May 2015 Issue
In today’s rapidly evolving global business environment, it is more important than ever for organisations to have recourse to tools that can help them effectively manage and safeguard the personal information they store, handle and transfer. The data protection landscape is changing and global businesses are now subject to myriad laws alongside an unprecedented escalation in regulatory scrutiny. For businesses, the need to address these risk and compliance responsibilities in terms of their data protection strategies is a major, far-reaching concern.
Pfeifle: Could you provide an overview of the latest developments in how data protection issues are being handled by regulators and companies in your region? Are any particular trends or patterns evident?
Luysterborg: Within the EMEA region, we are seeing a number of clear patterns emerge at different levels. At one level, we are seeing both companies and regulators really scrambling to get to grips with the upcoming EU Data Protection regulation and to make sense of its regulatory and operational consequences. At another level, we are seeing this evolve into three main focus areas – cyber security, data protection and privacy and finally, cloud computing. These three areas have come to a certain ‘maturity’ and this translates itself in very specific legal and operational challenges for both companies and regulators. For data protection regulators, they will now need to cope with increasingly wide powers for fines and audits, as well as highly complex and technology driven data systems, as well as concerning themselves with how to actually start enforcing the upcoming, more stringent data protection and cyber security rules.
Cohen: In recent years, corporate data protection has come under a microscope in the United States due to high profile incidents such as the Edward Snowden revelations and the Sony hack. The increasing use of online services and the ubiquity of mobile devices have also heightened the sensitivity of regulators and consumers in this area. Due to the intensifying focus on data protection, good data protection practices have become a competitive advantage. Therefore, responsible companies are taking proactive steps to demonstrate their commitment to data protection, whether it is through publicised transparency reports, tailored privacy disclosures, or the formation of and adherence to industry self-regulatory codes of conduct.
Farris: 2014 may be called the year of the high profile data breach, with virtually all sectors of the economy affected by various types of attacks. Regulators and technology-enabled companies have taken note. In the US, California has increased its enforcement efforts while it and a number of other states have also passed new laws, adding to the tangled web of regulations that companies must navigate. Corporations are increasing spending on cyber security measures, and preparing for increased regulation and enforcement, but the cyber skills gap amongst the general workforce and consuming population continues to grow, at the same time networks and services become more sophisticated and disparate.
Lo Cicero: The most prevalent trend is in the development or refreshing of data protection laws and frameworks by regulators along with companies working towards voluntary or mandated compliance to them. More companies in the European Union (EU) are now negotiating Binding Corporate Rule (BCR) with their relevant Data Protection Authority (DPA). The BCRs include a set of privacy principles that the companies commit to in order to ensure that intra-company cross-border transfers of personal data are in compliance with EU data protection requirements.
Bruemmer: It is fairly well-known around the world that there has been an increase in large data breaches occurring in the US. This has certainly raised the awareness among corporate America and its level of action to address the issue. How companies are approaching preparedness is encouraging as 73 percent of companies have a response plan in place, according to a Ponemon Institute study. However, they are not practiced. Seventy-eight percent of companies have not updated their plans and 30 percent of respondents felt their plan was ineffective.
Costante: Data protection is a hot topic everywhere, especially in Europe where every country has to implement the EU Data Protection Directive 95/46/EC. In the Netherlands, companies, industry associations, governments and institutions that collect personal data in an automatic way have to notify the College Bescherming Persoonsgegevens and communicate what data they are collecting, for what purpose and whether they intend to transfer such data outside the EU. In the Netherlands, data protection laws are taken quite seriously.
Lehmann: The major trend in data protection and data security is the imminent introduction of the German IT-Security Act. Being part of the so-called Digital Agenda of the German government, the IT-Security Act is currently the most conspicuous project in the field of data protection and security. Its goal is to strengthen critical IT infrastructures against attacks via the internet as the number and severity of attacks is constantly rising. In order to achieve this goal, the office for security in the information technology is being vested with new powers, such as to set binding standards for the security of infrastructure, to receive notification of attacks on infrastructure or request audits from the operators of infrastructure.
“Corporations are increasing spending on cyber security measures, and preparing for increased regulation and enforcement, but the cyber skills gap amongst the general workforce and consuming population continues to grow.”
Pfeifle: How can companies ensure that their boards are sufficiently aware of the amount of sensitive information they hold, and the significance the loss of such data assets has in terms of privacy laws?
Costante: Company boards have a very clear idea of what the law says in terms of privacy protection. They are particularly aware of the costs in terms of loss of trust and reputation from their customers in the event of a successful data breach. What is not clear to the data collector, however, is either where the data is within their organisation’s perimeter or how their data is actually being used. This is particularly pertinent for those boards that lack information about who can access the data, what access patterns are permitted and whether the current configuration, in terms of access control rules, complies with what is written on paper. This lack of awareness represents a vulnerability that malicious users can exploit. Even more dangerously, this lack of awareness can leave possible data breaches undiscovered for a very long time.
Bruemmer: Due to the number of recent massive data breaches, the issue is now certainly on the radar of company boards. The potential for a data breach and its impact on the company is now not just an IT issue but a company-wide risk that affects reputation, profits and stock. However, more engagement is needed. The Ponemon study found that only 29 percent of respondents say their company’s board, chairman and chief executive are informed and involved in plans to deal with a data breach, while only 36 percent say their leadership team has requested to be notified immediately if a data breach occurs. To ensure more engagement, company leaders must make security a priority and address topics with the board, including their response plans, security budgets and communication plans in the event of a breach to media and investors.
