Data Security Regulatory Lansdcape

Before we begin

If you learn what's in this presentation

You will .........

... spend LESS time preparing for test (IAPP, CISA, CGEIT, etc.)

... have interesting material to impress your friends

Learn the difference between
real risk and just plain fun

Get a keener
perspective of
Operational Risk ,
which is
Risk without
Reward

Sources
Achieving Data Privacy in the Enterprise, Safenet Derek Tumulak, April 8, 2010
Regulatory Information Architecture, Steven Alder, IBM, 2010
The source of much of my research, Sue Hammer, IBM, 2010
California Data Privacy Laws: Is Compliance Good Enough?, Lumension, Chris Merritt, May 2010
Privacy Law & Financial Advisors, Proskauer, Brendon M. Tavelli, Nov 20, 2009
Medical Records on the Run: Protecting Patient Data with Device Control and Encryption, Sept 2009
2010 Data Breach Report, Verizon
Five Countries: Cost of Data Breach Sponsored by PGP Corporation, Dr. Larry Ponemon, April 19, 2010
How secure is your confidential data?, By Alastair MacWillson, ACCENTURE
The Leaking Vault, Five Years of Data Breaches, Suzanne Widup, Digital Forensics, July 2010
Top 10 Big Brother Companies: Ranking the Worst Consumer Privacy Infringers, Focus Editors
First Annual Cost of Cyber Crime Study, Ponemon, July 2010
States failing to secure personal data, By Kavan Peterson, Stateline.org
National Archives & Records Administration in Washington
2010 Annual Identity Protection Services Scorecard, Javelin Strategy & Research
A New Era of Compliance - Raising the Bar for Organizations Worldwide, RSA, Oct12, 2010
Evolve or Die, Bunger & Robertson, 2010
Compliance With Clouds: Caveat Emptor, by Chenxi Wang, Ph.D. , August 26, 2010
Obscured by Clouds, Ross Cooney, 2010
Digital Trust in the Cloud, Liquid Security in Cloudy Places, CSC, 2010
Making Data Governance as simple as possible, but not simpler, Dalton Servo

Let me be crystal clear,
Brian is NOT a lawyer

DISCLAIMER

All
Business
is
Regulated DECLARATION

My FOCUS
On the globe but US Centric

You are
here

DISCLAIMER

What's Inside ?

Erosion in Trust
Industry
Customer
Regulator

Futures

Business is concerned with RISK

Risk from Regulation,
Organized Crime,
Reduced Staffing,
Sloppy Performance,
Lack of Training,
New Technologies,
and even ...
Clients/Customers

... is creating an EROSION in TRUST!

Top Business Concern

Financial Times

New Motivations

E&Y 2010

Geography Implications

The Economist Intelligence Unit

Loss of data is one of the biggest regulator concerns
Loss, theft, mistakes, under protected, ...

... a Breach of Trust – Over 500,000,000 U.S. records since 2005

90% from external sources

48% insider help

85% from organized criminals

94% targeted financial data or sector

98% of records stolen produced by hack

96% of Trojans found were: "Crimeware-as-a-Service."

We can do better
96% avoidable by simple controls

86% had evidence in log files

66% on devices NOT aware contain SPI

5% loss to shareholders after breach

43% higher breach cost in U.S.

Financial Service
providers have a
39% confidence factor
for their ability to protect
your data from
Insider Threats
vs.
71% for External Threats
Deloitte – 2010 Financial Services Global Security Study – the faceless threat

A reputation is easy to lose, not so easy to recover
- 60% of companies that lose their data will shut down within 6 months of the disaster.

- 93% of companies that lost their data center for 10 days or more due to a disaster
filed for bankruptcy within one year of the disaster.

- 50% of businesses that found themselves without data management for this same
time period filed for bankruptcy immediately.

What can business do?
Restrict and monitor privileged users

Watch for 'Minor' Policy Violations

Implement Measures to Thwart Stolen Credentials

Monitor and Filter Outbound Traffic

Change Your Approach to Event Monitoring and Log Analysis

Share Incident Information

What is the Customer's view?

