SlideShare ist ein Scribd-Unternehmen logo

Siskinds | Incident Response Plan

Als PPTX, PDF herunterladen
Next Dimension Inc.
Next Dimension Inc.

The document discusses PIPEDA, Canada's private sector privacy law, and the importance of having an Incident Response Plan (IRP) to respond to data breaches. It provides an overview of PIPEDA's 10 fair information principles and requirements regarding data breaches. It emphasizes that an IRP outlines the steps to detect, respond to, and reduce the risk of future incidents. It also stresses engaging legal counsel to maintain privilege and avoid liability when developing, implementing, and responding to breaches according to the IRP.

Technologie
1 von 62
PIPEDA & The IRP WHAT YOU NEED TO KNOW | WHAT YOU NEED TO DO This presentation does not constitute legal advice, nor should it be construed as such. The opinions expressed herein are solely mine, and they do not necessarily represent the views of Siskinds LLP, its partners, associates or affiliates.
Bio Drew is an associate in Siskinds’ Technology, Privacy and Franchise Group. His practice focuses on providing legal services to businesses involved in the manufacture and distribution of goods and services via franchising, multi-level marketing, and technology transfer, development, distribution and licensing. He advises clients on matters relating to cybersecurity, data protection, privacy and anti- spam, including PIPEDA, Privacy Shield and GDPR compliance. Practice Areas Data protection | Cybersecurity | Privacy Drew Johnson, Technology and Cyber Security Group
What is PIPEDA? The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of their commercial activities.
What does PIPEDA apply to? PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity.
What does PIPEDA not apply to? Organizations that do not engage in commercial, for-profit activities.
Geographic Scope Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within: • Alberta • British Columbia • Quebec
What is personal information? Personal information is data about an “identifiable individual”. It is information that on its own or combined with other pieces of data, can identify you as an individual.
What Does Personal Information Include? • Age • Credit card numbers • Race, national or ethnic origin • DNA • Social Insurance number or driver’s license • Opinions, comments or view about you as an employee
What is generally not considered personal information? • Information that is not about an individual because the connection to a person is too weak or far removed. • Information about a business or organization. • A person’s business contact information.
10 Principles of PIPEDA The 10 fair information principles that businesses must follow: Accountability Identifying Purposes Consent Limiting Collection Limiting Use, Disclosure and Retention Accuracy Safeguards Openness Individual Access Provide Recourse
1. Accountability • Appointment of individual as Chief Privacy Officer. • Establishment of a “privacy team”. • Development of policies and procedures for the collection and protection of personal information.
2. Identifying Purposes • Purpose must be clearly identified. • Collection must be confined to what is necessary to complete the purpose. • Inform of purpose at the time personal information is collected.
3. Consent • Express v. Implied Consent. • Sensitivity of information. • Must be obtained from customers/clients to the collection and use of their personal information.
4. Limiting Collection • Need to consider carefully whether information that is being collected is reasonably necessary for the purposes.
5. Limiting Use, Disclosure and Retention • If purposes change, new consent is required. • If information will be disclosed to third parties, consent must be obtained. • Personal information should only be retained for so long as is reasonably necessary to satisfy the purposes for which it was collected.
6. Accuracy • Obligation to keep personal information up to date, complete and accurate. • Make corrections as necessary.
7. Safeguards • Develop and implement a security policy to protect personal information. • PIPEDA does not specify particular security safeguards that must be used. Rather, the onus is on organizations to ensure that personal information is adequately protected.
More on Safeguarding…. • Degree of security to be exercised will depend on a number of factors: • sensitivity • amount • extent of distribution • format • type of storage
8. Openness • Employees need to be aware of the policies and the procedures regarding privacy matters. • Customers/clients need to be informed of the existence of privacy policies and what the practices are. • Responsiveness to customers’ privacy related requests.
9. Individual Access • Individuals are entitled to review their personal information on request. • Corrections may be requested and should be made if appropriate. • Response within 30 days of request.
10. Challenge Compliance/Provide Recourse • Development of complaint procedures. • Should be straight forward and easily accessible. • Responsiveness to complaints. • Investigation. • Corrective measures. • Satisfaction of individual complainant.
