Presenting a live 90‐minute webinar with interactive Q&A

Data Privacy and Security Compliance: y y pLegal and Business StrategiesCrafting and Implementing Security Policies and Responding to Breaches

T d ’ f l f

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

TUESDAY, FEBRUARY 15, 2011

Today’s faculty features:

Brian L. Hengesbaugh, Partner, Baker & McKenzie, Chicago

Yonaton Aronoff, Foley & Lardner, New York

The audio portion of the conference may be accessed via the

Robert D. Brownstone, Technology & eDiscovery Counsel; Co-Chair EIM Group,

Fenwick & West, Mountain View, Calif.

p ytelephone or by using your computer's speakers.

Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Continuing Education Credits FOR LIVE EVENT ONLY

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• In the chat box, type (1) your name, (2) your company name and (3) the number of attendees at your locationnumber of attendees at your location

• Click the arrow to send

Tips for Optimal Quality

S d Q litSound QualityIf you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-443-5798 and enter your PIN when prompted Otherwise please send us a chat or e mail when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing QualityTo maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key againpress the F11 key again.

Data Privacy and Security ComplianceData Privacy and Security ComplianceCrafting and Implementing Security Policies and Responding to Breachesp g

Brian Hengesbaughg gBaker & McKenzie (Chicago)brian.hengesbaugh@bakermckenzie.com

AgendaAgenda– Data security requirements– Breach notification requirements

– States– FederalFederal– International

– Take Aways

5

Data SecurityData Security R i tRequirements

6

D t S it R i tData Security Requirements–Data privacy and security laws*p y y–Breach notification statutes*–Tort law–Consumer protection law–Unfair competition law

I d t ifi l ti (t l i–Industry-specific regulations (telecom, insurance, banks, health care providers)

–Contracts (e.g., European standard contractualContracts (e.g., European standard contractual clauses)

–Industry standards (e.g., PCI)

7

Data Privacy and Security Laws– State Data Security Laws*– Gramm-Leach-Bliley Act (“GLBA”)

Safeguards RuleHealth Insurance Portability and– Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule

– Federal Trade Commission § 5– National Implementations of the EU

Data Protection Directive (95/46/EC)– Other emerging requirements

P ti Ti E ti t l– Practice Tip: Encryption controls (export controls as well as import and use) can conflict w/ data security requirements!

8

State Data Security Laws

– State Laws– “Reasonable” security standards (e.g., California)

– Specific data security obligations (e.g. Massachusetts)

– Special rules for SSNs (e.g. Michigan)

– Special rules for credit & debit card numbers (e.g.,Minnesota)

– Secure disposal laws (e.g.,Texas)

9

Massachusetts – A Sign of Things to Come?– Written Information Security Policy (WISP)– Administrative

– Identify and assess risks– Appoint data security managerpp y g– Employee training and discipline

– Physical– Restrictions on physical access to

documents and facilities– Technical (incl. specific standards)

– Encryption (portable devices + transmission across public networks and wireless)

– Secure access controls (not vendor supplied defaults)supplied defaults)

– Oversee service providers– Document responses to breach notifications– Penalties

$5 000 per violation attorneys’ fees and– $5,000 per violation, attorneys fees and restitution for losses suffered by individuals, as well as injunctive relief

10

BreachBreachN tifi ti LNotification Laws

11

Cost of Data Security Breach

Average cost of data security breach: $204/per compromised customer record.

Average cost per breach: $6.75 million.

Most costly breach this year: $31 million.

42 % of all breach cases These remain theBreaches at service-provider level:

42 % of all breach cases. These remain the most costly form of data breaches due to additional investigation and consulting fees.

12

Source: Ponemon Institute, U.S. Cost of a Data Breach Study, 2010 at http://www.ponemon.org/news-2/23

Key Concerns With State Breach Laws

– Data elements: SSNs, taxpayer ID numbers, driver’s license numbers, credit and debit card and bank account #s, health and medical data, complete date

f bi th di iti d l t i i t dof birth, digitized or electronic signature, and biometric data, etc. (NB: encryption generally safe harbor, but see CT Ins. Commissioner)

– Notice: – Individuals (all states, incl. content requirements

in some, e.g., MA, MD, NC),– Consumer reporting agencies (e.g., MN, FL), and – State agencies (e.g., NY, NJ, MA, MD).g ( g , , , , )

– Timing: As soon as reasonably possible and w/o unreasonable delay – FL, OH, WI - 45 days

CA (Med) + CT (Ins) 5 days– CA (Med) + CT (Ins) – 5 days

13

Definitions of “Breach”– “Reasonable belief” (e.g., California): “unauthorized acquisition, or reasonable belief

of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information.”

– “Misuse or harm” (e.g., Maryland): “unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a p y y p ybusiness. . . and [notification required] if it is likely that the breach has resulted or will result in the misuse of personal information of an individual residing in the State.”

