Loading in 2 Seconds...
Loading in 2 Seconds...
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Protecting Your Information Assets:Privacy and Data Security Maureen CooneyCounsel to Hunton & Williams LLP Senior Policy Advisor The Center for Information Policy Leadership at Hunton & Williams LLP; email@example.com To: American Records Management Association
Our Firm • Founded in 1901, Hunton & Williams is one of the nation’s leading law firms with over 875 attorneys in 18 offices, serving clients in more than 100 countries.
Privacy and Information Management Practice • 20 privacy professionals in the U.S., EU and Asia • Our privacy clients include: • Kraft Foods - Visa • General Dynamics - British Telecom • Holtzbrinck Publishers - Google • Kodak - TJX • Estee Lauder - IKEA • Pitney Bowes - Computer Associates • The Center for Information Policy Leadership at Hunton & Williams
Four Privacy Risks • Legal compliance • Reputation • Investment • Reticence
Managing Privacy and Data Security • Managing customer relationships and privacyand Information security risks are significant business issues that require more than IT assessments and IT security solutions. • PREPARATION is key, utilizing a multidisciplinary approach and expertise throughout a business enterprise. • Effective management requires a strategy for data collection, use, retention and disposal.
Privacy as a Business Strategy • Developing a Business strategy for data collection and use minimizes risks and should include: • Identified business purposes for collecting or sharing a customer’s personal information; • Commitment to customer privacy and security; • Appropriate technology choices in the development of programs and safeguarding of information; • Information privacy and security risk assessments that include an analysis of the impact to the organization; • Compliance and risk mitigation plans; • Operational policies and procedures that augment IT solutions, i.e.,, role-based access and use authorizations • Employee Training and Accountability • Implementation of Oversight Audits
Internal Data Governance Model • Begins with a Privacy Assessment and Data Mapping of each enterprise program and record collection system that collects information about any individual through one or multiple information systems. • Determine the purpose and necessity of the information collected, used, retained, or shared, the appropriateness of technology choices, as well as data security. • What laws apply? What are U.S. and international consumer expectations? Transparency? What is the impact to the organization and its customers from a possible breach, security vulnerability or loss of consumer confidence from the handling of their personal information? • Benchmark policies and operational practices against fair information practices principles, legal requirements, and consumer expectations. • Establish written policies and procedures and internal risk management and accountability mechanisms.
Information Security • Security Breaches continued to be a top news item in 2006 – effecting consumer confidence and U.S. businesses • By the 3rd Quarter of 2006, 192 information security breaches were reported by the Identity Theft Resource Center • 120 million individuals were potentially affected • Costs to business soared -- $182 per compromised record (up 30 % from 2005) according to the Poneman Institute • Harris Poll of Sr. Executives – 61 % listed security breaches as higher concern than other crises, including terrorism, corporate malfeasance, product recalls, or workplace violence.
Information Privacy and Security: U.S. Legal Requirements • GLB’s Safeguards Rule • Applies to financial institutions, but . . . • HIPAA’s Security Rule • California’s AB 1950 and progeny • FACTA’s records disposal rule and state records disposition laws • State security breach notification laws • FTC Act Section 5
Patch Work of Legislative Responses • More than 35 State laws passed addressing consumer privacy – including security requirements and breach notification • Many federal bills introduced • Law passed addressing government data security
Who Else Cares? • Other interested parties • Credit reporting agencies • Credit card companies • Consider contractual obligations • File an incident report • Conduct an audit • Regulatory agencies • FTC and other relevant federal regulators • State agencies – NJ, NY, NC, NH, ME, HI
Protection and Prevention • Consistent with your business strategy for privacy and data security plan in the following areas: • Collect the minimum amount of personal information to accomplish your business purposes • From data flow inventories, classify information in records according to sensitivity and build in higher protections for more sensitive information • Build in appropriate policies, physical and technological safeguards for records • Require service providers and vendors to follow your privacy and security policies and procedures • Dispose of records in a secure manner
Where is the Greatest Risk? • Employees • Many security breaches are perpetrated by company employees • Conduct background checks • Train employees to spot issues • Provide whistleblower mechanisms • Monitor employees (as legally permissible)
Where is the Greatest Risk? (cont’d) • Vendors • Conduct due diligence • Identify and examine key vendor contracts • Analyze scope and substance of confidentiality and data security obligations • Examine data return and destruction provisions • Request that existing key vendors provide information about privacy and information security policies and practices • Conduct ongoing monitoring
Plan in Advance • Identify and train a data breach response team • Know where personal information is stored • Develop written policies and procedures • Understand your legal obligations • Involve PR/communications group and IT group • Conduct post-incident performance review and revise procedures accordingly
Minimizing the Risk • Concern and focus must come from the top • Integrate the concern for information security into your organizational ethic and train employees • Need accountability and strong audit procedures • Re-evaluate security systems and policies on an ongoing basis • Take prompt action in the event of a breach • Be able to explain what you have done and why • Prevention is the primary goal
Maureen Cooney Counsel, Privacy and Information Management PracticeSenior Policy Advisor for Global Privacy Strategies, Center for Information Policy Leadership Hunton & Williams LLP(202) firstname.lastname@example.org Questions?