technology law forum - us and eu data protection and privacy laws

Upload: lawquest

Post on 03-Apr-2018


  • 7/28/2019 Technology Law Forum - US and EU Data Protection and Privacy Laws

Technology Law Forum
Seminar on Certain US and EU Data Protection and Privacy Laws

Poorvi Chothani, Esq., Correspondent to Cyrus D. Mehta & Associates, PLLC, New York
(US Immigration & Nationality Law)
[email protected] / 022 6654 1671

Monday, April 15, 2013

Need for Protection
- Technological readiness of the Indian BPO industry is very high
- Regulatory framework is inadequate
- BPOs deal with sensitive and/or private data that needs protection
- The Internet is an instrument in flattening the world: a level playing field for knowledge and access to ideas*
* Ref. Thomas Friedman's The World is Flat

Legal Lag Following Technology
- The outsourcing industry is a great economic advantage to India
- Other, competing outsourcing destinations are gaining importance
- Need for protection

The US and the EU do not have Comprehensive Privacy or Data Protection Laws
- Intellectual property
- Corporate secrets
- Confidential customer health information
- Financial information
- Trade secrets
- Personally Identifiable Information: name, addresses, national identifying numbers, telephone numbers, birth date, driver's license information, credit history, court and traffic violation records

Sensitive Personal Information
- the racial or ethnic origin of the data subject,
- his political opinions,
- his religious beliefs or other beliefs of a similar nature,
- whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
- his physical or mental health or condition,
- his sexual life,
- the commission or alleged commission by him of any offence, or any proceedings for any offence

Privacy Development
Multilateral discussions and initiatives:
- Organization for Economic Cooperation and Development (OECD)
- Developed 1980 Privacy Guidelines
- Working Party on Information Security and Privacy
- Privacy is also an issue within other OECD working parties: telecommunications, consumer protection, small businesses etc.
- India is a Member of OECD
- In the US, the US Supreme Court interpreted the Constitution and found a right to privacy

Introduction: US v EU
- The United States and the European Union share the goal of enhancing privacy protection for their citizens
- Different approach to privacy: the United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin.
- Effect: hampered U.S. companies' ability to engage in many trans-Atlantic transactions.

US and EU Different Approaches
- The United States system is based on: self-regulation; sector-specific legislation; enforcement (FTC); outreach and awareness
- The European Union's system is based on common legislation covering all industry sectors and almost all personal data
- EU authorities could legally stop data flows at any time

Council of Europe Convention
- Established a committee of experts on data protection that reported its findings in early 1979.
- The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was enacted in 1981.
- Came into force in 1985 after five States ratified it.
- Sets forth the individual data subject's right to privacy
- Enumerates a series of basic principles for data protection
- Provides for transborder data flows
- Finally led to the European Union Directive 95/46/EC

The EC Data Protection Directive 95/46/EC (EU Directive)
- Data processing systems are designed to serve human beings
- Respects fundamental rights and freedoms, including the right to privacy
- Lays down conditions which must be fulfilled for legally processing personal data
- The European Parliament confirmed the existence of a network of supercomputers operated by the secretive United States National Security Agency, an agency responsible for intercepting communications across the world for the benefit of American business and Government.

EU Data Protection Directive
- Each EC Member State has to enact laws in keeping with the EU Directive
- E.g. the EU Directive is implemented by the United Kingdom Data Protection Act 1998.
- An approved set of standard contractual clauses may be used
- The EU Directive applies to the processing of personal data

Data Protection Principle
- General prohibition on collection and processing of personal data, subject to limited exceptions
- Burden of proof is on the data controller
- Restricts the transfer of personal data outside the EU countries unless the other country ensures an adequate level of protection
- The data controller or data aggregator is liable for ensuring that these principles are adhered to

Principles of Data Protection - UK
The Data Protection Act 1998 requires that data controllers process personal data in accordance with Eight Principles. These require that personal data is:
1. Fairly and lawfully processed;
2. Processed for limited purposes;
3. Adequate, relevant and not excessive;
4. Accurate;
5. Not kept longer than necessary;
6. Processed in accordance with individuals' rights;
7. Kept secure;
8. Not transferred to countries outside the European Economic Area without adequate protection.

The EU Directive
- Applies to personal data, which includes customer, employee and coded data
- Corresponding obligations of data controllers (need to give notice, choice, access, rectification, etc.)
- Protection obligations (notification to government agencies)
- Covers all sectors of industry and commerce

Transfer of Data Under the EU Directive
- Transfer to countries with adequate protection is permitted without additional adequacy requirements
- Switzerland, Canada, Argentina and the UK territories of Guernsey and the Isle of Man are all recognized by the EU as offering adequate data protection.

Options to transfer restrictions under the EU Directive
- Adopt Standard Contract Clauses
- Obtain unambiguous consent to transfer from affected individuals
- Negotiated protections acceptable in the UK
- Codes of conduct
- Direct compliance/registration with EU authority
- Some EU countries require that a copy of the executed agreement with the standard clauses be deposited with the regulatory authority; this is not the case in the UK.

US Safe Harbor Framework to Facilitate Business with EU States
- The "Safe Harbor" Framework bridges the different privacy approaches
- Is a streamlined means for US organizations to comply with the Directive
- The U.S. Department of Commerce created the Safe Harbor Framework in consultation with the European Commission
- The Safe Harbor, approved by the EU in 2000, is important for U.S. companies to avoid interruptions to dealings with entities in the EU or facing prosecution in the EU
- Certifying to the Safe Harbor assures EU organizations that the US company provides "adequate" privacy protection, as defined by the Directive.
- More than 933 members registered with the Department of Commerce (some registrations are not current)

Safe Harbor
- Result of the US and EU's expressed commitment to bridging different approaches to privacy while maintaining data flows and a high level of privacy protection.
- The FTC Act permitted each side to maintain their position
- U.S. companies made voluntary commitments.
- The EU was satisfied because the FTC Act made those commitments legally binding.

Safe Harbor
- It recognizes and implements principles of the EU Data Directive.
- Creates a system of notice, opt-out, opt-in for certain sensitive information, control of subsequent transfers, data security and integrity systems.
- The Safe Harbor framework includes:
  - 7 privacy principles
  - 15 FAQs
  - EU's adequacy determination
  - Letters between DoC and the European Commission

Other options: Model (standard) Contracts
- EU-based exporters or U.S.-based importers of personal data can also satisfy the adequacy requirements by including privacy clauses in contracts they sign with each other.
- The EC has approved two types of clauses:
  - controller-to-controller transfers
  - controller-to-processor transfers
- The latter concerns transfers between data controllers based in the EU and processors outside the EU.

Model Contracts
- Enforcement is in Europe
- Potentially different interpretation and enforcement approaches in different member states
- Potential for member states to add contractual requirements
- Joint and several liability
- Higher standards than the Safe Harbor

Penalties Under the EU Directive
- Each Member State's national laws will determine the penalty
- For instance, under the UK Data Protection Act 1998 the regulatory authority, the Information Commissioner, also imposes the penalty: fines; and documents that infringe privacy to be forfeited, destroyed or erased.

The Safe Harbor Principles
An organization entering the Safe Harbor must adhere to 7 principles:
- Notice
- Choice
- Onward transfer
- Security
- Data integrity
- Access
- Enforcement

Safe Harbor Pros/Cons
- Public attention/positive privacy image
- Added liability
- Increased compliance flexibility
- EU-wide solution
- Response to customer concerns
- Dispute jurisdiction
- Unavailable to financial services firms

Enforcement of Safe Harbor Principles
- Enforced by US government agencies
- One set of rules
- Less specific standards, only principles specified
- Eliminates model contract burdens and onerous negotiations

Some US Laws
- Gramm-Leach-Bliley Act (GLBA)
- Fair Credit Reporting Act
- The Sarbanes-Oxley (SOX) Act
- Right to Financial Privacy Act
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Children's Online Privacy Protection Act (COPPA)

Some More US Laws
- The Electronic Fund Transfer Act
- Right to Financial Privacy Act
- Provisions of the Federal Trade Commission
- The Driver's Privacy Protection Act:
  - Restricts the ability of Motor Vehicle Departments to disclose motor vehicle operator permits, motor vehicle titles and motor vehicle registrations.
  - Information on accidents, driving violations and driver's status is expressly excluded from the federal disclosure rules.
  - Violations are punishable by a criminal fine or by civil fine against the Department of Motor Vehicles.

The Privacy Act of 1974
- Establishes citizens' rights against the Government:
  - to know what information the Government collects from them,
  - why it is collecting it,
  - who has accessed the information
- Allows citizens to receive a copy of the information.
- Governs the activities of federal agencies with regard to why they may or may not collect certain pieces of data.

Gramm-Leach-Bliley Act (GLBA)
- Applies to financial institutions: national banks, banks' financial and operating subsidiaries
- Affects how institutions share information
- Restricts transmission to third parties
- Exceptions: disclosure to affiliated third parties
- Transfer of data
- Prohibits disclosures for marketing purposes.

GLBA
Organizations must:
- Deliver privacy policies to each customer
- Provide a reasonable opportunity to opt out of certain information sharing arrangements
- Develop, implement and maintain a comprehensive information security program.
- The program must include administrative, technical and physical safeguards appropriate to the

The Fair Credit Reporting Act (FCRA)
- Applicable to: credit rating agencies and in some instances to banks and other financial service providers
- Affects customers' credit reports pertaining to: credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living

FCRA
- FCRA sets standards for: collection; communication; and use of credit-related information
- FCRA requirements include:
  - Furnishing consumer reports only for permissible purposes
  - Maintaining high standards
  - Ensuring accuracy
  - Enabling individuals to correct misinformation
  - Resolving customer disputes

The Sarbanes-Oxley (SOX) Act
- A reactionary measure to US corporate scandals; has a significant impact on US companies as well as auditing firms.
- Intended to strengthen corporate governance and restore investors' confidence.
- Companies must attest that outsourcing firms have internal controls in place to comply with SOX and other regulations.

Sarbanes-Oxley
- Legislation is wide-ranging and establishes new or enhanced standards for all US public company boards, management, and public accounting firms.
- Contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties.
- Requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.

The Health Insurance Portability and Accountability Act (HIPAA)
- Establishes privacy protection for health care information.
- HIPAA provisions apply to organizations that offer health plans, doctors, hospitals and other health care providers and in turn the medical transcription industry
- Limits the use of patient information
- In most cases would extend to the offshored activity of the organizations

HIPAA Contd.
- Information may be disclosed to a business associate if the data owner obtains satisfactory assurance in a written agreement that the information will be safeguarded
- The data owner will most likely require business associates to agree to the same obligations that apply to the covered entity.

HIPAA Compliance
- Self-assessments, employee training, and increased technological capacities
- Administrative, technical, and physical safeguards must reasonably safeguard from any intentional or unintentional use or disclosure that is in violation of the standard
- Implementation specifications or other requirements of (Company's Privacy Rules).
- Business associates would have to comply too.

The Telephone Consumer Protection Act (TCPA)
- Restricts the use of the telephone and facsimile machine to deliver unsolicited advertisements.
- Prohibits the delivery of artificial or prerecorded messages to residences
- Once a consumer asks not to receive calls from a particular company, that company may not call that consumer.

TCPA & Related FCC Rules
- Exempts autodialed calls to emergency telephone lines, health care facilities, paging services, cellular telephones, and any service for which the called party is charged for the call
- Enforcement: a National Do-Not-Call Registry
  - It includes all telemarketers (with the exception of certain nonprofit organizations)
  - Covers both interstate and intrastate telemarketing calls
  - Consumers can place their telephone numbers on the registry through one telephone call or one Web click.

Other US laws
- The Fair and Accurate Credit Transactions Act of 2003: disposal of records (affects almost every business in the US).
- US Patriot Act: affects bank secrecy to combat money laundering, terrorism and criminal behavior.

More US Laws
- The Video Privacy Protection Act
  - Forbids a video rental or sales outlet from disclosing information concerning what tapes a person borrows/buys or releasing identifiable information.
  - Enforced through civil liability action.
- Electronic Communications Privacy Act
  - Prohibits the unauthorized interception or disclosure of many types of electronic communications including telephone conversations and electronic mail, although disclosure by one of the parties to the communication is permitted.
  - Applies both to the Government and private persons and entities.
  - Violations are subject to civil and criminal penalties.

Data Protection Laws in the US: Electronic Funds Transfer Act
- Requires institutions which deal with electronic banking services to inform their consumers of the circumstances under which automated bank account information will be disclosed to third parties in the ordinary course of business.
- Violators are subject to civil and/or criminal penalties.
- Enforced by the Federal Reserve Board.

Data Protection Laws in the US
- Right to Financial Privacy Act
  - Mandates that the Federal Government present proper legal process or a formal written request to inspect an individual's financial records kept by a financial institution, including credit card companies
  - Gives simultaneous notice to the consumer to provide him/her with the opportunity to object. Provides for civil liability.
- The Cable Communications Policy Act as amended by the Cable Television Consumer Protection Act
  - Establishes written disclosure requirements regarding the collection and use of personally identifiable information by cable television service providers
  - Prohibits the sharing of such information without prior consent.

Communications Act
- Requires the Telecommunications Commission to protect the confidentiality of customer proprietary network information
- Includes the destinations and numbers of calls made by customers
- Except as required to provide the customer's telecommunications service or pursuant to consumer consent.
- Penalties may include attorneys' fees and punitive damages and reasonable litigation costs in addition to actual damages

Penalties
- Each violation of COPPA (The Children's Online Privacy Protection Act) invokes a penalty of $11,000.
- Penalty: actual damages, statutory damages up to $1,000, punitive damages per violation (no cap on class action damages), attorney fees and civil penalties up to $2,500

Penalties: HIPAA violations
- Certain violations attract a US$100 penalty for each violation
- The total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed US$25,000.
- Knowing wrongful disclosure invokes a penalty of US$50,000 and/or imprisonment up to one year
- Under false pretenses, the offender may be fined up to US$100,000 and/or imprisoned up to 5 years; the penalty is increased respectively to US$250,000 and 10 years if the offense is committed with intent to gain commercial advantage for violating HIPAA.

Penalties
- The penalties for violating GLBA are steep and cost up to $11,000 per day
- Penalties for violation of FACTA's (Fair and Accurate Credit Transactions Act) rule of disposal, which affects most businesses: actual damages, statutory damages, punitive damages per violation, attorneys' fees and penalties up to US$2,500 and imprisonment of not more than 2 years.
- Penalties for violation of FCRA (Fair Credit Reporting Act): damages of not less than $100 and civil penalty of not more than $2,500 per violation or punitive damages and imprisonment up to 2 years.

US or State Laws and Pending Bills
- US States have laws or pending bills to:
  - Regulate privacy and personal data;
  - Impose obligations on call center activities;
  - Try to minimize or ban offshoring of state contracts;
- Some of these measures are protective of the US workforce.
- Many of the bills may fail, be significantly diluted or be challenged on grounds of constitutionality or found to violate international trade agreements.

Bills or recent laws that curtail the granting of state contracts to non-US workers or restrict performance of state contracts outside the US
- New York;
- Massachusetts;
- Texas;
- Oregon;
- Pennsylvania;
- Florida;
- Maryland;
- Missouri; and
- Nevada

California Privacy Laws
- Law of Notice of Security Breach: an owner of personal information who becomes aware of a breach of security must disclose the breach to every resident of California whose unencrypted personal information was, or is believed to have been, accessed by an unauthorized person.
- Privacy of financial information: stricter than GLBA; requires affirmative opt-in for sharing of information with third parties, provides for opt-out for sharing with affiliates unless in the same line of business under the same name.

California Privacy Laws
- Online Privacy Act
- Information sharing disclosure: a business having personal information of a California resident must give a list of categories of information shared with third parties with the names and contact information of the third parties, OR provide a conspicuous privacy statement with a cost-free opt-out prior to the disclosure.

Prohibitions on the Transmission of Information
- Tennessee requires the express written permission of a customer before sending any financial, credit or identifying information to a foreign country.
- In California, proposed legislation requires strict privacy compliance when sending an individual's personal information abroad.

Protectionism - Implications for the US and the World
- Creates friction and hurdles in commercial activities
- Effective measures to stifle meaningful outsourcing
- US companies will be less competitive and will put even more jobs in danger if they cannot benefit from service cost arbitrage
- Deterrent to American companies from offshoring medical, accounting, financial consulting or other information-based services overseas
- Absence of legal ramifications does not alleviate the harm to public image

Protectionism - Implications for the US and the World
- Legislation banning state awards of grants, loans, or tax credits to companies that outsource
- Protectionist measures only affect the immediate future.
- Offshoring is a valuable tool for American business.
- American businessmen are very innovative

Non-Delegable Responsibilities for Offshored Work
- Data protection laws that are modeled on the European regime are aimed at data controllers or processors without regard to any employment relationship.
- The customer retains legal responsibility for transgressions by the sourced processor abroad.

Canada Legislation
- Legislation similar to the EU Data Privacy Directive.
- Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA)
- PIPEDA creates a Privacy Commissioner. Citizens may bring complaints to the Commissioner, who has the power to enforce the Act in Canadian Federal Court.
- PIPEDA requires prior consent before disclosure and prohibits disclosure without consent. A strong opt-in provision; the Act clearly covers businesses based outside of Canada who collect, use, or transfer data including personal information about individuals within Canada.

Strategies to Optimize Opportunities in the Face of International Laws
Suggested Best Practices for Working Managers and Chief Executives

Compliance
- Conducting an inventory of information collection and disclosure practices;
- Evaluating agreements with third parties that involve the disclosure of consumer information
- Establishing mechanisms to handle opt-out elections by consumers
- Developing or revising existing privacy policies
- Determining how to deliver privacy notices to consumers (by the data controller in the US)
- Establishing employee training and compliance programs
- Setting targets for implementation and regular checks of the compliance program

Non-tangible Essentials
- Honesty
- Flexibility
- Transparency
Supported by contracts that adequately address the risks associated with the outsourced service, be it the risk of the OSP's capabilities or of the customer's compliance needs

Effective and Comprehensive Contracts
- Clear and unambiguous contracts
- Flexibility in contracts
- Service level contracts
- Employee contracts
- Limitations on liability
- Confidentiality contracts
- Third party licenses and service contracts
- Service level breakdown
- Transition and exit procedures
- Dispute resolution
- Alternate dispute resolution
- Governing law and jurisdiction


    Contracts

Aspects of Business Continuity

Compliance with legal and regulatory requirements pertaining to the OSP's country and the customer's country

HR Training Requirements

    Confidentiality

Choice of law (there may be more than one, governing different aspects of the contract)


Contracts (Contd.)

Adopting the EU model contractual provisions in contracts to mitigate EU Directive compliance problems

Careful and clear allocation of responsibility between the OSP and the customer for violations of the rights of third parties and, indeed, liability for punitive damages.

Careful consideration before granting the customer an indemnity in the contract.

    Any liability agreement should include a cap.


Management Related Best Practices

    Due Diligence by both parties

Commitment of the negotiating representative and senior management staff to ensure security and compliance

    Regular and frequent monitoring of the relationship

Ensure that knowledge of compliance policies percolates through all operational levels

    Technical and Physical Security of Infrastructure

Operational protection measures:

- No devices that can save data locally

- Communication restrictions


Management Related Best Practices (Contd.)

Dedicated Physical Security Officer appointed by the OSP

    Onsite Manager appointed by the customer

Dedicated and trained (in the requirements) Compliance Officer

OSPs should configure a complex matrix of capabilities, scale, skills, language, management and infrastructure when making commitments.


Management Related Best Practices (Contd.)

Consolidate information for managing business performance

    Improve Business Intelligence

Periodically assess internal controls

Record management and provisions to examine audit trails

Monitoring, managing and transforming the services


Management Related Best Practices (Contd.)

Standard written internal company practices to enhance security, with recorded Standard Operating Procedures manuals

    Disaster Recovery Plan

Insurance to cover risks of security breaches and/or loss of data

Insurance to cover the risk of claims arising out of the quality, timeliness and quantity of services

Employ certified security professionals


Employee Related Best Practices

    Employee Background Checks

Centralized data bank of all BPO-related employees, which helps identify prior violators (as initiated by NASSCOM)

Need-based dissemination of information: division of process, access and/or control

Technical limitations on access to, or communication between, different processes

Standard written internal company practices to enhance security, with recorded Standard Operating Procedures manuals


    Technological Best Practices

    Encryption

Installing and using standardized technical measures


Industry Related Best Practices

Establishment of an independent governing body to regulate the industry

Independent certification against security standards. Some certifying authorities:

- British Standards Institute (BSI): BS 7799 / ISO 17799

- Det Norske Veritas (DNV)

- Standardization Testing Quality Certification (STQC, Govt. of India)

- KPMG

- Ernst & Young

    Self-Regulation and Compliance Training

The OSP should inform the customer about any infractions to mitigate damage


Industry Related Best Practices (Contd.)

Cardholder Information Security Program (CISP)

Payment Card Industry (PCI) Data Security Standard, to safeguard sensitive data for all card brands; the result of a collaboration between Visa and MasterCard, it creates common industry security requirements endorsed by the other card services


Industry Related Best Practices (Contd.)

Technology Regulation and Certification

COBIT (Control Objectives for Information and related Technology, by ISACA), commonly used alongside ITIL

ITIL (the IT Infrastructure Library), from the Office of Government Commerce (UK), is the most widely accepted approach to IT service management


Relevance of US Laws to Indian Businesses

    Extraterritorial reach?

Affect the conduct of business (both onshore and offshore).

    Stringent reporting requirements and penalties.

    Assumption of liability under contract.

Choice of law of a foreign jurisdiction automatically extends liability.


    Future

The Indian-US security forum is shortly to sign an MoU formalizing the roadmap for co-operation on information security issues

Industry could lobby the Government:

- To create an Indian version of the Safe Harbor

- To provide a regulatory authority and framework, like SEBI and the SEBI guidelines, to protect privacy

- The amendments to the IT Act should be in sync with global laws and trends.

    Conclusion


    Factors that nurture BPOs also spawn crimes.

Elaborate, onerous technical security measures reduce productivity and erode employee motivation.

    Combination of Best Practices.

US protectionist measures are likely to have an adverse effect upon both the US and the global economy.

Laws will have to evolve to govern the runaway proliferation of outsourcing.

    Fraud and Data Violations can occur anywhere in the world.


    Data Protection Strategy

    Organize

    Determine the scope

    Assign resources

Separate duties where sensitive data resides


    Data Protection Strategy

    Assess Data Risk

    Identify sensitive and critical data

    Perform risk analysis of entire backup process

Conduct a cost/benefit analysis on backup data encryption

Inform business managers of risk solutions and costs


    Data Protection Strategy

Develop a Backup Data Protection Program

    Devise a multi-layered approach that includes

    Authentication

    Authorization

    Encryption

    Auditing

Copy the backup data; get that copy off-site, off-line and out of reach


    Data Protection Strategy

    Develop a Backup Data Protection Program

    End-to-end chain of custody

    Need a sound method to track backup media when moved

    Report daily on tapes sent off-site and those on-site

Reconcile tapes off-site against tapes on-site to account for all media

Destroy all media once it has become obsolete; get a certificate of destruction
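The chain-of-custody steps above (track media whenever it moves, report daily on what is off-site and on-site, reconcile so that every tape is accounted for, and record destruction) can be implemented as a small hash-chained ledger plus a daily reconciliation against the physical shelf scan and the vault's manifest. The following Python is an added example written for this edit; it is not code from the seminar or from any BPO, and the tape IDs, dates, event vocabulary and actor names are constructed for illustration.

```python
"""Backup-media chain-of-custody ledger with daily reconciliation.

Added example. Media IDs, dates, event names and actors are constructed
for illustration and do not describe any real organisation.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass

# Each custody event moves the media to a known location (hypothetical vocabulary).
EVENT_LOCATION = {
    "created": "onsite",
    "shipped": "in-transit",
    "received": "offsite",
    "recalled": "in-transit",
    "returned": "onsite",
    "destroyed": "destroyed",
}


@dataclass
class Entry:
    media_id: str
    event: str
    location: str
    day: str          # ISO date, so plain string comparison orders correctly
    actor: str
    prev_hash: str    # hash of the previous entry: editing history breaks the chain
    entry_hash: str = ""


def _digest(entry: Entry) -> str:
    """SHA-256 over every field except the entry's own hash."""
    body = asdict(entry)
    body.pop("entry_hash")
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    """Append-only, hash-chained record of where each tape is."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def record(self, media_id: str, event: str, day: str, actor: str) -> Entry:
        if event not in EVENT_LOCATION:
            raise ValueError(f"unknown custody event {event!r}")
        prev = self.entries[-1].entry_hash if self.entries else "0" * 64
        entry = Entry(media_id, event, EVENT_LOCATION[event], day, actor, prev)
        entry.entry_hash = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry makes this False."""
        prev = "0" * 64
        for entry in self.entries:
            if entry.prev_hash != prev or _digest(entry) != entry.entry_hash:
                return False
            prev = entry.entry_hash
        return True

    def locations(self, as_of: str) -> dict[str, str]:
        """Last recorded location of every media item on or before as_of."""
        where: dict[str, str] = {}
        for entry in self.entries:
            if entry.day <= as_of:
                where[entry.media_id] = entry.location
        return where

    def reconcile(self, as_of: str, onsite_scan, offsite_manifest) -> dict:
        """Daily report: ledger expectations versus the physical shelf scan
        on-site and the vault's manifest off-site. Anything in the four
        missing/unexpected lists is unaccounted-for media."""
        expected = self.locations(as_of)
        exp_on = {m for m, loc in expected.items() if loc == "onsite"}
        exp_off = {m for m, loc in expected.items() if loc == "offsite"}
        return {
            "missing_onsite": sorted(exp_on - set(onsite_scan)),
            "missing_offsite": sorted(exp_off - set(offsite_manifest)),
            "unexpected_onsite": sorted(set(onsite_scan) - exp_on),
            "unexpected_offsite": sorted(set(offsite_manifest) - exp_off),
            "in_transit": sorted(m for m, loc in expected.items() if loc == "in-transit"),
        }


def build_sample_ledger() -> CustodyLedger:
    """Constructed sample history for one week of tape movements."""
    ledger = CustodyLedger()
    ledger.record("TAPE-001", "created", "2013-04-08", "backup-operator")
    ledger.record("TAPE-002", "created", "2013-04-08", "backup-operator")
    ledger.record("TAPE-003", "created", "2013-04-09", "backup-operator")
    ledger.record("TAPE-001", "shipped", "2013-04-10", "courier")
    ledger.record("TAPE-001", "received", "2013-04-10", "vault-clerk")
    ledger.record("TAPE-002", "shipped", "2013-04-11", "courier")  # vault never acknowledged it
    ledger.record("TAPE-003", "destroyed", "2013-04-12", "shredding-vendor")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    # TAPE-004 sits on the shelf with no ledger history; TAPE-002 is still in transit.
    print(json.dumps(ledger.reconcile("2013-04-12", ["TAPE-004"], ["TAPE-001"]), indent=2))
```

The hash chain is what turns the ledger into an examinable audit trail: a clerk who alters an earlier entry to hide a lost tape invalidates every later hash, so `verify()` fails. Keeping "in-transit" as its own state separates a tape the courier has but the vault has not yet signed for from one that is genuinely missing, and the report flags media found on the shelf with no history at all, which is the case a simple on-site count would silently accept.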


    Data Protection Strategy

Develop a Backup Data Protection Program

Protect all the backup data

Consider the use of technologies like electronic vaulting to securely back up distributed data

Not protecting this data exposes it to potential risk and unauthorized access


    Data Protection Strategy

    Implement the Plan

Execute the plan based on the standard guideline developed

Train staff

Communicate the process to the organization


Data Protection Strategy

Test the Process

Periodically test the process; understand if some backup data is left exposed, and where

- Recommend improvements

- Decide on corrective actions

Conduct disaster recovery tests to ensure you can recover the data

Change the data protection process as the business changes


Conclusions

The Data Protection Directive was not conceived with e-commerce in mind and raises numerous problems and legal uncertainty

Government control and discretionary authority are inconsistent with an innovative information society and consumer choice

Data protection applies even if the consumer does not want it, resulting in paternalism.

    Privacy protection increases risk of fraud

The EC exports its consumer and data protection regime to the rest of the world, thus reducing the availability of e-commerce services and making them more expensive.


    Conclusions

    There is cost to privacy protection

In a market setting, the cost is self-limiting

Government's monopoly over force and the absence of a self-limiting mechanism are differences that should have consequences

The privacy versus security debate highlights the problems of quantifying the cost of privacy


Thank You

Poorvi Chothani, Esq.

    LawQuest

    36, Maker Tower F

    Cuffe Parade

    Mumbai 400 005

E-mail [email protected]

Tel: 00 91 22 6654 1671