People are beginning to notice this phenomenal rate of growth, and some companies are seeing incredible economic opportunities. However, the fact that the field has grown so quickly and so dynamically means that some of the lessons we've learned in the past about security and privacy are not being employed-in the interest of first-to- market opportunities-and the lack of oversight has many wondering about the unknown unknowns. The lack of recognition about the seriousness of this threat to companies and governments leads to a lack of security sufficient to defend against attacks.

The U.S. Congress, since 2012, has proposed more than 100 pieces of legislation related to Internet security and privacy. Only a couple were actually signed into law, but continuing security incidents, such as the breach of Sony's network and subsequent hostage-taking of one of its movies, have created greater awareness of security issues that will surely prompt more attempts at legislation and regulation. In fact, as of this writing, at least 10 pieces of legislation are being considered on Capitol Hill. In its report, the FTC endorsed strong, flexible, and technology-neutral general legislation but added that IoT-specific legislation would be premature, as the field is still in its early stages of development. They would prefer to see industry adopt self-regulatory practices.

At the corporate or company level, though, there is much decision makers can do now to address security and privacy concerns. Much of that involves adopting a forward-thinking attitude about the IoT and its role.

First is to understand that the IoT is not a possibility or a projection of the future-it is a reality. It is here now and will only continue to grow and affect every facet of our world.

The IoT carries with it many risks and challenges; it's the companies and organizations that address those issues head on that will survive. Conventional approaches to network security will likely have to be rethought.

Companies and organizations should stay up to date with evolving vulnerability assessments and advancements in security solutions. This also applies to administrators and executives, who should become fluent in the language that describes IoT capabilities, trends, and risks so that they can make more relevant and responsive decisions for their shareholders and customers. Administrators should attend conferences and industry events when possible as well.

Here is what we should consider now:

• Standardization of security protocols in the IoT space must be made an industry- wide priority.
• When breaches to networks do occur, it's important to notify consumers quickly so that they can protect themselves from the misuse of their data.
• Such breaches should also prompt industry-coordinated action to address the vulnerabilities exposed and propagate industry standards.
• Companies can give themselves some degree of protection also by entering into legal agreements with IoT vendors to provide adequate, tested, and updated security measures and to guard against the unauthorized access of sensitive information.

Remember that IoT security is not a battle that can be won and left behind. It is a war that will be fought for the foreseeable future-the proverbial marathon versus a sprint.

Keep in mind also that the IoT challenges we face mean a tremendous opportunity for fresh thinking. The future of the Internet, which carries with it the future of our world, is ours for the making. If you've read Isaac Asimov, you know that he was visionary about the future of technology. In his science fiction composed in the 1940s, he wrote, "No sensible decision can be made any longer without taking into account not only the world as it is, but the world as it will be."

That realization is more important now than ever before because someday soon we'll almost certainly ask why things aren't connected to the Internet rather than why they are connected.

Download your copy of Navigating the Digital Age to learn more about IoT, mobile security and the prevention of advanced cyber threats. Get the book here.

• The scope and type of data maintained by the company and the location and manner in which, and by whom, such data are used, transmitted, handled, and stored
• The organization's network infrastructure
• The organization's cybersecurity, privacy, and data protection practices
• The organization's state of compliance with regulatory and industry standards
• The use of unencrypted mobile and other portable devices.

Don't count on it. Cybersecurity is taking its place among the catalog of enterprise risks that demand boardroom attention for the long term. It comes along with the digital transformation that is sweeping through virtually all industries in the global economy. As businesses "digitize" all aspects of their operations, from customer interactions to partner relationships in their supply chains, entire corporations become electronically exposed-and vulnerable to cyberattack.

Cybersecurity risk is not new. However, in the last two years multiple high-profile attacks have hit brands we all trusted with our personal information, making for big headlines in the media and significant reputational and financial damage for many of the victimized companies. What's more, corporate heads have rolled: CIOs and even CEOs have departed as a direct result of breaches. The ripple effect continues. Cybersecurity legislation is a perennial agenda item for governments and regulators around the world, and shareholder derivative lawsuits have struck the boards of companies hit by high-profile cyberattacks.

Although directors have added cybersecurity enterprise risk to their agendas, there is no standard way for boards to think about cybersecurity, much less time-tested guidelines to help them navigate the issue. This chapter's goal is to help directors evolve their mindsets for thinking about the enterprise risk associated with cybersecurity and provide a simple blueprint to help directors incorporate cybersecurity into the board's overall enterprise risk strategy.

Establishing the right blueprint for boardroom cybersecurity review

For boards, cybersecurity is an issue of enterprise risk. As with all enterprise risks, the key focus is mitigation, not prevention. This universally understood enterprise risk guideline is especially helpful in the context of cybersecurity because no one can prevent all cyber breaches. Every company is a target, and a sufficiently motivated and well-resourced adversary can and will get into a company's network.

Consequently, terms like "cyber defense" are insufficient descriptors of an effective posture because they evoke the image that corporations can establish an invincible perimeter around their networks to prevent access by bad actors. Today, it's more accurate to think of the board-level cybersecurity review goal as "cyber resilience." The idea behind the cyber resilience mindset is that, because you know network breaches will happen, it is more important to focus on preparing to meet cyberthreats as rapidly as possible and on mitigating the associated risks.

Also important to a board member's cybersecurity mindset is to be free from fear of the technology. Remember, the issue is enterprise risk-not technical solutions. Just as you need not understand internal combustion engine technology to write rules for safe driving, you need not be excluded from the cybersecurity risk discussion based on lack of technology acumen. Although this is liberating, in a sense, there is also a price: directors cannot deny their fiduciary responsibility to oversee cybersecurity risk based on lack of technology acumen.

Given a focus on enterprise risk (not technology) and risk mitigation (not attack prevention), the correct blueprint for cyber-security review at the board level can best be expressed through the following three high-level questions:

• Has your organization appropriately assessed all its cybersecurity-related risks? What reasonable steps have you taken to evaluate those risks?
• Have you appropriately prioritized your cybersecurity risks, from most critical to noncritical? Are these priorities properly aligned with corporate strategy, other business requirements, and a customized assessment of your organization's cyber vulnerabilities?
• What actions are you taking to mitigate cybersecurity risks? Do you have a regularly tested, resilience-inspired incident response plan with which to address cyberthreats?

Naturally, these questions are proxies for the industry-specific and/or situation-specific questions particular to each organization that will result in that organization's most productive cybersecurity review. The key to formulating the relevant questions for your organization is to find the right balance between asking enough to achieve the assurance appropriate to board oversight, but not so much that management ends up spinning wheels unnecessarily.

How much board oversight is too much when it comes to cybersecurity? Learn more about board-level governance in Navigating the Digital Age. Get the book here.

