Surviving the Era of Hack Attacks Cyber Security on a Global Scale

Transcription

1 Surviving the Era of Hack Attacks Cyber Security on a Global Scale Dr. Adriana Sanford ASU Lincoln Professor of Global Corporate Compliance and Ethics Clinical Associate Professor of Law and Ethics This presentation represents my own views and not those of any other person. Information Society Environments where new technologies can threaten the right to privacy Camera Phones Video Surveillance Spyware 2 1

2 Data-Driven Society 2013 Telefonica analysis based on Social and Digital Media Statistics 2013 from Mistmediagroup 3 Hack Attacks A wake of high profile data breaches Hacking and data breaches at major retailers Hackers breached the Twitter and the YouTube accounts of the U.S. military's Central Command, which oversees the war against Islamic State militants in Iraq and Syria (according to the Pentagon) 4 2

3 U.S. President Barack Obama January 2015 Speech at Federal Trade Commission Direct threat to the economic security of American families Proposed legislation to require companies to notify customers within 30 days of discovering customers personal information was exposed to hackers Federal protection for information collected from students, who increasingly are using computers, tablets and other electronic devices in the classroom 5 Financial Institutions The aftermath of these retail breaches Fraudulent charges made on compromised payment cards Cancellation and reissuance of compromised payment cards Lost profits Lost business opportunities 6 3

4 Companies/ Multinationals The aftermath of these retail breaches Implement global privacy programs Closely monitor compliance Raise awareness in connection with the cross-border data transfers that accompany international assignments marketing strategies internal investigations legal actions other business activities 7 Senior Executives & Supply Chain Leaders Need a sophisticated understanding of data information risk Many corporate cybersecurity attacks come through third parties that handle personal and confidential information --- often stealing credentials from those suppliers Companies can no longer financially afford to track only their top 25 suppliers, as legal expenses associated with a massive data breach can become insurmountable Companies must vigilantly manage every step of the information life cycle to ensure adequate protection along the supply chain and supporting systems 8 4

5 Senior Executives & Supply Chain Leaders Safeguards against cyber attacks Identify smaller or less significant suppliers that may have previously fallen off the radar and any servers that may be owned by subcontractors in foreign countries Check whether these suppliers have a history of data security breaches (such information is available by consulting industry sources) Request recent third-party audit reports on their data security systems to ensure that appropriate safeguards are in place to protect personal information 9 Criminal Hackers Motivations of attackers can be varied and complex Employ anonymous networks Encrypt communications Use virtual currencies in private forums referred to as darknets 10 5

6 Criminal Hackers An 83 page comprehensive report by RAND Corp. and Juniper Networks Inc. Hackers from the U.S., Russia and Ukraine hawk computer exploits for as much as US$300,000 on an underground market fueled by digital currencies (like Bitcoin) U.S. government and industry officials warn that digital attacks are becoming more sophisticated and dangerous 11 Data Brokers Often lack direct interaction with consumers. Consumers often lack the ability to correct inaccurate personal data or opt out of having personal information sold or shared Buy and sell consumer data (commercial, government, or other publicly available resources) Intertwine information to form a more detailed composite of consumers lifestyles, likes and dislikes Provide data not only to endusers, but also to a series of other data brokers in the industry 12 6

7 Pushing Privacy In The Name of Collecting Data Online services are developing at a rapid rate and businesses differ significantly in terms of how and why they collect your data Many data brokers have access to some of the most intimate details about your life, which they obtain from various different resources 13 A Data Broker s Database The problem is that some of them not only combine information, but then analyze the data to make inferences about consumers, including potentially sensitive inferences regarding consumer interests to then place consumers into categories Potentially cover one trillion dollars in consumer transactions Some of these businesses have the ability to add three billion new records each month to their databases 14 7

8 The Challenge Can potentially create security risks identity thieves may use information to predict passwords, challenge questions, or authenticate credentials Most consumers are not be aware of these categories Consumers generally do not have the ability to access this information Information can sometimes be stored indefinitely 15 Some Businesses that Collect Data Background research companies provide law enforcement information they collect by cameras mounted on parking garages, bridges and roads Other businesses provide credit information to businesses and consumers As you surf the web, others companies collect your computer s IP address or provide you information on your eighth-grade crush 16 8

9 Fragmented Data Protection Rules A global approach is necessary to alleviate operational challenges Make compliance costly for businesses Create uneven levels of protection for individuals Make it difficult to sell or shop cross-border for small and medium-sized companies 17 The Future of Privacy A global approach is necessary to alleviate operational challenges from the perspective of a global business Intercompany shared services Handling of HR and customer data Outsourcing to third-party providers Product development 18 9

10 Europe Data protection since the 1970s Strasbourg Convention of 1981 (Protection of Individuals with regard to Automatic Processing of Personal Data) EU Data Protection Directive 95/46 E-Privacy Directive 2002/58 (Privacy and Electronic Communications) 19 Europe Data protection since the 1970s Article 8 of the Charter of Fundamental Rights of EU (2009) Upcoming EU Data Protection Regulation 20 10

11 EU Data Protection Directive U.S. multinationals should not only be careful to abide by the EU directive, but also by each of laws of the EU countries Under the current EU system, each EU member has a data protection czar with responsibility for implementing the law There are civil and criminal penalties for violations The U.K. Information Commissioner s Office, for example, has the authority to fine companies up to 500,000 for noncompliance with the U.K. s Data Protection Act 21 The Future of Privacy Upcoming EU Data Protection Regulation Broad Extra-Territorial Application One-Stop-Shop Data Protection Officer The Right-To-Be-Forgotten Shorter Breach Notification Privacy by Design Privacy by Default Heftier Fines 22 11

12 Upcoming EU Data Protection Regulation Benefits of the reform Assure businesses and EU consumers alike consistent legislation and adequate protection Strengthen individual rights Tackle some of the current challenges to privacy 23 Providing a Basic Framework It is anticipated that upcoming EU Data Protection Reform will provide a basic framework for data privacy legislation to other regions and countries around the globe 24 12

13 The Future of Privacy Must be familiar with various new initiatives for cross border data transfers Companies must not only comply with local laws, but also often with the privacy laws of the jurisdictions where the individuals identified in the data reside In addition to the EU, a number of other countries have also recently enacted their own privacy legislation More than 89 countries have laws and regulations protecting data privacy 25 The Weak Link Vulnerabilities of digital information A single point of failure in one application can potentially give corporate hackers access to sensitive data Customer data could potentially be hosted on any of hundreds of servers owned by suppliers subcontractors around the world A weak link can create a direct threat to the economic security of American families 26 13

14 THANK YOU 27 14