Data Security Regulatory Landscape
Brian Bauer

An overview of the security and privacy landscape.
Before we begin: if you learn what's in this presentation, you will ...
- ... spend LESS time preparing for tests (IAPP, CISA, CGEIT, etc.)
- ... have interesting material to impress your friends
- Learn the difference between real risk and just plain fun
- Get a keener perspective on Operational Risk, which is Risk without Reward

Let's get started!
Sources
- Achieving Data Privacy in the Enterprise, Derek Tumulak, Safenet, April 8, 2010
- Regulatory Information Architecture, Steven Alder, IBM, 2010
- The source of much of my research: Sue Hammer, IBM, 2010
- California Data Privacy Laws: Is Compliance Good Enough?, Chris Merritt, Lumension, May 2010
- Privacy Law & Financial Advisors, Brendon M. Tavelli, Proskauer, Nov 20, 2009
- Medical Records on the Run: Protecting Patient Data with Device Control and Encryption, Sept 2009
- 2010 Data Breach Report, Verizon
- Five Countries: Cost of Data Breach, Dr. Larry Ponemon, sponsored by PGP Corporation, April 19, 2010
- How secure is your confidential data?, Alastair MacWillson, Accenture
- The Leaking Vault: Five Years of Data Breaches, Suzanne Widup, Digital Forensics, July 2010
- Top 10 Big Brother Companies: Ranking the Worst Consumer Privacy Infringers, Focus Editors
- First Annual Cost of Cyber Crime Study, Ponemon, July 2010
- States failing to secure personal data, Kavan Peterson, Stateline.org
- National Archives & Records Administration, Washington
- 2010 Annual Identity Protection Services Scorecard, Javelin Strategy & Research
- A New Era of Compliance: Raising the Bar for Organizations Worldwide, RSA, Oct 12, 2010
- Evolve or Die, Bunger & Robertson, 2010
- Compliance With Clouds: Caveat Emptor, Chenxi Wang, Ph.D., August 26, 2010
- Obscured by Clouds, Ross Cooney, 2010
- Digital Trust in the Cloud: Liquid Security in Cloudy Places, CSC, 2010
- Making Data Governance as simple as possible, but not simpler, Dalton Servo
Disclaimer: Let me be crystal clear, Brian is NOT a lawyer.

Declaration: All Business is Regulated.

Disclaimer: My focus is on the globe but US-centric. (Map slide: "You are here")
What's Inside?
- Erosion in Trust
- Industry
- Customer
- Regulator
- Futures
Business is concerned with RISK. Risk from Regulation, Organized Crime, Reduced Staffing, Sloppy Performance, Lack of Training, New Technologies, and even ... Clients/Customers ... is creating an EROSION in TRUST!
Financial Times: Top Business Concern

New Motivations (E&Y 2010)

