data breach in the eu session title the new landscape
play

Data Breach in the EU Session Title The New Landscape Name Tilly - PowerPoint PPT Presentation

Aug 25, 2022 •161 likes •417 views

October 15, 2019 Date Data Breach in the EU Session Title The New Landscape Name Tilly Lang Organization HewardMills Name Chris Hydak Organization Microsoft 1 Name Kall Loper Organization Protiviti Speaker Tilly Lang Data

  1. October 15, 2019 Date Data Breach in the EU Session Title The New Landscape Name Tilly Lang Organization HewardMills Name Chris Hydak Organization Microsoft 1 Name Kall Loper Organization Protiviti

  2. Speaker Tilly Lang Data Protection Director and Corporate Governance Counsel Qualified solicitor in England, Wales and Ireland, focused on corporate governance excellence, working on diverse projects including legal entity simplification, regulatory implementation and corporate restructures.

  3. Speaker Chris Hydak Attorney, Global Privacy and Data Protection Privacy attorney with ten years experience. Advises product attorneys in Cloud and AI and Marketing and Consumer Business groups on global privacy and data protection issues.

  4. Speaker Dr. Kall Loper National Lead for Incident Response Over 20 years of experience in Digital Forensics and Incident Response, including Big 4 Lead Responder on Sony Pictures Hack and MDL Lead for digital evidence in four states on Deep Water Horizon. Professor of Computer Science at SMU. Published author.

  5. Overview Defining “Breach” The Data Protection Officer’s (DPO) role Notifications Case Study: a global e-retailer Conclusion

  6. Date Session Title Name Organization Defining “Breach” Name Organization Name Organization

  7. Defining “Breach” Informational item: any observed occurrence Informational Item Event: any observed occurrence that meets an established threshold for an alert Event Incident: any event meeting alert criteria justifying investigation and response Incident Compromise: an incident or event that results in the loss of secure control over confidential data or IT resources Compromise Breach: a legally defined loss of secure control over confidential data or IT resources Breach

  8. Date Session Title Name Organization The DPO’s role Name Organization Name Organization

  9. The DPO’s role - The concept of a Data Protection Officer (DPO) for organizations processing personal data is well-established. It is already a mandatory requirement in some jurisdictions and considered best practice in others - With the introduction of the General Data Protection Regulation (GDPR) in May 2018, the appointment of a DPO is mandatory under EU law for many organizations, regardless of their size or whether they are processing personal data as a controller or a processor.

  10. The DPO’s role A DPO is responsible for monitoring compliance with the data protection requirements. One of their core tasks is to inform and advise employees who carry out the actual processing of personal data about their obligations. The DPO also cooperates with the relevant Supervisory Authorities (Regulators), serving as an interface between them and relevant individuals. Companies are required to appoint a DPO under the GDPR when: - they regularly or systematically monitor individuals or process special categories of data; - this processing is a core business activity; and - they do it on a large scale 10

  11. The DPO’s role The GDPR – one year on: - Out of 281,088 cases reported to Supervisory Authorities, 89,271 were data breach notifications - There is an intention to issue fines totalling approximately €372,120,990 eg, – BA – Marriott Source: htttps://www.itgovernance.co.uk/dpa-and-gdpr-penalties

  12. The DPO’s role The DPO must be involved in a timely manner in order to: – Arrange the initial investigation of the breach – Form part of the ‘war room’ – Execute immediate preventative steps – Report the breach to the supervisory authorities and the data subjects where necessary – Identify and deliver remediation plan – Carry out on-going measures eg testing and monitoring is essential

  13. Date Session Title Name Organization Notifications Name Organization Name Organization

  14. Notifications Supervisory Authorities (Regulators) and Data Subjects – Timing – Harm threshold – Content – Cross-border processing and non-EU establishments – Processors (third-parties) – Others

  15. Notifications Our experience - Accountability and recordkeeping - Volume of notifications - Supervisory Authorities’ resources and capacity - Course of dealing - Enforcement - Co-ordinating foreign notifications - US/EU experience