In our experience, every CISO candidate asks four overarching questions when evaluating an opportunity:

1. "Who is my sponsor and how much influence does he or she have?"

This is likely to be the first question on the CISO candidate's mind, and he or she is thinking about this issue in at least two specific ways. First, although the CISO is likely to have some interaction with the board and C-suite, there will still be many conversations that affect the information security function to which the CISO will not be privy. As a result, the CISO will have to rely his or her supervisor to act as an effective intermediary in advocating for resources and policy initiatives and in educating the board and CEO on information security issues as they unfold. Second, when the CISO needs to take an unpopular position to strengthen an organization's information security profile, he or she has to know there will be support in high places.

2. "How deep is the organization's commitment to information security?"

This is more than a question of staff and budget allocation, although those elements are certainly important. The CISO wants to know that the C-suite and the board appreciate the complexity and uncertainty at the core of the information security function and the need for making everyone in the organization, top to bottom, responsible for security. For the CISO to be successful, he or she must be empowered to act and be armed with the necessary resources to deploy both in times of normalcy and crisis. Although the CISO expects organizations to have high standards, he or she will avoid enterprises who reflexively cycle through security teams.

3."What key performance indicators will I be measured against?"

Given that every large organization must assume that it is continually under cyberattack, it follows that security breaches are a matter of not "if" but "when." Therefore, it is not realistic for a company to hold its CISO to a "one strike and you're out" performance benchmark. The conversation about expectations is just as important as the ones about resources, reporting lines, and compensation.

4. "Where will I be in five years?"

Those who lead the information security function are like other functional leaders in their range of career ambitions. For some, the opportunity to lead the function at a quality organization is the goal; others, however, are looking ahead to a CIO role or even a broader role in organizational leadership. It is important to understand each candidate's desires against what the organization can offer. Remember that the CISO's reporting relationship will be one factor that frames this issue in his or her mind.

For more information on what to expect and consider while hiring a CISO, download your copy of Navigating the Digital Age. Get the book here.

• whether and how often the vendor has experienced cybersecurity incidents in the past, the severity of those incidents, and the quality of the vendor's response
• whether the vendor maintains cybersecurity policies, such as whether the vendor has a written security policy or plan
• organizational considerations, such as whether the vendor maintains sufficient and appropriately trained personnel to protect the data and/or service at issue and respond to incidents
• human resources practices, particularly background screening employees, cybersecurity training, and the handling of terminations
• access controls, particularly whether controls are in place that restrict access to information and uniquely identify users such that access attempts can be monitored and reviewed
• encryption practices, including whether information is encrypted at rest, whether information transmitted to or from the vendor is properly encrypted, and whether cryptographic keys are properly managed
• evaluation of in what country any data will be stored
• the vendor's policies regarding the secondary use of customer data, and whether IT systems are created in such a way as to respect limitations on secondary use
• physical security, including resilience and disaster recovery functions and the use of personnel and technology to prevent unauthorized physical access to facilities back-up and recovery practices
• change control management, including protocols on the installation of and execution of software
• system acquisition, development, and maintenance to manage risk from software development or the deployment of new software or hardware
• risk management of the vendor's own third-party vendors
• incident response plans, including whether evidence of an incident is collected and retained so as to be presentable to a court and whether the vendor periodically tests its response capabilities
• whether the vendor conducts regular, independent audits of its privacy and information security practices

• 

  Sure Thing:

  Cyber insurance products that have traditionally focused on enterprise data security and privacy liability will continue to evolve to also address additional consequences including property damage, business interruption and bodily injury.
• 

  Sure Thing:

  CISOs (Chief Information Security Officers) will continue to have a bigger say, and in some cases become the key enterprise decision maker, in deciding whether to invest in cyber insurance of not.
• 

  Long Shot:

  The risk relationship between CISOs and Insurers will become more aligned - Insurers will start to understand better how investment in specific enterprise controls moves the risk needle, and in return will offer incentives such as lower premium for making that investment.  

Executive Summary

Introduction and Full Disclosure

• 5 CEOs (including ours)
• 4 CISOs/CIOs
• 6 Company executives (including one of ours)
• 1 Academic
• 14 Legal firms
• 1 Government official
• 3 Economics experts

• 5 essays on preventing material impact
• 2 essays on fundamental principles
• 1 essay on information sharing
• 1 essay on threat prevention
• 12 essays on what board members should be thinking about
• 22 essays on what the C-Suite should be thinking about

The Fundamental Principle – Prevent Material Impact

The Standards

1. Establish organization-wide information security (not just cyber but physical and logical as well).
2. Adopt a risk-based approach (just like every other company decision).
3. Set the direction of investment decisions (in terms of preventing material impact from cyber risk).
4. Ensure conformance with internal and external requirements (external regulations, internal policy, audit to make sure it gets done).
5. Foster a security-positive environment (from the top down).
6. Review performance in relation to business outcomes (evaluate security programs in terms of risk mitigation to the business – not for the sake of security alone).

1. Evaluate
2. Direct
3. Monitor
4. Communicate
5. Assure

1. Treat cyber risk as an enterprise risk.
2. Understand the legal implications of cyber risk.
3. Discuss cyber risk at board meetings, giving it equal footing with other risks.
4. Require management to have a measurable cybersecurity plan.
5. Develop a board-level plan for how to address cyber risk, including which risks should be avoided, accepted, mitigated or transferred via insurance.

Where Should the CISO Work?

Which Committees?

Litigation and Legal Challenges

1. That the directors breached their fiduciary duties by making a decision that was ill-advised or negligent.
2. By failing to act in the face of a reasonably known cybersecurity threat.

Disconnect Between Stock Holders and Board Members

• 74 percent of investors believe it is important for directors to discuss their company’s crisis response plan in the event of a major security breach.
• 52 percent reported having such discussions.

• 74 percent of investors urged boards to boost cyber risk disclosures in response to the SEC’s guidance.
• 38 percent of directors reported discussing the topic.

• 68 percent of investors believe it is important for directors to discuss engaging an outside cybersecurity expert.
• 42 percent of directors had done so.

• 55 percent of investors said it was important for boards to consider designating a chief information security officer.
• 26 percent reported that such a personnel move had been discussed in the boardroom.

• 45 percent of investors believe this is important.
• 21 percent use it.

Disclosure

• One or more cyber incidents materially affected the company’s products, services, customer or supplier relationships, or competitive conditions.
• If any litigation emerges as a result of a cyber incident.
• If significant costs are associated with cyber preparedness or remediation.