The Economist Intelligence Unit: Geography Implications
Loss of data is one of the biggest regulator concerns
Loss, theft, mistakes, under protected, ...
... a Breach of Trust – Over 500,000,000 U.S. records since 2005
- 90% from external sources
- 48% with insider help
- 85% from organized criminals
- 94% targeted financial data or sector
- 98% of records stolen were produced by hacking
- 96% of Trojans found were "Crimeware-as-a-Service"
We can do better:
- 96% avoidable by simple controls
- 86% had evidence in log files
- 66% on devices the organization was NOT aware contained SPI
- 5% loss to shareholders after breach
- 43% higher breach cost in U.S.
Deloitte – 2010 Financial Services Global Security Study – the faceless threat: Financial Service providers have a 39% confidence factor for their ability to protect your data from Insider Threats vs. 71% for External Threats.
A reputation is easy to lose, not so easy to recover
- 60% of companies that lose their data will shut down within 6 months of the disaster.
- 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster.
- 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately.
What can business do?
- Restrict and monitor privileged users
- Watch for 'Minor' Policy Violations
- Implement Measures to Thwart Stolen Credentials
- Monitor and Filter Outbound Traffic
- Change Your Approach to Event Monitoring and Log Analysis
- Share Incident Information
What is the Customer's view? ... what is causing this Erosion of Trust?
Identity Theft: #1 Consumer Complaint (FTC)
- 10M victims in the U.S.
- $5K loss per business, $50B total
- $500 loss per victim, $5B total
- 30 hours to recovery, 297M hours total
(all numbers are approximate or rounded up)
What's on your mind?
Riskiest places for SSN# (Symantec, Nov 2010):
- Universities and colleges
- Banking and financial institutions
- Hospitals
- State governments
- Local government
- Federal government
- Medical (supply) businesses
- Non-profit organizations
- Technology companies
- Health insurers and medical offices
Trust Me – I'm lying? There is a notable difference between organizations' intentions regarding data privacy and how they actually protect it.
- North Carolina attempting to get 50M records from Amazon on citizens
- 45% of businesses disagree with customer data control
- 47% of businesses disagree that the customer has a right to control
- 50% of businesses did not see a need to limit distribution of PII
- >50% of customers believe they have a right to control their data
Accountability – who is looking out for me? A majority (58%) of companies have lost sensitive personal information... Insider involved in over 48% of data breaches.
(Chart axis: Diverse to Deliberate)
Regulatory compliance – no confidence they can keep pace. Many organizations believe complying with existing regulations is sufficient to protect their data.
What do these companies have in common?
Top 10 Big Brother Companies: Ranking the Worst Consumer Privacy Infringers, Focus Editors
Third parties – you sent my data to whom? Companies should be careful about the company they keep. It is crucial they understand the perspective on and approach to data protection and privacy taken by their third-party partners.
- 48% of breaches caused by insiders
- 48% involved privileged misuse
- 61% were discovered by a 3rd party
Culture: Companies that exhibit a "culture of caring" with respect to data protection and privacy are far less likely to experience security breaches.
How to reverse the spin? Build a Data Protection and Privacy Strategy:
- Assign ownership
- Develop comprehensive governance program
- Evaluate data protection and privacy technologies
- Build a culture
- Reexamine investments
- Choose business partners with care
You own some of this – Giving away your PRIVACY (Bill Brenner, Senior Editor, CSO):
- Social networking
- RFID tags/loyalty cards
- The Patriot Act
- GPS
- The Kindle
Regulator View
Privacy, Data Protection, Breach Notification: which comes 1st?
If the Carrot isn't working, it's time to ...
- Protect the consumer
- Punish the breach
- Promote compliance
U.S. Breach Notification Laws: 46 States, the District of Columbia, Puerto Rico and the Virgin Islands. States with no security breach law: Alabama, Kentucky, New Mexico, and South Dakota.
http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx
Data Breach Laws go Global

The carrot is now... avoid the paddle! NERC - North American Electric Reliability Corporation
Current Regulator Focus:
- Take Reasonable Measures
- Breach Prevention
- Risk-Based Approach
- Data-Centric
Do the Regulators have to follow Regulations?

The "Rules" of Rulemaking – Kings have rules. Regulatory agencies create regulations according to rules and processes defined by another law known as the Administrative Procedure Act (APA).

The APA defines a "rule" or "regulation" as...
"[T]he whole or a part of an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy or describing the organization, procedure, or practice requirements of an agency."

The APA defines "rulemaking" as...
"[A]gency action which regulates the future conduct of either groups of persons or a single person; it is essentially legislative in nature, not only because it operates in the future but because it is primarily concerned with policy considerations."

Under the APA, the agencies must publish all proposed new regulations in the Federal Register at least 30 days before they take effect, and they must provide a way for interested parties to comment, offer amendments, or object to the regulation.

Once a regulation takes effect, it becomes a "final rule" and is printed in the Federal Register and the Code of Federal Regulations (CFR), and is usually posted on the Web site of the regulatory agency.
What should be our Focus?
- Embrace risk-based compliance
- Establish an enterprise controls framework
- Set/adjust threshold for controls for "reasonable and appropriate" security
- Streamline and automate compliance processes (GRC)
- Fortify third-party risk management
- Unify the compliance and business agendas
- Educate and influence regulators and standards bodies
So ... Regulators: where are they headed? What's their next target?

