Best Practices In Corporate Privacy & Information Security


Page 1: Best Practices In Corporate Privacy & Information Security


Best Practices in Corporate Privacy & Information Security Policies & Compliance

Satyakam Biswas

Page 2: Best Practices In Corporate Privacy & Information Security

Topics

- Introduction
- Privacy Fundamentals
- Legal Compliance
- Physical & Electronic Security Issues
  - General
  - Privacy Specific
- Questions & Conclusion

Page 3: Best Practices In Corporate Privacy & Information Security

Introduction: Why Should You Worry About Privacy Laws?

- Regulatory Enforcement
  - EU Privacy Commissioners Announce Increased Enforcement
  - FTC Actions
- Unfair Competition Provisions of the Lanham Act (15 USC 1125(a))
  - Collegenet, Inc. v. XAP Corp, 2006 WL 2307457 (D. Or.)
- Criminal Liability
- Civil Litigation
- Suspension of Business Activity
- Loss of Rights to Use Data
- Adverse Publicity – ChoicePoint
- Employee Issues
  - Union/Work Council Leverage
  - Transfer of Data
- Gap Between Privacy/Security Policies and Reality!!

Page 4: Best Practices In Corporate Privacy & Information Security

Introduction: Why Should You Worry About Security?

- "Adequate Security" Requirements in EU
- FTC Actions in US – BJ Case
- Breach Notification Laws in US
- HIPAA Requirements
- GLB Requirements
- SOX Issues
- General Theories of Negligence in Civil Actions

Page 5: Best Practices In Corporate Privacy & Information Security

Introduction: Goals

- Avoid Damage to Company or Brand Image
- Assure Business Continuity
- Protect Value of Data
- Usability
- Strengthen Business Relationships
- Avoid Civil and Criminal Liability

Page 6: Best Practices In Corporate Privacy & Information Security

Introduction: Modern Corporate Practice

- Business Units Run Globally
- Share Information Globally
- IT & BPO Outsourcing
- Distributed Information Management Systems
  - Servers Replicate Everywhere
  - 24/7 Seamless Networks
  - Not Able to Trace Data Flow
- Comply with Strictest Law Where Company Does Business on a Global Basis

Page 7: Best Practices In Corporate Privacy & Information Security

Fundamentals: General Privacy

Model Common Elements of Most Legislation

- Definition & Scope of Personal Identifier Information
- Notice
- Consent
  - Unambiguous
  - Opt Out for Direct Marketing
  - Opt In for Sensitive Data
  - Warning: Direct Marketing!!!
    - Opt Out under EU Privacy Directive
    - Opt In for EU Unsolicited Electronic Mail
- Registrations
  - DPA Approvals or Notifications
  - Work Council Approval

Page 8: Best Practices In Corporate Privacy & Information Security

Fundamentals: General Privacy

Model Common Elements of Most Legislation

- Includes Paper or Electronic Data
- Right to Review & Correct
- Adequate Security
- Registration
- Transfer
  - DPA or Work Council Notice or Consent
- Warning: Extraterritorial Reach of EU Directive!!

Privacy Laws – Global and Not Consistent

- EEA
- South America – Argentina
- Asia – Japan
- Canada
- US??

Page 9: Best Practices In Corporate Privacy & Information Security

Fundamentals: Notice and Consent Flowchart

[Flowchart; diagram not reproduced. Nodes: Personal Information Processing; Collection; Exclusions; Sensitive Information; Unambiguous Consent; Explicit Consent; Opt In; Use; Notice; Consent; Opt Out; Right to Object; Direct Marketing; Other Uses; Use Beyond Scope of Original Use; Transfer (see Data Transfer Chart).]

Page 10: Best Practices In Corporate Privacy & Information Security


Fundamentals: Trans-border Data Transfer

Directive 95/46/EC

EU expressly recognises “adequate protection” by national rules

Page 11: Best Practices In Corporate Privacy & Information Security


Fundamentals: Trans-border Data Transfer to US

Safe Harbor Program

Contract (Model Clauses) or Binding Corp Rules

Page 12: Best Practices In Corporate Privacy & Information Security

Legal Compliance: Data Transfer Agreements

- Must Sign If Personal Data Is Being Transferred, Even If Local Law Does Not Require It
  - DuPont Policy
  - Extraterritorial Reach of EU Directive
- Scope
  - Employees
  - Vendors (Supply Chain)
  - Customers
  - Whenever Personal Information Is Transferred
- Little Room for Negotiation
  - Do Not Connect DTA to Substantive Agreement
  - Avoid Limitation of Liability/Damages
  - Avoid Other Disclaimer Language

Page 13: Best Practices In Corporate Privacy & Information Security

Legal Compliance

- New DTA – See Form
  - Use EU Model Clauses (Controller to Controller)
  - Set 2 for Controller to Controller
  - Set 1 for Controller to Processor
- Affiliates
  - Hub and Spoke Model
  - List of All Affiliates
  - Updates
  - Adopt Global Corporate Privacy and Electronic Security Policies
- Suppliers, Customers, ASPs, BPOs, Other Outsourcing
  - All Required to Sign a DTA if Personal Information Is Being Transferred
  - All Required to Sign a DISO 4E If 3rd Party Needs Access to Intranet Through Firewall

Page 14: Best Practices In Corporate Privacy & Information Security

Legal Compliance: Data Transfer Agreements

- Surprising How Few Companies Are Aware of Privacy Issues
  - Don't Understand Need for DTA
  - Some Think that Signing a HIPAA Agreement is Sufficient
  - Even If Aware, Don't Want to Sign
- Key Is to Have DTA Signed Before Substantive Contract is Awarded
- Administrative Burden to Manage 1000's of Contracts with Negotiated Terms
  - List Signed DTAs at Privacy Central Intranet Website
- Problem is Possible Changing Nature of Data Flow
  - Checkboxes Attempt to Address Annex of Model Clauses
  - Very Difficult to Manage
  - Not Known When Data Flow Changes
  - Changes in Contract Scopes of Work
- Normal Route is Sourcing Buyer and Then In House Counsel

Page 15: Best Practices In Corporate Privacy & Information Security

Legal Compliance: DISO 4E (See Form)

- Used When 3rd Party Is Given Access to Intranet Through Firewall
- Requires Company Sponsor
- DISO Screening
- Periodic Sunsets
- Includes Divested Business Access During Transitional Services Period
- Database of Signed DISO 4Es at DISO Intranet Website
- Normal Route Is Either Sourcing Buyer or DISO Rep and then Legal Counsel

Page 16: Best Practices In Corporate Privacy & Information Security

Legal Compliance: Anticipate Rather Than React

- I-4 for eSecurity
- CPO Council of Conference Board
- IAPP
- ABA
  - Cyberspace Law Committee of Business Law Section
  - SciTech
- CLE Programs
- BNA and Other Reporters
- Outside Counsel Briefings
- Networking

Page 17: Best Practices In Corporate Privacy & Information Security

Legal Compliance: Make Sure Privacy & Security Policies Are Implemented

- "Sourcing IT"
  - Dedicated Group for IT Procurement
  - Other Sourcing Buyers
  - Same Lawyer as DISO, Privacy, and CRIM
  - Lawyer Negotiates with Vendors to Make Sure of Policy Compliance
- Commercial Businesses
  - Educate Commercial Lawyers
  - Embed eSecurity and Privacy Coordinators in each Business and Function
  - Work With IT Coordinators in each Business and Function

Page 18: Best Practices In Corporate Privacy & Information Security

Legal Compliance

- Regional In House Lawyer Accountable and Responsible for eSecurity & Privacy Legal Issues in Region
  - Coordinate with Other Regional In House Counsel
  - Keep Up to Date on Regional Legislation/Enforcement
  - Participate in Creating Policies
- Same In House Lawyer for Both Privacy and eSecurity
- Work With Regional Outside Counsel as Needed

Page 19: Best Practices In Corporate Privacy & Information Security

Legal Compliance: Make Sure Business Does Due Diligence on Potential 3rd Parties / Vendors

- D&B
- References
- Credit Experience
- Criminal Background Checks
- Lexis Searches
- Warranties in Contracts
- RFP Questions
- Make Sure 3rd Party is Substantial and Reputable

Page 20: Best Practices In Corporate Privacy & Information Security

Legal Compliance: eSecurity Pre-Screening and Audits for 3rd Party Vendors (Supply Chain)

- Self Audit Questions
- On Site Visit
- DISO and IT Representatives
- Contract Language Re Changes or Problem Reporting
- Sponsor
- Risk/Benefit Analysis at Corporate Level
- Must Pass Screen Before Being Allowed to Bid on Contracts

Page 21: Best Practices In Corporate Privacy & Information Security

Legal Compliance: Supplier [Goods, Services, BPO, Outsourcing, etc.] Contract Terms

- Preapproved Templates (See ASP Contract as Example)
- Physical & Electronic Security Language
- Privacy Language
- Must Conform to DuPont Policies and Guidelines, as They Change
- Criminal Background Checks – Where Legal
- Drug Testing Requirements – Where Legal
- Key is to Treat Virtual Access to Plants, etc. the Same as Physical Access
  - Site by Site Policies Based on Risks, Legal Requirements/Prohibitions
- Indemnity for 3rd Party Claims re Privacy or Security Breaches
- Limitation of Liability/Damages Carve Outs for Security and Privacy Breaches
- Generally Comply With Law

Page 22: Best Practices In Corporate Privacy & Information Security

Developing & Implementing Comprehensive Written Security Policies

General

Page 23: Best Practices In Corporate Privacy & Information Security

Developing & Implementing Comprehensive Written Security Policies

Information Classification & Protection

- Information Classification
- Information Retention
- Anti-Virus Software & Hardware
- Application/Software Development
- Information Disposal
- Apply "Right to Know" Principle
- Back-ups
- Encryption
- Fax Transmissions
- Use of Copiers & Area Printers
- Company Developed Software Ownership
- Vulnerability Mitigation
- Equipment Inventory

Page 24: Best Practices In Corporate Privacy & Information Security

Developing & Implementing Comprehensive Written Security Policies

Identification & Authentication

- Unique Identification
- Shared Accounts
- 2 Factor Authentication
- Passwords
- Access Requests
- Access Deletions
- Lockout Following Login Failures
- Activity Logs
- Password Resets

Page 25: Best Practices In Corporate Privacy & Information Security

Developing & Implementing Comprehensive Written Security Policies

Information Security Responsibilities

- DISO
- Line Management Responsibilities
- Asset Owners
- Custodians
- Users

Page 26: Best Practices In Corporate Privacy & Information Security

Developing & Implementing Comprehensive Written Security Policies

Personal Computer Policy

- Personal Firewalls
- Web Hosting Software
- Computer Lock Protection
- Boot-Up Protection
- Portable PC Precautions
- Shared PCs
- Personally Owned Hardware & Software

Workplace Relocation & Site Shutdown Policy

Disaster Recovery & Potential Impact

Page 27: Best Practices In Corporate Privacy & Information Security

Developing & Implementing Comprehensive Written Security Policies

Telephone Policy

- Telephones
- Voice Mail
- Audio Bridge Conferences
- Off Net Forwarding

Physical Security Policy

- Physical Security
- Visitors

Internal Network Connections Policy

- Intranet Connection Controls
- Process Control Networks
- Network Directory

Page 28: Best Practices In Corporate Privacy & Information Security

Developing & Implementing Comprehensive Written Security Policies

External Network Interface Controls

- Internet Network Interface Controls
- Inter-Company Network Interface Controls
- Remote Access

Non-Employee Measures Policy & DuPont Sponsorship

Incident Reporting Policy

Mail Use Policy

- E Mail Use
- Expectation of Privacy
- Paper Mail Practices

Traveling Policy

Outsourcing Policy

Monitoring Policy

- Company Right to Monitor Policies
- Pre-Logon Warning Banner (See Form) – See Delaware Law
- Monitoring Controls

Wireless Data Communication Policy

Page 29: Best Practices In Corporate Privacy & Information Security

Preparedness/Response for Security Breaches

Key Is To Have a System To Detect Possible Breaches

- Reports to DISO From
  - Corporate, Business, or Function IT Coordinator
  - DISO Rep
  - Physical Security Organization
  - 3rd Parties
    - IT or BPO Outsourcer
    - Vendors

Page 30: Best Practices In Corporate Privacy & Information Security

Preparedness/Response for Security Breaches

Key Triggers

- Lost or Stolen Portables
- Breach of Vendor or Customer Security
- Employee Unauthorized Access and Use
- 3rd Party Hacking Detected
- Reports of ID Theft

Have a Process for Dealing With Security Breaches

- Notify in All States/Countries Whether Legally Required or Not
- Global Privacy Manager Accountable for Process
- Include Legal, DISO, Physical Security, etc. as Needed
- Make Sure That Public Affairs Is Included
  - Stand By Press Statement
  - All Inquiries to Public Affairs
- Written Process
  - Accountability and Responsibility Allocation
  - Pre Approved Templates
  - Update as Needed

Page 31: Best Practices In Corporate Privacy & Information Security

Preparedness/Response for Security Breaches

Training & Employee Awareness

- DuPont Makes Available a Number of Privacy and E Security Educational Offerings to Employees:
  - Introduction to Privacy Requirements
  - Introduction to Information Privacy and Integrating Information Privacy at DuPont
  - Global Legislation Concerning Privacy
  - Information Privacy Implementation Communications Package
  - DISO-U Privacy Course for DISO Officers
  - EU Data Protection and Privacy Module in Legal Eagle™
  - DISO U for a Range of Electronic Security On Line Courses
- Employee Ethics Survey
- Legal Briefings to Commercial, HR, and IP Attorneys & Paralegals
- Yearly Presentations to Top Level Management

Page 32: Best Practices In Corporate Privacy & Information Security

Developing & Implementing Comprehensive Written Security Policies

Privacy Specific

Page 33: Best Practices In Corporate Privacy & Information Security

Security: Privacy Specific Requirements

- Many Confusing Country or Statutory Standards
- More on the Way
- Key: Encryption, Encryption, Encryption!!!
- Some Unique Requirements: Must Check Applicable Laws
- Need To Have: A Written Security Program
  - Administrative Safeguards
  - Technical Safeguards
  - Physical Safeguards
  - Nature and Scope of Activities
  - Sensitivity of PII
  - Requires Annual Updates
  - See Spanish Law for More Specifics (As an Example)
- Vendor Will Appoint a Security Officer
- No Right to Delegate Security Compliance to a Subcontractor Without Customer Approval

Page 34: Best Practices In Corporate Privacy & Information Security

Security: Privacy Specific Requirements – Authentication & Authorization

- Two Factor Authentication Technology
- System Access Must Be Logged
- Access Logs Retained for At Least 90 Days
- Registration & Access Privilege Process Must Be Documented
- Outsourcing Vendor Agrees to Audit At Least Quarterly the List of System Administration & Support Users
- Disable Access for Users Who No Longer Need to Support the Contract
- Unique User ID for Each User
- Password Life No Longer than 90 Days
- Outsourcing Vendor Must Audit Password Policy Compliance at Least Every 6 Months and Report Weaknesses
- Outsourcing Vendor Must Notify Customer within 24 Hours of Any Compromise
- Automatic Lockouts after 4 Consecutive Unsuccessful Tries
- Only Unlock Account with Customer Permission
- Limit Access to Authorized Users
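The controls on this slide can be turned into a mechanical check. The following is an added example, not part of the deck or of any DuPont tooling: the `Account` class and `review_accounts` function are hypothetical names, the thresholds are the slide's own (90-day password life, 90-day log retention, lockout after 4 consecutive failures, unlock only with customer permission), and the sample accounts are constructed.

```python
from dataclasses import dataclass

MAX_PASSWORD_AGE_DAYS = 90    # password life no longer than 90 days
MIN_LOG_RETENTION_DAYS = 90   # access logs retained for at least 90 days
LOCKOUT_THRESHOLD = 4         # automatic lockout after 4 consecutive failures


@dataclass
class Account:
    user_id: str
    password_age_days: int
    supports_contract: bool = True  # still needed to support the contract?
    failed_logins: int = 0
    locked: bool = False

    def record_login_attempt(self, success: bool) -> bool:
        """Apply the lockout rule; returns True only if the login is accepted."""
        if self.locked or not self.supports_contract:
            return False
        if success:
            self.failed_logins = 0
            return True
        self.failed_logins += 1
        if self.failed_logins >= LOCKOUT_THRESHOLD:
            self.locked = True
        return False

    def unlock(self, customer_approved: bool) -> bool:
        """An account is only unlocked with the customer's permission."""
        if not customer_approved:
            return False
        self.locked, self.failed_logins = False, 0
        return True


def review_accounts(accounts, two_factor_enabled, log_retention_days):
    """Return findings against the slide's controls; an empty list means compliant."""
    findings = []
    if not two_factor_enabled:
        findings.append("two-factor authentication not enabled")
    if log_retention_days < MIN_LOG_RETENTION_DAYS:
        findings.append(f"access logs kept {log_retention_days} days, need {MIN_LOG_RETENTION_DAYS}")
    seen = set()
    for a in accounts:
        if a.user_id in seen:  # unique user ID for each user
            findings.append(f"{a.user_id}: user ID not unique")
        seen.add(a.user_id)
        if not a.supports_contract:  # disable users who no longer support the contract
            findings.append(f"{a.user_id}: access should be disabled")
        if a.password_age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{a.user_id}: password older than {MAX_PASSWORD_AGE_DAYS} days")
    return findings
```

Run `review_accounts` over the vendor's exported user list before each quarterly audit; any non-empty result is a weakness to report under the slide's six-monthly password policy audit.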

Page 35: Best Practices In Corporate Privacy & Information Security

Security: Privacy Specific Requirements – Transmission & Storage of PII

- Encrypt Transmissions of PII
- Stored PII Encrypted
- Encryption Must Be Integral and Enforced by the Application (Not at Option of User)
- Master Keys Under Exclusive Control of Customer

Application Development

- Separate, Distinct Computing Environments
  - Production System
  - Development Environment
- Policies & Procedures to Prevent Introduction of Untested or Unapproved Changes into the Production System
- Not Use Actual Production System for Development, Testing or Troubleshooting Without Customer
- Destroy Development Data

Page 36: Best Practices In Corporate Privacy & Information Security

Security: Privacy Specific Requirements – Event Logging

- Virus Infections
- System Administrative Rights Usage
- System Support Logins
- System Shutdowns and Restarts

Security Patches and Virus Protection

- Where Technically Feasible, Vendor Installs Virus Protection Software
- Apply Virus Updates Within 24 Hours
- Apply Security Patches Within 24 Hours

Page 37: Best Practices In Corporate Privacy & Information Security

Security: Privacy Specific Requirements – Access Restrictions

- Limit Physical Access to Equipment Storing PII on a "Need" Basis
- Upon Contract Termination, Documentation Destroyed or Rendered Unreadable

Equipment Sanitization

- On Termination of Agreement or Replacement of Equipment Storing PII
- Render Data Unreadable and Unrecoverable
- Includes Equipment and Storage Media

Audit Requirements

- Audit System at Least Every 2 Years
- Results of Audits and Corrective Actions Made Available to Customer and Possibly Regulatory Agencies

Backup Requirements

- Replicate All PII on Backup System
- Locate Backup Facilities at a Different Geographic Location
- Allow Data to Be Reconstructed Within Specified Timeframe

3rd Party Notification of Breaches

Page 38: Best Practices In Corporate Privacy & Information Security


Questions and Conclusion