© 2016 IBM Corporation
Monique Altheim
Jayne Golding
IBM Security Services
January 29th, 2016
The Increasing Risk of Data Privacy On the Enterprise
Swiss Re - Expert Forum on Cyber Risk
Agenda
• Data Privacy and Cyber Risk
• Data Privacy must be a priority for your business
• GDPR as a Risk Engine
2/9/2016 IBM Data Privacy Services
Data Privacy and Cyber Risk
Cyber Risk
Data Security vs. Data Privacy
Scope
• Data Security: Crown Jewels (Business Sensitive Data, Personal Data)
• Data Privacy: Personal Data
Objective
• Data Security: Guaranteeing Confidentiality, Integrity and Availability (C.I.A.) of the Organization’s Crown Jewels
• Data Privacy:
– ID Theft Prevention
– Individual Control over Personal Data
– Protection of Individual’s Reputation
– Protection of Individual’s Freedoms
Authority
• Data Security:
– International Industry Standards (e.g. ISO/IEC 27001; ENISA; PCI DSS)
– National Privacy Laws & Regulations – Personal data (e.g. EU Data Protection Directive)
– National Critical Infrastructure Legislation (e.g. German IT Security Law 2015; NIS Directive)
• Data Privacy:
– National Laws and Regulations (e.g. The Swiss Federal Data Protection Act)
– National Constitutions (e.g. Art 13 Swiss Federal Constitution)
– Human Rights (e.g. Art. 8, Charter of Fundamental Rights of the EU)
– Best Practices (e.g. ISO 27018; ISO 29100)
Cyber Risk: Scope (diagram)
• Data Security: Business Sensitive Data, Personal Data
• Data Privacy: Personal Data
Cyber Risk
Data Security vs. Data Privacy
Principles
• Data Security: Organizational, Technical and Physical Controls; mostly as per Industry Standards. Some examples:
– Security Policy
– Incident Response Plan
– IAM (Identity and Access Management)
– SIEM (Security Information and Event Management)
– Firewalls
– Encryption
– Locks, guards, video surveillance
• Data Privacy:
– Collection Minimization
– Transparency
– Notice, Choice, Consent
– Purpose Specification
– Use Limitation
– Data Security
– Access, Rectification and Erasure Rights of Data Subjects
– Retention Periods
– 3rd Party Vendor Requirements
– Cross-border Export Restrictions
– Cross-border Access Restrictions
– Data Breach Notification
Cyber Risk: Principles (diagram; labels: Data Privacy, Security, Other Privacy Principles)
Selected Comprehensive Data Protection/Privacy Laws and Bills as of 1/2016
Nearly 100 countries around the world have adopted data protection and privacy laws
• Mexico: Federal Law on the Protection of Personal Data
• US Federal: HIPAA, GLBA, COPPA, CAN-SPAM, Do Not Call, Safe Harbor Principles; Possible Cybersecurity Legislation, Student Privacy Legislation; California Requirements
• Argentina: Personal Data Protection Act of 2000, Confidentiality of Information Law
• Chile: Law for the Protection of Private Life
• South Africa: The Protection of Personal Information Act 2013 (POPIA)
• Canada: PIPEDA and Provincial Privacy Laws
• Switzerland: Federal Act on Data Protection
• Dubai: Data Protection Act 2007
• United Kingdom: UK Data Protection Act 1998
• European Union: EU Data Protection Directive. Imminent adoption of the General Data Protection Regulation (GDPR)
• Russia: Federal Law of July 27th 2006 No 152-FZ on personal data
• Australia: Amended Privacy Act and Spam Act
• Japan: Personal Information Protection Act (PIPA)
• South Korea: Personal Information Protection Act 2011 (PIPA)
• India: Information Technology Act of 2000
• Philippines: Data Privacy Act 2012
• Singapore: Personal Data Protection Act 2012 (PDPA)
• China: New Data Protection Requirements
Map legend: Comprehensive data protection law enacted; Pending effort or obligation to enact law; No comprehensive law
HIPAA: Health Insurance Portability and Accountability Act
GLBA: Gramm Leach Bliley Act
COPPA: Children’s Online Privacy Protection Act
CAN-SPAM: Controlling the Assault of Non-Solicited Pornography And Marketing Act
Source: http://dlapiperdataprotection.com/#handbook/world-map-section/c1_SG
Cyber Coverage Overview
First Party Coverage
• Security Breach - Non Privacy:
– Forensic Investigation
– Business Interruption
– Data Loss/Destruction
– Cyber extortion
• Privacy Breach - Security and Non-Security:
– Business Interruption
– Data Loss/Destruction
– Cyber extortion
– Privacy-Security Breach - Additional Coverage: Data Breach Notification Costs; Credit Monitoring of Customers
Third Party Coverage
• Security Breach - Non Privacy:
– Legal Defense
– Settlements, Damages and Judgments
• Privacy Breach - Security and Non-Security:
– Legal Defense
– Settlements, Damages and Judgments
– Regulatory Fines and Penalties
Data Privacy must be a priority for your business
Recent trends that have increased privacy liability risk
1. Increase in collection and storage of personal data (what you don’t have cannot be breached) - Big data & data analytics, Internet of Things - esp. IoT consumer products, e.g. smart homes
2. Loss of control over data and devices - Outsourcing of processing of personal information to service providers (Cloud), BYOD
3. Globalization of the economy - Global personal data transfers
4. Increase in global privacy legislation, e.g. GDPR
5. Increase in cyber attacks
Numbers
NetDiligence 2015 Cyber Claims Study
