Compliance, Defensibility & Usability of Information on a Global Stage Monday, October 19, :00 – 10:30 AM Global Legal Issues 1

2

3

N ORA K URZOVA Chief Privacy Officer, Data Privacy & Records Management Tyco International Management Company A NTHONY M ARTIN Senior Associate General Counsel Privacy & Information Security Wal-Mart Stores M ARTY P ROVIN, CIPP/US Executive Vice President Jordan Lawrence 4 A NDREA A RIAS Attorney, Division of Privacy and Identity Protection Federal Trade Commission 4

5 The views expressed herein do not represent the Federal Trade Commission or anyone of it’s Commissioners. All views and opinions are solely those of the individual speaker for informational purposes and does not constitute legal advise.

“Do The Right Thing” Defensibility of Decisions Comply with Laws & Requirements 6

W HAT D OES A R EGULATOR C ARE A BOUT ?  Federal Agencies, States, ICO, CNIL  Past Experience  Future Experience 7

A NDI ’ S T OP 6 L IST 8

T OP 6 L IST 9 1.Storing information longer than needed when not necessary 2.Using default or easy-to-guess passwords 3.Storing or transmitting information in plain text 4.Failing to take steps to segment or restrict access to data 5.Failing to provide appropriate employee training or oversight 6.Failing to take reasonable steps to detect or investigate breaches

R ISK A NALYSIS C ONSIDERATIONS  Litigation  Regulation  Organizational Structure  Geographic Footprint  Past Experience 10

R ISK A NALYSIS C OMPONENTS  Start with Security 11  What personal information do you have?  Where is it?  How long are you keeping it?

R ISK A NALYSIS C OMPONENTS  Start with Security  Control Access to Data 12  How are you using personal information?  Who has access to sensitive data?

R ISK A NALYSIS C OMPONENTS  Start with Security  Control Access to Data  Require Passwords & Authentication 13  How is sensitive information protected?

R ISK A NALYSIS C OMPONENTS  Start with Security  Control Access to Data  Require Passwords & Authentication  Store Securely & Protect in Transit 14  How is sensitive information being stored?  How is sensitive information protected in transit?

R ISK A NALYSIS C OMPONENTS  Start with Security  Control Access to Data  Require Passwords & Authentication  Store Securely & Protect in Transit  Segment Network & Monitor Intrusion 15  Are you using industry-tested accepted methods?

R ISK A NALYSIS C OMPONENTS  Secure Remote Access to Network 16  Who has access to what?  Information encrypted?

R ISK A NALYSIS C OMPONENTS  Secure Remote Access to Network  Apply Sound Security Practices 17  Are policies written?  Is compliance verified?  Are employees adequately trained?

R ISK A NALYSIS C OMPONENTS  Secure Remote Access to Network  Apply Sound Security Practices  Ensure Vendors do the Same 18  Do you perform vendor risk assessments?

R ISK A NALYSIS C OMPONENTS  Secure Remote Access to Network  Apply Sound Security Practices  Ensure Vendors do the Same  Establish Processes/Procedures 19  What testing are you doing?  Are you up to date on patches?

R ISK A NALYSIS C OMPONENTS  Secure Remote Access to Network  Apply Sound Security Practices  Ensure Vendors do the Same  Establish Processes/Procedures  Secure Paper/Physical Media 20  Do employees securely dispose of sensitive information?

R EPORTING F INDINGS  Who are you reporting to?  How do you report?  How do you make it relevant? 21 Executive Leadership Team Board of Directors

W HAT D OES S UCCESS L OOK L IKE ?  Tone at the Top  Resources  Open Communication 22

I NFORMATION M ANAGEMENT C OMMITTEE  Privacy  Records Retention  Information Security  Litigation  Business Intelligence  Marketing 23

24

25  Federal Trade Commission |  European Commission |  National Association of Corporate Directors |  Federal Trade Commission | R ESOURCES

26 N ORA K URZOVA Tyco International Management Company A NTHONY M ARTIN Wal-Mart Stores M ARTY P ROVIN, CIPP/US Jordan Lawrence A NDREA A RIAS Federal Trade Commission