Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Published byCalvin Doncaster Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction."— Presentation transcript:

1 Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction

2 What is a Privacy Breach? Privacy breach is the unintended and unconsented-to loss of personal data held by an organization Can result from intentional act (e.g. theft), negligence or simply system failure Under privacy laws organizations have an obligation to protect the personal information held by them and to disclose or release it only in accordance with purposes consented to by the data subjects A privacy breach involves a failure of the organization’s systems to protect such information  which may indicate a failure to comply with the law 2

3 Obligations to Protect Personal Information – The Security Requirement An organization is required to protect personal information using security safeguards appropriate in the circumstances This obligation means that the type of information and its sensitivity will dictate the nature of the security systems: more sensitive information must be protected by a higher level of security Organizations are required to use: −Physical measures (e.g. passcard access restrictions) −Organizational measures (e.g. confidentiality agreements) −Technological measures (e.g. password protection, encryption) 3

4 Why Privacy Breaches are a Concern A privacy breach involves the potential loss of information that for both competitive and regulatory reasons the organization seeks to keep confidential However, the more critical issue is that the compromised personal information may be used to injure customers or others (e.g. fraud, identity theft) The breach may indicate a failure of the organization to comply with its security obligations under the privacy law, or at common law, which could have serious financial and regulatory impact, as well as a loss of public (i.e. consumer) trust 4

5 Due Diligence – the Organization’s Responsibilities Most importantly, an organization should ensure that its security systems are adequate and meet or exceed recognized standards It should continually review (i.e. audit) its security systems and conduct threat, vulnerability and risk assessments When a deficiency is identified, it should address that and rectify it Training of staff both in respect to privacy and security compliance as well in responding to breaches should be conducted 5

6 Due Diligence – Risk Reduction Compliance with the security principle under PIPEDA is a strict liability requirement, which is satisfied by the organization taking due care – due diligence satisfies this requirement If the organization takes appropriate steps to comply with recognized security standards it should be able to minimize or avoid liability in the event of a breach 6

7 Security Compliance Standards Payment card industry data security Standard (PCI DSS) ISO/IEC 27000 series of standards – provide best practice recommendations for the management of information security and risks, and potential controls: 7 −ISO/IEC 27001 – Specification for Information Security Management System provides a standard for systems against which certification can be obtained −ISO/IEC 27002 – Code of Practice for Information Security – listing of potential control mechanisms for implementation with guidance from ISO/IEC 27001 – categories include: o Risk assessment and treatment ○ Asset management o Security policy ○ HR Security o Organization of information systems ○ Access Controls

8 ISO/IEC 27001 Requires that management within an organization must: Systematically assess the organization's information security risks, taking account of the threats, vulnerabilities and impacts Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that it deems unacceptable Adopt an all-encompassing management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis 8

9 ISO/IEC 27001 The standard has a long-term outlook and incorporates the “Plan-Do-Check-Act” approach: Plan: Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives Do: Implement and operate the ISMS policy, controls, processes, and procedures Check: Assess and, where applicable, measure process performance against ISMS policy, objectives, and practical experience and report the results to management for review Act: Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS 9

10 What Should an Organization do to Respond to a Privacy Breach? If a privacy breach occurs, the organization must respond both immediately to remedy the source of the breach and mitigate the potential damage and must subsequently evaluate its systems for future prevention How an organization responds to a breach is part of its compliance with the security principle under the privacy law Diligent and effective response including notification of affected persons will reduce risk 10

11 11 Response to a Breach – The Key Steps 1)Internal notification – implement breach protocol 2)Contain the breach and preliminary assessment 3)Evaluate the risks 4)Reporting to law enforcement and regulatory authorities 5)Notification of affected individuals 6)Investigation and Remediation

12 12 Investigation and Remediation Following completion of its immediate breach response actions, an organization must thoroughly investigate the cause of the breach This should involve an audit of all systems and procedures that may have had an impact on the breach (e.g. faxing procedures, credit card usage security, mobile transport of sensitive data)

13 13 Investigation and Remediation – cont’d The objective is to learn from the breach to improve procedures and systems so as to prevent a reoccurrence of the breach or similar breaches New procedures/systems should be established, appropriate training of staff conducted and an audit/review completed at the end of the process to ensure the intended objective is met These actions address the organization’s on-going and future compliance with the security principle in the privacy laws and address due diligence

14 THANK YOU David Young Direct: 416.307.4118 david.young@mcmillan.ca McMillan LLP Brookfield Place 181 Bay Street, Suite 4400 Toronto, Ontario M5J 2T3

Download ppt "Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction."

Similar presentations

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
2 1.Client protection principles 2.Principle #6 in practice 3.The client perspective 4.Participant feedback 5.Tools for improving practice 6.Conclusion.

2 1.Client protection principles 2.Principle #6 in practice 3.The client perspective 4.Participant feedback 5.Tools for improving practice 6.Conclusion.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
Massachusetts Digital Government Summit October 19, 2009 IT Management Frameworks An Overview of ISO 27001:2005.

Massachusetts Digital Government Summit October 19, 2009 IT Management Frameworks An Overview of ISO 27001:2005.
Chapter 14 Fraud Risk Assessment.

Chapter 14 Fraud Risk Assessment.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.

©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Mark S. Hayes – Blake, Cassels & Graydon LLP Privacy and Security – Some Observations Mark S. Hayes, Blake, Cassels & Graydon LLP 7th CACR Privacy and.

Mark S. Hayes – Blake, Cassels & Graydon LLP Privacy and Security – Some Observations Mark S. Hayes, Blake, Cassels & Graydon LLP 7th CACR Privacy and.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
IS Audit Function Knowledge

IS Audit Function Knowledge
23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.

23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.
Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA 2014. The policy advocacy and regulatory work of the GSMA Mobile Money team.

Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA The policy advocacy and regulatory work of the GSMA Mobile Money team.
SOX & ISO 27001 Protect your data and be ready to be audited!!!

SOX & ISO Protect your data and be ready to be audited!!!

Similar presentations

Ads by Google