What to Do in the Event of a Corporate Data Breach
Managing Corporate Data Breaches
George J. Pollack, Partner/Associé Davies, Montréal
Steve Mott, Principal BetterBuy Design, USA
March 20, 2012
DAVIES ACADEMY – for continuing legal education
PART I - The Scourge of Data Breaches (and Mag-stripe Technology)
Data Breach Problem in Perspective
The Costs of Cybercrime
HP's second annual Cost of Cybercrime Study pegged the median annualized cost of cybercrime incurred by a benchmark sample of organizations at $5.9 million
The survey revealed a range of $1.5 million to $36.5 million, a 56 percent increase from the median cybercrime cost reported in HP's inaugural study published in July 2010
Organizations that had deployed security information and event management solutions realized a cost savings of nearly 25 percent over those who didn't
In 2011, the survey shows, the average time to resolve a cyber-attack took 18 days, with an average cost to participating organizations of nearly $416,000
That's a nearly 70 percent increase from the estimated $250,000 cost and a 14-day resolution period surmised from last year's study
Source: Hewlett-Packard “Cost of Cybercrime” Study, 2011
Another Look at Costs
SOURCE Forrester Research Inc.
But Even Security Companies Get Compromised
Cybercrime is expensive. Just ask storage maker EMC, parent of security provider RSA. EMC CFO David Goulden the other day said last month's breach of the system that stores secret codes for RSA's SecurID multifactor authentication tokens cost EMC $66.3 million in the second quarter. That's well above average, according to a just-released survey by technology provider Hewlett-Packard, conducted by the Ponemon Institute.
Source: Hewlett-Packard “Cost of Cybercrime” Study, 2011
• High-level View of Data Breaches
• PCI is Not a Solution to This Problem
• Financial Services: Twice the Breach of Retail
• Internal Sources a Big Issue
• Hacking and Malware Spur the Problem
• Secret Service: Compromises are Inherent
• Malware Injections: Half the Compromises
• Backdoor Access Control: Malware Favorite
• Hackers: Relying on Stolen Logins
• Payment Card Data the Favorite Target
• Cost of Prevention: Too Low to Ignore
• Existing IT Systems MUST Change
Source (chart slides above): Verizon Business; 2010 Data Breach Investigation Report
A Deep-Dive on Data Breach Costs
• Trends in Per-Record Data Breach Costs
• Indirect Costs: Twice Direct Charges
• Average Cost/Firm: Nearly $7 million
• Lost Business: Exceeds Other Direct Costs
• Encryption Gaining as Key Solution
• Customer Churn a Big Cost Driver
• Violation of Trust an Important Factor
• Direct Costs are Increasing
• Taking Time for Notification Lowers Costs
• Consultants a Must for Lowering Costs ;o)
Source (chart slides above): Ponemon Institute; study of 45 breaches, 2009
QSAs: Like Firewalls and Encryption
Source: PCI-DSS QSA Survey-2010
A Few Words About Card Payments
Key Things to Remember about PCI
• PCI theory (protected data) is wildly unaddressed by PCI policy; it is NOT a solution across industries, because principal owners don’t understand businesses other than card payments
• PCI practice in card payments is stacked against merchants; merchant inputs are barely considered in PCI Security Standards Council proceedings; the purpose is to make bank issuers whole on fraud and risk of mag-stripe
• The rationale is to avoid investing in better technology (e.g., Chip+PIN in EMV) as long as possible
• Visa’s expectation is that merchants will roll over and play dead
• Visa mau-maus QSAs and QIRAs when it can
• Seminal suit by Utah restaurant could start the unraveling process
• Pressure on PCI Council resulting in acceptance of encryption and tokenization as a solution
• Use in mobile will further break lock of PCI on POS marketplace and beyond—to all industries (but there are no regulations for mobile)
Utah Restaurant Lawsuit Could Start an Anti-PCI 'Revolution'
Source: HospitalityLawyer.com
Cloud-based Transacting Can Bypass Mag-Stripe
What to Do After A Breach is Discovered
What Happens after a Breach
Many organizations go public too early—before the facts are known—trying to avoid vilification, but inadvertently attracting misplaced blame
Many organizations belatedly put in place training and awareness programs to help reduce the risks of future breaches
Most increased their security budgets, and 28 percent hired additional IT staff
In addition, the actions most often taken to help reduce negative consequences of a breach were to hire legal counsel and forensics experts
Best Practices from Legal Point-of-View
• A breach WILL happen (and might have already happened—but you don’t know it yet)
• Assume it has/will happen, and develop a remediation program ASSUMING THE BAD GUYS are already there, in order to prevent damage when they do get in
• Have lawyers and forensic experts hired, briefed and on-call
• Document everything—especially access history
• Ensure staff responsibility for vigilance and policy enforcement are trained and monitored