Most Common Complaints • Improper collection, use and/or disclosure of personal information. • Difficulty obtaining access to personal information. • Refusal to correct personal information. • Inadequate safeguards.
Your Responsibility as a Business • Comply with all 10 of the Principles. • Protect personal information against loss or theft. • Protect personal information regardless of the format in which it is held. • Safeguard the information from unauthorized access, disclosure, copying, use or modification.
Breach of Security Safeguards.
A breach of security safeguards is defined in PIPEDA as: • the loss of, • unauthorized access to or • unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.
Duty to report to OPC - RROSH Reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm to an individual.
Timing of Report to the OPC As soon as feasible after determination that the breach has occurred.
Notification to Individual & Organizations In a RROSH breach of security safeguards involving an individual’s personal information, you must notify: • The individual affected. • Organizations that may be able to assist in mitigation.
Timing of Notifications As soon as feasible after determination that the breach has occurred.
Contents of Notification The notification must contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm
Form and Manner of Notice The notification must be conspicuous and shall be given directly to the individual in the prescribed form and manner.
Maintenance of Records You must keep and maintain a record of every breach of security safeguards involving personal information under your control.
Access by OPC You must, on request, provide the Commissioner with access to, or a copy of, a record.
Offences: • Fail to comply with breach notification requirements. • Fail to maintain a record of breaches of security safeguards. • Destroy personal information that an individual has requested. • Obstruct a complaint investigation or audit by the Commissioner or their delegate.
Significant Harm Significant harm includes: • bodily harm, • humiliation, • damage to reputation or relationships, • loss of employment, • business or professional opportunities, • financial loss, • identity theft, • negative effects on the credit record and • damage to or loss of property.
Relevant Factors - RROSH Factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm include: • the sensitivity of the personal information and • the probability the personal information has been/is/will be misused.
Sensitivity PIPEDA does not define sensitivity. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context.
Circumstances • Certain information may on its face be clearly sensitive. Other information may not be. • The circumstances of the breach may make the information more or less sensitive. The potential harms that could accrue to an individual are also an important factor.
Probability of Misuse Several questions you need to consider: • What happened and how likely is it that someone would be harmed by the breach? • Who actually accessed or could have accessed the personal information? • How long has the personal information been exposed? • Is there evidence of malicious intent (e.g., theft, hacking)? • Were a number of pieces of personal information breached? • Is the breached information in the hands of an individual/entity that represents a reputation risk to the individual(s) in and of itself? • Was the information exposed to limited/known entities who have committed to destroy and not disclose the data?
Incident Response Plans The Keystone of Data Breach Response
What is an Incident Response Plan? The IRP is the keystone internal policy necessary to help an organization detect and react to computer security incidents, determine their scope and risk, respond appropriately to the incident, communicate the results and risk to all stakeholders, and reduce the likelihood of the incident from reoccurring.
What does an Incident Response Plan do? An IRP address issues like cybercrime, data loss, and service outages that threaten your network and work to reduce the response times for addressing each of the goals listed above.
Why Does an Organization Need an IRP? An IRP is necessary policy for all organizations who hold confidential information (PD, organizational, or otherwise) to respond to a data incident in a timely manner, reducing reputational damage and potential liability.
Why Does an Organization Need an IRP? During the course of a data breach, small mistakes can lead to significant amplification of liability and reputational damage. • The number of publicly disclosed data breaches rose by almost 50% in 2017 over 2016.* • 61 percent of breach victims in 2017 were businesses with under 1,000 employees.* • By responding quickly to and containing a data breach, companies average a savings of over $1 million.* Source: 1. Identity Theft Resource Centre 2017 Annual Data Breach Year-End Review 2. 2017 Verizon Data Breach Investigations Report 3. 2018 Cost of a Data Breach Study by Ponemon
