Christine M. Frye, CIPP/US, CIPM, Chief Privacy Officer, Bank of America
Dana Simberkoff, JD, CIPP/US, Vice President, Risk Management and Compliance, AvePoint

The Landscape
Prevention and Response Planning
The Event
Looking Backwards and Forwards
Key Takeaways
Per Breached Record vs. Per Breached Event
Balancing Act: $ vs.
[Diagram: data protection cycle, steps 1-8, with inputs from Business Processes and IT Operations: Identify Sensitive Data (PII); Classify; Act (Move, Delete); Address Access; Protect Data (Policies, Procedures); Monitor (Real Time or Scheduled); Process improvement; Risk Management; Compliance Reports]
Privacy Impact Assessments
Program, Policies and Technology: It takes a village
A structured and automated approach to data breach prevention and response:
Measurement and validation with trend analysis, historical reporting and a point-in-time view of target repositories, for roll-up reporting to stakeholders
Automated forensic analysis of breaches
Proof to the authority that measures and actions are being taken to address compliance, to avoid and reduce fines
Content contributors, internal and external: Process owners; Legal; PR; CPO; $; IT; Data Security (CISO/CSO, IA, IRM); Records Management Officers; Social; Governance committee

Transparency and Collaboration
People: Training
Policy & Process: Governance & Oversight
Technology: Technical Enforcement
Data Protection and Management
1-Detect 2-Track 3-Respond 4-Resolve
The Privacy Event Management Process should provide a documented, controlled and consistent approach to identify, mitigate, track and report privacy events.
Phases: Identify & Report; Mitigate & Control; Track & Decision; Escalation & Notification
Event Detected: monitor for events; report privacy event
Resolution Team Assembled: contain and investigate event; assess risk
Event Escalation: key stakeholders; executive management escalation process
Customer Notification: decide whether notification is required; execute notifications
Event Closure: define/monitor remediation; document event details; review/verify event documentation for closure
Reporting/Regulator Notification: trend/metric reporting; notify regulators, as needed
Data breach notification is increasingly a global requirement.
U.S. interagency guidance addresses response programs for unauthorized access to customer information maintained by financial institutions and their service providers.
Almost all U.S. states (forty-six) have enacted breach notification laws.
A growing number of countries are developing data breach notification rules.
Details vary by country, but breach notification laws generally relate to breaches involving personal information, which typically means an individual's name together with sensitive information such as a Social Security number, driver's license, credit card, PIN or other information that is likely to be involved in identity theft, or breaches that result in the potential compromise of the confidentiality or integrity of the data.

Know the right questions to ask in order to ensure applicable law is followed:
Have standard questions/checklists ready
Have an inventory and assessment of laws readily available
Understand where the variables may be: conflicting triggers, time frames, notice content, delivery mechanisms
Know which regulators and other parties you may need to contact and when: regulators, states, FTC, credit bureaus, law enforcement
Work on the response ahead of time to get to the common denominator:
Documented response plan with defined roles and responsibilities
Draft notices to comply with as many laws/regulations as possible
Predictive Measures
Reporting, Metrics and Measures
Actions to look into more broadly
Emerging Trends

General Classes/Categories of Breaches
Checklists
Considerations around disruptive technologies: Cloud/Social/Mobile/Online
Document and Automate
Tell them what you are going to do, Do it, Prove it!

Technology can help you: Detect, Track, Respond, Resolve, Prevent, Prove it!
Irresponsibility
Content needs to be monitored both in real time and on a schedule, using rule-based automated processes, in such a way as to provide systematic protection of information.
Classify content using metadata about the document: authors can add the metadata, but the system has controls that allow it to override the user's classification if that classification is in question. In short, enable business users to do the right thing while preventing them from doing the wrong thing (i.e. user-assisted tagging, "Trust and Verify").
Evaluate risk according to your organization's logic, to provide multiple perspectives on potential risk within content and on risk related to the delivery and transport of data.
Perform ongoing audits for compliance; run regularly scheduled scans of SharePoint sites.
Measure progress over time to demonstrate priority and the success of compliance initiatives, and modify as necessary.
Work with stakeholders and content authors to prioritize areas for improvement and address issues and concerns.
Link compliance improvements to any migration programs (scan data on your file shares before it is migrated to SharePoint).
All new initiatives should require compliance: get compliant, stay compliant.
Educate your staff as to what is sensitive information and the steps they need to take to protect it.
Use proper notifications on sites, as related to privacy and security, for internal and external data.
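A minimal form of that user-assisted tagging / "Trust and Verify" rule, as an added example that is not from the presenters or from AvePoint's product: a scheduled scan looks for SSN and card-number patterns in a constructed set of documents, keeps the author's classification tag when it is at least as strict as what the scan finds, overrides it upward otherwise, and rolls the override count up as a progress metric. The level names, detection regexes and sample documents are assumptions made for this example.

```python
import re

# Sensitivity levels in increasing order (labels are assumptions for this example).
LEVELS = ["public", "internal", "confidential"]
# Detection rules: US SSN shape, and 13-16 digit card-like numbers verified with Luhn.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops most random digit strings that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def detect_pii(text: str) -> list:
    """Return (rule, matched text) pairs found in the document body."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("card", m.group()))
    return findings

def classify(doc: dict) -> dict:
    """Trust the author's tag, verify it against content, override only upward."""
    user_level = doc.get("classification", "internal")  # author-supplied metadata
    findings = detect_pii(doc["text"])
    detected = "confidential" if findings else "public"
    final = max(user_level, detected, key=LEVELS.index)  # never downgrade a tag
    return {"name": doc["name"], "final": final,
            "overridden": final != user_level, "findings": findings}

def scan_repository(docs: list) -> dict:
    """One scheduled scan: per-document results plus a roll-up metric for reporting."""
    results = [classify(d) for d in docs]
    return {"results": results, "documents": len(results),
            "overridden": sum(r["overridden"] for r in results)}

# Constructed sample repository for this example (not real data).
SAMPLE_DOCS = [
    {"name": "hr-note.txt", "classification": "public", "text": "SSN 123-45-6789 on file."},
    {"name": "roadmap.txt", "classification": "confidential", "text": "Q3 roadmap draft."},
    {"name": "orders.txt", "classification": "internal", "text": "Order ref 1234567890123456."},
    {"name": "refund.txt", "classification": "internal", "text": "Refund to 4111 1111 1111 1111."},
]
```

The order reference in the third document has a card-like shape but fails the Luhn check, so it is not treated as sensitive; the two override events are what a trend report would count over successive scans.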
Thank you!