Conclusion

References

• “Advisory Group Opposes Re-election of Most of Target’s Board,” by Elizabeth A. Harris, The New York Times, 28 May 2014, Last Visited 9 January 2016
• “CYBERSECURITY CANON AWARD WINNERS: 2015 Award Winners,” Palo Alto Networks, Last Visited 12 January 2016
• “Data Breaches Hit the Board Room: How to Address Claims Against Directors & Officers,” by Jon Talotta, Michelle Kisloff, & Christopher Pickens, Hogan & Lovells: Chronicle of Data Protection, 23 January 2015, Last Visited 9 January 2016
• “Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats,” by the World Economic Forum, 2015, Last Visited 20160109
• “Target Directors and Officers Hit with Derivative Suits Based on Data Breach,” by Kevin LaCroix, The D&O Diary, 3 February 2014, Last Visited 9 January 2016
• “Why Data Breaches Don’t Hurt Stock Prices,” by Elena Kvochko and Rajiv Pant, Harvard Business Review, 31 March 2015, Last Visited 12 January 2016

Combined Authors

• Create an environment in which self- directed employee actions reflect a high degree of institutional integrity and personal reliability.
• Articulate clear expectations in an enterprise Acceptable Use Policy governing IT resources. This should be a formal signed agreement between the company and each employee and external party who has access to the enterprise IT resources or facilities.
• Create a safe environment in which to self-report accidental actions that jeopardize security. Removing the stigma of having inadvertently committed a security violation can help minimize impact and help everyone learn.
• Provide regular insider threat awareness training as well as realistic phishing training exercises. An organized phishing awareness exercise program can raise the company's standard of performance in this critical area.
• Establish a set of institutional values reflecting the desired culture, select leaders based on their adherence to these values, and include demonstration of these values as an item on employee performance assessments.

• Creation and oversight of policies related to the management of insider risk
• Regularized workflow, processes, and meetings to actively and collectively review threat intelligence, the internal threat landscape, internal indicators of risk, insider events, sponsored activities, and trends from each sub-discipline
• Implementation and oversight of personnel reliability processes from pre-employment background checks to off-boarding procedures to assess and act upon personnel security risks, behavioral risk indicators, and individual vulnerability to compromise
• Decision-making authority pertaining to the integration of programs within each vertical, the aggregation of insider risk data across the verticals, and the corporate response to insider events
• Definition of requirements for employee training and awareness of insider threats and prevention measures.

• Access controls, particularly for privileged users (those with administrative authority)
• Data protection, including encryption, data loss prevention technology, data backups, and exfiltration monitoring
• Configuration management and secure configurations
• Vulnerability and patch management
• Internal network segmentation

• email behavior: volume, content, and addressees; presence and type of attachments
• workday activities: patterns of on/off duty time, including weekdays, weekends, and holidays; location
• job performance: performance reviews, productivity, and time accountability
• indicators of affiliation: degree of participation in company- sponsored activities; indications of discontent through online behavior and social media usage

• Does executive leadership have a clear and consistent understanding of cybersecurity relative to the business?
• Does management understand its responsibility for cybersecurity and have an adequate system of controls in place?
• Is the cybersecurity budget appropriately funded?
• Is the organization's enterprise risk management program appropriately staffed and resourced given the types of risk assessed?
• Are there clear policies and procedures in place in the event of a breach?
• Is the company's disclosure response in line with SEC guidelines and shareholders expectations?

• Under what circumstances will there be a public announcement? If so, when?
• Do you need to send notice to your customers?
• Under what circumstances will you call law enforcement?
• In the event of a breach, will you bring in a forensic group? If so, will the forensic team report to the board or management?

• How many new alerts will this technology or new data feed produce?
• Who will tune the technology to limit the number of false positives it produces?
• Is the technology filling a gap in detection capabilities or adding on to existing capabilities?
• How does the introduction of this new technology affect the SOC workflow?

• Cyber asset inventory and environment characterization
• Risk assessment and risk management strategy
• Governance and organization structure

• Program control design, control selection, and implementation
• Training
• Maintenance

• Threat and program effectiveness monitoring and reporting
• Incident alerting and response planning

• Event analysis and escalation
• Containment, eradication, and recovery

• Lessons learned and program adjustment
• Communications

• Prioritize critical assets
• Establish risk appetite
• Approve risk management strategy
  • Mitigate the risk
  • Transfer the risk
  • Accept the risk
• Approve the program and policies
• Assign responsibilities
• Provide oversight

• Define boundaries
• Design use case scenarios to understand impact from system attack and compromise
• Identify constraints for mitigating all risk
• Develop a justified risk management strategy
• Identify all required users of systems or delegates to receive data on a "need to know" basis

• Recommend technical and physical controls
• Identify threats and systems vulnerabilities
• Evaluate the likelihood and probability of impact for each threat and vulnerability
• Estimate the impact on systems and operations from a financial, legal and regulatory perspective

• Insurers can reward a strong cyber security posture through lower premium and self-insured retentions or broader coverage.

• It transfers residual risk from the balance sheet as part of a broader enterprise risk management strategy.

The European Union's (EU) new data protection framework, known as the General Data Protection Regulation (the "Regulation"), is, at bottom, a response to the astonishing evolution in online commerce.¹ As a result, only one of the Regulation's 91 articles specifically addresses the personal data of employees. This gap means U.S. multinational employers - especially those engaged in business-to-business ("B-to-B") commerce - must carefully parse the Regulation to figure out how it applies to their management of a global workforce. To assist in that effort, this Insight describes 10 practical steps that U.S. multinationals can take towards satisfying those provisions of the Regulation with the greatest impact on managing a global workforce.

Overall, the Regulation will not demand dramatic changes in the policies and procedures previously implemented to comply with the European Union Data Protection Directive (the "Directive"), the EU's pre-existing framework document for data protection that the Regulation expressly repeals and replaces. However, in order to comply with the Regulation, virtually all U.S. multinational employers likely will need to update at least some of their existing policies and procedures, and re-align some of their practices, for handling the personal data of employees of their EU subsidiaries.

While the compliance requirements have not changed significantly, the enforcement risk has increased dramatically. The Regulation empowers data protection regulators to impose administrative fines of 20 million Euro, or up to 4% of a corporate group's worldwide gross annual revenue, for most violations and up to 2% of that amount, or 10 million Euro, for less serious violations. Regulators also can ban data processing at the EU subsidiary and suspend data transfers to the parent corporation. Consequently, U.S. multinationals should take advantage of the two-year grace period to come into compliance. The grace period will commence at some point in early 2016 when the Regulation is published in the Official Journal of the European Union.

Ten Practical Steps For Compliance

As noted above, only one of the Regulation's 91 articles specifically addresses the personal data of prospective, current or former employees (collectively, "employee data"). Article 81 of the version published by EU authorities in December 2015 provides that EU Member States may enact laws specific to the processing of employee data to implement the Regulation. For multinational employers, this provision could defeat one of the principal putative benefits of the Regulation-to establish a single set of data protection rules applicable in all 28 EU Member States to eliminate complexity, ensure consistency and reduce administrative costs. In respect of employee data, the Regulation should therefore be read in conjunction with any applicable laws of relevant EU Member States that regulate the handling of employee data.

