CLOUD AND SECURITY: A LEGISLATOR'S PERSPECTIVE 6/7/2013


BIGGEST INHIBITOR TO THE ADOPTION OF CLOUD COMPUTING
Data security?

SENSITIVE DATA IN THE CLOUD
More data, more storage, more risks.
Examples of identifiable personal information:
- Credit card information
- Medical records
- Tax records
- Customer account records
- Human resources information
- Banking and insurance records
- Browsing history, emails and other communication “metadata”
Sensitive personal data?

CLOUD SECURITY - STAKEHOLDERS
Data collector/owner
- Outsourcing: how to select a cloud vendor?
- How to maintain direct control to safeguard data integrity?
Cloud service providers
- How to satisfy data residency and privacy requirements?
- How to remain flexible and provide cost-effective service?
Regulator
- Formulation of relevant standards and practices
- How to ensure adoption and compliance?
- Would sensitive data end up overseas?
Customers/end-users
- Are my data safe in the cloud?
- Would I know if there is a security or privacy breach?

ISSUES ON CLOUD SECURITY
Security
- Is the data protected from theft, leakage, spying or attacks?
- What is the level of control and protection?
Residency
- Where is the data stored? Is it geographically dispersed?
- What to do with data in transit and outside the territory?
Privacy
- Who can see personally identifiable information (PII)?
- Storing, transferring, locating and protecting PII

CHALLENGES OF CLOUD AND SECURITY
- Maintaining ownership and control of data
- Information on third-party services and distributed infrastructure
- Delivering resiliency, availability and flexibility of cloud services

COMPLIANCE REQUIREMENTS
- Some countries have laws restricting storage of data outside their physical country borders: India, Switzerland, Germany, Australia, South Africa and Canada
- EU: Data Protection Directive; Safe Harbor Principles – no sending PII outside the European Economic Area unless protections are guaranteed
- USA: US Patriot Act; 40+ states have breach notification laws (25 states have an exemption for encrypted personal data)
- Canada: Freedom of Information and Protection of Privacy Act

HONG KONG
- Section 33(2)(f) of the Personal Data (Privacy) Ordinance
- Standards discussions through the HK/Guangdong Expert Committee on Cloud Computing Services and Standards
- Guidelines and information via infocloud.gov.hk

CAN WE STILL TRUST THE ‘CLOUD’?
- What are the local laws that govern data being collected, transferred and stored?
- State-sponsored attacks?

INTERCEPTION OF COMMUNICATIONS – GOVERNMENT BODIES/OFFICIALS
- Article 30 of the Basic Law specifies that the freedom and privacy of communication of Hong Kong residents shall be protected by law.
- Interception of Communications and Surveillance Ordinance (Cap 589), since 2006: regulates law enforcement agencies’ lawful interception of communications and covert surveillance operations for the prevention and detection of serious crimes and the protection of public security.
- Not applicable to non-public officers, and cannot be applied to non-governmental bodies and individuals.
- LEAs are required by the ICSO to obtain an authorization from a panel judge or a designated authorizing officer prior to any interception of communications and covert surveillance operations.

INTERCEPTION OF COMMUNICATIONS – NON-GOVT PERSONS/BODIES
- s24 of the Telecommunications Ordinance (Cap 106) does not allow a telecommunications officer, or any person who, though not a telecommunications officer, has official duties in connection with a telecommunications service, to wilfully intercept any message.
- s27 of the Telecommunications Ordinance (Cap 106) prohibits any person from damaging, removing or interfering with a telecommunications installation with intent to intercept or discover the contents of a message.
- s29 of the Post Office Ordinance (Cap 98) states that no person shall open any postal packet, take any of the contents out of any postal packet, have in his possession any postal packet or mail bag or any of their contents, or delay any postal packet or mail bag.
- If such activities involve the collection of personal data, they are subject to the provisions of the Personal Data (Privacy) Ordinance.
- Hacking of a computer system is dealt with mainly by section 161 of the Crimes Ordinance (Cap 200) (obtaining access to a computer with intent to commit an offence or with a dishonest intent) and section 27A of the Telecommunications Ordinance (Cap 106) (by telecommunications, obtaining unauthorized access to any computer).

THANK YOU!