  16. Case Study

  17. Case Study War Room Client - Full response for an extended period, - Four vendors worked with the client months to respond to an Australian incident - Normal IT uplift operations disrupted - Large vendor - Supportive Executive Team - Protiviti - Boutique vendor Acquiring Banks - Small vendor - Accused client of stalling - Provided small numbers of PANs - DPO involvement (Primary Account Numbers) - AmLaw top 50 Law Firm - Disjointed globally

  18. Case Study PCI Fraud Detected Australia New Zealand United Kingdom Ireland Austria Belgium Germany Denmark Finland France Netherlands Norway Poland Sweden Turkey

  19. Case Study Source: RiskIQ Beware of threat intelligence providers. They didn’t disclose all details to their clients.

  20. Case Study 1. User requests web page from Retailer’s Retailer’s servers servers 2. Retailer’s webservers send content and SaaS Provider tag code back to the user 3. User’s 6. The browser renders 4. SaaS Provider malicious Retailer’s Web tag code instructs script is site and the browser to go 7. When executed, the malicious script executed executes SaaS download a script sends data it finds in form fields on the by the provider’s tag from checkout page to user’s code SaaS Provider’s SaaS Provider’s WEBFOTCE.ME domain WEBFOTCE.ME domain browser server server 5. A maliciously modified 8. An unknown attacker has collected script is sent back to the user data intended for Retailer’s Website

  21. Case Study Outcome Impact - Informed risk-based decision to - Global security teams overloaded for notify users as a precaution 6 months, impact continues to this day - No penalties assessed, no current - Normal IT uplift disrupted indication - Brand/reputation impact

  22. Conclusion

  23. Conclusion Aggravating factors Mitigating factors - Having a mature Privacy Program in - Breaches concerning sensitive data place - Ignoring warnings signs - Establishing a robust corporate - Delaying to fix known security governance structure problems - Ongoing testing and monitoring - Failure to cooperate with - Ability to self-report investigations by supervisory - Cooperation with Supervisory Authorities/ transparency authorities - Implementing fixes/enhanced - Failure to document security security measures quickly incidents

  24. Questions and contacts Tilly Lang Chris Hydak Dr. Kall Loper Data Protection Director and Attorney, Global Privacy and National Lead for Incident Corporate Governance Counsel Data Protection Response +44 7887 536057 +1 (425) 707 5568 +1 (469) 374 2425 tilly@hewardmills.com chris.hydak@microsoft.com kall.loper@Protiviti.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Michael McCartney President, Avalon Cyber The Cyber Problem Data Breach Landscape

Michael McCartney President, Avalon Cyber The Cyber Problem Data Breach Landscape

Prentice Wealth Management Michael McCartney President, Avalon Cyber The Cyber Problem Data Breach Landscape Verizon VBIR 2015 Report Cyber Breach Trending Outsider v Insider Threat Personal Identity Protection

819 views • 12 slides
CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an

CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an

CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an event in which an individuals name plus personal information such as an address, phone number and/or financial record such as a social security

307 views • 16 slides
Class Actions on Data Breach Class Actions on Data Breach and Privacy on the Rise Litigating Class

Class Actions on Data Breach Class Actions on Data Breach and Privacy on the Rise Litigating Class

Presenting a live 90 minute webinar with interactive Q&A Class Actions on Data Breach Class Actions on Data Breach and Privacy on the Rise Litigating Class Claims, Alleging and Challenging Damages, and Evaluating Insurance Coverage WEDNES

735 views • 55 slides
W ITH THE DATA BREACH AT information for cyber criminals. As consultants to determine whether

W ITH THE DATA BREACH AT information for cyber criminals. As consultants to determine whether

LAW Best Practices for Protecting Electronic Business Data Companies are under attack from cyber-criminals, hackers and spies. Is your data at risk? C OMPILED BY M ILES Z. E PSTEIN E DITOR , COMMERCE W ITH THE DATA BREACH AT information for

290 views • 3 slides
In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user

In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user

In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user data passwords stored in readable format 1B 600M 0.5M Data Breaches Cost of a Data Breach Study www.ibm.com/security/data-breach

677 views • 35 slides
Beazley Breach Response Select p g Making the connection on data breach complexities P

