International Perspectives on Data Breach

1. International Perspective: Lessons Learned
IAPP Canada Privacy Summit Pre-conference
Constantine Karbaliotis, Data Protection & Privacy Lead

2. US Experiences: Legislative Overview
• Data or security breach legislation has been a fact of life in the US since 2002:
    • California first in 2002
    • Subsequently 44 more US states have passed mandatory breach notification legislation
    • Key requirement in HITECH/HIPAA legislation
    • Massachusetts Data Protection Law
Lessons Learned: Data Breach

3. Common Elements
• Triggered if there is a breach of data security; and a consumer’s personal information is implicated
• Not all breaches trigger notification
• Consider the definition of personal information:
    • Typically meant to address name plus data such as social insurance/security number, credit card or banking data – what facilitates identity theft or fraud
    • Also includes medical information, as well as health insurance information under certain states’ laws
• Some state laws apply even if there is simply a reasonable belief that there was an acquisition of data
• Direct notice is typically required, though substitute notice is permitted in certain instances

4. Issues to Consider
• Encryption – is it effective to avoid the notice requirement?
• Electronic v. non-electronic data
    • Alaska, Hawaii, Indiana, Massachusetts, North Carolina, and Wisconsin include non-electronic records loss
• Who else must notice be given to? Typically the Attorney-General of each state
• What is the form of notice?
• Is notice required if there is no likelihood of identity theft?
• Thresholds – size of breach

5. Logistical Issues
• Managing notification is often beyond the capability of most organizations
• First challenge: mailing the notice
    • It may be possible to handle internally if the breach is small
    • The mass mailing requirement is difficult to address if the numbers affected are significant
• Even if organizations operate call centres, these are rarely equipped to address the kinds of questions arising from a data breach
    • Scripting responses takes time
    • Must consider the experience and nature of inquiries typically handled by your call centre

6. Law Enforcement
• Must consider whether law enforcement is to be notified – may not be required for a ‘loss’ situation, but definitely will be for theft/hack
• Typically law enforcement is not experienced enough yet to understand the gravity (and consequences) of data breach scenarios, so it will be important to explain both the gravity and the consequences to investigators
• Typically law enforcement will not want notification prior to investigation, so in a difficult case it is best to involve law enforcement and the regulator directly and together
• Sometimes need to chase the investigation down – thefts are a common occurrence and they tend to all blur together
• Must consider who needs to involve law enforcement – can get delicate if the breach arises with a vendor in a different country who may be the only one who can file a complaint

7. Notification to Regulator/Attorney General
• Notification must follow the standards set out in regulation
• Important that notification be accurate and timely
• In the US, it always leads to public notification even if the breach is small
• Nonetheless, do not overlook jurisdictions merely because only a few individuals from them are involved

8. Response to a Breach
• It is becoming a truism that it is not that you’ve had a breach – everyone eventually will – it’s how you respond to it
• Vitally important that you not cut too fine a line in ‘distinguishing’ treatment of customers simply because of jurisdiction
• Be careful to ensure accuracy in reporting on the details of what has happened, especially if still investigating
• Requirement under most laws to describe how you are taking steps to remediate/prevent recurrence
• Consider what steps you will take to help prevent harm to your customers – credit monitoring or credit protection services, for example – as this will tend to colour how people respond to your breach more than the breach itself

9. Organizational Capability
• Breach experience in the US highlights the need to have an organized response ahead of a breach
• Must involve a multi-disciplinary group:
    • Privacy
    • Information Security
    • Legal Department
    • Public Relations/Communications
    • Human Resources
    • Government Relations
• Having a documented breach response plan and capability will be one of the critical elements in how regulators assess you in terms of your response

10. Contact
Constantine Karbaliotis, J.D., CIPP/C/IT
constantine_karbaliotis@symantec.com
416.402.9873