...what is causing this Erosion of Trust

Identity Theft #1 Consumer Complaint - FTC

10M Victims in the U.S.
$5K loss per business, $50B total
$500 loss per victim, $5B total
30 hours to recovery, 297M hours
all numbers are approximate or rounded up

Riskiest places for SSN#
Universities and colleges
Banking and financial institutions
Hospitals
State governments
Local government
Federal government
Medical (supply) businesses
Non-profit organizations
Technology companies
Health insurers and medical offices
Symantec – Nov, 2010

45% of businesses disagree to customer data control
47% of businesses disagree the customer has a right to control
50% of businesses did not see need to limit distribution of PII

>50% of customers believe they have a right to control their data

Trust Me – I'm lying?
1 There is a notable difference between organizations’ intentions regarding
data privacy and how they actually protect it.

North Carolina attempting to get 50M records from Amazon on citizens

<-Diverse

Deliberate->

Accountability – who's is looking out for me?
2 A majority (58%) of companies have lost sensitive personal information...

Insider involved in over 48% of data breaches

3 Regulatory compliance – No confidence they can keep pace
Many organizations believe complying with existing regulations is sufficient to protect their data.

What do these companies have in common?

1 Top 10 Big Brother Companies
Ranking the Worst Consumer Privacy Infringers, Focus Editors

48% of breaches caused by insiders

48% involved privileged misuse
61% were discovered by a 3rd party

Third parties – you sent my data to who?
4 Companies should be careful about the company they keep. It is crucial they
understand the perspective on and approach to data protection and privacy taken by
their third-party partners.

5 Culture
Companies that exhibit a “culture of caring” with respect to data protection and privacy are far less likely
to experience security breaches.

How to reverse the spin?

Build a Data Protection
and Privacy Strategy

Assign ownership

Develop comprehensive governance program

Evaluate data protection and privacy technologies
Build a culture

Reexamine investments

Choose business partners with care

You own some of this – Giving away your PRIVACY

Google

Social networking

RFID tags/loyalty cards

The Patriot Act

GPS

The Kindle

Privacy
Which comes 1st?

Breach Data
Notification Protection

Protect the consumer

Punish the breach
If the
Carrot
isn't working Promote compliance
it's time to ....

U.S. Breach
Notification
Laws
46 States,
the District of
Columbia,
Puerto Rico and
the Virgin
Islands

States with no security breach law: Alabama, Kentucky, New Mexico, and South Dakota
.http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx

The carrot is now
...avoid the paddle!

NERC - North American Electric Reliability Corporation

Current
Regulator
Take
Focus Reasonable
Measures

Risk
Breach Based
Prevention Approach

Data
Centric

Do the Regulators
have to follow Regulations ?

The “Rules” of Rulemaking – Kings have rules
Regulatory agencies create regulations according to rules and processes defined by another law
known as the Administration Procedure Act (APA).

The APA defines a "rule" or "regulation" as...

”[T]he whole or a part of an agency statement of general or particular applicability and future effect
designed to implement, interpret, or prescribe law or policy or describing the organization, procedure,
or practice requirements of an agency.

The APA defines “rulemaking” as…

“[A]gency action which regulates the future conduct of either groups of persons or a single person; it
is essentially legislative in nature, not only because it operates in the future but because it is primarily
concerned with policy considerations.”

Under the APA, the agencies must publish all proposed new regulations in the Federal Register at
least 30 days before they take effect, and they must provide a way for interested parties to
comment, offer amendments, or to object to the regulation.

Once a regulation takes effect, it becomes a "final rule" and is printed in the Federal Register, the
Code of Federal Regulations (CFR) and usually posted on the Web site of the regulatory
agency.
(c)Tomo.Yun (www.yunphoto.net/en/)"

Establish an
enterprise controls framework

Set/adjust threshold for controls for
"reasonable and appropriate" security

Streamline and automate
compliance processes (GRC)

Fortify third-party risk management

Unify the compliance and business agendas

Educate and influence regulators
and standards bodies

So ...

Regulators

Where are they headed?
What's their next target?

