eu data protection regulation - isaca conference... · 5419/16 dataprotect 2 jai 38 mi 25 digit 21...
TRANSCRIPT
EU Data Protection Regulation – why we have it and what to do about it?
ISACA Malta – 13th May 2016
Sarb Sembhi CISM
Chief Technology Officer & Acting Chief Information Security Officer
Disclaimer
• The views expressed in this presentation are those of the presenter and not ISACA Malta or Noord Group
• Nothing in this presentation is intended to be advice, it is presented as views of the presenter
• Please verify any actions you decide you wish to consider further – I am not a legal expert
• Things are still not final until challenged in the courts … but we’re getting closer
• I am not anti-US or Anti US businesses, but am against abuses of legislation which result in unfair competition against local businesses (especially if those business are in the EU)
Objectives
• Convey that although Data Protection seems complex (and it is) but when you understand the different stakeholders’ positions, it becomes clearer (except that there are too many stakeholders)
• Don’t get caught up in the details right now, there are too many of them – several have yet to be tested
• Although lawyers can help you with the legal bits, you will need to understand and determine the practical and technical implementation aspects yourselves
• Don’t worry, there will be plenty of more detailed information sessions once supervisory authorities start to interpret the Regulation
Agenda
• Why it is all personal?
• Where we were with Data Protection before now?
• What changed and led to the draft EU GDPR?
• What is in the final EU GDPR?
• What about the Privacy Shield?
• What do we do about moving towards compliance?
4
Why it is all personal?
• National stakeholders
• Local differences
• Technology
• Business interests
• Value of data (or lack of it)
• People only likely to relate or react when its personal (sometimes not even then) or remain unaware
5
This is the sort of data that we expect to get stolen
• Equifax, one of the big-three US credit bureaus, has been targeted by fraudsters that search for W-2 data and use it for claiming fraudulent tax returns
• But the company hasn’t been breached. Instead, in an approach similar to the one recently used to steal W-2 data from the ADP customer portal, the crooks misused the fact that not many users change default login credentials they have been assigned, and managed to access random accounts and harvest the data in them
• The real victims are the employees, current and former, of US grocery giant Kroger, Stanford University, Northwestern University, and probably other businesses and institutions, whose data has been stolen and misused.
And we expect this too
• Fast-food chain Wendy’s disclosed it was a victim of a point-of-sale system attack that installed malware on PoS computers affecting 300 franchise restaurants. The disclosure was part the company’s first quarter 2016 SEC filings on Wednesday and is the most complete account to date of a 2015 data breach
• … starting in the fall of 2015, malware was installed through the use of compromised third-party vendor credentials and targeted a PoS system used in a minority of its stores. According to Wendy’s, the breach impacted about 5 percent of the company’s 5,500 North American restaurants
But what about this?
• Identity thieves stole tax and salary data from payroll giant ADP by registering accounts in the names of employees at more than a dozen customer firms
• ADP says the incidents occurred because the victim companies all mistakenly published sensitive ADP account information online that made those firms easy targets for tax fraudsters
• ADP emphasized that the fraudsters needed to have the victim’s personal data — including name, date of birth and Social Security number — to successfully create an account in someone’s name
Big breach self-disclosed in the UK
• Kiddicare, a specialist child and baby retailer in the UK, has suffered a data breach and warned close to 800,000 customers that their personal data was exposed by hackers
• … the stolen data, which included names, email addresses, phone numbers and shipping addresses, was taken from a test site that has now been deleted. Payment details were not accessed by hackers as the company does not store such information on its systems
• The company became aware of the data breach after customers reported suspicious text messages that were not sent by Kiddicare and reported itself to the UK's Information Commissioner
How is this different / similar to having an affair?