Lo Cicero: Company board members are already pretty savvy and generally have a good understanding that information is an asset that has an intrinsic value dependent upon its criticality or sensitivity and that its loss could have financial, reputational, as well as regulatory implications. Of course, they may not be aware of the amount of such information nor of its current risk exposure. What companies should be focusing on is being able to quantify that in order to raise the awareness of the board. The level of effort required to determine both the value and risk of information is not insignificant and many companies choose to paint the picture in broad strokes. Those broad strokes may not provide sufficient details in order to enable an effective data protection initiative, but should provide enough generalities about the current state of affairs for the board to make a decision on the approach they are willing to take to safeguard that information.
Lehmann: There are two key points when it comes to minimising the risk of being the subject of a data protection scandal. The first relates to a company’s staff and the second one the infrastructure. With regard to the company’s staff, organisations should strive not only to lay down binding rules for their data but also to convince staff that this is a really important issue. Without this awareness, the best set of rules will not have the necessary effect. The second issue is the constant monitoring of and the willingness to spend money on making the infrastructure secure. This is no once and for all effort but an ongoing process. That process should not be the responsibility of the IT department alone; it should be supervised by someone else, since the results might not be optimal if the IT department controls itself.
Cohen: Regulators have made clear that ignorance of one’s own data practices is no excuse to a violation of privacy laws. Companies have a responsibility to know what information they collect, how they use it, how they safeguard it and to whom they disclose it, and a failure to do any of those can lead to significant legal exposure. To inform their boards, privacy compliance professionals need only point to high profile data protection incidents that involved major settlements, legal fees and reputational harm – not to mention the sacking of executives and senior management – to convince them to dedicate resources to data protection compliance.
Luysterborg: Companies need to first find out where their personal data actually resides and how they are used and shared within the organisation and its partners. Today, a lot of companies think they have a clear view whereas in fact they very often only have a one dimensional overview of their data flow. Indeed, a lot of existing data flows only focus on a scheme of where routers, firewalls and servers are based without taking into account typical privacy related challenges, such as usage of data for the stated purpose. Moreover, a lot of these existing data flows are either more driven by how processes should be instead of how they actually work and are often out of date.
Farris: There are few corporate boards that are unaware or unconcerned with the data privacy and security risks their companies face. Many, however, focus resources and attention on security solutions, without due consideration for privacy compliance or the internal systems necessary to ensure it. In the US, two-thirds of litigation relates to breach of privacy – the collection, use or sharing of data, for example – rather than security breaches such as unauthorised access via malicious intrusion. Corporations must do more than merely invest in security measures to harden their networks. Implement early warning systems and perform regular audits of internal and external data flows.
“The level of effort required to determine both the value and risk of information is not insignificant and many companies choose to paint the picture in broad strokes.”
Pfeifle: To what extent have regulatory authorities stepped up their data protection monitoring and enforcement efforts? How has this activity manifested itself?
Cohen: There is no generally applicable data protection law in the United States. Instead, the US takes a sectoral approach that imposes obligations on the processing of certain categories of data that are deemed to be more sensitive, and so in many cases vests enforcement authority in industry-specific regulators. Therefore, there is no single DPA enforcing privacy laws in the US – the closest being the Federal Trade Commission (FTC), which exerts the broadest authority over data protection under its ability to enforce against ‘unfair or deceptive’ trade practices. The effect is that when there is a high profile data privacy or security incident, multiple regulators at the federal and state level may assert jurisdiction over the incident, multiplying compliance obligations and potential penalties. For example, in just the past six months the Federal Communications Commission levied $25m and $10m fines against communications companies arising from data breaches, the first major fines it has issued purely for cyber security issues.
Costante: The Dutch DPA is very active with respect to monitoring and guaranteeing the enforcement of data protection law. Recently, the DPA has imposed a penalty payment on Google for failing to adequately inform its users about the intensive and combined collection of users’ personal data. Such heavy data collection takes place when users visit a website, watch a video or type a query into a search engine. According to Jacob Kohnstamm, chairman of the Dutch DPA, “Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested.”
Lehmann: In the past, regulators have started to conduct more and more audits and to monitor enterprises more closely. Some regulators have, for example, accessed websites in order to review their data protection features or sent out questionnaires that should be taken seriously. The trend toward higher fines started a few years ago and it is now not inconceivable that a severe violation of the law would be punished with a fine up to €1m. One major case related to an insurance company that paid office clerks in order to receive information about new employees that were in turn approached by the insurance company. As this scheme worked for years, the fine was over €1m.
Farris: Government regulation and enforcement has increased, and companies should expect the trend to continue. Perhaps most notably, the EU’s Data Protection Regulation is due to be enacted later this year. The General Data Protection Regulation (GDPR) is intended to not only unify data protection throughout the EU, but to strengthen protections around personal data. To that end, the GDPR includes strict penalties for non-compliance, including up-to €100m for companies that break the rules. In the US, California continues to not only strengthen its data privacy laws, but the state is also applying them extra-jurisdictionally against any company that might have data relating to a California resident. Other states have followed suit, with Florida, Delaware and Kentucky enacting new privacy legislation and California further strengthening its laws. The US federal government has trailed in enforcement, but may be reaching a tipping point due to the increasing number of major cyber security incidents being reported by large corporations.
Luysterborg: Within the EMEA region, although there are still a lot of differences in the level of enforcement actions taken by the national DPAs, we have seen a few common trends emerge. DPAs have or are in the process of increasing their staff numbers, as well as their ability to issue more important fines. Breach notification requirements laws and regulations either exist or are being proposed in a variety of jurisdictions including Germany, Austria and the Netherlands. All of this comes in advance of the proposed Data Protection Regulations which have already provided for a number of very severe fines in the current draft.
