Privacy Breaches – The Private Sector Perspective

OBA, June 8, 2009

Mark S. Hayes
Partner, Hayes eLaw LLP
Summary
• Privacy breaches are messy
• Organization responses to privacy breaches are not models of efficiency and logic
• IPCs can assist organizations, but only if assistance is not viewed as a threat
• If in doubt, do no (more) harm!
Breach Guidelines
• Current guidelines are useful and reasonably practical
• Four-step response plan is a good general guide
• Everything is much easier if proper steps are taken in advance
Breach Notification
• Similarly, advice in documents like B.C.’s “Key Steps For Responding To Privacy Breaches” is of assistance in deciding whether and how to notify
• With minor exceptions, the latest Industry Canada Breach Notification Model has struck the right balance between protection of the public and knee-jerk reactions that cause more harm than good
However…
• All of these guidelines can’t tell people in the trenches what they should do when dealing with a real-life data breach, because of the:
  – Reality of organizations
  – Nature of breaches
  – Nature of internal responsibilities and responses
A Case Study
• Famous Harvard Business Review case study
  – Medium-sized retailer told by police it appears to be the common point of purchase for a large number of fraudulent credit card transactions
  – Not clear if the company and its (less than airtight) IT systems are the cause of the apparent data breach
  – Customers have come to respect the firm for its straight talk and square deals
  – Law enforcement wants them to stay quiet for now
  – Reputation at stake; path to preserving it difficult to see
Experts' Advice
• James E. Lee, ChoicePoint
  – Advises early and frank external and internal communications, elimination of security weaknesses, and development of a brand-restoration strategy
• Bill Boni, Motorola
  – Stresses prevention: comprehensive risk management, full compliance with PCI standards, putting digital experts on staff, consulting an established model response plan, and focusing on preserving the firm's reputation
• John Philip Coghlan, formerly of Visa USA
  – Recommends swift disclosure to empower consumers to protect themselves against further fraud; might even enhance the company's reputation for honesty
• Jay Foley, Identity Theft Resource Center
  – Recommends quality of communication over speed of delivery; cautious management to prevent data thefts and long-term negative consequences
The Conundrum
• All of this may be good advice, but it is not identical and is sometimes conflicting
  – Typical when an organization discovers that it might have experienced a data breach
  – Organization often gets much advice and guidance, but no clear answers
• Want to discuss responses to data breaches in the real world
The Real World – Pre-Breach
• Privacy often seen as a small and relatively unimportant compliance requirement
  – Not core to the organization
  – Handled at a middle management level with periodic reporting to senior management
  – Compliance with privacy requirements is the focus
• Most organizations experience no serious data breach, or only one
  – Only an actual breach focuses senior management on privacy
The Real World – Dealing With A Breach
• Data breaches are really, really messy
  – Incomplete or incorrect information
  – Time and resource pressures
  – Confusing and contradictory internal and external priorities and policies
  – Poor internal coordination of response
  – Poor communications
    • Often no organized response team or list of internal and external contacts and back-ups
• Fear!
The Real World – Dealing With A Breach
• Multiple risk management priorities
  – While organizations have concerns about individuals affected by data breaches, they are also concerned about organizational risk
  – Many other risk management priorities in addition to privacy and damage to individuals
  – Risk emphasis may depend on the locus of privacy compliance management
    • Personal view of the elephant
The Real World – Dealing With A Breach
• Lack of authority (or interest) to respond without senior management approval
• Confusion about responsibility for security as opposed to privacy
  – Especially true for IT security
  – CPO may have little knowledge of, or influence on, IT security procedures, even in an urgent situation
• Most often internal resources are not sufficient
  – Obtaining expert assistance takes time and money; often both are in short supply
The Real World – Dealing With A Breach
• Many data breaches involve more than one organization
• Ability to investigate and respond to a breach is not solely in the control of the organization
  – Service providers
  – Subsidiaries and affiliates
  – Business partners (e.g. credit card issuers)
• Contracts may not allow the organization to control how to deal with the breach, even though it may have most of the risk and responsibility
• Internal resources and priorities at other organizations may conflict
Why Does This Matter?
• Policy makers and regulators should be sensitive to organizational dynamics
  – Organizations are not monoliths, but individuals who are sometimes struggling
• Guidelines are useful, but a starting point only
  – “Take reasonable steps” does not provide much assistance in the middle of a tornado
• Each situation must be understood on the basis of the dynamics of the organization
Why Does This Matter?
• Regulators must try to support the CPO
• Usually a friend of privacy, but often caught amongst many competing interests:
  – Board of directors
  – Senior management
  – Other employees
  – Customers
  – Investors
  – Outside advisors
  – Media
Why Does This Matter?
• Regulators must understand the role fear and distrust play in the relationship with organizations
  – New people are often involved in data breach response
• Especially applicable to the decision to notify the regulator about data breaches
  – Concern that disclosure will create liability
  – Concern about access to information requests
• If compulsory notification is instituted, organizations must have assurances about potential uses of the information
Do No (More) Harm
• Bottom line for organizations and regulators
• While quick action is required, any action before the facts are known can make things worse
  – Must avoid making the response to privacy breaches part of the problem
• Understanding of the risks resulting from a breach is crucial, but can take some time
• While guidelines are useful, there are very few “hard and fast” rules that will apply in all situations
Questions?
For a digital copy of these slides, just ask!

mark@hayeselaw.com