• When confronted, push back quickly and hard to make sure blame gets shared appropriately
How to Prevent A Breach in the First Place
Accenture: Data Privacy and Protection at the Tipping Point – How Global Organizations Approach the Challenge of Protecting Personal Data (Ponemon Institute, 2009)
• Contrasting Individual Privacy Values
• Privacy Sensitivity Varies by Industry
• Most Failures are from Within
• Organization Cultural Values Make A Difference
• Policies Accompany Cultural Values
Source (chart slides above): Accenture/Ponemon
What Prevents Data Breaches
• Creating an information strategy that enables the organization to identify, track and control how data flows across all areas of an organization's systems and processes
• Assigning ownership of and accountability for data privacy and protection through a data governance program
• Evaluating their current data privacy and protection technologies to confirm they are providing the necessary level of protection
• Building a consistent level of awareness of the importance of data privacy and protection among the workforce and providing employees with the appropriate guidance for how to handle sensitive data
• Reexamining their data privacy and protection investments
• Choosing business partners with care
• Having formal incident response policies, procedures and team
Part II – The Legal Ramifications of a Data Breach
INTRODUCTION
• One of the features of the digital age has been the increased collection, storage and accessibility of personal data that is used by both private and public sector organizations for a wide variety of social, commercial and other purposes.
• This information has become a valuable commodity not only for organizations intending to make legitimate and lawful use of personal data but also, more ominously, for predators with more sinister and often obscure objectives in mind.
• All sectors of the economy are vulnerable to cyber attacks designed to access a vast amount of electronically stored personal data, and data breaches are now becoming commonplace occurrences.
• The emergence of new technologies, including cloud computing, enhances the vulnerability of stored data to unlawful access and dissemination, and has significantly enhanced the risks of a data compromise event and amplified the consequences of unauthorized access.
• Other than observing "best practices" from an information-technology perspective – including firewalling sensitive data, enforcing password discipline and monitoring data storage systems in order to detect unauthorized access or exfiltration of data – there is no single body of rules, guidelines or standards that define what constitutes reasonable care in the safeguarding of electronically stored data.
• The law governing a breached entity's liability for the consequences of a data breach is in its infancy, and Canadian courts have not yet had the opportunity of defining what constitutes reasonable care in the electronic storage of personal data or prescribing sanctions for entities that are negligent in the manner in which they use, disseminate or store personal data.
• The one exception is in the area of the storage of credit card account data. Here, the credit card associations such as Visa and MasterCard, have promulgated a set of rules known as the Payment Card Industry Data Security Standards ("PCIDSS") which prescribes minimum safeguards that merchants, credit card transaction processors and others in the payment card transaction chain must observe in the handling, transmission and storage of card holder account data.
• Failure to adhere to the PCIDSS can lead to the imposition of onerous penalties and assessments in the event that account data is compromised by an intrusion.
• There now exists legislation at the federal level (The Personal Information Protection and Electronic Documents Act) and in some provincial jurisdictions (e.g. in Québec, An Act Respecting the Protection of Personal Information in the Private Sector; in Alberta, the Personal Information Protection Act) that establish a range of obligations around the collection, use, disclosure and handling of personal information. Only the Alberta legislation contains mandatory breach notification provisions.
• While the caselaw has not yet begun to coalesce around a body of guiding principles with respect to liability for the consequences of a data breach, hacking incidents have begun to spawn litigation including some very high-profile class action litigation in Ontario and Québec:
– Speevak v. Canadian Imperial Bank of Commerce – Alleging the unauthorized access to sensitive financial and other information about customers stored by a financial institution.
– Scholes v. Honda Motor Company – Alleging the compromise of customer data held by an automobile manufacturer.
– Maksimovic v. Sony of Canada Inc. and D'Cruze v. Sony of Canada Ltd. (Ontario) and Banks v. Sony Canada Ltd. (Québec) – Alleging the compromise of credit card data following the hacking of Sony's "Playstation" gaming platform.