Bruemmer: Despite being a top priority for the Obama administration and leadership in Congress over the past year, legislation in the US to establish a national data security and breach standard remains undefined. While the Health Insurance Portability and Accountability Act (HIPAA) provides clear federal rules for disclosing a breach of Protected Health Information (PHI), modern healthcare organisations still may find themselves needing to disclose losses of other types of information, leading to more complexity.
Lo Cicero: We haven’t really seen an increase in proactive regulatory authority monitoring, though swift enforcement efforts based on publicly disclosed incidents are now the norm. There has been a significant increase of awareness within various industries, particularly in critical infrastructure, where companies are starting to ensure their partners, vendors and other suppliers are properly vetted to ensure they comply with industry accepted good practices for data and information security and privacy. This trend is most likely the result of some of the more recent breaches that originated from a weak supply chain.
“It is essential that a company makes its staff aware of the risks because that is where mistakes happen. Managers, on the other hand, are often well acquainted with the risks.”
Pfeifle: In your opinion, is there now a greater level of understanding within companies about the duties of confidentiality and data protection? How can knowledge gaps be identified and filled?
Lo Cicero: Generally, there is now a greater level of understanding about the duties of confidentiality and data protection but mostly within a company’s legal, risk, security and compliance functions. That level of understanding needs to be extended throughout the organisation and gaps can be relatively easy to recognise by identifying and focusing on the parts of the organisation that own, generate or are the custodians of relevant information types to determine their level of awareness and compliance.
Bruemmer: After closing the books on a record year for data breaches in 2014, preventing and managing security incidents are two of the highest priorities facing businesses. So there is definitely a greater level of understanding. As a result, executives need to be prepared for a data breach the same way companies would plan to face a natural disaster or other major business risk. Although there is heightened sensitivity for cyber attacks, a majority of companies continue to miss the mark on their largest security threat – employees. Between human error and malicious insiders, time has shown us that the majority of data breaches originate inside company walls.
Lehmann: The awareness of data protection is improving constantly. Data protection – along with the risk of receiving a heavy fine – is something a board of directors would listen to. This is probably due to the fact that data protection scandals have gained more profile in the past and may now make the headlines. It is essential that a company makes its staff aware of the risks because that is where mistakes happen. Managers, on the other hand, are often well acquainted with the risks.
Farris: Companies certainly have heightened awareness, but many are slow to understand and adopt regulatory standards and practical measures to protect themselves. At the end of 2013, too many companies believed that the Target attack was not relevant because they were not a retailer, or because they were not holding credit card information. 2014 taught us that everyone is vulnerable. Closing the knowledge gap starts from within. Often, it is the failure to implement and execute robust internal controls consistent with enterprise-wide policies that creates vulnerabilities and makes a company susceptible to attack, not a technological failure or electronic security weakness.
Luysterborg: We believe that the majority of companies are still too focused on the ‘silo approach’ when it comes to both data protection and confidentiality issues. Too often, companies equate equal data protection privacy with policy, and cyber security with technology, thereby negating the issue of the so-called security /privacy paradigm. Moreover, whereas tying someone’s identity to his or her behaviour will get you good security, too much of it will put you in jeopardy with data privacy requirements. Therefore, a truly holistic and multi-disciplinary approach is called for. In more practical terms, this means that companies will need to have operational processes and controls in place to deal effectively with upcoming requirements, such as privacy by design, privacy impact assessments, breach notification and incident management.
Cohen: Due to the more active enforcement environment – plus the recent trend of privacy class action lawsuits, which have resulted in some significant settlements – company decision makers have paid more attention and dedicated more resources in recent years to data protection. But corporate cultures are inertial, so companies should take proactive steps to inform their workforces about data protection compliance. This involves two important processes: engaging in robust training, reinforcement and follow-up about the company’s obligations and policies, and integrating data protection considerations throughout the design and development of products, services and initiatives to catch possible issues before they are realised.
Costante: Most companies have a great understanding of the need of data protection. The trouble is that often the level of priority given to data protection is nowhere near as high as it should be. In addition, we often see an approach to data protection that is reactive rather than preventive – companies ask for the help of data protection experts when they think they have already been victim of a data breach. In case the importance of data protection is still in doubt, many cases in literature quantify the costs – in terms of money, reputation and legal troubles – of neglecting data protection. A clear example is provided by the case of Sony – the Sony breach cost the company an estimated $171m and resulted in a £250,000 fine from British regulators.
Pfeifle: What lessons can we learn from high profile data breach cases, such as those involving Target and the Wyndham Worldwide Corporation, among others?
Farris: Companies must recognise that a data breach can happen to them, and if they are not vigilant, it will. Organisations must reject the notion that ‘the hackers’ are just too good, or that a breach is inevitable because there are just too many vulnerabilities to be addressed. Accountability and a security audit are good initial steps, but leading companies will recognise that privacy and security are not static concepts. Your strategy must evolve with the threats. Engage in more than a single analysis of the company’s risk – make audits and risk assessments periodic, and implement policies that make privacy and security part of the company’s fibre. Lastly, companies must prepare for the worst. Employ active monitoring and create a rapid response team that can act swiftly and decisively at the first sign of trouble to identify a breach, limit its impact, notify customers and ultimately limit liability to the company.
