A TOOLKIT FOR DATA PRIVACY & SECURITY

Kick Off: Tom Hemnes, Member, GTC Law Group PC

In-house Counsel Data/Privacy Compliance Program Tips from the Trenches (Panel)
• Alexis Goltra, Chief Privacy Officer, Oracle Corporation
• Scott Semel, EVP and GC, Intralinks, Inc.
• Danielle Sheer, VP & GC, Carbonite, Inc.
• Tom Hemnes, Member, GTC - moderator

EU-US Privacy Shield and EU GDPR Tips
• David Bender, Special Counsel, Data Privacy, GTC

Data Security, Disputes & Cyberinsurance Strategies (Panel)
• Rocco Grillo, Executive Managing Director/Cyber Resilience Leader, Stroz Friedberg
• Mark P. Szpak, Partner, Ropes & Gray LLP
• John Paul Sutrich, President, ARI Risk Management Consultants
• Paul-Johan Jean, CIPP/US, GIAC/GLEG, Co-Founder and Member, GTC – co-moderator
• Rick Olin, CIPP/US, Member, GTC – co-moderator

Closing: Sayoko Blodgett-Ford, CIPP/US, Member, GTC

Meet and Greet Session:
• Kenneth MacCuish, SVP & Chief Information Security Officer, Intralinks, Inc.
• Eric Ratcliffe, Director of Sales, 360Advanced
• David Small, Information Security Manager, Vice President, Boston Private
In-House Counsel Data/Privacy Compliance Program Tips from the Trenches (Panel)
• Alexis Goltra, Chief Privacy Officer, Oracle Corp.
• Scott Semel, EVP and GC, Intralinks, Inc.
• Danielle Sheer, VP & GC, Carbonite, Inc.
• Thomas Hemnes, GTC, Moderator
Legal, Security and Compliance Organization
General Counsel
Legal, Security & Compliance
Compliance Committees
Business Conduct & Ethics Committee
Disclosure Committee
Global Privacy Officer
Risk Management Committee
Security Steering Committee
Chief Information Security Officer
Information Security
Certifications
Customer Quality Assurance
© Intralinks 2016
Data Privacy and Security Org. Structure
Chief Information Officer
Legal Board of Directors
Data Privacy Officer
Product/Engineering Sr. Executive
Compliance Committee Security Council
Operations Sr. Executive
IT Sr. Executive
Legal - GC
The EU-US Privacy Shield
The EU General Data Protection Regulation
David Bender, Special Counsel, Data Privacy, GTC Law Group
September 29, 2016
Why Do We Care About EU Law?
• Both Privacy Shield and the Regulation relate to EU privacy law.
• So who cares? It’s over 3,000 miles from Boston to Brussels.
• Well, we in the US had better care, because:
  – EU privacy law affects many of our clients right now, and will affect even more of them more severely in the near future.
Here’s Why We Care
• US lawyers need to know about EU export restrictions to assist clients in getting personal data lawfully from the EU to the US.
• … and need knowledge of EU privacy law to help advise multinationals about privacy policies and practices.
• And there is a policy reason: US privacy law is in a state of flux, and it is valuable to see what other nations have tried, and the results.
Why We Care (continued)
• And if those reasons are not sufficiently compelling, beginning in May 2018 a new EU privacy law purports to:
  – apply to any entity that markets to, or monitors the behavior of, an EU resident; and
  – provide penalties that can be draconian.
What We’re Talking About
• 2015 Transatlantic trade: just over $1 trillion, and growing.
• More than one quarter of this trade was digitally delivered, a portion that is increasing.
• Much of this trade comprised, and was accompanied by, the communication of an enormous amount of personal data from the EU to the US.
The History of Privacy Shield
• “Safe Harbor” was established in 2000 for export from the EU to the US, and was ultimately used by 4,400 companies.
• Struck down in Oct. 2015 by the EU’s highest court.
• “Privacy Shield” replacement opened for business in August 2016.
• Generally similar to Safe Harbor:
  – Available only for export from the EU to the US.
  – US importers must be subject to the jurisdiction of the FTC or the Department of Transportation.
Privacy Shield (continued)
• US importer must self-certify to the seven Privacy Shield Principles:
  – Notice
  – Choice
  – Accountability for Onward Transfer
  – Security
  – Data Integrity and Purpose Limitation
  – Access
  – Recourse, Enforcement and Liability
Privacy Shield (continued)
• Requires certificants to:
  – Confirm their eligibility;
  – Conduct a privacy audit (i.e., verify the statements they make about their practices);
  – Designate their privacy contact;
  – Draft and post their privacy policy embodying the Privacy Shield Principles.
• Then certify online at the US DOC Privacy Shield website (www.privacyshield.gov) by supplying information and agreeing to be bound by the Principles.
Some Major Differences Between Safe Harbor and Privacy Shield
• Privacy Shield:
  – places more obligations on DOC and FTC to police compliance;
  – resulted in appointment of an Ombudsperson in the US State Department, independent of the US intelligence community, for EU residents’ complaints about US government surveillance; and
  – has more robust enforcement provisions.
Bases for Lawful Export
• To a country (or territory or sector) with “adequate” privacy laws;
• Explicit consent of the individual after being informed of possible risks;
• Transfer of public information;
• Transfer legally required on important public interest grounds;
… or with “appropriate safeguards” comprising:
• An inter-governmental agreement;
• A form contract endorsed by the EU (“standard contractual clauses” – existing SCC remain valid);
• A custom contract approved by a DPA;
• Intra-enterprise binding corporate rules (BCR);
• A Code of Conduct approved by DPA or EU;
• A certification mechanism approved by DPA or a certification body;
… or if transfer is “necessary” for:
• the performance of a contract between the data subject and the controller;
• a contract in the interest of the data subject between the controller and a third party;
• important reasons of public interest;
• protecting the vital interests of a person incapable of consent;
“necessary for” (continued)
• the establishment, exercise, or defense of a legal claim;
• the controller’s legitimate interests, not overridden by the data subject’s rights, for a non-repetitive transfer involving a limited number of persons, where the controller provides suitable safeguards.
IAPP Survey (conducted Summer 2016, released Sept. 2016)
• US importers from the EU intend to rely on:
  – Standard contractual clauses – 81%
  – Consent – 36%
  – Privacy Shield – 34%
  – Binding corporate rules – 31%
  – Certificates or codes of conduct – 17%
  – Other bases – 27%
  – Nothing – 3%
So Which Method(s) Should YOU Use?