• A data breach at a sex forum has resulted in the exposure of 107,000 accounts
• More than a third (37 per cent) of those affected by the Rosebutt Board were already included in the Have I Been Pwned? Site
• Info exposed includes usernames, email addresses, IP addresses, and weakly hashed passwords
• … many of whom have been placed at risk of public humiliation or blackmail as a result of their sexual proclivities
This is just plain rude
• Jailed hacker claims that he repeatedly breached the personal email server of US presidential candidate Hillary Clinton in early 2013 when she was Secretary of State
• Other past victims of Guccifer include Colin Powell and a member of the Bush family. Lazar was extradited in early April to a Virginia jail from a Romanian prison where he was serving a seven-year sentence for cyber-crimes.
So, what personal data is out there? 1
• Telephone Call time, date, duration, originating / destination number, possibly content of call (VOIP, wiretapping)
• Unencrypted emails (Gmail, Hotmail, Yahoo, etc.)
• Perhaps even encrypted emails
• Calendar and contact data
• Other unencrypted traffic
• Including: access to all social media sites, uploading utilities, etc.
• Data collected by mobile device applications
12
So, what personal data is out there? 2
• Data collected by mobile operating systems
• Data stored by backup sites
• Data collected by voip services
• Data collected by mobile payment services
• Search request data
• VPN log data
• This is regardless of business cloud services
13
Plus more, with much more to come
• Data collected by Google Glass like products
• Data collected by smart tv’s (which watch you viewing TV)
• Data collected by smart meters & smart grid
• Data collection by driverless cars
• Data collected by Internet of Things devices around the home
• Data collected on wearable & health devices
• Mobile Payments (like all the new pay systems)
• Advanced Big Data analysis and data mining tools
• Criminal use of above tools to create new business models based on data stolen from above sources
14
Yes, it is really personal
• 27 EU members each with different cultures and histories around privacy, ID cards, etc.
• Several EU leaders only interested in the NSA revelations once they knew that they calls and data had likely been intercepted
• Customers and employees may only understand the issues when it happens to them
• When there is compensation involved its personal
15
Where we were with Data Protection before 2012?
• Directive 95/46 EU
• Data Protection Act 1998
• 8 principles – 7th principle “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” relates most obviously to cyber security
• Safe Harbour Agreement 2000
16
What changed and led to the draft EU GDPR?
• Variations in interpretation of the Directive, not only in the legislations themselves, but also in interpretations of wordings
• Burden to pan-European businesses in complying to each location’s interpretation
• Greater amount of personal EU citizen data being held outside of EU
• Great amount of personal data being collected by non-EU data controllers
• Experiences of abuses of fair use, purposes, adequacy, accuracy, retention, recognition of rights, security and transfers
• More case law, less advisories from Supervisory Authorities
17
What else has changed?
• Ease of portability and transportability of data
• Regular (weekly) large scale data breaches
• Issues around control and ownership of personal data
• Recognition of the needs of Y generation to start again
• Economic climate – triple dip recession?
• Unfair competition
• Businesses that collect personal data and can leverage technology, as well as the tax system appear to be the most profitable and challenge existing business models
18
Finally …
• A recognition by many that the 1995 Directive is no longer able to be fit for purpose due to the vast changes in everything
• Draft EU GDPR went public in February 2012
• Causes a great debate that it is too over the top
• Then Snowden effect in June 2013 onwards
• Then the respective amendments by each of the two sides
19
But, don’t forget the Snowden effect!
• Disclosures of mass US government surveillance
• Many large US data controllers considered to be complicit in providing data to intelligence services about EU citizens
• World leaders identified as having been targets of US surveillance activities
20
What happened after Snowden? 1
• The privacy lobbies have been requesting: o clearer extensive rights from the outset and when things go wrong; o greater obligations for data processors
• data processors have been requesting : o less onerous obligations; o greater fuzziness in the language; o greater ease of managing relationship with a SA
• Supervisory Authorities have been requesting : o some of the above; o ease of managing issues in other member states for subjects; o powers to fine larger sums in relation to world wide turnover;
21
What happened after Snowden? 2
• Intelligence agencies have requested: o ability to collect data for nation security purposes – this has overtaken privacy concerns in
some cases, and created better understanding of citizen and non-citizen surveillance
• After around 4,000 amendments, where a high percentage were funded by US corporate interests – more money spent on lobbying this single legislation than all others put together, ever!