Even though the Regulation specifically addresses employee data in only one article, the Regulation applies broadly to the processing of all "personal data," which is defined to mean "any information related to an identified or identifiable natural person." Consequently, U.S. multinationals need to determine how to apply, in the employment context (together with the applicable local employee data protection laws), regulatory requirements designed to protect online consumers and numerous other categories of data subjects.

The Regulation's scope is broad in another way that impacts U.S. multinationals. The Regulation applies to all EU residents, regardless of citizenship. For U.S. multinationals, this means that expatriates working at an EU subsidiary are entitled to all of the Regulation's protections when their data is collected while they reside in the EU.

In contrast to U.S. law, which allows employers to collect, use and disclose employee data for almost any purpose unless specifically prohibited by law, the Regulation-following prior law-establishes the exact opposite rule, i.e.,employers can lawfully "process" employee data only if the Regulation specifically permits the processing. The Regulation defines "processing" to cover any operation during the course of the information life cycle, from initial collection to final destruction, and includes cross-border data transfers.

Only a few of the permissible purposes for processing personal data identified in the Regulation may apply in the employment context. Identifying the permissible purpose for processing each category of employee data is a critical exercise. The Regulation authorizes the maximum administrative fines-as noted above, up to 4% of gross annual worldwide revenue for the corporate group-for the processing of personal data without a permissible purpose.

a. Consent Generally Will Not Be A Valid Ground For Processing In The Employment Context

While the Regulation permits processing of personal data with the consent of the data subject, the Regulation also provides that consent is not valid unless it is "freely given, specific, informed and unambiguous." Neither the preamble to the Regulation nor the Regulation itself specifically addresses whether an employee can freely give consent in the context of the employment relationship. However, EU regulators construed similar language in the Directive to mean that employees generally could not freely give consent to their employer's processing of their personal data due to the significant imbalance in power between employers and employees. Consequently, employers who consider relying on employee consent as a lawful ground for processing personal data should carefully assess whether consent would be freely given or voluntary. Any threat of discipline, termination, or other significant detriment for refusing to consent likely would invalidate the employee's consent. In addition, employers should watch for new Member State laws and administrative guidance addressing this issue.

Employers who do identify circumstances where consent could be a lawful basis for processing must fulfill the Regulation's other requirements for valid consent. To be specific and informed, employees' consent should be preceded by a robust notice of data processing that meets the requirements described in Step 3, below. To be unambiguous, the consent must be manifested by an affirmative statement or action, i.e., "opt-in" consent; failure to object to a request for consent, also known as "opt-out" consent, will not suffice.

The Regulation imposes on the "data controller" the burden of proving the validity of consent, and any request for consent in a written document must be "clearly distinguishable" from the document's other text. The Regulation defines "data controller" as the natural person or legal entity that decides the "purposes and means of processing" personal data. This definition would include an employer. Consequently, employers who intend to rely on consent as a ground for processing should consider satisfying these requirements by having employees execute a clearly separate consent statement at the end of the notice of data processing described in Step 3, below, or if that notice does not address the specific processing that is the subject of the request for consent, by executing a standalone consent statement in some other form.

Employers should beware that employees have the right to withdraw consent at any time, and they must be informed of that right.  This can be accomplished through the notice of data processing or other form used to obtain consent.

b. Processing Necessary To Perform An Employment Contact Is A Viable Ground But Likely Will Be Narrowly Construed

The Regulation permits processing if "necessary for the performance of a contract" with the data subject, i.e., an employee. Given administrative interpretations of prior EU law, this ground likely will be construed to cover only processing with a close nexus to the employment contract, such as the payment of compensation and benefits or processing requests for sick leave or vacation. By contrast, this ground likely will not be broad enough to cover processing that is more ancillary to the employment relationship, such as for purposes of making travel arrangements or offering diversity awareness training. It is still uncertain whether and to what extent this ground would support any data processing by the parent corporation for the parent corporation"s own (or joint) purposes, such as global succession planning, because the parent corporation does not have an employment contract with the employees of its EU subsidiaries. However, processing by the parent corporation to facilitate the subsidiary's administration of its employment contract with the employee, such as to make a human resources information system (HRIS) database available to the subsidiary-employer, likely would fall within the scope of this ground.

c. Processing To Comply With Legal Obligations Is Limited To Obligations Established By EU And Member State Law

The Regulation permits the processing of employee data to comply with legal obligations "to which the data controller is subject." Importantly for U.S. multinationals, this ground applies only to legal obligations imposed by EU or Member State law on the controller, i.e., the subsidiary-employer. Consequently, U.S. legal requirements, such as the requirement to implement a litigation hold in civil litigation or to produce information in response to a subpoena issued by a U.S. court, would not provide a valid basis for processing the personal data of EU employees.

d. Processing For The "Legitimate Interests" Of The Employer Is Subject To An Employee’s Right To Object

The Regulation permits processing that is necessary to achieve the "legitimate interests" of the employer. However, an employer cannot rely on this ground unless it (a) balances its legitimate interest against the employee's rights and determines that those rights are not overriding; and (b) notifies the employee, in writing, of the legitimate interest pursued and of the employee's right to object to the processing. If the employee objects, the employer must cease its processing in reliance on this ground unless the employer can demonstrate (a) "compelling legitimate grounds" for the processing that override the employee's interests, or (b) that the processing is necessary to establish, pursue or defend legal claims.

Applying the balancing test in the absence of further guidance will prove difficult. That said, an employer likely will be able to justify processing of employee data that is not particularly sensitive on the legitimate interest ground where there is a tight nexus to the employment relationship, such as processing an employe's contact details to arrange business travel or for diversity awareness training. By contrast, processing employee data with little or no tie to the employment relationship, such as to market the employer's own products or services to the employee, almost surely would not be justified on this ground.

As with prior law, the Regulation requires that data controllers distribute a notice of data processing to each individual when personal data is first collected. As applied in the employment context, this means that employers will be required to provide a notice to job applicants concerning the processing of their data during the application process as well as a notice to new hires, typically during the onboarding process, explaining how their personal data will be processed during the employment relationship.

