White Squall: Big Data & The Evolving Data Privacy Imperative in Financial Services Moderator: Daniel B. Garrie, Executive Managing Partner, Law & Forensics LLC; Partner, Global Head of Cyber Practice, Zeichner Ellman & Krause LLP Panelists: Nancy L. Perkins, Counsel, Arnold & Porter LLP James Quinn, Vice President of Security Architecture, Deutsche Bank Jeffrey C. Sharer, Partner & Co-Chair, Data Law Practice, Akerman LLP

Transcript of White Squall: Big Data & The Evolving Data Privacy Imperative in Financial Services

Page 1

White Squall: Big Data & The Evolving Data Privacy Imperative in Financial Services

Moderator:

Daniel B. Garrie, Executive Managing Partner, Law & Forensics LLC; Partner, Global Head of Cyber Practice, Zeichner Ellman & Krause LLP

Panelists:

Nancy L. Perkins, Counsel, Arnold & Porter LLP

James Quinn, Vice President of Security Architecture, Deutsche Bank

Jeffrey C. Sharer, Partner & Co-Chair, Data Law Practice, Akerman LLP

Page 2

Mr. Daniel Garrie is the Executive Managing Partner at Law and Forensics LLC, a consulting firm that works with clients across industries to address cyber security, cyber warfare, e-discovery, and digital forensics challenges. He is also a Partner at Zeichner Ellman and Krause where he heads their cyber security and data breach practice. Mr. Garrie has built and sold several Internet security, e-commerce, and search technology startups. Prior to his time at Pulse Advisory, Daniel Garrie was the Worldwide Director of Electronic Discovery & Information Governance at Charles River Associates. He also works as a Strategic Partner for Quorumm Ventures and a Board of Governors member for the Organization of Legal Professionals. He is a nationally recognized educator and lecturer on various topics including computer software, cyber security, e-discovery, forensics, emerging internet and mobile technologies, and cyber warfare. He is the Editor in Chief of the Journal of Law & Cyber Warfare, a fellow at the Ponemon Information Privacy Institute, a distinguished neutral with CPR, and on the editorial board of the Beijing Law Review. Mr. Garrie's scholarship in e-discovery, forensics, and cyber security is frequently cited by the bench and the bar, including: Arrivalstar v. US, US v. Briggs, Coast Professional, Inc. v. US, Genger v. TR Investors, LLC, John B. v. Goetz, and Northrop Grumman Computing Systems, Inc. v. US. Mr. Garrie is also frequently quoted by leading publications including the New York Times, Fortune, Forbes, and the Wall Street Journal on issues relating to cyber security and cyberwarfare.

B.A., Computer Science, Brandeis University; M.A., Computer Science, Brandeis University; J.D., Rutgers School of Law

Daniel B. Garrie, Esq.
Law & Forensics – Executive Managing Partner
Zeichner Ellman and Krause LLP – Partner, Global Head of Cyber Security and Data Breach Practice
Contact: W: (855) 529-2466 M: (215) 280-7033 E: [email protected] URL: www.lawandforensics.com

(c) Law and Forensics 2016. All Rights Reserved

Page 3

firm’s Data Privacy and Security practice. She focuses her

Nancy L. Perkins
Counsel, Arnold & Porter LLP
Contact: W: (202) 942-5065 E: [email protected] URL: www.aporter.com


Nancy L. Perkins, counsel at Arnold & Porter LLP in Washington, D.C., advises clients on a wide range of data protection issues at the federal and state levels, as well as on cross-border data privacy and security matters. Ms. Perkins assists clients in responding to data security breaches, including through notifications to individuals and government authorities, as well as in defending against related litigation. Ms. Perkins frequently provides counsel on the Telephone Consumer Protection Act, the Children’s Online Privacy Protection Act, the Video Privacy Protection Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act (as amended by the Fair and Accurate Credit Transactions Act), as well as state privacy, security, and data breach notification laws. A graduate of Harvard Law School, Harvard’s Kennedy School of Government, and Harvard College, she is the author of numerous articles on data privacy and security regulation, and is an Adviser on the American Law Institute’s current project to create a Restatement of Information Privacy Principles. She has been ranked among America’s Leading Lawyers for Privacy & Data Security by Chambers USA every year since 2009, and ranked among the World’s Leading Lawyers for Privacy & Data Security (USA) by Chambers Global since 2010.

Page 4

James Quinn has more than 20 years’ experience in IT Security, Incident Response, and IT Engineering and Architecture. He is currently a vice-president responsible for IT Security Architecture, Governance, and Innovation for Deutsche Bank. Before joining Deutsche Bank, he was an independent consultant for more than 10 years, during which he formed and managed the world-wide Incident Response Team for Credit Suisse in Zürich, Switzerland. He is a board certified Information Systems Security Professional, and is active in several professional organizations, including the High Technology Crime Investigators Association, InfraGard, and the Greater New York Area Electronic Crimes Task Force. Mr. Quinn grew up in Europe, attending schools in five different countries, holds a Bachelor of Arts in History from the University of Washington, and a Master of Arts in Security Studies from Georgetown University. He lives in New York City and spends his spare time working with the Civil Air Patrol, as Treasurer of the Chaîne des Rôtisseurs, the international gastronomic society, and is active in several community organizations. In a previous career, Mr. Quinn sang and conducted opera professionally, which explains his ability and willingness to make a fool of himself in front of audiences.

James Quinn
Vice President of Security Architecture, Deutsche Bank
Contact: W: (201) 593-3587 E: [email protected] URL: www.db.com


Page 5

Jeffrey Sharer is a partner in the Chicago office of Akerman LLP and co-chair of Akerman's Data Law Practice. He concentrates his practice in the increasingly business-critical area of information law. His practice encompasses information governance, privacy and data protection, and electronic discovery. Jeffrey combines deep understandings of both law and technology to help clients navigate the "digital deluge" and mitigate risk, reduce cost, and create business value through sound, end-to-end governance of enterprise data. Jeffrey advises clients on a wide range of U.S. and cross-border privacy and data protection issues; the development and implementation of records retention policies and schedules; litigation preparedness and discovery strategy; defensible disposition of electronic and hard copy information; and myriad other issues associated with electronic records, big data, and cybersecurity. Jeffrey also is a leading proponent of "collaborative disaggregation" of legal services, proactively partnering with alternative service providers and leveraging artificial intelligence and other forms of technology to meet clients' needs better, faster, and at lower cost than could be achieved under traditional models based directly or indirectly on billable hours. Jeffrey represents clients across a wide range of industries.

Jeffrey C. Sharer
Partner & Co-Chair, Data Law Practice, Akerman LLP
Contact: W: (312) 634-5730 E: [email protected] URL: www.akerman.com


Page 6

Agenda

Legal Overview

Third Party Risks: Filling the Gaps and Managing Vendors

Future Predictions

Summary/Takeaways

Questions


Page 7

Legal Overview


Page 8

Gramm Leach Bliley Act (GLBA)

Gramm Leach Bliley Act – enacted in 1999, it is the main governing law for privacy in financial institutions.

The goals of GLBA’s privacy provisions are:

1. to ensure the security and confidentiality of customer records and information;

2. to protect against any anticipated threats or hazards to the security or integrity of such records; and

3. to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Two main compliance rules:

1. Financial Privacy Rule

2. Safeguards Rule


Page 9

GLBA Privacy Rule

• (1) Financial Privacy Rule:

• Requires financial institutions to provide consumers with NOTICE explaining what information is collected, where it is shared, how it is used, and how it is protected

• Notice is required at the time the relationship is established and, subject to certain exceptions, annually

• Must give the consumer the right to OPT OUT of certain data-sharing practices

• Must inform consumers of changes in privacy policy

• Financial institutions are defined as "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance"

Different requirements for Customers and Consumers

• Consumer: “an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.”

• Customer: A "customer relationship" is a continuing relationship with a consumer.

• Consumers have very limited privacy rights under the GLBA:

• “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ non-public personal information.”


Page 10

GLBA Safeguards Rule

• (2) Safeguards Rule:

• Requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ nonpublic personal information. The plan must include:

• Designating at least one employee to manage the safeguards;

• Conducting a thorough risk analysis of each department handling the nonpublic information;

• Developing, monitoring, and testing a program to secure the information; and

• Changing the safeguards as needed as the way information is collected, stored, and used changes.


Page 11

Implementing GLBA Safeguards Requirements

• Designate employee(s) to coordinate IT security program

• Identify and assess risks; evaluate effectiveness of current safeguards

• Design and implement a safeguards program; regularly monitor and test

• Select service providers that can maintain appropriate safeguards, require security by contract, and oversee handling of customer information

• Evaluate and adjust program in light of relevant circumstances


Page 12

Other Regulatory Standards

Safe & Sound Banking Practices

Bank Service Company Act

FCRA Red Flags Rules

PCI Standards

FFIEC IT Examination Handbook

NIST Cybersecurity Framework

Federal Trade Commission Actions

State Law


Page 13

Safe and Sound Banking Practices

Federal and State banking regulators increasingly see cybersecurity practices as integral to safe and sound banking

“Unsafe and unsound” banking practices may include:

– Failure to identify data security threats and vulnerabilities

– Lack of planned procedures for responding to a security incident

– Inadequate management of third-party relationships, including data and technology service providers

Page 14

Bank Service Company Act

Banks must exercise adequate oversight to ensure data protection by their service providers, including IT vendors and data processors

Bank oversight responsibility requires regular assessments of vendors’ management of cybersecurity risks, including:

– protection against unauthorized use and sharing of consumer information

– disaster recovery

– record retention and proper disposal

– reporting protocols

Service providers are also subject to direct examination and enforcement action by the federal banking agencies


Page 15

Red Flags Rule

Financial institutions must have programs to identify and respond to “red flags” of possible identity theft:

1. Mechanisms to detect red flags

2. Procedures for responding to red flags

3. Policy to stay current with respect to new potential threats


Page 16

PCI Standards

1. Build & Maintain Secure Network

– Firewalls

– Passwords (do not use defaults)

2. Protect Cardholder Data

– Protect stored data

– Encrypt transmissions

3. Maintain a Vulnerability Management Program

– Anti-virus software

– Maintain secure systems/applications

4. Implement Strong Access Controls

– Need-to-Know

– Unique IDs

– Restrict Physical Access

5. Regularly Monitor and Test Networks

– Track and monitor all access

– Regularly test systems and processes

6. Maintain an Information Security Policy


Page 17

NIST Cybersecurity Framework

Executive Order 13636 directed NIST to work with stakeholders to develop a voluntary cybersecurity framework for “critical infrastructure”

1. Framework Core Functions: Identify, Protect, Detect, Respond, Recover

2. Implementation Tiers: Companies select the appropriate cybersecurity posture, from “Partial” and reactive (Tier 1) to “Adaptive” and risk-informed (Tier 4)

3. Profile: The outcomes selected based on business needs; can be used to perform self-assessments and to set goals


Page 18

FTC Enforcement Authority

Broad authority under Sec. 5(a) of the FTC Act

– The FTC has the authority to take enforcement action against unfair and deceptive acts in the commercial marketplace

The FTC has asserted violations of numerous statutes in its data security enforcement actions, including the GLBA and FCRA

Over 60 data security enforcement actions over the past 12 years, affecting nearly all sectors of the economy


Page 19

FFIEC IT Booklet: Information Security

The member agencies of the Federal Financial Institutions Examination Council (FFIEC) implemented section 501(b) of the Gramm-Leach-Bliley Act of 1999 (GLBA) by defining a process-based approach to security in the "Interagency Guidelines Establishing Information Security Standards" (501(b) guidelines)

The 501(b) guidelines afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security programs

The Guidelines require that financial institutions maintain an ongoing information security risk assessment program that effectively considers and acts on potential information security threats.


Page 20

SEC OCIE Cybersecurity Initiative

How does it work?

The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) announced that its 2014 Examination Priorities included a focus on technology, including cybersecurity preparedness

OCIE’s cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats.

As part of this initiative, OCIE conducted examinations of more than 50 registered broker-dealers and registered investment advisers


Page 21

SEC OCIE Cybersecurity Initiative

The SEC will look at the following:

• Physical devices and systems within the firm.

• Software platforms and applications within the firm.

• Maps of network resources, connections, and data flows (including locations where customer data is housed).

• Connections to the firm’s network from external sources.

• Resources (hardware, data, and software) are prioritized for protection based on their sensitivity and business value.

• Logging capabilities and practices are assessed for adequacy, appropriate retention, and secure maintenance.

These examinations will help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats.


Page 22

SEC OCIE Examinations

The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) announced that its 2016 Examination Priorities include a focus on:

• Examining matters of importance to retail investors;

• Assessing issues related to market-wide risks; and

• Using its ability to analyze data to identify and examine registrants that may be engaged in illegal activity.


Page 23

SEC OCIE Examination Priorities for 2016: Assessing Market-Wide Risk

There are four main focuses that the OCIE will examine when determining market-wide, structural risks:

• Cybersecurity: In 2016 the SEC will test and assess “firms’ implementation of procedures and controls” relating to cybersecurity compliance and controls.

• Regulation Systems Compliance and Integrity (“SCI”): The SEC “will examine SCI entities to evaluate whether they have established, maintained, and enforced written policies and procedures reasonably designed to ensure the capacity, integrity, resiliency, availability, and security of their SCI systems.” Included in this are “assessing the resiliency of their primary and back-up data centers, evaluating whether computing infrastructure components are geographically diverse, and assessing whether security operations are tailored to the risks each entity faces.”

• Liquidity Controls

• Clearing Agencies


Page 24

Financial Services – Information Sharing and Analysis Center (FS-ISAC)

FS-ISAC is a private-sector nonprofit information-sharing forum established by financial services industry participants in response to the federal government’s efforts to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information.

Allows financial institutions to share threat information among one another; however, the report also links to government resources so that private financial institutions can share information with the government:

• FBI InfraGard

• U.S. Computer Emergency Readiness Team (US-CERT)

• U.S. Secret Service Electronic Crimes Task Force

Financial institutions with less than $1 billion in assets may subscribe to free limited critical notifications


Page 25

Compliance vs. Security

Compliance Requirement: Encrypt all data using FIPS 140-2 compliant encryption

Compliant but Insecure:

• Full disk encryption with keys stored on same disk

• SSL encryption with no TLS monitoring or protection against man-in-the-middle attacks

Compliant and Secure:

• Full disk encryption with independent key management

• TLS encryption that forces SSL over TLS and monitors for man-in-the-middle threats
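The transport-encryption row above, as an added example that is not from the slides: two Python `ssl` client contexts that both encrypt the connection, one matching the "compliant but insecure" column (no certificate or hostname verification, so an interposed party is not detected) and one matching the "compliant and secure" column, plus a small audit function a control owner can run over an application's real context instead of trusting a questionnaire answer. The function and finding names are this example's own.

```python
import ssl

# Finding codes returned by audit_tls_context(); names are this example's own.
NO_CERT_VERIFY = "NO_CERT_VERIFY"
NO_HOSTNAME_CHECK = "NO_HOSTNAME_CHECK"
OLD_TLS_ALLOWED = "OLD_TLS_ALLOWED"
COMPRESSION_ENABLED = "COMPRESSION_ENABLED"


def compliant_but_insecure_context() -> ssl.SSLContext:
    """Encrypts the connection, so it ticks the 'encrypt in transit' box,
    but accepts any certificate, so a man-in-the-middle is never detected.
    check_hostname must be cleared first; Python refuses CERT_NONE otherwise."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def compliant_and_secure_context() -> ssl.SSLContext:
    """Same requirement met in a way that resists interception: the chain
    and hostname are verified, legacy protocol versions are refused, and
    TLS compression is off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.load_default_certs()  # system CA store; no network access needed
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a context; an empty list means it
    passes every check. Each check maps to a way a context can be
    'encrypted' on paper yet exposed to interception in practice."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(NO_CERT_VERIFY)
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(OLD_TLS_ALLOWED)
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append(COMPRESSION_ENABLED)
    return findings


if __name__ == "__main__":
    for label, builder in (("compliant but insecure", compliant_but_insecure_context),
                           ("compliant and secure", compliant_and_secure_context)):
        print(f"{label}: {audit_tls_context(builder()) or 'no findings'}")
```

Which of the version and compression checks fire for the weak context depends on the Python release, since newer releases already default to TLS 1.2 and disabled compression; the missing certificate and hostname checks fire on every release.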

Page 26

How Do You Know You’re Secure?

Value of assets is understood

Known threats and impacts are cataloged

Kinds of attacks and vulnerabilities have been identified

Countermeasures associated with the attacks and vulnerabilities, along with their costs, have been estimated

Results can be measured, but it’s important to select good, meaningful metrics

Real risks drive decisions, not FUD or “security theater”


Page 27

Cybersecurity Information Sharing Act of 2015

• Broad authorization for federal government to share unclassified cyberthreat indicators with businesses and public

• Federal government to release periodic cybersecurity best practices

• Businesses authorized to:

– Share cyberthreat information with enumerated federal agencies

– Monitor information systems and information stored on, processed by, or transiting systems for purposes of protecting information and information systems

• Immunity for businesses against lawsuits arising from authorized sharing with federal government and compliant monitoring of systems

• Privacy protections limit government’s disclosure, retention, and use of shared information to certain enumerated purposes

• Also, businesses required to scrub personal information known at time of sharing to exist and not to be directly related to cybersecurity threat

• DOJ and DHS to publish policies and procedures to assist in identification of threats and protection of personal information

– Interim guidelines published in February 2016

– Final guidelines to be published by June 2016


Page 28

Costs & Security

• 100% security is impossible, so compliance-driven environments must be slowed by cost drivers

Source: Olovsson 1992, “A Structured Approach to Computer Security”

Page 29

Third Party Risks: Filling the Gaps and Managing Vendors


Page 30

Panama Papers (March 2016) – 11.5 million documents

How it happened: An anonymous source leaked documents to a German newspaper, which then shared these documents with the International Consortium of Investigative Journalists (ICIJ)

Aftermath: “It allows a never-before-seen view inside the offshore world — providing a day-to-day, decade-by-decade look at how dark money flows through the global financial system, breeding crime and stripping national treasuries of tax revenues” - ICIJ


Page 31

Panama Papers – Legal Issues/Analysis

Regulations and frameworks triggered

Why were other regulations not triggered?


Page 32

Panama Papers – Legal Issues/Analysis (cont’d)

What is different when the third-party vendor is not U.S. domiciled?

Does it matter?


Page 33

Panama Papers (cont’d)

What was done correctly in handling the incident?


Page 34

Panama Papers (cont’d)

What was done incorrectly in handling the incident?


Page 35

Vendor Identification and Assessment

• What analysis should be done when selecting a vendor?

Due Diligence on Cyber-Preparedness

– Review public filings, if any

– Search litigation and enforcement history

– Determine if regulators have expressed any concerns with vendor


Page 36

Vendor Contracting

• What provisions should be included in the vendor contract?

Protections against unauthorized use, access and disclosure of data (e.g., customer data)

Complying with breach notification and remediation/mitigation requirements under applicable law

– Best practice is to have contractual provisions that impose affirmative covenants on vendors

Compliance with rules on disposal of information/data and media

Business continuity and disaster recovery

Maintenance and transfer of records on contract termination/expiration

Special issues – e.g., vendors’ implementation of anti-money laundering (AML) programs, or appropriate vendor support for financial institution’s AML efforts


Page 37

Risk Allocation with Vendors

• How should risk be allocated in the vendor contract?

Require representations, warranties and indemnities focused on cybersecurity issues

Limitations on liability and carve-outs

– Contracting discipline in negotiating such limits and carve-outs

– Importance of contracting policies

Insurance

– Coverage and exclusions

– Importance of careful drafting so there is recourse to insurance


Page 38

Ensuring Vendor Compliance

• How to ensure vendor compliance?

Include in contractual obligations and enforce:

Right of access by audit personnel and examiners

– E.g., bank service providers subject to examination and administrative action pursuant to Bank Service Company Act (12 U.S.C. § 1867)

Periodic sharing of vendors’ internal audit reports and regulatory documents

Same requirements for vendor’s subcontractors

Specificity regarding compliance with law and regulatory requirements, and notice of non-compliance


How to Test/Validate Compliance with Cybersecurity Requirements

• Not all vendors are the same

• Audits and assessments at least annually


Other Significant Threat Vectors

• Insiders

• Mobile devices and payments

• Social engineering

• Ransomware

• Nation-states


What and When to Disclose to Regulators


Suggestions/Recommendations 1 of 2

• What legal instruments should be in place to make the experience less painful?


Suggestions/Recommendations 2 of 2

• What legal instruments should be in place to make the experience less painful?


Lessons Learned from the Panama Papers


Future Predictions


What should companies be considering that is on the horizon?

Technologies are always evolving. It’s important that our regulations and policies are not dependent upon the technology.


What should companies be considering that is on the horizon? (cont’d)


Summary/Takeaways


Take Away 1

Compliance is important but security is more so. Since it’s possible to be completely compliant yet insecure, it’s critical to build a comprehensive risk-based security and privacy program that balances risks, costs, vulnerabilities, and threats—rather than the “more security is better” approach.


Take Away 2


Take Away 3


Questions


Contact


Daniel B. Garrie Phone: 855-529-2466 Email: [email protected] [email protected] URL: www.lawandforensics.com

(c) 2016. Law and Forensics. All Rights Reserved

Jeffrey C. Sharer Phone: 312-634-5730 Email: [email protected] URL: www.akerman.com

Nancy L. Perkins Phone: Email: [email protected] URL: www.aporter.com

James Quinn Phone: 201-593-3587 Email: [email protected] URL: www.db.com