Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie
Rewriting the Past
Oisin Tobin

Agenda
1. Background
2. Findings and impact:
   a) Jurisdiction
   b) A data controller
   c) The right to be forgotten

Background - The Timeline
- 1998: Auction notices published
- Content digitised, appeared in Google search
- 2010: Complaint filed with the Spanish Data Protection Authority

Background - Spanish DPA Decision
- The original notice was lawfully published
- However, Google's linking to that notice violated González's data protection rights

Background - CJEU Appeal
- Google appealed the decision to the CJEU:
  - Not within jurisdiction
  - Google search is not a data controller
- Advocate General: Google was not a data controller
- CJEU disagreed and affirmed the Spanish DPA
- No appeal possible
- "Deleting the index cards"

Issue 1: Jurisdiction - Applicable Law
- Two jurisdictional tests in EU Data Protection Law (Article 4):
  - DC is established in a member state and processes personal data in the context of that establishment (Article 4(1)(a))
  - DC has no EU establishment, but uses equipment in Europe (Article 4(1)(c))

Issue 1: Jurisdiction - Google's Case
- Google search is provided by Google, Inc.
- Google, Inc. has no presence in the EU
- Google Spain promotes the sale of ads (an unrelated activity)
- No evidence of servers located in the EU
- Therefore:
  - No relevant establishment in the EU (per Article 4(1)(a))
  - No equipment (per Article 4(1)(c))
  - No jurisdiction

Issue 1: Jurisdiction - Court's Response
- An economic link between Google search and the ads sold by Google Spain (one pays for the other)
- The separate legal personality of Google, Inc. and Google Spain can be disregarded
- Google Spain deemed to be an establishment of Google Inc. that processes personal data in the context of the activities of Google search
- Therefore, jurisdiction (per Article 4(1)(a))

Issue 1: Jurisdiction - Court's Response
"It cannot be accepted that the processing of personal data carried out for the purposes of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would compromise the directive's effectiveness and the effective and complete protection of the fundamental rights and freedoms of natural persons which the directive seeks to ensure."

Issue 1: Jurisdiction - Practical Impact
- The establishment, by a non-EU company, of an EU marketing sub may cause EU privacy law to apply to the operations of the non-EU company, even where the EU sub is not factually involved in the processing of personal data
- Risk of overlapping regulators (one per marketing sub)
- Strategic decision: concede that an EU data protection law is to apply and have a designated data controller or subsidiary responsible for DP issues in a member state

Issue 1: Jurisdiction - Questions
If a multinational company, ask:
- Do we have a clear EU data controller?
- Where do we have marketing subs?
- Do our parent's operations comply with applicable local law?
- Where necessary, consider data protection jurisdiction risk when expanding operations

Issue 2: Data Controller - Applicable Law
- Data protection obligations fall on data controllers
- A data controller is an entity that determines the purposes and means of processing personal data

Issue 2: Data Controller - Google's Case
- Google scans and caches content to provide access
- No real control over that information
- Advocate General agreed: a proportionate reading of DP law

Issue 2: Data Controller - Court's Finding
- Google programmed the software that scanned, indexed and cached content (including personal data)
- Sufficient to show Google was a data controller

Issue 2: Data Controller - Impact
- Search engines are responsible, in data protection law, for the results they return
- Any business could be treated as a data controller in respect of data it collects/obtains in the course of trade, even where the business is not really concerned about the content of that data

Issue 2: Data Controller - Questions
- Have we considered all circumstances where we may be acting as a data controller?

Issue 3: Right to be Forgotten - Law
- Controllers need to ensure a pre-condition to processing has been met, e.g. consent, legitimate interests
- Compliance with general data protection principles (i.e. not excessive, limited retention etc.)