The Québec Context
• Quebec has extensive privacy rights which may be invoked when an individual's personal information has been compromised.
• Liability for damages sustained as the result of a data compromise could flow from a number of juridical sources including:
– The Civil Code of Quebec (the "CCQ")
– An Act Respecting the Protection of Personal Information in the Private Sector (the "Private Sector Act")
– The Quebec Charter of Human Rights (the "Charter")
• Violation of privacy rights can give rise to compensatory and punitive damages.
A. The CCQ
3. Every person is the holder of personality rights, such as the right to life, the right to the inviolability and integrity of his person, and the right to the respect of his name, reputation and privacy.
These rights are inalienable.
35. Every person has a right to the respect of his reputation and privacy.
No one may invade the privacy of a person without the consent of the person unless authorized by law.
1457. Every person has a duty to abide by the rules of conduct which lie upon him, according to the circumstances, usage or law, so as not to cause injury to another.
Where he is endowed with reason and fails this duty, he is responsible for any injury he causes to another person by such fault and is liable to reparation for the injury, whether it be bodily, moral or material in nature.
B. The Charter
5. Every person has a right to respect for his private life.
24. No one may be deprived of his liberty or of his rights except on grounds provided by law and in accordance with prescribed procedures.
C. The Private Sector Act
• The object of the legislation is to establish standards for the exercise of the rights conferred by articles 35 et seq CCQ concerning "… the protection of personal information relating to the other persons which a person collects, holds or communicates to third persons in the course of carrying on an enterprise within the meaning of article 1525 of the Civil Code". (Article 1)
• Personal information is defined as any information which relates to a natural person and allows that person to be identified. (Article 2)
• Article 10 prescribes that:
"A person carrying on an enterprise must take the security measures necessary to ensure the protection of personal information collected, used, communicated, kept or destroyed and that are reasonable given the sensitivity of the information, the purpose for which it is to be used, the quantity and distribution of the information and the medium on which it is stored".
• The Private Sector Act prescribes penal sanctions for the violation of the provisions of Division III of the legislation. Article 10 is included in Division III such that a violation of the obligation to safeguard information could lead to the imposition of a fine ranging from $1,000 to $10,000 for a first offence and, for a subsequent offence, to a fine of $10,000 to $20,000. (Article 91)
Where an offence is committed by a legal person, the administrator(s), director(s) or representative(s) of the legal person who authorized the act or omission constituting the offence, is (are) deemed to be a party to the offence. (Article 93)
• The legislation does not contain a specific damages remedy for the violation of a duty imposed on an enterprise regarding the protection of personal information.
Personal Information Protection and Electronic Documents Act ("PIPEDA")
• Federal legislation that applies generally to all collection, use or disclosure of personal information by private sector businesses within the legislative authority of Parliament.
• PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity.
• Schedule 1 to the PIPEDA sets forth a series of obligations and principles regarding the collection, use, storage and disclosure of personal information that constitute the Model Code for the Protection of Personal Information. Principle 7, which deals with the safeguarding of personal information, states that:
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
The security safeguards shall protect personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification. Organizations shall protect personal information regardless of the format in which it is held.
The nature of the safeguards will vary, depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection […]
• In 2007, the Office of the Privacy Commissioner issued a series of guidelines entitled "Key Steps for Organizations in Responding to Privacy Breaches" (the "Guidelines"). The purpose of the guidelines was to assist private sector organizations in taking appropriate steps in the event of a privacy breach and to provide guidance in assessing whether notification of the breach to affected individuals is required.
• Though voluntary, the Guidelines have been adopted as best practices by many private sector organizations. The Guidelines elaborate four steps that organizations should follow in responding to data breaches:
– Breach containment and preliminary assessment
– Evaluation of risks associated with the breach
– Notification
– Prevention
• As the Guidelines are voluntary, an organization that has suffered a breach is not obliged to give notice of the potential compromise of data to the affected individuals.
• There are no penalties under PIPEDA for failing to follow the Guidelines. The legislation does, however, give the Federal Privacy Commissioner power to investigate a data breach. Amongst other things, the Commissioner may issue a report on the breach setting out his findings and recommendations. The Commissioner may also request that the breached organization give notice of any action taken to implement recommendations contained in the report or reasons why such remedial action will not be taken.
• However, a civil court would likely find that failure to respect the Guidelines amounted to a breach of a duty of care in respect of the safeguarding of personal information.