What is Included in an IRP? The plan should, in exhaustive detail, outline the steps for responding to an incident and should be stored in electronic and paper format.
What is Included in an IRP? An IRP will often include: • A list of the members of the Incident Response Team (IRT); • 24 hour contact information; • Roles and responsibilities for the members of the IRT; • A list of critical network and data recovery processes; • A list of the tools, technologies, and resources that are available to assist the response; and, • A business continuity plan.
What is an Incident Response Team? Your Incident Response Team (IRT) is the designated group of internal and external individuals assigned to navigate the IRP when a data incident is declared.
Who is on an Incident Response Team? C-Suite Executives/Chief Privacy Officer • declare an incident, thereby triggering the activation of the IRP. IT Professionals/Computer Security Incident Response Team • identify the source of the incident, contain the incident, and document the response. External Legal Counsel • provide solicitor-client privilege over the response, coordinate law enforcement, and advise on any disclosures to the public or to regulators. External Consultants • provide media relations, forensic audits, etc.
When Do We Call Our Lawyer? By engaging external counsel prior to creating an IRP and immediately upon identifying a data incident, a company can utilize solicitor client, work-product, or litigation privilege as necessary to minimize these disclosures.
When Do We Call Our Lawyer? Pre-Incident Any communication or document relating to a data security incident has the potential of becoming part of the evidentiary record in future litigation, increasing the chance of the organization being found liable.
When Do We Call Our Lawyer? Pre-Incident A company cannot argue that communications/documents are protected by privilege by involving its counsel at a later date. Audit and investigative reports should be addressed to and delivered to counsel. In developing the IRP, legal counsel should engage third party service providers to maintain privilege.
When Do We Call Our Lawyer? Pre-Incident An organization’s cyber risk management activities may result in the production of sensitive communications and documents, such as: • threat risk assessments, • legal compliance assessments, and • data security incident investigation reports.
When Do We Call Our Lawyer? During the Incident The immediate aftermath of a data security incident is hectic and some of the most damaging communications or documents can be created due to the lack of information and time to reflect on the incident. A strictly-enforced communication guideline is an important part of any incident response plan.
When Do We Call Our Lawyer? During the Incident An organization’s ability to keep cybersecurity efforts privileged is stronger where the organization has taken each of these steps: • Follow counsel’s directions for action; • Set clear rules regarding communication; and • Hire and manage outside vendors through counsel.
When Do We Call Our Lawyer? Post-Incident Following a data security incident, there are various disclosure and reporting obligations imposed on organizations. Important role of legal counsel is to provide an organization with advice on disclosure obligations and in drafting appropriate communications.
When Do We Call Our Lawyer? Post-Incident Failure to give timely notice of a data security incident may result in serious adverse consequences, including statutory sanctions, liability for breach of contract or breach of a duty to warn and loss of insurance coverage.
How Often Should IRP Training Occur? An IRP is useless unless all of the members the IRT understand it and are able to implement it.
How Often Should IRP Training Occur? Ongoing cyber-security training for the IRT and annual or semi-annual tabletop exercises for issue identification and rectification by the IRT are critical to the effective implementation of the IRP and reducing liability.
How Often Should IRP Training Occur? Beyond the IRT, all members of your staff are your front line against a data security incident and should understand the importance of the IRP and full cooperation with the IRT in identifying and rectifying a data incident.
Can the IRP Stand on Its Own? Privacy-by-design is not a buzzword. An IRP needs to be bolstered by additional policies and procedures that assist the organization in preventing the access, loss and corruption of confidential information, including: • Mobile Device Policy; • Acceptable Use and Social Media Policy; • Password Policy; • Physical Security Policy; • Security Infrastructure Policy; • Data Protection Policy; and, • Disaster Recovery/Business Continuity Plan
Contact Us Peter Dillon, Head of Technology and Cyber Security Group Email: peter.dillon@siskinds.com Phone: 519-660-7818 Drew Johnson Technology and Cyber Security Group Email: andrew.Johnson@siskinds.com Phone: 519-660-7848

