Society of Corporate Compliance & Ethics Data Security Technology 101 for Compliance Professionals

Size: px

Start display at page:

Download "Society of Corporate Compliance & Ethics Data Security Technology 101 for Compliance Professionals"

Daniella Lindsey
8 years ago
Views:

1 Society of Corporate Compliance & Ethics Data Security Technology 101 for Compliance Professionals Jonathan Armstrong 29 th March 2015, London Cordery in 2005 Facebook didn t exist for most people, twitter was still a sound, the cloud was something in the sky, 3G was a parking space, applications were what you sent to colleges, and Skype was a typo. Thomas Friedman Cordery

exist for most people, twitter was still a sound, the cloud was something in the sky, 3G was a

2 Data Security Landscape Personal data has a value Different political reactions Different legal systems worldwide Different enforcement even within Europe Contrasting approach Europe v. US Snowden has changed the game Cordery Target 2 nd largest discount retailer in the US December 2013: data breach of Target's systems affected up to 110 million customers Russian teenager suspected 10% storewide discount in run up to Christmas Credit reporting Sales still down 3 4% (c.$17bn turnover company) 475 positions went in early 2014 including CIO CEO resigned in May Interim CEO "We're in a place when it comes to the data breach where we don't have visibility yet to potential third party liabilities and operating expenses they've incurred" $10 million class action settlement announced in March 2015 Shareholder actions to follow? Cordery Cordery

suspected 10% storewide discount in run up to Christmas Credit reporting Sales still down 3 4% (c.

3 Privacy a view from Europe Profiling is a modern EVIL.... Technical social sorting is now so aggressive that it looks like the processes involved in the identification, ghettoization and elimination of the Jews in the 1940's... this group of people.. are actually now starving and they are often pushed into suicide. Their need for the Right to be Forgotten, executed as a physical erasure of all past data from all sources, is essential...the next class action should be taken by the old, who are also being pushed into destitution and who will be nudged into assisted suicide by the use of covert profiling. There is nothing trivial about the breaching or circumvention of data protection laws in these über technical times.. Cordery EU data protection law Principles based Local law varies Enforcement varies Prior registration can be required to collect data Steps must be taken if transferring data to the US (or most other non EU countries) Cordery Principle 2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. Cordery

. are actually now starving and they are often pushed into suicide. Their need for the Right to be Forgotten, executed as a physical erasure of all past data from all sources, is essential.

4 Example: Bank of Scotland Robbie Hastie Revealed details of Hibs players wages Pleaded guilty to DP offence of knowingly or recklessly disclosing information without consent 400 fine Bank of Scotland co operated Cordery Principle 3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Cordery Example: Deutsche Bahn Monitoring employees as anti corruption measures c.173,000 employees affected Reconciliation of employee data with data on 80,000 suppliers Collection of bank data of employees Interception of traffic Overall fines of 1.1m Cordery

purpose or purposes for which they are processed. Cordery 2015 10 Example: Deutsche Bahn Monitoring employees as anti corruption measures c.

5 Principle 6 Personal data shall be processed in accordance with the rights of data subjects Cordery Example: Big Brother 1,081,822 total fine 150,250 fine for lack of IS training, policy etc Appeal failed Cordery Principle 7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Cordery

2015 13 Principle 7 Appropriate technical and organisational measures shall be taken against unauthorised or

6 Example: UK ICO fine for MoJ Visitor to prison received with inmate s details Investigation revealed 2 other occasions when this happened One clerk responsible who had accidentally pasted the file into the s No proper DLP system in place Training inadequate ICO issues monetary penalty of 140,000 in October 2013 Cordery Example: Co Op Life Planning Software subcontractor uploaded customer details to cloud 82,000 records Details unencrypted & online No really sensitive data Co Op had appropriate policies ICO announced settlement on undertakings 26 th May 2011 Cordery Example: Sony Hack 2011 hack: Software not patched Hackers exploited known vulnerability 250,000 monetary penalty 2014 hack: Employees resigned Disruption to film schedules Talent protests ICO action? 99m fine under new EU rules? Cordery

uploaded customer details to cloud 82,000 records Details unencrypted & online No really sensitive data Co Op had appropriate policies ICO announced settlement on undertakings 26 th May 2011 Cordery

