SCCE Compliance and Ethics Institute
Breakout Session - October 15, 2017
Technology &Compliance
Ted Banks, Heidi Rudolph, Gene Stavrou
About Us
About You
Quick Survey
• Industry? Function/Department?
• Does your organization use social media to promote products or otherwise communicate with stakeholders?
• Is your organization preparing for/ready for the EU General Data Protection Regulation (GDPR)?
• Does your organization have a Bring Your Own Device program?
• Has your organization lost assets or revenue due to malicious software or phishing attacks?
What We’ll Cover in This Session
1. Current Events
2. Technologies
3. Scenarios
4. Business Landscape
5. Functions: Responsibilities, Incentives, Disincentives
1. Current Events
Uber
Uber was described as a “do whatever you have to do to get it done” environment.

Apple CEO Tim Cook threatened to have Uber’s iPhone app removed from the App Store in 2015, when it learned that the ride-sharing company had secretly found a way to identify individual iPhones, even once the app was deleted from the phone. (The New York Times)

Uber is the subject of a United States Department of Justice inquiry over a program that it used to deceive regulators who were trying to shut down its ride-hailing service. (The New York Times)
The relationship between Google, Amazon Alexa, Siri, and law enforcement/records is unfolding.

Google is permanently disabling a feature on its new Home Mini smart speaker, which was announced last week and starts shipping next Thursday, after a reviewer discovered the device was quietly recording his conversations without his knowledge or consent. (Business Insider)
Algorithms can be gamed.
The New York Post
Breaches

Number of Social Security Numbers revealed:
• 5mm: Kansas Dept. of Commerce, 2017
• 80mm: Anthem, 2015
• 143mm: Equifax, 2017
2. Technologies
Emerging and pervasive technologies you should understand.
How Systems Work
Interface
Logic
Data
Encryption
Interface
Logic
Data
Vulnerability of messages in transit and data at rest
Encryption
Public key cryptography using secure sockets layer (“https”)

Parties in the diagram: your browser, corporatecompliance.org, and a Certificate Authority.
• Your browser to the Certificate Authority: Is corporatecompliance.org legit?
• Certificate Authority to your browser: Yes, this site can be trusted.
• Your browser to corporatecompliance.org: I would like to receive a document from you. Here is a lockbox and my public key.
• corporatecompliance.org to your browser: Here is the document you requested, locked in the lockbox using your public key.
• Your browser unlocks (decrypts) the document using its private key.

In public key cryptography, the lockboxes and keys are all mathematical constructs.
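The lockbox story above in runnable form, as an added example (not from the slides): textbook RSA with tiny primes plays the lockbox and key, and a toy “certificate authority” signs the site’s public key so the browser can answer “is this site legit?” before trusting it. The code follows the slide’s simplified telling (the browser hands over its lockbox and the site locks the document with it), which is not how TLS actually negotiates keys; the primes, key names and message are constructed for illustration and nothing here is usable as real cryptography.

```python
# Added example, not from the slides: the lockbox-and-key picture as textbook RSA.
# Tiny primes, no padding, toy "certificate": for illustration only. Real TLS uses
# X.509 certificates, a key exchange and symmetric session keys instead.
import hashlib
from math import gcd


def make_keypair(p, q, e=17):
    """Return (public_key, private_key): the open lockbox anyone may use, and the key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)        # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def lock(message, public_key):
    """Lock each byte of the message with the recipient's PUBLIC key."""
    n, e = public_key
    return [pow(b, e, n) for b in message.encode()]


def unlock(ciphertext, private_key):
    """Open the lockbox with the matching PRIVATE key."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext).decode()


def fingerprint(public_key, modulus):
    """Hash of a public key, reduced so it fits under the signer's modulus."""
    digest = hashlib.sha256(repr(public_key).encode()).digest()
    return int.from_bytes(digest, "big") % modulus


def ca_sign(site_public_key, ca_private_key):
    """The Certificate Authority vouches for a site by signing its public key."""
    n_ca, d_ca = ca_private_key
    return pow(fingerprint(site_public_key, n_ca), d_ca, n_ca)


def browser_trusts(site_public_key, signature, ca_public_key):
    """'Is corporatecompliance.org legit?': check the CA's signature with the CA public key."""
    n_ca, e_ca = ca_public_key
    return pow(signature, e_ca, n_ca) == fingerprint(site_public_key, n_ca)


def demo():
    """Walk through the slide's exchange with constructed keys and message."""
    ca_pub, ca_priv = make_keypair(61, 53)              # the Certificate Authority
    site_pub, _site_priv = make_keypair(89, 97)         # corporatecompliance.org
    browser_pub, browser_priv = make_keypair(101, 113)  # your browser

    # "Is corporatecompliance.org legit?": the CA's signature over the site key checks out.
    cert = ca_sign(site_pub, ca_priv)
    legit = browser_trusts(site_pub, cert, ca_pub)
    # A tampered signature fails the same check.
    tampered_ok = browser_trusts(site_pub, (cert + 1) % ca_pub[0], ca_pub)

    # The slide's exchange: the browser sends its lockbox (public key), the site locks
    # the document with it, and only the browser's private key opens it.
    document = "Here is the document you requested"
    boxed = lock(document, browser_pub)      # what an eavesdropper sees: a list of numbers
    opened = unlock(boxed, browser_priv)
    return legit, tampered_ok, opened


if __name__ == "__main__":
    print(demo())
```

In production TLS the direction is reversed from the slide: it is the server’s public key, carried inside its certificate, that the browser verifies against a trusted CA, and the document itself is then protected with a symmetric session key rather than with the public key directly.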
Ransomware
Cost to victims:
• All of 2015: $24 million
• Q1 2016 alone: $209 million
WannaCry Ransomware Attack
Where data is encrypted maliciously for ransom
• Infected Windows beginning on May 12, 2017
• Within a day, infected 230 computers in 150 countries
• Demanded payment in Bitcoin
• Many victims, including the UK’s National Health Service
• Many later victims had not run Microsoft’s patch
• The NSA knew about the vulnerability but did not report it to Microsoft
Blockchain (Bitcoin example)
No Central Intermediary; Distributed Ledger
• A way to conduct verified transactions without a central intermediary, such as a bank
• Distributed ledger verified by thousands of independent checkers (“miners”)
• The first miner to verify the transaction and crack a cryptographic “proof of work” puzzle gets to update the ledger, which is then propagated to other ledgers
• The miner who cracks the puzzle also gets paid in Bitcoin for the work.
• The approach relies heavily on cryptography and distributed verification to ensure that no one needs to trust anyone
• It is possible to remain anonymous
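A miniature ledger that works the way the bullets describe, added here as an example (not from the slides or from Bitcoin’s own code): blocks are chained by hash, a miner must solve a proof-of-work puzzle before a block is accepted, and every holder of a copy can re-verify the whole chain, so an edited transaction is caught by anyone who checks. The transactions, names and difficulty are constructed toy values.

```python
# Added example, not from the slides or from Bitcoin's code: a miniature ledger with
# hash-linked blocks, a proof-of-work puzzle, and the re-verification every node
# performs on a copy it receives. Transactions and difficulty are constructed values.
import hashlib
import json


def block_hash(block):
    """SHA-256 over the block's contents (everything except its own hash field)."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def mine(prev_hash, transactions, difficulty):
    """The puzzle: find a nonce so the block hash starts with `difficulty` hex zeros.

    The first miner to find one gets to append the block; everyone else can check
    the answer with a single hash, which is what makes it a 'proof of work'.
    """
    nonce = 0
    while True:
        block = {"prev": prev_hash, "tx": transactions, "nonce": nonce}
        h = block_hash(block)
        if h.startswith("0" * difficulty):
            block["hash"] = h
            return block
        nonce += 1


def verify_chain(chain, difficulty):
    """What an independent checker does with a ledger: recheck every link and proof."""
    target = "0" * difficulty
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"]:                 # contents changed after mining
            return False
        if not block["hash"].startswith(target):               # puzzle not actually solved
            return False
        if i > 0 and block["prev"] != chain[i - 1]["hash"]:    # link to previous block broken
            return False
    return True


def build_chain(difficulty=3):
    """Genesis block plus two blocks of constructed transactions."""
    genesis = mine("0" * 64, [], difficulty)
    b1 = mine(genesis["hash"], [{"from": "alice", "to": "bob", "btc": 0.5}], difficulty)
    b2 = mine(b1["hash"], [{"from": "bob", "to": "carol", "btc": 0.2}], difficulty)
    return [genesis, b1, b2]


def rewrite_history(chain, difficulty):
    """Someone edits an old transaction and even re-mines that block.

    The edited block now has a different hash, so the next block's `prev` no longer
    matches: every later block would have to be re-mined too, faster than the rest of
    the network keeps extending the honest chain. That is why the ledger resists tampering.
    """
    forged = json.loads(json.dumps(chain))                             # independent copy
    forged[1]["tx"][0]["btc"] = 500.0                                  # the edit
    forged[1] = mine(forged[0]["hash"], forged[1]["tx"], difficulty)   # re-solve the puzzle
    return forged


if __name__ == "__main__":
    chain = build_chain()
    print("honest chain verifies:", verify_chain(chain, 3))
    print("rewritten chain verifies:", verify_chain(rewrite_history(chain, 3), 3))
```

Raising `difficulty` by one multiplies the expected mining effort by sixteen while leaving verification at one hash per block; that asymmetry is the whole point of the puzzle.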
Internet of Things (“IoT”)
The internetworking of physical devices
• Home Automation
• Environmental Monitoring
• Infrastructure Management
• Manufacturing
• Energy Management
• Healthcare
• Transportation

+ A world where you get safe, continually monitored infrastructure, the best deals, and the most efficient, environmentally friendly processes.
- Everything from your car to your refrigerator to your home heating system can be susceptible to hacking (or at least they might tell the world that you’re not home).

• In August 2016, a strain of malicious software detected 380,000 IoT devices still using unchanged, factory-set usernames and passwords.
• It used the devices to stage a Distributed Denial of Service attack, where certain servers were bombarded with requests from these devices, overburdening the servers and taking them down.

“Machines will negotiate and conduct transactions on your behalf, possibly using blockchain-based verification systems.” (McKinsey)
Web Beacons

http://www.[domainname].com/images/productimage.png?id=OEPCI-90rDDIVS884739

[Slide shows a mock “SALE!” marketing email with placeholder (lorem ipsum) body text, addressed to “[You]”, containing the image link above.]

Generated marketing emails contain links and image names that identify the recipient in web logs and analytics.
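How the beacon above turns into a per-recipient entry in the sender’s web log, and what a mail filter can do about it, as an added example (not from the slides): the email HTML, the domain example-shop.test, the access-log format and the TRACKING_PARAMS list are all constructed for illustration; the identifier reuses the one shown on the slide.

```python
# Added example, not from the slides: tracing a beacon from the email body to the
# sender's web log, plus a filter that removes the identifying parameters. The email
# HTML, the domain example-shop.test, the log format and TRACKING_PARAMS are
# constructed for this example; the identifier is the one shown on the slide.
import re
from urllib.parse import parse_qs, urlparse, urlunparse

EMAIL_HTML = """\
<html><body>
<h1>SALE!</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>
<img src="http://www.example-shop.test/images/productimage.png?id=OEPCI-90rDDIVS884739" width="1" height="1">
<a href="http://www.example-shop.test/sale?id=OEPCI-90rDDIVS884739&utm_campaign=oct">Shop now</a>
<img src="http://www.example-shop.test/images/logo.png">
</body></html>
"""

# Query parameters whose only job is to identify the recipient or campaign (assumed list).
TRACKING_PARAMS = {"id", "uid", "rid", "utm_source", "utm_medium", "utm_campaign"}


def find_beacons(html):
    """Return (url, {param: value}) for every src/href whose query carries a tracking parameter."""
    hits = []
    for url in re.findall(r'(?:src|href)="([^"]+)"', html):
        query = parse_qs(urlparse(url).query)
        ids = {k: v[0] for k, v in query.items() if k in TRACKING_PARAMS}
        if ids:
            hits.append((url, ids))
    return hits


def log_line_for(url, client_ip="203.0.113.7"):
    """The access-log line the sender's server writes when a mail client loads the image."""
    p = urlparse(url)
    target = p.path + ("?" + p.query if p.query else "")
    return f'{client_ip} - - [15/Oct/2017:09:12:44 +0000] "GET {target} HTTP/1.1" 200 68'


def recipient_from_log(line):
    """Analytics side: the recorded path gives the identifier back, and with it the recipient."""
    m = re.search(r'"GET (\S+) HTTP', line)
    if not m:
        return None
    return parse_qs(urlparse(m.group(1)).query).get("id", [None])[0]


def strip_tracking(url):
    """Defender side: drop identifying parameters so a fetch cannot be tied to a recipient."""
    p = urlparse(url)
    kept = [f"{k}={v[0]}" for k, v in parse_qs(p.query).items() if k not in TRACKING_PARAMS]
    return urlunparse(p._replace(query="&".join(kept)))


if __name__ == "__main__":
    for url, ids in find_beacons(EMAIL_HTML):
        print(url, "->", ids)
        print("  log:", log_line_for(url))
        print("  stripped:", strip_tracking(url))
```

Stripping the query string only helps for the 1x1 image; the click-through link still identifies the reader the moment it is followed, which is why many mail clients simply refuse to load remote images until the user asks.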
Artificial Intelligence

1. If a school bus is in the path of an oncoming train, are we obligated to pull the railroad switch lever, resulting in the death of a pedestrian on the other track?
2. If we’re driving a truck loaded with pipes, are we obligated to stop short and impale ourselves in order to keep from demolishing the car in front of us?

• No truck driver, so no risk of impalement.
• The autonomous truck, programmed to keep a safe distance and learning from millions of scenarios, could foresee the bad situation and act accordingly.
• A communications-linked sensor might alert the oncoming autonomous train in enough time to stop.
• Equally vigilant sensors could warn the person to get off the track in time, not to mention that a human track worker might be less likely anyway.
3. Technology Scenarios

Is it okay to use the WIFI at Starbucks?

Your browser <-> website
Data in transit is vulnerable to “Man in the middle” and other attack types.

Your browser <-> VPN <-> website
A virtual private network encrypts your transactions over the public network and does not expose interaction to your service provider (except that you are connecting to the VPN server).
It wasn’t me, it was the AI!

How should a traffic algorithm calculate ETA? If it aggregates trips along a stretch of highway where a majority of drivers routinely go 5MPH over the speed limit, should it suggest a time estimate based on a disregard of the law?

How should a news algorithm determine popular news stories? When should humans intervene and take a blatantly false story out of the mix?
Ransomware – to pay or not to pay

“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
James Trainor, FBI Cybercrime Division Assistant Director
Third party computing: a cloud can be cloudy
• Where is your PII? Inventory?
• What does your contract say?
• Saving money, but is it secure? Where is your data?
• Privacy? Records Management? eDiscovery?
Employees on social media
• Good employees can accidentally divulge material non public information
• How about a disgruntled employee?
• Is your IP protected?
• How does your organization enforce and monitor social media use?
Education: are employees the weakest link?
Q: According to a 2016 PwC survey, in what percentage of data breaches are employees the source of the breach?
A: 34%

A Code of Conduct and Privacy Policy must be continually updated to reflect relevant risks and a changing regulatory environment.

4. Business Landscape
Business Landscape
• Expertise is leaving the company
• Expanding use of third parties, even outside of IT
• Disjointed systems affecting records compliance
• Social media/expectation of connectivity
• The coming of GDPR
What is GDPR?
• Regulation
• Who is impacted?
• Enforcement
• Cybersecurity
• Trends
• New York – Part 500
• Others to come?
• Compliance conflicts – monitoring can be useful but GDPR limits the scope by which monitoring can be used
Data Subject – Data Controller – Data Processor
There are three key terms: data subjects, data controllers, and data processors.
For example, a company is a data controller with respect to the customers or employees about whom it has personal information.
The customers and employees are the data subjects in this context: natural persons whose personal data is being processed by the data controller.
An example of a data processor would be a company to whom payroll operations are outsourced by the employer in its capacity as a data controller.
Quiz

1. Question: Which of the following represent potential consequences if a company does not adequately protect personal information?
□ a. Fines
□ b. Loss of consumer confidence
□ c. Disruption of operations
□ d. All of the above
□ e. None of the above – protecting personal information is not very important
Answer: d – All of the above.

2. Question: Company contracts a third party consumer rewards agency based in South Africa to create and launch a new online consumer rewards program. The agency’s system is hacked and personal information of our consumers from all over the world is stolen. Can we be held liable for the theft?
□ a. Yes
□ b. No
Answer: Yes. Even though it was the third party’s systems that were hacked, we are the first one who is liable and is ultimately held accountable for the data breach.

3. Question: We discover a batch file of personal data derived from a 2007 online survey. We have not used the data since 2007 and do not at this time have a specific need for the data. Can we retain the data in the event we may need it at some point in the future?
□ a. Yes
□ b. No
Answer: No. The idea that personal data should not be retained for longer than necessary in relation to the purposes for which they were collected, or for which they are further processed, is key to ensuring fair processing.

4. Question: True or false. Storing personal information is a form of processing.
□ a. True
□ b. False
Answer: True. Storing personal information is a form of processing. Processing represents any action that takes place during the life cycle of personal information.
What is at stake?
What are the potential consequences for
companies who mishandle personal
information?
• Loss of consumer confidence and reputation
• Diminished brand value
• Payment of fines, potentially in the millions
• Disruption of operations
• Personal liability for employees
1. Data Privacy and its current importance in the world
a) Greater public interest, laws and enforcement globally
b) Issues – loss of data; hacking / ransomware
c) Regulators are requiring companies to create and maintain a corporate culture that emphasizes data privacy and security by establishing reliable data protection governance
2. Impact to organizations
a) Reputational damage
b) Regulatory entanglements
c) Fines – this is where to mention 2/4% of global turnover
3. Embracing and integrating good data privacy practice
a) Consistent with Codes of Conduct
b) Connects us with the desires/beliefs of employees and consumers
c) Is the law in most of the places where we operate (plus extraterritorial reach of EU law)
When Handling Personal Information: What can I do?
• Use security measures such as passwords on files and encryption.
• Don’t share the information with anyone unless they have a legitimate need to access.
• Make sure all of your devices are password protected, and report any loss / theft of devices immediately.
With A Repository (e.g. Sharepoint) That Contains Personal Information: What can I do?
• Have a formal access protocol and limit access to the repository to “need to know.”
• Ensure that the repository is aligned with our security standards.
• Ensure that the repository does not collect more information than is necessary or retain any personal information longer than required.

If I Work With A 3rd Party That Processes Personal Information: What can I do?
• Ensure that the 3rd party is under contract with us, and the contract includes our minimum privacy terms.
• Ensure that the 3rd party meets our security standards.
• Only share the personal information with the 3rd party in secure format.
Collecting Personal Information: What can I do?
• From employees: Ensure that the collection is consistent with our Global Data Privacy Policy.
• From consumers: Ensure that they understand exactly how their information will be used and that their consent is collected and stored.

When Developing / Purchasing A System That Will Hold Personal Information: What can I do?
• Complete and submit a Privacy Impact Assessment form.
• Ensure that the system’s security is reviewed and meets our Information Security standards.
• If it is a 3rd party system, there must be a contract, and the contract must have our minimum privacy and security terms.
Always Keep Privacy And Security of Personal Information Top of Mind: What can I do?
EXAMPLES
• Celebrating Birthdays: If birthdays are celebrated in the office, collect the birthday information directly from employees, not from our HR systems, and make participation voluntary.
• Using Surveys: Always include a detailed description of the purpose of the survey. Collect and store the consent of all survey participants. Delete survey data after purpose has been met.
• Job Applicants: Privacy extends to job applicants and recruits. Never check the social media accounts of job applicants unless you say you are going to do that in the job advertisement.
• Breaches: Immediately escalate any suspicion of a data breach or cyber attack, or of lost or stolen computers or devices. You can contact the Privacy Team at WeRPrivacy.com.
Which of these could be considered personal information?
• Birthdate / Age
• Internet Protocol (IP) Address
• Gender
• Salary
• Shoe size
• Job title
• Tattoos
• Favorite hobbies
5. Functions
Responsibilities, Incentives, Disincentives
The Compliance Function
• We’re an outwardly facing department—we need to know who knows what and how things work.
• We must sometimes be the politician, working with people as a trusted resource
• We work hard to understand the business and where it makes money
• We manage risk
• We are educators
Information Technology
• Tell me what we need to do—technology is nothing if it doesn’t address valid requirements
• Our use of third parties sometimes means that our systems are more rigid than some in the business would like
• System rules are explicit and enforced. We need to capture your requirements in that spirit
Marketing
• We can’t get bogged down in process
• We’ll take care of growing the business, you take care of the back end stuff
• That being said, we can capture a wealth of data. Let’s use it!
Privacy
• These aren’t just numbers and segments and sales—they represent individuals with certain rights to privacy
• We need to grow the business but protect those rights
Outside Experts
• Outside counsel
• Privacy experts
• IT experts
• Project management
• Here’s what we’ve seen…
Thank You! Enjoy the rest of the conference!
11 Key GDPR Tenets
1. Increases the individual’s expectation of data privacy and the organization’s obligation to follow established cybersecurity practices.
2. Establishes hefty fines for non-compliance. An egregious violation of GDPR, such as poor data security leading to public exposure of sensitive personal information, could result in a fine in the millions or even billions of dollars (there are two tiers of violations and the higher tier is subject to fines of over 20 million euros or 4% of the company’s net income).
3. Imposes detailed and demanding breach notification requirements. Both the authorities and affected customers need to be notified “without undue delay and, where feasible, not later than 72 hours after having become aware of [the breach]”. Affected companies in America that are accustomed to US state data breach reporting may need to adjust their breach notification policies and procedures to avoid violating GDPR.
4. Requires many organizations to appoint a data protection officer (DPO). You will need to designate a DPO if your core activities, as either a data controller or data processor, involve “regular and systematic monitoring of data subjects on a large scale.” For firms who already have a chief privacy officer, making that person DPO would make sense, but if there is no CPO or similar position in the organization, then a DPO role will need to be created.
5. Tightens the definition of consent. Data subjects must confirm their consent to your use of their personal data through a freely given, specific, informed, and unambiguous statement or a clear affirmative action. In other words: silence, pre-ticked boxes, or inactivity no longer constitute consent.
6. Takes a broad view of what constitutes personal data, potentially encompassing cookies, IP addresses, and other tracking data.
7. Codifies a right to be forgotten so individuals can ask your organization to delete their personal data. Organizations that do not yet have a process for accommodating such requests will need to work on that.
8. Gives data subjects the right to receive data in a common format and to ask that their data be transferred to another controller. Organizations that do not yet have a process for accommodating such requests will need to work on that.
9. Makes it clear that data controllers are liable for the actions of the data processors they choose. (The controller-processor relationship should be governed by a contract that details the type of data involved, its purpose, use, retention, disposal, and protective security measures. For US companies, think Covered Entities and Business Associates under HIPAA.)
10. Increases parental consent requirements for children under 16.
11. Enshrines “privacy-by-design” as a required standard practice for all activities involving protected personal data. For example, in the area of app development, GDPR implies that “security and privacy experts should sit with the marketing team to build the business requirements and development plan for any new app to make sure it complies with the new regulation”.