Issue 3: Right to be Forgotten - Google
- Principle of proportionality: any request for removal of content should be made to the website, not Google (a mere intermediary)

Issue 3: Right to be Forgotten - Court
- Google lacks consent
- Must rely on legitimate interests
- Balancing test: public interest v privacy rights
- Must also comply with general DP principles (data not excessive, up to date etc.)
- As a rule, privacy rights take precedence over the public's interest in accessing information
- Where a data subject objects to search results, those should be removed, save in limited circumstances (e.g. public figures)

Issue 3: Right to be Forgotten - Impact
- Does not create a general right to demand deletion of data
- Ruling was based on Articles 12 and 14 of the Directive:
  - Article 12 allows deletion where there is a breach of DP law (akin to Section 6 of the Irish DP Act)
  - Article 14 gives a right to object where processing is based on legitimate interests (akin to Section 6A of the Irish DP Act)

Issue 3: Right to be Forgotten - Impact
Right to be forgotten does not arise where:
- Data is being lawfully processed; AND
- There is an alternative basis to justify the processing, including:
  - Consent
  - Necessary to perform a contract with the data subject (NB for difficult customers)
  - Necessary to comply with a legal obligation

Issue 3: Right to be Forgotten - Questions
If a right to be forgotten request comes in, check:
- What's our justification for keeping this data?
- Are we happy that this data generally complies with data protection law?
If:
- Relying on consent, contract or legal obligations as a justification; and
- Satisfied that the data otherwise complies with the DP Acts
then deletion should not be required.
- No proactive screening requirement

Issue 3: Right to be Forgotten - Policy
- Increased ability of individuals to manage their online reputations
- Broader trend towards human rights style data protection decisions: SABAM; Digital Rights Ireland; Schrems
- Likely to lead to more litigation in this space
- Potential trade implications: TTIP; divergence between US and EU law

Conclusions
- Marketing subs can ground data protection jurisdiction over the parent
- An expansive definition of data controller has been adopted
- The right to be forgotten only arises in limited circumstances
- Seminal judgment will shape future policy and case law
Defending your Data
Rob McDonagh

Some Quick Facts
- Average cost is $3.5 million / 145 per record
- Biggest hit from loss of reputation and customers
- Incident response plan shown to reduce cost
- = take security breaches seriously

Managing a Security Incident
- You cannot be prepared for a security incident without having prepared for it!

3 Important Points
- Data controller primarily responsible, even if the breach is caused by a data processor: what are you?
- Security breach: not necessarily a breach of DP law; could still be a breach of contract
- You need to consider the laws of other countries too

Key Management Tools
- Security Breach Policy (and training)
- IT Security Policy
- Acceptable Usage Policy
- Firewalls
- Logs / red flags
- Supplier due diligence
- Contractual measures
- Insurance

Security Breach Policy
- Create a Security Breach Policy
- Reporting lines
- Incident management team (and deputies): compliance/audit/legal/IT/security/PR/business control etc.; include a senior officer so the team can make quick decisions
- Third party advisers
- Include contact details
- Identify key action points
- Training for incident management team

Key Action Points - Initial Steps
- Act quickly
- Assemble incident response team
- Internal escalation
- Stop or mitigate breach
- Information lockdown
- Preserve evidence (NB: remember litigation is possible)

Key Action Points - Investigation
- Identify data controller: determine your status
- Investigate facts: data affected; individuals affected; cause; resulting harm / damage
- Use legal counsel: legal privilege?
- Remember things move and change quickly

Key Action Points - Implications
- Consider exposure: liability and fines; contract termination; audit / escalation
- Contractual obligations?
- Consider any wider business critical implications
- Tolling agreement

Key Action Points - Notifications
- Notify insurers if required under policy
- Consider regulatory notifications in Ireland and abroad, e.g. DPC, Gardaí, foreign DPC etc.
- Consider data subject / customer / DC notifications
- Check relevant contracts: confidentiality; preservation of rights

Key Action Points - Customer Relations
- Create customer relations strategy
- Press release
- Customer relationship management
- Mitigation measures: hotline, online helpdesk, monitoring service, discounts etc.

