PwC Best Practices for Data Security and Data Breach Protocol Gabriel M.A. Stern, Fasken Martineau DuMoulin LLP Jason Green, PricewaterhouseCoopers

Post on 23-Dec-2015

TRANSCRIPT

Page 1: PwC Best Practices for Data Security and Data Breach Protocol Gabriel M.A. Stern, Fasken Martineau DuMoulin LLP Jason Green, PricewaterhouseCoopers


Best Practices for Data Security and Data Breach Protocol

Gabriel M.A. Stern, Fasken Martineau DuMoulin LLP

Jason Green, PricewaterhouseCoopers

Page 2:

Your presenters

Jason Green, Director, PricewaterhouseCoopers

• Director with PwC LLP, and National Lead for Breach and Incident Response; part of the broader Cyber Resilience practice.

• 25-year background encompassing information security, investigations and digital forensics.

• Has led and driven large multi-functional, end-to-end security teams to address tactical and strategic security and risk needs across multiple industries.

Gabriel M.A. Stern, Senior Associate, Fasken Martineau DuMoulin LLP

• Senior Associate with Fasken Martineau DuMoulin LLP, practicing in the area of Information Technology Law.

• Broad experience with information technology, privacy, consumer protection, health sector, and intellectual property-related matters.

• Has drafted/negotiated a wide range of agreements, including outsourcing agreements, software agreements, e-commerce and website terms and conditions, privacy agreements, and procurement documents (requests for proposals, master service agreements and related materials).

Page 3:

Overview

1. Current risks and challenges – the new reality

2. Current risks and challenges – adapting to the new reality

3. Data breaches – some facts

4. Strategies to reduce vulnerability

5. Crisis management & incident response

6. The role for lawyers – notification requirements

7. The role for lawyers – vendor/contract management

8. The role for lawyers – helping when breaches occur

The key message for lawyers = we have an important role to play in managing data breaches and data security, but to effectively advise on such issues, the business and IT elements of these issues must be understood and engaged.

Page 4:

1. Current Risks and Challenges – The new reality

Page 5:

Putting cyber security into perspective

• Cyber security represents many things to many different people

• Key characteristics and attributes of cyber security:

─ Broader than just information technology and not limited to just the enterprise

─ Increasing attack surface due to technology connectivity and convergence

─ An ‘outside-in view’ of the threats and potential impact facing an organization

─ Shared responsibility across the enterprise which requires cross-functional disciplines in order to plan, protect, defend and respond

─ Need to involve legal, IT, and business groups, all of which have a role to play in managing these risks

It is no longer just an IT challenge – it is a business imperative with important legal obligations and consequences.

Page 6:

The digital world has got bigger

The evolution:

• Technology-led innovation is transforming business models.

• Companies operate in a dynamic environment that is increasingly hyper-connected and interdependent.

• The ecosystem is built around a model of open collaboration and trust.

• Constant information flow is the lifeblood of the business ecosystem.

Leading to:

• Legal compliance regimes that must be identified and adhered to.

• Legal risk mitigation strategies that affect all parts of an enterprise.

• The benefits of the same technological advances are being exploited by an increasing number of global adversaries.

• Adversaries are actively targeting critical assets throughout the ecosystem.

• Data is distributed and dispersed, increasing the potential for loss and exposure.

• Changing business drivers and threats are creating opportunities and risks.

Page 7:

Organizations today face four main types of cyber adversaries…

Nation state
• Motives: military, economic or political advantage
• Targets: trade secrets; sensitive business information; emerging technologies; critical infrastructure
• Impact: loss of competitive advantage; disruption to critical infrastructure

Organized crime
• Motives: immediate financial gain; collect information for future financial gains
• Targets: financial / payment systems; Personally Identifiable Information; Payment Card Information; Protected Health Information
• Impact: costly regulatory inquiries and penalties; consumer and shareholder lawsuits; loss of consumer confidence

Insiders
• Motives: personal advantage, monetary gain; professional revenge; bribery or coercion
• Targets: critical infrastructure; operational technologies; highly visible venues
• Impact: destabilize, disrupt, and destroy physical and logical assets

Hacktivists
• Motives: influence political and/or social change; pressure business to change their practices
• Targets: corporate secrets; sensitive business information; information related to key executives, employees, customers & business partners
• Impact: disruption of business activities; brand and reputation; loss of consumer confidence

Adversary motives and tactics evolve as business strategies change and business activities are executed; ‘crown jewels’ must be identified and their protection prioritized, monitored and adjusted accordingly.

Page 8:

…Including “accidental insiders”

Insiders
• Motives: personal advantage, monetary gain; professional revenge; bribery or coercion
• Targets: critical infrastructure; operational technologies; highly visible venues
• Impact: destabilize, disrupt, and destroy physical and logical assets

Accidental insiders
• Motives: none – these are data breaches where no malice is involved (e.g. uploading confidential company documents to file sharing sites due to Limewire settings)
• Targets: all systems
• Impact: costly regulatory inquiries and penalties; consumer and shareholder lawsuits; loss of consumer confidence; disruption of business activities; brand and reputation; destabilize, disrupt, and destroy physical and logical assets

Accidental insiders do not realize the risk they can cause in a business. The damage they can cause can be as significant as any targeted attack.

Page 9:

Considerations for businesses adapting to the new reality (historical perspective vs. today’s leading insight)

Scope of the challenge
• Historical: limited to your “four walls” and the extended enterprise
• Today: spans your interconnected global and hyper-connected business ecosystem and complex supply chain

Governance
• Historical: IT led and operated
• Today: CEO and Board accountable; business-aligned and owned; cross-functional governance; legal properly engaged when appropriate

Threat actor characteristics
• Historical: one-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
• Today: organized, funded and targeted; motivated by economic, monetary and political gain

Threat focus
• Historical: primarily external
• Today: external and internal

Security risk equation
• Historical: static or less dynamic
• Today: extremely dynamic and broad

Protection strategy
• Historical: one-size-fits-all approach
• Today: prioritize and protect your key assets based on threat modelling and intelligence

Defense posture
• Historical: protect the perimeter; respond if attacked
• Today: layered defense; contextual threat intelligence; real-time detection; rapidly respond when attacked

Control model
• Historical: primarily focused on prevention
• Today: predict, prevent, detect, respond, correct, and recover

Threat intelligence & information sharing
• Historical: keep to yourself
• Today: share internally (fraud, corporate security, ops risk) and externally (government, industry peers) … and sometimes you have no choice but to share

Risk management approach
• Historical: primarily focused on minimizing likelihood
• Today: accepts that breaches will occur often; focused on minimizing business impact; lawyers can assist with this by, for example, properly managing vendor relationships

Page 10:

2. Current Risks and Challenges – Adapting to the new reality

Page 11:

Keeping pace with the new reality

[Diagram – labels: Board, Audit Committee, and Executive Leadership; Security Strategy and Roadmap; Security Program, Resources and Capabilities (Functions and Services; Projects and Initiatives); Investment Activities; cross-cutting: Business Alignment and Enablement; Risk and Impact Evaluation; Resource Prioritization]

Engage and commit with the business
• Leadership, ownership, awareness and accountability for addressing the security risks that threaten the business
• Alignment and enablement of business objectives
• Engage your legal department before a problem happens (e.g. when contracting) as well as after (e.g. understanding breach notification obligations)

Transform and execute the security program
• New and enhanced capabilities are needed to meet the ever-changing security challenges
• A comprehensive program must be built on a strong foundation and include proactive coordination and collaboration with the business
• The security implications related to the convergence of Information Technology, Operational Technology and Company Products and Services are addressed

Rationalize and prioritize investments
• Critical assets are constantly evaluated given they are fundamental to the brand, business growth and competitive advantage
• Threats and impact to the business are considered as investment activities are contemplated

Operating in the global business ecosystem requires organizations to think differently about their security investments.

Page 12:

Cyber security isn’t just about technology

• Not all breaches are intentional

• Vendor management and contract protection

Page 13:

Why organizations have not kept pace

Years of underinvestment in certain areas has left many organizations unable to adequately adapt and respond to dynamic security risks.

[Diagram – framework layers: Board, Audit Committee, and Executive Leadership Engagement; Security Strategy and Roadmap; Business Alignment and Enablement; Risk and Impact Evaluation; Resource Prioritization; Security Program, Functions, Resources and Capabilities; Process and Technology Fundamentals. Capability areas shown: Product & Service Security; Physical Security; Operational Technology Security; Public/Private Information Sharing; Threat Modeling & Scenario Planning; Technology Adoption and Enablement; Ecosystem & Supply Chain Security; Global Security Operations; Breach Investigation and Response; Notification and Disclosure; Privileged Access Management; Security Technology Rationalization; Patch & Configuration Management; Insider Threat; User Administration; Technology Debt Management; Secure Mobile and Cloud Computing; Threat Intelligence; Incident and Crisis Management; Compliance Remediation; Security Culture and Mindset; Monitoring and Detection; Critical Asset Identification and Protection]

Page 14:

3. Data Breaches – Some Facts

Page 15:

Attacks on the rise

Page 16:

Attack Sources

Page 17:

Attack Sources (cont’d)

Page 18:

Impacts – Cost per Incident

Page 19:

Impacts – Downtime

Page 20:

4. Strategies to Reduce Vulnerability

Page 21:

Key focus points

• Keep the organization ahead of threats likely to target critical assets

• Align and prioritize security initiatives to enable strategic objectives

• Obtain buy-in from key stakeholders on the security program direction

• Compare security capabilities against industry peers

• Understand the maturity of the security program

• Identify strengths, weaknesses, opportunities and threats

• Establish a multi-year plan for enhancing security

• Vendor relationship management

• Contract terms and conditions (governance, audit rights, insurance, etc.)

• Understand the levels of potential liability that may arise for each of your systems


Page 22:

Align cyber security programs to business strategy and emerging threat landscape

Phases and key activities:

Strategic Driver Analysis
· Identify Consumers/Stakeholders (Internal & External)
· Understand Existing Business Strategy
· Conduct Voice of the Stakeholder (VoS)
· Evaluate External Business Ecosystem Pressures and Threats
· Define Mission, Vision, Drivers, Guiding Principles for the Security Program

Target Operating Model Design
· Define Solutions & Services
· Map Consumers (Internal & External) with Solutions & Services
· Define Sourcing & Delivery Models
· Map Solutions & Services to Capabilities
· Define Solution & Service Offering Ownership
· Document Solutions & Services Interdependencies
· Document Security Organization Structure
· Define Performance Metrics

Gap Analysis & Benchmarking
· Perform Current State Capability Assessment
· Perform Gap Analysis
· Define Case for Change
· Perform Peer-Comparison/Benchmarking

Roadmap Development
· Define Security Projects/Initiatives
· Prioritize Projects/Initiatives & Map Inter-dependencies
· Define High Level Cost Estimates
· Define High Level Resourcing Requirements
· Define Change Management & Communications Plan

Page 23:

Security functional domains

[Diagram – “Strategy through Execution”. Strategy, Governance & Management: Security Strategy; Security Governance and Compliance; Sustainable Security Behaviours; Risk & Compliance Management; Emerging Trends & Innovation. Technology: Cyber Threat Assessment; Cyber Crisis Response; Security Architecture & Services; Threat, Intelligence & Vulnerability Management; Identity & Access Management; Incident & Crisis Management; Information & Privacy Protection]

• Address threats and weaknesses: anticipate changes in the risk landscape through situational awareness of the internal and external factors impacting the business ecosystem.

• Anticipate and respond to security crises: plan, detect, investigate, and react timely and thoroughly to security incidents, breaches and compromises.

• Manage risk and regulations: efficiently and effectively identify, evaluate and manage risk to the business while addressing the evolving regulatory requirements.

• Enable secure access: provide integrated and secure processes, services, and infrastructure to enable appropriate controls over access to critical systems and assets.

• Safeguard critical assets: identify, prioritize, and protect sensitive or high value business assets.

• Adapt to the future: assess the opportunities and security related risks of new technology adoption and dynamically changing business models.

• Align with the business: prioritize investments, allocate resources, and align security capabilities with the strategic imperatives and initiatives of the organization.

• Secure by design: create sustainable security solutions to provide foundational capabilities and operational discipline.

Page 24:

5. Crisis Management & Incident Response

Page 25:

Cyber Crisis and Business Continuity Integration

[Diagram – Integrated Business Continuity Program. Enterprise Risk Management (ERM): risk assessment; risk response; risk monitoring; RM optimization. Business Continuity Management (BCM): Crisis Management (CM) – emergency response, communication & coordination, command & control; Disaster Recovery Program (DRP) – technical infrastructure, applications, data recovery; Business Continuity Program (BCP) – people, location & resources, recovery procedures. Lifecycle stages shown: Event; Risk Management; Issues Assessment; Restoration Activities; Return to Normal Operations; Operational Improvement; Continuity Plan & Resiliency Improvement]

Effective Data Breach Response preparation activities augment existing Business Continuity program activities in each stage of the BCM lifecycle.

Page 26:

Incident Response

Companies must comply with existing and emerging regulations, identify and secure sensitive information that is constantly in motion, investigate breaches and data theft, manage the insider threat, and reduce the gamut of cyber security risks.

As such, organizations must be prepared to:

(1) Forensically investigate cyber intrusions, data theft, and insider malfeasance in order to manage legal, regulatory, reputational, and other risks and comply with requirements;

(2) Assess business and customer impact and mitigate risk; and

(3) Rebound stronger through long-term remediation planning, strategic information security program development, and executive support.

Extend the approach beyond immediate technical remediation to business impact analysis, regulatory and customer notification support, strategic remediation planning, security program roadmaps, and litigation defense.

Page 27:

6. The Role for Lawyers – Notification requirements

Page 28:

Breach Notification Generally

• Privacy law primer:

• For private sector organizations generally, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use and disclosure of personal information.

• Certain provinces have privacy legislation that has been deemed substantially similar to PIPEDA.

• One of those provinces, Alberta, has in force rules regarding the notification that is required in the event of privacy breaches.

• Breach notification requirements have also been proposed for PIPEDA - different versions have been proposed over time.

• If such PIPEDA requirements were to ever be adopted, breach notification obligations would apply across the majority of the country.

Page 29:

Alberta’s PIPA Breach Notification Requirement

• Alberta’s Personal Information Protection Act (PIPA) includes both a reporting and a notification regime in respect of security breaches.

• Under this regime, certain privacy breaches must be reported to the Alberta Information and Privacy Commissioner, and under very similar circumstances, affected individuals must be notified of such breaches.

Page 30:

Alberta’s PIPA Breach Notification Requirement (cont’d)

• Threshold for reporting a breach: whether, objectively, “a reasonable person would consider that there is a real risk of significant harm to an individual.”

• Threshold for notifying affected individuals: where “there is a real risk of significant harm.”

• What is “significant harm”?

  • (i) A “significant harm” is a “material harm” having “non-trivial consequences or effects” (examples may include “possible” “financial loss, identity theft, physical harm, humiliation to one’s professional or personal reputation”); and

  • (ii) A “real risk” is one where there is a “reasonable degree of likelihood that the harm could result.”

Page 31:

Other Breach Notification Issues

• Even absent any statutory breach notification obligations, might the business nonetheless want to report/notify?

  • E.g. for goodwill purposes.

• Practical challenges can exist in determining whether breaches have even occurred.

  • E.g. an unsecured beta version of an e-commerce site: unclear whether any actual privacy breach took place, and difficult to tell even through forensics.
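Whether an exposed beta site was actually reached by anyone is, in practice, a log-triage question. The following is an added example written for this page, not material from the presentation or from PwC/Fasken: it walks web-server access logs in the common “combined” format and separates successful fetches of pages that carried personal information into tester traffic, search-engine crawler traffic and unknown external traffic, restricted to the window before the site was locked down. The log lines, the tester address range 203.0.113.0/24, the lock-down time, the /account/ and /orders/ path prefixes and the crawler user-agent markers are all constructed assumptions.

```python
"""Added example (not from the presentation): triage web-server access logs to
see whether an unauthenticated beta site was reached by anyone other than the
intended testers before it was locked down.

Hypothetical assumptions: Apache/nginx "combined" log format; the tester
network and the lock-down time are known; pages under /account/ and /orders/
carried personal information.
"""
import ipaddress
import re
from datetime import datetime, timezone

# One "combined"-format line: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TESTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]        # assumed QA/office range
PII_PREFIXES = ("/account/", "/orders/")                       # assumed PII-bearing paths
KNOWN_CRAWLER_UA = ("Googlebot", "bingbot")                     # assumed crawler markers
LOCKED_DOWN_AT = datetime(2015, 11, 20, 9, 0, tzinfo=timezone.utc)  # assumed fix time

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Nov/2015:10:02:11 +0000] "GET /account/1001 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (QA)"
198.51.100.23 - - [18/Nov/2015:22:41:03 +0000] "GET /orders/7781 HTTP/1.1" 200 3880 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Nov/2015:22:41:09 +0000] "GET /orders/7782 HTTP/1.1" 404 212 "-" "Mozilla/5.0"
192.0.2.200 - - [19/Nov/2015:03:15:40 +0000] "GET /account/1002 HTTP/1.1" 200 5001 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
192.0.2.55 - - [19/Nov/2015:07:00:00 +0000] "GET /static/app.js HTTP/1.1" 200 91022 "-" "Mozilla/5.0"
192.0.2.55 - - [21/Nov/2015:07:00:00 +0000] "GET /account/1003 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
corrupted line that does not parse
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_tester(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TESTER_NETS)


def triage(lines, locked_down_at=LOCKED_DOWN_AT):
    """Classify successful pre-lock-down fetches of PII paths by who made them.

    Also records the earliest/latest timestamp seen, so the reader can tell
    whether the log covers the whole exposure window at all."""
    result = {"external_pii_hits": [], "crawler_pii_hits": 0, "tester_pii_hits": 0,
              "unparsed": 0, "first_ts": None, "last_ts": None}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec is None:
            result["unparsed"] += 1   # never drop silently: broken lines are a coverage gap
            continue
        ts = rec["ts"]
        if result["first_ts"] is None or ts < result["first_ts"]:
            result["first_ts"] = ts
        if result["last_ts"] is None or ts > result["last_ts"]:
            result["last_ts"] = ts
        # Only a 200 for a PII path before lock-down counts as a possible disclosure.
        if ts >= locked_down_at or rec["status"] != 200:
            continue
        if not rec["path"].startswith(PII_PREFIXES):
            continue
        if is_tester(rec["ip"]):
            result["tester_pii_hits"] += 1
        elif any(tag in rec["ua"] for tag in KNOWN_CRAWLER_UA):
            result["crawler_pii_hits"] += 1   # a cached copy may now exist outside your control
        else:
            result["external_pii_hits"].append((rec["ip"], rec["path"], ts.isoformat()))
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    print("log coverage:", summary["first_ts"], "to", summary["last_ts"])
    print("unparsed lines:", summary["unparsed"])
    print("tester PII fetches:", summary["tester_pii_hits"])
    print("crawler PII fetches:", summary["crawler_pii_hits"])
    for ip, path, when in summary["external_pii_hits"]:
        print("external PII fetch:", ip, path, when)
```

The first/last timestamps matter as much as the hit list: if the log does not cover the whole exposure window, or the server logged only errors, an empty external list proves nothing, which is the forensic difficulty the slide points to. A crawler fetch is reported separately because a cached copy may persist outside the organization’s control after lock-down.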

Page 32:

7. The Role for Lawyers – Vendor/contract management

Page 33:

Vendor/contract management – overview

• In contracting with vendors, lawyers have the opportunity to build a toolset to help their clients manage data breach/security issues.

• The scope of relevant vendors can be quite wide – not just IT vendors.

  • HVAC vendors may be given overly broad system access rights, which could pose a threat.

• Encourage clients to ask the right questions:

  • What systems will the service impact?

  • Where will my data be?

Page 34:

Vendor/contract management – overview (cont’d)

• Educating vendors is often one of the key roles customers play.

  • E.g. US vendors not being familiar with Canadian privacy law obligations.

• Let the data/system guide your drafting: the nature, sensitivity, etc. of the data/system should influence the type of agreement you draft.

  • Doing so will provide your client with an appropriate toolset.

Page 35:

Vendor/contract management – some key terms

• Unlimited liability for when breaches occur.

  • E.g. exclusion from liability caps/disclaimer of indirect damages.

• Parental guarantee?

  • Such breaches can be costly – will you be able to collect damages from the actual contracting counterparty?

• Insurance.

• Restricting location of data.

  • Alternatively, disclosure regarding location of data.

Page 36:

Vendor/contract management – some key terms (cont’d)

• Express privacy compliance (where applicable to the data).

• Audit rights.

• Specific security requirements.

  • Often involves a back and forth between the customer’s standard policies and the vendor’s standard service offering.

• Expect standard DR/business continuity planning (outside of any DR service being provided).

  • E.g. the vendor cannot rely on force majeure unless it has DR/business continuity plans in place.

Page 37:

8. The Role for Lawyers – Helping when breaches occur

Page 38:

Help! There’s been a breach! What do I do?

• What do lawyers need to think about when they get that call from their IT department?

• Understand what data was lost – e.g. if personal information was breached, the aforementioned breach notification issues must be considered.

• Retention issues – e.g. when to freeze all data.

• Discuss with litigators as appropriate.

• Is there an “adversary” against whom action should/can be taken?
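For the “when to freeze all data” point, the following added example (written for this page; not the presentation’s or PwC’s own tooling) shows one way to make a freeze verifiable: record a SHA-256 hash and size for every file in the preserved tree at the moment of the hold, hash the manifest itself, and later re-check the tree for modified, missing or added files. The directory layout, file contents and custodian name in demo() are constructed; where the manifest itself would be kept (write-once storage, a copy with counsel) is assumed and outside the code.

```python
"""Added example (not from the presentation): a tamper-evident preservation
manifest for data frozen under an investigation or legal hold.

Hypothetical assumptions: the hold covers one directory tree; the manifest is
stored separately from the tree so it can be used to verify it later.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read files in 1 MiB pieces so large exports do not load into memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, custodian, note=""):
    """Walk the tree in a deterministic order and record size, mtime and hash per file."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # in-place sort makes os.walk traverse subdirectories in a fixed order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            entries[rel] = {"size": st.st_size, "mtime": int(st.st_mtime),
                            "sha256": sha256_file(full)}
    body = {"root": os.path.abspath(root),
            "created": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian, "note": note, "files": entries}
    # Hash the canonical JSON of the file table so the manifest is itself checkable.
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    body["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return body


def verify_manifest(root, manifest):
    """Return a sorted list of (relative path, problem) with problem in
    {'modified', 'missing', 'added'}. Content hashes are compared; recorded
    mtimes are kept for the record only, since legitimate copying changes them."""
    current = build_manifest(root, manifest["custodian"])["files"]
    problems = []
    for rel, meta in manifest["files"].items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif current[rel]["sha256"] != meta["sha256"]:
            problems.append((rel, "modified"))
    for rel in current:
        if rel not in manifest["files"]:
            problems.append((rel, "added"))
    return sorted(problems)


def demo():
    """Constructed scenario: freeze three files, then one is edited and another
    appears after the hold. Returns the verification findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "exports"))
        with open(os.path.join(root, "exports", "customers.csv"), "w") as f:
            f.write("id,email\n1,a@example.com\n")
        with open(os.path.join(root, "app.log"), "w") as f:
            f.write("2015-11-18 22:41:03 GET /orders/7781 200\n")
        with open(os.path.join(root, "README"), "w") as f:
            f.write("beta site export\n")
        manifest = build_manifest(root, custodian="incident-lead", note="legal hold")
        assert verify_manifest(root, manifest) == []  # untouched tree: nothing to report
        with open(os.path.join(root, "app.log"), "a") as f:
            f.write("2015-11-22 00:00:00 GET / 200\n")   # post-hold modification
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("added after freeze\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for rel, problem in demo():
        print(problem, rel)
```

Hashing is over content only; the recorded mtime is kept for the record but not compared, because copying evidence legitimately changes timestamps. Running demo() reports the post-hold edit to app.log and the added notes.txt.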

Page 39:

Help! There’s been a breach! What do I do? (cont’d)

• Figure out what contractual tools with vendors may be helpful.

• Exercise audit rights?

• Consider whether damages should be sought.

Page 40:

Thank you