Study of Cyber Insurance Claims as a result of data breaches that occurred between 2012 – 2015 (data set: 160 cyber claims; numbers are “payouts-to-date”)
• Personal data was the most frequently exposed data – 86% (includes PII, PHI, PCI)
• Average claim per record: $964.31; Median claim per record: $13
• Total Claims spent on:
– Crisis Services: 78% (Forensics; Data breach notification; Credit/ID monitoring; Legal guidance; Public relations)
– Legal Defense: 8%
– Legal Settlement: 9%
– Regulatory Defense: 1%
– Regulatory Fines: 1%
– PCI Fines: 3%
Source: http://www.netdiligence.com/downloads/netdiligence_2015_cyber_claims_study_093015.pdf
General Data Protection Regulation as a Risk Engine
Is your enterprise prepared?
The new General Data Protection Regulation (GDPR) has arrived!
• New European Union General Data Protection text was finalized in December of 2015
• New rules will be formally adopted in early 2016 and will be applicable in 2018 to any organization which operates in the EU market
• GDPR will fundamentally change the way companies must manage their data
The majority of companies are not ready for the new privacy requirements of the GDPR
Key Aspects of the New General Data Protection Regulation
• Unlike the existing 1995 Data Protection Directive (95/46/EC), the Regulation will create a unified data protection law for all 28 European Countries.
– It will also have international reach - applying to organizations that handle personal data of any EU resident (data subjects)
• The objectives of the GDPR are twofold:
– To enhance the level of personal data protection for EU residents
– To modernize the law in line with existing and emerging technologies (e.g. social networks and cloud computing) and to clarify responsibility for the handling and storage of data, making it easier for organizations to comply and avoid fines.
Non-compliance could lead to regular and periodic audits and/or a fine of € 20 million or 4% of the company’s annual worldwide turnover, whichever is greater
Major Changes
• Expansion of Applicability of EU Privacy Framework
• Data Breach Notification Requirement
• Privacy by Design, Privacy by Default
• Privacy Impact Assessments
• Data Privacy Officers
• Expansion of Obligations of Data Processors
• Major Increase of Fines
GDPR Readiness – Understand your risk
• Understand your obligations
– Become familiar with the proposed GDPR requirements and monitor its development
• Know what data you have and where it is located
– Conduct a data inventory and mapping initiative to assist in understanding and evaluating the operational and technological changes required for compliance
• Appoint a Data Protection Officer
– Create a structured privacy office and appoint, at minimum, a data protection officer (DPO) who has expert knowledge on data protection law
• Review all privacy notices
– Confirm all privacy notices are presented in clear and plain language and are transparent and easily accessible to data subjects.
• Review customer consent and choice mechanisms
– Ensure that the appropriate consent and choice mechanisms are in place and/or are updated to meet the express consent requirements and to easily facilitate customer choice (e.g. Right to Erasure, Portability)
GDPR Readiness – Mitigate your risk
• Implement a Privacy By Design approach to new systems and services
– Create a Privacy By Design framework to ensure that privacy requirements are embedded, by default and design, from the very outset of the development of new systems and services.
• Document your privacy compliance activities
– Adequately document all processing operations involving personal data through the use of Data Privacy Impact Assessments (DPIAs)
• Implement and document appropriate security measures
– Provide technical, physical and administrative security measures 'appropriate' to the risks identified by DPIAs
• Create breach response and notification protocols
– Implement data breach investigation, containment and response processes and procedures, and be sure to test their effectiveness
• Develop audit capabilities and processes
– Establish a robust audit plan and process to monitor ongoing compliance and to mitigate risk
GDPR Readiness – Mitigate your risk
• Review all cross border data transfers
– Confirm that you have a legitimate basis for transferring data to jurisdictions outside the EU that do not have adequate data protection regulations
• Assess external contracts, both as a controller and/or as a processor
– Determine whether contractual obligations need to be amended to reflect any changes in services and/or costs in line with the enhanced responsibilities on controllers and processors
• Train your employees
– Create training programs to educate employees on their obligations when accessing or processing personal data.
• Make sure the appropriate budgets are in place to support the changes
– Prepare to invest in data protection
Be proactive!
Build a robust, auditable, privacy compliance program to manage GDPR compliance and to reduce risk
Questions?
IBM Data Privacy Services Contacts
Monique Altheim
Global Privacy Managing Consultant
malthei@us.ibm.com
1-347-628-1479
Jayne Golding
European Privacy Lead
jgoldin1@uk.ibm.com
+44 7584 202302