While this basic notification requirement is unchanged, the Regulation requires a far more robust notice. The notice must include the following information: (a) the identity and contact details of the employer; (b) the purposes for the processing and when the processing is based on legitimate interests, a description of those interests; (c) the categories of recipients of disclosures of personal data; (d) that the controller intends to transfer personal data to a third country and the legal basis for the transfer (described in Step 5, below); (e) the period for which the personal data will be stored or the criteria for determining the period; (f) how employees can exercise the rights of access, correction, erasure, and objection; (g) where processing is based on consent, the right to withdraw consent; (h) the right to file a complaint with a data protection authority ("DPA"); (i) whether the employee is obliged to provide the data by statute, contract, or for another reason, and the possible consequences of failing to provide the data; and (j) whether the personal data will be subject to automated processing and, if so, the logic and the consequences of the processing for the data subject.

It is not yet clear whether employers will be required to issue updated notices to employees who received a notice that was valid under prior law or whether a notice that meets all of the Regulations' requirements will need to be distributed only to employees who are hired after the Regulation goes into effect.

The Regulation places substantial emphasis on individuals' rights of access, correction, erasure, and objection as a means of achieving the new law's broader objective of protecting individuals' fundamental right of privacy. To that end, the Regulation requires that employers provide employees with a mechanism to exercise these rights and to respond, in writing, to any request without undue delay and, at the latest, within one month. The response period may be extended for up to two additional months in light of the complexity and number of requests. Any denial of a request must include the reasons for the denial and the right to file a complaint with the DPA or to seek judicial relief. All responses to requests must be free of charge unless the request is manifestly excessive (generally because it is repetitious). If the employer has doubts regarding the identity of a person making a request, it may ask for verification of the person's identity.

While prior law provided a right of access and correction, the right of erasure (also known as the "right to be forgotten") is new. Employees generally have the right to require the employer to delete their personal data when, for example, (a) the data no longer is necessary for the purposes of which it was collected; (b) the employee has withdrawn consent to processing, and no other ground for processing is available; and (c) the employee objects to processing, and there is no compelling ground that overrides the employee's interests. However, employers are not required to erase any employee data that they are required to retain under EU or Member State law that is necessary to establish, pursue, or defend legal claims.

Employers should note that, subject to further administrative guidance, executing an employee's request "to be forgotten" could be technically challenging and administratively burdensome. In today's online environment, employee data rarely is confined to a personnel file maintained by the human resources (HR) department. Rather, to fully comply with an erasure request, employers could be required to search numerous internal systems - including the corporate intranet, internal social media platforms, document management systems, and corporate e-mail - and to communicate with the many service providers with which HR departments routinely contract.

The Regulation's overall scheme for cross-border data transfers is materially the same as that under the Directive. This scheme generally prohibits transfers of employee data outside the EU unless the EU subsidiary-employer ensures that the recipient, typically the parent corporation, but sometimes also other non-EU members of the corporate group, will ensure an adequate level of protection for the transferred data.

The employer-subsidiary satisfies this adequacy requirement if the European Commission (the "Commission") has determined that the receiving country ensures an adequate level of protection for the transferred data. The Commission's prior adequacy determinations under the Directive remain in effect. Hundreds of U.S. multinational employers relied on the Commission's determination that the U.S.-EU Safe Harbor Framework provided an adequate level of protection until the European Court of Justice invalidated that determination on October 6, 2015. If current negotiations between the U.S. Commerce Department and the Commission result in an adequacy determination for a replacement framework, the Regulation would permit EU subsidiaries to rely on that mechanism to transfer employee data to a U.S. parent corporation provided that (a) the parent corporation complies with the replacement framework; and (b) one of the lawful grounds for processing employee data described in Step 2, above, applies to the cross-border data transfer.

Until the Commission issues an adequacy determination regarding data transfers to the United States, U.S. multinationals generally will need to rely on one of the other mechanisms identified in the Regulation. These mechanisms include the standard contractual clauses ("SCCs") approved by the Commission under the Directive as well as binding corporate rules ("BCRs"). The SCCs are a form agreement between the data exporter (the EU subsidiary-employer) and the data importer (the U.S. parent corporation and any non-EU affiliate that receives EU personal data). BCRs are legally binding policies applicable to all members of a corporate group, whether located within or outside the EU, and are enforceable by employees as third-party beneficiaries. To date, fewer than 75 U.S. companies have implemented BCRs as compared to more than 4,000 that certified to the Safe Harbor Framework.

The Regulation potentially makes BCRs more attractive by codifying a "one-stop shop" approach to regulatory oversight that provides a more streamlined and timelier approval process for BCRs. Under this process, the DPA for the employer's "main establishment" would be the employer's "sole interlocutor" or "lead" DPA with respect to the approval process, meaning that the employer would not be required to deal directly with any other DPA for purposes of obtaining approval of the BCRs. The employer's "main establishment" would be "the place of central administration in the [EU]" unless another establishment in the EU determines how data will be processed. The Regulation also establishes specific deadlines for review and approval of BCRs by other concerned DPAs and by the European Data Protection Board. The Board is composed of the head of the DPA for each of the 28 EU Member States and replaces the Article 29 Working Party, which was responsible for overseeing implementation of the Directive.

U.S. multinationals should note that the one-stop shop approach is just one way in which the Regulation streamlines the DPA's supervision of data processing. The Regulation also abolishes virtually all requirements to submit notifications to, and otherwise to consult with, DPAs regarding data processing.

The Regulation requires employers to implement administrative and technical safeguards for employee data to reduce identified risks and to prevent a "personal data breach."  The Regulation defines a breach to mean a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data."  The Regulation does not specify safeguards that must be implemented, but it does identify the following steps and objectives as potentially appropriate: (a) pseudonymization and encryption; (b) the ability to ensure the confidentiality, integrity and availability of personal data; (c) disaster recovery capabilities; and (d) a process for regularly testing, assessing and evaluating the safeguards. Having a subsidiary-employer implement safeguards similar to those required by the HIPAA Security Rule or by Massachusett" information security regulations likely will meet this standard.² In addition, regulators most likely will publish detailed security guidelines during the two-year grace period before the Regulation goes into effect.

When a personal data breach does occur, the Regulation requires prompt action. The employer must notify the DPA within 72 hours, and if that notification is delayed, explain the reason for the delay. Notification is not required if the breach "is unlikely to result in a risk for the rights and freedoms of individuals."  The employer must document its breach response sufficiently to permit the DPA to verify compliance with the Regulation.

Employers must notify affected employees of a personal data breach "without undue delay," if the breach is "likely to result in a high risk to the rights and freedoms of individuals," or if ordered to do so by the DPA. As with U.S. breach notification laws, the Regulation establishes an "encryption safe harbor," meaning that the employer is not required to notify affected individuals if their personal data is subject to encryption that renders the information unreadable. Notification to individuals also is not required if (a) the employer took steps to ensure that the high risk to employees does not materialize, or (b) notification would involve disproportionate effort, but in this case, the employer must provide notice by public communication, such as by posting notice on a web site or by publication in the media.