Empfohlen

Next Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity StrategyNext Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity Strategy
Next Dimension Inc.
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
Ernest Staats
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
- Mark - Fullbright
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
centralohioissa
 
CYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMSCYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMS
Scott Suhy
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
Meg Weber
 
Looking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsLooking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data Incidents
Resilient Systems
 
Cas cyber prez
Cas cyber prezCas cyber prez
Cas cyber prez
Dan Michaluk
 

Empfohlen

Next Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity StrategyNext Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity Strategy
Next Dimension Inc.
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
Ernest Staats
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
- Mark - Fullbright
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
centralohioissa
 
CYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMSCYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMS
Scott Suhy
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
Meg Weber
 
Looking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsLooking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data Incidents
Resilient Systems
 
Cas cyber prez
Cas cyber prezCas cyber prez
Cas cyber prez
Dan Michaluk
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015
Lawley Insurance
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
Shawn Tuma
 
How to safe your company from having a security breach
How to safe your company from having a security breachHow to safe your company from having a security breach
How to safe your company from having a security breach
Baltimax
 
New York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity RegulationsNew York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity Regulations
Shawn Tuma
 
Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016
Dan Michaluk
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk Governance
Dan Michaluk
 
2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?
Raffa Learning Community
 
Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Cyber legal update oct 7 2015
Cyber legal update oct 7 2015
Dan Michaluk
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
TechSoup Canada
 
How your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacyHow your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacy
TechSoup Canada
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?
Kurt Hagerman
 
Cyber Liability Insurance And Protecting SMEs
Cyber Liability Insurance And Protecting SMEsCyber Liability Insurance And Protecting SMEs
Cyber Liability Insurance And Protecting SMEs
E Radar
 
How an Integrated Management system helps you comply with new Cyber Laws and ...
How an Integrated Management system helps you comply with new Cyber Laws and ...How an Integrated Management system helps you comply with new Cyber Laws and ...
How an Integrated Management system helps you comply with new Cyber Laws and ...
PECB
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
PECB
 
Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...
Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...
Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...
centralohioissa
 
Customer Spotlight: Deploying a Data Protection Program in less than 120 Days
Customer Spotlight: Deploying a Data Protection Program in less than 120 DaysCustomer Spotlight: Deploying a Data Protection Program in less than 120 Days
Customer Spotlight: Deploying a Data Protection Program in less than 120 Days
Digital Guardian
 
One hour cyber july 2013
One hour cyber july 2013One hour cyber july 2013
One hour cyber july 2013
Dan Michaluk
 
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Dan Michaluk
 
Enterprise Data Privacy Quiz
Enterprise Data Privacy QuizEnterprise Data Privacy Quiz
Enterprise Data Privacy Quiz
Druva
 
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsPrivacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Nicholas Van Exan
 
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension Inc.
 
How to Build and Implement your Company's Information Security Program
How to Build and Implement your Company's Information Security ProgramHow to Build and Implement your Company's Information Security Program
How to Build and Implement your Company's Information Security Program
Financial Poise
 

Weitere ähnliche Inhalte

Was ist angesagt?

New York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity RegulationsNew York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity Regulations
Shawn Tuma
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
TechSoup Canada
 
How your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacyHow your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacy
TechSoup Canada
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
PECB
 

Was ist angesagt? (20)

Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
 
How to safe your company from having a security breach
How to safe your company from having a security breachHow to safe your company from having a security breach
How to safe your company from having a security breach
 
New York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity RegulationsNew York Department of Financial Services Cybersecurity Regulations
New York Department of Financial Services Cybersecurity Regulations
 
Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016Canadian Association of University Solicitors - Privacy Update 2016
Canadian Association of University Solicitors - Privacy Update 2016
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk Governance
 
2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?2015 09-22 Is it time for a Security and Compliance Assessment?
2015 09-22 Is it time for a Security and Compliance Assessment?
 
Cyber legal update oct 7 2015
Cyber legal update oct 7 2015Cyber legal update oct 7 2015
Cyber legal update oct 7 2015
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
 
How your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacyHow your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacy
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?
 
Cyber Liability Insurance And Protecting SMEs
Cyber Liability Insurance And Protecting SMEsCyber Liability Insurance And Protecting SMEs
Cyber Liability Insurance And Protecting SMEs
 
How an Integrated Management system helps you comply with new Cyber Laws and ...
How an Integrated Management system helps you comply with new Cyber Laws and ...How an Integrated Management system helps you comply with new Cyber Laws and ...
How an Integrated Management system helps you comply with new Cyber Laws and ...
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
 
Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...
Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...
Heather Enlow & Chris Ingram - Cybersecurity Act of 2015 and Other Hot Privac...
 
Customer Spotlight: Deploying a Data Protection Program in less than 120 Days
Customer Spotlight: Deploying a Data Protection Program in less than 120 DaysCustomer Spotlight: Deploying a Data Protection Program in less than 120 Days
Customer Spotlight: Deploying a Data Protection Program in less than 120 Days
 
One hour cyber july 2013
One hour cyber july 2013One hour cyber july 2013
One hour cyber july 2013
 
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
Cyber security for the regulator and regulated - Ontario Regulatory Authorit...
 