• Pause for thoughts: Do our privacy and Data Protection laws come from the US internet giants? Do Europeans only get what the US corps give us?
• Several tripartite (European Commission, European Parliament and European Council) discussions and agreements have taken place to produce the final version which is likely to be out by year end
• It is likely that businesses will have around 18-24 months to implement compliance measures
22
To cut a very long story slightly shorter
• … Well shorter than 4000 amendments anyway
• And then it came … there was light at the end of the tunnel …
The full text – all 261 pages
Brussels, 6 April 2016 (OR. en) 5419/16 DATAPROTECT 2 JAI 38 MI 25 DIGIT 21 DAPIX 9 FREMP 4 CODEC 52
EU level 1
• Regulation not a Directive
• One single European law
• Every company supervised by lead single Supervisory Authority to provide 1 shop stop approach
• Broader territorial scope – will apply to: • controllers and processors established in EU that process personal data; and
• controllers and processors not based in EU who target individuals who are in the EU.
• No longer a requirement to register to process data (in every country)
• Data cannot be transferred to any country not providing the same adequate level of protection
EU level 2
• Expanded definitions / new concepts: • Personal Data – GDPR clarifies location data, genetic data, online identifiers and technology identifiers are
personal data • Pseudonymous Data – defined as data that does not allow identification of individuals without additional
information and is kept separate • Anonymised Data – not within scope of GDPR • Profiling – automated processing of personal data used to evaluate an individual’s “personal aspects”
• Parental consent is required for the processing of personal data of children under the age of 16
• Consent must either be: • unambiguous consent for processing personal data; or • explicit consent for processing sensitive personal data.
• GDPR maintains existing rights , expands them and introduces new rights: • right to erasure (and right to be forgotten); • right to restrict the processing of personal data; and • right to the portability of data.
Country level
• Inform Supervisory Authority when a Controller becomes aware there has been a breach unless the breach has a low risk to individual rights
• Inform Data Subjects to allow them to take necessary precautions
• Right to lodge a complaint with a Supervisory Authority
• Judicial Remedy against Data Controllers or Processors
• Judicial Remedy against Supervisory Authorities
• Class Actions
• Individuals’ Right to Compensation
Company level 1
• A new explicit principle of accountability – controllers must ensure compliance
• New concepts of ‘privacy by design’ and ‘privacy by default’
• Controller must carry out a data protection impact assessment prior to processing data where the processing is likely to result in a high risk for the rights / freedoms of individuals due to: • the use of new technologies; and • the nature, scope, context and purposes of processing.
• Individuals must not be subject to a decision based solely on automated processing (including profiling) that either produces a legal effect or significantly affects them, unless the decision is: • necessary to enter into or perform a contract with that individual; • authorised by law; or • based on individual’s explicit consent.
Company level 2
• Controllers and processors must appoint a DPO in case of: • regular and systematic processing of data subjects on a large scale; and • when the core activities of the controller or the processor consist of processing on a large
scale of sensitive data or data relating to criminal convictions and offences.
• GDPR introduces an obligation to notify personal data breaches: • to the supervisory authority within 72 hours; and • to affected individuals without undue delay (where likely to result in a high risk to such
individuals).
• Data Processors can be liable for the security of personal data
• Obligation to take Technical and Organisation measure, but still have regard to the state of the art and implementation costs
• Follow Codes of Conduct (from industry groups)
• Impose fines of up to EUR 20 million or up to 4% of worldwide annual turnover
What about EU-US Privacy Shield?
