
How Safe Is Your Data?

Presentation Transcript


  1. How Safe Is Your Data?
  Top Data Protection Issues Keeping Executives Awake at Night
  Ann LaFrance (London), Andy Kruppa (Miami), Gary Timin (Miami)
  May 22, 2014

  2. Agenda
  • Overview
  • US Cyber Risk Developments and Laws
  • Florida Information Protection Act of 2014
  • Data Protection Developments in the European Union
  • Practical Compliance Tips and Best Practices for Data Breach Response
  • Cyber Risk Insurance Issues
  • Questions

  3. “[W]e don’t see any industries flying completely under the radar. And that’s the real takeaway here – everyone is vulnerable to some type of [data breach] event.” – [Verizon’s 2014 Data Breach Investigations Report]
  • Examples: Adobe [153 million user accounts], Bell Canada, Gawker [1.3 million users], Snapchat [4.6 million users], Sony [multiple breaches], Vodafone, Yahoo, Target, etc.
  • The top nine sources of data breaches are the following: POS intrusions, attacks on web applications, insider misuse, physical theft/loss, errors, crimeware, card skimmers, denial of service attacks, and cyber-espionage.

  4. The Cost of Services to Respond to a Data Breach
  • The cost of a data breach is on the rise
  • Corporate Counsel reports the average two-year cost rose in the US by 8% to $5.85M in 2013
  • The average cost per record was $201
  • In Europe the reported average two-year cost was $3.5M ($145/record)

  5. US Cyber Risk Developments and Laws

  6. Federal Statutory Framework
  • Gramm-Leach-Bliley Act
  • Federal Trade Commission Act
  • Fair Credit Reporting Act/FACTA
  • SEC disclosure requirements
  • Federal Sector Requirements (not going to be addressed here)
    • Privacy Act
    • Federal Information Security Management Act
    • OMB’s Breach Notification Policy
    • Veterans Affairs Information Security Act
  • Children’s Online Privacy Protection Act
  • HIPAA/HITECH
  • Numerous pending federal bills (See, e.g., S.B. 1193)

  7. Gramm-Leach-Bliley Act [codified within 15 U.S.C. §§ 6701-81, 6801–27, 6901-10 and elsewhere]
  • For financial institutions and requires:
    • Notice of their privacy policies
    • Safeguarding customer information
    • Protection against any threats to records
    • Protection against unauthorized access/use
  • “Financial institutions” are businesses engaged in certain financial activities, including banking, lending, insurance and other financial activities
  • Prohibited from disclosing “nonpublic personal information” to third parties without (1) providing customers with a notice of privacy practices, and (2) an opportunity to opt-out

  8. Federal Trade Commission Act [15 U.S.C. §§ 41-58]
  • Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.”
  • The FTC has alleged that companies who fail to protect data after promising to do so have acted deceptively.
  • The FTC has also prosecuted as unfair a company’s failure to employ reasonable security measures to protect consumers’ personal information. E.g., Wyndham case.
  • The FTC has entered into a number of consent orders requiring the defendants to implement information security programs (e.g., B.J.’s Wholesale Club, DSW, Inc., and Card Systems).
  • The largest civil money penalty ever assessed by the FTC was $10 million – arising from a data breach of personal financial records from a consumer reporting company that resulted in at least 800 cases of identity theft.

  9. SEC Data Breach Disclosure Guidance
  • SEC regulations may require public companies to disclose:
    • Any material cyber-security risks
    • Costs associated with preventing cyber risks
    • Data breaches
    • Legal proceedings pertaining to data breaches
    • Disclosure control and procedures designed to prevent cyber security risks
  Division of Corporation Finance, Securities and Exchange Commission – “CF Disclosure Guidance: Topic No. 2, Cybersecurity”

  10. Fair Credit Reporting Act, Fair and Accurate Transactions Act [15 U.S.C. § 1681 et seq.]
  • The Act and its requirements only apply to entities that fall within the definition of a “consumer reporting agency,” and only to products that fall within the definition of a “consumer report.”
  • Credit bureaus must ensure that: (1) a consumer’s information is used only for limited purposes; (2) “reasonable procedures” are employed to limit consumer reports to those with a permissible purpose; and (3) the accuracy of information in a consumer’s report.
  • “Permissible purposes” include decisions involving credit, insurance, or employment as well as providing reports to persons having “a legitimate business need” for the information in connection with a consumer-oriented transaction.