Key Action Points - Corrective Action
- Audit
- Disaster recovery / business continuity etc.
- Implement corrective / disciplinary action

Should you Notify DPC?
- No express obligation (except ECSPs / ECNPs)
- No fines in Ireland (except ECNPs / ECSPs); different in other countries
- Negative PR resulting from failure to disclose: can the incident be contained?
- Have you notified other regulators?
- Draft EU Regulation

Should you Notify DPC?
- DPC has a statutory obligation of confidentiality
- General practice not to disclose except in response to inquiry by media or a concerned person
- However, may issue press release or notify other DPCs if significant incident

Should you Notify DPC?
Before making disclosure, also consider:
- Is disclosure permitted by contract?
- Must you notify insurers first?
- Implications of DPC finding for third party litigation?
- Other implications?
- Similar issues apply to other notifications, e.g. to individuals
- Notification based on current information
- Remember DPC has statutory enforcement powers

Voluntary Code
- Applies if personal data put at risk
- Also earlier DoF public sector guidance
- Code only applicable if DC or DP subject to DPA
- Code is not legally binding (unless incorporated into contract)
- Not applicable to ECNP / ECSP as separate legislation applies

Voluntary Code - DC and DPC Notifications
- DP must report to DC all incidents of loss of control of data
- DC must report to DPC incidents in which data put at risk within 2 working days unless:
  - individuals already informed;
  - no more than 100 data subjects; and
  - does not include sensitive personal data or financial data
- Keep summary record even if you don't notify DPC: brief description, why you chose not to notify

Voluntary Code - Notifying Individuals
- DC must give immediate consideration to informing those affected
- No obligation if no risk to data due to technological measures of a high standard
- Risk of over-notification or more harm than good
- Audit trail for reasons not to notify

Steps in a DPC Investigation
1. Initial call
2. Written submission:
   - amount and nature of personal data
   - action to secure / recover personal data
   - action to inform those affected or reasons for the decision not to do so
   - action to limit damage or distress to those affected
   - chronology of events leading up to incident
   - measures to prevent repetition

Steps in a DPC Investigation
3. Additional materials:
   - Contract
   - Recruitment process
   - Relevant policies
   - Training documents
   - Log of training for relevant staff
   - Expressly state it is confidential and commercially sensitive
   NB: remember your confidentiality obligations

Steps in a DPC Investigation
4. Site visit:
   - systems
   - procedures
   - live demonstrations
   - questions
   - (enforcement notice?)
5. Draft finding or report / recommendations
6. Right of reply
7. Final finding or report

Third Party Contracts
- Diligence
- Notification of incident
- Control of incident
- Co-operation / information / preservation obligations
- Right to interrogate devices / data
- Right to interview personnel

Third Party Contracts
- Notification of policies to others
- Restoration of data
- Confidentiality clause
- Indemnity / cap subject to law qualifications
Covering your bases
Ailbhe Gilvarry

Civil Liability for Breach
- Michael Collins v FBD
- DP complaint and investigation
- Circuit Court
- High Court

Insurance
- Third Party Claims
- First Party Expenses

Third Party Claims
- Disclosure
- Content
- Reputational
- Conduit
- Impaired Access

First Party Claims
- Notification
- Regulator
- Reputation and Response Costs
- Cyber Extortion
- Network Interruption