7 Example: Dark Hotel Significant threats to corporate networks and executives Outlook diaries rarely protected Issues around battery power and connectivity as the new opium Phishing spear phishing watering hole VPN compromise Cordery Prevention Dutch CBP: Contingency plan Every organisation should have a contingency plan indicating exactly what is to happen in the event of an emergency. However, such a plan is useful only if personnel are familiar with it and regular drills have been held to practise its implementation... Cordery Questions Jonathan Armstrong Cordery jonathan.armstrong@corderycompliance.com +44 (0) Duane Morris LLP. All Rights Reserved. Duane Morris is a registered service mark of Duane Morris LLP. Duane Morris Firm and Affiliate Offices New York London Singapore Los Angeles Chicago Houston Hanoi Philadelphia San Diego San Francisco Baltimore Boston Washington, D.C. Las Cordery Vegas Atlanta is a trading Miami Pittsburgh name of Newark Cordery Boca Raton Compliance Wilmington Limited. Cherry Hill Authorised Lake Tahoe Ho and Chi regulated Minh City Duane by the Morris Solicitors LLP A Delaware Regulation limited liability Authority. partnership SRA number Company number registered in England and Wales. VAT number: Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom 7

However, such a plan is useful only if personnel are familiar with it and regular drills have been held to practise its implementation... Cordery 2015 19 Questions Jonathan Armstrong Cordery jonathan.

8 New EU data rules Suppliers outside EU in scope Right to be forgotten More SARs & removal of the SARs fee Cordery New EU data rules Proposed Regulation not Directive Fines of 2% of global turnover Toughened enforcement bodies Consent less of an option Breach reporting in 24 hours? Cordery Right to be forgotten Google case Extra territorial reach including US corporations Huge increase in burden on companies in all sectors Not limited to search engines o Internal investigations o AML o Due diligence o Employment Bad boy s charter? Cordery

9 Privacy class actions Proposed new German law The Schrems case Cordery Reduced ability to do background checks New UK law applies from 10 March 2015 Bans forced SARs Criminal offence unlimited fine in the Crown Court Cordery Demographics LinkedIn Specimen Company in 2010 Over 2,000 employees signed up 5,907 followers Average age 33 years Average tenure 3 years Cordery

unlimited fine in the Crown Court Cordery 2015 25 Demographics LinkedIn Specimen Company in 2010

10 Security issues Less job security Ability to do more damage Volatile stock prices Lower trading volumes Quicker spread of information Cordery Cyber insurance Emerging market in Europe More mature market in the US Are some sectors uninsurable e.g. retail? Check carefully the policy you are buying Do proper due diligence on the insurer/underwriter Unlikely to be the whole answer Cordery The Perfect Storm More (& Less) More Reliance on 3 rd parties, e.g. outsourcing; SaaS; Cloud Cost pressure Regulation and enforcement Geography Social networking Value in stolen data Speed Whistleblowers Chance of getting caught Focus on investigations Subject militancy e.g. Google case People trying to rewrite the past because they can Less Care Compliance and legal resources Attention to contractual terms Vendor accountability Sympathy from courts & regulators Cordery

Check carefully the policy you are buying Do proper due diligence on the insurer/underwriter Unlikely to be the whole answer Cordery 2015 28 The Perfect Storm More (& Less) More Reliance on 3 rd

11 Resources Book Podcasts itunes New EU Data Rules Dark hotel The right to be forgotten Background checks Privacy class actions LinkedIn Cordery Questions Jonathan Armstrong Cordery +44 (0) Come and see us in the Exhibition Hall on table Duane Morris LLP. All Rights Reserved. Duane Morris is a registered service mark of Duane Morris LLP. Duane Morris Firm and Affiliate Offices New York London Singapore Los Angeles Chicago Houston Hanoi Philadelphia San Diego San Francisco Baltimore Boston Washington, D.C. Las Cordery Vegas Atlanta is a trading Miami Pittsburgh name of Newark Cordery Boca Raton Compliance Wilmington Limited. Cherry Hill Authorised Lake Tahoe Ho and Chi regulated Minh City Duane by the Morris Solicitors LLP A Delaware Regulation limited liability Authority. partnership SRA number Company number registered in England and Wales. VAT number: Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom 11

com/in/jparmstrong Cordery 2015 30 Questions Jonathan Armstrong Cordery jonathan.armstrong@corderycompliance.com +44 (0)207 075 1784 www.twitter.

Big Data, Big Issues: Global Challenges and Effective Solutions

Big Data, Big Issues: Global Challenges and Effective Solutions Thomas Obermaier and Jonathan Armstrong SCCE Annual Compliance & Ethics Institute October 7, 2015 Las Vegas What is big data? Big data is