  11. Fair and Accurate Transactions Act
  • The Fair and Accurate Transactions Act (“FACT Act”) amended FCRA to add requirements designed to prevent identity theft and assist identity theft victims.
  • The FTC enforces FCRA/FACT, and a violation is deemed to be an unfair or deceptive act or practice in violation of section 5(a) of the FTC Act.
  • There are various penalties for violating the FCRA: actual damages sustained by a consumer, plus costs and attorneys’ fees; punitive damages for willful violations; fines; and injunctive penalties.
  • Carsten v. University of Miami, US Dist. Ct. for the Southern District of Florida, No. 14-cv-20497 (“UM Data Breach Lawsuit”)

  12. State Data Breach Notification Laws

  13. State Statutory Framework Generally
  • Personal Information: An individual's first name or first initial and last name plus one or more of the following data elements: (i) SSN, (ii) driver's license or state ID number, and (iii) account number, credit card number or debit card number combined with the PIN/access code.
  • Personal Information does not include information that is lawfully publicly available.
  • Breach of Security: The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.

  14. State Statutory Framework Generally
  • Time-Sensitive Notification: States have differing requirements on when and how notifications must be sent out to individuals.
  • Risk of Harm Analysis: Some states allow for exceptions to their notification requirements upon an assessment of the risk of harm to the affected individuals.
  • Encryption Safe Harbor: States have different laws affecting the definition of a breach and the notification requirements based on whether the data was encrypted.
  • Private Cause of Action: Some states explicitly allow for a private cause of action resulting from a data breach; others explicitly exclude such a cause of action from their statutes.
  • Paper or Electronic: States also differ as to whether their laws affect only electronic materials, paper materials, or both.

  15. Contractually Imposed Industry Self-Regulation
  • The Payment Card Industry Data Security Standard (PCI DSS) is an industry regulation developed by bank card distributors.
  • The PCI DSS requires organizations that handle bank cards to conform to certain security standards, such as maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, monitoring and testing networks, and maintaining an information security policy.
  • Entities that fail to comply with PCI DSS face fines and increases in the rates that the credit card companies charge for transactions, and potentially can have their authorization to process payment cards revoked.
  • Legislation has been passed in the Texas House mandating compliance with the PCI DSS standard.

  16. Common Law Causes of Action
  • Negligence – a number of courts in a number of states have acknowledged a legal duty to secure personal information.
  • Negligent misrepresentation – cases have proceeded on the theory that defendants have impliedly represented that they will protect data.
  • Contract law claims – where explicit commitments have been made about data security, plaintiffs have sued on those contractual duties.
  • Breach of fiduciary duty claims require that plaintiffs show a relationship of trust, but have been used to sue when data breaches have occurred.
  • Consumer law claims.

  17. Emerging Enforcement and Litigation
  • Target
  • Wyndham
  • University of Miami

  18. Target Data Breach
  • In December 2013, hackers gained access to 70,000,000 users’ credit/debit card information, as well as other PII.
  • Data was lifted by uploading malware via Target’s POS devices.
  • The data breach triggered so many lawsuits that an MDL was created. So far, 33 lawsuits, in 18 districts, and more than 50 actions and potential tag-along actions have been filed.
  • Among other things, Target has been sued by both banks and customers for negligence, violating customers’ privacy rights, breaching fiduciary duties, and for failing to disclose the breach in a timely manner.
  • The lawsuits also allege Target failed to meet the PCI Data Security Standard because the three-digit CVV codes were stored on Target’s system in violation of the standard.
  • Shareholder derivative suit filed.
  • CEO Greg Steinhafel asked to resign.

  19. Wyndham Data Breaches
  • From 2008 to 2010, Wyndham sustained three data breaches to more than 600,000 consumer credit/debit card numbers, with over $10 million in known resulting fraud losses.
  • The FTC filed enforcement action against Wyndham alleging, among other things, that Wyndham’s failure to implement a reasonable security policy violated § 5(a) of the FTC Act and constituted an unfair trade practice.
  • FTC seeks an order compelling Wyndham to improve security and remedy consumer harm caused.
  • The New Jersey District Court refused to dismiss: “[T]his Court [refuses] to dismiss the FTC’s complaint on fair notice grounds [because of, among other things,] the FTC’s many public complaints and consent agreements, as well as its public statements and business guidance brochure . . .”.
  • Wyndham has moved to certify an interlocutory appeal, with a number of parties filing amici briefs, and the FTC opposing.

  20. Wyndham Data Breaches
  • A shareholder derivative lawsuit has been filed against the company’s directors and officers for allowing three data breaches in under two years.
  • Among other allegations, the Complaint alleges the company was damaged by Wyndham’s:
    • Failing to have adequate information security policies
    • Using system software that ceased having security updates three years before the first breach
    • Having inappropriately configured software
    • Failing to timely disclose the breaches in financial filings
    • Failing to have internal controls to prevent and detect breaches
  • The substantive claims are for breach of fiduciary duty, corporate waste, and unjust enrichment.