Pertinent Factors
• Identity and number of transferor EU nations.
• Identity and number of transferee nations.
• Whether the transferee nations (or territories or sectors) are “adequate.”
• Whether a substantial amount of your export is to the US.
• Whether you are subject to the jurisdiction of a responsible Privacy Shield US federal agency.
More Factors
• Whether consent may legally apply to your situation under Member State law.
• Likelihood of obtaining required opt-in consents, and of avoiding a significant number of withdrawals.
• Number of affiliated entities involved;
• Conservatively, whether you fit into any “necessity”;
• Whether transfer is required for some important public interest;
David Bender, Esq.
And Even More Factors
• Whether the personal data is public;
• Membership in an organization with an approved code of conduct for transfer;
• Existence of approved certifications;
• Tolerance for bureaucratic engagement;
• Required time frame for compliance;
• Whether data is subject to an inter-governmental agreement.
But First, Seriously Consider Hiring a Privacy Officer
• If you haven’t already, now would be a good time to hire a privacy officer.
  – Person with extensive privacy expertise, responsible for the company’s implementation & enforcement of its privacy policies and practices;
  – Gives privacy a more visible role in the company;
  – Independent, reporting to top management – helps get management’s attention;
  – Embeds privacy more thoroughly in the company’s DNA.
OK, I Choose Privacy Shield – Now What?
• Determine your actual privacy practices for processing personal data.
• Prepare a draft privacy policy, consistent with those practices, and conforming to Privacy Shield;
• Obtain a privacy audit;
• Revise your practices and policy as necessary to eliminate gaps between them;
• Certify online at the DOC Privacy Shield website and pay your fee;
• Re-negotiate your vendor contracts to be sure your vendors comply with Privacy Shield.
Drafting the Privacy Policy
• Don’t just throw in every restriction you can think of.
• Think of it as a contract, and as a basis for charging you with misrepresentation for any false statements.
• Include as few obligations as possible, subject to two constraints: law, and customer satisfaction.
• Identify your dispute resolution provider.
Drafting the Policy (continued)
• Don’t blindly copy someone else’s policy.
  – But you may be able to use it as a starting point.
• Don’t guarantee security.
  – Because you can’t.
• Specify the scope of the policy.
• Reserve a right to change the policy.
More on Privacy Policy
• Incorporate a link to your DOC certification.
• Don’t ignore inconvenient pertinent matters.
  – “We comply with lawful governmental requests and demands for information.”
• Employ user-friendly language.
• Shorter is better than longer.
• Get your employees to buy into it.
The Times, They are A-Changin’
• In May 2018 the EU Data Protection Directive will be succeeded by a “General Data Protection Regulation.”
• Two reasons for replacement:
  – The Directive failed to achieve harmonization of Member State data protection law; and
  – Technology rendered the Directive obsolete.
Some Changes Resulting from the Regulation
• Expanded jurisdiction.
• Extremely severe maximum fines.
• Using consent as a basis for processing (including transfer) will be more difficult.
• More extensive right of erasure.
• Lead DPA, instead of diverse DPAs.
• Elimination of the requirement to register all personal data databases.
More Changes
• Requirement to employ an expert data protection officer (DPO) in:
  – any company whose core activities require large-scale systematic monitoring of individuals, or processing of sensitive data; and
  – all governmental agencies.
• Obligation to maintain more documentation about processing.
And Even More Changes
• Data controller must notify unencrypted data security breaches without undue delay to DPAs, and to individuals.
  – Exception for breach unlikely to result in risk (or high risk) to rights of individuals.
• Profiling is more tightly controlled.
