Is your job as CIO or CISO at risk based on Privacy violations?

The data breach events which hit the press recently have prompted most governments to take a harder look at how critical personal data is protected under their current laws and at what new laws should require. Obviously any business has to follow today's and future local laws. If there is any possibility that your business could violate such a regulation in a country, then a proper risk assessment is absolutely necessary to decide whether the possible sanctions would be "justifiable".

Looking at the activities around the world, it becomes obvious that governments no longer trust companies to know how to protect personal data according to the local legal requirements. If you look, for example, at the new privacy requirements in the amendment of the Massachusetts State Security Breach Notification Act (201 CMR 17.00), it becomes obvious that local governments have started to write direct IT security requirements into local law. As a local law typically stays on the books much longer than the "secure" IT security measures it mentions remain available or current, and as a globally acting company has to fulfill all of these non-harmonized local requirements, this looks like becoming a real nightmare for the future.

Nevertheless, even with stronger enforcement standards and penalties beginning to emerge in many countries, it doesn't necessarily mean that business players react unfavorably. As far as I'm aware no US based company pulled out of Europe due to the stringent European Data Directive; they much rather worked with the US government to come up with a workable solution (i.e. Safe Harbor) to comply with the new legal requirement.

On the other hand, several European companies have built their own legal entities in the US so that they can do business there but don't necessarily need to comply with all worldwide laws.

In 2009 the head of Germany's state owned rail operator Deutsche Bahn resigned following a series of scandals over the company's attempts to spy on its staff. An even harder hit was taken by the Deutsche Telekom Head of Internal Investigation: he was arrested on criminal charges after it was revealed that they too were spying on their employees and partners. Also in the UK, the chairman of the Revenue and Customs service, which admitted to losing the details of 25 million individuals, was forced to resign.

Obviously board members and executive staff like CIOs, CROs or CISOs now find themselves in trouble. Authorities hold them personally negligent for not taking adequate security precautions, and in some cases they even find themselves confronted with criminal charges. Is this only a demonstrative show of public relations good faith, with companies who suffer a breach holding employees to greater accountability, or is this a substantial risk for you in your role?

The future will bring us more clarity here, but there is certainly precedent for personal responsibility for intentionally violating the law (SOX and the new American Recovery and Reinvestment Act both have personal liability).

To demonstrate the possible impact I did a little research and found the following cases:

  • As a result of the scandal related to the wiretapping of phone conversations of several Greek officials, including Prime Minister Costas Karamanlis, during the period August 2004 – March 2005, Vodafone was fined in 2006 76 million € by the Greek privacy committee for not having protected its network against hacking activities and 19.1 million € by the EETT, the national telecommunications regulator, for alleged breach of privacy rules.

    http://www.theregister.co.uk/2006/12/15/voda_fined_over_greek_wiretaps/
In March 2009 the Council of State, Greece's highest administrative court, ordered the Communications Privacy Protection Authority (ADAE) to withdraw the 76-million-euro fine it had imposed on the mobile phone company Vodafone.
  • USA and the TJX security breach in 2006: the first settlement, with the US Federal Trade Commission, requires that TJX implement a comprehensive information security program and obtain audits by independent third-party security professionals every other year for 20 years. Under a separate settlement agreement, TJX and Visa are presenting Visa issuers with a so-called alternative recovery offer under which TJX will pay up to $40.9 million in pre-tax funds to compensate U.S. Visa issuers for breach-related expenses, provided they agree not to sue TJX or seek any other form of recovery from TJX, Fifth Third, or Visa.

    http://www.usatoday.com/money/industries/retail/2007-11-30-tjx-visa-breach-settlement_N.htm
On June 23rd 2009 it was announced that TJX had settled with 41 US state regulators too: an extra $9.75m, with ongoing supervision and audits going along with it. Details can be found at http://www.reuters.com/article/marketsNews/idUSN233656120090623

All the fines listed here will most probably soon be eclipsed by Heartland, the payment system provider which was hacked for a reported 100 million credit card details in January 2009. The US Federal Trade Commission (FTC) has created privacy enforcement programs to make sure companies keep the promises they make to consumers about privacy, including the precautions they need to take to secure consumers' personal information.

You can go to their web page and look under privacy/enforcements: they give a summary of enforcement actions, and usually a consent decree goes with them (mandatory audits, mandatory security program, encryption, etc.). The following link gives examples of some of the Commission's Section 5 privacy cases:

http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html

To ensure that customers are informed in case of a data breach, many countries have issued updated privacy regulations requiring disclosure of data breaches. In January 2009 Alana Maurushat from the University of New South Wales wrote an interesting paper called "Data Breach Notification Law across the World from California to Australia".

http://law.bepress.com/unswwps/flrps09/art11/

Not only does it have a very useful table on the last page outlining the differences between the breach notification laws of 25 countries; Maurushat also sums it up better than I ever could:

“Two related phrases aptly describe the impetus behind such (data breach disclosure) laws: “Sunlight as disinfectant” and the “Right to Know”. Data breach notification is promulgated under the theory that the consumer has the right to know when their personal information has been stolen or compromised. Equally, it is hoped that data breach notification laws will provide a necessary incentive for corporations and organizations to take adequate steps to secure personal information held within their organization. In this sense, exposing security breaches of corporations will shine "sunlight" onto an organization's security practices, and will "disinfect" those problematic security areas requiring change”.

In the US, where data breach notification laws exist, breach notification usually means a letter to the individual whose data has been accessed and may also include mandatory notification to state Attorneys General as well as federal regulators. The content of the notice is dictated by statute, so there may be many different letters for the same breach depending on the state where the person lives. While most of these laws may not directly conflict, there are some differences. Many set different time periods within which officials and consumers must be notified of a breach. Some apply to government agencies and some do not. Some have exclusions for data which is encrypted; others, such as Texas, require full disclosure. Some require different information to be contained in the notification letter; some allow notification to be done over the telephone. It is important that a company quickly determines which state or country laws may apply in order to assess what its specific obligations are. Because of the sensitivity of the data and the laws that come into play, this is not a question that can be resolved in weeks: it must be resolved within days after learning about the possible breach.

There is no "one size fits all" approach. The US American Recovery and Reinvestment Act has put in place notification requirements to the FTC and to Health and Human Services (for medical information). In many instances, encryption of the database or of data in transit eliminates the requirement to make a notification; however, it should be noted that in some US states encryption does not affect the notice requirements. Also, if the data is encrypted but the key was compromised, then notification is still required. So this is a very nice, unexpected source of additional income for the lawyers. :-)

As there are so many possible pitfalls, it is highly recommended to familiarize yourself with the requirements, as you could very quickly be held responsible for not following local laws. I don't want to go any further with this. I hope it has become clear to all of you that when it comes to privacy of information we are talking about a ticking time bomb, and as I can see from most of the replies I received, many of you are aware of that. Please keep in mind that sooner or later someone can come and hold you responsible in case something goes horribly wrong. Focusing on privacy, educating people about the do's and don'ts, and having people on board who know and understand the needs and obligations behind it becomes absolutely crucial.

I hope you have enjoyed the 3 privacy articles. If you have any kind of learnings or materials which could help others to better understand or be prepared, please bring them to my attention and I will make sure that the larger community can benefit from them. As usual, feel free to send us your ideas, feedback and comments, either directly on the blog or via mail at

-Andreas