  21. University of Miami
  • Class action against the University of Miami
  • Alleged failure to secure PII (names, DOB, SSN, health info)
  • Breach occurred by unauthorized access to PII of “thousands of former patients” by a UM employee of UM’s computer records at an offsite vendor
  • The vendor was not sued (so far, no indemnity action by UM)
  • UM allegedly failed to timely notify the affected parties of the breach, although it did offer free credit monitoring when the breach was reported
  • Class representative suffered financial loss by identity theft (bank account withdrawals, unauthorized purchases, and false tax returns)

  22. University of Miami
  • Claims for Relief
    • I. Negligence (breached by failing to safeguard PII and failing to timely notify of breach)
    • II. Negligent Misrepresentation (misrepresented UM would keep PII private/secure)
    • III/IV. FCRA (UM took credit info for establishing eligibility for credit for medical treatments; violated by not having reasonable procedures to safeguard and by allowing access to unauthorized third parties)
    • V. FDUTPA (UM represented there was a secure online environment for PII, which was breached by UM’s failure to take reasonable steps to protect and by failing to timely notify affected patients)
    • VI. Breach of Fiduciary Duty (fiduciary duty to safeguard PII breached by failure to safeguard and notify)
    • VII. Breach of Contract (UM breached contractual duty to keep PII secure and notify of a breach within 60 days)
  • UM filed a motion to dismiss the amended complaint, which is fully briefed and remains pending

  23. Many Others
  • Snapchat [FTC settlement re: truth of privacy claims]
  • LabMD [FTC action over HIPAA covered entity security]
  • University of Pittsburgh Medical Center
  • Facebook
  • Path
  • LinkedIn
  • eBay [May 21, 2014 – stolen employee login credentials]
  • Neiman Marcus [1.1 M cards exposed]
  • Michaels Stores

  24. Target, Wyndham, and UM – Takeaways
  • Even some large businesses have failed to take security as seriously as they should
  • Company directors and officers are at risk
  • Breaches put the company at risk for reputational harm, FTC liability, damages, and remediation costs
  • Data breaches can be massively expensive
  • A proper, timely response is critical to the defense of potential enforcement actions or civil claims
  • Data breach class actions and shareholder derivative suits are on the rise

  25. Florida Information Protection Act of 2014

  26. New Act Replaces Current Statute
  • Current (since 2005): 817.5681, F.S.
    • DLA may seek “administrative fines” up to $500K for failure to report breach promptly if and as required
    • Reporting obligations & penalties are broadly similar to new Act, but with many technical differences
    • No reported enforcement or cases
  • New: 501.171(1)-(10), F.S. (SB 1524)
    • Becomes effective 7/1/2014
    • Awaiting Governor action
    • Continues DLA enforcement but broadens duties and scope
  • Companion Public Records Exemption: 501.171(11) (SB 1526)
    • Exempts “all information” DLA receives pursuant to (a) required notice OR (b) DLA investigation while “active” – UNLESS DLA discloses.
    • Personal info (defined), proprietary info (defined), “computer forensic report” and “weaknesses … in data security” are exempt indefinitely.

  27. Three Basic Duties
  • Protect electronic “personal information”
    • Vaguely worded
  • Promptly give notices of “breaches”
    • ‘Recipe’ with many specifics (later slides)
  • Dispose of unneeded “customer records”
    • Vague

  28. Key Defined Terms
  • Personal Information
  • Data in Electronic Form
  • Breach of Security
  • Customer Records
  • Covered Entity
  • Governmental Entity
  • Third-Party Agent

  29. “Personal Information”
  • User name OR email, PLUS password OR security Q&A that “permit[s] access to an online account” [undefined phrase] OR
  • First name or initial AND “last name” AND any of:
    • SSN
    • Gov’t ID number (driver license, passport, military, etc.)
    • Financial account # OR credit or debit card # PLUS password or access or security code
    • ANY medical information
    • Health policy or subscriber # AND “unique identifier used by a health insurer” [undefined]

  30. Two Exclusions from “Personal Info”
  • “Information about an individual . . . made publicly available” [undefined] by any [U.S.?] “governmental entity.” (but from context, not “gov’tal entity” as defined)
  • Any information “encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.” [no terms defined]

  31. “Covered” & “Governmental” Entities
  • “Covered Entity” – Any “commercial entity” that “acquires, maintains, stores, or uses personal information.”
    • May exclude political, charity & some non-profit organizations
    • For breach notice requirements only, also includes “governmental entities”.
    • NOT limited based on location(s) of business or of information storage or use, or on whether transacting business in Florida
  • “Governmental Entity” – Any Florida department, division, agency, board, district, etc., or “other instrumentality” of Florida that acquires, maintains, stores or uses electronic personal info.
    • Cities? Counties? Does “division” include “subdivision”?

