
Privacy and Security: Practical and Sensible Advice



  1. Privacy and Security: Practical and Sensible Advice Chuck Schwab, Special Counsel, Cooley LLP and Karin Lindgren, General Counsel, Reed Group

  2. Topics to Cover Today
  • Breach notification laws: planning for and responding to a security breach
  • Information security requirements for customer and employee data
  • Collection, use, and disclosure of information about customers and employees
  • International issues

  3. Breach Notification Laws
  • Progenitor: California’s “SB 1386”
  • Identity theft is the driver
  • No federal “Data Breach Law”, although several bills are still before Congress:
    • Personal Data Privacy and Security Act of 2011 (S. 1151) (Senators Leahy (D-VT), Schumer (D-NY) and Cardin (D-MD)) (last action: written report filed by the Committee on Commerce, Science and Transportation, November 2011)
    • Data Security and Breach Notification Act of 2011 (S. 1207) (Senators Pryor (D-AR) and Rockefeller (D-WV)) (last action: the Committee on Commerce, Science and Transportation scheduled two mark-ups in fall 2011, which were both indefinitely postponed)
    • Data Breach Notification Act of 2011 (S. 1408) (Senator Feinstein (D-CA)) (last action: Committee on Judiciary hearing in October 2011, from which no written report has resulted)

  4. Breach Notification – Patchwork State Laws
  • Instead of one uniform federal law (like the FCRA), businesses must undertake the complex task of monitoring all state statutes

  5. Patchwork – Most States
  • 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
  • States with no security breach notification law: AL, KY, NM, and SD.
  • 29 states (AK, AZ, AR, CA, CO, CT, GA, HI, IL, IN, KS, KY, MS, MS, MI, MO, MT, NV, NJ, NY, NC, OR, RI, SC, TX, UT, VT, WA, and WI) have laws requiring encryption and secure disposal of personal information held by businesses and/or government.
  • Every state has a law criminalizing identity theft.

  6. Patchwork – Commonalities
  • What is covered:
    • Personal information requires last name and first initial plus at least one more data element that could lead to loss (e.g., social security number, driver’s license number, credit or debit card number, or bank account number and access code, etc.)
    • Includes employee and customer information.
  • Most states have an exemption for encrypted data:
    • Only IN, NYC, WY and DC lack an encryption safe harbor
    • MS, NH, OK, OR, and TX require notice if encrypted data is breached along with the encryption key
    • Several states require notice to the Attorney General even if data is encrypted

  7. Breach Notice – Timing and Scope
  • Planning for a breach is essential; response time is mandated by law:
    • In all states except CA, GA, ID, and IL, discovery of a suspected breach triggers an immediate requirement to investigate, and notification is only triggered if the investigation determines that there is a reasonable risk of identity theft or loss
    • In CA, GA, ID, and IL, the notification requirement is triggered upon discovery
  • Once triggered, notification must be provided “as expediently as possible and without unreasonable delay unless disclosure impedes law enforcement investigation”
  • Several states require immediate disclosure to the Attorney General (within 24 hours of discovery)
  • Notice must typically be in writing and sent to each individual victim, but a small number of states may allow substitute notice in cases of a large breach

  8. Breach Notice – Content
  • Content of notice:
    • General description of the incident;
    • type of information breached;
    • toll-free numbers and addresses of the three NCRAs (nationwide consumer reporting agencies).

  9. Breach Notice – Penalties and Costs
  • Penalties for failure to provide breach notification:
    • Administrative fines vary state-by-state, ranging up to $500,000 in certain states.
    • Actual damages to each affected victim.
  • Costs and expenses associated with a breach:
    • Costs of investigation.
    • Production and mailing costs for notification letters.
    • Cost of a period of credit monitoring service for affected victims (typically about $75–$125 per person).
    • Reputational costs.

  10. Other Breach Notification Laws
  • FTC’s Red Flags Rule – requires financial institutions and “creditors” to have an identity theft prevention program; notification is an option
  • HIPAA – affects covered entities and business associates, requiring employers, for example, to:
    • Notify major media outlets and HHS if a breach involves 500 or more plan participants
    • Notify affected individuals within 60 days of becoming aware of the breach
  • GLBA – applies to financial institutions

  11. Information Security – Why?
  • Confidential information is critical to the success of the business
  • Protection of valuable intellectual property is essential to maintain legal rights (e.g., trade secret protection)
  • To further the business, employees must have access to confidential information and must create IP
  • Employers have legal obligations to keep certain information confidential
  • Legal requirements

  12. Information Security Regulations
  • FTC Act
    • Fairness – maintain adequate and appropriate security measures
    • Deceptiveness – false or misleading statements; “100% Safe”
  • Original California SB 1386
  • State data security laws – 10+ states
    • “Reasonable” safeguards
    • Sensitive data:
      • Social Security number
      • Driver’s license number
      • Financial account information
      • Credit card number

