We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byDavid Griffin
Modified over 2 years ago
Data Protection What Are We Doing? Alan Calder IT Governance Ltd NITES 24 February 2009 TM
© IT Governance Ltd 2006 Welcome Alan Calder – my background and perspective –Businessman, not a lawyer –First ISO accredited certification in 1999 –IT Governance: a Managers Guide to Data Security and ISO 27001/ISO 27002, 4 th Edition (Open University Text Book) One-stop-shop for IT governance, risk management, compliance and information security: –Data Breaches: Trends, Costs and Best Practices provides lnformation on data breaches together with worldwide legal overview and best-practice guidance for staying on the right side of the law
TM © IT Governance Ltd 2006 Agenda International Compliance Environment Overview of the DPA and current requirements Best Practice compliance actions Enforcement Data Breaches – the current environment A closer look at the UK ICO Whats going wrong Some proposals for improvement Questions and answers.
TM © IT Governance Ltd International Compliance Environment Global information economy Internet-based threats – international exposure Outsourcing, e-commerce EU Data Protection Directive National Data Protection Acts UK Data Protection Act 1998 – US Regulation EU Safe Harbor Regulations (SEC) HIPAA, GLBA, SOX SB 1386, OPPA, state-level breach laws – Canada PIPEDA – OECD – Japan, Australia, South Africa and emerging economies Public companies: SOX Contractual requirements –PCI DSS
TM © IT Governance Ltd Data Protection – Europe & UK EU Data Protection Directive 1995 Data Protection Act 1998 Deals with personal information – related to living individuals (data subjects) –Eight Data Protection Principles 1.Fairly and lawfully processed; 2.Fairly and lawfully obtained; 3.Adequate, relevant and not excessive; 4.Accurate and up-to-date; 5.Not kept longer than necessary; 6.Processed only in accordance with the data subjects rights; 7.Kept safe and secure (appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data) 8.Not transferred to a country outside the EU unless there is at least a similar level of data protection available there. –7 th Principle compliance is critical for all EU organizations –8 th Principle affects any businesses with operations outside the EU US Safe Harbor regulations designed to assist, but very few US corporations meet the requirements Intersection with –Freedom of Information Act –Human Rights Act –Regulation of Investigatory Powers Act
TM Compliance Action & Best Practice Comply with the 8 principles of the DPA 1. Bring current practices into line with DPA a)Audit of current practices & analysis of gap between DPA and current practices a)The basics – is your registration up to date? b)Identify where information is stored, and how it is classified c)Ensure you can respond to an SAR d)Assess all mobile devices and extent of encryption e)Assess all technical & procedural aspects of data security management b)Remedial action 2. Maintain DPA compliance regime a)Internal audit plan b)Staff training and awareness c)Incident reporting and resolution 3. Develop an ISO27001 ISMS – demonstrates best practice in DPA compliance as well as achieving other business and information objectives 4. Prepare for BS10012 Specification for the Management of Personal Information in compliance with the DPA 6 © IT Governance Ltd 2005
TM Prepare for the worst Develop & test a data breach response plan a)Escalation and reporting procedures b)Breach response team c)Consider potential remedial measures d)Prepare PR and communications plan e)Review and learning points 7 © IT Governance Ltd 2005
TM All Time Top 10 Data Breaches 1. TJX – 94 million records – outside attack 2. US Dept of Veterans Affairs – 26.5 million records – outside attack 3. HMRC – 25 million records – internal incompetence 4. T-Mobile/Deutsche Telekom – 17 million records – lost disk 5. Archive Systems/Bank of New York – 12.5 million – lost backup tapes 6. GS Caltex – 11 million - lost CD 7. Dai Nippon Printing – 8.6 million – insider theft 8. Certegy Check Services/Fidelity Information Services – 8.5 million – insider theft 9. TD Ameritrade – 6.3 million – outside attack 10. Chilean Ministry of Education – 6 million – outside attack Source: 8 © IT Governance Ltd 2005
TM Data Breaches – the UK Breaches since the HMRC incident in Nov 07 (ICO Press release 23 April 08): –Almost 100 data breaches notified 66% Public sector 30% private sector 4% voluntary sector –1/3 rd in central govt and related agencies –1/5 th in NHS organisations –Private sector: 50% in financial institutions Missing information includes: –Unencrypted laptops, computer discs, memory sticks –Paper records –Stolen, lost in the mail and while in transit with a courier –Includes financial and health details ICO Investigations –16 organisations required to make procedural changes to improve security 9 © IT Governance Ltd 2005