Beazley Breach Response Select p g Making the connection on data breach complexities P

1 Making the connection on data breach complexities Beazley Breach Response Select p g Making the connection on data breach complexities P Presented by d b Jeffrey Norton underwriter Jeffrey Norton, underwriter, Beazley US Private

533 views • 25 slides
A little bit Dave anatomy of the Blood Service data breach Mr Laurie Joyce Australian Red

A little bit Dave anatomy of the Blood Service data breach Mr Laurie Joyce Australian Red

A little bit Dave anatomy of the Blood Service data breach Mr Laurie Joyce Australian Red Cross Blood Service @HISA_HIC #HIC18 Blood Service Data Breach Laurie Joyce IT Security and Compliance Manager Headlines Introduction In

217 views • 18 slides
ETHICAL DISCLOSURE OF DATA BREACHES COREY TODALEN WHAT IS A DATA BREACH? The

ETHICAL DISCLOSURE OF DATA BREACHES COREY TODALEN WHAT IS A DATA BREACH? The

ETHICAL DISCLOSURE OF DATA BREACHES COREY TODALEN WHAT IS A DATA BREACH? The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the

707 views • 13 slides
Proposed EU Data Protection Regulation: Impact on Handling of Data Breach, DPOs and Staff

Proposed EU Data Protection Regulation: Impact on Handling of Data Breach, DPOs and Staff

Proposed EU Data Protection Regulation: Impact on Handling of Data Breach, DPOs and Staff Surveillance by non-EEA Financial Services Firms Cross Border Group 28 February 2013 39 Offices in 19 Countries Agenda 1) Proposed EU Data Protection

664 views • 25 slides
MANDATORY BREACH REPORTING: REVIEW OF THE REQUIREMENTS UNDER PHIPA OVERVIEW OF BREACH

MANDATORY BREACH REPORTING: REVIEW OF THE REQUIREMENTS UNDER PHIPA OVERVIEW OF BREACH

MANDATORY BREACH REPORTING: REVIEW OF THE REQUIREMENTS UNDER PHIPA OVERVIEW OF BREACH NOTIFICATION AND IPC STATISTICS Fida Hindi, Legal Counsel Office of the Information and Privacy Commissioner of Ontario This presentation is

352 views • 23 slides
PRIVACY BREACH GUIDELINES Purpose The Privacy Breach Guidelines may provide to contain, assess

PRIVACY BREACH GUIDELINES Purpose The Privacy Breach Guidelines may provide to contain, assess

Office of the Saskatchewan Information and Privacy Commissioner PRIVACY BREACH GUIDELINES Purpose The Privacy Breach Guidelines may provide to contain, assess and analyze a privacy some guidance to government institutions, breach. The

291 views • 10 slides
Security & Surveillance Data Breach Notification and Cybersecurity Standards in the U.S. and

Security & Surveillance Data Breach Notification and Cybersecurity Standards in the U.S. and

Security & Surveillance Data Breach Notification and Cybersecurity Standards in the U.S. and E.U. Jonathan P . Armstrong, Eversheds LLP , Leeds and Bruce A. Heiman, Preston Gates Ellis & Rouvelas Meeds LLP , Washington D.C.

181 views • 7 slides
Trends in Data Security and Privacy Li7ga7on and Insurance 2015 Verizon Data Breach Report

Trends in Data Security and Privacy Li7ga7on and Insurance 2015 Verizon Data Breach Report

4/16/16 Trends in Data Security and Privacy Li7ga7on and Insurance 2015 Verizon Data Breach Report 79,790 security incidents 2,122 confirmed data breaches Top industries affected: Public, Informa7on, and Financial Services (same as

181 views • 14 slides
Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part 2 April 17,

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part 2 April 17,

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part 2 April 17, 2014 For nearly a decade, weve had major data breaches at companies both large and small. Millions of consumers have suffered the

645 views • 46 slides
Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation April 17, 2014

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation April 17, 2014

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation April 17, 2014 For nearly a decade, weve had major data breaches at companies both large and small. Millions of consumers have suffered the