Costante: There is one thing these breaches have in common: the data breach has not been detected on time. By the time the company suspected that something was wrong, data had already been leaking for some time, causing most of the damage. Furthermore, it took days, and an intensive and expensive forensic analysis, before the victims had any idea of how the attack took place. The data protection mechanisms in place, if there were any, were not sufficient enough to stop the hackers from breaking into data-servers and stealing millions of records containing customers’ personal information. These cases should serve as a wakeup call for other companies: early detection of data breaches is necessary and prevention is the key. If the right prevention solutions are in place, there is no need for costly forensics, as breaches can be detected in time and the right actions can be taken. For example, in the Target data breach the attackers were undiscovered for about three weeks. With a detection system in place the breach would have been uncovered much earlier, diminishing the amount of data stolen and the overall cost the breach caused to the company.
Luysterborg: On the one hand, some good ‘old school’ security measures still stand today and should not be forgotten or thrown away. Two factor authentications, third party vendor control, and solid identity and access management procedures can go a long way. On the other hand, in addition to some ‘old school’ commons sense measures, the new cyber threats require a new more ‘versatile and innovative’ approach to security. This means a better and more pragmatic approach to utilising those tools and procedures best suited for the type of cyber attack companies face, and to have a better view of what the cyber and privacy threats are per business unit within your company and its partners. This requires not only having cyber or logging tools in place but also understanding the characteristics of your business services, vendors and related communication channels.
Lo Cicero: One of the primary lessons is that it is now generally understood that accountability and liability for the protection of company assets, including information, is at the top of the company and cannot be delegated. There has been C-level turnover as a result of data breaches and now boards and their audit committees, as well as the general public, demand exceptional due care be exercised in the protection of consumer and personal information. In the absence of that, and as a result of subsequent breaches, lawsuits and regulatory sanctions are inevitable.
Bruemmer: There are several lessons to be learnt, the top two being the importance of a public relations plan, and again, employee security protocols. In today’s 24 hour news cycle climate, an organisation must be prepared to have its announcement pre-empted by the media. If the news is out before a company has spoken, what is Plan B? The second lesson is that, not surprisingly, the cause of many of the largest US data breaches reportedly was an employee mistake. Accordingly, this is an area that needs improvement. In the data breach events we serviced in 2014, approximately 80 percent of the documented root causes came from employee negligence. The main penetration point was compromised administrative credentials that allowed easy access through the organisation’s cyber security defences. This theme has been consistent over the last three years.
Cohen: The main lesson is that cyber security is one of the most significant legal and reputational risk areas that companies face today. The immediate ramifications are obvious: class actions, regulatory enforcement and legal and forensics fees, among others. But what is unknown at this point is how some of the more prominent data breaches will affect those companies longer-term, as they fight to convince their customers and business partners that they will not put data at risk. The other big lesson is that perfect security is impossible, so there always will be a risk of a breach.
Lehmann: We may learn that it is not only essential that a company keeps up its security measures but ensures that information is passed on to the right points and that immediate action is taken once the suspicion of a leakage is detected. It is crucial that every crisis is taken seriously and communicated openly instead of being hushed up. The longer a leakage is kept secret the more the public will treat that as a scandal.
“There is one thing these breaches have in common: the data breach has not been detected on time. By the time the company suspected that something was wrong, data had already been leaking for some time, causing most of the damage.”
Pfeifle: With ‘privacy by design’ likely to become increasingly important, how can companies incorporate privacy and data protection into their product/service development process?
Luysterborg: Having timely and effective data privacy impact assessments in place and embedded into each product or service development process – wherever personal data are involved – will be crucial. The key here is effectiveness. In order for privacy by design, as well as such privacy impact assessments to be effective, they should not be considered as just filling out a form or be standalone documents and processes. They must be considered in line with the organisation’s other risk based processes and tailored to the specific business service or product it intends to cover. Companies do not just need content, they need a specific privacy impact assessment process, a formalised way in which assessments are started, progressed and finished and by which risk, mitigations and actions are reported and followed up.
Cohen: Data protection enforcement in the United States has become a retrospective exercise, with plaintiffs and regulators regularly second-guessing the internal data processing practices of companies that experience a privacy or security incident. Therefore, privacy by design is essential for companies handling sensitive information, becoming the de facto standard of care in lawsuits and regulatory enforcement. The key to incorporating privacy by design into the development of products and services is to carefully tailor procedures that require that privacy be considered throughout the process without imposing an undue burden or unnecessary bureaucracy on the business.
Farris: Privacy by design is likely to become the standard for responsible product and service development. The seven principles of privacy by design describe a system of value sensitive design, whereby data privacy and security – and individual values and protections – are considered throughout the entire systems engineering process. At its core, privacy by design teaches companies to be proactive and preventative about privacy and security, not reactive and remedial. The foundational principles include embedding security and privacy measures as the default in product development, providing transparency and visibility into privacy measures, and thinking about security from a user-centric and full lifecycle approach. For many companies, this means reconstituting the way they do research and development, and taking a hard look at their current product offerings.
Lehmann: If privacy by design is taken seriously then it has to be incorporated in the development of new products and services from the start and not only at a later stage. Moreover, the one responsible for privacy should be part of the team at all times and not just occasionally. Finally, privacy design should be part of the final signing off. One major issue is the so-called ‘privacy by default’ which, in principle, says that if the customer has to make any adjustments or choices, the data protection friendly adjustment or choice should always be the first or even predefined one. The major advantages for companies that adhere to these principles will be that they save the costs and trouble of changing a product after it has been finished.