  32. Two Other Definitions
  • “Breach” = “Unauthorized access of data in electronic form containing personal info;” but not “good faith access” by employee or agent if info is not used for “unrelated” purpose and not “subject to further unauthorized use.”
  • “Customer Records” = “Any material, regardless of form, on which personal info is recorded or preserved by any means” [for ex., paper], “provided by an individual in this state” [so, not just residents] to purchase, lease or obtain anything.

  33. First Duty: Protect Personal E-Data
  • “Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal info.”
  • No definition, criteria, examples, or safe harbor for “reasonable measures”
  • Effects of changing technologies and mischief
  • “Secure” broader or stronger than “protect”?

  34. Second Duty: Give Notices of Breaches
  • Subject to limited exceptions, “covered entities” must give “expeditious” notice of all breaches:
    • To Department of Legal Affairs (DLA), if breach “affect[s]” at least 500 individuals in Florida
    • To all affected individuals in Florida, regardless of number – technically, to those “whose personal info was, or the covered entity reasonably believes to have been, accessed”
    • To consumer reporting agencies, if more than 1,000 notified
  • Breach incurred by third-party agent (as defined) treated as breach by its principal

  35. Notice Required to DLA
  • “As expeditiously as practicable” within 30 days after “determination of the breach or reason to believe a breach occurred.”
    • Up to 15 more days “if good cause for delay” shown
  • Substance of notice to DLA –
    • “Synopsis of the events surrounding the breach”
    • Number of individuals in Florida “potentially affected”
    • Free services offered to those affected
    • Copy of notice to affected individuals in Florida
  • DLA can require more info (including “policies in place regarding breaches” and steps taken to rectify)

  36. Notice to Affected Individuals
  • To all individuals in Florida whose personal info was, or entity “reasonably believes to have been,” accessed by breach.
  • “As expeditiously as possible and without unreasonable delay” in the circumstances, and within 30 days of determination or reasonable belief of breach.
  • Must delay per request of a law enforcement agency if agency considers notice interferes with a criminal investigation.
  • Exception (“waiver”): Notice not required if entity “reasonably determines” in writing, after an “appropriate investigation” and consulting with law enforcement agencies, that “breach has not and will not likely result in identity theft or other financial harm to” affected individuals. Must furnish such written determination to DLA.

  37. How to Notify Individuals
  • By snail mail or email to address in records
  • “Substitute notice” OK if over 500K affected individuals OR cost of direct notice over $250K
    • “Conspicuous notice” on website AND published in “major” print and broadcast media in area
  • Minimum notice contents –
    • Known or estimated date(s) of breach(es)
    • Description of accessed personal information
    • Contact information for more specifics

  38. Other Notices
  • If more than 1,000 individuals “at a single time,” notify consumer credit reporting agencies with nationwide consumer files.
  • “Third-party agent” = entity “contracted to maintain, store or process [any] personal info” for a covered or governmental entity.
    • Agent must notify principal of breach within 10 days
    • Principal then proceeds per statute to give notices
    • Violation of Act by agent attributed to principal

  39. Third Duty: Dispose of Old Customer Records
  • Each covered entity and third-party agent must “take all reasonable measures to dispose . . . of customer records containing personal information within its custody or control when the records are no longer to be retained.”
    • Retention time based on other law or policy?
  • Dispose by shredding, erasing “or otherwise modifying” personal info so it is “unreadable or undecipherable through any means.”
  • No definitions, criteria, examples, or safe harbor.

  40. Enforcement by DLA
  • New 501.171 is not part of FDUTPA, but in an action DLA brings under 501.207, any violation of Act is “an unfair or deceptive trade practice”.
  • Per 501.207, DLA may bring actions –
    • For declaration that any act or practice is a violation
    • To enjoin anyone committing past or present violation or who “is otherwise likely to violate” in the future
    • On behalf of consumers or government for their “actual damages” caused by a violation [no punitive damages]

  41. More on DLA Enforcement
  • If violator shows violation “resulted from bona fide error” despite reasonable procedures to avoid error, liable only for “unjust enrichment”.
  • DLA or “any interested party” may move for other equitable remedies, including inter alia:
    • appointment of magistrate or receiver
    • sequestration or freezing of assets
    • reimburse damaged consumers
    • adhere to consumers’ “reasonable expectations”
    • strike or limit “unconscionable” provisions
    • divest interest in enterprise

  42. Further on Enforcement
  • Failure to notify DLA or public as required: DLA recovers “civil penalty” up to $500K depending on duration of violation
    • “Per breach and not per individual affected”
  • Can DLA recover its legal fees and costs under 501.2075 if it recovers a civil penalty? Unclear
  • No private cause of action under 501.171
    • BUT, does Act create standards of care on which private plaintiffs can base tort actions?

