CMG Events 2016 Cybersecurity Briefing 24 February 2016 John Magee William Fry.


1 CMG Events 2016 Cybersecurity Briefing 24 February 2016 John Magee William Fry

2 The Threat Landscape

3 Session Agenda
- Data Security Obligations Under the New GDPR
- Information Security Obligations Under Other Laws/Regulations
- Managing Cyber Threats
- Role of IT and other Departments in Implementing New Rules
- Security Incident Response Plans

4 It Will Never Happen…

5 Data Protection Commissioner Annual Report 2014

6 Data Protection Commissioner Annual Report Case Study: Theft of Unencrypted Laptop
- Security standards need to be periodically reviewed
- What may have been an acceptable standard five years ago may not be acceptable now
- Don't forget the little things: human error is the biggest cause of breaches

7 The Regulatory & Legal Landscape
Victim:
- Data Protection
- Contracts
- Duty of Care
- PCI DSS
- ISO 27001
- Fiduciary Obligations
- Sector Regulation (e.g. CBOI)
- Network and Information Security Directive
Suspect:
- The Budapest Convention
- Criminal Damage Act 1991
- Criminal Justice (Theft and Fraud Offences) Act 2001
- Criminal Justice Act 2011
- Criminal Justice (Offences Relating to Information Systems) Bill 2016

8 EU General Data Protection Regulation

9 EU General Data Protection Regulation (GDPR)
- Agreed by the European Parliament, Council & Commission
- Finalisation of new text: early 2016
- Implementation: Spring 2018
Some Key Changes:
- Breach Notification: 72 hours
- Sanctions: 2% - 4% of Annual Global Turnover (or €10m - 20m)
- Information Notice: security measures and underlying logic in data processing

10 Data Security Obligations: GDPR (Chapter IV, S.2)
- EU-wide changes
- Any issues?
- What's key?
- What's new?

11 Data Security Obligations
GDPR Standard: Implement appropriate technical and organisational measures, taking account of:
- State of the art
- Costs
- Nature, scope, context and purposes of the processing
- Risk to rights and freedoms
GDPR Guidelines:
- Pseudonymisation
- Encryption
- Ability to ensure confidentiality, integrity and resilience of the system
- Ability to restore availability and access
- Process for regular testing, assessing and evaluating
GDPR Recitals: Reflect the relevant provisions set out in the Regulation
- Provide guidance on circumstances where a breach must be notified to the DPA
- Provide additional guidance on timing of notification

12 Notification to Data Protection Authority
- Notify the DPA without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach
- If reporting late, a reasoned justification for the late notification is required
- Notification not necessary if the breach is unlikely to result in a risk to rights and freedoms
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

13 Notification To Data Protection Authority
Content of the notification:
- Nature of the personal data breach (categories, number of data subjects, data affected, etc.)
- Contact information for the company Data Protection Officer
- Likely consequences of the personal data breach
- Proposed strategy to address the breach and mitigation measures used (if any)
No requirement for a data processor to make a DPA notification: the obligation is to notify the data controller only

14 Notification To Data Subjects
- Required where the personal data breach is likely to result in a high risk to the rights and freedoms of individuals
- Must notify data subjects "without undue delay"
Recital 67a provides additional guidance on timing of notification: "as soon as reasonably feasible"
- Need to mitigate immediate risk of damage: prompt notification
- Need to implement appropriate measures: may justify a longer delay
Exceptions:
- Technical and organisational measures implemented (data is unidentifiable)
- Action taken and high risk no longer likely to materialise
- Notification would involve disproportionate effort (in which case a public communication is to be made)
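Slide 11 lists pseudonymisation and encryption as the measures the GDPR points to, and slide 14 treats "data is unidentifiable" as a ground for not notifying data subjects. Whether a breached data set actually meets that bar depends on how the pseudonymisation was done. The Python below is an added example, not material from the briefing or from William Fry: it pseudonymises a constructed set of customer records two ways, an unkeyed SHA-256 of the e-mail address and an HMAC-SHA256 under a secret key held apart from the data, then plays the attacker who holds the breached file and a list of guessed addresses. The record layout, the sample addresses and the attacker's dictionary are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not from the briefing): a small customer
# table whose direct identifier is an e-mail address.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "purchases": 3},
    {"email": "bob@example.com", "purchases": 1},
    {"email": "carol@example.com", "purchases": 7},
]

# Constructed list of addresses an attacker might guess or already hold
# (e.g. from an unrelated leak). Two of them appear in the table.
ATTACKER_DICTIONARY = [
    "alice@example.com",
    "bob@example.com",
    "dave@example.com",
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic and computable by anyone, so a breached file of these
    tokens can be matched against guessed identifiers. This is hashing,
    not a measure that renders the data unidentifiable.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is stored separately from the data set (e.g. in an HSM or a
    secrets manager). Whoever lacks the key cannot recompute tokens and
    so cannot link them back to individuals. The controller, who holds
    the key, still can, which is why the result is pseudonymised rather
    than anonymised personal data.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key=None):
    """Replace the direct identifier with a token; keyed when a key is given."""
    out = []
    for rec in records:
        if key is None:
            token = naive_pseudonym(rec["email"])
        else:
            token = keyed_pseudonym(rec["email"], key)
        out.append({"subject_id": token, "purchases": rec["purchases"]})
    return out


def reidentify(pseudonymised, dictionary, key=None):
    """Attacker model: recompute tokens for every guess and match them.

    Returns a mapping subject_id -> recovered e-mail. Pass key=None for
    an attacker who obtained the breached file but not the key; pass the
    key to model the controller (or an attacker who also stole the key).
    """
    lookup = {}
    for guess in dictionary:
        if key is None:
            lookup[naive_pseudonym(guess)] = guess
        else:
            lookup[keyed_pseudonym(guess, key)] = guess
    return {
        r["subject_id"]: lookup[r["subject_id"]]
        for r in pseudonymised
        if r["subject_id"] in lookup
    }


def demo():
    """Return (recovered from unkeyed hashes, recovered from keyed tokens)."""
    key = secrets.token_bytes(32)  # generated per run; never stored with the data
    unkeyed_file = pseudonymise(SAMPLE_RECORDS)
    keyed_file = pseudonymise(SAMPLE_RECORDS, key)
    # The attacker holds both breached files but not the key.
    from_unkeyed = reidentify(unkeyed_file, ATTACKER_DICTIONARY)
    from_keyed = reidentify(keyed_file, ATTACKER_DICTIONARY)
    return len(from_unkeyed), len(from_keyed)


if __name__ == "__main__":
    print("re-identified from unkeyed hashes, from keyed tokens:", demo())
```

Running the script shows two of the three subjects recovered from the unkeyed file and none from the keyed one. The practical reading for the slide 14 exception is that the argument "the data were hashed, so nobody can be identified" only holds when the hashing is keyed and the key was not part of the compromise; if the key was exposed alongside the data, the keyed file is as identifiable as the unkeyed one and the exception falls away.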

15 Notification To Data Subjects
- Notification must be in clear and plain language
- Contact information for the company Data Protection Officer
- Likely consequences of the personal data breach
- Proposed strategy to address the breach and mitigation measures used (if any)
- Notification should be made in close cooperation with the DPA

16 Network and Information Security Directive
Scope:
- Operators of essential services & digital service providers; includes sectors in the areas of banking, energy, digital & financial market infrastructure, health and transport
Purpose:
- Improve network security safeguards
- Increase knowledge of cyber threats
- Secure networks in order to protect the provision of online services
Obligations:
- OESs must notify of security incidents likely to have a "significant impact" on the continuity of services
- Member states have discretion to set penalties for infringement of national provisions; penalties must be effective, proportionate and dissuasive
Timeline:
- Adopted 18 December 2015; needs to be approved by the EU Parliament's internal market committee and the EU Council's committee
- Implementation expected in Spring 2016, followed by a 21 month transposition period

17 Cyber Threats: Prevention Is Better Than Cure
Short Term:
- Cybersecurity on the board agenda
- Cross-departmental working group (not just the I.T. Department!)
- Legal & regulatory obligations
Medium Term:
- Information security policy
- Staff training
- Incident response plan
Long Term:
- Audit
- Ongoing monitoring & testing
- Relationship with authorities

18 Security Incident Response Plans: 10 Critical Actions
1) Mobilise response team
2) Assess scale of attack and information at risk
3) Engage legal counsel
4) Initiate forensics
5) Review insurance cover provisions
6) Monitor bank accounts
7) Consider steps to contain the incident
8) Understand notification requirements
9) Engage PR expertise
10) Undertake post-breach remediation

19 Questions & Answers
cybersecurity@williamfry.com
John Magee, Senior Associate
D: + 353 81 489 6532
E: john.magee@williamfry.com