Enterprise Data Privacy Quiz
Enterprise Data Privacy QuizEnterprise Data Privacy Quiz
Enterprise Data Privacy Quiz
 
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security ProsPrivacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
 

Ähnlich wie Siskinds | Incident Response Plan

How to Build and Implement your Company's Information Security Program
How to Build and Implement your Company's Information Security ProgramHow to Build and Implement your Company's Information Security Program
How to Build and Implement your Company's Information Security Program
Financial Poise
 
DAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) DataDAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) Data
DATAVERSITY
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1
Asad Zaman
 
Deconstructing Data Breach Cost
Deconstructing Data Breach CostDeconstructing Data Breach Cost
Deconstructing Data Breach Cost
Resilient Systems
 
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Frank Dawson
 
Clasify information in education field
Clasify information in education fieldClasify information in education field
Clasify information in education field
Nebojsa Stefanovic
 
A Case For Information Protection Programs
A Case For Information Protection ProgramsA Case For Information Protection Programs
A Case For Information Protection Programs
Michael Annis
 

Ähnlich wie Siskinds | Incident Response Plan (20)

Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
 
How to Build and Implement your Company's Information Security Program
How to Build and Implement your Company's Information Security ProgramHow to Build and Implement your Company's Information Security Program
How to Build and Implement your Company's Information Security Program
 
DAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) DataDAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) Data
 
005. Ethics, Privacy and Security
005. Ethics, Privacy and Security005. Ethics, Privacy and Security
005. Ethics, Privacy and Security
 
Ethics in Data Management.pptx
Ethics in Data Management.pptxEthics in Data Management.pptx
Ethics in Data Management.pptx
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data Breach
 
Protecting Client Data 11.09.11
Protecting Client Data 11.09.11Protecting Client Data 11.09.11
Protecting Client Data 11.09.11
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1
 
Internet security and privacy issues
Internet security and privacy issuesInternet security and privacy issues
Internet security and privacy issues
 
Deconstructing Data Breach Cost
Deconstructing Data Breach CostDeconstructing Data Breach Cost
Deconstructing Data Breach Cost
 
Co3 rsc r5
Co3 rsc r5Co3 rsc r5
Co3 rsc r5
 
Data Breach Response is a Team Sport
Data Breach Response is a Team SportData Breach Response is a Team Sport
Data Breach Response is a Team Sport
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach risk
 
Training innovations information governance slideshare 2015
Training innovations information governance slideshare 2015Training innovations information governance slideshare 2015
Training innovations information governance slideshare 2015
 
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
 
Clasify information in education field
Clasify information in education fieldClasify information in education field
Clasify information in education field
 
BEA Presentation
BEA PresentationBEA Presentation
BEA Presentation
 
[MU630] 005. Ethics, Privacy and Security
[MU630] 005. Ethics, Privacy and Security[MU630] 005. Ethics, Privacy and Security
[MU630] 005. Ethics, Privacy and Security
 
Personal Information Protection and Electronic Documents Act (PIPEDA) and Imp...
Personal Information Protection and Electronic Documents Act (PIPEDA) and Imp...Personal Information Protection and Electronic Documents Act (PIPEDA) and Imp...
Personal Information Protection and Electronic Documents Act (PIPEDA) and Imp...
 
A Case For Information Protection Programs
A Case For Information Protection ProgramsA Case For Information Protection Programs
A Case For Information Protection Programs
 

Mehr von Next Dimension Inc.

Mehr von Next Dimension Inc. (8)

Veeam: Cybersecurity protection solutions through Backup and Availability
Veeam: Cybersecurity protection solutions through Backup and AvailabilityVeeam: Cybersecurity protection solutions through Backup and Availability
Veeam: Cybersecurity protection solutions through Backup and Availability
 
Cybersecurity and the Law: Fasken Law Firm
Cybersecurity and the Law: Fasken Law FirmCybersecurity and the Law: Fasken Law Firm
Cybersecurity and the Law: Fasken Law Firm
 
Cybersecurity: Protection strategies from Cisco and Next Dimension
Cybersecurity: Protection strategies from Cisco and Next DimensionCybersecurity: Protection strategies from Cisco and Next Dimension
Cybersecurity: Protection strategies from Cisco and Next Dimension
 
Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?Cybersecurity: What does Cyber Insurance Cover?
Cybersecurity: What does Cyber Insurance Cover?
 