Costante: Sadly, the majority of companies are still behaving reactively. However, we can see different trends emerging in different areas. For example, banks and financial institutions have a good understanding of the threats to their data and are aware that their data represents an appealing target. On the other side, companies in the area of manufacturing or e-commerce tend to underestimate the risk of a data breach. To establish an effective data security culture there is much work to be done with regard to increasing awareness. Furthermore, companies should provide clear guidelines to their employees, as well as putting in place mechanisms for data protection that will give employees reassurances that data security is being taken seriously.
Bruemmer: Designing products with privacy and data protection in mind is an important way that companies can limit exposure if it were to experience a breach. By being careful about limiting what data is being collected, ensuring that it is stored securely using encryption, and checking that products do not expose data in ways they shouldn’t, companies can greatly reduce the potential damage. There are also significant cost benefits of building in versus bolting on data protection, by avoiding costly security and privacy retrofits later in the product development cycle or following a major security incident.
Lo Cicero: Concepts such as ‘privacy by design’ and ‘secure by design’ have gained momentum but it is only when an appropriate business impact or risk assessment is performed will an organisation be capable of fully realising the significance or criticality of a proposed solution, product or service in order to balance privacy and data protection concerns with speed of delivery or time to market. It has to be a pragmatic rather than a one-size-fits-all approach in order to ensure the delivery is fit for use and purpose on all counts.
“What is unknown at this point is how some of the more prominent data breaches will affect those companies longer-term, as they fight to convince their customers and business partners that they will not put data at risk.”
Pfeifle: What are a few of the essential elements companies must put in place when preparing for a potential data security breach incident? What top priorities should a robust response plan incorporate?
Cohen: Perhaps the most essential element a company should include in its breach response plan is a clear chain of command so that when a crisis occurs, it can react quickly and seamlessly. Importantly, this chain of command should include oversight or supervision by the general counsel or other member of the legal team, who should be brought in early in the process to maintain the legal privilege of any information or reports generated during the internal investigation. After invoking the chain of command, the next most important elements are neutralising and eradicating the threat.
Lehmann: A data breach incident may start with a remote suspicion or a minor incident but develop into a real catastrophic event. Thus, the first issue should be the awareness that every incident could be important and has to be properly reported and categorised in order to take the proper actions. That will only work if there is a clear reporting chain that encourages notification. The second major issue relates to the communication of any incidents to the public. Therefore, the legal department must know about any legal technicalities and a communication strategy must be quickly identified.
Lo Cicero: The most essential elements are to actually have a comprehensive plan that has been properly prepared, with its components ready, having been regularly tested and undergone iterations of refinement. It will astonish the board members of many companies that these basic principles are not followed within their own organisations. As far as priorities, the plan needs to ensure a high level of integration with the crisis management department to maintain awareness of the situation for executives and critical decision makers and to coordinate support and logistics for the incident response and recovery teams.
Luysterborg: In order to understand the key elements of a successful data security breach response plan, one has to first understand the most common pitfalls. As such, most companies do have some form of incident response plan in place. The problem is that either no one is aware of the plan, or it is not sufficiently formalised or rendered truly operational. As a result, execution is largely based on existing relationships and ad hoc ‘historical’ knowledge and no real useable playbooks exist for handling an incident, let alone properly communicating on it.
Farris: First and foremost, companies should get their house in order and develop a plan before a breach occurs. By creating accountability for data privacy and security issues among management, clearly delineating responsibilities in the event of breach, and developing comprehensive internal and external crisis communications plans, companies can be well prepared and minimise both liability and any reputational impact of a breach. A data breach is a major event for any company, but a bungled response can be catastrophic. Do not get stuck trying to determine internal responsibilities, identifying government agencies to be notified, or how to communicate with the public during or after a breach. Create a team, write a plan, perform exercises and tests, and refine the plan as the threats evolve.
Costante: A company can do several things to prepare for a potential leak. First, it should put in place monitoring solutions that are able to capture activities over sensitive data. For example, companies should have full awareness of how their data is used, the locations in which it is stored and who has access to it. Second, companies should use security solutions, such as anomaly detection, to spot potential data leaks. Realistically speaking, an outgoing flow of millions of records from a data source is quite anomalous and it is unlikely to happen every day. Existing anomaly-based systems can easily spot these situations and raise the alarm, allowing for a prompt reaction to data breaches.
Bruemmer: Organisations can significantly reduce the costs and reputational fallout by preparing ahead of time with a strong IT security posture, hiring a chief information security officer (CISO) and preparing an incident response plan. One of the essential elements they should put in place is to identify and secure outside partners such as legal counsel and identity theft protection product firms. The process will go much smoother when the negotiations are already concluded and contracts are in place. The response plan should include an identified response team list with contact information. An outlined structure of internal reporting to ensure executives should also be included.
Pfeifle: What strategies should companies consider to deal with internal data security risks, such as those posed by the Bring Your Own Device (BYOD) policy? How can companies ensure staff are not doing any wrong, without violating their privacy?
Lehmann: Management should at first try to convince the staff that any regulation of the issue is for the mutual best because it serves the company and the staff is awarded some choice of their devices. However, complete freedom will not be the method of choice. There has to be a limitation to the devices involved because without limitation the devices may become unmanageable – as might the risks involved.
Costante: Statistics says that the insider threat is one of the most dangerous types of threat due to the sheer quantities of information an internal threat can leak. This suggests that the employer and the employee trust gap is widening. A good strategy to reduce the risks coming from BYOD policies is to include a strict separation between personal and corporate data. This separation should be implemented in terms of behavioural guidelines as well as by enforcing specific policies.