The U.S. parent corporation typically will select certain vendors to provide employment-related services to the entire corporate group, such as stock option administrators, online performance evaluation platforms, and providers of HRIS data bases. Because the parent corporation effectively is contracting on behalf of its EU subsidiaries, it should comply with the Regulation's requirements when entering these arrangements if the service provider will process EU employee data.

To begin with, the parent corporation should vet the service provider's ability to comply with the Regulation. In particular, the parent corporation should take steps to assess whether the service provider has adequate technical and administrative safeguards in place and has the capability to fully satisfy employees' requests to exercise their rights with respect to their personal data stored at the service provider.

The Regulation also specifies a long list of matters that must be addressed in the service agreement. The service agreement must address, for example, (a) the subject matter and duration of the processing; (b) the nature and purpose of the processing; and (c) the types of personal data and categories of data subjects. The service agreement also must impose numerous obligations on the service provider, including, for example, that the service provider: (a) process personal data only subject to the employer's instructions, (b) require its employees to execute a confidentiality agreement; (c) implement required security measures;

(d) assist the employer fulfill its obligations to respond to requests by employees to exercise their rights; and (e) cooperate with the employer in fulfilling its breach notification obligations.

The Regulation provides that the processing of "special categories of personal data," also known as "sensitive personal data," is prohibited unless an exception applies. Sensitive personal data includes race or ethnic origin, data concerning health or sex life and sexual orientation, trade-union membership, genetic data, biometric data, political opinions, and religious or philosophical beliefs. An employer can process sensitive personal data only in the following limited circumstances: (a) the employee gives explicit consent (except where the law does not permit the employee to consent); (b) processing is necessary for the employer to fulfill obligations and exercise specific rights established by EU or Member State law; or (c) processing is necessary to establish, pursue or defend against legal claims. In addition, a health care professional can process personal data concerning an employee's health when necessary for preventive or occupational medicine, to assess the working capacity of the employee, or to provide care.

Given the Regulation's emphasis on protecting sensitive personal data, regulators likely will narrowly construe these exceptions. Consequently, EU subsidiary-employers should scrutinize and restrict their collection of sensitive personal data. Likewise, U.S. parent corporations should carefully assess whether any of the exceptions would justify transferring any categories of sensitive personal data to the United States, and if so, whether the cross-border data transfer really is necessary.

The Regulation also establishes a special rule for the processing of criminal history information, albeit that category is not specifically identified as sensitive personal data. Under that special rule, an employer can process criminal history information - even with an applicant's or employee's consent - only if specifically authorized by EU or Member State law to perform a criminal history check. Consequently, the U.S. parent corporation likely will not be able to lawfully apply policies broadly requiring criminal history checks of U.S. applicants and employees to applicants and employees located in the EU.

The Regulation requires that employers maintain detailed records concerning their data processing. These records must be provided to the DPA upon request.

The information to be recorded includes the following: (a) contact information for the employer; (b) the purposes of the processing ; (c) the categories of data subjects and of personal data processed; (d) the categories of recipients, including those in third countries; (e) the third countries to which personal data will be transferred and the instrument, e.g., SCCs or BCRs, used to provide an adequate level of protection; (f) where possible, the envisaged retention periods for different categories of employee data; and (g) a general description of the security measures for employee data.

Although the Regulation contains more detailed compliance requirements than the Directive, the Regulation's requirements are much less detailed than what U.S. multinationals are used to seeing in U.S. regulations. However, the Regulation confers on the European Data Protection Board the authority to issue guidance on topics such as breach notification and binding corporate rules. Further guidance on these and other topics almost surely will be forthcoming during the two-year grace period before compliance with the Regulation becomes mandatory.

• Education is a long process, but avoids a single point of failure. While many boards will have members who specialize in different areas of expertise, total responsibility for cyber risks cannot be pushed onto only one person. As our world become increasingly reliant on digitization, cyber risks and areas for IT innovation are woven into the business fabric of an organization. Learning about new technology can be difficult or even scary for many board members who don't believe they have the expertise to ask smart questions. However, having an "intellectual curiosity" to drive education about new technology trends is a basic requirement to be a modern board member.

• When judging your cyber risk, get a second opinion.From Palo Alto Networks survey with Georgia Tech of board members from around the world, we found that 53% of boards sought outside experts to assist in evaluating their corporate risk. This outside perspective can be especially beneficial in cybersecurity, where internal company dynamics can hamper strong oversight. Here’s the problem: it’s tough to prove that your security investments and personnel are working well without a negative scenario that illustrates as much. If you have been hit by a successful attack, you believe you have made poor investments or your personnel are falling down on the job. But if you don’t see any damaging attacks, how do you know if you are preventing anything or just not looking for problems? Often, not looking for problems can be a much safer career move for security personnel facing a board with little understanding of how to evaluate this highly technical issue. Bringing in an outside expert can help ensure there is honest and accurate reporting that places security personnel in a position to participate in conversations on investment and risk, rather than simply cherry picking technical metrics to prove they are doing their jobs.

• "Just the facts" is not enough. As efforts to monitor, detect, and analyze cyber threats get better every day, reporting on risk grows more convoluted. At the security operations level, this means more manual work tracking all of this data. At the board level, this means heat-maps and dashboards full of highly technical jargon, with little meaning for non-security experts. Occasionally, companies will be blessed with the CISO who picked up an MBA along her career and can translate technical data into business risk language, but this is neither reliable for oversight, nor scalable for all businesses. Instead, management must play an active role in looking at the economic risks associated with specific threats. This requires security personnel to be tied into the enterprise risk management process so that they can understand what is relevant and what is just noise. Done ahead of time, this can help management present the board with more digestible reporting on how their investments match up against cyber threats to the company's bottom line.

• First, device manufacturers are adopting operational systems that have changed the default local encryption setting from "off" to "on." In other words, data on local devices was previously stored in an unencrypted form unless the user manually chose to enable the encryption option, but now the converse will be true - affirmative action by the user is necessary to store data in an unencrypted form.
• Second, service providers are taking steps to offer users products that automatically encrypt data stored in cloud storage systems and messages transmitted to other people in a manner that cannot be decrypted by the service providers. Put another way, service providers are offering products that prevent them from being technically capable of responding to lawful government demands as they cannot turn over data they do not possess.

• We should not overstate the practical significance of any decision the U.S. might make. It is uncertain that authoritarian nations (e.g. China or Russia) will forgo implementing an encryption access requirement simply because the U.S. chooses not to (or vice versa)
• It is possible (and perhaps even highly likely) that mandating exceptional encryption access would hinder or damage innovation in the U.S. encryption technology market. It may also restrain innovation in related U.S. security technology markets
• Adoption of an American encryption access requirement may result in adverse collateral effects, decreasing law enforcement's investigative access to metadata and hampering the competitiveness of American businesses and U.S. national security; and
• Efforts to constrain encryption through forms of extraordinary access will inevitably introduce vulnerabilities into the security of consumer products in ways that are likely to have adverse long-term effects on the security, privacy, and civil liberties of citizens.

