Data Privacy for Information Security Professionals Part 1

Data Privacy for Information Security Professionals Part 1

• 1.
  DataPrivacyfor InformationSecurityProfessionals (Part1) Dione McBride, CISSP,CIPP/E Data Protection, Privacy, and Security Lead PS Innovations Linkedin.com/in/DMcBinDallas October, 2017
• 2.
  2 2000's Growing needto prevent terrorism but concerns with Surveillance1990's Growth of the Internet & Databases 1980's Growth of Federal Privacy Regulations 1970's Growth of Government Surveillance 2020 OCT 2017 1970 1976 1982 1988 1994 2000 2006 2012 2018 Fair Credit Reporting Act - 1970 Bank Secrecy Act - 1970 US Health & Human Services - Code of Fair Information Principles - 1971 Sweden's National Privacy Law - 1973 Privacy Act of 1974 Foreign Intelligence Surveillance Act - 1978 Right to Financial Privacy Act - 1978 OECD (US, EU, Japan) - 1981 Cable Communications Policy Act - 1984 Electronic Communications Privacy Act - 1986 Computer Matching and Privacy Protection Act - 1988 Employee Polygraph Protection Act - 1988 Video Privacy Protection Act - 1988 Do Not Call Registry - 1991 Driver's Privacy Protection Act - 1994 HIPAA - 1996 COPPA - 1998 GLBA - 1999 US - EU Safe Harbor - 2000 USA PATRIOT Act - 2001 Homeland Security Act - 2002 California SB 1386 - 2003 FACTA - 2003 Asia Pacific (APEC) Privacy Framework - 2004 PCI Standard - 2004 Edward Snowden NSA Revelations - 2013 Canada Anti-Spam (CASL) - 2014 Equifax Data Breach - 2017 7/29/2017 Family Educational Rights & Privacy Act - 1974 Privacy Protection Act - 1980 Convention of Europe (COE) - 1981 EU Directive - 1995 CAN-SPAM Act - 2003 Real ID Act - 2005 US - EU Safe Harbor Invalidated - 2015 General Data Protection Regulation (GDPR) 05/25/2018 Privacy/dataprotectionregulationsandevents 2
• 3.
  3 GDPRisanupdate When May 25,2018 Why Twenty five year evolution • Directive 95/46/EC – 1995 • GDPR Proposal - 2012 • Two CJEU cases in 2015 o Weltimmo – one-stop shop on regulations o Shrems – collapse of EU-US Safe Harbor program • Adopted April, 2016 (173 reasons/recitals) Scope Regardless of physical company or processing location 1. Processing EU citizen data 2. Offer goods/services 3. Monitor behavior in EU Primary changes 1. Extra-territorial applicability 2. Penalties 3. Consent 4. Data Subject rights (including damages) 5. Unexpected design and security impacts for most 2 year advance notice
• 4.
  4 GDPRScope Expanded definition ofPersonal Data (PD) “…an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…” • Enforcement • Applies equally to data controllers and processors • No minimum number of subjects • Not limited to digital data 4
• 5.
  5 Specificpenalties • The higherof €10m or 2% annual global revenue onTOMs and breach notification)1 • The higher of €20m or 4% annual global revenue for violations of2 • Basic principles • Data subject rights • Transfers third countries or internal organization • Member state laws 1 Articles 8, 11, 25 – 39 , 42 – 43 2 Articles 5 – 7, 9, 12 – 22, 44-49,
• 6.
  6 Impact#1-Protections • AppropriateTOM • Stateof the art • Cost • Nature, scope, context and purpose • Risk and severity for data subject rights • Requires data controller and data processor • Pseudonymization and encryption of personal data • Ensure ongoingCIA and system resilience • Timely restoration of availability and access after incidents • Regularly test effectiveness ofTOMs • Ensures those authorized to access do not process except on instructions from the controller • Encourages certifications recognized by DPAs
• 7.
  7 Impact#2-DataSubjectrights Rights Operational Impact TransparencyData collected, purpose, protections in place, retention, recipients Information Where collected from data subject Where obtained by third parties if combined Access Design new user interfaces (online) Extracting all data (offline) Rectification New user interfaces (online) Written procedures completed with 30 days (offline) Restrict processing Flag data /hold future processing (other than storage) Erasure (Right to be Forgotten) No overriding legitimate interests, unlawfully processed, legal purpose Reasonable steps to remove links to publically available data and inform data recipients to delete Portability Where applicable, extract of all data Object Object to processing, and for direct marketing – default isOpt-out Restrict automated decisions Restrict profiling & automated decisions In particular special categories of data require suitable safeguards
• 8.
  8 Impact#2–supportingDataSubjectrights • Identification/verification foraccess • Response w/in 30 days (explain if/when it will be > 30 days) • Address 1:1 vs. 1:many • Free (unless excessive or unfounded) • Additional technical/customer staff access • Cross compliance challenges (PCI, HIPAA) • Higher insider risk
• 9.
  9 Impact#3–Processingrecords • Processing records(registers) • Name/contact of controllers/co-controllers • Purpose of processing • Categories of data subjects • Data elements (flag sensitive data) • Recipients • If applicable  Transfers to third country or international organization (named)  Documented safeguards • Retention for different categories or data • TOMs • Available upon DPA request • Likely required for breach notification
• 10.
  10 Impact#4-breachnotification • Authorizes classaction lawsuits against large data controllers and processors • Controllers & processor records must show processing conforms to the GDPR • Required notification to DPA • Nature of breach • Numbers/categories of data subjects & records • DPO contact • Likely consequence for data subjects • Plans to address issue &/or mitigation • Proof of limited data risk for data subjects • Data processors must inform the controllers ASAP 72 Hours
• 11.
  11 Impact#4–EUvsU.Sbreachlaws GDPR U.S. statelaws (examples) “ A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” TX “ unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data” Notification to a DPA within 72 hrs. Notification to state government • Only 29 states requireAG or agency notice • Only 10 states have prescribed notification period ranging from 5 to 90 days and most are to citizens Controller may have to prove absence of risk to DPA to avoid citizen notice Most states specify conditions that eliminate citizen notice All citizens have private right of action • Actions can be taken against the controller or processors (whichever may be in country) Only 16 states allow citizens a private right of action • Actions are limited to the company collecting/owning the data
• 12.
  12 Impact#5–Newsystemsorapplications • Security andprivacy options enabled by default • Data lifecycle use cases/ stories for all SaaS products • New functionality • Data subject identification, access, and request processes (technical/operational support) • Data retention and erasure throughout  Databases and data warehouses  Logs  Backups and archives • Data portability options (where applicable) • Tokenization and encryption at rest Genuine design prowess required!
• 13.
  13 Summary GDPR > Dataprotection > compliance • Evidence based accountability • Data subject rights b4 business wants • Data breach notification by default • Protection & Privacy by Design – PPbD • Don’t retain data • Encryption &/or pseudonymization expected