TM Data Breaches - Ireland Bank of Ireland –Lost unencrypted memory stick with the personal details of nearly 1,000 customers (Nov 2008) Bank of Ireland –Four unencrypted laptops stolen with the personal records of 10,000 customers (April 2008) HSE –Two unencrypted laptops gone missing (Sept 2008) Dept of Social & Family Affairs –Laptop with details of 390,000 citizens lost or stolen at the bus stop 10 © IT Governance Ltd 2005
TM Number of Incidents - Trend 11
TM Types of Data Breach 12
TM The Poynter Report Two major institutional deficiencies at HMRC: –Information security simpy wasnt a management priority –HMRC has an organisational design...which did not clearly focus on management accountability 45 separate high-level recommendations –Stronger policy and procedures –Stronger authorisation requirements –Better internal communication –Education, training & awareness –new systems –hundreds of detailed recommendations y.gov.uk/d/poynter_review pdf © IT Governance Ltd 2008 – this slide is published strictly without liability of any sort and does not provide specific legal guidance or advice and any user must therefore seek legal advice on the DPA and any associated issues from their own professional advisers 13
TM Whats going on? DPA Compliance cannot be demonstrated, so there is no way of improving the brand by claiming compliance DPA non-compliance brings: –No penalties –Cost savings CEOs and Top Management simply dont care No clear accountability for data security Inadequate investment in data security management –Minimal procedures for fair processing –Minimal training for data controllers –Minimal awareness and education for all users –Inadequate security Unencrypted laptops Unencrypted removable media Inadequate perimeter security –Minimal supervision and audit of third parties, third party agreements –PCI non-compliance 14 © IT Governance Ltd 2005
TM Costs of Identify Theft/Fraud Cybercrime – international $150 billion + industry US Identity theft up 22% in 2008 (Javelin Strategy & Research 2009 Report) –9.9 million cases –Total Cost US$48 billion Success – CIFAS 2008 (www.cifas.org.uk)www.cifas.org.uk –214,000 Fraud cases identified –£848 million losses avoided 15 © IT Governance Ltd 2005
TM ICO Legal Powers The Information Commissioner's Office has the following powers for enforcing DPA: –conduct assessments to check organisations are complying with the Act; –serve information notices requiring organisations to provide the Information Commissioner's Office with specified information within a certain time period; –serve enforcement notices and 'stop now' orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law; –prosecute those who commit criminal offences under the Act; –conduct audits to assess whether organisations processing of personal data follows good practice. © IT Governance Ltd
TM DPA – Criminal Offences Persistent breaches of the Act –A data controller who persistently breaches the Act and has been served with an enforcement notice can be prosecuted for failing to comply with a notice. This offence carries a maximum penalty of a £5,000 fine in the magistrates' court and an unlimited fine in the Crown Court. –Steps: Breach reported, enforcement notice served, only then can failure to comply lead to prosecution and maximum £5k fine Notification offences –A data controller who fails to notify the Information Commissioner's Office of the processing being undertaken or of any changes to that processing can be prosecuted. Failure to notify is a strict liability offence. This means that if a data controller has to notify, they must notify. Being unaware of the law is not an excuse. Unlawful obtaining or disclosing of personal information –It is a criminal offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information, without the consent of the data controller. 17 © IT Governance Ltd 2005
TM ICO Data Protection Activity ICO Data Protection Case Load 2008: 25,000 cases The business areas generating the most complaints are: –Lenders 33% –Public sector 18% Policing and criminal records 5% Central government 5% Local government 4% Health 4% –Other 7% –General business 7% –Telecoms 5% –Direct marketing 4% –Internet 3% Source: ICO Annual Report © IT Governance Ltd 2009