Current ... and foreseeable future Regulator Focus (Redux):
- Take Reasonable Measures
- Breach Prevention
- Risk-Based Approach
- Data-Centric
Cloud Computing
- Privacy or data protection concerns make Clouds risky for Regulated data
- Lack of Visibility
- Who do you trust?
- Security & Compliance Risk
- Requires Risk Based Analysis: FedRAMP - Proposed Security Assessment and Authorization for U.S. Government Cloud Computing, Nov 2, 2010
Social Media

81% of Senior Executives rate their knowledge of laws regulating online activity as non-existent.

Business investigations of data loss via social media: 18% by video/audio, 17% by social networking, 13% by blog posting.

Quick tip: Offline laws apply online.
- copyright
- trademark
- fraud
- contract
- trade secrets
- theft/conversion
- identity theft
- privacy laws
- torts
- crimes
- statutory laws
- sexual harassment
- discrimination
- negligence
- defamation
- ...
More Regulator Activity & more to Come
- 45 states have enacted anti-bullying laws (http://www.bullypolice.org/). Without: Hawaii, South Dakota, Michigan, New York, Montana, North Dakota and Missouri
- The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) issued guidance on use of social media sites
- The UK Advertising Standards Authority (ASA) issued guidance on social media marketing
- The Federal Trade Commission (FTC) issued Final Guides governing social media endorsements
- Maryland leads the way in social media campaign regulations
- CA Fair Political Practices Commission (FPPC): "regulate the same as traditional media"
Future Regulatory Focus
- Amateur Data Controllers
- Right to not be over-regulated
- Right to demand co-operation
- Privacy Policies
- Right to be better informed
- Right to be forgotten
- Right to have policies monitored
- Right to Data Portability
- End of online anonymity
- Processing of data by 3rd parties
- Duties for data controllers
- Behavioral advertising
- Right to opt-in vs. have to opt-out
- The rights of minors
Where is this all headed? For us? For our clients?

Manage (Govern) the Data
What is Data Governance? An operating discipline for managing data and information as key enterprise assets: the organization, processes and tools for establishing and exercising decision rights regarding valuation and management of data.

Elements of data governance:
- Decision making authority
- Compliance
- Policies and standards
- Data inventories
- Full life-cycle management
- Content management
- Records management, preservation and disposal
- Data quality
- Data classification
- Data security and access
- Data risk management
- Data valuation
Where does Data Governance fit? Data Governance is the weakest link.