  13. InfoSec Regulations – A Higher Bar
  • Massachusetts
    • Covers sensitive data
    • Mandates a security program
    • Safeguards require encryption
    • Policies
    • Training
    • Monitoring
  • Some states require encryption for transmission (Nevada)
  • Data destruction
    • 23+ states, FCRA
    • “Reasonable steps” to destroy sensitive data (or all data for CA, CT, KY)

  14. Other InfoSec Regulations
  • HIPAA Security Rule
    • Information security program
    • Administrative, technical, and physical safeguards
    • Data breach notification
  • GLBA Safeguards Rule – information security program
    • Administrative, technical, physical safeguards
    • Size and complexity of organization
    • Sensitivity of customer information
    • Designate employees to coordinate
    • Identify risks and sufficiency of safeguards
  • Red Flags Rule – implement a program to detect, prevent, and mitigate identity theft

  15. InfoSec Policies
  • Diamonds vs. Toothbrushes
  • Written InfoSec policy
    • Identify security risks and identity theft risks
    • Reasonable approach to security risk vectors
    • Graduated treatment of data types
  • Establish a “Privacy/InfoSec Officer”
  • Establish technical controls on data – access, transmission
  • Maintain technical vigilance – apply security patches within a reasonable time
  • Annual policy/risk review
  • Train at least key people

  16. Consumer Privacy – Federal
  • Customer vs. Consumer
  • FTC Act – unfair or deceptive practices
    • Notice – disclosures of what, who x2, how x2
    • Choice – secondary uses, disclosures, opt-out or opt-in
    • Access – access to data, correction
  • Behavioral Tracking
  • TCPA
    • Junk Fax, Do Not Call, SMS
  • CAN-SPAM
    • Disclosures for promotional emails
    • Opt-out

  17. Consumer Privacy – California
  • California Online Privacy Protection Act
    • Post a policy
    • Identify:
      • Information collected
      • Third parties with whom you share the information
  • California – Shine the Light
    • Disclosures about sharing with third parties for their marketing purposes
    • Consumer right to opt out or receive information about third parties
  • California – Song-Beverly Act
    • Prohibits collection of PII that is not on the credit card, including zip code
    • Applies to online transactions?
  • Spyware laws – track data

  18. Employee Privacy
  • FCRA
    • Applies to reports prepared by a third party that regularly assembles or evaluates credit or other information on a consumer (“consumer reporting agency”)
    • Covers any inquiry for employment purposes bearing on an individual’s “credit, general reputation, personal characteristics, or mode of living”
    • Criminal history checks, credit checks, sex offender registry, motor vehicle record checks, employment and education verification
    • Requires a permissible purpose to access
  • State “mini-FCRAs”
  • Credit check laws
  • Anti-discrimination laws
  • Genetic Information Nondiscrimination Act of 2008 (GINA)

  19. FCRA Process
  • Provide notice and obtain authorization before procuring a background check report
  • Before taking adverse action or a risk-based pricing decision, provide notice, including a copy of the report and the FTC summary of rights
  • Wait 5 days before taking final action
  • Deliver final adverse action or risk-based pricing notice

  20. Social Network Checks
  • Establish policies on when social media checks will be conducted, by whom, at which sites, for what information, and how that information will be evaluated
  • Include social checks by third-party vendors in your FCRA compliance program
  • Social checks by the employer’s own staff are not subject to FCRA
  • Be careful about asking or coercing an employee or applicant to provide social media password(s), or fraudulently/coercively gaining access to a network
  • Be careful of taking adverse action against an employee for comments on social media (could be protected by state law or NLRB rules)

  21. Employees – Practical Pointers
  • Contracts
    • Require employees to sign proprietary information agreements; define “confidential information”
    • Require job applicants to sign non-disclosure agreements
  • Handbooks/Policies – privacy expectation is key
    • Adopt electronic data and computer use policies:
      • Employer-allowed use of email and computers
      • Employer ownership of all data on work computers
      • Limit personal use
      • Employee consent to monitoring and inspection
      • Restrictions on social media use?

  22. International
  • EU spam laws
    • Opt-in, with some EBR exceptions
  • Canadian spam law
    • Expecting regulations
    • All electronic messages (not just email)
    • Explicit or implied (including EBR) consent
    • Heavy fines (C$220/message, D&O exposure)
  • Cookie directive
    • The Sound and the Fury
    • Waiting for industry solutions

  23. International (2)
  • EU Directive
    • Expectation of compliance is growing
    • Model Contracts
      • Processor
      • Controller
    • Safe Harbor
      • 7 Principles – Notice, Choice, Onward Transfer, Access, Security, Data Integrity, Enforcement
      • Two toughies: Onward Transfer, Enforcement
    • BCRs
  • EU Regulation on the horizon
    • You don’t even want to know
    • ~2 years away

  24. Questions? For more information contact: Chuck Schwab, schwabca@cooley.com Sign up for Alerts at www.cooley.com.
