Presentation is loading. Please wait.

Presentation is loading. Please wait.

Subpoenas Regulations and Law Internal Policy.

Similar presentations

Presentation on theme: "Subpoenas Regulations and Law Internal Policy."— Presentation transcript:






6 Subpoenas Regulations and Law Internal Policy

7 Who It Applies ToIn a NutshellMore detailWhat, and where software can help 168 companies with average revenues of $4.7 billion, the average compliance costs were $1.7 million (0.036% of revenue).[[ States have ruled that even zip codes fall into this category: California in 2011, Massachusetts in 2013 The Supreme Court ruled that non-profits operated for the benefit of their members' commercial activities are subject to FTC regulation and consequently also COPPA Publicly Traded Companies “Don’t play games with your financial reporting” CXOs are responsible Your favorite consultant and best friend can’t be your auditor Analysts shouldn’t talk to investment bankers Sarbanes Oxley 302, 404: Disclose and assess Internal Controls 401:Disclose Off-balance sheet items Many Countries, including USA, Australia, Canada, EU “Don’t disclose enough info to be able to identify a person” If you can figure out who it is with the information disclosed even if it’s vague, it was TMI PII NSIT (Dept of Commerce): Any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." Privacy Act of 1974, California OPP Act of 2003 Websites and online services “Be careful what you do, website, with stuff typed in by children under 13” Post a privacy policy for children Protect the information and get rid of it when it no longer applies Do you best to provide parent’s notice and a change to review Children’s Online Privacy Protection Act Not CIPA: K-12 schools and libraries need to protect against harmful online content Organizations who handle personal health information “Don’t share someone’s health info” The company I work for“Don’t give away valuable intellectual property” Don’t share this new product code word with anyone All docs for the new awesome device we’re building can only be stored here Employer Confidentiality Agreements Data Loss Prevention rules before the fact Ediscovery + Auditing after the fact Patients own their health data It can be released without patients consent in a limited and well-defined set of circumstances HIPAA Didn’t know? $100-$25K Reasonable? $1K-$100K Willfull neglect, corrected <30 days? $10K-$250K Willful neglect? $50K-$1.5 million


9 Put Controls in Place Archive and Hold: Keep what you need Deletion Policies: Get rid of what you need to get rid of DLP and Encryption: Control, and help user control, sensitive content Show Compliance, Investigate a User EDiscovery: Search for important content Auditing: Show that people did the right thing, or didn’t

10 Internal Policies Regulations and Law Subpoenas Demonstrate Reporting ComplianceSampling Investigate a Search User I need to: I do this via: “I followed the Legal Discovery process” “Only doctors viewed this HIPAA doc” “All PPTs marked ‘Microsoft Confidential’ were viewed only by FTEs” Financial Policy Violation, Confidentiality Breach Insider Trading Sensititive Data Loss to public Wrongful Termination

11 HIPAA Business Associate Agreement (HIPAA BAA) FISMA authority to operate (ATO) from a federal agency FERPA use and disclosure restrictions related to student data EU model clause addressing international transfers of data CJIS Security Policy 5.2 requirements met for CA and TX law enforcement DPA (Data Processing Agreement) to address the privacy, security, and handling of customer data Supporting Customer Compliance ISO 27001: First major business productivity public cloud service to have implemented ISO 27001 mgmt. controls SAS 70 Type I and Type II attestation O365 Accreditations Protecting Against Government Snooping: snooping.aspx Transparency Advocacy: DC Ops Auditing Numbers of govt requests for data government-requests-for-customer-data.aspx Law enforcement requests report: us/reporting/transparency/ Transparency and Government Snooping “We are committed to notifying business and government customers if we receive legal orders related to their data. Where a gag order attempts to prohibit us from doing this, we challenge it in court. “ “ n-us/business/office-365- security-and-privacy-verified- by-a-third-party- FX103089231.aspx