NO1 Certified kala jadu karne wale ka contact number kala jadu karne wale bab...
 
2024 Q1 Crypto Industry Report | CoinGecko
2024 Q1 Crypto Industry Report | CoinGecko2024 Q1 Crypto Industry Report | CoinGecko
2024 Q1 Crypto Industry Report | CoinGecko
 
Economic Risk Factor Update: April 2024 [SlideShare]
Economic Risk Factor Update: April 2024 [SlideShare]Economic Risk Factor Update: April 2024 [SlideShare]
Economic Risk Factor Update: April 2024 [SlideShare]
 
Amil Baba In Pakistan amil baba in Lahore amil baba in Islamabad amil baba in...
Amil Baba In Pakistan amil baba in Lahore amil baba in Islamabad amil baba in...Amil Baba In Pakistan amil baba in Lahore amil baba in Islamabad amil baba in...
Amil Baba In Pakistan amil baba in Lahore amil baba in Islamabad amil baba in...
 
原版1:1复刻堪萨斯大学毕业证KU毕业证留信学历认证
原版1:1复刻堪萨斯大学毕业证KU毕业证留信学历认证原版1:1复刻堪萨斯大学毕业证KU毕业证留信学历认证
原版1:1复刻堪萨斯大学毕业证KU毕业证留信学历认证
 
Kempen ' UK DB Endgame Paper Apr 24 final3.pdf
Kempen ' UK DB Endgame Paper Apr 24 final3.pdfKempen ' UK DB Endgame Paper Apr 24 final3.pdf
Kempen ' UK DB Endgame Paper Apr 24 final3.pdf
 
PMFBY , Pradhan Mantri Fasal bima yojna
PMFBY , Pradhan Mantri  Fasal bima yojnaPMFBY , Pradhan Mantri  Fasal bima yojna
PMFBY , Pradhan Mantri Fasal bima yojna
 

