Data Security Issues - PDF document

1 Data Security Issues Moderated by:Paul M
Data Security Issues Moderated by:Paul M. SchwartzBerkeley Law SchoolFourth Annual BCLT Privacy ForumMarch 13, 2015 Roadmap Introduction: Data Se

2 curityTop Three Data Security Issues or
curityTop Three Data Security Issues or Trendsof the Next 18 MonthsPragmatic Data Security AdviceQuestions and Answers roblem withcomputer security i

3 s that most of the advice we are given i
s that most of the advice we are given is absurd.” The CyberSummit(Feb. 13) “Mr. Obama...made clear that his six years in the presidency ha

4 d given him a new appreciation of how th
d given him a new appreciation of how the government will be called upon to protect citizens against the most severe [cyber] attacks...” Sourc

5 e (text and image): N.Y. Times; http://w
e (text and image): N.Y. Times; http://www.nytimes.com/2015/02/14/business/obamaurgestechcompaniescooperateinternetsecurity.html?_r=0 The White Hou

6 se, CyberSummit(Feb. 13) “[O]ur con
se, CyberSummit(Feb. 13) “[O]ur connectivity brings extraordinary benefits to our daily lives, but also brings risks.” The White Hous

7 e CyberSummit(Feb. 13)‘“People
e CyberSummit(Feb. 13)‘“People have entrusted us with their most personal and precious information . . . We owe them nothing less than the

8 best protections that we can possibly pr
best protections that we can possibly provide.” Source: http://www.nytimes.com/2015/02/14/business/obamaurgestechcompaniescooperateinternetsecur

9 ity.html?_r=0 Verizon Data Breach Repor
ity.html?_r=0 Verizon Data Breach Report (2014)://www.verizonenterprise.com/DBIR/2014/ New York Attorney General’s Data Breach Report://www.ag.

10 ny.gov/pdfs/data_breach_report071414.pdf
ny.gov/pdfs/data_breach_report071414.pdf California Attorney General’s Data Breach Reporthttps://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2

11 014data_breach_rpt.pdf Target Data Breac
014data_breach_rpt.pdf Target Data Breach Costs Source: http://www.law360.com/privacy/articles/625014?nl_pk=eb8638788a06aeef03a5c4a3 Sony Data Hack S

12 ony Data Hack Jan. 23, 2015 Data Securit
ony Data Hack Jan. 23, 2015 Data Security: Looking into the Future Ruby Zefo, Intel Corp.Vice President of Law andPolicy Group, Chief Privacy & Secur

13 ity Counsel Ruby Zefo| Top Three Data Se
ity Counsel Ruby Zefo| Top Three Data Security Trends | Trend 3Big Data. And Cloud Security. Ruby Zefo| Top Three Data Security Trends | Trend Data b

14 reach preparedness and management:Standa
reach preparedness and management:Standards and enforcement against “unreasonable” security measures (NIST, FTC, class ctions, etc.). Ruby

15 Zefo| Top Three Data Security Trends | T
Zefo| Top Three Data Security Trends | Trend Internet of Things ecosystem security not just consumer devices Disclaimer from Moderatorhotographs of c

16 elebrities used solely for educational p
elebrities used solely for educational purposesndorsement of celebrities notimplied Right of publicity “fair use” safeguarded by the Califo

17 rnia Supreme Court Winter v. DC Comics,
rnia Supreme Court Winter v. DC Comics, 30 Cal. 4th881(2003Comedy III Productions, Inc. v. Gary SaderupInc25 Cal. 4th387 (2001 Travis LeBlanc, FCCChi

18 ef of the Bureau ofEnforcement Travis Le
ef of the Bureau ofEnforcement Travis Leblanc | Top Three Data Security Trends | Trend 3Calls for increased security for connected devices as the Int

19 ernet of Things gains popularity. Travis
ernet of Things gains popularity. Travis Leblanc | Top Three Data Security Trends | Trend More sharing of information as regards data security threat

20 s (whether with the government or betwee
s (whether with the government or between companies). Travis Leblanc | Top Three Data Security Trends | Trend 3 More nation state attacks on U.S. b

21 usinesses. Randy Sabett, PartnerCooley L
usinesses. Randy Sabett, PartnerCooley LLPVice Chair of thePrivacy and Data SecurityPractice Group Randy Sabett| Top Three Data Security Trends | Tre

22 nd 3Increased adoption ofbut some confus
nd 3Increased adoption ofbut some confusion overthe NIST framework as a common data protection mechanism. Randy Sabett| Top Three Data Security Trend

23 s | Trend The “sensorization ”
s | Trend The “sensorization ” of humanity and the difficulties of finding the right balance between privacy and security. Some emerging

24 business models are vigilant about priva
business models are vigilant about privacy and securityothers, not so much. Randy Sabett| Top Three Data Security Trends | Trend A more restrictive f

25 ederal approach plus sectorbased (as opp
ederal approach plus sectorbased (as opposed to broad national) data security mandates. Michelle VisserPartner, Ropes and Gray Michelle Visser| Top

26 Three Data Security Trends | Trend 3Will
Three Data Security Trends | Trend 3Will we see greater clarity, or perhaps more of a split, regarding what Clappermeans for consumers trying to esta