Yet More Changes
• Expanded “special” categories of data requiring more restrictive treatment to include genetic and biometric data.
• Parental consent required for online collection of personal data from persons under 16 years of age.
• “Privacy by design” and default privacy are required.
We’re Not Quite Finished
• A company must conduct an “impact assessment statement” when it undertakes:
  – Systematic extensive evaluation of an individual’s personal aspects based on automated processing on which are based decisions that significantly affect individuals;
  – Large-scale processing of special categories of data or of criminal matters; or
  – Systematic large-scale monitoring of a publicly accessible area.
So What Should YOU Be Doing to Accommodate these Changes?
• Determine whether you will be subject to the Regulation’s broad jurisdiction.
• If so, start preparing NOW.
• Item #1: If you don’t already have one, hire a DPO.
• Start re-negotiating your pertinent contracts to require your vendors to conform to Regulation standards.
• Conduct your privacy audit.
What You Need to Do
• Privacy Policy: Start drafting, with the Regulation in mind.
• Consent: Examine the consents you have received as a basis for processing, as the Regulation restricts this further.
  – Are the consents opt-in?
  – If not, can you get opt-in consents?
  – If not, find a new basis or a new way to process.
Security
• Implement appropriate security – the Regulation gives examples of security functions that should be dealt with:
  – Pseudonymization and encryption;
  – Ability to ensure ongoing confidentiality, integrity, availability, and resilience;
  – Ability to restore availability after an incident;
  – Process for regularly assessing the effectiveness of technical and organizational measures for ensuring security.
Breach Notification
• Establish a relationship with the DPAs you may have to notify.
• Line up vendors you’ll need to handle a breach (e.g., legal, forensic, word processing, call center, credit monitoring).
• If you don’t already have one, draft an incident response plan (IRP).
  – Run through a fire drill or two.
Documentation
• All organizations with > 250 employees, and some with fewer, must maintain records indicating:
  – Purposes of all processing;
  – Categories of data subjects, personal data, and disclosees;
  – Cross-border transfers and, for non-adequate countries, documentation of safeguards;
  – General description of organizational and technical security measures.
… and More
• Kids: If you collect personal data from persons < 16, establish procedures for acquiring reasonably verified parental consent.
• Profiling: Determine whether you do any profiling that is entirely automated.
  – Can you insert a human somewhere into the process?
Impact Assessment
• When an impact assessment is required, make sure it involves:
  – A systematic description of the contemplated processing, with purposes;
  – Assessment of the necessity and proportionality of the processing in relation to the purposes;
  – Assessment of risks to data subjects; and
  – Measures for addressing those risks.
Impact Assessment (continued)
• When there is high risk and no mitigation, the company must consult the DPA and provide details of the contemplated processing.
• If the DPA concludes that the processing is non-compliant, it may require compliance and offer advice.
Conclusion
• Privacy Shield: Likely to “work” if the EU court and the DPAs keep their hands off of it.
  – Two big “ifs”.
  – If you qualify and it seems useful, it’s well worth a try.
• Regulation: Launched with great fanfare; EU believes it will take privacy to new heights.
  – Not everyone subscribes to that theory;
  – Time will tell.
Data Security, Disputes and Cyberinsurance Strategies
• Rocco Grillo, Executive Managing Director/Cyber Resilience Leader, Stroz Friedberg
• Mark Szpak, Partner, Ropes & Gray
• John Paul Sutrich, President, ARI Risk Management
• Paul-Johan Jean, CIPP/US, GIAC/GLEG, Member, GTC, Moderator
• Rick Olin, CIPP/US, Member, GTC, Moderator