Q&A
More informationThe Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations
The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations Jeffrey D. Scott Jeffrey D. Scott, Legal Professional Corporation Practice Advisors
More informationData Protection and Cloud Computing: an Overview of the Legal Issues
Data Protection and Cloud Computing: an Overview of the Legal Issues Christopher Kuner Partner, Hunton & Williams, Brussels Research Assistant, University of Copenhagen Nordic IT Law Conference Copenhagen,
More informationPosition of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015
2 September 2015 Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 We support the efforts of EU legislators to create a harmonised data protection
More informationCorporate Policy and Procedure
Page Page 1 of 9 TAB: SECTION: SUBJECT: ROADS AND TRAFFIC TRAFFIC OPERATIONS CLOSED CIRCUIT TELEVISION (CCTV) TRAFFIC MONITORING SYSTEMS POLICY STATEMENT POLICY PURPOSE The City of Mississauga may install
More informationData Privacy in the Cloud: A Dozen Myths & Facts
Data Privacy in the Cloud: A Dozen Myths & Facts March 7-9 Washington DC Presented by: Barbara Cosgrove, Chief Security Officer, Workday, Inc. Lothar Determann, Partner, Baker & McKenzie LLP We re taking
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES
More informationNew EU Data Protection legislation comes into force today. What does this mean for your business?
24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )
More informationEU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda?
EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? Dr. Jörg Hladjk Counsel European Data Protection & Privacy Practice Hunton & Williams, Brussels Cyber Security
More informationProposed guidance for firms outsourcing to the cloud and other third-party IT services
Guidance consultation 15/6 Proposed guidance for firms outsourcing to the cloud and other third-party IT services November 2015 1. Introduction and consultation 1.1 The purpose of this draft guidance is
More informationCloud Software Services for Schools
Request for information on the document re: cloud and secure storage posted on the DfE website, response provided by DfE and Schools Commercial team: The focus of the project is on data security/safety
More informationPrivacy Rules for Customer, Supplier and Business Partner Data
Privacy Rules for Customer, Supplier and Business Partner Data Contact details Philips Privacy Office c/o Philips International BV, Amstelplein 2, 1096 BC, the Netherlands. E-mail: Philips_Privacy_Office@philips.com
More informationOVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.
Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in
More information005ASubmission to the Serious Data Breach Notification Consultation
005ASubmission to the Serious Data Breach Notification Consultation (Consultation closes 4 March 2016 please send electronic submissions to privacy.consultation@ag.gov.au) Your details Name/organisation
More informationCERTIFICATE IN DATA PROTECTION DATA SECURITY & DATA PROTECTION. Presented by Sophie More O Ferrall 9 February 2015
CERTIFICATE IN DATA PROTECTION DATA SECURITY & DATA PROTECTION Presented by Sophie More O Ferrall 9 February 2015 DATA SECURITY LEGAL REQUIREMENTS SECTOR SPECIFIC ISSUES INTERNATIONAL TRANSFERS DATA SECURITY
More informationCloud Software Services for Schools
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact
More informationWhat would you do if your agency had a data breach?
What would you do if your agency had a data breach? 80% of businesses fail to recover from a breach because they do not know this answer. Responding to a breach is a complicated process that requires the
More informationDefinitions. Catch-all definition:
BUSINESS ASSOCIATE AGREEMENT THESE PROVISIONS MAY STAND ALONE AS A BUSINESS ASSOCIATE AGREEMENT, OR MAY BE INCORPORATED INTO A LARGER, MORE COMPREHENSIVE CONTRACT WITH THE BUSINESS ASSOCIATE TO COVER OTHER
More informationJoe A. Ramirez Catherine Crane
RIMS/RMAFP PRESENTATION Joe A. Ramirez Catherine Crane RISK TRANSFER VIA INSURANCE Most Common Method Involves Assessment of Risk and Loss Potential Risk of Loss Transferred For a Premium Insurance Contract
More informationEffective Date: Oct. 27, 2009... 1
Policy Title: Office of Information Technology Email Usage and Retention Policy Policy No.: 7010 Rev.: 0 Effective Date: Oct. 27, 2009 Last Revision: Oct. 27, 2009 Responsible Office: Responsible Official:
More informationPage 1 of 15. VISC Third Party Guideline
Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision
More informationMorgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers
Morgan Stanley Policy for the Management of Third Party Residential Mortgage Servicing Providers Title Policy for the Management of Third Party Residential Mortgage Servicing Providers Effective Date Owner
More informationHIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.
More informationON CIRCULATION OF CREDIT INFORMATION AND ACTIVITIES OF CREDIT BUREAUS THE REPUBLIC OF ARMENIA LAW
THE REPUBLIC OF ARMENIA LAW ON CIRCULATION OF CREDIT INFORMATION AND ACTIVITIES OF CREDIT BUREAUS Adopted October 22, 2008 Article 1. Subject of Law CHAPTER 1 GENERAL PROVISIONS 1. This law regulates terms
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More information