27 blish standing in data security actions?
blish standing in data security actions? Michelle Visser| Top Three Data Security Trends | Trend How will the FTC’s efforts to regulate the 

28 7;Internet of Things” impact the en
7;Internet of Things” impact the enforcement and litigation landscape? Michelle Visser| Top Three Data Security Trends | Trend 1 Will regulato

29 rs and plaintiffs continue to try and ex
rs and plaintiffs continue to try and expand the categories of consumer information that are considered “sensitive?” Kurt Wimmer, PartnerCo

30 vington and Burling LLPChair, Privacy an
vington and Burling LLPChair, Privacy and DataSecurity Practice Group Kurt Wimmer| Top Three Data Security Trends | Trend 3 International: Will th

31 e EU pass the Regulation? Will more coun
e EU pass the Regulation? Will more countries decide not to wait and enact their own breach notification requirements? Kurt Wimmer| Top Three Data S

32 ecurity Trends | Trend Legislation: Will
ecurity Trends | Trend Legislation: Will the parties in Congress be able to work together? Will they preempt the states? Kurt Wimmer| Top Three Data

33 Security Trends | Trend Insurance covera
Security Trends | Trend Insurance coverage for breach costs will become even more contentious. Pragmatic Advice Ruby Zefo, Intel Corp.Vice President

34 of Law andPolicy Group, Chief Privacy &
of Law andPolicy Group, Chief Privacy & Security Counsel Ruby ZefoPragmatic Advice3. Not enough to have an untesteddata breach preparedness plan Ruby

35 ZefoPragmatic Advice2. Document “r
ZefoPragmatic Advice2. Document “reasonable” security measures1. Communicate clearlyfrom the top downwhat your brand is going to mean rega

36 rding data privacy and security. Be con
rding data privacy and security. Be consistent across the company and all of its products. Randy Sabett, PartnerCooley LLPVice Chair of thePrivacy

37 and Data SecurityPractice Group Randy Sa
and Data SecurityPractice Group Randy SabettPragmatic Advice3. If you don’t have a tiger team, form one. If you have a team, talk to them. If yo

38 u talk to them, act on what you talk abo
u talk to them, act on what you talk about. Wash, rinse, repeat. Randy SabettPragmatic Advice2. Buy Framoil filters. Framad campaign: “You can p

39 ay me now or you can pay me later.”
ay me now or you can pay me later.” 100,000 investment today could save millions later on.1. Consider cyber insurance...but vet your agent care

40 fully and read your policy closely. Ther
fully and read your policy closely. There are many misaligned policies out there, with people thinking that they are covered when they are not. Kurt

41 Wimmer, PartnerCovington and Burling LLP
Wimmer, PartnerCovington and Burling LLPChair, Privacy and DataSecurity Practice Group Kurt WimmerPragmatic Advice 3. Have an incident response plan

42 in place beforean incident. Create lin
in place beforean incident. Create lines of authority so that privilege is preserved. Line up advisors, particularly technical experts for remediat

43 ion. Negotiate a master services agreeme
ion. Negotiate a master services agreement so you can hit the ground running. Kurt WimmerPragmatic Advice2. Review your insurance policies. Insure

44 rs are increasingly likely to deny cover
rs are increasingly likely to deny coverage under general policiesassess whether you ought to have cyberinsurance policies.1. Train, train, train. So

45 many breaches are clever phishing attac
many breaches are clever phishing attacks, social hacks and human error. Secure your human resourcesby raising the education level among the user po

46 pulation of your organization. Michelle
pulation of your organization. Michelle VisserPartner, Ropes and Gray Michelle VisserPragmatic Advice3. Ensure that your incident response plan is dr

47 afted with an eye towards litigation and
afted with an eye towards litigation and/or governmental inquiries, and test it. Understand the facts before you disclose an incident Michelle Visser

48 Pragmatic Advice2. Do risk assessments r
Pragmatic Advice2. Do risk assessments regularly, and ensure that resulting action items are addressed. Consider the value of using an outside assess

49 or, working with legal counsel.Know wher
or, working with legal counsel.Know where your data is(Yes, this is still an issue) Travis LeBlanc, FCCChief of the Bureau ofEnforcement Travis LeBla

50 nc | Pragmatic Advice3. For companies, r
nc | Pragmatic Advice3. For companies, require data security standards for any contractor or agent who has access to, or possession of, personal data

51 that your company collects from custome
that your company collects from customers.2. For outside counsel, review your firm’s data security practices. If you don’t have a CIO, hir

52 e one. If you do, begin to work on a pla
e one. If you do, begin to work on a plan for how you can simultaneously accommodate the differing data security concerns and requirements of multipl

53 e clients Travis LeBlanc | Pragmatic Adv
e clients Travis LeBlanc | Pragmatic Advice1. For companies, develop a breach response plan nowDon’t wait until a breach occurs. Assume it will

54 Question and Answers Why so many data
Question and Answers Why so many data breaches in 2014? Source: http://www.csoonline.com/article/2847269/businesscontinuity/nearlybillionrecordswer

55 ecompromised2014.html What did some of
ecompromised2014.html What did some of 2014’s data security breaches look like? Source: http://hackmageddon.com/2014/11/25/fortunecyberattackst