BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.

TRAINING AND AWARENESS: TIPS AND TRICKS FOR GETTING THE MESSAGE TO STICK

Deena Coffman
Jessica Geller
Rebecca Shore-Suslowitz

ACC NATIONAL CAPITAL REGION
2017 DATA PRIVACY AND SECURITY CONFERENCE

The handouts for this presentation were prepared and used to accompany a panel discussion given on September 13, 2017. Neither the information contained herein nor the accompanying comments of the presenters should be construed as the provision of legal advice. Views expressed are those of the specific presenter. They do not necessarily reflect the views of BDO, Blackboard or Under Armour respectively.



TRAINING AND AWARENESS: TIPS AND TRICKS FOR GETTING THE MESSAGE TO STICK (slide 2)

Evolving role of a privacy officer – Privacy program advocate

• General Data Protection Regulation (GDPR)
• Privacy Shield
• Federal Trade Commission (FTC) expectations and European Data Protection Authorities (DPAs)
• Health Insurance Portability and Accountability Act (HIPAA)
• NY State Department of Financial Services (NYDFS)
• Family Educational Rights and Privacy Act (FERPA) and state-specific student data privacy laws
• Payment Card Industry (PCI) standards


Using what’s at your fingertips

Awareness is key to program success.

Leverage existing resources to spread the word.


Using what’s at your fingertips


Prioritizing privacy within the organization

1. Risk assessment: understanding where privacy sits within your risk profile – Who, What, How, Where, When, and Why?

2. Ongoing awareness and interaction: designing a program that encourages privacy-by-design and by-default; talking to stakeholders; incorporating it into project planning, change control and product design.

3. Training/Execution: role-based training, delivered throughout the year (point-in-time), creating a culture of security and privacy.


Risks and your environments are dynamic

Regularly assess: risk assessment results drive training content. Train on what is relevant to your environment and emphasize the greatest risks for the best ROI.

Training specific to risk areas and roles.

Awareness activities to stay top of mind: regularly align awareness and training with the exposures identified in the assessment.

Documentation to support client audits or compliance.

Refresh! The cycle repeats: information gathering; analysis; develop strategy, plan and content; deliver and document.


Techniques and best practices

• Non-traditional communication methods: social media, videos, cartoons
• Conducting a Consent Summit
• Regular touchpoints with business units
• “Privacy” inbox
• “MBWA”
• Gamification
• Repurposing materials: consulting firm and outside counsel materials and newsletters; IAPP materials; ICO materials; ACC materials


Techniques and best practices - Obtaining budget

2015

January, 2015, Xoom, $30 million (US). In January of 2015, Xoom Corp., an international money transfer company acquired by PayPal in the summer of 2015, reported that it had suffered from a $30.8 million loss in the fourth quarter of 2015. Stock for the low cost payments company, which competes with Western Union, dipped 14%, or $31 million, after the loss was announced, but later recovered. The CFO resigned.

February, 2015, Scoular, $17.2 million (US). Scoular Co., an Omaha based commodities trader (and one of the top privately held companies in the U.S.), lost $17.2 million in a spear phishing wire fraud scam. Sidenote: The Financial Times provides an in-depth version of the Scoular attack that can be found here.

August, 2015, Ubiquiti Networks, $46.7 million (US). Months later, in August, Ubiquiti Networks, a San Jose based networking technology company, fell victim to a $46.7 million attack, wiring this sum to a Hong Kong bank account controlled by the attackers.

2016

January, 2016, FACC, $54 million (Austria). Fraudsters topped all previous records, making off with $54 million from FACC, an Austrian aerospace parts manufacturer that designs and supplies parts to Airbus and Boeing.

February, 2016, Crelan Bank, $76 million (Belgium). The record for the largest loss from a targeted spear phishing wire fraud attack was broken when Crelan Bank in Belgium reported it lost $76 million.


Techniques and best practices

Making the cybersecurity team an extension of your own phishing exercises


Demonstrating awareness program effectiveness


Techniques and best practices

• Tabletop exercises
• Cross-functional privacy meetings
• Pop-up messages when risky activities are performed
• Email header alerting that a message is from an external sender
• Self-promotion
• Make it fun!
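The external-sender alert listed above is the one item on this slide whose logic is worth seeing written out, because the decision that drives the banner is easy to get wrong. The block below is an added example prepared for this handout, not code from the presenters or their companies. It assumes the organization owns the constructed domains ddg.example and corp.ddg.example (borrowed from the fictional DDG scenario later in the deck), uses a hypothetical X-External-Sender header name, and uses only the Python standard library. The constructed samples show why the decision has to rest on the actual address rather than the display name, that look-alike domains are not treated as internal, and that a message with no usable From header is tagged rather than trusted.

```python
"""External-sender tagging: parse a raw RFC 5322 message, compare the domain of
the From address with the organization's domains, and prepend a visible marker
to the Subject of anything that is not internal. Added example; domains and
sample messages are constructed for the deck's fictional DDG company."""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organization domains (constructed; not taken from the deck).
ORG_DOMAINS = {"ddg.example", "corp.ddg.example"}
TAG = "[EXTERNAL]"


def sender_domain(from_header):
    """Lower-cased domain of the address part of a From header.

    parseaddr separates the display name from the angle-bracket address, so a
    display name that merely looks like an internal mailbox does not influence
    the decision; only the real address does."""
    _display_name, addr = parseaddr(from_header or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_internal(domain):
    """True for an exact org domain or a subdomain of one.

    Look-alike spellings are deliberately not matched: anything that is not a
    listed domain is treated as external."""
    return bool(domain) and any(
        domain == d or domain.endswith("." + d) for d in ORG_DOMAINS
    )


def tag_if_external(raw_message):
    """Apply the rule to one raw message.

    Returns (tagged, subject, message). A message with no usable From header
    is treated as external so the rule fails closed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    if is_internal(sender_domain(msg.get("From"))):
        return False, subject, msg
    # Do not stack markers on replies that already carry one.
    if not subject.startswith(TAG):
        subject = f"{TAG} {subject}".rstrip()
    del msg["Subject"]
    msg["Subject"] = subject
    msg["X-External-Sender"] = "yes"  # hypothetical header for downstream rules
    return True, subject, msg


# Constructed sample messages.
INTERNAL = "From: HR <hr@ddg.example>\nSubject: Open enrollment\n\nBody\n"
SUBDOMAIN = "From: Ops <ops@corp.ddg.example>\nSubject: Maintenance window\n\nBody\n"
INTERNAL_LOOKING_DISPLAY_NAME = (
    'From: "ceo@ddg.example" <billing@mail-relay.example>\n'
    "Subject: Wire request\n\nBody\n"
)
LOOKALIKE_DOMAIN = "From: IT <it@ddg-example.com>\nSubject: Password expiry\n\nBody\n"
NO_FROM = "Subject: Hello\n\nBody\n"
ALREADY_TAGGED = "From: Vendor <a@vendor.example>\nSubject: [EXTERNAL] Re: Invoice\n\nBody\n"

if __name__ == "__main__":
    samples = (INTERNAL, SUBDOMAIN, INTERNAL_LOOKING_DISPLAY_NAME,
               LOOKALIKE_DOMAIN, NO_FROM, ALREADY_TAGGED)
    for sample in samples:
        tagged, subject, _ = tag_if_external(sample)
        print(f"{'external' if tagged else 'internal':8}  {subject}")
```

In a real mail platform this rule lives in the gateway or transport layer rather than in a script, but the three decisions it encodes (address, not display name; exact or subdomain match only; fail closed when the header is missing) are the ones to check in whatever product implements the banner.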


For the audio learner

• Live presentation or webinars
• Security awareness e-learning modules (CBT) (SANS, OnGuard)


For the visual learner

• Short, targeted computer tutorials placed at the “point in time”
• Intranet information page
  • Details elements of the security program
  • Links to: policies, training materials, archived copies of newsletters
• Live CLE-approved security awareness training
• Leverage existing resources: e.g., ICO resources - https://ico.org.uk/
• Effective techniques: short messages, delivered in a timely manner, are more effective than 60 minutes of annual training.


For the kinesthetic learner

Anti-phishing: simulate today’s sophisticated fraudulent messages designed to:
• Entice users to click
• Entice users to reveal passwords

Engaging, interactive session where participants discuss common threats.

Tabletop exercises.


For the fierce competitor (not that we have any of these personalities…)

Brief the user community on how well they did in attendance, compliance, and so forth.

Quasi-gamification


Congrats, you’re all Digital Denim Global (DDG) employees

COMPANY OVERVIEW

DDG is the world’s leader in digital denim production. The company’s success is due in large part to its newest release – Smarty Pants – which not only comes in several washes and cuts to suit every fashionista, but also integrates GPS capabilities so you never get lost, tracks how many steps you have taken, and sends an alert to your phone suggesting you stop eating if the waistband sensor is engaged.

The company is headquartered in and operates from the United States, but through its e-commerce site, has a global presence, including a large customer base in the European Union.

Table topic: You have limited resources and want to highlight your program between now and January 1, 2018. Members of your table make up the DDG privacy council (GC, CIO, CISO, CPO, and HR Lead). Outline the one thing you’d do to promote privacy at DDG.

Assumptions: You’re a digital company and have some social networking services available, although adoption has not taken off across the company. Your CISO is new to the company and doesn’t have additional budget to allocate to your efforts.


Outside the privacy awareness box

What did you decide to do, and why?


Takeaways – Short term

1. Be pro-active – use internal company communications channels to sell the privacy story. Go back tomorrow and set up a #privacy channel – check out ACC or IAPP and post a link to one article that your organization might be interested in.

   “Check out this article. This is something the privacy team is keeping an eye on and will let you know if/how it impacts us in the future. Reach out if you have any questions.”

2. Create a privacy mailbox - [email protected]

3. Set up a recurring meeting with your head of cybersecurity (at least monthly)

4. Ask for the summary of your company’s Risk Assessment and Data Map to start focusing your awareness and training efforts on the company’s key risk areas

5. Talk to HR about onboarding and role transition training – open up communications about adding privacy in

6. Ask the cybersecurity team for an update on your company’s phishing training and the related management report


Takeaways – Long term

1. Future-proof your policies and notices

2. Set up your first annual privacy summit

3. Update annual cybersecurity training to include privacy

4. Find opportunities to work with your colleagues in areas throughout the information lifecycle – consider establishing an information governance committee

5. Work with cybersecurity to establish a phishing awareness and training program


Deena Coffman, BDO – Managing Director

EXPERIENCE SUMMARY

Deena Coffman is a Managing Director in BDO Consulting’s Technology Advisory Services practice, leading data privacy and protection with more than 20 years of experience serving in technology, risk and compliance executive management roles.

Previously a COO of a global risk management firm, Deena established its data analytics practice and led cybersecurity and information assurance teams, providing computer forensics, incident response, data analytics, data privacy and compliance services. She also led the global discovery program for a major pharmaceutical company, where she worked closely with international counsel and local data protection authorities (DPAs) to comply with EU and APAC data privacy requirements when moving evidence across international borders.

While at a Big Four accounting firm, Deena served as a secondee to a global financial institution leading its e-discovery program, managing evidence on global and domestic matters in coordination with international counsel and local DPAs to comply with data privacy directives in Asia and the EU.

Prior to joining BDO, Deena was CEO of a boutique consulting firm providing information security and data privacy services, and CISO for the parent company of an international supplier of insurance products related to cyber liability and data breach coverage.

PROFESSIONAL TRAINING AND AFFILIATIONS

Global Information Assurance Security Essentials Certification (GSEC)

International Association of Privacy Professionals (CIPP/US, CIPP/E, CIPM, FIP)

Microsoft Certified Systems Engineer (MCSE)

Microsoft Certified Professional + Internet (MCP+Internet)

EDUCATION

M.B.A., Cornell University

B.A., University of Illinois

Contact Information: [email protected]


Jessica Geller, Blackboard Inc. – Global Privacy and Commercial Transactions Counsel

EXPERIENCE SUMMARY

• Jessica Geller serves as lead counsel for U.S. federal and state student data privacy, breach notification, and data security regulations. Jessica works closely with the company's Data Privacy Officer to develop and implement a global privacy program and GDPR compliance.

• Jessica also advises business and technology stakeholders on creation and implementation of policies for data collection/processing and product development to meet global data privacy regulations.

• Prior to joining Blackboard, Jessica worked for the Discovery Channel and supported its subsidiary company, Discovery Education, with student data privacy and data security related matters.

PROFESSIONAL CERTIFICATIONS

• International Association of Privacy Professionals (CIPP/US)

EDUCATION

• J.D., University of Denver

• B.A., University of Colorado - Boulder

Contact Information: [email protected]


Rebecca Shore-Suslowitz, Under Armour – Associate Counsel, Senior Manager – Global Privacy

Rebecca Shore is a global privacy specialist and strategic planner focused on data privacy, policy development, and strategic and operational privacy planning. Most recently, she has concentrated on the evaluation of digital mobile privacy issues, and the development and implementation of solutions that meet global requirements.

In 2014, Rebecca established Under Armour’s formal privacy program. In this role, Rebecca supports Under Armour Connected Fitness (i.e., MyFitnessPal, MapMyFitness, Endomondo, UA Record, etc.), eCommerce (North America and International), Retail, Human Resources, Marketing, Legal, and Information Technology at Under Armour.

Prior to joining Under Armour, Rebecca worked for ai solutions as a Senior Security Analyst providing cybersecurity and privacy support to the National Aeronautics and Space Administration (NASA) Office of the Chief Information Officer, Information Technology Security Division.

PROFESSIONAL CERTIFICATIONS

• International Association of Privacy Professionals (CIPP/G)

EDUCATION

• J.D., University of Maryland School of Law

• B.A., University of Delaware

Contact Information: [email protected]

This photo was taken while hiking in Iceland and decked out in Under Armour gear. Rebecca used this image in an internal privacy message focused on navigating across privacy waters.