891 views • 42 slides
Auditd for the Masses Philipp Krenn @xeraa Learn about a breach From the press or

Auditd for the Masses Philipp Krenn @xeraa Learn about a breach From the press or

Auditd for the Masses Philipp Krenn @xeraa Learn about a breach From the press or users Learn about a breach Attackers asking for a ransom Learn about a breach Cloud provider's bill Learn about a breach Yourself after the

942 views • 51 slides
Java Programming Unit 15 HTTP Sessions and cookies Java

Java Programming Unit 15 HTTP Sessions and cookies Java

Java Programming Unit 15 HTTP Sessions and cookies Java Server Pages (c) Yakov Fain 2014 Synchronous and Asynchronous Servlets Java Servlets run

1.41k views • 32 slides
A pattern language for microservices Chris Richardson Founder of the original CloudFoundry.com

A pattern language for microservices Chris Richardson Founder of the original CloudFoundry.com

A pattern language for microservices Chris Richardson Founder of the original CloudFoundry.com Author of POJOs in Action @crichardson chris@chrisrichardson.net http://plainoldobjects.com http://microservices.io http://eventuate.io

1.32k views • 68 slides
Building Faster Websites WebRTC crash course on web performance Ilya Grigorik - @igrigorik Make

Building Faster Websites WebRTC crash course on web performance Ilya Grigorik - @igrigorik Make

Building Faster Websites WebRTC crash course on web performance Ilya Grigorik - @igrigorik Make The Web Fast Google Web performance in one slide... Critical rendering path HTML DOM Render Network JavaScript Layout Paint Tree CSS

1.54k views • 140 slides
ZAP JENKINS PLUGIN Goran Sarenkapa ZAP Jenkins Plugin Project Lead WHAT IS ZAP? An easy to

ZAP JENKINS PLUGIN Goran Sarenkapa ZAP Jenkins Plugin Project Lead WHAT IS ZAP? An easy to

ZAP JENKINS PLUGIN Goran Sarenkapa ZAP Jenkins Plugin Project Lead WHAT IS ZAP? An easy to use webapp pentest tool Completely free and open source An OWASP flagship project Ideal for beginners But also used by professionals

386 views • 21 slides
Session 8 Deployment Descriptor Http 1 Reading and Reference Reading

Session 8 Deployment Descriptor Http 1 Reading and Reference Reading

Session 8 Http Session 8 Deployment Descriptor Http 1 Reading and Reference Reading en.wikipedia.org/wiki/HTTP Reference http headers en.wikipedia.org/wiki/List_of_HTTP_headers http status codes

263 views • 11 slides
CHABADA: Checking App Behavior Against App Descriptions Alessandra Gorla Saarland University,

CHABADA: Checking App Behavior Against App Descriptions Alessandra Gorla Saarland University,

CHABADA: Checking App Behavior Against App Descriptions Alessandra Gorla Saarland University, Germany joint work with Konstantin Kuznetsov, Ilaria Tavecchia, Florian Gross and Andreas Zeller London Restaurants Looking for a restaurant, a bar,

1.05k views • 87 slides
Architecting Java solutions for CICS Architecting Java solutions for CICS Course introduction

Architecting Java solutions for CICS Architecting Java solutions for CICS Course introduction

Architecting Java solutions for CICS Architecting Java solutions for CICS Course introduction Course introduction Reasons for hosting Java in CICS Requirements: Knowledge of transaction processing Experience of Java development What youll

757 views • 56 slides
In Introducing Cyber Effects in C2 Simulation Dr. B. Boltjes 1 , Dr. M. Pullen 2 , Dr. K. L.

In Introducing Cyber Effects in C2 Simulation Dr. B. Boltjes 1 , Dr. M. Pullen 2 , Dr. K. L.

In Introducing Cyber Effects in C2 Simulation Dr. B. Boltjes 1 , Dr. M. Pullen 2 , Dr. K. L. Morse 3 1 TNO Defence Research, The Netherlands 2 George Mason University, C4I Centre. 3 Johns Hopkins University / Applied Physics Laboratory APPROVED

559 views • 30 slides

More recommend