a comprehensive risk assessment at a strategic, operational and technological level. Features within this capability include:

• Risk-related content, including a risk framework, taxonomy/library, key risk indicator (KRI) catalog, and legal, regulatory and organizational compliance requirements

• Risk assessment methodology and calculation capabilities (for example, bow tie risk assessment)

• Policy documentation and control mapping

• Documentation workflow including authoring, versioning and approval

• Business impact analysis/recovery plan documentation

• Audit work paper and testing management

• Third-party control evaluation

• Contract management

Page 150: Privacy, Risk and Regulations - Scope, Rights, Penalties


IRM Critical Capabilities

Incident Management

Proactive management of risk incidents can lead to a reduction in business impact and inform future risk mitigation efforts. A record of incidents can be used to inform the risk assessment process and facilitate the identification of event causes. In addition, IRM solutions can integrate with external systems to identify potential risk events related to third-party risk profiles and known incidents. Features within this capability include:

• Incident data capture

• Incident management workflow and reporting

• Root cause analysis

• Crisis management

• Emergency mass notification

• Investigative case management

• Legal matter management

Page 151: Privacy, Risk and Regulations - Scope, Rights, Penalties


IRM Critical Capabilities

Risk Mitigation Action Planning

When risks are assessed to be beyond defined risk tolerance levels, action plans must be developed to ensure that the appropriate mitigation steps are taken to meet the risk appetite set by the board of directors or other governance body. IRM solutions can provide support to risk professionals and business leaders in managing and testing the associated risk mitigation efforts. Features within this capability include:

• Project management capabilities to track progress on risk-related initiatives, audits or investigations

• Risk control testing capabilities, such as continuous control monitoring

• Control mapping to risks, business processes and technology assets

• Control mapping to legal requirements and compliance mandates

KRI Monitoring/Reporting

To effectively monitor risks across the organization, companies can utilize IRM solutions to aggregate and report a wide array of risk levels using key risk indicators (KRIs). Features within this capability include:

• Risk scorecard/dashboard capabilities

• External data integration (for example, information security vulnerability assessment data)

• The ability to link KRIs to performance metrics

Page 152: Privacy, Risk and Regulations - Scope, Rights, Penalties


IRM Critical Capabilities

Risk Quantification and Analytics

Beyond the exercise of assessing risk from a qualitative perspective, companies in many industries (including banking, insurance and securities) seek to measure risk on a quantitative basis. Some of the quantitative analysis is used to support capital calculation requirements driven by regulatory mandates, such as Basel III and Solvency II. Other quantitative analysis methods are used to develop more precise predictive models to determine the potential for certain operational risk events, such as fraud or theft. As such, the features within this capability include:

• "What if" risk scenario analysis capabilities

• Statistical modeling capabilities (for example, Monte Carlo simulation, value at risk, and Bayesian statistical inference)

• Predictive analytics

• Capital allocation/calculation

• Fraud detection capabilities
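The Risk Quantification and Analytics capability above names Monte Carlo simulation and value at risk, and the Risk Mitigation Action Planning capability describes the action plan that is triggered when a risk lands beyond the board's tolerance. The Python below is an added example, not code from the workshop or from NuStrategies; the loss scenarios, their frequencies and loss figures, and the risk appetite are constructed placeholders, not figures from the slides.

```python
"""
Constructed example: Monte Carlo cyber-risk quantification.

Each loss scenario has a Poisson event frequency and a lognormal per-event
loss. Simulating many years yields a distribution of total annual loss, from
which annualized loss expectancy (ALE) and value at risk (VaR) are read; the
chosen tail measure is then compared with a board-set risk appetite.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class LossScenario:
    name: str
    annual_frequency: float  # expected loss events per year (Poisson rate)
    median_loss: float       # median loss per event, USD
    loss_sigma: float        # spread of ln(loss); larger means a fatter tail


# Constructed, hypothetical scenarios. Real inputs come from the business
# impact analysis and incident record the slides describe, not from these.
SCENARIOS = (
    LossScenario("third-party vendor breach", 0.3, 500_000.0, 1.0),
    LossScenario("ransomware outage", 0.1, 2_000_000.0, 1.2),
    LossScenario("phishing account compromise", 2.0, 25_000.0, 0.8),
)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenarios, trials: int = 10_000, seed: int = 2018):
    """Return the ascending list of simulated total annual losses (USD)."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            # one lognormal draw per event that occurs in this simulated year
            for _ in range(_poisson(rng, s.annual_frequency)):
                total += rng.lognormvariate(math.log(s.median_loss), s.loss_sigma)
        losses.append(total)
    losses.sort()
    return losses


def percentile(sorted_losses, pct: float) -> float:
    """Nearest-rank percentile of an ascending list (pct in 0..100)."""
    n = len(sorted_losses)
    rank = max(1, min(n, math.ceil(pct / 100.0 * n)))
    return sorted_losses[rank - 1]


def risk_summary(sorted_losses) -> dict:
    """ALE plus the tail figures a risk dashboard or KRI report would carry."""
    return {
        "ale": mean(sorted_losses),
        "median": percentile(sorted_losses, 50),
        "var_95": percentile(sorted_losses, 95),  # 1-in-20-year loss
        "var_99": percentile(sorted_losses, 99),  # 1-in-100-year loss
        "max": sorted_losses[-1],
    }


def exceeds_appetite(summary: dict, appetite_usd: float, measure: str = "var_95") -> bool:
    """True when the chosen tail measure is beyond the stated risk appetite,
    i.e. when the action-planning step described on the slides is triggered."""
    return summary[measure] > appetite_usd


if __name__ == "__main__":
    summary = risk_summary(simulate_annual_loss(SCENARIOS))
    for key, value in summary.items():
        print(f"{key:>7}: ${value:,.0f}")
    appetite = 1_500_000.0  # constructed board-set appetite for the 1-in-20-year loss
    print("action plan required:", exceeds_appetite(summary, appetite))
```

Raising `trials` tightens the tail estimates; the seed only fixes which random stream is used, so two runs with the same seed and inputs give the same figures.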

Page 153: Privacy, Risk and Regulations - Scope, Rights, Penalties


Driving Compliance

Data & Behavioral Science: A New Approach to Risk Management

The research identifies several trends:

61% said clear guidance regarding laws and regulations is one of their top considerations when helping employees understand compliance.

57% cited the culture of a country or region as a major obstacle to the implementation of an effective compliance framework.

66% said requests from government officials are the biggest challenge in asset management.

83% use informal background checks conducted internally to carry out third-party diligence.

Page 154: Privacy, Risk and Regulations - Scope, Rights, Penalties


Threat Matrix

Sector columns of the matrix: Financial Services, Retail, Legal, Energy, Healthcare, Tech/Entertainment, Telecom, Gov't/Military, NGOs/Civil Society. An X marks a sector the actor targets; the column positions of the marks did not survive extraction, so only the count per actor is given.

Threat actor                           Sectors marked   Capability   Potential impact
China                                  8 of 9           Tier 6       Catastrophic
Five Eyes*                             4 of 9           Tier 6       Catastrophic
Iran                                   5 of 9           Tier 4       Moderate/Severe
North Korea                            6 of 9           Tier 4**     Severe
Russia                                 7 of 9           Tier 6       Catastrophic
Disruptive/attention-seeking actors    2 of 9           Tier 3       Moderate
Cybercriminals                         6 of 9           Tier 4       Severe
Hacktivists                            7 of 9           Tier 3       Moderate
Jihadi hackers                         4 of 9           Tier 2       Negligible

Page 155: Privacy, Risk and Regulations - Scope, Rights, Penalties


FLASHPOINT CAPABILITY SCALE

TIER 1 – The cyber actor(s) possess extremely limited technical capabilities and largely make use of publicly available attack tools and malware. Sensitive data supposedly leaked by the attackers are often linked back to previous breaches and publicly available data.

TIER 2 – Attackers can develop rudimentary tools and scripts to achieve desired ends in combination with the use of publicly available resources. They may make use of known vulnerabilities and exploits.

TIER 3 – Actors maintain a moderate degree of technical sophistication and can carry out moderately damaging attacks on target systems using a combination of custom and publicly available resources. They may be capable of authoring rudimentary custom malware.

TIER 4 – Attackers are part of a larger and well-resourced syndicate with a moderate-to-high level of technical sophistication. The actors are capable of writing custom tools and malware and can conduct targeted reconnaissance and staging prior to conducting attack campaigns. Tier 4 attackers and above will attempt to make use of publicly available tools prior to deploying more sophisticated and valuable toolkits.

TIER 5 – Actors are part of a larger and well-resourced organization with high levels of technical capabilities such as those exhibited by Tier 4 actor sets. In addition, Tier 5 actors have the capability of introducing vulnerabilities in target products and systems, or the supply chain, to facilitate subsequent exploitation.

TIER 6 – Nation-state supported actors possessing the highest levels of technical sophistication reserved for only a select set of countries. The actors can engage in full-spectrum operations, utilizing the breadth of capabilities available in cyber operations in concert with other elements of state power, including conventional military force and foreign intelligence services with global reach.

FLASHPOINT POTENTIAL IMPACT SCALE

NEGLIGIBLE – Damage from these attacks is highly unlikely or is unable to adversely affect the targeted systems and infrastructure. Such incidents may result in minor reputational damage. Sensitive systems and data remain intact, confidential, and available.

LOW – Attacks have the capacity to disrupt some non-critical business functions, and the impact is likely intermittent and non-uniform across the user base. User data and sensitive information remain protected.

MODERATE – Attacks have the potential to disrupt some core business functions, although the impact may be intermittent and non-uniform across the user base. Critical assets and infrastructure remain functional, even if they suffer from moderate disruption. Some non-sensitive data may be exposed. Actors at this level might also expose sensitive data.

SEVERE – Cyber-attacks at this level have the capacity to disrupt regular business operations and governmental functions severely. Such incidents may result in the temporary outage of critical services and the compromise of sensitive data.

CATASTROPHIC – Kinetic and cyber-attacks conducted by the threat actor(s) have the potential to cause complete paralysis and/or destruction of critical systems and infrastructure. Such attacks have the capacity to result in significant destruction of property and/or loss of life. Under such circumstances, regular business operations and/or government functions cease and data confidentiality, integrity, and availability are completely compromised for extended periods.

Page 156: Privacy, Risk and Regulations - Scope, Rights, Penalties


Discussion – Future Technology Opportunities

Page 157: Privacy, Risk and Regulations - Scope, Rights, Penalties


Thank you!

Thomas Doty, JD, LLM, Director, Intellectual Asset Protection

NuStrategies, LLC

[email protected]