  43. Data Risk Developments in the European Union
  • EU Data Protection Fundamentals
  • Draft EU Data Protection Regulation
  • Safe Harbor Controversy
  • European Court of Justice Judgment on Google Search

  44. 1) EU Data Protection Fundamentals

  45. 1) EU Data Protection Fundamentals
  • Data Protection Directive 1995
    • Establishes the baseline rules on how data is processed (including how it is obtained, retrieved, recorded, used, disclosed, stored and erased).
    • Applies to all types of personal data: employee, customer, supplier.
    • Applies directly to European subsidiaries of US companies in their domestic processing of personal data.
  • Each EU Member State has implemented the Directive with a national flavor, and there are some significant substantive and procedural differences among Member States within the EU.
  • The European Commission (“Commission”) has proposed sweeping changes to this Directive through the introduction of a Data Protection Regulation that will be directly applicable in each Member State (see Section C).

  46. 1) EU Data Protection Fundamentals (cont’d)
  EU Data Protection Principles
  There are 8 core data protection principles that must be respected by all companies processing EU personal data:
  • Personal data must be processed fairly and lawfully
  • Personal data shall be obtained and used for one or more specified purposes that have been notified to individuals (e.g. in a privacy policy)
  • Personal data shall be adequate, relevant and not excessive
  • Personal data shall be accurate and, where necessary, kept up-to-date
  • Personal data shall not be kept for longer than is necessary
  • Personal data shall be processed in accordance with the rights of data subjects (e.g. data subjects have the right to access and require rectification or deletion of their personal data)
  • Technical and organisational measures must be taken to prevent misuse, loss, damage or unlawful processing of personal data (higher security is required for sensitive data)
  • No transfer of personal data outside of the EEA (subject to exceptions)

  47. 1) EU Data Protection Fundamentals (cont’d)
  Comparison to US approach
  • In contrast to US practice, protection of personal data is considered a fundamental human right in the EU.
  • In the EU, there is a horizontal approach to regulation covering all industries and the rules are prescriptive – requiring compliance by EU companies with various procedural and substantive rules.
  • The EU prohibits the transfer of EU personal data to points outside the EU (and this includes remote access to EU personal data from points outside the EU), unless specified conditions are met.
  • The transfer of personal data within a corporate group or partnership is also caught by the prohibition/required conditions.
  • US-EU Safe Harbor, EU Model Clauses and Binding Corporate Rules

  48. 2) Draft EU Data Protection Regulation

  49. 2) Draft Data Protection Regulation
  • A new and highly controversial Regulation on data protection is currently being debated by the EU institutions and, if adopted, will become directly enforceable law in all EU Member States.
  Highlights
  • Scope/Jurisdiction:
    • The Regulation will apply to businesses with no physical presence in the EU if they process personal data in connection with the provision of services to or the monitoring of individuals in the EU.
    • The Regulation will apply even if the processing takes place outside the EU and even if no payment by the data subject is required.
    • Requirement for data subjects to be resident in the EU removed
    • Could apply where data subjects are temporarily travelling in the EU
  • Sanctions:
    • Maximum fines of up to EUR 100 Million or 5% of global turnover (whichever is higher) for serious breaches.
    • Private right of action for victims - non-pecuniary damage is covered.

  50. 2) Draft Data Protection Regulation (cont’d)
  • International Data Transfers:
    • If a non-EU government/court (e.g. under the Patriot Act) requests a company to disclose EU personal data, then, unless international treaties allow for such disclosure, the data controller or processor must:
      • notify the data protection authority without undue delay;
      • obtain prior authorization for the disclosure/transfer (based on public interest or in respect of legal claims); and
      • inform the relevant data subject(s).
    • As a result, companies operating outside the EU but storing/processing EU data will face a conflict of laws when deciding how to respond to non-EU regulatory requests.
    • For example, a company in the US could face contempt of court and criminal sanctions for failing to respond to US requests, or large fines from the EU if they do comply.
  • There is also a proposal to “sunset” the existing authorisation procedures (Safe Harbor adequacy decisions and standard clauses) after 5 years:
    • This raises issues about impact on long-term cloud and other outsourcing agreements involving international transfers from the EU.