Privacy Liability & Network Risk Insurance
What you really need to know
September 29, 2016
Thank You
The System Favors Risk Bearing Entities
• RBE – Insurers/Reinsurers (Manufacturers)
  – Insurance has become increasingly complex and nuanced.
  – For the most part, insurers have their fingers on the “legal and financial pulse” of the risk they accept.
• Intermediaries – Brokers (Distributors)
  – Commission & “Contingencies” create conflicts.
  – Broker Limitation of Liability.
• Wholesalers – Broker’s Broker (Sub-Distributor)
  – Wholesalers afford additional market access for inexperienced insurance brokers.
  – Avoid the U.S. broker/U.S. wholesaler/London broker scenario.
© Andrew Robinson International Risk Management Consultants, Inc.
Typical “Cyber” Policy Structure
• Claims Made or Claims Made & Reported
  – Responds only to claims made (and reported to the insurer) during the policy period or Extended Reporting Period/Discovery (so-called “tail”)
• Limit of Liability
  – For all Claims made during the policy period
  – Defense Expenses usually reduce available Limit of Liability
• Deductibles v. Retentions (keep in mind when drafting contracts):
  – Insurer seeks reimbursement of Deductible
  – There is no insurance within the Retention
• Insuring Agreement – Duty to Defend v. Indemnify/Reimburse
  – DD: Insurer selects Defense Counsel whereas the Insured does in I/R
  – DD: Lower risk of Allocation than with I/R
  – DD: Insurer has more control of settlement than with I/R
• Coverage Modules (some policies also include professional liability)
  – First Party: Network Interruption, Data Recovery & Data Extortion
  – Third Party: Security & Privacy, Multimedia, Monitoring/Notification, Regulatory Fines and Penalties, Unintentional Breach of Contract
• Typical Policy Exclusions
  – Fraudulent, Dishonest or Criminal Acts
  – Bodily Injury and Property Damage
  – Strikes, Civil Commotion, War, Terrorism
  – PCI/Payment Card Company Rules Fines & Penalties
  – Alpha & Beta Product Offerings
• Endorsements
  – Correct planned/unplanned deficiencies
  – Enhance or restrict coverage
Most Common Missing Policy Ingredients
• Innocent Insureds: Without full severability of the exclusions, a triggered exclusion may be imputed against all Insureds.
• Pre-Approved Vendors: Crisis Management, Notification/Call Center, Credit Monitoring, Digital Forensics, etc.
• Hammer Clause: What will the insurer do if you do not agree to a settlement offer?
• Coverage Avoidance: Non-Cancelable is not the same as Non-Rescindable.
• True worldwide policy territory: Not possible, as many jurisdictions prohibit non-admitted insurance.
• Cyber Terrorism: War/Terrorism exclusions may preclude coverage.
• Avoid Sub-limits: PCI fines, Credit Monitoring, Notifications, Digital Forensics, etc.
• Adequate Privacy/Network Risk Coverage: Requires both First & Third Party coverages.
The Procurement Process
• The goal of “cyber” insurance is to transfer both expected and unexpected uncertainty above time and/or financial thresholds.
• Scenario based planning is helpful in quantifying your Value at Risk (VaR).
• Alternative futures planning can provide insight into Areas at Risk (unexpected).
• With a better understanding of your Risk Profile, you can deploy strategies to lower both Areas (AaR) and Values at Risk (VaR).
• With a healthier understanding of the AaR and VaR, you’re able to favorably position your organization with the RBEs.
• For the insurers, applications are as much of a coverage vetting tool as the policy’s exclusions.
Problematic Application Questions
• Is all Data and Confidential Information stored on your databases, servers and data files encrypted?
• Is anti-virus software installed on all of the Insured’s computer systems including laptops with the most current virus definitions?
• Is all remote access restricted to VPN?
• Are security logs reviewed periodically for suspicious activity? If so, how often?
• Do you monitor your Computer Network in real time to detect possible intrusions or abnormalities in performance of the system?
• Are all employees and subcontractors periodically instructed on their specific job responsibilities with respect to information security, such as proper reporting of suspected security incidents?
Typical Application Warranty Language
The following are directed to any of the firm’s principals, partners, directors, risk manager or employees:
Are you or they aware of any circumstance or incident, which could give rise to a claim against You, arising from a breach of network, failure of IT networks, data corruption, an infringement of third party IP rights or an instance of professional negligence?
OR
Are you or anyone in your firm aware of any fact, circumstance or situation that could give rise to a claim under this or similar insurance policy?
Signature Block
The undersigned is an authorized principal, partner, director, risk manager, or employee of the applicant and certifies that the answers herein are true, correct and complete.
Recommended Application Precautions
• Qualify or limit responses as necessary.
• Make qualifications or limitations clear.
• Restate questions, then answer.
• Reject “warranties” where possible.
• Base representations/warranties on knowledge of the signer after reasonable investigation, as opposed to blanket statements that representations are “true” and “complete”.
• Don’t volunteer information that isn’t called for to “bulk up” responses.
• Severability of the Application is as important as severability of the Exclusions.
Overall Takeaway
• The system favors the product manufacturer (RBE).
• No two RBEs’ policies or applications are the same.
• One word can make the difference in coverage.
• Reductions in and elimination of coverage are not only found in the Exclusion/Endorsement sections.
• Get your IT/Privacy house in order before approaching the RBE (insurance) market.
• Be concerned when the Intermediary says: “I checked with the Insurer and we believe you’re covered”.
• Regardless of what you may have been told about cyber insurance, everything is negotiable.
TOOLKIT TIPS AND SUGGESTED PRIORITIES (SEE HANDOUT FOR FULL LIST)