12 CountryPIIFinancialHealth US US State Security Breach Laws, US State Social Security Laws, COPPA GLBA & PCI-DSS (Credit, Debit Card, Checking and Savings, ABA, Swift Code) Limited Investment: US HIPPA, UK Health Service, Canada Health Insurance card Rely on Partners and ISVs Germany EU data protection, Drivers License, Passport National Id EU Credit, Debit Card, IBAN, VAT, BIC, Swift Code UK Data Protection Act, UK National Insurance, Tax Id, UK Driver License, Passport EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code Canada PIPED Act, Social Insurance, Drivers License Credit Card, Swift Code France EU data protection, Data Protection Act, National Id (INSEE), Drivers License, Passport EU Credit, Debit Card, IBAN, BIC, VAT, Swift Code Japan PIPA, Resident Registration, Social Insurance, Passport, Driving License Credit Card, Bank Account, Swift Code Australia Drivers License, Passport, Social InsuranceCredit Card, Bank Account, Swift Code Predefined rules targeted at sensitive data types Advanced content detection Combination of regular expressions, dictionaries, and internal functions (e.g. validate checksum on credit card numbers) Extensibility for customer and ISV defined data types

13 Why Compliance Subpoenas Laws and Regulations Internal Policy Today’s Challenges Duplicate storage Add-ons for users Complex experience The Asks Lower the cost One experience Easier to manage Content Lifecycle Compliance


15 EX SP Default Retention: 3 months Default Retention: 1 month





20 EX SP Default Retention: 3 months Default Retention: 1 month Roadmap Calendar and delegate changes SP Tenant Admin and O365 AD Activity OneDrive for Business Auditing Sharepoint Sharing User and Item Pivoted Reporting Report when Content became Sensitive Simple, Unified Configuration Unified Reporting Years and Years of Storage



23 Workload (Exchange) Backend FFO/EOP UCC – Auditing console Policy Store Policy WebService Policy cmdlet Arbitration Mailbox (per tenant policy store) Local Queue, Uploader (per BE server) Policy DAL Policy Sync Service Backend 1 Backend N Exchange Auditing Hooks Workload (SharePoint) Backend Policy Store (per tenant policy store) Local Queue, Uploader (per BE server) Policy Sync Service Content FE SP Content Front End Node Audit Storage (EXO) Audit Long Term Storage Audit Upload Web Service FFO/EOP UCC – Auditing console Reporting cmdlets Reporting UX Reporting Web Service Content BE SQL Long term storage Reports, while you wait: 1 hour freshness, 15 second wait Anything manual, including bulk events, shown as individual events System Events are captured by the cmdlet that enabled them

24 Contoso Site Activity ACTION Viewed Modified Viewed Modified Shared Modified Deleted Modified Deleted Viewed Visa Application (Turkey) Gene W… Visa Application (Turkey) Gene W… Visa Application (Turkey) Gene W… OFFER FORM.docx OFFER FORM.docx Visa Application (Turkey) Gene W… Visa Application (Turkey) Walter T… PricingInfo-November2014.xlsx PaulsDocumentAppendix.docx DocumentAppendix.docx TARGET 2/24/2014 4:28 2/24/2014 6:21 2/25/2014 7:17 2/25/2013 14:14 2/25/2013 22:44 2/26/2013 13:40 2/26/2013 23:27 2/27/2013 3:15 2/28/2013 9:57 2/28/2013 16:35 2/28/2013 21:36 3/1/2013 1:00 3/1/2013 3:07 3/1/2013 20:16 3/2/2013 8:41 3/2/2013 13:20 3/2/2013 19:06 TIME Cem Aykan Olaf Hubel Julia White Olaf Hubel Cem Aykan Michal Gideoni Paul Andrew Julia White PERSON IP Address: from Word Web Viewer IP Address: IP Address: IP Address: Saved from Word Web Viewer Shared with Shared with Saved from Word desktop IP Address: Saved from PowerPoint Web IP Address: IP Address: IP Address: DETAILS





Download ppt "Subpoenas Regulations and Law Internal Policy."

Similar presentations

Ads by Google