Next Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA ComplianceNext Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA Compliance
 
Next Dimension and Cisco | Solutions for PIPEDA Compliance
Next Dimension and Cisco | Solutions for PIPEDA ComplianceNext Dimension and Cisco | Solutions for PIPEDA Compliance
Next Dimension and Cisco | Solutions for PIPEDA Compliance
 
Next Dimension IIoT Presentation
Next Dimension IIoT PresentationNext Dimension IIoT Presentation
Next Dimension IIoT Presentation
 
Next Dimension + Cisco Smart Manufacturing
Next Dimension + Cisco Smart ManufacturingNext Dimension + Cisco Smart Manufacturing
Next Dimension + Cisco Smart Manufacturing
 

Kürzlich hochgeladen

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 

Kürzlich hochgeladen (20)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 

Siskinds | Incident Response Plan

  • 1. PIPEDA & The IRP WHAT YOU NEED TO KNOW | WHAT YOU NEED TO DO This presentation does not constitute legal advice, nor should it be construed as such. The opinions expressed herein are solely mine, and they do not necessarily represent the views of Siskinds LLP, its partners, associates or affiliates.
  • 2. Bio Drew is an associate in Siskinds’ Technology, Privacy and Franchise Group. His practice focuses on providing legal services to businesses involved in the manufacture and distribution of goods and services via franchising, multi-level marketing, and technology transfer, development, distribution and licensing. He advises clients on matters relating to cybersecurity, data protection, privacy and anti- spam, including PIPEDA, Privacy Shield and GDPR compliance. Practice Areas Data protection | Cybersecurity | Privacy Drew Johnson, Technology and Cyber Security Group
  • 3.
  • 4. What is PIPEDA? The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of their commercial activities.
  • 5. What does PIPEDA apply to? PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity.
  • 6. What does PIPEDA not apply to? Organizations that do not engage in commercial, for-profit activities.
  • 7. Geographic Scope Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within: • Alberta • British Columbia • Quebec
  • 8. What is personal information? Personal information is data about an “identifiable individual”. It is information that on its own or combined with other pieces of data, can identify you as an individual.
  • 9. What Does Personal Information Include? • Age • Credit card numbers • Race, national or ethnic origin • DNA • Social Insurance number or driver’s license • Opinions, comments or view about you as an employee
  • 10. What is generally not considered personal information? • Information that is not about an individual because the connection to a person is too weak or far removed. • Information about a business or organization. • A person’s business contact information.
  • 11. 10 Principles of PIPEDA The 10 fair information principles that businesses must follow: Accountability Identifying Purposes Consent Limiting Collection Limiting Use, Disclosure and Retention Accuracy Safeguards Openness Individual Access Provide Recourse
  • 12. 1. Accountability • Appointment of individual as Chief Privacy Officer. • Establishment of a “privacy team”. • Development of policies and procedures for the collection and protection of personal information.
  • 13. 2. Identifying Purposes • Purpose must be clearly identified. • Collection must be confined to what is necessary to complete the purpose. • Inform of purpose at the time personal information is collected.
  • 14. 3. Consent • Express v. Implied Consent. • Sensitivity of information. • Must be obtained from customers/clients to the collection and use of their personal information.
  • 15. 4. Limiting Collection • Need to consider carefully whether information that is being collected is reasonably necessary for the purposes.
  • 16. 5. Limiting Use, Disclosure and Retention • If purposes change, new consent is required. • If information will be disclosed to third parties, consent must be obtained. • Personal information should only be retained for so long as is reasonably necessary to satisfy the purposes for which it was collected.
  • 17. 6. Accuracy • Obligation to keep personal information up to date, complete and accurate. • Make corrections as necessary.
  • 18. 7. Safeguards • Develop and implement a security policy to protect personal information. • PIPEDA does not specify particular security safeguards that must be used. Rather, the onus is on organizations to ensure that personal information is adequately protected.
  • 19. More on Safeguarding…. • Degree of security to be exercised will depend on a number of factors: • sensitivity • amount • extent of distribution • format • type of storage
  • 20. 8. Openness • Employees need to be aware of the policies and the procedures regarding privacy matters. • Customers/clients need to be informed of the existence of privacy policies and what the practices are. • Responsiveness to customers’ privacy related requests.
  • 21. 9. Individual Access • Individuals are entitled to review their personal information on request. • Corrections may be requested and should be made if appropriate. • Response within 30 days of request.