TM Reporting of breaches No legal obligation for data controllers to report breaches the Information Commissioner believes serious breaches should be brought to the attention of his Office Serious breaches are not defined Criteria for assessing seriousness: –Potential harm to data subjects –Volume of personal data lost/released/corrupted –Sensitivity of the data lost/released/unlawfully corrupted 19 © IT Governance Ltd 2009
TM DPA Enforcement – ICO Response ICO published guidance 27 March 2008 What will the Information Commissioners Office do when a breach is reported? The nature and seriousness of the breach and the adequacy of any remedial action will be assessed and a course of action determined. The ICO may: –Record the breach and take no further action, or –Investigate the circumstances of the breach and any remedial action. –This could lead to: 1. no further action, or 2.a requirement on the data controller to undertake a course of action to prevent further breaches, and/or 3.formal enforcement action turning such a requirement into a legal obligation The Information Commissioner does not have the power to impose a fine or other penalty as punishment for a breach. The regulators powers only extend to imposing obligations as to future conduct. 20 © IT Governance Ltd 2009
TM ICO Approach to Enforcement ICO published guidance 27 March 2008 We do not see it as our responsibility to publicise security breaches not already in the public domain or to inform any individuals affected. In so far as they arise these are the responsibilities of the data controller. However, the ICO may recommend the data controller to make a breach public where it is clearly in the interests of the individuals concerned or there is a strong public interest argument to do so. Where the Information Commissioner takes regulatory action, it is policy to publicise such action, unless there are exceptional reasons not to do so. This policy on publication extends to any formal undertakings provided to the Commissioner by a data controller. However the Commissioner will not normally take regulatory action unless a data controller declines to take any recommended action, he has other reasons to doubt future compliance or there is a need to provide reassurance to the public. Such a need is most likely to arise where the circumstances of the breach are already in the public domain. 21 © IT Governance Ltd 2009
TM ICO Achievements Enforcement notices for data protection breaches –Carphone Warehouse –Greater Manchester Police –Humberside Police –Lothian and Borders Police –Marks & Spencer –Northumbria Police –Staffordshire Police –Talk Talk Telecom –West Midlands Police. 9 Formal Undertakings not to breach the DPA –Dipesh Ltd – Littlewoods Shop Direct Home Shopping – Orange Personal Communications Services Limited – Phones 4 U – Skipton Financial Services – Sunfield – The Department of Health – The Foreign and Commonwealth Office – The Northern Ireland Office. 22 © IT Governance Ltd 2005
TM 23 ICO – New Enforcement Powers Criminal Justice and Immigration Act – royal assent in April 08 – two relevant clauses: 1. Increases penalties for data theft and trading in stolen information to a prison sentence –Requires a Ministerial order and resolutions from both Houses to come into force –ICO will have first have to prove that the trade in stolen information is widespread and pervasive. 2. Gives ICO powers to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the DPA. –Substantial: Nationwide £980k, Norwich Union £1.26m from FSA –Ministry of Justice now determining level of fines –Not retrospective –No custodial sentence (but Opposition parties narrowly averted from bringing this in!) © IT Governance Ltd 2005
TM Comparative budgets & resources HSEICO Front Line Staff1,325 Total Staff3, Total Annual Budget£214 million17 million (DPA & FOI) Date of report1 April © IT Governance Ltd 2005
TM What needs to happen? 1. ICO needs a real budget, with real resources - £200 million + 2. ICO needs powers to inspect and fine 3. BS10012 compliance should be explicitly recognised as DPA compliance 4. Loss of personal data on an unencrypted laptop or removable media should be prima facie evidence of reckless disregard of the DPA 5. Data Breach Legislation 1.With central notification 2.With cost indemnity and full support for victims 6. Custodial sentences for reckless breaches – for CEOs and senior civil servants 7. Custodial sentences for data theft and trading in stolen data. 25 © IT Governance Ltd 2009
TM 26 THANK YOU! Questions and Answers
1 DATA PROTECTION FREEDOM OF INFORMATION AND CONTRACTS training for GOLDSMITHS COLLEGE by Sue Cullen Amberhawk Training Limited July 2010
Data Protection Update 15 May 2014 Mairead O’Reilly Joanna Stokes.