Swiss Re data_privacy_27_01_2016

  • 1. © 2016 IBM Corporation Monique Altheim Jayne Golding IBM Security Services January 29th, 2016 The Increasing Risk of Data Privacy On the Enterprise Swiss Re - Expert Forum on Cyber Risk
  • 2. © 2016 IBM Corporation  Data Privacy and Cyber Risk  Data Privacy must be a priority for your business  GDPR as a Risk Engine 2/9/2016 IBM Data Privacy Services Agenda 2
  • 3. Data Privacy and Cyber Risk
  • 4. Cyber Risk (Data Security / Data Privacy)
      Scope
        - Data Security: Crown Jewels (Business Sensitive Data, Personal Data)
        - Data Privacy: Personal Data
      Objective
        - Data Security: Guaranteeing Confidentiality, Integrity and Availability (C.I.A.) of the Organization’s Crown Jewels
        - Data Privacy: ID Theft Prevention; Individual Control over Personal Data; Protection of Individual’s Reputation; Protection of Individual’s Freedoms
      Authority
        - Data Security: International Industry Standards (e.g. ISO/IEC 27001; ENISA; PCI DSS); National Privacy Laws & Regulations – Personal data (e.g. EU Data Protection Directive); National Critical Infrastructure Legislation (e.g. German IT Security Law 2015; NIS Directive)
        - Data Privacy: National Laws and Regulations (e.g. The Swiss Federal Data Protection Act); National Constitutions (e.g. Art. 13 Swiss Federal Constitution); Human Rights (e.g. Art. 8, Charter of Fundamental Rights of the EU); Best Practices (e.g. ISO 27018; ISO 29100)
  • 5. Cyber Risk: Scope [diagram: Data Security covers Business Sensitive Data and Personal Data; Data Privacy covers Personal Data]
  • 6. Cyber Risk: Principles (Data Security / Data Privacy)
      Data Security: Organizational, Technical and Physical Controls, mostly as per Industry Standards. Some examples:
        - Security Policy
        - Incident Response Plan
        - IAM (Identity and Access Management)
        - SIEM (Security Information and Event Management)
        - Firewalls
        - Encryption
        - Locks, guards, video surveillance
      Data Privacy:
        - Collection Minimization
        - Transparency
        - Notice, Choice, Consent
        - Purpose Specification
        - Use Limitation
        - Data Security
        - Access, Rectification and Erasure Rights of Data Subjects
        - Retention Periods
        - 3rd Party Vendor Requirements
        - Cross-border Export Restrictions
        - Cross-border Access Restrictions
        - Data Breach Notification
  • 7. Cyber Risk: Principles [diagram labels: Data Privacy; Security; Other Privacy Principles]
  • 8. Selected Comprehensive Data Protection/Privacy Laws and Bills as of 1/2016
      Nearly 100 countries around the world have adopted data protection and privacy laws.
        - Mexico: Federal Law on the Protection of Personal Data
        - US Federal: HIPAA, GLBA, COPPA, CAN-SPAM, Do Not Call, Safe Harbor Principles; Possible Cybersecurity Legislation, Student Privacy Legislation; California Requirements
        - Argentina: Personal Data Protection Act of 2000, Confidentiality of Information Law
        - Chile: Law for the Protection of Private Life
        - South Africa: The Protection of Personal Information Act 2013 (POPIA)
        - Canada: PIPEDA and Provincial Privacy Laws
        - Switzerland: Federal Act on Data Protection
        - Dubai: Data Protection Act 2007
        - United Kingdom: UK Data Protection Act 1998
        - European Union: EU Data Protection Directive. Imminent adoption of the General Data Protection Regulation (GDPR)
        - Russia: Federal Law of July 27th 2006 No 152-FZ on personal data
        - Australia: Amended Privacy Act and Spam Act
        - Japan: Personal Information Protection Act (PIPA)
        - South Korea: Personal Information Protection Act 2011 (PIPA)
        - India: Information Technology Act of 2000
        - Philippines: Data Privacy Act 2012
        - Singapore: Personal Data Protection Act 2012 (PDPA)
        - China: New Data Protection Requirements
      Map legend: Comprehensive data protection law enacted; Pending effort or obligation to enact law; No comprehensive law
      Abbreviations: HIPAA: Health Insurance Portability and Accountability Act; GLBA: Gramm Leach Bliley Act; COPPA: Children Online Privacy Protection Act; CAN-SPAM: Controlling the Assault of Non-Solicited Pornography And Marketing Act
      Source: http://dlapiperdataprotection.com/#handbook/world-map-section/c1_SG
  • 9. © 2016 IBM Corporation Cyber Coverage Overview 2/9/2016 IBM Data Privacy Services Security Breach - Non Privacy Privacy Breach - Security and Non-Security First Party Coverage  Forensic Investigation  Business Interruption  Data Loss/Destruction  Cyber extortion  Business Interruption  Data Loss/Destruction  Cyber extortion Privacy-Security Breach - Additional Coverage:  Data Breach Notification Costs  Credit Monitoring of Customers Third Party Coverage  Legal Defense  Settlements, Damages and Judgments  Legal Defense  Settlements, Damages and Judgments  Regulatory Fines and Penalties 9
  • 10. Data Privacy must be a priority for your business
  • 11. Recent trends that have increased privacy liability risk
      1. Increase in collection and storage of personal data (what you don’t have cannot be breached): Big data & data analytics; Internet of Things, esp. IoT consumer products, e.g. Smart homes
      2. Loss of control over data and devices: Outsourcing of processing of personal information to service providers (Cloud), BYOD
      3. Globalization of the economy: Global personal data transfers
      4. Increase in global privacy legislation, e.g. GDPR
      5. Increase in cyber attacks
  • 12. Numbers: Netdiligence 2015 Cyber Claims Study
