TRANSCRIPT
PwC
Best Practices for Data Security and Data Breach Protocol
Gabriel M.A. Stern, Fasken Martineau DuMoulin LLP
Jason Green, PricewaterhouseCoopers
Your presenters

Jason Green, Director, PricewaterhouseCoopers
• Director with PwC LLP, and National Lead for Breach and Incident Response; part of the broader Cyber Resilience practice
• 25-year background encompassing information security, investigations and digital forensics
• Has led and driven large multi-functional, end-to-end security teams to address tactical and strategic security and risk needs across multiple industries

Gabriel M.A. Stern, Senior Associate, Fasken Martineau DuMoulin LLP
• Senior Associate with Fasken Martineau DuMoulin LLP, practicing in the area of Information Technology Law
• Broad experience with information technology, privacy, consumer protection, health sector, and intellectual property-related matters
• Has drafted/negotiated a wide range of agreements, including outsourcing agreements, software agreements, e-commerce and website terms and conditions, privacy agreements, and procurement documents (requests for proposals, master service agreements and related materials)
Overview
1. Current risks and challenges – the new reality
2. Current risks and challenges – adapting to the new reality
3. Data breaches – some facts
4. Strategies to reduce vulnerability
5. Crisis management & incident response
6. The role for lawyers – notification requirements
7. The role for lawyers – vendor/contract management
8. The role for lawyers – helping when breaches occur
The key message for lawyers = we have an important role to play in managing data breaches and data security, but to effectively advise on such issues, the business and IT elements of these issues must be understood and engaged.
1. Current Risks and Challenges – The new reality
Putting cyber security into perspective
• Cyber security represents many things to many different people
• Key characteristics and attributes of cyber security:
  – Broader than just information technology and not limited to just the enterprise
  – Increasing attack surface due to technology connectivity and convergence
  – An ‘outside-in view’ of the threats and potential impact facing an organization
  – Shared responsibility across the enterprise which requires cross-functional disciplines in order to plan, protect, defend and respond
  – Need to involve legal, IT, and business groups, all of which have a role to play in managing these risks

It is no longer just an IT challenge – it is a business imperative with important legal obligations and consequences.
The digital world has got bigger

The evolution:
• Technology-led innovation is transforming the business models.
• Companies operate in a dynamic environment that is increasingly hyper-connected and interdependent.
• The ecosystem is built around a model of open collaboration and trust.
• Constant information flow is the lifeblood of the business ecosystem.

Leading to:
• Legal compliance regimes that must be identified and adhered to
• Legal risk mitigation strategies that affect all parts of an enterprise
• Benefits of the same technological advances are being exploited by an increasing number of global adversaries.
• Adversaries are actively targeting critical assets throughout the ecosystem.
• Data is distributed and dispersed, increasing the potential for loss and exposure.
• Changing business drivers and threats are creating opportunities and risks.
Organizations today face four main types of cyber adversaries…

Nation state
• Motives: military, economic or political advantage
• Targets: trade secrets; sensitive business information; emerging technologies; critical infrastructure
• Impact: loss of competitive advantage; disruption to critical infrastructure

Organized crime
• Motives: immediate financial gain; collect information for future financial gains
• Targets: financial / payment systems; Personally Identifiable Information; Payment Card Information; Protected Health Information
• Impact: costly regulatory inquiries and penalties; consumer and shareholder lawsuits; loss of consumer confidence

Insiders
• Motives: personal advantage, monetary gain; professional revenge; bribery or coercion
• Targets: critical infrastructure; operational technologies; highly visible venues
• Impact: destabilize, disrupt, and destroy physical and logical assets

Hacktivists
• Motives: influence political and/or social change; pressure business to change their practices
• Targets: corporate secrets; sensitive business information; information related to key executives, employees, customers & business partners
• Impact: disruption of business activities; brand and reputation; loss of consumer confidence

Adversary motives and tactics evolve as business strategies change and business activities are executed; ‘crown jewels’ must be identified and their protection prioritized, monitored and adjusted accordingly.
…Including “accidental insiders”

Insiders
• Motives: personal advantage, monetary gain; professional revenge; bribery or coercion
• Targets: critical infrastructure; operational technologies; highly visible venues
• Impact: destabilize, disrupt, and destroy physical and logical assets

Accidental insiders
• Motives: none – these are data breaches where no malice is involved (e.g. uploading confidential company documents to file sharing sites due to Limewire settings)
• Targets: all systems
• Impact: costly regulatory inquiries and penalties; consumer and shareholder lawsuits; loss of consumer confidence; disruption of business activities; brand and reputation; destabilize, disrupt, and destroy physical and logical assets

Accidental insiders do not realize the risk they can cause in a business. The damage they can cause can be as significant as any targeted attack.
Considerations for businesses adapting to the new reality

Historical perspective vs. today’s leading insight:
• Scope of the challenge – Historical: limited to your “four walls” and the extended enterprise. Today: spans your interconnected global and hyper-connected business ecosystem and complex supply chain.
• Governance – Historical: IT led and operated. Today: CEO and Board accountable; business-aligned and owned; cross-functional governance; legal properly engaged when appropriate.
• Threat actor characteristics – Historical: one-off and opportunistic; motivated by notoriety, technical challenge, and individual gain. Today: organized, funded and targeted; motivated by economic, monetary and political gain.
• Threat focus – Historical: primarily external. Today: external and internal.
• Security risk equation – Historical: static or less dynamic. Today: extremely dynamic and broad.
• Protection strategy – Historical: one-size-fits-all approach. Today: prioritize and protect your key assets based on threat modelling and intelligence.
• Defense posture – Historical: protect the perimeter; respond if attacked. Today: layered defense; contextual threat intelligence; real-time detection; rapidly respond when attacked.
• Control model – Historical: primarily focused on prevention. Today: predict, prevent, detect, respond, correct, and recover.
• Threat intelligence & information sharing – Historical: keep to yourself. Today: share internally (fraud, corporate security, ops risk) and externally (government, industry peers) … and sometimes you have no choice but to share.
• Risk management approach – Historical: primarily focused on minimizing likelihood. Today: accepts that breaches will occur often; focused on minimizing business impact. Lawyers can assist with this by, for example, properly managing vendor relationships.
2. Current Risks and Challenges – Adapting to the new reality
Keeping pace with the new reality

[Diagram labels: Board, Audit Committee, and Executive Leadership; Business Alignment and Enablement; Security Strategy and Roadmap; Security Program, Resources and Capabilities (Functions and Services; Projects and Initiatives; Investment Activities); Risk and Impact Evaluation; Resource Prioritization]

Engage and commit with the business
• Leadership, ownership, awareness and accountability for addressing the security risks that threaten the business
• Alignment and enablement of business objectives
• Engage your legal department before a problem happens (e.g. when contracting) as well as after (e.g. understanding breach notification obligations)

Transform and execute the security program
• New and enhanced capabilities are needed to meet the ever-changing security challenges
• A comprehensive program must be built on a strong foundation and include proactive coordination and collaboration with the business
• The security implications related to the convergence of Information Technology, Operational Technology and Company Products and Services are addressed

Rationalize and prioritize investments
• Critical assets are constantly evaluated given they are fundamental to the brand, business growth and competitive advantage
• Threats and impact to the business are considered as investment activities are contemplated

Operating in the global business ecosystem requires organizations to think differently about their security investments.
Cyber security isn’t just about technology
Confidential & Proprietary
• Not all breaches are intentional
• Vendor management and contract protection
Why organizations have not kept pace

Years of underinvestment in certain areas has left many organizations unable to adequately adapt and respond to dynamic security risks.

[Diagram labels: Security Strategy and Roadmap; Board, Audit Committee, and Executive Leadership Engagement; Business Alignment and Enablement; Security Program, Functions, Resources and Capabilities; Risk and Impact Evaluation; Resource Prioritization. Areas shown: Product & Service Security; Physical Security; Operational Technology Security; Public/Private Information Sharing; Threat Modeling & Scenario Planning; Technology Adoption and Enablement; Ecosystem & Supply Chain Security; Global Security Operations; Breach Investigation and Response; Notification and Disclosure; Privileged Access Management; Security Technology Rationalization; Patch & Configuration Management; Insider Threat; User Administration; Technology Debt Management; Secure Mobile and Cloud Computing; Process and Technology Fundamentals; Threat Intelligence; Incident and Crisis Management; Compliance Remediation; Security Culture and Mindset; Monitoring and Detection; Critical Asset Identification and Protection]
3. Data Breaches – Some Facts

Attacks on the rise (chart)
Attack sources (charts)
Impacts – cost per incident (chart)
Impacts – downtime (chart)
4. Strategies to Reduce Vulnerability
Key focus points
• Keep the organization ahead of threats likely to target critical assets
• Align and prioritize security initiatives to enable strategic objectives
• Obtain buy-in from key stakeholders on the security program direction
• Compare security capabilities against industry peers
• Understand the maturity of the security program
• Identify strengths, weaknesses, opportunities and threats
• Establish a multi-year plan for enhancing security
• Vendor relationship management
• Contract terms and conditions (governance, audit rights, insurance, etc.)
• Understand the levels of potential liability that may arise for each of your systems
Align cyber security programs to business strategy and emerging threat landscape

Phases and key activities:

1. Strategic Driver Analysis
· Identify Consumers/Stakeholders (Internal & External)
· Understand Existing Business Strategy
· Conduct Voice of the Stakeholder (VoS)
· Evaluate External Business Ecosystem Pressures and Threats
· Define Mission, Vision, Drivers, Guiding Principles for the Security Program

2. Target Operating Model Design
· Define Solutions & Services
· Map Consumers (Internal & External) with Solutions & Services
· Define Sourcing & Delivery Models
· Map Solutions & Services to Capabilities
· Define Solution & Service Offering Ownership
· Document Solutions & Services Interdependencies
· Document Security Organization Structure
· Define Performance Metrics

3. Gap Analysis & Benchmarking
· Perform Current State Capability Assessment
· Perform Gap Analysis
· Define Case for Change
· Perform Peer-Comparison/Benchmarking

4. Roadmap Development
· Define Security Projects/Initiatives
· Prioritize Projects/Initiatives & Map Inter-dependencies
· Define High Level Cost Estimates
· Define High Level Resourcing Requirements
· Define Change Management & Communications Plan
Security functional domains

[Diagram labels: Strategy, Governance & Management – Strategy through Execution. Domains: Security Strategy; Sustainable Security Behaviours; Security Governance and Compliance; Cyber Threat Assessment; Technology; Cyber Crisis Response; Security Architecture & Services; Threat Intelligence & Vulnerability Management; Identity & Access Management; Incident & Crisis Management; Information & Privacy Protection; Risk & Compliance Management; Emerging Trends & Innovation]

• Address threats and weaknesses – Anticipate changes in the risk landscape through situational awareness of the internal and external factors impacting the business ecosystem.
• Anticipate and respond to security crises – Plan, detect, investigate, and react in a timely and thorough manner to security incidents, breaches and compromises.
• Manage risk and regulations – Efficiently and effectively identify, evaluate and manage risk to the business while addressing the evolving regulatory requirements.
• Enable secure access – Provide integrated and secure processes, services, and infrastructure to enable appropriate controls over access to critical systems and assets.
• Safeguard critical assets – Identify, prioritize, and protect sensitive or high-value business assets.
• Adapt to the future – Assess the opportunities and security-related risks of new technology adoption and dynamically changing business models.
• Align with the business – Prioritize investments, allocate resources, and align security capabilities with the strategic imperatives and initiatives of the organization.
• Secure by design – Create sustainable security solutions to provide foundational capabilities and operational discipline.
5. Crisis Management & Incident Response

Cyber Crisis and Business Continuity Integration

Integrated Business Continuity Program (diagram labels):
• Enterprise Risk Management (ERM): risk assessment; risk response; risk monitoring; RM optimization
• Business Continuity Management (BCM): crisis management; disaster recovery; business continuity
• Crisis Management (CM): emergency response; communication & coordination; command & control
• Disaster Recovery Program (DRP): technical infrastructure; applications; data recovery
• Business Continuity Program (BCP): people; location & resources; recovery procedures
• Lifecycle stages: Event; Risk Management; Issues Assessment; Restoration Activities; Return to Normal Operations; Continuity Plan & Resiliency Improvement; Operational Improvement

Effective Data Breach Response preparation activities augment existing Business Continuity program activities in each stage of the BCM lifecycle.
Incident Response

Companies must comply with existing and emerging regulations, identify and secure sensitive information that is constantly in motion, investigate breaches and data theft, manage the insider threat, and reduce the gamut of cyber security risks.

As such, organizations must be prepared to:
(1) Forensically investigate cyber intrusions, data theft, and insider malfeasance in order to manage legal, regulatory, reputational, and other risks and comply with requirements;
(2) Assess business and customer impact and mitigate risk; and
(3) Rebound stronger through long-term remediation planning, strategic information security program development, and executive support.

Extend the approach beyond immediate technical remediation to business impact analysis, regulatory and customer notification support, strategic remediation planning, security program roadmaps, and litigation defense.
6. The Role for Lawyers – Notification requirements
Breach Notification Generally
• Privacy law primer:
  • For private sector organizations generally, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use and disclosure of personal information.
  • Certain provinces have privacy legislation that has been deemed substantially similar to PIPEDA.
  • One of those provinces, Alberta, has in force rules regarding the notification that is required in the event of privacy breaches.
• Breach notification requirements have also been proposed for PIPEDA – different versions have been proposed over time.
  • If such PIPEDA requirements were to ever be adopted, breach notification obligations would apply across the majority of the country.
Alberta’s PIPA Breach Notification Requirement
• Alberta’s Personal Information Protection Act (PIPA) includes both a reporting and a notification regime in respect of security breaches.
• Under this regime, certain privacy breaches must be reported to the Alberta Information and Privacy Commissioner, and under very similar circumstances, affected individuals must be notified of such breaches.
Alberta’s PIPA Breach Notification Requirement (cont’d)
• Threshold for reporting a breach: whether, objectively, “a reasonable person would consider that there is a real risk of significant harm to an individual.”
• Threshold for notifying affected individuals: where “there is a real risk of significant harm.”
• What is “significant harm”?
  • (i) A “significant harm” is a “material harm” having “non-trivial consequences or effects” (examples may include “possible” “financial loss, identity theft, physical harm, humiliation to one’s professional or personal reputation”); and
  • (ii) A “real risk” is one where there is a “reasonable degree of likelihood that the harm could result.”
Other Breach Notification Issues
• Even absent any statutory breach notification obligations, might the business nonetheless want to report/notify?
  • E.g. for goodwill purposes.
• Practical challenges can exist in determining whether breaches have even occurred.
  • E.g. an unsecured beta version of an e-commerce site: it may be unclear whether any actual privacy breach took place, and difficult to tell even through forensics.
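The "was anyone actually in there?" question raised above is usually answered, to the extent it can be, from the web server's access logs. The Python below is an added example for this page, not material from the presentation or from either firm: it parses Apache/nginx combined-format lines, keeps only successful requests to paths assumed to return customer records under the beta site, discards requests from the company's own networks, and reports whether the logs even cover the exposure window. The log lines, the internal address ranges, the exposure window and the /beta/ paths are all constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed Apache/nginx "combined" access log lines for this example.
# Addresses, timestamps and paths are hypothetical, not from a real incident.
SAMPLE_LOG = """\
10.1.4.22 - - [03/Mar/2014:09:12:01 +0000] "GET /beta/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.1.4.22 - - [03/Mar/2014:09:12:09 +0000] "GET /beta/account/1042 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.17 - - [03/Mar/2014:13:40:55 +0000] "GET /beta/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.17 - - [03/Mar/2014:13:41:02 +0000] "GET /beta/account/1042 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.17 - - [03/Mar/2014:13:41:10 +0000] "GET /beta/account/1043 HTTP/1.1" 200 2198 "-" "Mozilla/5.0"
198.51.100.5 - - [03/Mar/2014:15:02:33 +0000] "GET /beta/account/1044 HTTP/1.1" 404 312 "-" "curl/7.30.0"
198.51.100.9 - - [04/Mar/2014:02:11:47 +0000] "GET /beta/orders?customer=1042 HTTP/1.1" 200 1870 "-" "python-requests/2.2.1"
192.0.2.44 - - [04/Mar/2014:10:00:00 +0000] "GET /beta/account/1042 HTTP/1.1" 403 210 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Mar/2014:10:00:05 +0000] "GET / HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Assumptions for the example: when the beta site was reachable without
# authentication, which networks are the company's own, and which paths
# return customer data.
WINDOW_START = datetime(2014, 3, 3, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2014, 3, 4, 9, 30, tzinfo=timezone.utc)  # access control restored
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SENSITIVE_PREFIXES = ("/beta/account", "/beta/orders")

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": ipaddress.ip_address(m.group("ip")),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def is_internal(ip, nets):
    return any(ip in net for net in nets)


def analyse(log_text, window_start, window_end, internal_nets, sensitive_prefixes):
    """Summarise external, successful access to sensitive beta paths inside the window."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    parsed = [parse_line(l) for l in lines]
    entries = [e for e in parsed if e is not None]
    hits = []
    for e in entries:
        in_window = window_start <= e["ts"] <= window_end
        served_data = 200 <= e["status"] < 300  # a 403/404 returned no record
        sensitive = e["path"].startswith(sensitive_prefixes)
        if in_window and served_data and sensitive and not is_internal(e["ip"], internal_nets):
            hits.append((str(e["ip"]), e["ts"].isoformat(), e["path"], e["ua"]))
    # Logs can only exonerate a period they actually cover: if the earliest entry
    # is later than the window opened (rotation, retention, logging switched on
    # late), absence of hits is not evidence that nobody got in.
    timestamps = [e["ts"] for e in entries]
    covers_window = bool(timestamps) and min(timestamps) <= window_start and max(timestamps) >= window_end
    return {
        "external_hits": hits,
        "external_ips": sorted({h[0] for h in hits}),
        "paths": sorted({h[2] for h in hits}),
        "covers_window": covers_window,
        "unparsed": len(parsed) - len(entries),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, WINDOW_START, WINDOW_END, INTERNAL_NETS, SENSITIVE_PREFIXES)
    for hit in result["external_hits"]:
        print("external access:", *hit)
    print("distinct external IPs:", result["external_ips"])
    print("sensitive paths served:", result["paths"])
    print("log covers whole exposure window:", result["covers_window"])
    print("unparseable lines:", result["unparsed"])
```

On the constructed sample the script finds three successful external requests for customer records from two addresses, which is the kind of fact the notification threshold turns on; it also reports that the log starts after the exposure window opened, so the first twelve minutes cannot be cleared from this evidence alone. Bulk-size anomalies (an unusually large response for a list endpoint), a missing log source, or a load balancer that rewrites the client address are the usual reasons the answer stays "unclear".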
7. The Role for Lawyers – Vendor/contract management
Vendor/contract management – overview
• In contracting with vendors, lawyers have the opportunity to build a toolset to help their clients manage data breach/security issues.
• The scope of relevant vendors can be quite wide – not just IT vendors.
  • HVAC vendors may be given overly broad system access rights, which could pose a threat.
• Encourage clients to ask the right questions:
  • What systems will the service impact?
  • Where will my data be?
Vendor/contract management – overview (cont’d)
• Educating vendors is often one of the key roles customers play.
  • E.g. US vendors not being familiar with Canadian privacy law obligations.
• Let the data/system guide your drafting: the nature, sensitivity, etc. of the data/system should influence the type of agreement you draft.
  • Doing so will provide your client with an appropriate toolset.
Vendor/contract management – some key terms
• Unlimited liability for when breaches occur.
  • E.g. exclusion from liability caps/disclaimer of indirect damages.
• Parental guarantee?
  • Such breaches can be costly – will you be able to collect damages from the actual contracting counterparty?
• Insurance.
• Restricting location of data.
  • Alternatively, disclosure regarding location of data.
Vendor/contract management – some key terms (cont’d)
• Express privacy compliance (where applicable to the data).
• Audit rights.
• Specific security requirements.
  • Often involves a back and forth between the customer’s standard policies and the vendor’s standard service offering.
• Expect standard DR/business continuity planning (outside of any DR service being provided).
  • E.g. vendor cannot rely on force majeure unless they have DR/business continuity plans in place.
8. The Role for Lawyers – Helping when breaches occur
Help! There’s been a breach! What do I do?
• What do lawyers need to think about when they get that call from their IT department?
  • Understand what data was lost – e.g. if personal information was breached, the aforementioned breach notification issues must be considered.
  • Retention issues – e.g. when to freeze all data.
  • Discuss with litigators as appropriate.
  • Is there an “adversary” against whom action should/can be taken?
Help! There’s been a breach! What do I do? (cont’d)
  • Figure out what contractual tools with vendors may be helpful.
  • Exercise audit rights?
  • Consider whether damages should be sought.

Thank you