Slide 1
Best Practices in Corporate Privacy & Information Security Policies & Compliance
Satyakam Biswas
Slide 2
Topics
- Introduction
- Privacy Fundamentals
- Legal Compliance
- Physical & Electronic Security Issues
  - General
  - Privacy Specific
- Questions & Conclusion
Slide 3
Introduction: Why Should You Worry About Privacy Laws?
- Regulatory Enforcement
  - EU Privacy Commissioners Announce Increased Enforcement
  - FTC Actions
- Unfair Competition Provisions of the Lanham Act (15 USC 1125(a))
  - Collegenet, Inc. v. XAP Corp, 2006 WL 2307457 (D. Or.)
- Criminal Liability
- Civil Litigation
- Suspension of Business Activity
- Loss of Rights to Use Data
- Adverse Publicity – ChoicePoint
- Employee Issues
  - Union/Work Council Leverage
  - Transfer of Data
- Gap Between Privacy/Security Policies and Reality!!
Slide 4
Introduction: Why Should You Worry About Security?
- "Adequate Security" Requirements in EU
- FTC Actions in US (BJ's Case)
- Breach Notification Laws in US
- HIPAA Requirements
- GLB Requirements
- SOX Issues
- General Theories of Negligence in Civil Actions
Slide 5
Introduction: Goals
- Avoid Damage to Company or Brand Image
- Assure Business Continuity
- Protect Value of Data
- Usability
- Strengthen Business Relationships
- Avoid Civil and Criminal Liability
Slide 6
Introduction: Modern Corporate Practice
- Business Units Run Globally
- Share Information Globally
- IT & BPO Outsourcing
- Distributed Information Management Systems
  - Servers Replicate Everywhere 24/7
  - Seamless Networks
  - Not Able to Trace Data Flow
- Comply with Strictest Law Where Company Does Business on a Global Basis
Slide 7
Fundamentals: General Privacy
Model Common Elements of Most Legislation
- Definition & Scope of Personal Identifier Information
- Notice
- Consent
  - Unambiguous
  - Opt Out for Direct Marketing
  - Opt In for Sensitive Data
  - Warning: Direct Marketing!!! Opt Out under the EU Privacy Directive, but Opt In for EU Unsolicited Electronic Mail
- Registrations
  - DPA Approvals or Notifications
  - Work Council Approval
Slide 8
Fundamentals: General Privacy
Model Common Elements of Most Legislation (continued)
- Includes Paper or Electronic Data
- Right to Review & Correct
- Adequate Security
- Registration
- Transfer
  - DPA or Work Council Notice or Consent
- Warning: Extraterritorial Reach of EU Directive!!
- Privacy Laws - Global and Not Consistent
  - EEA
  - South America – Argentina
  - Asia - Japan
  - Canada
  - US??
Slide 9
Fundamentals: Notice and Consent Flowchart
[Flowchart; only the node labels survive extraction: Personal Information Processing; Exclusions; Collection; Sensitive Information; Unambiguous Consent; Consent / Opt Out; Right to Object; Use; Direct Marketing; Explicit Consent / Opt In; Transfer (see Data Transfer Chart); Use Beyond Scope of Original Use; Other Uses; Notice]
Slide 10
Fundamentals: Trans-border Data Transfer
- Directive 95/46/EC
- EU expressly recognises "adequate protection" by national rules
Slide 11
Fundamentals: Trans-border Data Transfer to US
- Safe Harbor Program
- Contract (Model Clauses) or Binding Corporate Rules
Slide 12
Legal Compliance: Data Transfer Agreements
- Must Sign If Personal Data Being Transferred, Even If Local Law Does Not Require
  - DuPont Policy
  - Extraterritorial Reach of EU Directive
- Scope: Employees, Vendors (Supply Chain), Customers – Whenever Personal Information Is Transferred
- Little Room for Negotiation
- Do Not Connect DTA to Substantive Agreement
- Avoid Limitation of Liability/Damages
- Avoid Other Disclaimer Language
Slide 13
Legal Compliance: Data Transfer Agreements (continued)
- New DTA – See Form
  - Use EU Model Clauses (Controller to Controller)
  - Set 2 for Controller to Controller; Set 1 for Controller to Processor
- Affiliates: Hub and Spoke Model
  - List of All Affiliates; Updates
  - Adopt Global Corporate Privacy and Electronic Security Policies
- Suppliers, Customers, ASPs, BPOs, Other Outsourcing
  - All Required to Sign a DTA if Personal Information Is Being Transferred
  - All Required to Sign a DISO 4E If 3rd Party Needs Access to Intranet Through Firewall
Slide 14
Legal Compliance: Data Transfer Agreements (continued)
- Surprising How Few Companies Are Aware of Privacy Issues
  - Don't Understand Need for DTA
  - Some Think that Signing a HIPAA Agreement Is Sufficient
  - Even If Aware, Don't Want to Sign
- Key Is to Have DTA Signed Before Substantive Contract Is Awarded
- Administrative Burden to Manage 1000s of Contracts with Negotiated Terms
  - List Signed DTAs at Privacy Central Intranet Website
- Problem Is the Possible Changing Nature of Data Flow
  - Checkboxes Attempt to Address This; Annex of Model Clauses Very Difficult to Manage
  - Do Not Know When Data Flow Changes; Changes in Contract Scopes of Work
- Normal Route Is Sourcing Buyer and Then In-House Counsel
Slide 15
Legal Compliance: DISO 4E (See Form)
- Used When 3rd Party Given Access to Intranet Through Firewall
- Requires Company Sponsor
- DISO Screening
- Periodic Sunsets
- Includes Divested Business Access During Transitional Services Period
- Database of Signed DISO 4Es at DISO Intranet Website
- Normal Route Is Either Sourcing Buyer or DISO Rep, and Then Legal Counsel
Slide 16
Legal Compliance: Anticipate Rather Than React
- I-4 for eSecurity
- CPO Council of the Conference Board
- IAPP
- ABA: Cyberspace Law Committee of the Business Law Section; SciTech
- CLE Programs
- BNA and Other Reporters
- Outside Counsel Briefings
- Networking
Slide 17
Legal Compliance: Make Sure Privacy & Security Policies Are Implemented
- "Sourcing IT"
  - Dedicated Group for IT Procurement
  - Other Sourcing Buyers
  - Same Lawyer as DISO, Privacy, and CRIM Lawyer
  - Negotiate with Vendors to Make Sure of Policy Compliance
- Commercial Businesses
  - Educate Commercial Lawyers
  - Embed eSecurity and Privacy Coordinators in Each Business and Function
  - Work With IT Coordinators in Each Business and Function
Slide 18
Legal Compliance: Regional In-House Lawyer
- Accountable and Responsible for eSecurity & Privacy Legal Issues in Region
- Coordinate with Other Regional In-House Counsel
- Keep Up to Date on Regional Legislation/Enforcement
- Participate in Creating Policies
- Same In-House Lawyer for Both Privacy and eSecurity
- Work With Regional Outside Counsel as Needed
Slide 19
Legal Compliance: Make Sure Business Does Due Diligence on Potential 3rd Parties/Vendors
- D&B
- References
- Credit Experience
- Criminal Background Checks
- Lexis Searches
- Warranties in Contracts
- RFP Questions
- Make Sure 3rd Party Is Substantial and Reputable
Slide 20
Legal Compliance: eSecurity Pre-Screening and Audits for 3rd Party Vendors (Supply Chain)
- Self-Audit Questionnaire
- On-Site Visit by DISO and IT Representatives
- Contract Language re Changes or Problem Reporting
- Sponsor
- Risk/Benefit Analysis at Corporate Level
- Must Pass Screen Before Vendor Can Bid on Contracts
Slide 21
Legal Compliance: Supplier [Goods, Services, BPO, Outsourcing, etc.] Contract Terms
- Preapproved Templates (See ASP Contract as Example)
- Physical & Electronic Security Language
- Privacy Language
- Must Conform to DuPont Policies and Guidelines, as They Change
- Criminal Background Checks – Where Legal
- Drug Testing Requirements – Where Legal
- Key Is to Treat Virtual Access to Plants, etc. the Same as Physical Access
  - Site-by-Site Policies Based on Risks, Legal Requirements/Prohibitions
- Indemnity for 3rd Party Claims re Privacy or Security Breaches
- Limitation of Liability/Damages: Carve-Outs for Security and Privacy Breaches
- Generally Comply With Law
Slide 22
Developing & Implementing Comprehensive Written Security Policies
General
Slide 23
Developing & Implementing Comprehensive Written Security Policies
Information Classification & Protection
- Information Classification
- Information Retention
- Anti-Virus Software & Hardware
- Application/Software Development
- Information Disposal
- Apply "Right to Know" Principle
- Back-ups
- Encryption
- Fax Transmissions
- Use of Copiers & Area Printers
- Company-Developed Software Ownership
- Vulnerability Mitigation
- Equipment Inventory
Slide 24
Developing & Implementing Comprehensive Written Security Policies
Identification & Authentication
- Unique Identification
- Shared Accounts
- 2-Factor Authentication
- Passwords
- Access Requests
- Access Deletions
- Lockout Following Login Failures
- Activity Logs
- Password Resets
Slide 25
Developing & Implementing Comprehensive Written Security Policies
Information Security Responsibilities
- DISO
- Line Management Responsibilities
- Asset Owners
- Custodians
- Users
Slide 26
Developing & Implementing Comprehensive Written Security Policies
Personal Computer Policy
- Personal Firewalls
- Web Hosting Software
- Computer Lock Protection
- Boot-Up Protection
- Portable PC Precautions
- Shared PCs
- Personally Owned Hardware & Software
Workplace Relocation & Site Shutdown Policy
Disaster Recovery & Potential Impact
Slide 27
Developing & Implementing Comprehensive Written Security Policies
Telephone Policy
- Telephones
- Voice Mail
- Audio Bridge Conferences
- Off-Net Forwarding
Physical Security Policy
- Physical Security
- Visitors
Internal Network Connections Policy
- Intranet Connection Controls
- Process Control Networks
- Network Directory
Slide 28
Developing & Implementing Comprehensive Written Security Policies
External Network Interface Controls
- Internet Network Interface Controls
- Inter-Company Network Interface Controls
- Remote Access
Non-Employee Measures Policy & DuPont Sponsorship
Incident Reporting Policy
Mail Use Policy
- E-Mail Use
- Expectation of Privacy
- Paper Mail Practices
Traveling Policy
Outsourcing Policy
Monitoring Policy
- Company Right to Monitor
- Policies
- Pre-Logon Warning Banner (See Form); See Delaware Law
- Monitoring Controls
Wireless Data Communication Policy
Slide 29
Preparedness/Response for Security Breaches
- Key Is to Have a System to Detect Possible Breaches
- Reports to DISO From:
  - Corporate, Business, or Function IT Coordinator
  - DISO Rep
  - Physical Security Organization
  - 3rd Parties
  - IT or BPO Outsourcer
  - Vendors
Slide 30
Preparedness/Response for Security Breaches
- Key Triggers
  - Lost or Stolen Portables
  - Breach of Vendor or Customer Security
  - Employee Unauthorized Access and Use
  - 3rd Party Hacking Detected
  - Reports of ID Theft
- Have a Process for Dealing With Security Breaches
  - Notify in All States/Countries Whether Legally Required or Not
  - Global Privacy Manager Accountable for Process
  - Include Legal, DISO, Physical Security, etc. as Needed
  - Make Sure That Public Affairs Is Included: Stand-By Press Statement; All Inquiries to Public Affairs
  - Written Process: Accountability and Responsibility Allocation; Pre-Approved Templates; Update as Needed
Slide 31
Preparedness/Response for Security Breaches: Training & Employee Awareness
- DuPont Makes Available a Number of Privacy and eSecurity Educational Offerings to Employees:
  - Introduction to Privacy Requirements
  - Introduction to Information Privacy and Integrating Information Privacy at DuPont
  - Global Legislation Concerning Privacy
  - Information Privacy Implementation Communications Package
  - DISO-U Privacy Course for DISO Officers
  - EU Data Protection and Privacy Module in Legal Eagle(TM)
  - DISO-U for a Range of Electronic Security On-Line Courses
- Employee Ethics Survey
- Legal Briefings to Commercial, HR, and IP Attorneys & Paralegals
- Yearly Presentations to Top-Level Management
Slide 32
Developing & Implementing Comprehensive Written Security Policies
Privacy Specific
Slide 33
Security: Privacy Specific Requirements
- Many Confusing Country or Statutory Standards; More on the Way
- Key: Encryption, Encryption, Encryption!!!
- Some Unique Requirements: Must Check Applicable Laws
- Need to Have: A Written Security Program
  - Administrative Safeguards; Technical Safeguards; Physical Safeguards
  - Nature and Scope of Activities; Sensitivity of PII
  - Requires Annual Updates
  - See Spanish Law for More Specifics (As an Example)
- Vendor Will Appoint a Security Officer
- No Right to Delegate Security Compliance to a Subcontractor Without Customer Approval
Slide 34
Security: Privacy Specific Requirements – Authentication & Authorization
- Two-Factor Authentication Technology
- System Access Must Be Logged; Access Logs Retained for at Least 90 Days
- Registration & Access Privilege Process Must Be Documented
- Outsourcing Vendor Agrees to Audit at Least Quarterly the List of System Administration & Support Users
- Disable Access for Users Who No Longer Need to Support the Contract
- Unique User ID for Each User
- Password Life No Longer than 90 Days
- Outsourcing Vendor Must Audit Password Policy Compliance at Least Every 6 Months and Report Weaknesses
- Outsourcing Vendor Must Notify Customer Within 24 Hours of Any Compromise
- Automatic Lockout After 4 Consecutive Unsuccessful Tries; Only Unlock Account With Customer Permission
- Limit Access to Authorized Users
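As an added example (not from the original deck or DuPont), the following Python checks a constructed account inventory and constructed authentication-log lines against four of the requirements on this slide: unique user IDs, a password life of no more than 90 days, access disabled for users who no longer support the contract, and automatic lockout after 4 consecutive unsuccessful tries. All user names, dates and log lines are made up for the illustration.

```python
# Added example, not from the original deck: checks a constructed account
# inventory and constructed auth-log lines against the slide's requirements
# (unique user IDs, 90-day password life, disabled leavers, lockout after 4).
from collections import Counter
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # "Password Life No Longer than 90 days"
MAX_FAILED_TRIES = 4         # "Automatic Lockouts after 4 Consecutive Unsuccessful Tries"

# Constructed inventory: (user_id, password_set_on, supports_contract, enabled)
ACCOUNTS = [
    ("alice", date(2024, 5, 1), True, True),
    ("bob", date(2024, 1, 10), True, True),     # password older than 90 days
    ("carol", date(2024, 5, 20), False, True),  # left the contract, still enabled
    ("alice", date(2024, 5, 2), True, True),    # duplicate user ID, i.e. not unique
]

# Constructed auth log: "<user> <OK|FAIL>", oldest event first
AUTH_LOG = ["bob FAIL", "bob FAIL", "bob OK",
            "dave FAIL", "dave FAIL", "dave FAIL", "dave FAIL", "dave OK"]

def audit_accounts(accounts, today):
    """Return sorted (user_id, finding) pairs for every policy violation."""
    findings = set()
    ids = Counter(user_id for user_id, _, _, _ in accounts)
    for user_id, pw_set_on, supports_contract, enabled in accounts:
        if ids[user_id] > 1:
            findings.add((user_id, "user id not unique"))
        if (today - pw_set_on).days > MAX_PASSWORD_AGE_DAYS:
            findings.add((user_id, "password older than 90 days"))
        if enabled and not supports_contract:
            findings.add((user_id, "access not disabled after leaving contract"))
    return sorted(findings)

def locked_accounts(log_lines):
    """Replay the log: the 4th consecutive FAIL locks the account, and it stays
    locked (unlock only with customer permission); a success resets the streak."""
    streak, locked = Counter(), set()
    for line in log_lines:
        user, result = line.split()
        if user in locked:
            continue          # locked accounts ignore further attempts
        if result == "FAIL":
            streak[user] += 1
            if streak[user] >= MAX_FAILED_TRIES:
                locked.add(user)
        else:
            streak[user] = 0  # a successful login resets the failure streak
    return locked
```

Run against a real inventory export and log, the two functions give the vendor's quarterly user-list audit and the lockout check a concrete, repeatable form.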
Slide 35
Security: Privacy Specific Requirements – Transmission & Storage of PII
- Encrypt Transmissions of PII
- Stored PII Encrypted
- Encryption Must Be Integral to and Enforced by the Application (Not at Option of User)
- Master Keys Under Exclusive Control of Customer
Application Development
- Separate, Distinct Computing Environments: Production System; Development Environment
- Policies & Procedures to Prevent Introduction of Untested or Unapproved Changes into the Production System
- Do Not Use Actual Production System for Development, Testing or Troubleshooting Without Customer
- Destroy Development Data
Slide 36
Security: Privacy Specific Requirements – Event Logging
- Virus Infections
- System Administrative Rights Usage
- System Support Logins
- System Shutdowns and Restarts
Security Patches and Virus Protection
- Where Technically Feasible, Vendor Installs Virus Protection Software
- Apply Virus Updates Within 24 Hours
- Apply Security Patches Within 24 Hours
Slide 37
Security: Privacy Specific Requirements – Access Restrictions
- Limit Physical Access to Equipment Storing PII on a "Need" Basis
- Upon Contract Termination, Documentation Destroyed or Rendered Unreadable
Equipment Sanitization
- On Termination of Agreement or Replacement of Equipment Storing PII, Render Data Unreadable and Unrecoverable
- Includes Equipment and Storage Media
Audit Requirements
- Audit System at Least Every 2 Years
- Results of Audits and Corrective Actions Made Available to Customer and Possibly Regulatory Agencies
Backup Requirements
- Replicate All PII on Backup System
- Locate Backup Facilities at a Different Geographic Location
- Allow Data to Be Reconstructed Within Specified Timeframe
3rd Party Notification of Breaches
Slide 38
Questions and Conclusion