Farris: Despite the publicity received by high profile hacks like Sony, the greatest loss of data and intellectual property for companies continues to originate from low-tech threats posed by employees and contractors. Whether it is weak password policies, poor security on employee devices, unrestricted remote access, unencrypted portable devices, outdated virus and malware software or ineffective anti-spam and anti-phishing policies, many companies struggle to do the basics of protecting their systems and networks. These vulnerabilities are exacerbated by the growing skills gap that exists between cyber criminals and technology users. Companies have to balance flexibility and productivity versus security and privacy concerns when considering any BYOD policy. Policies should be developed by teams that include IT, legal, HR, security personnel and relevant business unit leadership.
Lo Cicero: Ensuring staff are not doing any wrong without violating their privacy on BYOD is perhaps a dichotomy. The purpose of BYOD is to allow access to company information and systems on personally owned devices. Companies have an obligation to control and ensure that information is handled in accordance with its internal, legal and regulatory requirements. The technical mobile device management solutions that allow that control are invasive by nature and potentially give more control and visibility of the device than what an individual would want their company to have. The company’s strategy should be to clearly document expectations and requirements and educate staff so that they know what both the individuals concerned and the company can or cannot, and will and will not, do in regard to personally owned devices on a BYOD program.
Luysterborg: We have found that providing specific and practical awareness sessions to staff, covering areas such as social media in a concentrated time span really helps especially when the focus is not only on the risk for the company but, initially, the risks that employees run when using social medial at home. Providing staff with tips and tricks on how to better secure their usage of social media at home, while explaining the benefits thereof and giving practical examples, really helps bring that message to the workplace environment. As such, companies can get across the ‘quid pro quo’ message much more easily.
Cohen: To manage internal data security risks, companies should establish a data security program through which they develop internal controls, policies and procedures tailored to address reasonably foreseeable security risks. Companies should then have a process in place to audit or test for compliance with those controls, policies and procedures, which may include monitoring usage of their network and resources, within the bounds of the law and existing policy. Companies also can minimise data security risk by structuring their networks, minimising their data collection and limiting access to data in such a way that lowers the risk of unauthorised access to or use of data.
Bruemmer: Mobile-related data breaches stem from a range of circumstances, including loss or theft of devices, failure to use anti-malware, or failure to password-protect a device being used for business purposes. But the proliferation of usage in the workplace shows there is a great benefit to companies and a comfortable level of security. To manage internal threats, risk managers should begin by ensuring all employees have a background screening prior to employment or handling sensitive data. Second, every employee within an organisation should go through an annual job-specific privacy and security training session – no exceptions, even in the C-suite.
“By being careful about limiting what data is being collected, ensuring that it is stored securely using encryption, and checking that products do not expose data in ways they shouldn’t, companies can greatly reduce the potential damage.”
Pfeifle: In terms of system monitoring and accountability, what steps can companies take to ensure their plans and policies are being followed and are effective?
Farris: Promoting awareness alone is not enough, nor is investing only in edge security. Companies should be proactive and embed privacy and security protocols in all aspects of the enterprise. This includes not only the deployment of internal-facing technological security monitoring and reporting, but training, incentivising positive privacy behaviours and embedding privacy and security best practices in the organisation’s products. This is a cultural shift for many companies. Writing security policies in a vacuum or confining data privacy issues to the IT department will leave companies vulnerable and increase the risk of negative outcomes.
Luysterborg: Companies need a multi-disciplinary approach that is reflected and formalised in steering committees or working groups. Next, they need a clear division of responsibilities and accountability. It is not sufficient to just insert ‘data protection’ in to the job description of the data protection officer. You need to ensure that the officer or the committee that he or she is sitting on has the formal authority to make decisions on these issues. Often, this is one of the main reasons why data protection issues and projects fail within a company – a vertical silo based approach used to handle a horizontal, company-wide problem.
Cohen: To ensure plans and policies are being followed and are effective, it is important to test and monitor for compliance on a regular basis, and to train personnel where they are not fully compliant. Where personnel are not intentionally violating policy, it is crucial to have a feedback loop through which they can learn how to change how they operate in order to comply with the company’s obligations. For serious violations of company data protection policy, the company must stand firm behind its policies and hold personnel accountable, consistently, regardless of their intent.
Bruemmer: It is not easy to instil a culture that places a premium on data security because it takes everyone from the board-level down to every employee to make it a top priority. To ensure protocols are being followed, companies must make it a year round effort. They should remind employees on an ongoing basis of best practices such as good password habits and avoiding opening suspicious links in emails or online. Companies should take the opportunity to discuss security throughout the year. Ultimately, companies will know if their security policies are effective if they avoid a data breach. However, the odds are not in their favour – an organisation has to be 100 percent right all of the time while a criminal just needs to be right once to get into the system.
Costante: Solutions that monitor activities and that are able to identify anomalies in usage patterns would be effective in this scenario. These kinds of solutions are known as behavioural-based solutions, and are able to detect any deviation from a baseline. In this way it is possible to spot policy infringements, misconfigurations and misbehaviour – these are the main causes of data breaches according to studies from Verizon, IBM and the Ponemon Institute.
Lo Cicero: Initial basic steps would be to ensure that staff are informed of company policies through awareness programs and put in place the various technical controls for monitoring and accountability. Depending on jurisdictions there may be boundaries regarding what monitoring is allowed in order to safeguard privacy, but privacy is not to be used as a blanket of cover to avoid detection of inappropriate use nor to prevent a company from implementing appropriate controls because ultimately the company and its executives are accountable for what happens under their watch. As far as measuring effectiveness goes, establishing metrics appropriate to the company and its policies is required. Ensuring that these metrics can be generated automatically from appropriate systems would be beneficial in order not to create an administrative burden that is neither sustainable nor scalable.