      Study of Cyber Insurance Claims as a result of data breaches that occurred between 2012 – 2015 (data set 160 cyber claims; numbers are “payouts-to-date”)
        - Personal data was the most frequently exposed data: 86% (includes PII, PHI, PCI)
        - Average claim per record: $964.31; Median claim per record: $13
        - Total Claims spent on:
            - Crisis Services: 78% (Forensics; Data breach notification; Credit/ID monitoring; Legal guidance; Public relations)
            - Legal Defense: 8%
            - Legal Settlement: 9%
            - Regulatory Defense: 1%
            - Regulatory Fines: 1%
            - PCI Fines: 3%
      Source: http://www.netdiligence.com/downloads/netdiligence_2015_cyber_claims_study_093015.pdf
  • 13. General Data Protection Regulation as a Risk Engine: Is your enterprise prepared?
  • 14. The new General Data Protection Regulation (GDPR) has arrived!
        - New European Union General Data Protection text was finalized in December of 2015
        - New rules will be formally adopted in early 2016 and will be applicable in 2018 to any organization which operates in the EU market
        - GDPR will fundamentally change the way companies must manage their data
      The majority of companies are not ready for the new privacy requirements of the GDPR
  • 15. © 2016 IBM Corporation  Unlike the existing 1995 Data Protection Directive (95/46/EC), the Regulation will create a unified data protection law for all 28 European Countries. – It will also have international reach - applying to organizations that handle personal data of any EU resident (data subjects)  The objectives of the GDPR are twofold: – To enhance the level of personal data protection for EU residents – To modernize the law in line with existing and emerging technologies (e.g. social networks and cloud computing) and to clarify responsibility for the handling and storage of data, making it easier for organizations to comply and avoid fines. 2/9/2016 IBM Data Privacy Services 15 Key Aspects of the New General Data Protection Regulation Non-compliance could lead to regular and periodic audits and/or a fine of € 20 million or 4% of the company’s annual worldwide turnover, whichever is greater
  • 16. © 2016 IBM Corporation  Expansion of Applicability of EU Privacy Framework  Data Breach Notification Requirement  Privacy by Design, Privacy by Default  Privacy Impact Assessments  Data Privacy Officers  Expansion of Obligations of Data Processors  Major Increase of Fines 2/9/2016 IBM Data Privacy Services Major Changes 16
  • 17. © 2016 IBM Corporation  Understand your obligations – Become familiar with the proposed GDPR requirements and monitor its development  Know what data you have and where it is located – Conduct a data inventory and mapping initiative to assist in understanding and evaluating the operational and technological changes required for compliance  Appoint a Data Protection Officer – Create a structured privacy office and appoint, at minimum, a data protection officer (DPO) who has expert knowledge on data protection law  Review all privacy notices – Confirm all privacy notices are presented in clear and plain language and are transparent and easily accessible to data subjects.  Review customer consent and choice mechanisms – Ensure that the appropriate consent and choice mechanisms are in place and/or are updated to meet the express consent requirements and to easily facilitate customer choice (e.g. Right to Erasure, Portability) 2/9/2016 IBM Data Privacy Services GDPR Readiness – Understand your risk 17
  • 18. © 2016 IBM Corporation  Implement a Privacy By Design approach to new systems and services – Create a Privacy By Design framework to ensure that privacy requirements are embedded, by default and design, from the very outset of the development of new systems and services.  Document your privacy compliance activities – Adequately document all processing operations involving personal data through the use of Data Privacy Impact Assessments (DPIAs)  Implement and document appropriate security measures – Provide technical, physical and administrative security measures 'appropriate' to the risks identified by DPIAs  Create breach response and notification protocols – Implement data breach investigation, containment and response processes and procedures, and be sure to test their effectiveness  Develop audit capabilities and processes – Establish a robust audit plan and process to monitor ongoing compliance and to mitigate risk 2/9/2016 IBM Data Privacy Services GDPR Readiness – Mitigate your risk 18
  • 19. © 2016 IBM Corporation  Review all cross border data transfers – Confirm that you have a legitimate basis for transferring data to jurisdictions outside the EU that do not have adequate data protection regulations  Assess external contracts, both as a controller and/or as a processor – Determine whether contractual obligations need to be amended to reflect any changes in services and/or costs in in line with the enhanced responsibilities on controllers and processors  Train your employees – Create training programs to educate employees on their obligations when accessing or processing personal data.  Make sure the appropriate budgets are in place to support the changes – Prepare to invest in data protection 2/9/2016 IBM Data Privacy Services 19 GDPR Readiness – Mitigate your risk Be proactive! Build a robust, auditable, privacy compliance program to manage GDPR compliance and to reduce risk
  • 20. Questions?
  • 21. IBM Data Privacy Services Contacts
        - Monique Altheim, Global Privacy Managing Consultant, malthei@us.ibm.com, 1-347-628-1479
        - Jayne Golding, European Privacy Lead, jgoldin1@uk.ibm.com, +44 7584 202302
  • 22. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. 
In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Legal notices and disclaimers