
Data Privacy Notification Rules Data Breach

Shareholder Services Association. Data Privacy Notification Rules Data Breach. Moderated by David McCrystal The Keane Organization. Coeur d’Alene, Idaho July 17, 2009. Panel. Catherine D. Meyer Pillsbury Winthrop Shaw Pittman LLP Jonathan D. Avila The Walt Disney Company





Presentation Transcript


  1. Shareholder Services Association Data Privacy Notification Rules Data Breach Moderated by David McCrystal The Keane Organization Coeur d’Alene, Idaho July 17, 2009

  2. Panel • Catherine D. Meyer • Pillsbury Winthrop Shaw Pittman LLP • Jonathan D. Avila • The Walt Disney Company • David L. Becker • BNY/Mellon • Peter C. Teuten • Keane Business Risk Management Solutions

  3. Disclaimer for all Presenters • THIS PRESENTATION IS SOLELY THE OPINION OF THE PRESENTERS. IT IS NOT THE OPINION OF THE WALT DISNEY COMPANY, THE KEANE ORGANIZATION, PILLSBURY WINTHROP SHAW PITTMAN, LLP, BNYMELLON, THEIR SUBSIDIARIES OR AFFILIATES, OR ANY OF THEIR OFFICERS OR DIRECTORS. • THIS PRESENTATION DOES NOT CONSTITUTE, AND SHOULD NOT BE RELIED UPON AS, LEGAL ADVICE. YOU ARE ENCOURAGED TO CONSULT YOUR OWN COUNSEL REGARDING THE APPLICATION OF ANY OF THESE OR OTHER LAWS TO YOUR COMPANY, TO YOUR CLIENTS, OR TO YOUR SPECIFIC CIRCUMSTANCES. THANK YOU.

  4. Data Breaches David L. Becker, Chief Compliance Officer, BNY Mellon Shareowner Services

  5. Breaches • What Works? • What Doesn’t? • What Does It Cost?

  6. What Works? • Prompt Responsiveness • Right Group of People (Legal, Risk Management, Operations, Senior Management) • Thorough Review of Data Involved • Notification When Appropriate

  7. What Doesn’t? • Delay • Disorganization • Concealment

  8. What Does It Cost? Darwin National Assurance Company, which offers a technology insurance product called Tech/404, has a calculator on its website to help you estimate what a loss will cost. According to this calculator, a loss with 100,000 affected records will cost, on average:

  9. Investigation • Consultants: $483,000 • Attorneys: $489,720 • Sub-Total: $972,720

  10. Notification • Customer Notification: $890,400 • Call Center Support: $630,000 • Crisis/Media Management: $422,520 • Sub-Total: $1,942,920

  11. Regulatory/Compliance • Credit Monitoring (2 years): $4,048,800 • Investigation Defense: $1,497,720 • State/Federal Fines/Fees: $3,176,880 • Sub-Total: $8,723,400

  12. Total • Investigation: $972,720 • Notification: $1,942,920 • Regulatory: $8,723,400 • Total Costs: $11,639,040 (for 100,000 records lost)

  13. TJX Cos. (June 2009) • 45.7 million credit and debit cards compromised • Consumer Suit: $30 cash or $60 voucher and 3 years credit monitoring, plus cost of obtaining new drivers’ license • Bank Suit: Undisclosed settlement terms • State Settlement: 9.75 million

  14. Unidentified Company (CSO magazine, April 2009) • 1 terabyte of data transmitted with private information • 4 weeks of investigation • Over $1 million in expense, and no breach notification required

  15. Security Breaches Are All Around Us • May 7, 2009: UC Berkeley reports theft of data on 160,000 current and former students • January 20, 2009: Credit card information of 100 million people compromised via hacking into a wireless network • January 6, 2009: Checkfree announces data breach exposing up to 5 million people to a Ukrainian attack site • January 26, 2006: ChoicePoint to pay $15 million for data breach

  16.