Lehmann: The first step is that staff must accept any policy. Management need to prepare the staff for the implementation of the guidelines and then to explain them. If possible, staff must be able to see that they too can derive some benefit from the implementation of the guidelines as well. Moreover, at least in Germany, the works council has to be involved because it has to consent to the guidelines or policies. That may lead to lengthy and cumbersome negotiations, but without their explicit consent the works council may block anything by way of an injunction at a relevant court.
Pfeifle: What trends have you observed in the area of litigation brought against companies – as well as individuals – found guilty of breaching or violating data protection and privacy laws? Are the penalties imposed on miscreants stringent and far-reaching?
Bruemmer: There have been many class action law suits filed in the US following data breaches, but their success has been limited. Due to the difficulties involved in receiving a windfall, most breached companies do not suffer many consequences unless they fail to meet the legal notification requirement. Since 2001, the FTC has brought more than 50 cases alleging that organisations failed to protect consumers’ personal information. Generally, settlements with the FTC require companies to implement a comprehensive information security program and undergo evaluation every two years by a certified third-party. Regulations may heat up so organisations are advised to work closely with legal counsel to ensure that they are prepared to comply with state, federal and international laws and regulations.
Lehmann: Litigation in Germany is seldom brought against companies on data protection grounds. However, that may soon change. Under German law, organisations for the protection of consumers have – once they are registered with a certain government authority – the right to sue companies if they violate consumer rights, such as using unfair standard terms and conditions. In a recent draft bill, the German government has announced that this right will also be extended to incorporate data protection rights as well. It is to be expected that once the bill has been passed, those companies which have been slack about data protection will face litigation that could prove to be quite costly.
Costante: Europe is known to be strict when it comes to data protection. For example, in December 2014, Germany imposed a fine of €1.3m on the insurance group Debeka because of a violation of data protection laws and a lack of internal controls. Recently, many other cases of data breaches have also come to light. In addition to Target, there have been data breaches at Home Depot, Sony and Adobe. Sony has already been charged with a £250,000 fine in Europe, while Target is facing a fine between $400m and $1.1bn by the Payment Cards Industry (PCI) Council. Clearly, fines imposed on companies found guilty of not implementing the right security mechanisms are quite high and are meant to make a statement.
Farris: Difficult hurdles related to standing and damages have not stopped the plaintiffs’ bar from attacking companies that suffer data breaches. The scope and number of consumer class actions brought against companies in the wake of data breaches is growing at an unprecedented rate. Nearly 70 cases were filed after the Target breach. While consumers have not been particularly successful in these actions, the cost of defence continues to mount. Plaintiffs in data breach cases have asserted numerous causes of action in an attempt to overcome standing and damages issues, alleging negligence, breach of contract, invasion of privacy, failure to satisfy state notification laws, unfair competition and breach of consumer protection laws. Courts have largely rejected these cases on lack of standing or speculative damages grounds, but there is concern that courts may begin to relax standards as public perception shifts.
Lo Cicero: The trend that we have observed regarding litigation brought against companies is that the basis for lawsuits has nearly always been the lack of due diligence in the cyber security and privacy aspects of corporate management as a fiduciary responsibility. Additionally, several new information security and privacy laws in certain countries have provisions for personal liability of company directors and officers in this space. Although we are not aware of any such cases brought against executives thus far, it is an issue as real as their corporate management fiduciary responsibility. Regarding miscreants, those breaches that were the result of non-malicious actions, the penalties have generally been in-house HR department matters up to and including dismissal.
Luysterborg: To be fair, within the EMEA region – with a few exceptions such as Spain, for example – penalties imposed on companies and individuals have not been that stringent or far reaching. In some countries, such as the UK, other regulators including the Financial Services Authority have been charged with imposing heavy fines, not the local DPA. However this is sometimes due to a lack of regulatory powers. But this is beginning to change. Also, with the new arsenal of powers attributed to the DPA under the proposed EU Data Protection Regulation, including significant fines, possible mandatory periodically data protection audits, and so on, combined with very detailed new control obligations, we are expecting this to change quite dramatically.
Cohen: Plaintiffs most often bring litigation for data privacy or security violations as class action lawsuits on behalf of all other individuals or entities that are similarly situated. These class actions raise the stakes for the companies which are sued, because a loss in the case could result in damages aggregated across all of its users or customers, which could be substantial. Because of this, companies defending these lawsuits typically seek to have the cases dismissed early on in the litigation to avoid the risk that a class of plaintiffs could recover large damages. If a defendant is unable to have the case dismissed, it will often end up settling.
“Providing staff with tips and tricks on how to better secure their usage of social media at home, while explaining the benefits thereof and giving practical examples, really helps bring that message to the workplace environment.”
Pfeifle: What final advice can you offer to companies on managing the data risks they face going forward?
Lehmann: The most important advice companies should take on board is that data protection and data security are important issues and they must be taken seriously. Compliance here is a management task and, consequently, a failure may entail the liability of the management toward the company. In its own interest, the management will then apply great care in these matters.
Luysterborg: It is similar to the start of any successful AA recovery. Firstly, companies must admit that they are at risk and that data protection and cyber security is a concern. Secondly, companies need to take a holistic and risk based approach. There is no 100 percent data protection compliance solution and there never will be. As the old axiom goes – there are only two kinds of companies, those that have been hacked and those that will be. You will be judged on your preparedness and your capability to respond to a data protection breach or incident. The only successful approach is a holistic one – one that does not treat security and data privacy separately, and that combines people, process and technology in the most pragmatic manner.
