Compliance and a Culture of Integrity

Data and PrivacyOctober 29, 2014

www.pwc.com

PwC

• Increase in the Security and Privacy regulatory mandates in recent years, as well as expected changes in upcoming years

• Emerging technologies and reliance on third parties have created a borderless infrastructure

• Growing demand by business leaders to understand how privacy (“what” data is sensitive to the business) and security (“how” to protect the data deemed sensitive) is integrated

• Increase in threats and vulnerabilities to sensitive data and corporate assets

• Even companies that place great emphasis on securing their business processes can become the victim of cybercrime. Cybercrime can manifest in many ways

• Having a documented, demonstrated and regularly tested program helps in the event of regulator oversight

2

Cyber security and Privacy…..

. . . a Board level issue

PwC

. . . a strategic imperative

Global Business Ecosystem

Pressures and changes which create opportunity and risk 3

Traditional boundaries have shifted

• The ecosystem is built around a model of open collaboration and trust—the very attributes being exploited by an increasing number of global adversaries.

• Constant information flow is the lifeblood of the business ecosystem. Data is distributed and disbursed throughout the ecosystem, expanding the domain requiring protection.

• Adversaries are actively targeting critical assets throughout the ecosystem—significantly increasing the exposure and impact to businesses.

Cyber security . . .

PwC

Nation State

Insiders

Organized Crime

Hacktivists

• Economic, political, and/or military advantage

• Immediate financial gain

• Collect information for future financial gains

• Personal advantage, monetary gain

• Professional revenge

• Patriotism

• Influence political and /or social change

• Pressure business to change their practices

MotivesAdversary

• Trade secrets• Business

information• Emerging

technologies• Critical

infrastructure• Financial / Payment Systems

• PII• PCI• PHI

• Sales, deals, market strategies

• Corporate secrets, IP, R&D

• Business operations• Personnel

information

• Corporate secrets• Business information• Information of key

executives, employees, customers, partners

Targets

• Loss of competitive advantage

• Disruption to critical infrastructure

• Regulatory inquiries and penalties

• Lawsuits• Loss of confidence

• Trade secret disclosure

• Operational disruption• Brand and reputation• National security

impact

• Disruption of business activities

• Brand and reputation• Loss of consumer

confidence

Impact

4

Motivated Adversaries

PwC 5

Current cybersecurity risks and trends

Even companies that place great emphasis on securing their business processes can become the victim of cybercrime.

• large organizations (those with gross annual revenues of $1 billion or more) detected 44% more incidents compared with last year.

Source: 2014 PwC Global State of Information Security Survey

PwC 62009 2010 2011 2012 2013 2014

The average number of annual detected incidents has increased, evidencing today’s elevated threat environment. As a result, total financial losses due to incidents has risen given the cost and complexity of responding to threats.

Current cybersecurity risks and trends

Source: 2014 PwC Global State of Information Security Survey

PwC 7

• Mobile security is an area of continued vulnerability. Mobility has generated a deluge of data, but deployment of mobile security has not kept pace

• Companies are increasingly sharing data with third parties. While services can be outsourced, accountability for security and privacy cannot

• Compromises attributed to third parties with trusted access increases while due diligence weakens:

• Very few organizations have true visibility into third party business partners

• Changing relationship between the organization and consumers- multiple channels/consumer touch points (e.g. website/mobile site/app/store) without centralized oversight and “control”

Current cybersecurity risks and trends

55% have security baselines for external partners, suppliers, and vendors (60% in 2013)

50% perform risk assessments on third-party vendors (53% in 2013)

PwC 8

• Current and former employees are the most-cited culprits of security incidents, but implementation of key insider-threat safeguards is declining:

• While less frequent, incidents attributed to nation-states, organized crime, and competitors increased sharply in 2014:

Current cybersecurity risks and trends

56% have privileged user-access tools (65% in 2013) 51% monitor user compliance with security policies (58%

in 2013) 51% have an employee security training and awareness

program (60% in 2013)

86% jump in incidents by nation-states

64% rise in compromises by competitors

26% increase in incidents by organized crime

PwC 9

Average cost of a compromised record: $188*

Average cost of a data breach: $5.4M *

Estimated annual losses to business from data and identity theft: $150B**

Publicized breaches of personal information:

1,097 1,631

2011 2012

1390

2013Estimates at $3M in lost business per incident*

Average cost of post breach response activities (legal fees, forensics) - $1.5M*

Each card brand can assess fines for PCI non-compliance. Examples include:• Visa (pre breach)$5K-$25K per

month• MasterCard (related to breach)

$100K for each PCI violation

*Source: Ponemon Institute’s “2013 Annual Study: U.S. Cost of a Data Breach”**Source: McAfee 2013 Study: “The Economic Impact of Cybercrime and Cyber Espionage”

Data breaches are costly and on the rise

PwC 10

State Breach Notification Laws

Generally, the laws mandate that if there is:• unauthorized access to

or disclosure of unencrypted personally identifiable information (PII) that

• threatens the security of such PII and

• creates a risk of identity theft

The person that "owns" such PII must notify affected:• state residents• state agencies and/or• consumer protection

agencies

Forty seven US states plus DC, Guam, Puerto Rico and the Virgin Islands

• Alabama, New Mexico and South Dakota have no law

PwC 11

State Security Breach Laws – a quick comparison

Scope of Personal Information covered

Key data such as name plus SSN< bank account number, credit card number (Illinois)

Passwords, PINS and other access codes (Alaska)

Date of birth, electronic signature (North Dakota)

Biometric data such as fingerprints, voice print and retinal images (Nebraska, North Carolina)