  • 22. 10. Challenge Compliance/Provide Recourse • Development of complaint procedures. • Should be straight forward and easily accessible. • Responsiveness to complaints. • Investigation. • Corrective measures. • Satisfaction of individual complainant.
  • 23. Most Common Complaints • Improper collection, use and/or disclosure of personal information. • Difficulty obtaining access to personal information. • Refusal to correct personal information. • Inadequate safeguards.
  • 24. Your Responsibility as a Business • Comply with all 10 of the Principles. • Protect personal information against loss or theft. • Protect personal information regardless of the format in which it is held. • Safeguard the information from unauthorized access, disclosure, copying, use or modification.
  • 26. A breach of security safeguards is defined in PIPEDA as: • the loss of, • unauthorized access to or • unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.
  • 27. Duty to report to OPC - RROSH Reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm to an individual.
  • 28. Timing of Report to the OPC As soon as feasible after determination that the breach has occurred.
  • 29. Notification to Individual & Organizations In a RROSH breach of security safeguards involving an individual’s personal information, you must notify: • The individual affected. • Organizations that may be able to assist in mitigation.
  • 30. Timing of Notifications As soon as feasible after determination that the breach has occurred.
  • 31. Contents of Notification The notification must contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm
  • 32. Form and Manner of Notice The notification must be conspicuous and shall be given directly to the individual in the prescribed form and manner.
  • 33. Maintenance of Records You must keep and maintain a record of every breach of security safeguards involving personal information under your control.
  • 34. Access by OPC You must, on request, provide the Commissioner with access to, or a copy of, a record.
  • 35. Offences: • Fail to comply with breach notification requirements. • Fail to maintain a record of breaches of security safeguards. • Destroy personal information that an individual has requested. • Obstruct a complaint investigation or audit by the Commissioner or their delegate.
  • 36. Significant Harm Significant harm includes: • bodily harm, • humiliation, • damage to reputation or relationships, • loss of employment, • business or professional opportunities, • financial loss, • identity theft, • negative effects on the credit record and • damage to or loss of property.
  • 37. Relevant Factors - RROSH Factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm include: • the sensitivity of the personal information and • the probability the personal information has been/is/will be misused.
  • 38. Sensitivity PIPEDA does not define sensitivity. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context.
  • 39. Circumstances • Certain information may on its face be clearly sensitive. Other information may not be. • The circumstances of the breach may make the information more or less sensitive. The potential harms that could accrue to an individual are also an important factor.
  • 40. Probability of Misuse Several questions you need to consider: • What happened and how likely is it that someone would be harmed by the breach? • Who actually accessed or could have accessed the personal information? • How long has the personal information been exposed? • Is there evidence of malicious intent (e.g., theft, hacking)? • Were a number of pieces of personal information breached? • Is the breached information in the hands of an individual/entity that represents a reputation risk to the individual(s) in and of itself? • Was the information exposed to limited/known entities who have committed to destroy and not disclose the data?
  • 41. Incident Response Plans The Keystone of Data Breach Response
  • 42. What is an Incident Response Plan? The IRP is the keystone internal policy necessary to help an organization detect and react to computer security incidents, determine their scope and risk, respond appropriately to the incident, communicate the results and risk to all stakeholders, and reduce the likelihood of the incident from reoccurring.
  • 43. What does an Incident Response Plan do? An IRP address issues like cybercrime, data loss, and service outages that threaten your network and work to reduce the response times for addressing each of the goals listed above.
  • 44. Why Does an Organization Need an IRP? An IRP is necessary policy for all organizations who hold confidential information (PD, organizational, or otherwise) to respond to a data incident in a timely manner, reducing reputational damage and potential liability.
  • 45. Why Does an Organization Need an IRP? During the course of a data breach, small mistakes can lead to significant amplification of liability and reputational damage. • The number of publicly disclosed data breaches rose by almost 50% in 2017 over 2016.* • 61 percent of breach victims in 2017 were businesses with under 1,000 employees.* • By responding quickly to and containing a data breach, companies average a savings of over $1 million.* Source: 1. Identity Theft Resource Centre 2017 Annual Data Breach Year-End Review 2. 2017 Verizon Data Breach Investigations Report 3. 2018 Cost of a Data Breach Study by Ponemon
