Webinar: Data Privacy Laws & Guidelines: Improving Risk Mitigation with Data Sanitization

© 2016 Blancco Oy Ltd. All Rights Reserved. Data Privacy Laws & Guidelines: Mitigating Risk with Data Sanitization

Upload: blancco-technology-group

Posted on 15-Jan-2017


TRANSCRIPT

Page 1: Webinar: Data Privacy Laws & Guidelines: Improving Risk Mitigation With Data Sanitization


Data Privacy Laws & Guidelines: Mitigating Risk with Data Sanitization

Page 2

MEET OUR SPEAKERS

Richard Stiennon, Chief Strategy Officer, Blancco Technology Group

Jason Bird, Global DLP Expert at Cyber Orchestration Limited

Page 3

Agenda

• Market Drivers of Data Sanitization
• Global Trend Towards Data Privacy Regulations & Standards
• Why Organizations Struggle with Data Sanitization
• Building a Best-In-Class Data Retention Program

Page 4

Market Drivers of Data Sanitization

Page 5

Market Drivers of Data Sanitization

Cybersecurity
• Less data, smaller target
• Prevent reconnaissance
• Prevent data breaches

Electronic Records Management
• Reduce discovery burden
• Data retention policies

Regulation and Standards

Page 6

Global Trend Toward Data Privacy Regulations & Guidelines

Page 7

Data Retention, Security & Privacy

Page 8

Data Protection & Information Lifecycle Management

Page 9

Live Poll

Does your organization have a comprehensive data retention program (including a plan for destruction) in place?

• Yes
• No
• We’re working on it

Page 10

The Old View of Data Retention

Page 11

The New View of Data Retention

Page 12

Data You Cannot Afford to Keep

Data Growth in the Digital Universe

Source: IDC, The Digital Universe in 2020

Page 13

Global Trend Towards Data Privacy Legislation

Legislative Trends:
• Increasing laws on data protection (111 countries, compared to only one in 1998)
• Tougher penalties
• More active enforcement

EU GDPR:
• Requires a Data Protection Officer
• Requires auditable procedures and routines to be in place
• Includes the “right to erasure” of data
• Requires active reporting of any data breach
• Could result in fines of up to 4% of turnover ($2,500 per RECORD)

Page 14

Data Retention & Protection Are Both Vital for Regulatory Compliance

Page 15

Achieving PCI Compliance Is Important

“Policies and procedures must be in place both to remove any stored data… as well as making sure no access to data can be achieved in any way throughout the lifecycle.”

Page 16

HIPAA: Influencing Healthcare Industry Globally

• HIPAA is more explicit since it deals directly with protecting health records from being exposed.

• HIPAA has two rules of interest to IT security: the Privacy Rule and the Security Rule. In 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

• It includes such measures as breach notification for secured protected health information.

• Current best practices for HIPAA compliance include:
  • Construct a security plan for data disposal
  • Remove data from reusable hardware
  • Track all reprocessed hardware
  • Back up all data from all hardware

“Best practice includes plans and policies to manage both the data life cycle and asset life cycle to protect patient information at all times.”

Page 17

EU GDPR: What You Need to Know

Data Protection Authority
• 60 personnel today
• Advises EU Commission
• Will oversee creation of State DPAs

Data Protection Supervisor
• Coordinates each State DPS

28 Data Protection Authorities
• Each country sets up DPA

28 Data Protection Supervisors
• Each country sets up DPS

Page 18

The GDPR’s Data Protection Officer

Compliance Mandatory as of May 25, 2018

• Mandatory requirement; does not override stricter national requirements (adopted version)
• Voluntary appointment (Council’s version)
• Mandatory requirement, overrides (stricter) national requirements (initial proposal by the Commission)

• No minimum threshold; processing activities must be large-scale (adopted version)
• Very low threshold: processing data of > 500 individuals ➔ mandatory for almost all companies (Committee on Civil Liberties, Justice and Home Affairs of the Parliament’s version // Parliament’s version)
• High threshold: enterprises > 250 employees (initial proposal by the Commission)

Violation of the obligation to designate a DPO is subject to fines of up to €10 million or 2% of the worldwide annual turnover, whichever is greater (Art. 83(4a) GDPR).

Page 19

The DPO’s Duties, As Specified by EU GDPR

1. Informing the organization of its obligations to comply with the GDPR and other EU or Member State data protection laws
2. Monitoring compliance with GDPR and other EU or Member State data protection laws, including managing internal data protection activities, training data processing staff and conducting internal audits
3. Advising the organization on data protection impact assessments
4. Serving as the point of contact for and cooperating with the relevant Data Protection Authority on issues related to personal data processing
5. Taking inquiries from data subjects (employees, clients, etc.) regarding the organization’s data protection practices and the exercise of their rights under the GDPR

Page 20

Live Poll

Which of the following qualifications/skillsets do you value most in a Data Protection Officer (DPO)?

