Cyberthreats and DataFlows - Dealing with an Interconnected World Orrie Dinstein Chief Privacy Leader and Senior IP & IT Counsel GE Capital CT Privacy Forum Hartford, Sept 2011

Page 1: Cyberthreats and DataFlows - Dealing with an ... · 9/21/2011  · • Physical safety at risk • Loss of productivity • Loss of sensitive data • Reputational damage • Corporate

Cyberthreats and DataFlows - Dealing with an

Interconnected World

Orrie Dinstein Chief Privacy Leader and Senior IP & IT Counsel

GE Capital

CT Privacy Forum Hartford, Sept 2011

Page 2:

The rise of the Hacktivist

Page 3:

Cyber threats: threat actor, motivation, threat

Nation States & Terrorists (cyber-war)

Motivation:

• Espionage

• Strategic or political advantage

• Terrorism

• Data theft

• War

Threat:

• Working ability jeopardized

• Physical safety at risk

• Loss of productivity

• Loss of sensitive data

• Reputational damage

Cyber-criminals

Motivation:

• Corporate espionage

• Financial gain

• Identity theft

Threat:

• Loss of sensitive data

• Decreased competitiveness

• Reputational damage

• Business disruption

Hacktivists (Anonymous; Wikileaks)

Motivation:

• Harassment

• Vandalism

• Fame/PR

• Identity theft

Threat:

• Personal information and nonpublic data made public

• Competitiveness jeopardized

• Reputational damage

Page 4:

• The IMF

• The U.S. Senate

• The CIA’s main public website

• The website of InfraGard, an organization affiliated with the FBI

• The U.K.'s Serious Organised Crime Agency

• Arizona’s Dept of Public Safety

• Fox.com

• PBS

• Sony Pictures

• Bethesda Softworks, a Maryland game maker

• Porn website pron.com

• Websites belonging to the Brazilian government and energy giant Petrobras

• Nintendo

• Booz Allen Hamilton

• Monsanto

• The Turkish government

• NATO

• The Italian Cybercrime agency

• Austrian broadcaster ORF

• U.S. government contractor Mantech International Corp.

• Murdoch’s paper The Sun, directing visitors to a fake article claiming he died

• Fox News Twitter account, falsely tweeting that President Obama had been killed

• The Twitter account for PayPalUK

Page 5:

Page 6:

The Threats

Page 7:

Malware (virus; worm; spyware; Trojan; backdoor; rootkit; keystroke logger)

Scareware

P2P accounts

Scams; Spoofing of accounts

Social engineering

Botnets/zombies (DDoS attacks)

SPAM (also in use in VoIP [SPIT] and IM [SPIM])

Phishing (spear phishing and whaling)

Page 8:

Social Networking threats

• Social networking is becoming the preferred way to interact/connect and becoming a massive repository of personal data

• Increased capability on portable devices and networks

• Convergence of Personal and Business Data

• Increased Software/Hardware Vulnerabilities

• Organized Crime and Targeted Attacks

• Social Engineering

Page 9:

Hacks

• Password crackers

• Social engineering

• Internet attacks (SQL injection; XSS)

Page 10:

Anatomy of a hack – HBGary Federal is taken down by Anonymous

Page 11:

Page 12:

Page 13:

Step 1: SQL injection attack yielded emails, usernames and passwords; the passwords were hashed (stored "encrypted")

Step 2: password crack (rainbow tables) [weak hashing algorithm and short passwords]

Step 3: reuse of passwords allowed access to other machines and to the CEO’s email

Step 4: an elevation-of-privileges flaw allowed root access to some machines

Step 5: emails to an admin allowed access to other necessary servers where remote root access was denied
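The lesson of step 2 is that the stolen hashes were only useful because they were unsalted, fast and built from short passwords. As an added illustration (not part of the original slides, and not the hashing HBGary actually used, which the slides do not specify), the snippet below contrasts an unsalted MD5 store, where every user with the same password shares one digest that a single precomputed table resolves, with a per-user-salted PBKDF2-HMAC-SHA256 store, where equal passwords produce different records and each guess costs real work. The user names and password are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (not from the HBGary incident): two accounts whose
# owners chose the same short password.
USERS = {"alice": "summer11", "bob": "summer11"}

def weak_hash(password: str) -> str:
    """Unsalted, fast hash (MD5 assumed here as the 'weak algorithm').
    Equal passwords give equal digests, so one precomputed hash -> password
    table resolves every such account, across sites, at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt makes precomputed tables useless; the iteration count makes
    every guess cost the attacker the same work it costs the server."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())

def verify(stored: str, password: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in
    constant time so the check itself leaks no timing information."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def distinct_digests(hash_fn, users: dict) -> int:
    """Number of different stored values a password database holds for
    the given users. Unsalted: 1 for USERS; per-user salt: 2."""
    return len({hash_fn(pw) for pw in users.values()})

if __name__ == "__main__":
    print("unsalted MD5 distinct digests:", distinct_digests(weak_hash, USERS))
    print("salted PBKDF2 distinct digests:", distinct_digests(strong_hash, USERS))
    rec = strong_hash("summer11")
    print("verify correct password:", verify(rec, "summer11"))
    print("verify wrong password:", verify(rec, "summer12"))
```

Salting alone does not fix step 3 (password reuse across systems); that is where the deck's multi-factor authentication item applies.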

Page 14:

Prevention

Page 15:

• Policies

• Data classification

• Training and awareness campaigns

• Manage third parties/contractors

• Encryption

• Access controls

• Multi-Factor authentication

• Network monitoring

It all starts with knowing where your data sits and what your data flows are

EASIER SAID THAN DONE!!!

Page 16:

Multiple End-Point Storage Devices

• iPhones and other PDAs

• iPads and other tablets

• Digital Cameras

• Thumb Drives

• CD/DVD Drives

• Smart peripherals

• Personal devices

• Employee mobility – remote access

Increasingly complex environment

Page 17:

Managing Data Flows

Page 18:

Globalization of Privacy: Status of Data Protection Laws around the world

Blue – Comprehensive Data Protection Law Enacted

Orange – No omnibus law but lots of sectoral and state laws

Red – Pending Effort to Enact Law

White – No Law

[World map; labels on the map: "New law", "New regs"]

Page 19:

Global privacy regimes

U.S.

• Limited sectoral legislation

• Primarily self-regulated

APEC/Canada

• Stronger privacy laws and regulatory oversight

• Minimal administrative requirements

EU

• Strong global legislation

• Strict regulatory environment

• Administrative burdens

• Strict enforcement

Page 20:

The E.U.

Page 21:

EUDPD – data transfers

“Transfer” defined broadly; includes mere remote read-only access to EU-based data

Transfers within the EU – allowed, but subject to formalities; needs to be legally justified

Transfer outside the EU/EEA, only to countries that offer “adequate” protection: Switzerland, Argentina, Canada, Israel, some islands you never heard of, and U.S. [“Safe-Harbor” members] or subject to legal justification

Transfers to “inadequate countries” require special exceptions and justifications

Page 22:

Data transfer justifications

Justifications for transfers to inadequate countries:

Data controller obtains “informed consent” of data subject

• requires “unambiguous” consent

• explicit consent for sensitive data, and transfers outside the EU

Under statutory exceptions (very narrowly drafted) [e.g., transfer “necessary for the performance of a contract”]

Under a Contract

• C2C (model/ICC)

• C2P (ICC)

• specific contract

Under Binding Corporate Rules

Aggregate/anonymous data

Page 23:

Binding Corporate Rules

Internal codes of conduct

Only apply to multinational organizations transferring personal information outside the EEA, but within their group of cos.

Requires approval from all relevant EU data protection authorities – Lead Authority system established and 2/3 of the EU countries have accepted it

Applications for authorization must include:

• Evidence that the measures are binding, internally & externally

• Details of a data protection audit plan

• A description of processing and flows of information

• A description of the data protection safeguards in place

• Details of a mechanism for reporting and recording changes

Model checklists, standard application forms and BCR frameworks have been compiled by the WP29

Removes the onerous obligations of executing model contracts for every transfer

Page 24:

BCR’s drawbacks

Approval process is difficult and time consuming

Lead Authority selection is key – DPA attitudes and resources devoted to BCR’s vary

Some Member States’ national law (e.g. Portugal) do not support the concept of unilateral decision making and so cannot approve BCR

The WP29 Guidelines may be taken as rigid templates by some DP authorities.

Substantial changes in an organization’s structure are likely to trigger a requirement for a revised authorization

Page 25:

U.S. Model vs. EU Model:

                U.S.            E.U.
Scope           Sectoral        Comprehensive
Focus           Notice          Core rights
Notices         General;        Detailed;
                opt out         opt in
Approvals       None            Many
Transfers       Unrestricted    Approvals
Enforcement     Decentralized   Centralized
Fines           Significant     Low in most countries

Page 26:

APEC (Asia Pacific Economic Cooperation)

Created an information privacy framework with 9 privacy principles (consistent with OECD Guidelines):

Preventing harm

Integrity

Notice

Security

Collection limitation

Access and correction

Uses of personal information

Accountability

Choice

Endorsed by 21 member economies in November 2004

Page 27:

Operationalizing data flows

Europe

Page 28:

Solving the data flows

Are your int’l data flows point to point?

U.S. – Asia: contracts, accountability

U.S. – Canada: accountability

U.S. – EU: assess your options

Truly global data flows – need global solutions

Corporate Privacy Rules [BCR in EU]

Keep personal data local

Global Consents

World Wide Web of contracts

Page 29:

Data flow checklist

Do you know what data is going to be transferred

Do you know where it is going from and where to

Do you know who might see the data along the way

Did you get all necessary approvals

Did you vet the security, taking into account the nature of the data and the manner of transmission

Do you have contracts in place with vendors and suppliers involved in the data transfer and do the contracts have the necessary privacy clauses

Do you have an incident response plan and team in case data gets lost or stolen

Page 30:

Orrie Dinstein [email protected]

QUESTIONS?