Integrating Security and Privacy Considerations into Client Services, Products and Day-To-Day Operations. WMACCA September 16, 2014

Size: px

Start display at page:

Download "Integrating Security and Privacy Considerations into Client Services, Products and Day-To-Day Operations. WMACCA September 16, 2014"

Archibald Page
8 years ago
Views:

1 Integrating Security and Privacy Considerations into Client Services, Products and Day-To-Day Operations WMACCA September 16, 2014

2 Panel Moderator: Mary Ellen Callahan of Jenner & Block; (Former Chief Privacy Officer, U.S. Department of Homeland Security) Panelists: Maureen Kelly, Assistant General Counsel and Corporate Counsel, Enterprise Shared Services, Northrop Grumman Corporation C.M. Tokë Vandervoort, Vice President & Assistant General Counsel Technology, Privacy & Security Chief Privacy Officer, XO Communications Christina Ayiotis, Adjunct Faculty, Department of Computer Science, The George Washington University; (Former Deputy General Counsel Information Governance, CSC) 1

3 AGENDA Discuss strategic ways to work collaboratively within your company on issues involving privacy, cybersecurity, insider threats, training, transition to cloud computing, and information governance, including creating appropriate awareness at the C-Suite level. 2

threats, training, transition to cloud computing, and information

4 Relationships Internal Relationships to foster: CEO Board of Directors CIO CISO HR/personnel Records and Information Management Product Managers/Business Leaders Marketing/Sales 3

5 Training Employee Training and Education Engagement Consistency Accountability Documentation Leading by Example Insider Threat Those who get hired intending to do harm Human Error Mitigation through technology settings/process (idiot proofing) Third-Party Risk Employee to include contractors, business partners, etc. who have been given access to networks, systems or data. 4

Mitigation through technology settings/process (idiot proofing) Third-Party Risk Employee to

6 C-Suite How do you engage the C-Suite on privacy and security issues? Hand over copies of The Wall Street Journal, or The Economist or send links to Bloomberg or Forbes Ensure clear lines of communication and accountability, especially up to the Board of Directors (Audit Committee or Risk Committee) 5

to Bloomberg or Forbes Ensure clear lines of communication and

7 TAKEAWAYS

8 Takeaways Get in early and often. Build privacy protections and security considerations into products and services at the conception stage (as opposed to trying to shoe horn them in during pre-launch/beta review, development of customer facing terms or, worse, during negotiations for their sale). Be clear. Whether setting internal requirements or communicating customer expectations, knowing what information is collected, understanding why it s being collected, articulating how it s used, shared, protected and destroyed are all important to establish the credibility and defensibility of your practices. Do not underestimate the risk 3 rd parties present. Enforcement authorities (e.g., FTC, PCI) increasingly look for pre- and post-engagement due diligence and holding companies accountable for over-relying on, ignoring, or overstating the level of protection provided by or oversight given to 3 rd party business partners that have sensitive data. Train. Train. And then train some more. Getting the C-suite and major stakeholders on board is a big step, but working these and other privacy and security concepts into the collective mindset and DNA of a business takes time and repetition across nearly all, if not all, functions. Find allies within the company to help convey the privacy and security message. You cannot do it alone; find allies and others throughout the company who understand the privacy and security mission ( canaries in a coalmine ) 7 7

customer facing terms or, worse, during negotiations for their sale). Be clear.

9 Takeaways, Con t Build relationships and stay connected. Learn about your internal networks and monitoring capabilities and make sure you understand the technology s capabilities. You want to make sure that you are part of the team before and not after changes in systems or processes occur. Stay up to date. Information sharing and external relationships are crucial not only to effective in-house cyber teams but also to being an effective in-house cyber lawyer. This is an evolving field, with evolving technologies and risks. Be prepared. Have a plan and conduct exercises to deal with information spills and/or cyber incidents. Focus on the fundamentals. A lot of cyber incidents and privacy breaches occur because of human error and failure to abide basic safeguards. Lessons learned. If something does go wrong, make sure that after the immediate response, lessons learned are identified and corrective actions taken to mitigate future risks. Review our Cybersecurity Checklist handout for questions to ask! 8

Information sharing and external relationships are crucial not only to effective in-house cyber teams but also to being an effective in-house cyber lawyer.

10 Questions? Contact Information: Moderator: Mary Ellen Callahan of Jenner & Block, Panelists: Maureen Kelly, Assistant General Counsel and Corporate Counsel, Enterprise Shared Services, Northrop Grumman Corporation, C.M. Tokë Vandervoort, Vice President & Assistant General Counsel Technology, Privacy & Security Chief Privacy Officer, XO Communications Christina Ayiotis, Adjunct Faculty, Department of Computer Science, The George Washington University; (Former Deputy General Counsel Information Governance, CSC), 9

com C.M. Tokë Vandervoort, Vice President & Assistant General Counsel Technology, Privacy & Security Chief Privacy Officer, XO Communications catharina.

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary