
Privacy Risks of Emerging Technologies

Ben Holt
January 22, 2016

Enterprise Risk Management Symposium, Salt Lake City, Panel Presentation with Jason Sabin of DigiCert, Doron Rotman of KPMG and Ben Holt of Stoel Rives

Transcript

  1. © 2015 Marsh USA Inc. – Agenda
     1 Why Privacy Matters
     2 What Information is Sensitive?
     3 Role of Compliance in Privacy
     4 Key Privacy and Legal Considerations
     5 Summary
  2. The Numbers are Staggering and Reveal an Escalating Problem
     There is greater focus… …but still poor results.
     ▪ 55% of audit committees think more agenda time should be devoted to cybersecurity
     ▪ 88% of boards say that their strategic risk register includes a cybersecurity risk category
     Top concerns for audit committees:
       1. Governance, processes, controls and risk
       2. Management
       3. IT risk and emerging technologies
       4. Uncertainty
       5. Information privacy/security/cyber
     Figures shown on the slide:
     ▪ 29,087 – average number of exposed or compromised records in a US data breach
     ▪ $6.53 million – average cost of an organizational data breach
     ▪ $40 billion – reported losses by US companies from unauthorized use of computers by employees in 2014
     Sources cited on the slide: "Is Governance Keeping Pace?" (KPMG); 2015 Data Breach Industry Forecast (Experian); 2015 Cost of a Data Breach Study: Global Analysis (IBM – Ponemon Institute); U.S. Dept. of Health and Human Services; FTSE 350 Cyber Governance Health Check (HM Government, U.K.); 2015 Global Audit Committee Survey (KPMG's Audit Committee Institute)
  3. Privacy has Become a Conversation in Every Boardroom
     ▪ December 2013, Leading Financial Services Firm – data breach results in 465,000 stolen records.
     ▪ September 2014, Leading Retailer – 6-month intrusion results in 1.16 million stolen credit and debit cards.
     ▪ December 2013, Leading Retailer – breach cost banks and credit unions over $200 million.
     ▪ September 2014, Leading Home Improvement Retailer – data breach results in 56 million stolen payment card details and 53 million email addresses.
     ▪ January 2015, Leading Health Insurance Provider – breach thought to impact between 69 and 80 million customer records.
     ▪ June 2015, US Government – data breach compromised 21.5 million employee and non-employee Social Security numbers and other highly sensitive records.
     ▪ July 2015, Online Dating Site – data breach suspected to impact 36 million accounts and 9 million individual credit card transactions from more than 50 countries.
  4. Valuable Data Types by Industry
     Identification and prioritization of sensitive data in each industry (Industry / Types of Valuable Data):
     Consumer Products & Retail
       • Credit Information & Transactions
       • Marketing Information & Campaigns
       • Pricing & Margin Information
       • Operational & Logistics Information
     Energy & Natural Resources
       • Geolocation Research Information
       • Formulas & Research Information
       • Industrial Control Information (SCADA, Oil Distribution Systems)
       • Contracts
     Healthcare & Life Sciences
       • Electronic Health Information
       • Patient Information (Financial)
       • Formulas & Research Information
       • Healthcare Delivery Systems
       • Claims Information
       • Medical Device Data
       • Clinical Trial Data
     Financial Services
       • Financial/Investment Models
       • Account Information
       • Operational Monitoring Information (Transaction Volume, Shifts, Fraud Alerts)
       • Sensitive Strategic Information (IPO Information, Research Materials, Pre-release Analyst Reports)
     Industrial Manufacturing
       • Manufacturing Techniques
       • Quality Control Systems
       • New Technology Deployments
       • Supply Chain Information & Logistics
     Telecom/Technology & Media
       • Innovations
       • Call Logs
       • Source Code
       • Cookies
       • IP Addresses
     Cross Industry
       • Customer & Employee Personal Data
       • Financial Reporting Data
       • Strategic Access (Mergers, Pricing, Strategies)
       • Regulated Data
       • Strategic Risk Information
       • IT Infrastructure Configuration Data
       • Intellectual Property
       • Customer Payment Data
  5. Valuable Data Types by Category
     A critical organizational need is to identify what data is sensitive and critical to each stakeholder in the information lifecycle. This categorization of data helps drive a risk-based agenda and meaningful investment.
     Corporate: Intellectual Property, Research, Development, Mergers, Acquisitions, Divestitures, Trade Secrets
     Customer: Patient, Benefits, Financial, Health
     Employee: Human Resources, Payroll, Health, Benefits, Performance Reviews
     Third Party: Commercial Agreements, Rate Cards, Hosted Data, Managed Data
     Attorney-Client: Lawsuits, Arbitration, Privileged Communications
  6. Privacy is an Enterprise-Wide Conversation
     • Privacy should be top of mind for individuals and groups located throughout the organization
     (Diagram: Privacy at the center, surrounded by Legal, Risk Management and Compliance)
  7. Building a Privacy Management Function
     Privacy capability – building a comprehensive implementation (diagram layers):
     • Human Factors
     • Operations
     • Technology
     • Planning & Control
     • Information Risk Management
     • Privacy and Security Foundations
     • Leadership & Governance
     • Legal & Compliance
  8. Key Privacy Needs
     • Third party and supply chain management
     • Internet of Things
     • Changing regulatory requirements
     • Mobile
     • Consumer trust and brand protection
     • Big Data
     • Data localization
  9. Common Privacy Triggers
     ▪ Has the organization experienced an accidental or unauthorized access to and/or release of data?
     ▪ Is the organization subject to regulatory requirements for data privacy, security, and business continuity?
     ▪ How effectively can the organization detect and respond to a suspected, discovered, and/or reported data breach?
     ▪ Are the organization's security capabilities aligned with the delivery of business objectives, and do they support its governance structure?
     ▪ Has the board of directors, executive management or audit committee assessed the organization's ability to detect, respond to and recover from a data security event?
     ▪ How well does the organization's current operating model support responses to changes in economic conditions, regulatory reform, and increased risk management measures?
  10. Legal Thoughts – As a Data Gatherer
     Data Focus
       • Data mapping (What data do I have?)
       • Data culling (What data do I want?)
       • Data risk management (What data am I willing to risk?)
       • Data protection (How do I lock which data?)
     Partner Focus
       • Data service mapping (Who holds my data?)
       • Servicer risk (What is my downside?)
       • Mitigating legal risk (What does my contract say?)
     International Focus
       • Where is my data stored?
       • Where is my data gathered?
       • What are the rules? (EU, HIPAA, GLB, PCI, data breach)
  11. Legal Thoughts – As a Data Subject
     Bring Your Own Device (BYOD)
     Sharing Apps
       • Location tracking
       • What can I share?
     Surprise!
       • Kids
       • Repair
       • Upgrading
     Policies
       • Jailbreaking
       • Password/PIN
       • Discoverable – no right to privacy
       • Seizeable – border seizures
  12. Legal Thoughts – Additional Considerations
     • SLA and high-risk data
     • What is the exchange? Free vs. paid
     • What type of data is collected by the vendor?
     • Narrow the rules: focus on what I need to keep private
     • Review your policies – not set and forget
     • What rules do I play by? (EU, HIPAA, GLB, PCI, data breach)
     • Encrypt! (data at rest, data in transit, backups, device)
     • Leaving and deletion
     • Risk allocation
  13. Summary – Key Takeaways
     • Privacy threats are larger and more impactful than ever
     • Privacy starts and ends with sensitive information
     • Privacy is a business issue and not just an IT issue
     • Privacy triggers are growing and stem from common business and organizational themes