Current... and foreseeable future
Regulator
Take
Focus Reasonable
Measures

Risk
Breach Based
Prevention Approach

Data
Centric

Redux

Privacy or data protection concerns
make Clouds
risky for Regulated data

Requires Risk Based Analysis

FedRamp - Proposed Security Assessment and Authorization for U.S. Government Cloud Computing, Nov 2, 2010

Data Security Regulatory Lansdcape

81% of
Senior
Executives
rate their
knowledge of
laws
regulating
online activity
as
non-existent

Business Investigations of data loss via
social media:
18% by video/audio
17% by social networking
13% by blog posting

Quick tip
Offline laws apply online

copyright
trademark
fraud
contract
trade secrets
theft/conversion
identity theft
privacy laws
torts
crimes
statutory laws
sexual harassment
discrimination
negligence
defamation
...

More Regulator Activity & more to Come
45 states have enacted anti-bullying laws - http://www.bullypolice.org/
Without: Hawaii, South Dakota, Michigan, New York, Montana, North Dakota and Missouri

(SEC), and (FINRA), issued guidance on use of social media sites
Securities and Exchange Commission, Financial Industry Regulatory Authority

UK (ASA), issued guidance on social media marketing
Advertising Standard Authority

FTC, Final Guides governing social media endorsements
Federal Trade Commission

Maryland leads the way in social media campaign regulations

CA – (FPPC), “regulate the same as traditional media”
Fair Political Practices Commission

Future Regulatory Focus
Amateur Data Controllers
Right to not be over-regulated
Right to demand co-operation

Privacy Policies
Right to be better informed
Right to be forgotten
Right to have policies monitored
Right to Data Portability
End of online anonymity

Processing of data by 3rd parties
Duties for data controllers

Behavioral advertising
Right to opt-in vs. have to opt-out

The rights of minors

Where is this all headed?

For us?

For our clients?

What is Data Governance?
An operating discipline for managing data and information as a key enterprise
assets

Organization, processes and tools for establishing and exercising decision rights
regarding valuation and management of data

Elements of data governance
Decision making authority
Compliance
Policies and standards
Data inventories
Full life-cycle management
Content management
Records management,
Preservation and disposal
Data quality
Data classification
Data security and access
Data risk management
Data valuation

Where does (Data Governance) fit?

Data Governance is the weakest link

Bitmap83

Why is Data Governance important?
Regulator shift

OLD NEW
Principles Rule
Based Based

UK FSA, has proposed a “Data Accuracy Scorecard”
Financial Services Authority

Regulators will punish inadequate Data Governance

Breach Notification laws create demand to govern data

Ensure that the Right People
have the Right Access
to the Right Data
Restore
doing the Right Things Trust
Efficiently
and Productively

Future Bottom Line
Regulations will be MORE :

Prescriptive
Prohibitive &
Penalizing

Laws & Regulations
• Data Protection Act
• Gambling Act 2005
• Protection from Harassment Act 1997
• Racial, sexual and age discrimination
legislation
• Obscenity Publications Act 1959
• “…obscene if it is intended to corrupt or
deprave persons exposed to it”

Laws & Regulations
• The Terrorism Acts 2000 & 2006
• Money Laundering Regulations
• CAP Codes & the ASA
• Transparency and Honesty
• Careful with trans-national campaigns
• Consumer Protection from Unfair
Commercial Practices Regulations
2008 (CPR’s)
• Contempt of Court

High-level International
Overview
• New Basel Capital Accord (Basel-II)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Society for Worldwide Interback Funds Transfer (SWIFT)
• Personal Information Protection Act (PIPA) – Canada
• Personal Information and Electronic Documents Act (PIPEDA) – Canada
• Personal Information Privacy Act (JPIPA) – Japan
• SafeSecure ISP – Japan
• Federal Consumer Protection Code, E-Commerce Act – Mexico
• Privacy and Electronic Communications (EC Directive) Regulations 2003
• Directive 95/46/EC Directive on Privacy and Electronic Communications –
European Union
• Central Information System Security Division (DCSSI) Encryption – France
• Federal Data Protection Act (FDPA - Bundesdatenschutzgesetz - BDSG) of
2001 – Germany
• Privacy Protection Act (PPA) of Schleswig-Holstein of 2000 – Germany
• US Department of Commerce “Safe Harbor”

