Privacy & Data Security
Jennifer Coughlin, Esquire
American Fraternal Alliance Compliance Days, May 21, 2013 – Oak Brook, IL


Presentation Transcript


  1. Privacy & Data Security
     Jennifer Coughlin, Esquire
     American Fraternal Alliance Compliance Days, May 21, 2013 – Oak Brook, IL

  2. What is Cyber Risk?
     “The chance of injury, damage or loss from an electronic exposure that can result in an adverse impact on a business” (Source: NetDiligence)
     • Data Breach – Unauthorized access, use, acquisition or disclosure of information

  3. Whose information is at stake?
     • Employees
     • Clients, patients and customers
     • Contracted partners (PII belonging to other businesses)

  4. What information is at stake?
     • Personally identifiable information (PII)
       • Name PLUS social security number, financial account information, driver’s license, medical insurance ID number, passport, date of birth
       • Broader view: email addresses, phone numbers, zip codes
     • Protected Health Information (PHI)
     • Payment Card Industry (PCI) information

  5. How is information at stake? Internal Threats
     • Unnecessary access
     • Misdirected emails
     • Loss of unencrypted devices
     • Internal system security and software
     • Theft of data by employees
     • Misplacement of devices
     Source: Ponemon Institute

  6. How is information at stake? External Threats
     • Hacking of internal servers and databases
     • Viruses that gather PII and PHI
     • Theft of devices
     • Posting PII online in a public forum
     • Breaches in the “Cloud”
     • Third party vendors
     Source: Ponemon Institute

  7. Data Creates Duties
     To protect, preserve and defend.
     • What data do you collect, and why?
     • Where is it? How well is it protected?
     • Who can access it?
     • When do you purge it?

  8. State Regulations: Notice
     • 46 states & 4 U.S. jurisdictions require notice to customers after compromise of PII
     • Required time to notice: most expedient manner possible (no later than 45 days in FL, OH, and WI)
     • Some states require notice to State Attorneys General, consumer protection agencies
     • Some states require specific notification content
     • Issues: competing definitions of “Breach” and other terms
     • Lack of common law

  9. State Regulations: Examples
     Massachusetts 201 CMR 17: Standards for the Protection of Personal Information
     • Mandates procedures to reduce the likelihood and impact before a breach
     • Applies to all businesses, wherever situated, that store Massachusetts residents’ PII
     • Requires a “written information security program”
     • Specific technical requirements for user IDs, passwords, encryption, firewalls, data storage on laptops

  10. PCI DSS
     • Set of data use rules and standards created by the Payment Card Industry
     • Privately enforced against merchants that accept credit cards
     • Must encrypt certain stored credit card information
     • Can never store CVV codes
       • CVV code is used only when the card is not present
     • Must have written policies that address ongoing security requirements
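The two technical points on this slide (encrypt what card data you keep, never keep the CVV) translate into a small amount of code at the point where an application decides what to write to its database or logs. The block below is an added example, not material from the presentation or from the PCI Security Standards Council: it builds a storage record that drops the CVV and keeps only a masked PAN plus a keyed token, and it walks any stored record to flag sensitive authentication data or a clear-text card number. The HMAC-based token, the `TOKEN_KEY` constant, and the field names are assumptions standing in for a real tokenization or encryption service.

```python
"""Added example: card-data handling at rest following the slide's PCI DSS points.
Assumptions (not from the presentation): HMAC-SHA256 tokens stand in for a
tokenization/encryption service, and TOKEN_KEY stands in for an HSM-held key."""
import base64
import hashlib
import hmac
import re

# Sensitive authentication data: must never be persisted after authorization.
PROHIBITED_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track_data", "pin", "pin_block"}

# Hypothetical key; a real deployment keeps this in a key-management service or HSM.
TOKEN_KEY = b"example-key-do-not-use-in-production"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; every real card number passes it, which makes it a cheap
    filter for telling PANs apart from other long digit strings."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the most PCI DSS allows to be displayed)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str) -> str:
    """Keyed, non-reversible reference for the PAN. Base32 output is used so the
    token itself can never look like a run of decimal digits to a scanner."""
    digits = re.sub(r"\D", "", pan).encode()
    mac = hmac.new(TOKEN_KEY, digits, hashlib.sha256).digest()
    return base64.b32encode(mac).decode()


def prepare_for_storage(authorization: dict) -> dict:
    """Build the only record that may reach a database, queue or log.
    The CVV is simply never copied out of the authorization request."""
    pan = authorization["pan"]
    return {
        "cardholder": authorization.get("cardholder", ""),
        "pan_masked": mask_pan(pan),
        "pan_token": tokenize_pan(pan),
        "expiry": authorization.get("expiry", ""),
        # no "cvv" key at all: dropping it is the only compliant option
    }


def find_violations(record) -> list:
    """Walk a stored record (nested dicts/lists/strings) and report prohibited
    fields and clear-text card numbers, with the path where each was found."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() in PROHIBITED_FIELDS:
                    found.append(f"{path}{key}: sensitive authentication data stored")
                walk(value, f"{path}{key}.")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}].")
        elif isinstance(node, str):
            # 13 to 19 digits, optionally separated by spaces or dashes
            for m in re.finditer(r"\d(?:[ -]?\d){12,18}", node):
                if luhn_valid(re.sub(r"\D", "", m.group())):
                    found.append(f"{path.rstrip('.')}: clear-text PAN")

    walk(record, "")
    return found


if __name__ == "__main__":
    # Constructed sample authorization (test card number, not a real account).
    auth = {"cardholder": "A. Example", "pan": "4111 1111 1111 1111",
            "expiry": "12/25", "cvv": "123"}
    stored = prepare_for_storage(auth)
    print("stored record:", stored)
    print("violations in stored record:", find_violations(stored))
    leaky = {"cvv": "123", "memo": "paid with 4111-1111-1111-1111"}
    print("violations in leaky record:", find_violations(leaky))
```

`find_violations` is the piece worth running over real data stores and log archives: the "never store CVV" rule is usually broken not by the payment module but by a debug log or a support-ticket note that copied the whole request.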

  11. Litigation
     Causes of Action
     • Common law negligence
     • Statutory right of action
     • Consumer Protection violations
     • Contract
     Lawsuits
     • Single Plaintiff
     • Class Action
     • Government Action
     • Banks
     • PCI

  12. Defending the Lawsuit/Action
     Injury and Standing
     • Tri-West, Starbucks, Hannaford
     Specialized considerations when defending a data breach class action
     • Multi-District Litigation
     • Motions on standing, damages and causation
     • Class certification discovery
     • Joinder of all necessary parties
     • E-Discovery Experts

  13. Data Breach Response
     • Discovery of data exposure event
     • Response team
     • Evaluation
     • Notification
     • Regulatory follow up

  14. Is It A “Breach”?
     • Legal question
     • What systems were accessed and is the breach over?
     • What kind of data and how many individuals affected?
     • Has the personal information been misused? Is it likely to be misused?
     • What do notices have to say?
     • What will regulators, federal and state, and plaintiffs do?

  15. Breach Response
     Data Breach Coach – Legal counsel
     • Manage investigation and contracts (privilege and control) and costs of breach response vendors
     • Legal compliance – addressing individuals, regulators and public messaging
     • Litigation hold
     • Litigation prep

  16. Response Team Vendors
     • Forensic IT investigators
     • Public Relations
     • Printing, mailing and call-center services
     • Credit monitoring, identity theft restoration

  17. Breach Costs
     • Assessing and responding to breach
     • Legal compliance and attorneys’ fees
     • Harm to brand and reputation
     • Remediation and ongoing auditing
     • Costs depend on the breach

  18. Costs (cont.)
     • Third Party Claims – credit monitoring, fraud restoration, time, emotional distress
     • Statutory damages
     • Civil Fines
     • Defense of actions
     • Rebuilding and evaluation of compromised network

  19. Evaluate the Risks
     • Have you ever experienced a data breach?
     • Do you collect, store, or transfer any personal, financial or health data?
     • Do you outsource computer network operations?
     • Do you outsource data or network management?
     • Do you share data with business partners or vendors?
     • Does your posted Privacy Policy actually align with your internal data management practices?
     • Have you had a recent cyber risk assessment?

  20. Managing the Risks
     • Mock breaches – aka “tabletop exercises”
     • Limit online access to data storage servers
     • Policies not enough
     • Destruction of hard drives to remove all PII
     • Limit data maintained or made available
     • Encrypting laptops, smartphones, etc.

  21. Prevention/Preparation Takeaways
     “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident.”
     – Zappos CEO, Tony Hsieh
     ASSESS  PREPARE  INSURE

  22. Questions?

  23. JENNIFER A. COUGHLIN
     jcoughlin@nldhlaw.com
     215-358-5132
     Jennifer focuses her practice on privacy and data security matters, assisting clients in navigating the complex national and international laws governing the safe-keeping of data and what is required when this information is accessed or released without authorization. She helps clients assess whether a data breach occurred, determine the manner in which the intrusion happened, identify the individuals whose information was accessed, determine what state, federal and foreign laws govern the client's notice of the data breach, and prepare legally sufficient notices to the affected individuals. Jennifer also offers pre-breach privacy and data security services, assisting clients in assessing any forensic and legal vulnerability within the client's practice and recommending proactive measures to address and mitigate the client's risk. Jennifer is recognized as a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals — a designation that recognizes her proficiency and knowledge of U.S. privacy and data security laws. Prior to Nelson Levine, she practiced with a multi-state firm, where she focused on defending insureds against labor, employment, property damage and malpractice claims. Jennifer holds a B.A. from Cabrini College (2002) and a J.D. from Widener University School of Law (2005).