ASAP
• CPO/DPO: Designate a Chief Privacy Officer/Data Protection Officer (or whatever title you prefer) who can work comfortably with leadership, product development, advertising/PR, legal, and outside vendors. This can be a new hire or a current employee. If this is a current employee who is already overloaded, offer them support from outside counsel or experts as needed. If they do not have deep expertise, encourage them to seek appropriate formal Privacy & Security training and fund such training.
• Privacy Team: Assign a person in each functional group to serve on this team, led by the CPO.
• EU: Start the process of Privacy Shield and GDPR compliance (+ Brexit issues) if you import (or may in the future import) any data from Europe (for example, from visitors to your main corporate website in the US or from European operations).
TOOLKIT TIPS AND SUGGESTED PRIORITIES – cont. (SEE HANDOUT)

WITHIN NEXT 3 – 6 MONTHS
• Insurance: Confirm existence of appropriate coverage (assess financial loss exposure and tighten up IT/P&S practices before entering the insurance market); add or modify policies as needed.
• WISP: Put an initial Written Information Security Policy in place, together with detailed internal procedures to ensure compliance. Consider specialized regulations (e.g., CA anti-spam).
• Update Privacy Policy: Review processing of personal information, including collection, use, disclosure, storage, retention, and disposal, and consider any applicable specialized regulations.
• Update Legal Terms: Consider adding class action waiver, arbitration clause, and “prior express written consent” required by the Telephone Consumer Protection Act for texts and auto-dialed calls.
• Encryption: Encrypt personal information and sensitive data in storage and transit.
• Backups: Frequently and securely back up all electronic data on an automatic basis.
• Limit Access: Limit employee/vendor access to personal information and sensitive data to those who have a need to know.
• Data Breaches/Incident Response: Designate a person to lead response (ideally the CPO) and ensure likely first contacts (IT, customer service, PR, sales, executives ...) know to call (not email, not text) immediately re any suspected incident. Draft an incident response plan and line up the team (legal, forensic, call center …).
TOOLKIT TIPS AND SUGGESTED PRIORITIES – cont. (SEE HANDOUT)