  17. Catherine D. Meyer, Pillsbury Winthrop Shaw Pittman LLP • catherine.meyer@pillsburylaw.com • Jonathan D. Avila, The Walt Disney Company • Jonathan.Avila@disney.com • David L. Becker, BNY Mellon • david.becker@bnymellon.com • Peter C. Teuten, Keane Business Risk Management Solutions • pteuten@keanebrms.com

  18. Shareholder Services Association Data Privacy Catherine D. Meyer Pillsbury Winthrop Shaw Pittman LLP

  19. Regulatory Developments: Trends • Greater specificity in the security measures required by State and Federal regulations • Greater sensitivity to identity theft • Expansion of regulations beyond electronic format to paper • States imposing their data security laws on “foreign” businesses

  20. What security measures are required? Federal • Fair and Accurate Credit Transactions Act (FACTA) • Identity Theft Red Flags Program: Written Plan (August 1, 2009) • FACTA data destruction: Social Security Number and Consumer Report information must be shredded, burned or rendered unreadable. State • Massachusetts: Data security plan; encryption of data in transit and on portable devices (January 1, 2010) • Nevada: Encryption of data in transit • Connecticut: Published Social Security Number Policy; Data Security and Destruction

  21. Data Protection What information must be protected • Name and Social Security, Taxpayer ID number or driver’s license number • Name and financial account number • Consumer report information (Information that would be used for determining eligibility for credit, employment or insurance including mode of living, creditworthiness, credit standing, credit capacity, character, general reputation or personal characteristics)

  22. Federal Data Protection Requirements FACTA FACTA document destruction rules • Consumer report information must be disposed of in a manner that renders it unreadable • Includes name and Social Security or Taxpayer ID number, financial account number • May include stock ownership information to the extent that indicates creditworthiness

  23. State Data Security and Destruction • State statutory obligation to protect personal information of state residents against unauthorized access, destruction or misuse (9 states currently) • State statutory obligation to destroy documents or data containing personal information of state residents (25 states currently) • State statutes prohibiting public display or disclosure of Social Security Numbers (27 states currently)

  24. Identity Theft Red Flags Rule (72 Fed. Reg. 63718) Applies to “financial institution” or “creditor” that maintains “covered accounts” or “service provider” • “Creditor” is one who provides goods or services for deferred payment • “Service Provider” performs services on behalf of financial institution or creditor for covered accounts.

  25. Are you impacted? • A “covered account” is: • a consumer account designed to permit multiple payments or transactions, or • any other account for which there is a reasonably foreseeable risk from identity theft (a fraud committed or attempted using the identifying information of another person without authority) • Brokerage account vs. shareholder account

  26. Identity Theft Prevention Program Financial institutions and creditors with covered accounts must implement a written “Identity Theft Prevention Program” to detect, prevent, and mitigate identity theft in connection with the opening or operation of a covered account. Program is flexible and tailored to company’s experience. Program uses Red Flags: Circumstances, patterns, practices or specific activities that indicate the possible existence of identity theft (the use of personal information of another to obtain access to or funds from covered accounts) Enforced by FTC under FACTA – no private right of action

  27. Elements of Red Flags Program • Assess Risk, Identify, Detect and Respond appropriately to any red flags that are detected • Periodically update to address changing risks • Board of Directors’ initial approval and continuing oversight (may be delegated to appropriate committee) • Incorporate existing policies and procedures, e.g., for data security, Customer Information Procedures, and incident response • Train staff as needed • Oversee service provider arrangements

  28. Massachusetts “Standards for the Protection of Personal Information of Residents of the Commonwealth” (201 Mass. Code Regs. § 17.00) • Purpose: To establish “minimum standards to safeguard personal information in both paper and electronic records.” • Compliance Deadlines: January 1, 2010 • General compliance with the new standards, with third-party service provider requirements and encryption of laptops • Obtaining compliance from third-party service providers and encryption of all other portable devices

  29. Massachusetts • Who Must Comply? • “…persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.” • Personal Information • Massachusetts resident’s name and data element (Social Security Number; Driver’s License or ID Card Number; or Financial Account Number or Credit or Debit Card Number). • A presence in Massachusetts is not required to be liable under the Regulation. • Written Program Required – contrast with Red Flags Program • Regulations allow for flexibility to tailor each organization’s Program.

