
Page 1: Internal measures for risk management Keeping data safe, and  Dealing with a failure

Internal measures for risk management

Keeping data safe, and Dealing with a failure

David Vaile, Executive Director

Cyberspace Law and Policy Centre
UNSW Law Faculty
June 2009
http://cyberlawcentre.org/

Page 2: Outline

• What data is targeted?
• How to reduce the risk of data breaches?
• Improving processes for data loss protection
• Assessing risk
• Interaction with Digital Document Retention and Destruction policy issues
• Damage control
• What happens after disclosure?
• Examining the potential mandatory disclosure breach notification rules being proposed

Page 3: What data is targeted by e-criminals?

• Wide range: some direct, some peripheral
• Customer authentication, staff authentication
• Passwords!
• System controls and security architecture, crypto systems etc.
• Contact lists: customers, suppliers, intermediaries
• Organisational structure: names and roles
• Transaction data, commercially sensitive data
• Demographic data

Page 4: How is data targeted by e-criminals?

• Complex mix of techniques
• Social engineering
• Straight hacking (rarer)
• Interfering in secure transactions (rare)
• Malware: spam, zombie bot net, root kits
• Phishing and other hybrids
• Insiders / expellees
• Suppliers

Page 5: How can organisations reduce the risk of data breaches?

• ID what you hold, who it might tempt, how they’d get it
• Review your governance model for commercial and personal information security
• Risk assessment
• Digital document retention and destruction policies
• Audits and process improvement
• Reward the whistleblower, don’t suppress bad news
• Value data for the worst loss it could cause a stakeholder
• Review IT security infrastructure, malware protection
• Assume security will fail
• Damage management policies: for you and data subject

Page 6: Improving your business processes for data loss protection

• Identify data ‘owners’, localise responsibility
• Value errors, mistakes, problems, niggling doubts, reward open reports and good response
• Stop suppression of bad news, hiding, denial
• Model the lifecycle of data, ID the weak links
• Review policies to ensure they value data
• Audits, run-throughs, external attack simulation
• Avoid ‘stupid security’, insist on good security
• Subjects get reasonable access to own records?
• Logging and transaction analysis, anomaly detection, investigation

Page 7: Assessing risk of data breach

• Whose risk? Yours, staff, suppliers, customers, their associates ...
• Very wide multi-pass audit for risk vectors
• External reality checks, industry scan
• Do your internal systems and processes support protection and detection?
• Can you cope with a breach? Policy, procedures, customer centric response?

Page 8: Interaction with retention & destruction policy?

• Digital Document Retention & Destruction policy: critical for bringing 3 tribes together
• Know why and how long you retain, when you destroy
• Review evidentiary value of your metadata and logs
• Breach risk should drive some of the policy:
  • shorter retention periods?
  • de-identified storage?
• Review every 3 years, react to risk changes

Page 9: Damage control

• It’s D-Day, the horse has bolted.
• You must have a plan sorted out first!
• Assume the worst happens: who gets hurt, who needs help, what can you keep quiet?
• Get help quick: law enforcement, external security, smart PR
• Offer help quick: victims, staff, intermediaries
• Reassure victims
• Be open with media and inquirers, hiding makes it worse.

Page 10: What happens after disclosure?

• Identify what is lost, who is affected, scope of risk, how far it has gone -- Assume the worst!
• Work out how to protect your own interests, and stakeholders who may be affected.
• Notification: not open-ended, consider how far is needed
• Offer practical assistance to those affected
• Don’t lay blame easily.
• Consider accepting some liability for minor remedies and losses: great for retaining trust and confidence
• Move quickly for first responses, but buy time to carefully review the actual outcome

Page 11: Potential mandatory disclosure breach notification rules

• Review global developments, see where it is headed in Australia – some years to go
• Not an option to stay in denial
• See Australian Privacy Commissioner voluntary guidelines, US approach, EU model
• Consider opting for world’s best practice, which may be higher than current mandatory requirement
• Disclose in a way that is of most help to the recipient: in some cases will just be online, may be by direct contact, or advertisement

Page 12

David Vaile, Executive Director

Cyberspace Law and Policy Centre
UNSW Law Faculty

[email protected]

(02) 9385 3589

http://cyberlawcentre.org/