In partnership with SCOS

Ipswitch and cordery on the road " All you need to know about GDPR but are too afraid to ask "



IPSWITCH

Paolo Ferrari, Director, Solution Sales and Professional Services - EMEA, APAC and LATAM at Ipswitch, Inc.

Sébastien Roques, Regional Sales Manager Northern Europe at Ipswitch, Inc.


Jonathan Armstrong

Jonathan is an experienced lawyer with a concentration on technology and compliance. His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries involving emerging technology, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies.


Why are we here today?


World’s biggest data breaches in 2015, showing losses of 30,000 records and up.


SURVEY


2016 State of Data Security and Compliance


About us...


Ipswitch Company Overview

Company Overview

• Founded 1991
• Headquarters: Lexington, MA
• Remote Offices: Alpharetta, GA; Madison, WI; Heidelberg, Germany
• 300 Employees

Financials

• Privately Held
• Revenues of $76M+ in 2015
• Over 55% Recurring Revenue
• Over 50% of Revenues from Indirect Channel
• 30% from International
• Double Digit EBITDA Margin
• No Debt

Customer Overview

• 25,000+ Active customers
• Across 168 countries
• Present in a wide array of industry verticals
• Strong renewal rates on both product lines


One Ipswitch: 2 minute company overview


Ipswitch at a Glance

• LARGE AND THRIVING CUSTOMER BASE: Over 25,000 Global SMB, Government & Enterprise Customers
• SECURE CONTROL of Business Transactions, Applications and Infrastructure
• CORE PRODUCT LINES: IT and Network Monitoring; Secure Information and File Transfer
• The Pioneer in EASY TO TRY, BUY AND USE IT Management Software


Ipswitch Products

Secure Information and File Transfer

• MOVEit - Managed File Transfer
• WS_FTP - Secure File Transfer
• MessageWay - B2B File Transfer and Integration
• Ipswitch Analytics - SLA and Compliance Analytics

IT Monitoring and Management

• WhatsUp Gold - Unified Network, Server & App Monitoring
• Event & Log Management - Collects, stores and analyzes log files
• AlertFox - Web Performance Monitoring


25,000+ active customers in 116 countries


All you need to know about GDPR but are too afraid to ask...

12 October 2016

Jonathan Armstrong

@CorderyUK

© Cordery 2016

Data Security - Landscape

• Personal data has a value

• Different political reactions

• Different legal systems worldwide

• Different enforcement even within Europe

• Contrasting approach Europe -v- US

• Snowden has changed the game

• Schrems has had a real impact

• GDPR already a reality


Current UK Legislative background

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”


Section 13 of the Dutch Personal Data Protection Act

“The controller implements appropriate technical and organisational measures to protect personal data against loss or any unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures will guarantee a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. These measures also seek to prevent the unnecessary collection and further processing of personal data.”

* unofficial translation


Example: South Wales Police

• South Wales Police had sensitive films from victims
• They recorded the interviews
• They moved the videos between offices, courts etc. on DVD
• The DVDs were encrypted & stored in a desk drawer
• The DVDs were lost after an office move although the loss was not reported for two years
• Victim made a formal complaint
• Prosecution prejudiced
• ICO fined South Wales Police £160,000


Prevention

Dutch AP: “Contingency plan. Every organisation should have a contingency plan indicating exactly what is to happen in the event of an emergency. However, such a plan is useful only if personnel are familiar with it and regular drills have been held to practise its implementation...”


New EU data rules

• A = aims
• B = benefits
• C = consequences


New EU data rules - Aims

• Proposed Regulation not Directive (but with carve-outs)
• Data protection by design/default
• Data Protection Impact Assessments (aka PIAs)
• Suppliers outside EU in scope
• Toughened (local not centralised) enforcement bodies - audits & dawn raids
• Breach reporting in 72 hours
• Distinction between processor and controller diminishes
• Data Protection Officers
• Transfers to 3rd countries - Binding Corporate Rules


New EU data rules - Benefits

• No general registration requirement?
• One stop shop?
• Consent less of an option?
• Right to be forgotten?
• Right to portability?
• Right to object to profiling?
• Enhanced SAR Regime?


New EU data rules - Consequences

• More to do for controllers and processors
• Liability & compensation (material or non-material damage)
• Fines of up to 4% of global annual turnover
• Shared investigations across the EU
• Greater reputational risk
• Shareholder/investor engagement


GDPR already a reality

• Data breach reporting laws in Germany, Austria and The Netherlands (but not identical to GDPR)

• Usually a notification in The Netherlands to the AP must be done “immediately” and in any case within 72 hours – AP received 1,500+ notifications in first four months, c.70 regulatory actions

• Increasing fines (for example in The Netherlands €820,000 or 10% of annual net turnover)

• Amendments to introduce parts of GDPR in Belgium
• Privacy policy code in the UK
• CJEU right to be forgotten case (Dutch Regulator has already investigated 111 RTBF cases up to May 2016)


EU Cybersecurity Directive (NIS)

New EU Cybersecurity Directive requires EU Member States to improve their national cybersecurity capabilities and improve cooperation between them on cybersecurity.

Businesses also affected - “operators of essential services” and key “digital service providers” who will be required to:
- Assess the risks they face and adopt appropriate and proportionate measures; and,
- Report to regulators major security incidents on their core services - the “incidents” that will have to be reported are broadly defined as “any event having an actual adverse effect on the security of network and information systems.”


Your response

1. Have an action plan
   • Take a risk based approach
2. Have a proper data breach response plan;
3. Invest in proper technology;
4. Review vendor contracts – you will need their help to report security breaches. Check you have the right contract with them. Find vendors who know GDPR;
5. Put in place a DPIA process;
6. Get your documents and records ready to produce in a regulatory inspection – factor this into overhead costs;


Your response continued

7. Think of a world without employee consent and tougher consent generally;

8. Make sure things like the right to be forgotten, the right to not be subject to profiling are all covered in policies and procedures;

9. Brief the Board and look at annual reporting requirements;
10. Train staff on all aspects of the law;
11. Set up and undertake regular compliance audits/reviews; and
12. Sense check your plans with specialist lawyers.


Resources

• EU Cyber Security – www.bit.ly/eucyber
• New EU Data Rules – www.bit.ly/gdprfaqs
• Privacy Shield – http://www.corderycompliance.com/privacy-shield-faqs/
• GDPR film – www.bit.ly/gdprfilm
• Right to be forgotten – http://bit.ly/1tB8Osb
• Cordery news – http://bit.ly/1vnFHJm
• Podcasts – www.bit.ly/techlaw10
• Weltimmo – http://www.corderycompliance.com/european-court-weltimmo-ruling-on-the-jurisdiction-of-data-protection-regulators/
• Mossack Fonseca – http://www.corderycompliance.com/mossack-fonseca-panamaleaks-breach-has-significant-compliance-consequences-for-most-businesses/
• LinkedIn – www.linkedin.com/in/jparmstrong
• What the Romans teach us about cybersecurity – https://theanalogiesproject.org/the-analogies/romans-teach-us-cybersecurity/


Questions

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority. SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520

Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Jonathan Armstrong, Cordery

[email protected] +44 (0)207 075 1784

www.twitter.com/armstrongjp