What’s the all fuss about Safe Harbour / Privacy Shield? 1
• Safe Harbour scheme set up in 2000
• EU DP law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those in the EU
• The Safe Harbour agreement between the EC and the US government essentially promised to protect EU citizens’ data if transferred by companies in the US. It allowed companies like Facebook to self-certify that they would protect EU citizens’ data when transferred and stored within US data centres
• It is a self-certification scheme managed by the Federal Trade Commission under the oversight of the US Department of Commerce
31
What’s the all fuss about Safe Harbour / Privacy Shield? 2 • In 2008 Australian research firm (Galexia) found "the ability of the US to protect privacy
through self-regulation, backed by claimed regulator oversight was questionable‘
• After Snowden, an Austrian Max Schrems challenged FaceBook that it wasn’t keeping his data safe from the US intelligence agencies, by taking the Irish ICO to court. This was referred to the EU Court of Justice, where the Court ruled that Safe Harbour principles were invalid
• 2 key findings: o US federal government agencies could use personal data under US law, but were not required
to opt in. o EU citizens did not have the same protection or rights in cases of wrong doing under Safe
Harbour as they do under EU law
• Enter Safe Harbour 2, coming your way soon
• Stop Press: EU Model Clauses may also be invalid, however binding corporate rules still most likely OK
32
What does all this mean for your business? 1
• If you are using US based cloud services, you are transferring data, therefore you do need to consider your response to both:
o a) Pre-GDPR o b) Compliance with GDPR
• If you think you are not using any US cloud based services, audit all activities – it is more likely that you are but just don’t know it!
• Identify all the data you currently hold or use and the data you intend to hold or use and separate it according to your obligations and risks – this first (big) step will demonstrate to a Supervisory Authority that you have at least started the process of understanding what is required of you
• Use this data to undertake a privacy impact assessment
• Consider any data you hold or collect that may be excessive for the use it was collected for, and decide a way forward which respects the new rights
• Consider the consent you currently hold and how it will need to change
33
What does all this mean for your business? 2
• Update privacy policies especially: what data you collect; how you will use it; subject rights and how you assist in subjects exercising them; your responsibilities; who and how to complain to
• Consider all your suppliers and all those to whom you supply services to in the context of who holds what data and the assurance you or they need to comply to the Regulation
• Revisit your Incident Response procedures and ensure that they work for you minimising your risks and maximising your response
• Consider the use of specialist services on a retainer basis to assist you doing the above plus more to instil a compliance regime, Virtual DPO, Virtual CIRO, Legal, Incident Response Team
• Consider the use of Cyber Insurance
34
TRUSTe Survey 1
• Across US and Europe
• 100 medium to large organisations
• Respondents had responsibilities for IT or regulatory compliance
• 20% well prepared
• 26% just started
• 44% unaware of vaguely aware
TRUSTe Survey 2
If you remember nothing else …
• Regardless of whether the UK is a member of the EU or not, businesses in the UK will have to comply with the Regulation, since the Regulation relates to anyone handling data about EU citizens
• If you want to export data from the EU, then the territory that you intend to export it to must be able to provide the same safeguards as exists in the EU
• The chances are that if you can show that you have taken a risk based approach, you will most likely not be fined by a Supervisory Authority (ICO in the UK), its where you are unable to demonstrate your approach that you are most likely to be fined
• Equally, it is better to give subjects rights under the GDPR earlier than later than required by law
• Think of compliance to the EU GDPR like health and safety – certain industries / sectors or business types / model will need to do more than others
• There will always the “data protection gone mad” syndrome, but just don’t become part of it
37
What to do, what to do
• Identify who will be responsible
• Review your business case for all data processing (this includes): • Assess current policies • Assess current use of personal and sensitive data • Brief all senior managers – as they will determine the work for their staff in
complying or not as the case may be • Assess current 3rd party suppliers
• Create a knowledge base to share with others
• Produce a gap analysis
• Develop a readiness plan with details on who will do what and by when
• Act on the plan
Finally
We will be back here within 8-10 years from now!
Sarb Sembhi CISM
Chief Technology Officer & Acting Chief Information Security Officer
Questions