Trigger for notification obligation

No notice unless misuse of the data is likely (Colorado)

Notice if breach creates a substantial risk of ID theft or fraud (Maine)

Notice if there is reason to know that personal information was acquired (Mass)

Recipient of Notice

Impacted resident (all states)

Consumer reporting agencies if > 500 (Minnesota)

Consumer reporting agencies if > 1000 (Michigan, Nevada)

Consumer reporting agencies if > 10000 (Georgia)

Content of Notice

Describe nature of the incident (North Carolina)

Don’t describe nature of the incident (Mass)

Timing of Notice

As soon as practicable (Mass)

Five days (California)

After a reasonable investigation has been conducted (Arizona)

PwC 12

Most incidents are not cyber security or hacking events, for example:

• Lost or stolen employee laptop (encryption will help)

• HR employee accidentally sending spreadsheet to the wrong person

• Vendor accidentally uploading file to the wrong server

Even the small ones take time to address:

Typical Data Breach Legal Response

What data was involved?

Was it encrypted?

Who accessed it? How trustworthy are they?

How can it be used by the person who accessed it?

Is there a likelihood of harm? (some states don’t care)

Finding the individuals’ names and contact information

Drafting letters based on state requirements

PwC 13

Need to do analysis to determine if notice is required:

• Look at the various state laws

• Look at your customer contracts (for B to B)

• Comply with your privacy notices

Even if notice is not required, it may be appropriate:

• Is there an ethical responsibility to notify?

• If notify in one state, should you notify in all?

• Could it be a bad PR move not to notify, even if not required?

• But over-notification also has its issues

A robust Incident Response Plan is necessary to enable prompt reaction. Prompt reaction is key to a successful response.

Typical Data Breach Legal Response

PwC 14

How to monitor for data loss and potential threats

• While organizations have made significant security improvements, they have not kept pace with today’s determined adversaries – many rely on yesterday’s security practices to combat today’s threats

• Even the most advanced blocking techniques are inadequate against motivated and targeted attacks. Reduce reliance on prevention-only capabilities

• Spend less on prevention, invest in detection, response and predictive capabilities

• Assume a state of continuous compromise, necessitating continuous monitoring, response and remediation

• Architect for monitoring at all levels of IT stack – network, OS, application, content, transactions and user behaviors – and develop security operations center responsible for continuous monitoring, detection and response

• Chose context-aware network, endpoint and application security solutions that provide prevention, detection, prediction and response capabilities

PwC

Historical IT Security Perspectives

Today’s Leading Cybersecurity

Insights

Scope of the challenge • Limited to your “four walls” and the extended enterprise

• Spans your interconnected global business ecosystem

Ownership and accountability

• IT led and operated • Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics

• One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain

• Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection

• One-size-fits-all approach

• Prioritize and protect your “crown jewels”

Defense posture • Protect the perimeter; respond if attacked

• Plan, monitor, and rapidly respond when attacked

Security intelligence and information sharing

• Keep to yourself • Public/private partnerships; collaboration with industry working groups 15

Evolving perspectives - adapting to the new reality

PwC

Building a Cyber Security & Privacy Program

16

PwC 17

1. An effective governance structure

2. A strong culture and attitude at all levels

3. An effective risk assessment process

4. A complete, dynamic, current lifecycle data inventory that includes third parties

5. Controls aligned with a selected framework

6. An effective training and awareness program

7. An effective team that ensures compliance with laws and regulations

8. An effective auditing and monitoring function

9. Policies and procedures that are current, communicated, and followed

10. An effective, documented, and tested incident response plan

11.An effective, documented, and tested Business Continuity and Disaster Recovery plan

17

• Creating a robust strategy that accounts for a complex, multi-regulatory & changing environment

• Managing individual concerns and perceptions across differing cultures

• Understanding the information the organization collects & processes

• Managing information across the data lifecycle, within and outside your organization

• Building secure networks and systems

• Standardizing practices across all entities and regions, including all channels

• Coordinating incident response

• Driving policy and controls into business practices and technology

• Adopting privacy values throughout the enterprise

• Ensuring Business Continuity & Disaster Recovery strategies are in place

Common challenges and keys to an effective program

PwC 18

C – Suite Focus Areas

Secure information is power

• Align with the business

Strategy, Governance & Management

• Security by design

Security Architecture &

Services

• Address threats & weaknesses

Threat, Intelligence & Vulnerability Management

• Enable Secure Access

Identity & Access

Management

• Adapt to the future

Emerging Technologies & Market Trends

• Manage risk and regulations

Risk & Compliance

Management

• Anticipate & respond to security crises

Incident & Crisis

Management

• Safeguard critical assets

Data Protection & Privacy

Cyber Security program components

PwC 19

4Assess cybersecurity of third parties and supply chain partners, and ensure they adhere to your security policies and practices

2Identify your most valuable information assets, and prioritize protection of this high-value data

1Ensure that your cybersecurity strategy is aligned with business objectives and is strategically funded

3Understand your adversaries, including their motives, resources, and methods of attack to help reduce the time from detect to respond

5Collaborate with others to increase awareness of cybersecurity threats and response tactics

Taking action: 5 steps toward a strategic cyber program

PwCPwC

Contacts

Bonnie L. YeomansVP, Assistant General Counseland Privacy OfficerCA Technologies(631) 342-2678bonnie.yeomans@ca.com

Ariel LitvinDirector - IT Risk & Security AssurancePwC(646) 471-0999ariel.litvin@us.pwc.com

© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

Jacqueline T WagnerManaging Director – New York Privacy LeaderPwC(646) 471-5644jacqueline.t.wagner@us.pwc.com

20