Freedom of Information Act 2000 Sarah Hanson Partner CMS Cameron McKenna LLP Tel: +44 (0) 20.
Funded by: Accredit UK Conference, 24 th June 2008 The Heritage Motor Centre.
Copyright, 2001, ePrivacy Group HIPAA Summit IV Preconference III Basic Privacy and HIPAA.
Slide 1 Wednesday, 3 July 2013 Sir George Monoux College Data Protection: Confident in Compliance.
ARHM – Winter Seminar 28 November Health and Safety Update and Dos and Don’ts Esme Saynor and Rebecca Roffe – 28 November 2013.
FOIA at UEA - Implementation FOIA Contact Training 14 February 2005.
Boston Springfield Albany Enter Presentation Title Here Presenter Name © 2009 Wolf & Company, P.C. Presentation date Location 1 Boston Springfield Albany.
UNIVERSITY OF ALABAMA V HIPAA Privacy and Security Training For Employees Compliance is Everyones Job 1 INTERNAL USE ONLY For UA Health Care Components,
Communication for the open minded Study on user identification methods in card payments, e-payments and mobile payments Summary of recommendations (WP5)
1 Gramm-Leach-Bliley Act (GLBA) Implementation of the Safeguards Rule Information Security Program University of Minnesota (Adapted from the Federal Trade.
Introduction Principle 3: Disclosure Principle 3: Disclosure Principle 2: Plea agreements Principle 2: Plea agreements Very High Cost Cases: A guide to.
Legal Framework Chapter 5. Learning outcomes Explain difference between patent and copyright Computer Miss use Act List 8 principles of Data protection.
©2011 OntarioMD Inc. Confidential, not to be reproduced without permission. Privacy & Security for Electronic Medical Records Delivered to: [Insert Name.
Breach vs. Incident – a Guided Discussion Sharon Blanton, PhD Craig Schiller, CISSP-ISSMP, ISSAP Chief Information Officer Chief Information Security Officer.
Freedom of Information Briefing Todays topics..... Introduction Benefits of FOI Countries with FOI Legislation Legislative context The RGU approach.
Information Law/ Data Protection Briefing 2007 Keith G Fraser University Records Manager.
1 IAPP Privacy Certification Workplace Privacy Certified Information Privacy Professional (CIPP) James Koenig Practice Co-leader, Privacy Strategy and.
PLANNING THE AUDIT Individual audits must be properly planned to ensure: Appropriate and sufficient evidence is obtained to support the auditors opinion;
1 DWP: Our Reform Story For more information contact: Follow us: twitter.com/dwppressoffice facebook.com/DWP linkedin.com/company/dwp.
1 Toronto Head Office: 350 Bay Street Suite 1000 Toronto, Ontario M5H 2S6 Mississauga Office: 2 Robert Speck Pkwy. Suite 750 Mississauga, Ontario L4Z 1H8.
Copyright © 2011 Pearson Education, Inc. publishing as Prentice Hall 14-1 MANAGING INFORMATION TECHNOLOGY 7 th EDITION CHAPTER 14 INFORMATION SECURITY.
2014 Early Childhood Privacy and Confidentiality Workshop 2014 Early Childhood Privacy and Confidentiality Workshop April 16th, Baron Rodriguez,
The Legal Framework for Creating Trust in Cyberspace: Security and Privacy Skopje March 2006 James X. Dempsey Center for Democracy & Technology Global.
1 Adapted for the LSSA - Prof Daniel N Erasmus Tax Administration Act 2011.
Karnika Seth, Managing Partner SETH ASSOCIATES ADVOCATES AND LEGAL CONSULTANTS © Seth Associates, 2007 All Rights Reserved LEGAL PROCESS OUTSOURCING IN.
Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program IAPP Canadian Privacy Summit May 2008.
Slide 1 Friday, 15 March 2013 Confident in Data Protection Compliance Ayrshire College.
PwC Rogue Trading How to successfully manage this risk Informational presentation for our clients February 2008 Strictly private and confidential *connectedthinking.
© 2016 SlidePlayer.com Inc. All rights reserved.