IGF 2017 WS #120 Getting threats under control: best practices to notify data breaches

Session Format: Panel - 90 Min

Proposer:
Country: Mexico
Stakeholder Group: Civil Society

Co-Proposer:
Country: Mexico
Stakeholder Group: Private Sector

Speaker: Gemma Clavell
Speaker: Cédric Laurant
Speaker: Roberto Martínez

Content of the Session:
The scale and scope of targeted attacks and data breaches has been on the rise for the past few years, harming millions of users and consumers worldwide. This situation is aggravated by at least two factors: inadequate incident detection and response measures by organizations that are responsible for managing users’ personal data, and well-known technical weaknesses.

Over the course of this 90-minutes workshop, and after the moderator introduces a hypothetical breach scenario, panelists will provide answers and guidance regarding the following:

- How, what and when to notify the impacted individuals about the data breach?
- What criteria should be considered for disclosing data breaches to the public?
- What should be the role of law enforcement authorities/CERTs/data protection authorities/ international organizations regarding breach notification obligations?

The panel will provide an opportunity for a multi-stakeholder debate on how to notify individuals impacted by large-scale data breaches with representatives from civil society, intergovernmental organizations, technical community, private sector and academia.

Relevance of the Session:
The digital age is offering organizations and people an unprecedented opportunity to actively shape their future. However, rapid advances in digitization are introducing new risks for private and public organizations critical infrastructure that, if not addressed, increasingly threaten people's right to privacy and data protection. In the context of large-scale data breaches, assessing policies and best practices for appropriately responding to such threats is required.

Furthermore, companies have very few incentives to notify affected individuals if their personal data is compromised by such breaches and, thus, instead of building a breach incident response plan, they tend to deflect from disclosing such information to the public, to avoid both possible legal consequences or being shamed or embarrassed. This panel will tackle such issue by providing an open discussion of key steps organizations should take in responding to a data breach.

Tag 1: Privacy
Tag 2: Data protection
Tag 3: Data breaches

Interventions:
A brief introduction on the context of large-scale data breaches worldwide will be given at first by the onsite moderator (Cedric Laurant), followed by the presentation of a hypothetical case of a data breach. As representatives of different stakeholder groups, panelists will be asked to provide short remarks related to the appropriate course of action they consider would work best given the case in point. The rest of the time will be dedicated to the Q and A with the audience and remote participants. Finally, both the panelists and the moderator will assess what the best practices to notify data breaches are, ensuring that the different perspectives -legal, technical, procedural, academic and intergovernmental- are taken into account.

Intended Speakers:
- Gemma Galdon Clavell, Academia, Universitat de Barcelona
- Roberto Martinez, Technical Community, Kaspersky Lab
- Mike Bruemmer, Private Sector, Experian - Data Breach Resolution
- Erika Mata, Private Sector, Information Security & Control at Scotiabank
- Juliana Abrusio, Private Sector, Opice Blum – Attorneys at Law
- Belisario Contreras, Intergovernmental Organization, OAS

Diversity:
The speakers were chosen based on their expertise with a balance of stakeholder groups and gender.

Onsite Moderator: Cédric Laurant
Online Moderator: Giovanna Salazar
Rapporteur: Manuel Mejías

Online Participation:
Online participation in the proposed workshop will be encouraged before and during the session. The opportunity to participate in the session will be announced in mailing lists, and social media of the participating organizations. The online moderator will play a crucial role during the session, as she will be in charge of ensuring that online contributions and questions are submitted and prioritized.

Discussion facilitation:
The session will be organized as a facilitated dialogue through which each participant will have the opportunity to express their position on how to address a hypothetical data breach case introduced by the onsite moderator. After introducing the case in point, the moderator will ask the panel a round of questions and then will turn to the (onsite and online) audience for an interactive discussion.

The introduction (including context and the case study) will tentatively last 10 minutes.
Expert discussion will last 30 minutes (5 minutes per participant).
Q&A with the audience will last 35 minutes.
Final assessment and closing remarks – 15 minutes.

Conducted a Workshop in IGF before?: No
Link to Report: