Privacy Breaches –
The Private Sector Perspective
Mark S. Hayes
Blake, Cassels & Graydon LLP
PIPA Conference 2008
Calgary, Alberta
November 17, 2008
Summary
• Privacy breaches are messy
• Organization responses to privacy breaches are not models of efficiency and logic
• IPCs can assist organizations, but only if assistance is not viewed as a threat
• If in doubt, do no (more) harm!
Breach Guidelines
• Current guidelines are useful and reasonably practical
• Four-step response plan is a good general guide
• Completely agree with Catherine’s “Things You Wish You’d Done”
– Everything is much easier if proper steps are taken in advance
Breach Notification
• Similarly, advice in documents like B.C.’s “Key Steps For Responding To Privacy Breaches” is of assistance in deciding whether and how to notify
• With minor exceptions, latest Industry Canada Breach Notification Model has struck right balance between protection of public and knee-jerk reactions that cause more harm than good
However…
• All of these guidelines can’t tell people in the trenches what they should do when dealing with a real-life data breach
• Reality of organizations
• Nature of breaches
• Nature of internal responsibilities and responses
A Case Study
• Famous Harvard Business Review case study
– Medium-sized retailer told by police it appears to be common point of purchase for large number of fraudulent credit card transactions
– Not clear if company and its (less than airtight) IT systems are cause of apparent data breach
– Customers have come to respect firm for its straight talk and square deals
– Law enforcement wants them to stay quiet for now
– Reputation at stake; path to preserving it difficult to see
Experts' Advice
• James E. Lee, ChoicePoint
– Advises early and frank external and internal communications, elimination of security weaknesses, and development of a brand-restoration strategy
• Bill Boni, Motorola
– Stresses prevention: comprehensive risk management, full compliance with PCI standards, putting digital experts on staff, consulting established model response plan and making preserving firm's reputation
• John Philip Coghlan, formerly of Visa USA
– Recommends swift disclosure to empower consumers to protect themselves against further fraud; might even enhance company's reputation for honesty
• Jay Foley, Identity Theft Resource Center
– Recommends quality of communication over speed of delivery; cautious management to prevent data thefts and long-term negative consequences
The Conundrum
• All of this may be good advice, but not identical and sometimes conflicting
– Typical when an organization discovers that it might have experienced a data breach
– Organization often gets much advice and guidance, but no clear answers
• Want to discuss responses to data breaches in real world
The Real World – Pre-Breach
• Privacy often seen as a small and relatively unimportant compliance requirement
– Not core to organization
– Handled at a middle management level with periodic reporting to senior management
– Compliance with privacy requirements is focus
• Most organizations have no serious data breach, or at most one
– Only a breach focuses senior management on privacy
The Real World – Dealing With A Breach
• Data breaches are really, really messy
– Incomplete or incorrect information
– Time and resource pressures
– Confusing and contradictory internal and external priorities and policies
– Poor internal coordination of response
– Poor communications
• Often no organized response team or list of internal and external contacts and back-ups
• Fear!
The Real World – Dealing With A Breach
• Multiple risk management priorities
– While organizations have concerns about individuals affected by data breaches, also concerned about organizational risk
– Many other risk management priorities in addition to privacy and damage to individuals
– Risk emphasis may depend on locus of privacy compliance management
• Personal view of the elephant
The Real World – Dealing With A Breach
• Lack of authority (or interest) to respond without senior management approval
• Confusion about responsibility for security as opposed to privacy
– Especially true for IT security
– CPO may have little knowledge of, or influence on, IT security procedures, even in urgent situation
• Most often internal resources not sufficient
– Obtaining expert assistance takes time and money; often both in short supply
The Real World – Dealing With A Breach
• Many data breaches involve more than one organization
• Ability to investigate and respond to breach not solely in control of organization
– Service providers
– Subsidiaries and affiliates
– Business partners (e.g. credit card issuers)
• Contracts may not allow organization to control how to deal with breach, even though it may have most of the risk and responsibility
• Internal resources and priorities at other organizations may conflict
Why Does This Matter?
• Policy makers and regulators should be sensitive to organizational dynamics
– Organizations are not monoliths, but individuals who are sometimes struggling
• Guidelines are useful, but as a starting point only
– “Take reasonable steps” does not provide much assistance in middle of tornado
• Each situation must be understood on the basis of dynamics of organization
Why Does This Matter?
• Regulators must often try to support CPO
• Usually friend of privacy but often caught amongst many competing interests
– Board of directors
– Senior management
– Other employees
– Customers
– Investors
– Outside advisors
– Media
Why Does This Matter?
• Regulators must understand role fear and distrust play in relationship with organizations
– New people often involved in data breach response
• Especially applicable to decision to notify regulator about data breaches
– Concern that disclosure will create liability
– Concern about access to information requests
• If compulsory notification is instituted, organizations must have assurances about potential uses of information
Do No (More) Harm
• Bottom line for organizations and regulators
• While quick action is required, any action before facts are known can make things worse
– Must avoid making response to privacy breaches part of the problem
• Understanding of risks resulting from breach is crucial, but can take some time
• While guidelines are useful, very few “hard and fast” rules that will apply in all situations
Questions?
For a digital copy of these slides, just ask!
mark.hayes@blakes.com