• Nearly half (48%) of the directors surveyed agree that economic uncertainty is one of the biggest challenges facing corporate boards in 2016, followed by market risk (37%) and cyber risk (35%).

• More than a third of those responding (38%) believe that although they are doing all they can to protect the company's data, most cybersecurity risk is really out of their hands.

• Over half (57%) of those surveyed say they have not thoroughly vetted a crisis communications plan within the past 12 months. Yet, 52% are confident their current plan would run successfully.

• Two-thirds (65%) of respondents agree that direct engagement with shareholders can serve to open dialogue in a meaningful way before critical issues come to a head.

• Close to half (42%) of directors surveyed believe their board needs to focus more on long-term strategic planning.

• Almost half (45%) of respondents lack confidence in the idea that their employees are thoroughly trained, understand, and assume appropriate responsibility for compliance related to the use of corporate social media, followed by data security (33%) and third-party risk (28%).

1. Implement policy management tools and do not access personal applications and information without consent
2. Inform employees about your policies with regard to the use of personal devices on the corporate network
3. Encourage employees to declare stolen, unused or lost devices and regularly update security settings and applications

• Ensure there are numerous avenues available to make complaints (including anonymous complaints) and that employees are aware of those avenues. Employees should be able to lodge a complaint via managers, Human Resources, Compliance, Legal, a telephone/e-mail hotline, or a website.
• Be sensitive to the potential for real or perceived retaliation against whistleblowers. Involve Legal or Human Resources in any employment decisions involving a potential whistleblower, including performance reviews, before finalizing, to ensure there is no retaliation.
• Resist the urge to identify an anonymous whistleblower; it is very difficult to retaliate against someone whose identity is unknown. Implement a system by which you can follow up with an anonymous whistleblower that safeguards his or her identity (i.e., Ethics Point or Hushmail).
• Train IT managers and other employees on the front lines about what could form the basis for cybersecurity whistleblower complaints and how to properly receive and escalate them.
• Review third-party vendor practices (contractors, consultants, auditors, hotline administrators) to ensure they too provide optimal whistleblower procedures. Make clear in company policies that reports from third parties are also accepted by the company.
• Whistleblowers may have a heightened sensitivity to whether the investigation is biased, so consider extra precautions to ensure the neutrality of the investigation.
  • If the complaint involves a manager, HR and legal personnel who support the manager should not be involved in the investigation.
  • If the internal audit department is participating in the investigation, make sure that the audit personnel who work for the area of the business under investigation are not participating in the investigation.
  • If the complaint involves a C-level employee, independent outside counsel should be retained by the audit committee of the board of directors, as opposed to company's inside counsel or regular outside counsel conducting the investigation.

• Don't retreat into denial. Acknowledge there is a problem and control your message;
• Carefully assemble the facts and convey them in a straightforward, conversational manner;
• Designate one trusted professional as the spokesperson and have that individual speak on a regularly scheduled basis to stabilize contact with the press;
• Use dignified, jargon-free language and a serious tone that says, "We get it, and we're dealing with the situation";
• Don't react in a defensive way. Go on the offensive when appropriate by introducing new initiatives that mitigate the damage and prevent recurrence.

• Helped you articulate the business value of information;
• Adopted this as a tool for establishing priorities on protecting information;
• Set performance expectations within the lines of business; and
• Communicated their expectations of the framework through their engagement.

• Demand evidence that your cybersecurity team is able to respond quickly and flexibly to changing threats and give them the license and the support they need to do so.
• Work with your major clients and third parties to exercise a major incident. You will need their cooperation if you are attacked and working closely in this way builds trust and transparency.
• Prepare for the worst case. Exercise your response to a cyber-attack and make sure you develop muscle memory. This will help you to respond quickly by understanding how an incident might unfold and how you might respond.
• Consider the role of cyber insurance in helping you mitigate the financial impact and access specialist expertise when needed. You won't have all the skills you need in-house.

• Assessed the privacy and cyber risk to Speedway, including general cybercrime and terrorism risks, couched within cyber attack data for Indiana organizations using a risk assessment built on top of Microsoft’s Damage, Reproducibility, Exploitability, Affected Users, Discoverability (DREAD) system.
• Analyzed Speedway’s SCADA systems, role-based password security, password policy, work station policy, disaster recovery protocols, single points of failure, remote access, “Bring Your Own Device,” and general privacy policies.
• Investigated the state and federal privacy and cybersecurity laws and policies related to SCADA and employee technical use applicable to Speedway; and
• Suggested a host of technical and managerial best practices ranging from the specific (e.g., codifying all procedures related to Speedway’s SCADA systems and improving employee cybersecurity training) to the general (g., creating a mobile device management policy for lost or stolen phones, and including an email privacy trailer in official correspondence) using the NIST Cybersecurity Framework as a baseline. Further suggestions and tactics are listed below:

• Lock down your wireless network with a strong password and encryption
• Connect to your router to see which devices are connected to your network
• Ensure all updates and patches are applied to the devices connected to the network
• Your SSID (Service Set Identifier) is the name of your network. Change this default name to a unique, robust name, preferably a longer one with both letters and numbers
• Minimize targets of opportunity by making it more difficult to login as an administrator

• Disable default file and print sharing
• Disable Remote Desktop (RDP) and Remote Assistance, unless you require these features. If you do, enable the remote connections when needed, and then disable them again when the job is done.

• Install and run Identity Finder or another a tool to help you search for, protect, and dispose of personal information stored on your computer, file shares, or external media

• Uninstall any software and services you do not need
• Remove files or data you no longer need to prevent unauthorized access to them

• Computer science
• Network security
• Cryptography
• Enterprise Risk Management
• Ethics
• Law
• Policy

1. Identify local educational institutions with technical, managerial, and/or legal cybersecurity expertise;
2. Contact your firm’s government affairs and public relations specialists to reach out to local and state government entities that may be interested in partnering to establish a cybersecurity clinic; and
3. Provide internships and seed funding to create the new courses and program architecture at community colleges and research institutions necessary to launch a cybersecurity clinic.

• A move away from the traditional cybersecurity focus on tactical elements like email hygiene and firewalls to a more strategic view centered on the data itself.
• Less emphasis on responding to threats and more on instilling appropriate behaviors and managing perceptions of risk.
• A shift from building higher walls and deeper moats that prevent intrusion to ensuring customized value-based risk management that protects each information asset.