• Once the Commissioner has issued a report, no further action will be taken unless a complainant applies to the Federal Court to seek enforcement of damages. No fines are prescribed for organizations that have suffered data breaches and the Federal Court has been very circumspect in making damage awards for breaches of PIPEDA (Randall v. Nubodys Fitness Centres, 2010 FC 681 and Nammo v. Trans Union of Canada Inc., 2010 FC 1284).
• On September 29, 2011, the Government of Canada introduced Bill C-12, the Safeguarding Canadians' Personal Information Act which, if passed, will amend PIPEDA to add a new breach notification requirement. The Bill requires notification to the Commissioner of Privacy where "[…] any material breach of security safeguards involving personal information under an organization's control […]" occurs. The factors relevant to materiality include:
– The sensitivity of the personal information.
– The number of individuals whose personal data was involved.
– An assessment by the organization that the cause of the breach or a pattern of breaches indicates a systemic problem.
• The Bill also provides that the breached organization must notify an affected individual "[…] if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual".
• "Significant harm" includes "[…] bodily harm, humiliation, damage to reputation, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property." Considerations relevant to significance include:
– The sensitivity of the compromised information
– The probability that personal information has been or will be misused.
• Notification must be given "[…] as soon as feasible after the organization confirms that the breach has occurred and concludes that it is required." The form and contents of the notice will be established by Regulation. The Bill provides, however, that the notice must provide "[…] sufficient information to allow the individual to understand the significance to them (sic!) of the breach and to take steps, if any and possible, to reduce the risk of harm that could result from it or mitigate the harm."
• In addition to notifying individuals, organizations must also notify other organizations or "government institutions" of a breach if that other organization or government institution "[…] may be able to reduce the risk of harm […] or mitigate that harm."
• The Bill contains no penalties for organizations who do not report data breaches.
• However, a failure to provide notice where one was required could give rise to a civil, quasi-delictual claim for damages.
Alberta
• Alberta has the most robust privacy legislation in Canada in the form of the Personal Information Protection Act ("PIPA") which provides for mandatory notification to the Alberta Privacy Commissioner ("APC") if personal information under an organization's control is accessed without authorization such that a reasonable person would consider that there exists real risk of significant harm to an individual.
• The APC may require the breached organization to notify the affected individuals where he determines that there is a real risk of significant harm as a result of the unauthorized access or disclosure.
• Control of personal information is defined as meaning having the authority to manage personal information. When an organization engages the services of a person to manage personal information, the organization is responsible for that person's compliance with PIPA with respect to such services and the organization that engages the services of a third party is considered to be in control of the information (See Office of the Information and Privacy Commissioner, Best Buy Canada Ltd., P2011-ND-011 and Office of the Information and Privacy Commissioner, Aviscan Inc., P2011-ND-001).
• Factors to be considered when determining whether a real risk of significant harm to individuals exists include the number of affected individuals, the maliciousness of the breach and whether there are indications that personal information was misappropriated for nefarious purposes, the sensitivity of the information and the harm that may result.
• Significant harm means that it is important, meaningful and with non-trivial consequences or effects (Office of the Information and Privacy Commissioner, Canadian Standards Association, P.2011-ND-26).
• Credit card fraud is considered significant financial harm that can be caused by a privacy breach.
• Credit card numbers with names are considered personal information of high sensitivity (Office of the Information and Privacy Commissioners, Full Bars Communications Inc., P2010-ND-005).
• Risk of real harm does not mean that harm will certainly result from the incident, but that the likelihood that it will result must be more than mere speculation or conjecture. This standard was found to be satisfied when data such as financial information was accessed without authorization and in a way that suggests nefarious purposes (Office of the Information and Privacy Commissioner, Twin American LLC, P.2011-ND-010).
• PIPA provides for fines of up to $100,000 when a person fails to provide notice to the Commissioner when required to.
PCI DSS – A Particular Regime
• For retail businesses that rely on credit card transactions, PCI DSS represents both a challenge and a potential source of unexpected but significant liability in the event that a credit card association determines, in accordance with its proprietary, black-box methodology, that a data breach resulted from non-compliance with PCI DSS.
• The credit card associations have regulatory regimes – which are generally made applicable to merchants through the contracts they enter into with transaction processors – that give the associations broad and unfettered discretion to determine that a data breach resulted from PCI DSS non-compliance. There are no meaningful ways of appealing such findings.
