Society of Corporate Compliance & Ethics Data Security Technology 101 for Compliance Professionals




Society of Corporate Compliance & Ethics
Data Security Technology 101 for Compliance Professionals
Jonathan Armstrong, 29th March 2015, London
Cordery 2015 1

"In 2005 Facebook didn't exist for most people, Twitter was still a sound, the cloud was something in the sky, 3G was a parking space, applications were what you sent to colleges, and Skype was a typo." Thomas Friedman

Data Security Landscape
- Personal data has a value
- Different political reactions
- Different legal systems worldwide
- Different enforcement even within Europe
- Contrasting approach: Europe v. US
- Snowden has changed the game

Target
- 2nd largest discount retailer in the US
- December 2013: data breach of Target's systems affected up to 110 million customers
- Russian teenager suspected
- 10% storewide discount in run-up to Christmas
- Credit reporting
- Sales still down 3-4% (c. $17bn turnover company)
- 475 positions went in early 2014, including CIO
- CEO resigned in May
- Interim CEO: "We're in a place when it comes to the data breach where we don't have visibility yet to potential third party liabilities and operating expenses they've incurred"
- $10 million class action settlement announced in March 2015
- Shareholder actions to follow?

Privacy: a view from Europe
"Profiling is a modern EVIL.... Technical social sorting is now so aggressive that it looks like the processes involved in the identification, ghettoization and elimination of the Jews in the 1940's... this group of people.. are actually now starving and they are often pushed into suicide. Their need for the Right to be Forgotten, executed as a physical erasure of all past data from all sources, is essential...the next class action should be taken by the old, who are also being pushed into destitution and who will be nudged into assisted suicide by the use of covert profiling. There is nothing trivial about the breaching or circumvention of data protection laws in these über technical times.."

EU data protection law
- Principles based
- Local law varies
- Enforcement varies
- Prior registration can be required to collect data
- Steps must be taken if transferring data to the US (or most other non-EU countries)

Principle 2
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Example: Bank of Scotland
- Robbie Hastie revealed details of Hibs players' wages
- Pleaded guilty to DP offence of knowingly or recklessly disclosing information without consent
- £400 fine
- Bank of Scotland co-operated

Principle 3
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Example: Deutsche Bahn
- Monitoring employees as anti-corruption measures
- c. 173,000 employees affected
- Reconciliation of employee data with data on 80,000 suppliers
- Collection of bank data of employees
- Interception of email traffic
- Overall fines of €1.1m

Principle 6
Personal data shall be processed in accordance with the rights of data subjects.

Example: Big Brother
- 1,081,822 total fine
- 150,250 fine for lack of IS training, policy etc.
- Appeal failed

Principle 7
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Example: UK ICO fine for MoJ
- Visitor to prison received email with inmate's details
- Investigation revealed 2 other occasions when this happened
- One clerk responsible, who had accidentally pasted the file into the emails
- No proper DLP system in place
- Training inadequate
- ICO issues monetary penalty of £140,000 in October 2013

Example: Co-Op Life Planning
- Software subcontractor uploaded customer details to cloud
- 82,000 records
- Details unencrypted and online
- No really sensitive data
- Co-Op had appropriate policies
- ICO announced settlement on undertakings 26th May 2011

Example: Sony Hack
2011 hack:
- Software not patched
- Hackers exploited known vulnerability
- £250,000 monetary penalty
2014 hack:
- Employees resigned
- Disruption to film schedules
- Talent protests
- ICO action?
- 99m fine under new EU rules?

Example: Dark Hotel
- Significant threats to corporate networks and executives
- Outlook diaries rarely protected
- Issues around battery power and connectivity as the new opium
- Phishing, spear phishing, watering hole
- VPN compromise

Prevention
Dutch CBP: Contingency plan
"Every organisation should have a contingency plan indicating exactly what is to happen in the event of an emergency. However, such a plan is useful only if personnel are familiar with it and regular drills have been held to practise its implementation..."

Questions
Jonathan Armstrong, Cordery
jonathan.armstrong@corderycompliance.com
+44 (0)207 075 1784
www.twitter.com/armstrongjp

2013 Duane Morris LLP. All Rights Reserved. Duane Morris is a registered service mark of Duane Morris LLP.
Duane Morris Firm and Affiliate Offices: New York, London, Singapore, Los Angeles, Chicago, Houston, Hanoi, Philadelphia, San Diego, San Francisco, Baltimore, Boston, Washington, D.C., Las Vegas, Atlanta, Miami, Pittsburgh, Newark, Boca Raton, Wilmington, Cherry Hill, Lake Tahoe, Ho Chi Minh City. Duane Morris LLP, a Delaware limited liability partnership. www.duanemorris.com
Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority. SRA number 608187. Company number 07931532, registered in England and Wales. VAT number: 730859520. Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom.

New EU data rules
- Suppliers outside EU in scope
- Right to be forgotten
- More SARs and removal of the SARs fee

New EU data rules
- Proposed Regulation, not Directive
- Fines of 2% of global turnover
- Toughened enforcement bodies
- Consent less of an option
- Breach reporting in 24 hours?

Right to be forgotten
- Google case
- Extra-territorial reach including US corporations
- Huge increase in burden on companies in all sectors
- Not limited to search engines:
  o Internal investigations
  o AML
  o Due diligence
  o Employment
- Bad boy's charter?

Privacy class actions
- Proposed new German law
- The Schrems case

Reduced ability to do background checks
- New UK law applies from 10 March 2015
- Bans forced SARs
- Criminal offence: unlimited fine in the Crown Court

Demographics
LinkedIn Specimen Company in 2010:
- Over 2,000 employees signed up
- 5,907 followers
- Average age 33 years
- Average tenure 3 years

Security issues
- Less job security
- Ability to do more damage
- Volatile stock prices
- Lower trading volumes
- Quicker spread of information

Cyber insurance
- Emerging market in Europe
- More mature market in the US
- Are some sectors uninsurable, e.g. retail?
- Check carefully the policy you are buying
- Do proper due diligence on the insurer/underwriter
- Unlikely to be the whole answer

The Perfect Storm: More (& Less)
More:
- Reliance on 3rd parties, e.g. outsourcing, SaaS, Cloud
- Cost pressure
- Regulation and enforcement
- Geography
- Social networking
- Value in stolen data
- Speed
- Whistleblowers
- Chance of getting caught
- Focus on investigations
- Subject militancy, e.g. Google case
- People trying to rewrite the past because they can
Less:
- Care
- Compliance and legal resources
- Attention to contractual terms
- Vendor accountability
- Sympathy from courts and regulators

Resources
- Book: www.tinyurl.com/jpa001
- Podcasts: www.bit.ly/techlaw10
- iTunes: www.bit.ly/techlaw10i
- New EU Data Rules: http://bit.ly/1mjm1up
- Dark Hotel: http://bit.ly/1milqy2
- The right to be forgotten: http://bit.ly/1bf9ly1
- Background checks: http://bit.ly/1bpwob8
- Privacy class actions: http://bit.ly/1gwyphv
- LinkedIn: www.linkedin.com/in/jparmstrong

Questions
Jonathan Armstrong, Cordery
jonathan.armstrong@corderycompliance.com
+44 (0)207 075 1784
www.twitter.com/armstrongjp
Come and see us in the Exhibition Hall on table 14