Data Breach in the EU: The New Landscape (PowerPoint presentation, October 15, 2019)


SLIDE 1

October 15, 2019

Data Breach in the EU

The New Landscape

Tilly Lang, HewardMills; Chris Hydak, Microsoft; Kall Loper, Protiviti

SLIDE 2

Speaker

Tilly Lang

Data Protection Director and Corporate Governance Counsel Qualified solicitor in England, Wales and Ireland, focused on corporate governance excellence, working on diverse projects including legal entity simplification, regulatory implementation and corporate restructures.

SLIDE 3

Speaker

Chris Hydak

Attorney, Global Privacy and Data Protection. Privacy attorney with ten years’ experience. Advises product attorneys in the Cloud and AI and Marketing and Consumer Business groups on global privacy and data protection issues.

SLIDE 4

Speaker

Dr. Kall Loper

National Lead for Incident Response. Over 20 years of experience in Digital Forensics and Incident Response, including Big 4 Lead Responder on the Sony Pictures hack and MDL Lead for digital evidence in four states on Deep Water Horizon. Professor of Computer Science at SMU. Published author.

SLIDE 5

Overview

  • Defining “Breach”
  • The Data Protection Officer’s (DPO) role
  • Notifications
  • Case Study: a global e-retailer
  • Conclusion

SLIDE 6

Defining “Breach”

SLIDE 7

Defining “Breach”

  • Informational item: any observed occurrence
  • Event: any observed occurrence that meets an established threshold for an alert
  • Incident: any event meeting alert criteria justifying investigation and response
  • Compromise: an incident or event that results in the loss of secure control over confidential data or IT resources
  • Breach: a legally defined loss of secure control over confidential data or IT resources

(Diagram: Informational Item → Event → Incident → Compromise → Breach)

SLIDE 8

The DPO’s role

SLIDE 9

The concept of a Data Protection Officer (DPO) for organizations processing personal data is well-established. It is already a mandatory requirement in some jurisdictions and considered best practice in others.

With the introduction of the General Data Protection Regulation (GDPR) in May 2018, the appointment of a DPO is mandatory under EU law for many organizations, regardless of their size or whether they are processing personal data as a controller or a processor.

The DPO’s role

SLIDE 10

A DPO is responsible for monitoring compliance with the data protection requirements. One of their core tasks is to inform and advise employees who carry out the actual processing of personal data about their obligations. The DPO also cooperates with the relevant Supervisory Authorities (Regulators), serving as an interface between them and relevant individuals. Companies are required to appoint a DPO under the GDPR when:

  • they regularly or systematically monitor individuals or process special categories of data;
  • this processing is a core business activity; and
  • they do it on a large scale

The DPO’s role

SLIDE 11

The GDPR – one year on:

  • Out of 281,088 cases reported to Supervisory Authorities, 89,271 were data breach notifications
  • There is an intention to issue fines totalling approximately €372,120,990, e.g.
    – BA
    – Marriott

Source: https://www.itgovernance.co.uk/dpa-and-gdpr-penalties

The DPO’s role

SLIDE 12

The DPO must be involved in a timely manner in order to:
  – Arrange the initial investigation of the breach
  – Form part of the ‘war room’
  – Execute immediate preventative steps
  – Report the breach to the supervisory authorities and the data subjects where necessary
  – Identify and deliver a remediation plan
  – Carry out ongoing measures (e.g. testing and monitoring), which are essential

The DPO’s role

SLIDE 13

Notifications

SLIDE 14

Supervisory Authorities (Regulators) and Data Subjects
  – Timing
  – Harm threshold
  – Content
  – Cross-border processing and non-EU establishments
  – Processors (third-parties)
  – Others

Notifications

SLIDE 15

Our experience

  • Accountability and recordkeeping
  • Volume of notifications
  • Supervisory Authorities’ resources and capacity
  • Course of dealing
  • Enforcement
  • Co-ordinating foreign notifications
  • US/EU experience

Notifications

SLIDE 16

Case Study

SLIDE 17

War Room
  • Four vendors worked with the client to respond to an Australian incident
  • Large vendor
  • Protiviti
  • Boutique vendor
  • Small vendor
  • DPO involvement
  • AmLaw top 50 Law Firm

Client
  • Full response for an extended period, months
  • Normal IT uplift operations disrupted
  • Supportive Executive Team

Acquiring Banks
  • Accused client of stalling
  • Provided small numbers of PANs (Primary Account Numbers)
  • Disjointed globally

Case Study
SLIDE 18

(Map of affected countries: United Kingdom, Ireland, Australia, New Zealand, Austria, Belgium, Germany, Denmark, Finland, France, Netherlands, Norway, Poland, Sweden, Turkey; callout: PCI Fraud Detected)

Case Study

SLIDE 19

Case Study

Source: RiskIQ

Beware of threat intelligence providers. They didn’t disclose all details to their clients.

SLIDE 20

1. User requests web page from Retailer’s servers
2. Retailer’s webservers send content and SaaS Provider tag code back to the user
3. User’s browser renders Retailer’s Web site and executes SaaS provider’s tag code
4. SaaS Provider tag code instructs the browser to go download a script from SaaS Provider’s server
5. A maliciously modified script is sent back to the user
6. The malicious script is executed by the user’s browser
7. When executed, the malicious script sends data it finds in form fields on the checkout page to WEBFOTCE.ME domain
8. An unknown attacker has collected data intended for Retailer’s Website

(Diagram actors: Retailer’s servers, SaaS Provider’s server, WEBFOTCE.ME domain)

Case Study
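The tag-code compromise in steps 4 to 7 is the pattern a checkout page's Content Security Policy (CSP) is meant to contain: the browser loads scripts only from allowlisted origins and may send data only to the retailer, and it reports every blocked attempt. The following is an added example, not from the presentation or any of the speakers' organizations; it assumes the placeholder origins shop.retailer.example and tags.saas-provider.example, while webfotce.me is the exfiltration domain named on the slide. It shows such a policy, a simplified check of what it permits, and a triage function over the violation reports a browser would send when the step-7 script tries to reach an unlisted host.

```javascript
// Added example, not from the presentation. Hostnames below are constructed
// placeholders except webfotce.me, the exfiltration domain named on the slide.
const CHECKOUT_CSP = [
  "default-src 'self'",
  "script-src 'self' https://tags.saas-provider.example", // the SaaS tag provider
  "connect-src 'self'",     // fetch/XHR/beacon may only reach the retailer
  "form-action 'self'",     // the checkout form may only post to the retailer
  "report-uri /csp-report", // browsers POST a JSON violation report here
].join("; ");

// Parse a CSP header into directive -> Set of allowed source expressions.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name] = new Set(sources);
  }
  return policy;
}

// Simplified CSP check: is `url` permitted under `directive` for a page at `pageOrigin`?
// Missing directives fall back to default-src here (real browsers do not for form-action).
function isAllowed(policy, directive, pageOrigin, url) {
  const sources = policy[directive] || policy["default-src"] || new Set();
  const origin = new URL(url).origin;
  if (sources.has("'self'") && origin === pageOrigin) return true;
  return sources.has(origin);
}

// Triage violation reports (one JSON document per line, as POSTed to report-uri):
// count the hosts page scripts tried to reach but the policy blocked; skip "inline"/"eval".
function triageReports(jsonLines) {
  const hits = {};
  for (const line of jsonLines) {
    const r = JSON.parse(line)["csp-report"];
    if (!r || !/^https?:/.test(r["blocked-uri"])) continue;
    const key = `${r["violated-directive"]} -> ${new URL(r["blocked-uri"]).host}`;
    hits[key] = (hits[key] || 0) + 1;
  }
  return hits;
}

// Constructed reports: two step-7 exfiltration attempts and one blocked inline script.
const SAMPLE_REPORTS = [
  '{"csp-report":{"document-uri":"https://shop.retailer.example/checkout","violated-directive":"connect-src","blocked-uri":"https://webfotce.me/collect"}}',
  '{"csp-report":{"document-uri":"https://shop.retailer.example/checkout","violated-directive":"connect-src","blocked-uri":"https://webfotce.me/collect"}}',
  '{"csp-report":{"document-uri":"https://shop.retailer.example/checkout","violated-directive":"script-src","blocked-uri":"inline"}}',
];
```

Running the policy in `Content-Security-Policy-Report-Only` mode first gives the same reports without blocking, which is how a security team can spot a tampered third-party script before enforcing.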

SLIDE 21

Outcome
  • Informed risk-based decision to notify users as a precaution
  • No penalties assessed, no current indication of any

Impact
  • Global security teams overloaded for 6 months; impact continues to this day
  • Normal IT uplift disrupted
  • Brand/reputation impact

Case Study

SLIDE 22

Conclusion

SLIDE 23

Aggravating factors
  • Breaches concerning sensitive data
  • Ignoring warning signs
  • Delaying fixing known security problems
  • Failure to cooperate with investigations by supervisory authorities
  • Failure to document security incidents

Mitigating factors
  • Having a mature Privacy Program in place
  • Establishing a robust corporate governance structure
  • Ongoing testing and monitoring
  • Ability to self-report
  • Cooperation with Supervisory Authorities / transparency
  • Implementing fixes/enhanced security measures quickly

Conclusion

SLIDE 24

Questions and contacts

Tilly Lang

Data Protection Director and Corporate Governance Counsel +44 7887 536057 tilly@hewardmills.com

Chris Hydak

Attorney, Global Privacy and Data Protection +1 (425) 707 5568 chris.hydak@microsoft.com

Dr. Kall Loper

National Lead for Incident Response +1 (469) 374 2425 kall.loper@Protiviti.com