Liability for Damages
• To date, there is no caselaw in Québec – or anywhere else in Canada – dealing with liability for data breaches. However, under the legal regime outlined above, an organization that has failed to take reasonable care in safeguarding personal data from a cyber-attack could be liable for damages. To succeed, a plaintiff would be required to demonstrate that the breached entity acted wrongfully, that personal information intended to be treated as confidential was compromised, that he or she has sustained damages as a result and that there is a causal link between the damages and the wrongful act.
• Even in instances where a data breach results in the compromise of confidential personal data, damages may be hard to prove. For example, in the case of compromised credit card data, the financial institution typically covers any tangible costs. Other types of claims, including time lost and inconvenience, damage to reputation or mental suffering, are difficult to quantify and prove and typically give rise to nominal awards of damages.
• Québec law does not impose a duty to notify individuals whose personal data is compromised as a result of a data breach. However, we believe that a Québec court could hold a breached entity liable for a failure to notify on the general principles set out above, especially in light of the fact that the compromise of personal data places individuals at greater risk of identity theft, and the failure to notify could deprive the affected individuals of their ability to mitigate the risk of harm.
• The class action litigation currently before the courts is likely to influence how the courts in Québec, and elsewhere in Canada, define the standard of care to be exercised in safeguarding confidential information.
PCI DSS – A Particular Regime (cont'd)
• Card associations may impose punitive fines and assessments, often in the millions of dollars, on non-compliant organizations. These assessments are intended amongst other things, to recoup a) the costs involved in re-issuing compromised cards; and b) the value of estimated fraud.
• TJX (Operating the brands TJ Max, Marshalls, Winners, etc.) – Data breach in 2007 with 46,500,000 cards compromised. TJX eventually settled with Visa for $40.9 million. This was over and above amounts that TJX paid to settle litigation against it by the Federal Trade Commission and the attorneys general from 41 states.
• Heartland Payment Systems – Data breach in 2008 with as many as 100 million credit and debit cards compromised. The Company is reported to have paid about $160 million in fines, including $60 million paid to Visa.
Insurance
• Traditional errors and omissions and commercial general liability policies were written for a conventional basket of risks, not those inherent in the electronic storage of data.
• While insurance is not an alternative to rigorous risk management, proper cyber-crime coverage can mitigate losses flowing from a data breach.
• New cyber liability insurance products are emerging on the market, covering, to varying extents an insured's liability where it is held liable for cyber-related injuries sustained by third parties. These products also offer coverage for out of pocket expenses incurred by the breached entity in connection with:
- breach notification
- breach management
- audit and remediation
- redress funds for affected individuals
- business interruption
A commonsense approach to handling the fallout from data breaches
• The law relating to data breaches and associated liabilities is in its earliest stages of development in Canada
• There are a series of common sense steps that organizations can take to mitigate their exposure in the aftermath of a breach:
• Determine what data elements have been breached and how sensitive these elements are; the more sensitive the data, the greater the risk of harm to individuals. This assessment will help determine whether a breach should be responded to, who should be informed (including privacy commissioners) and what form that notification should take;
• The cause and extent of the breach should be determined and an assessment should be made as to whether there is a risk of on-going breaches and compromise of information.
• Determine how many individuals have had their information placed at risk and who these individuals are, i.e. members of the public? Employees? Service providers?
• Assess the possibility of foreseeable harm in light of the breach, the likely reasonable expectations of the individuals whose information was compromised and the party who is suspected of having caused the breach. Consider what the nature of the harm to the individuals might be (e.g. does the breach pose a risk to personal security or financial loss) and what impact the breach may have on the organization's reputational interests and finances. Also to be weighed in the balance is whether notification itself could cause harm to the public.
• Notification, even when it is not obligatory by law, may be an important mitigation strategy. Although each breach incident will vary and a case by case approach should be taken, an overriding consideration (aside from statutory notice obligations) in deciding whether to notify should be whether notification is necessary to avoid or mitigate harm to an individual whose personal data has been compromised.
• You may wish to consider notifying other parties of a data breach including insurers, the police, professional associations etc.
Thank you
This presentation will be available online at dwpv.com/academy (English) and dwpv.com/academie (French).
Steve Mott, Principal, BetterBuy Design
1386 Long Ridge Road, Stamford, CT 06903
Office: 203.968.1967
email: [email protected]
website: www.betterbuydesign.com

George J. Pollack, Partner, Davies
Office: 514.841.6451
email: [email protected]