  30. Program Requirements: Massachusetts vs. Red Flags • Massachusetts: Designate responsible employee • Identify/assess risks to security/confidentiality/integrity of personal information • Employee security policy • Discipline • Terminated employees • Service Providers • Limit info amount, time and access • ID records and media included • Record access restrictions • Monitoring • Annual review • Incident response documentation • Red Flags: Designate responsible employee • Identify/assess identity theft risks to security/confidentiality/integrity of personal information • Discipline/compliance • Service Providers • Monitoring and training • Annual review • Incorporate related policies and procedures such as incident response documentation

  31. Massachusetts Compliance Considerations • Review information security policies and procedures • Review electronic and physical record retention policies and procedures • Encryption measures on all portable devices that contain personal information • Non-Massachusetts-based businesses should consider incorporating requirements in their information security programs • Review outsourcing agreements to verify that service providers with access to personal information are contractually bound to maintain sufficient safeguards

  32. Massachusetts If storing or transmitting personal information, the plan must address: (1) user authentication protocols; (2) security access control measures; (3) encryption of records that travel across public networks; (4) monitoring systems for unauthorized access; (5) encryption of personal information stored on portable devices; (6) updating firewalls and system security; (7) maintaining current virus protections; and (8) training for employees on computer security and protecting personal information.

  33. Connecticut: An Act Concerning the Confidentiality of Social Security Numbers (Public Act No. 08-167) • “Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed.” • Effective Date: October 1, 2008 • Penalties: Provides for fines of $500 per violation not to exceed $500,000.

  34. Nevada: Restrictions on transfer of personal information through electronic transmission (Nev. Rev. Stat. § 597.970) • Prohibits unencrypted electronic transfer of customer information outside a company’s system. • Facsimiles excepted • Effective Date: October 1, 2008

  35. Nevada Significant Features • First state law to mandate a specific type of security measure (encryption) for personal information. • Applies to any organizations “doing business in Nevada.” This standard can include out of state businesses. • Applies to all of a business’s customers, not just Nevada-based customers. • Transmissions that remain within a business and faxes are excluded from the requirement. • Penalties for non-compliance are not specified in the statute.

  36. Program Development • Designate senior management team • IT, compliance, legal, fraud/risk management • Establish a formal timeline • Allow adequate time for testing and training • Contact vendors and service providers who may need to develop compliant programs

  37. Integration Challenges • Integration with Existing Programs • Management Oversight • Documentation of Program • Board Approval • Resources • Budget/Procurement Cycle • Flexibility • Vendor Management

  38. Board Considerations • Financial commitment • Operational compliance • Reputation and litigation risks • Allocation of existing corporate resources • Leverage existing controls if possible • Coordination of compliance initiatives • Appropriate to size and complexity of entity • Dependent on nature and scope of activities

  39. Shareholder Services Association Data Security Breach Notification Laws: The U.S. Model(s) Jonathan D. Avila Vice President – Counsel, Chief Privacy Officer The Walt Disney Company

  40. Overview • History of legislation • Elements of California model • Non-California Variations • Compliance challenges

  41. History • First enacted in California (effective 7/1/03) • Choicepoint as accelerator in other states • Divergence from California model • Broadening Calif. statute • Narrowing Calif. statute

  42. California Model • Purpose: (c) Identity theft is one of the fastest growing crimes committed in California. Criminals who steal personal information such as social security numbers use the information to open credit card accounts, write bad checks, buy cars, and commit other financial crimes with other people's identities. (d) Identity theft is costly to the marketplace and to consumers. (e) According to the Attorney General, victims of identity theft must act quickly to minimize the damage; therefore expeditious notification of possible misuse of a person's personal information is imperative. Calif. Senate Bill 1386 Preamble

  43. California Model • Basic requirement: “Any . . . business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Cal. Civ. Code §1798.82 (a)

  44. California Model • Obligation of data processors: “Any . . . business that maintains computerized data that includes personal information that the . . . business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery if the personal information was or is reasonably believed to have been, acquired by an unauthorized person.” Cal. Civ. Code §1798.82 (b)

  45. California Model • Definition of “breach”: “For purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” Cal. Civ. Code §1798.82 (d)

  46. California Model • Definition of “compromise”: “to expose or make vulnerable to danger . . . ; jeopardize. Such mistakes compromise our safety.” Random House Webster’s Collegiate Dictionary

  47. California Model • Activity that is not a “breach”: “Good faith acquisition of personal information by an employee or agent of the . . . business for the purposes of the . . . business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.” Cal. Civ. Code §1798.82 (d)

  48. California Model • Original definition of “personal information”: “For purposes of this section, ‘personal information’ means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: • Social security number. • Driver's license number or California Id Card number. • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.” Cal. Civ. Code §1798.82 (e)

  49. California Model • Addition to “personal information”: “Medical information” – “any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.” “Health insurance information” – “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.” Cal. Civ. Code §1798.82 (f)(2), (3)

  50. California Model • Exclusion from “personal information”: “For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.” Cal. Civ. Code §1798.82 (f)
