Live note taking at the 2016 MRIA annual conference in Montreal. Any errors or bad jokes are my own. If you think any of this is legal advice, turn off your internet right now and grab a colouring book and crayons instead.
Panelists: Patrick Cruikshank, Eric Dolden, Derrick Leue, Serge Solski
- What is cyberrisk – extortion, online wire fraud, identity theft
- Legal trends – 3 claims per month for this legal speaker, Canada protects all aspects about a person including which brand of pop they like and what TV shows they watch not just their financial or medical records; doesn’t matter if it’s knowing or careless or preventable you are liable; if you give away confidential information even when you know it’s confidential, you are liable for the costs and profits
- Business don’t report every issue becaus it could put their reputation at risk
- Are market research companies too small for hackers to come after them? Absolutely not. Geography doesn’t matter. You are just a number on the Internet, crimes of opportunity. 80% of attacks are from external parties [yikes 20% are YOUR employees!]; They just need a door to get in and then they can figure out how to get $ from you.
- Newest legislation moved us closer to the American model. Snooping or taking of data without consent, there is an obligation ot report to privacy commissioner whether provincial or federal. If there is a possibility of harm, you are obligated to notify the persons that their information was compromised. Not every unauthorized access requires notification becuase there may be no risk of harm, whether physical, emotional, identify theft, financial loss, loss of business, reputational harm, risk of humiliations, loss of relationship, public safety or health. Snooping without taking also counts.
- PIPDEA protects only PII.
- Breach of confidence is different – giving away information knowingly, trying to get paid twice for the same thing, maybe it’s careless such as an email with an unintended recipient and that would be negligence
- [listening to these speakers makes me really wonder about what I have in my emails, how much PII or confidential information is in there? How many unintended people have I emailed?]
- [really glad MRIA included this session right after the main keynote. This is massively important and business threatening information that we all must know]
- Someone could easily lock us out of our own systems unless we pay them 500 000. Would we tell the right people because this would threaten your current and future business. It can make more sense to pay up rather than report it.
- In every case, even when there was zero harm, judges has said consumers are owed damages because their privacy was compromised, awards are around $5000 up to a high of $20000 in cases of deliberate negligence
- Look at known vulnerabilities like firewalls and failing to updates systems, employees need to know hot to avoid creating holes in the firewall, need to constantly update systems, make sure team doesn’t destroy evidence or you can’t prove that YOU didn’t do it
- Most canadians don’t have adequate insurance for cyberrisk, we’re covered for fire and injury and financial loss and liability but these don’t cover information loss, denial of service attack
- Better to have one insurance companies that covers all the issues as opposed to one covering physical loss, one covering information loss
- Human error is one of the best arguments for buying cyberrisk insurance
- Directors and officers have been named in claims for not being efficient in dealing with issues or not ensuring they stay up to date with issues – e.g., not responding after two reminders, not heeding recommendations
- Small companies probably won’t survive cybercrime while big companies might make it through
- EXPECT to be attacked, this is a hard fact. Be prepared because people and technology have weaknesses. Someone WILL click on that link and download that virus.
Live blogged in Nashville. Any errors or bad jokes are my own. Any typos are purely the fault of the iPad.
by Peter Milla and Dave Christiansen
CASRO has seen an increase in requests from clients and regulators for data privacy and security compliance
– code of standards
– safe harbor program
COmpliance means confirming to a rule, like a policy or law. CLients want operational transparency.
COmpanies will require 50 percent less business process workers and 500 percent more digital business jobs. especially regulatory analysts and risk professionals. These jobs are generally only in larger companies. This includes privacy officers.
Privacy and security are symbiotic. This can be a crisis for MR. Privacy is appropriate use of the data. security is the confidentiality and integrity of data.
– you cant just destroy data. what about all the backups. the saved copies that everyone has from their piece of the work.
– availability of data could impact life or death in some cases
What drives compliance
– client wants it [i hope vendors want it too. why is because clients want it?]
– legislation or regulation like HIPPA GLB COPAA FTC PIPIDA. you could be accused of unfair trade practice for discontinuing a poor responder.
– gain a competitive advantage
[wow, typing on an iPad keyboard is quiet and completely unobtrusive when you lay it flat! But i cant put pictures or links easily. Sorry.]
ISO 27002 – you cant be certified, you can be compliant
HIPAA compliance case study
– business associates now face liability. Uses not in accordance with BAA. failure to limit PHI. failure to provide breach notification. failure to provide HHS access when required. failure to comply with security rule.
– many companies state one year but they keep it forever
– Protected Health Information PHI.
– employees don’t usually intend to make errors, they just don’t know
– no easy checklist of requirements
– does offer a set of principles. instruction is to take necessary steps to disclose minimum necessary information
– much is process based
HIPAA security rule compliance
– risk analysis – evaluate likelihood of risks, implement appropriate security measures, document those measures, maintaining continuous review and assessment, ensure access control and integrity control, ensure transmission security, keep documentation up to date
BLUE CROSS – just had a breach that affected 80 million US citizens, 25% of the population. names, SIN, birthdays. be sure to use your free annual credit report. Take advantage of free credit monitoring. monitor your children as well. be alert when filing your income taxes.
Top security trends
– cybercrime, privacy and regulation, third party provider threats and breaches, BYOx in the workplace – Bring Your Own Device [like i’m doing right now. are my office security systems on my personal tablet?]
[note to self and everyone. turn the GPS off all of your devices. it is not necessary that every software program knows where you are, where you live, where you work, where your kids live]
Advanced Persistent Threat – APT
– china and Russia and Iran have active cyber espionage, aligned in every industry to take whatever they can, causing information security bar to be raised
CLients expect all their information is safe. need a dedicated person or team. CISSP, CISM, CISA, ISO, SDLC. [we have this person. they went to every single office in every country over the last couple weeks to remind every single person just how serious security issues are.]
[everyone should have come to this session. i don’t care if you think you’re doing fine. you need persistent reminders of just how worried you really ought to be.]
Information security is not IT security. spans people processes and technology. its digital written and spoken. it’s being proactive. it’s an organizational discipline.
– best practice for information security, NIST, CSF, COBIT. can be audited and certified. Earth’s ‘best practice’ its the policies procedures and controls and training.
– it is not industry specific. it is federal, state, industry, contractual relevant.
– vulnerability assessment annually or quarterly, penetration testing, gap assessment, awareness training, internal audit, risk assessment.
[Annie’s free public service announcement – do an internal audit today. if it looks like spam, it probably is. if it doesn’t look like what I usually email to you, i probably didn’t email it to you.]