Why is Data Governance important? Regulator shift: OLD = Principles Based, NEW = Rules Based.
- The UK Financial Services Authority (FSA) has proposed a "Data Accuracy Scorecard"
- Regulators will punish inadequate Data Governance
- Breach Notification laws create demand to govern data
Ensure that the Right People have the Right Access to the Right Data, doing the Right Things, Efficiently and Productively. Restore Trust.
Future Bottom Line: Regulations will be MORE Prescriptive, Prohibitive & Penalizing.
Questions
BACKUP – this is backup
Laws & Regulations
- Data Protection Act
- Gambling Act 2005
- Protection from Harassment Act 1997
- Racial, sexual and age discrimination legislation
- Obscene Publications Act 1959: "...obscene if it is intended to corrupt or deprave persons exposed to it"
- The Terrorism Acts 2000 & 2006
- Money Laundering Regulations
- CAP Codes & the ASA: Transparency and Honesty; Careful with trans-national campaigns
- Consumer Protection from Unfair Commercial Practices Regulations 2008 (CPRs)
- Contempt of Court
High-level International Overview
- New Basel Capital Accord (Basel-II)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Society for Worldwide Interbank Funds Transfer (SWIFT)
- Personal Information Protection Act (PIPA) – Canada
- Personal Information and Electronic Documents Act (PIPEDA) – Canada
- Personal Information Privacy Act (JPIPA) – Japan
- SafeSecure ISP – Japan
- Federal Consumer Protection Code, E-Commerce Act – Mexico
- Privacy and Electronic Communications (EC Directive) Regulations 2003
- Directive 95/46/EC, Directive on Privacy and Electronic Communications – European Union
- Central Information System Security Division (DCSSI) Encryption – France
- Federal Data Protection Act (FDPA - Bundesdatenschutzgesetz - BDSG) of 2001 – Germany
- Privacy Protection Act (PPA) of Schleswig-Holstein of 2000 – Germany
- US Department of Commerce "Safe Harbor"
Relevant Laws and Regulations
- Sarbanes-Oxley Act
- PCAOB Rel. 2004-001 Audit Section
- SAS94
- Fair Credit Reporting Act (FCRA)
- AICPA Suitability Trust Services Criteria
- SEC CFR 17: 240.15d-15 Controls and Procedures
- NASD/NYSE 240.17Ad-7 Transfer Agent Record Retention
- GLBA (15 USC Sec 6801-6809) 16 CFR 314
- Appendix: 12 CFR 30, 208, 225, 364 & 570
- Federal Financial Institutions Examination Council (FFIEC) Information Security
- FFIEC Business Continuity Planning
- FFIEC Audit
- FFIEC Operations
- Health Insurance Portability and Accountability Act (HIPAA) § 164
- 21 CFR Part 11 – FDA Regulation of Electronic Records and Electronic Signatures
- Payment Card Industry Data Security Standard (PCI-DSS)
- Federal Trade Commission (FTC)
- CC1798 (SB1386)
- Federal Information Security Management Act (FISMA)
- USA PATRIOT
- Community Choice Aggregation (CCA)
- Federal Information System Controls Audit Manual (FISCAM)
- General Accounting Office (GAO)
- FDA 510(k)
- Federal Energy Regulatory Commission (FERC)
- Nuclear Regulatory Commission (NRC) 10CFR Part 95
- Critical Energy Infrastructure Information (CEII)
- Communications Assistance for Law Enforcement Act (CALEA)
- Digital Millennium Copyright Act (DMCA)
- Business Software Alliance (BSA)
- New Basel Capital Accord (Basel-II)
- Customs-Trade Partnership Against Terrorism (C-TPAT)
- Video Privacy Protection Act of 1988 (codified at 18 U.S.C. § 2710 (2002))
US Federal Privacy Laws and US Federal Breach Laws (the USA is a member of the OECD and a member of CPEA; the US has also ratified CE ETS 185)
1. Children's Online Privacy Protection Act (COPPA)
   1. Federal Trade Commission's Final COPPA Rule (PDF)
2. Communications Assistance for Law Enforcement Act (CALEA)
3. Department of Defense Directive 5400.11.R - Privacy Program (May 14, 2007 edition) (PDF)
   1. Defense Privacy Office
4. Electronic Communications Privacy Act (ECPA)
5. Fair Credit Reporting Act (FCRA, PDF)
   1. As Amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT)
   2. Federal Trade Commission's Red Flag Rule (PDF) (DELAYED UNTIL NOVEMBER 1st 2009)
6. Family Educational Rights and Privacy Act (FERPA, The Buckley Amendment)
   1. US Department of Education Final Rule (PDF)
   2. Protection of Pupil Rights Amendment (PPRA)
   3. No Child Left Behind Act (PDF)
7. Genetic Information Nondiscrimination Act 2008 (GINA, PDF)
   1. Proposed rule making genetic information covered under PII, HIPAA, and HITECH (PDF)
8. Gramm-Leach-Bliley Act (GLBA)
   1. Federal Trade Commission's Final Financial Privacy Rule (PDF)
   2. Federal Trade Commission's Final Safeguards Rule (PDF)
9. Health Insurance Portability and Accountability Act (HIPAA, PDF)
10. HITECH Act (Notice: I could not find it consolidated and called out anywhere, so had to create it myself, PDF)
    1. HITECH Breach Notification Guidance and Request for Public Comment (From the US Department of Health and Human Services, PDF)
11. Federal Trade Commission's Health Breach Notification FINAL Rule (PDF)
12. Safe Harbor Guidelines from the US Department of Commerce