• Familiarity with compliance requirements and auditing activities, as well as ability to interpret data protection requirements
• Professional certifications, such as the Certified Information Systems Security Professional (CISSP) and the Certified Information Privacy Professional (CIPP)
• Strong grasp of how the business operates and its data processing activities
• Well-versed on data lifecycle management, including the required technology and processes to properly manage data across its entire lifecycle (i.e. create, use, store, archive, share and destroy)
• Clear understanding of customer interactions and how data is collected both online and offline

Page 21

Hiring a DPO: Your Options

• Hire Brand-New Role
• Add DPO Duties into Existing Role
• Outsource to 3rd Party

Page 22

ISO/IEC 27001 Guidelines Matter

01 TOP MANAGEMENT: Must implement information security policy themselves

02 RISK MANAGEMENT: Relevant security risks should be addressed and mitigated

03 INTERNAL AUDITS: Must verify all security risks have been addressed and operational processes are set

04 DATA REMOVAL: Sensitive data and licensed software must be securely removed prior to disposal or reuse

Page 23

NIST SP 800-88r1 Is Important

“Sanitization is a process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort.”

Next Step: Live Environment Media Sanitization

Page 24

ISO Information Security Standard

ISO 27001 requires both “Privacy and protection of personally identifiable information” as well as “Secure disposal or re-use of equipment”.

What should be included at least:
“All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.”

Who is responsible:
• “Top management shall implement the information security policy themselves.”
• “The policy must ensure that all relevant risks are addressed.”
• “Internal audits should regularly verify that all risks are addressed and operational processes are in place.”

Page 25

Why Organizations Struggle With Data Sanitization

Page 26

Why Organizations Struggle With Data Sanitization

Ineffective Tools & Technology
• Basic deletion, quick format & factory reset are not effective
• Shortcomings in data deletion technologies (insufficient overwrite passes)
• Cryptographic erasure is flawed

Limited Reach
• Failing to erase data stored on laptops/desktops, mobile devices and removable media

Incomplete Monitoring
• Lack of reporting
• Missing proof of erasure -> no audit trail and increased risk

Page 27

The Data Management Problem: Use-Case Examples

• Online banking SSL certificates discovered within a SharePoint portal
• End-of-year results in an open file share, for a comms agency to collect for formatting and distribution to the public
• Spreadsheets of customer records exported out of the protected CRM platform
• Live PII data for employees stored within CSVs and being used to test a cloud-based HR application (no classification tag, unprotected)
• Network diagrams and technical instructions for sensitive applications found in an open transfer share
• Password to corporate banking service in an unencrypted document on the user’s laptop
• User sending Top Secret documents to colleagues and cc’ing a YAHOO email address

Page 28

Building a Best-In-Class Data Retention Program

Page 29

Approaching Data Security Maturity: A Phased Approach

• It is very difficult to go in from day one with a highly accurate data model, knowing all data types, all classifications and therefore all the policies you will ever need
• If Data Loss Prevention, particularly Data At Rest scanning, is new, you are going to need to introduce it at a sensible pace within the business and gain buy-in

Phase 1: Core policies – used within all scanning mediums for all countries and functions (passwords, HR-labelled data, network diagrams). Often fire-fighting at this level.

Phase 2: Country-specific policies – regulatory (PCI/SOX/MAS/HIPAA). Defined data elements and combinations (“Crown Jewels”).

Phase 3: Business-unit-specific policies. Document type classification and tracking, alongside specific data violations detected. Business-sponsored and customer-responsive service.

Maturity in content awareness increases from Phase 1 through Phase 3.

Page 30

Creating a Best-In-Class Data Retention Program

• Identify data storage in scope
• Identify which data is sensitive (Crown Jewels)
• Define business usage controls and content of interest
• Build policies for detection and apply to defined targets in scope
• Distribute reports within defined target operating model
• Education program for data usage standards
• Track & report risk reduction program
• Apply lessons learned to real-time protection
• Co-ordinated reporting of Data in Motion and Data at Rest

Page 31

Don’t Forget These Important Considerations

Page 32

Q&A

Page 33

Content You May Find Useful:

“The Ultimate Guide to Data Retention”
https://www.blancco.com/resources/guide-books/ultimate-guide-data-retention/

“The Information End Game: What You Need to Know to Protect Corporate Data Throughout its Lifecycle”
http://www2.blancco.com/en/white-paper/the-information-end-game-what-you-need-to-know-to-protect-corporate-data

“EU GDPR: A Corporate Dilemma”
http://info.blancco.com/EU-GDPR-Corporate-Dilemma-Research-Study

“EU GDPR: Setting Responsibilities & Expectations for the DPO Role”
http://info.blancco.com/en-wp-eu-gdpr-setting-responsibilities-and-expectations-for-the-dpo