ONGOING
• Audits: Conduct periodic Privacy & Security audits, at least annually, both internally and of vendors.
• Cultural Change: Implement educational programs and written policies to create an organizational culture of privacy and security awareness.
• New Product Launches: Integrate Privacy & Security review into product development from the start – and into all advertising and marketing efforts.
• Contracts: Review and update agreements to ensure Privacy & Security compliance (US, CA, EU …).
MEET & GREET EXPERTS
• Kenneth MacCuish, Senior Vice President & Chief Information Security Officer, Intralinks, Inc. Previously, Mr. MacCuish was Global Head of Information Security, CISSP at Bain Capital.
• Eric Ratcliffe, Director of Sales, 360Advanced. Mr. Ratcliffe oversees all sales and marketing operations and works directly with the audit and assessment operations team to ensure delivery of the highest level of quality on all Assurance and Compliance projects.
• David Small, Information Security Manager, Vice President, Boston Private. Supports all aspects of Boston Private’s security posture and Information Security Program. Responsible for maintaining technical security profile, technologies, controls, standards and procedures in addition to providing technical security consulting to Business Departments and Information Technology staff.
GTC DATA PRIVACY & SECURITY TEAM
• David Bender, Special Counsel, Data Privacy – 914.693.1890
• Brent Bliven, CIPP/US – 339.832.2165
• Sayoko Blodgett-Ford, Member, CIPP/US – 425.681.3795
• Thomas Hemnes, Member – 617.906.5499
• Paul-Johan Jean, Co-Founder & Member, CIPP/US, GIAC/GLEG – 1.617.216.1298
• Grace Lee – 617.575.9157
• Rick Olin, Member, CIPP/US – 617.216.5062
• Stephen Pakan – 315.729.6775
• Laila Paszti – 416.707.2818
Thank You