IAPP Global Privacy Summit
Protecting Privacy Under the Cybersecurity Microscope
March 6, 2014
Victoria King, UPS, (404) 828-6550, vking@ups.com
Lisa J. Sotto, Hunton & Williams LLP, (212) 309-1223, lsotto@hunton.com, www.huntonprivacyblog.com

What is Privacy and Data Security?
Privacy is the appropriate use of information, as defined by:
- Laws and regulations
- Individuals' expectations
Security is the protection of information:
- Protection of data
- Confidentiality
- Data integrity

Privacy and Data Security Risks
Privacy risks:
- Legal compliance
- Reputation
- Investment reticence
Security risks:
- Loss of sensitive or business-confidential data
- Data corruption
- Disruption of business processes / systems
- Reputation

Cybersecurity Landscape
- Threat actors
- Threat vectors
- Information and systems targeted

U.S. Legislative Landscape
- Numerous bills proposed
- Key privacy-related provisions: information sharing; liability protections
- Reasons for failure

U.S. Policy Landscape
February 2013: the President announced two new initiatives:
1) Executive Order 13636: Improving Critical Infrastructure Cybersecurity
2) Presidential Policy Directive 21: Critical Infrastructure Security and Resilience
Together, they create an opportunity for government and industry to work together to effect a comprehensive national approach to security and risk management. Implementation efforts will drive action toward system and network security and resiliency.

Executive Order 13636: Improving Critical Infrastructure Cybersecurity
Directs the Executive Branch to:
- Develop a technology-neutral, voluntary cybersecurity framework
- Promote and incentivize the adoption of cybersecurity practices
- Increase the volume, timeliness and quality of cyber threat information sharing
- Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
- Explore the use of existing regulation to promote cybersecurity

Executive Order Privacy Provisions
- Section 5 requires that privacy and civil liberties protections be incorporated into the various activities required of agencies under the EO
- Protections should be based on the Fair Information Practice Principles (FIPPs)
- The DHS Chief Privacy Officer must assess the privacy risks of DHS programs against the FIPPs; the same is required of other agencies' privacy officials
- Data submitted voluntarily by private entities under the EO will be protected from disclosure to the fullest extent permitted by law
- The Framework must include methodologies to protect privacy

Cybersecurity Framework
- Developed by NIST and industry stakeholders
- Intended to provide guidance on managing cybersecurity risk
- Relies on existing standards, guidance and best practices
- Risk-based approach
- Composed of three parts: Framework Core; Framework Profile; Framework Implementation Tiers
- Significance of the Framework

A Life-Cycle Methodology
[Diagram slide; no text recovered.]

NIST Core Framework Structure
Each Function is broken down into Categories, then Subcategories, each mapped to Industry Standards:
Function | Category | Subcategory | Industry Standards
Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER

Function Categories
5 Functions, 22 Categories, 98 Subcategories
- Identify: asset management, business environment, governance, risk assessment, risk management strategy
- Protect: access control, awareness & training, data security, information protection processes & procedures, maintenance, protective technology
- Detect: anomalies & events, security continuous monitoring, detection processes
- Respond: response planning, communications, analysis, mitigation, improvements
- Recover: recovery planning, improvements, communications

Executive Information
[Roadmap visualization slide.] This same roadmap visualization can be applied to the categories and subcategories within each Function.

Framework Privacy Provisions
- Background: Appendix B of the preliminary Framework (the proposed privacy methodology); workshop discussions
- The final Framework addresses privacy in the "How to Use" section
- Now a general set of considerations rather than a prescriptive methodology

EU Cybersecurity Issues
- ePrivacy Directive: breach notification requirements, but limited to telcos and ISPs
- Some breach notification requirements at Member State level
- NIS Directive (draft):
  - Member States must adopt an NIS strategy and designate a national NIS authority
  - Creation of a network for governments to share threat information
  - Critical infrastructure and information services companies (e.g., social networks) must implement security measures and report significant incidents to the NIS authority
- Overlap with the proposed General Data Protection Regulation, which requires reporting of personal data breaches to the DPA

U.S. Information Sharing
- DHS CRADA (Cooperative Research and Development Agreement): required for private-sector entities to participate in the NCCIC (National Cybersecurity and Communications Integration Center) and CISCP (Cyber Information Sharing and Collaboration Program); facilitates information sharing
- FBI MOA (Memorandum of Agreement): delineates expectations and obligations for participating companies so the FBI can share actionable cyber information with industry partners; industry partners are encouraged to share data with the FBI
- Privacy risks associated with information sharing

Managing the Changing Landscape
- This is a governance issue, not an IT issue
- Senior executives set the tone
- Cybersecurity used to be the CISO's responsibility; those days are over
- Interdisciplinary efforts are key: CISO, IT, CPO, GR, Communications and other stakeholders
- The issue has now spread throughout the organization, and the CPO's involvement is crucial

Organizational Shift is Needed
Managing cybersecurity implicates privacy at every turn:
- Data identification and classification is necessary to manage cyber risks
- Sharing data is necessary for incident prevention
- Access controls are key
- Use of data often is required for response actions

Integrating Privacy Into the CISO's Suite
- Coordinated governance between CISO and CPO
- Formalized issue review process
- Integration of privacy into information security's risk assessment process
- Cross-functional team reviews
- Privacy by design for new products and processes
- Periodic review of current processes
- Cross-training
- Communication

Training and Awareness
- Proselytize early and often so personnel understand global privacy considerations
- Tailored approach: no one-size-fits-all
- Formal training
- Creative communications tools
- Knowing communication tricks
- Measuring effectiveness

Protecting PII in an Insecure World
- Identify the categories of PII stored and know their locations
- Identify key threats to PII and plug vulnerabilities
- Focus on the most sensitive data
- Ensure strict access controls on databases containing sensitive PII
- Frequently revisit PII access permissions
- Ensure other strong safeguards for PII in your systems; also consider vendor systems
- Practice data minimization

Privacy Considerations During an Event
- Anonymize or delete PII before sharing it in connection with a cybersecurity investigation or remediation activities
- Limit disclosure of PII to what is necessary to mitigate the incident
- When performing forensics, retain only the PII necessary to the investigation
- Understand global breach reporting obligations

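The following is an added example, not part of the presentation, of what the first two points above look like in practice when an incident team hands log extracts to an outside party (a vendor, an ISAC, law enforcement). It assumes plain-text key=value proxy and authentication logs (the sample lines, hosts and addresses are constructed), treats RFC 1918 addresses and e-mail addresses as the organization's PII, and leaves external attacker addresses and URLs intact so the recipient can still act on them. It uses keyed pseudonymization (HMAC-SHA256) rather than deletion so that the same user or host maps to the same token across lines and can be correlated; note that this is pseudonymization, not anonymization: whoever holds the key can re-identify the tokens, so the key must stay with the sharing organization, and where the recipient must never be able to learn identities the field should be dropped instead (the `drop` parameter does that).

```python
"""Pseudonymise PII in log lines before they leave the incident team.

Added example (not from the deck). Assumed setting: plain-text key=value
proxy/auth logs; internal IPs and e-mail addresses are PII that must stay
correlatable across lines (same user -> same token) but not disclosed;
attacker-side indicators (external IPs, URLs) are left intact so the
recipient can still act on them. Only the sharing organisation holds KEY,
so tokens can be resolved internally if an investigation requires it.
"""
import hashlib
import hmac
import ipaddress
import re

# Demo key only. In practice generate with secrets.token_bytes(32), store it
# outside the shared package, and rotate it per incident.
KEY = b"incident-2014-03-demo-key-do-not-reuse"

# Constructed sample lines; names, hosts and addresses are made up.
SAMPLE_LOGS = [
    "2014-03-06T10:12:01Z proxy src=10.20.30.41 user=jdoe@example.com dst=198.51.100.7 url=http://198.51.100.7/dl.php?x=1 status=200",
    "2014-03-06T10:12:09Z proxy src=10.20.30.41 user=jdoe@example.com dst=198.51.100.7 url=http://198.51.100.7/b.exe status=200",
    "2014-03-06T10:13:44Z auth src=10.20.30.52 user=msmith@example.com result=FAIL",
    "2014-03-06T10:15:02Z proxy src=10.20.30.52 user=msmith@example.com dst=203.0.113.9 url=http://203.0.113.9/ status=403",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# RFC 1918 ranges are treated as "our side". Deliberately not ipaddress.is_private,
# which also flags the documentation ranges (198.51.100.0/24, 203.0.113.0/24)
# that stand in for attacker addresses in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def pseudonym(value: str, key: bytes, label: str, length: int = 12) -> str:
    """Deterministic keyed token: same input -> same token; not invertible without key."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return f"{label}_{digest[:length]}"


def is_internal(ip: str) -> bool:
    """True only for RFC 1918 addresses; malformed input is treated as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def strip_fields(line: str, fields: tuple) -> str:
    """Drop whole key=value pairs the recipient does not need (data minimisation)."""
    for field in fields:
        line = re.sub(r"\s*\b" + re.escape(field) + r"=\S+", "", line)
    return line


def pseudonymize_line(line: str, key: bytes = KEY) -> str:
    """Replace e-mail addresses and internal IPs with keyed tokens; leave the rest."""
    # E-mail addresses first, so the domain part never survives on its own.
    line = EMAIL_RE.sub(lambda m: pseudonym(m.group(0), key, "user"), line)
    # Tokenise only internal addresses; external ones are the indicators being shared.
    line = IPV4_RE.sub(
        lambda m: pseudonym(m.group(0), key, "host") if is_internal(m.group(0)) else m.group(0),
        line,
    )
    return line


def prepare_for_sharing(lines, key: bytes = KEY, drop: tuple = ()) -> list:
    """Minimise first (drop fields the recipient does not need), then pseudonymise."""
    return [pseudonymize_line(strip_fields(line, drop), key) for line in lines]


def tokens(line: str, label: str) -> list:
    """Return the pseudonym tokens with the given label found in a line (for checks)."""
    return re.findall(label + r"_[0-9a-f]{12}", line)


if __name__ == "__main__":
    for out in prepare_for_sharing(SAMPLE_LOGS, drop=("status",)):
        print(out)
```

Run as-is it prints the four sample lines with `user_…` and `host_…` tokens in place of the addresses; the two lines from the same workstation carry the same `host_` token, which is what lets the recipient see one infected host downloading two files without learning which host it was. Pass `drop=("user",)` when the recipient has no need for the user field at all.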
Key Privacy Issues When Interacting with Law Enforcement
- Collection limitation
- Purpose specification
- Use limitation
- Disclosure limitation
- Data integrity
- Retention limitation

Data Breach Response Timeline (source: PwC, March 2011)
1. Event
2. Mobilize
3. Stabilize
4. Investigate
5. Notify
6. Review & Improve
7. Regulatory Response
8. Lawsuits

Contacts
Victoria King, Global Privacy Officer, UPS, (404) 828-6550, vking@ups.com
Lisa Sotto, Partner, Hunton & Williams LLP, lsotto@hunton.com, www.huntonprivacyblog.com

Privacy in the DHS Cybersecurity Enterprise
Karen Neuman, Chief Privacy Officer, DHS
Privacy process:
- Embed people
- Establish policy
- Conduct PIAs (Privacy Impact Assessments)
- Conduct PCRs (Privacy Compliance Reviews)
Privacy protections:
- Limit collection
- Protection at the edge
- (Re)enforce oversight
- Drive transparency
www.dhs.gov/cybersecurity-and-privacy