• Establishing uniform perspectives and behaviors that can crystalize into social norms regarding the use and handling of information at work - even when those norms are different than those governing how people handle personal information at home.
• Managing the uncertainty and ambiguity that comes from the shift to a front-line, decentralized approach to information security
• Having exceptional strategic orientation and the ability to communicate and influence outside of one's chain of command.
• Technical savviness and broader business understanding, as the role expands from just addressing cybersecurity threats to the broader mandate of managing information risk.

• Appropriate Balance

• Increased Confidence and Brand Reputation

• Overlay those exposures with the firm's existing commercial insurance portfolio.

• Functional platforms like CRM systems will have more “smart” features that identify and flag potential information security risks, requiring action from the user (think of Gmail’s prompt if you use the word “attached” in an email but don’t attach a file).
• Information risk management will become part of professional training across functions, from university curricula on through company development programs.
• Slogans, mnemonics, and other aids will be developed to help guide non-professionals in their information risk management decision making.
• Information risk management will become part of an executive’s career narrative, one more factor in hiring, promotions and incentives.

• When the chief marketing officer designs a new social media campaign, are information security considerations and best practices part of the plan?
• Is the head of human resources ensuring that the vast stores of confidential information in employee management systems are being handled with appropriate care?
• Does the CFO have verification processes in place to thwart unauthorized requests for capital transfers?
• Has the head of sales ensured that personally identifiable information is siloed in a facility with a certification such as SSAE 16?

• “What are our crown jewels that we want to protect with top priority?”
• “What are business consequences if those crown jewels were damaged?”
• “How much investment are we willing to make to mitigate those risks?”

• The Long Arm of the Law: Understanding EU Legislation's Impact on Cybersecurity (Millbank, Tweed, Hadley & McCloy LLP - Joel Harrison, Partner)
  • Details about the Network Information Security (NIS) Directive and the General Data Protection Regulation (GDPR).
• What is the Process for Achieving State of the Art? (PwC - Gregory Albertyn, Senior Director and Avi Berliner, Manager)
  • Describes achieving 'state of the art' cybersecurity to meet forthcoming EU legislation.
• State of the Art - How and Why? (Palo Alto Networks - Greg Day, Vice President and Regional Chief Security Officer, Europe, Middle East and Africa)
  • What fundamental cybersecurity principals need to change to address the upcoming changes?

• The Long Arm of the Law: Understanding EU Legislation's Impact on Cybersecurity (Millbank, Tweed, Hadley & McCloy LLP - Joel Harrison, Partner)
  • Details about the Network Information Security (NIS) Directive and the General Data Protection Regulation (GDPR).
• What is the Process for Achieving State of the Art? (PwC - Gregory Albertyn, Senior Director and Avi Berliner, Manager)
  • Describes achieving 'state of the art' cybersecurity to meet forthcoming EU legislation.
• State of the Art - How and Why? (Palo Alto Networks - Greg Day, Vice President and Regional Chief Security Officer, Europe, Middle East and Africa)
  • What fundamental cybersecurity principals need to change to address the upcoming changes?

• Have we estimated the cost of a breach before it happens?
  • Prevention costs far less than mitigation. Understand that even a fairly aggressive estimate of mediation cannot account for the true, long-term impact to your brand and on customer relationships.

• Have we insisted on a security solution that is actionable for all stakeholder teams?
  • Make sure your security solution not only notifies you of threats, but also reports back when the threat has been eliminated.

• Are we the most efficient we can be when it comes to IT?
  • Cybersecurity can improve efficiencies, resulting in greater network bandwidth; security and reducing overhead are not mutually exclusive. Network bandwidth is a key issue for branch offices.

• How is our security solution delivering ROI and how can we measure it?
  • With a centralized platform, you can efficiently distribute the same security to all branches with one interface; a singular point of access reduces costs by avoiding the overhead of different security devices.

• Are we secure on a per-file basis?
  • Aim for security per file for all users independent of branch or country. Secure and deliver “one desktop” so user’s permissions, access, profile and desktop all move with them across devices throughout the day.

1. Ensure the next Cybersecurity Program for Human Resources Development in 2017 and future governmental initiatives to raise the importance of diversity and encourage both men and women to be part of the cybersecurity human resources development ecosystem: education, recruiting, hiring and retention.
2. Japanese academia, government and businesses should help young women who are interested in cybersecurity get connected with their peers overseas via Girls Who Code and conferences for mentorship and networking.

• Businesses that sell or purchase personal information; consumer credit reporting information, including credit reporting bodies, credit providers (which includes energy and water utilities and telecommunication providers) and tax file numbers; and certain other third parties.

• Review your data collection practices and policies, internal data-handling, and data-breach policies to reflect the new requirements and ensure personal information is collected and stored only when needed.
• Audit how you are holding data and whether any sits with third parties (for example, in the cloud) on your organisation’s behalf.
• Strengthen your cybersecurity defences. Visibility is key. This means reviewing your cybersecurity strategies and practices to ensure that steps are in place to avoid data breaches or you have outlined ways to reduce administrative errors, which could lead to a breach. For example:
  • Who has access to the data and do they need access to the data? Reducing or limiting access reduces the possibility of anyone inadvertently leaking the data or a cyber criminal getting access to data.
  • For sensitive data, think of how it could be shared. Is there the right governance in place to prevent someone from sharing or breaking a business process? Many times a process needs to be updated to ensure there is a balance between the risk and productivity.

• A description of what types of activities the policy seeks to deter (not a detailed, exhaustive list which might encourage actions short of declared thresholds, but rather a description of the scale, scope and consequences of malicious cyber activities that could impact national/international security, national/international economic stability, serious public safety concerns or national/international level privacy and freedoms)
• Deterrence by denial (denying the adversary’s anticipated gain by making the effort too difficult - primarily through defense, resilience and reconstitution capabilities and processes)
• Deterrence by cost imposition (making the anticipated cost or punishment associated with an adversary’s efforts more painful than it is willing to accept in relation to the expected gain - primarily through economic, law enforcement and even military instruments of national power when other preferred measures are insufficient)
• Activities that support deterrence (these include diplomatic, informational, and intelligence instruments of national power, as well as research and development to shape the future of cybersecurity by planning for and investing in tools, techniques, and a workforce necessary to improve the resilience of the digital environment and provide new technological options for deterring malicious cyber activities)

"Alors que les menaces ne cessent de se diversifier et de gagner en sophistication, les cybercriminels, qui ciblaient essentiellement les individus, reportent désormais leur attention sur la source de revenus la plus lucrative, à savoir les entreprises." ajoutant que "tout au long de l'année 2016, nous avons constaté que les cybercriminels extorquent de l'argent aux organisations pour plus de rentabilité ; or cette tendance n'est pas près de ralentir. "

Des attaques très lucratives