  • 46. What is Included in an IRP? The plan should, in exhaustive detail, outline the steps for responding to an incident and should be stored in electronic and paper format.
  • 47. What is Included in an IRP? An IRP will often include: • A list of the members of the Incident Response Team (IRT); • 24 hour contact information; • Roles and responsibilities for the members of the IRT; • A list of critical network and data recovery processes; • A list of the tools, technologies, and resources that are available to assist the response; and, • A business continuity plan.
  • 48. What is an Incident Response Team? Your Incident Response Team (IRT) is the designated group of internal and external individuals assigned to navigate the IRP when a data incident is declared.
  • 49. Who is on an Incident Response Team? C-Suite Executives/Chief Privacy Officer • declare an incident, thereby triggering the activation of the IRP. IT Professionals/Computer Security Incident Response Team • identify the source of the incident, contain the incident, and document the response. External Legal Counsel • provide solicitor-client privilege over the response, coordinate law enforcement, and advise on any disclosures to the public or to regulators. External Consultants • provide media relations, forensic audits, etc.
  • 50. When Do We Call Our Lawyer? By engaging external counsel prior to creating an IRP and immediately upon identifying a data incident, a company can utilize solicitor client, work-product, or litigation privilege as necessary to minimize these disclosures.
  • 51. When Do We Call Our Lawyer? Pre-Incident Any communication or document relating to a data security incident has the potential of becoming part of the evidentiary record in future litigation, increasing the chance of the organization being found liable.
  • 52. When Do We Call Our Lawyer? Pre-Incident A company cannot argue that communications/documents are protected by privilege by involving its counsel at a later date. Audit and investigative reports should be addressed to and delivered to counsel. In developing the IRP, legal counsel should engage third party service providers to maintain privilege.
  • 53. When Do We Call Our Lawyer? Pre-Incident An organization’s cyber risk management activities may result in the production of sensitive communications and documents, such as: • threat risk assessments, • legal compliance assessments, and • data security incident investigation reports.
  • 54. When Do We Call Our Lawyer? During the Incident The immediate aftermath of a data security incident is hectic and some of the most damaging communications or documents can be created due to the lack of information and time to reflect on the incident. A strictly-enforced communication guideline is an important part of any incident response plan.
  • 55. When Do We Call Our Lawyer? During the Incident An organization’s ability to keep cybersecurity efforts privileged is stronger where the organization has taken each of these steps: • Follow counsel’s directions for action; • Set clear rules regarding communication; and • Hire and manage outside vendors through counsel.
  • 56. When Do We Call Our Lawyer? Post-Incident Following a data security incident, there are various disclosure and reporting obligations imposed on organizations. Important role of legal counsel is to provide an organization with advice on disclosure obligations and in drafting appropriate communications.
  • 57. When Do We Call Our Lawyer? Post-Incident Failure to give timely notice of a data security incident may result in serious adverse consequences, including statutory sanctions, liability for breach of contract or breach of a duty to warn and loss of insurance coverage.
  • 58. How Often Should IRP Training Occur? An IRP is useless unless all of the members the IRT understand it and are able to implement it.
  • 59. How Often Should IRP Training Occur? Ongoing cyber-security training for the IRT and annual or semi-annual tabletop exercises for issue identification and rectification by the IRT are critical to the effective implementation of the IRP and reducing liability.
  • 60. How Often Should IRP Training Occur? Beyond the IRT, all members of your staff are your front line against a data security incident and should understand the importance of the IRP and full cooperation with the IRT in identifying and rectifying a data incident.
  • 61. Can the IRP Stand on Its Own? Privacy-by-design is not a buzzword. An IRP needs to be bolstered by additional policies and procedures that assist the organization in preventing the access, loss and corruption of confidential information, including: • Mobile Device Policy; • Acceptable Use and Social Media Policy; • Password Policy; • Physical Security Policy; • Security Infrastructure Policy; • Data Protection Policy; and, • Disaster Recovery/Business Continuity Plan
  • 62. Contact Us Peter Dillon, Head of Technology and Cyber Security Group Email: peter.dillon@siskinds.com Phone: 519-660-7818 Drew Johnson Technology and Cyber Security Group Email: andrew.Johnson@siskinds.com Phone: 519-660-7848