Costante: Protect your data. Do not wait for a breach to occur. Deploy solutions for data usage awareness and data protection. Trust what you can monitor and measure. Keep in mind the fundamental steps for data protection – monitoring so you know what is going on in your organisation, detecting so you can be notified on time when something anomalous is happening, acting so you can be prepared to promptly react to anomalous events, and auditing so you can collect evidence to deal with the breach when everything else goes wrong.
Farris: Companies need to move beyond awareness and begin to view data privacy and security issues as an enterprise-wide cultural matter. Internal focus remains as important as combating external threats. Training and compliance programs are critical in hardening corporate systems. If employees or vendors leave the proverbial back door open, cyber criminals can penetrate systems easily, no matter how heavily a company has invested in edge security. Take affirmative steps to test privacy and security practices. The best security policy can do little to protect your company if the policy is poorly implemented.
Lo Cicero: Consider the potential merits of converging various interrelated compliance, legal, risk, privacy and information security functions within your organisation so that parallel and overlapping efforts are integrated, not run in silos. Take on board the lessons learned from companies that have experienced breaches and what they did subsequently to shore up their management and control as well as governance and oversight. Develop a multi-year information security and data protection roadmap to outline the projects and activities identified as being essential to ensure appropriate program continuity.
Cohen: It is always better to think about data protection compliance ahead of time than to determine what procedures are in place in the heat of an incident. Therefore, astute companies develop a data protection compliance plan in advance. This plan should include the location and identification of regulated or sensitive data types throughout the organisation, the identification of legal and reputational risks to the company based on its collection, use and disclosure of that information, and the development and monitoring of controls, policies and procedures to address those risks. It is not enough to merely set up the privacy program and let it operate. The company should regularly re-evaluate its data protection risks, update its privacy program in light of the changing risk profile and train new employees on the requirements of the program.
Bruemmer: It all starts with IT. Conduct a risk assessment of your entire network and know where all your sensitive data resides, including with your vendors. Second, build a comprehensive data breach response plan with delegated authority from the board and executive management. Third, every organisation should increase job specific security and privacy training. Lastly, do not forget to practice the response plan regularly before an event occurs. After a data breach, organisations should notify consumers and regulators as early as possible. The most important steps to rebuild trust with customers are to communicate an empathetic apology, provide an informative FAQ, make available a hotline they can call with questions and offer a comprehensive identity theft protection product.
As publications director, Sam Pfeifle oversees everything from the Daily Dashboard to the monthly Privacy Advisor to the International Association of Privacy Professionals’ (IAPP’s) various blogs, books and Resource Center items. Mr Pfeifle came to the IAPP after stints overseeing a number of B2B publications, including titles in the physical security, workboat and 3D data capture industries. He began his journalism career with the alternative newsweekly The Portland Phoenix.
Erik Luysterborg is a partner at Deloitte Belgium. He leads their Cyber Risk Services group as well as the European Data Protection and Privacy services within the EMEA region. He is also the founder of the Deloitte European Privacy Academy. He has over 15 years experience in this area and has somewhat of a hybrid background as he is both a lawyer as well as a security professional. He provides pragmatic cross-functional solutions to clients’ privacy and cyber security challenges.
Michael Bruemmer is vice president with the Experian Data Breach Resolution group. He has more than 25 years in the industry, with expertise in identity theft and fraud resolution. Mr Bruemmer currently resides on the Medical Identity Fraud Alliance Steering Committee, Ponemon Responsible Information Management (RIM) Board, and the International Association of Privacy Professionals (IAPP) Advisory Board.
Dr Jochen Lehmann specialises in IT matters with a particular focus on data protection and data security matters. He is a member of the IT group of the firm that is led by four partners, including himself, and he is also a member of the internal IT advisory board.
Bret Cohen practices in the areas of privacy, cyber security and consumer protection. He counsels clients on a wide variety of privacy and cyber security matters including investigations by the Federal Trade Commission and state attorneys general, security and privacy incident remediation and notification, government data collection and cross-border data transfers including US-EU Safe Harbor certification.
Claudio Lo Cicero is the chief information security officer for Denmark based Maersk Oil. Mr Lo Cicero holds a Master of Science with an information security specialisation as well as several information security and data privacy professional certifications including the CIPM, CISSP, CRISC and CISM. He is also a member of several industry organisations such as the IAPP, ISACA, ISSA and ISC2.
Daniel Farris is a former software engineer and network administrator in the telecommunications industry. He offers his clients real-world experience in fibre optic networking, cloud computing, mobile app development and data privacy and security. His practice is founded upon understanding how technology can strengthen and expand upon the core missions of his clients’ businesses. Mr Farris is a shareholder, and co-chair of Polsinelli’s Data Privacy and Security team.
Dr Elisa Costante received an MSc Degree in Software Engineering from the University of Sannio in Benevento, Italy in 2010, with a thesis on trust for web services. She got her PhD with a thesis entitled ‘Privacy throughout the Data Cycle’ at the security group of the Eindhoven University of Technology. During her studies she became an expert on privacy and data protection. Since May 2014 she has been a Product Manager at SecurityMatters.
© Financier Worldwide
MODERATOR
IAPP
THE PANELLISTS
Deloitte
Experian
GÖRG
Hogan Lovells US LLP
Maersk Oil
Polsinelli
SecurityMatters