Relevant Laws and
Regulations
• Sarbanes-Oxley Act • Federal Trade Commission (FTC)
• PCAOB Rel. 2004-001 Audit Section • CC1798 (SB1386)
• SAS94 • Federal Information Security Management Act
• Fair Credit Reporting Act (FCRA) (FISMA)
• AICPA Suitability Trust Services Criteria • USA PATRIOT
• SEC CFR 17: 240.15d-15 Controls and • Community Choice Aggregation (CCA)
Procedures • Federal Information System Controls Audit
• NASD/NYSE 240.17Ad-7 Transfer Agent Manual (FISCAM)
Record Retention • General Accounting Office (GAO)
• GLBA (15 USC Sec 6801-6809) 16 CFR 314 • FDA 510(k)
• Appendix: 12 CFR 30, 208, 225, 364 & 570 • Federal Energy Regulatory Commission (FERC)
• Federal Financial Institutions Examination • Nuclear Regulatory Commission (NRC) 10CFR
Council (FFIEC) Information Security Part 95
• FFIEC Business Continuity Planning • Critical Energy Infrastructure Information (CEII)
• FFIEC Audit • Communications Assistance for Law
• FFIEC Operations Enforcement Act (CALEA)
• Health Insurance Portability and Accountability • Digital Millennium Copyright Act (DMCA)
Act (HIPAA) § 164 • Business Software Alliance (BSA)
• 21 CFR Part 11 – FDA Regulation of Electronic • New Basel Capital Accord (Basel-II)
Records and Electronic Signatures • Customs-Trade Partnership Against Terrorism
• Payment Card Industry Data Security Standard (C-TPAT)
(PCI-DSS) • Video Privacy Protection Act of 1988 (codified at
18 U.S.C. § 2710 (2002))

US Federal Privacy Laws and US Federal Breach Laws (USA is a member, OECD and a member, CPEA. The
US has also ratified CE ETS 185)

1. Children’s Online Privacy Protection Act (COPPA)
1. Federal Trade Commission's Final COPPA Rule (PDF)
2. Communications Assistance for Law Enforcement Act (CALEA)
3. Depart of Defense Directive 5400.11.R - Privacy Program (May 14, 2007 edition) (PDF)
1. Defense Privacy Office
4. Electronic Communications Privacy Act (ECPA)
5. Fair Credit Reporting Act (FCRA, PDF)
1. As Amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT)
2. Federal Trade Commission's Red Flag Rule (PDF) (DELAYED UNTIL NOVEMBER 1st 2009)
6. Family Educational Rights and Privacy Act (FERPA, The Buckley Amendment)
1. US Department of Education Final Rule (PDF)
2. Protection of Pupil Rights Amendment (PPRA)
3. No Child Left Behind Act (PDF)
7. Genetic Information Nondiscrimination Act 2008 (GINA, PDF)
1. Proposed rule making genetic information covered under PII, HIPAA, and HITECH (PDF)
8. Gramm-Leach-Bliley Act (GLBA)
1. Federal Trade Commission's Final Financial Privacy Rule (PDF)
2. Federal Trade Commission's Final Safeguards Rule (PDF)
9. Health Insurance Portability and Accountability Act (HIPAA, PDF)
10. HITECH Act (Notice: I could not find it consolidated and called out anywhere, so had to create it myself,
PDF)
1. HITECH Breach Notification Guidance and Request for Public Comment (From the US Department of
Health and Human Services, PDF)
11. Federal Trade Commission's Health Breach Notification FINAL Rule (PDF)
12. Safe Harbor Guidelines from the US Department of Commerce

Data Security Regulatory Lansdcape

More Related Content

What's hot (20)

Viewers also liked (7)

Similar to Data Security Regulatory Lansdcape (20)

Recently uploaded (20)

Data Security Regulatory Lansdcape