– “May have been” (e.g., Indiana): “unauthorized acquisition of computerized data that compromises the security confidentiality or integrity of personal information Aftercompromises the security, confidentiality, or integrity of personal information . . . After discovering or being notified of a breach of security of data, the database owner shall disclose the breach to an Indiana resident whose . . . unencrypted personal information was or may have been acquired by an unauthorized person . . . ““E ti t f h b ” ( C ti t I B d) “– “Encryption not safe harbor” (e.g., Connecticut Insurance Board): “any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted.”

14

Protected Health Information – HITECH Act– Notification if breach of

"unsecured" protected health information (PHI) “Unsecured" defined generally to– Unsecured defined generally to be unusable, unreadable, or undecipherable (and NIST-approved);N ti /i 60 d f di– Notice w/i 60 days of discovery or "should have known"

– Content requirements for notice (date of breach, date of ( ,discovery, etc.)

– Notice to media and HHS if more than 500 people Direct application to covered– Direct application to covered entities and business associates

15

Gramm-Leach-Bliley Act (“GLBA”)– Consumer Financial Services Providers– Guidelines on Response Programs for

Unauthorized Access to Customer Information. Includes obligations to:

Establish and maintain a response– Establish and maintain a response program

– Establish appropriate contract terms with service providers

– Notify customers if misuse “ ibl ”“possible”

– Notify applicable regulatory agency, and

– Contain and control the incident.– Various other requirements to provide– Various other requirements to provide

reasonable security

16

C f B hConsequences of a Breach– Government investigations (FTC, HHS, State

AGs and non US authorities)AGs, and non-US authorities)– Consumer and employee class actions– Corporate customer and business partnerCorporate customer and business partner

actions– Bank class actions– Shareholder derivative claims– Adverse media attention and reputational

hharm

17

InternationalInternational i trequirements

18

Non-US Breach Notification Requirements

– Germany – Other emerging obligations: Canada, UK, Australia, Hong

K J dKong, Japan, and more….

19

German Security Breach Notification

– An information security breach obligation was implemented into German law on September 1, 2009: Section 42 (a) Federal Data Protection ActSection 42 (a) Federal Data Protection Act

– Obligation applies to illegal transfer or disclosure of certain personal data that may cause serious detrimentp yto the individuals at issue

– In the first year, 20 cases of data breaches were notified d S 42 FDPA i B i ( f 16 Gunder Sec. 42a FDPA in Bavaria (one of 16 German

States), which indicates information obligation is taken seriously.

20

Personal Data In Scope of Sec. 42a FDPA

– Special categories of data (Sec. 3 subsection 9 FDPA) (e.g., health/medical, race/ethnic origin, religion/philosophical beliefs, trade union membership, and sex life).

– Personal data protected by a professional secret. – Personal data that refer to punishable offenses or administrative

offenses or to the suspicion of punishable offenses oroffenses or to the suspicion of punishable offenses or administrative offenses.

– Personal data relating to bank accounts and credit card accounts.Personal data (base data and usage data) acc to Sec 93 (3)– Personal data (base data and usage data), acc. to Sec. 93 (3) Telecommunication Act; Sec. 15a Telemedia Act.

21

Sanctions

– Non-compliance (providing no information or being in default with providing the relevant information) may be subject to fines of up to EUR 300 000subject to fines of up to EUR 300,000.

– Information provided may not be used in criminal or administrative procedures against the notifying party.p g y g p y

22

Other Non-US Requirements

– Sector-specific obligations (e.g., financial services) in Japan, the UK, and the likeG id f d t t ti th iti d “ ib ”– Guidance from data protection authorities under “omnibus” data privacy laws to notify on basis of prevention of harm

– Potential civil law claims for non-notificationPotential civil law claims for non notification– Fast-evolving area (e.g., European Commission proposal

for revisions to the 1995 EC Data Protection Directive).

23

Take Aways24

[change title in View/Header and Footer] 24

y

Top Ten Take Aways1. Establish a breach notification policy.2. Train “first responders” on basics of policy and

educate core team on responsibilities.3. Follow-through on expedited basis with

i ti ti f t d t ti l i id tinvestigation of any reported potential incidents.4. Consider engagement of counsel and/or forensics

or security investigators. 5. Make important judgment determinations on

whether incident requires notification to whom inwhether incident requires notification, to whom, in what order, and with what content.

6. Prepare for media and/or gov’t inquiries following notification.

7. Remediate incidents, and document where ,appropriate.

8. Enhance data security policies and procedures.9. Conduct organized review of policies and

procedures of vendors.10. Encourage senior management adopt strong data

security as a core “tone at the top” message!

25

Brian HengesbaughP t B k & M K i Chi ILPartner, Baker & McKenzie, Chicago, IL

brian.hengesbaugh@bakermckenzie.com(312) 861-3077( )

26

27

Data Privacy and Security Compliance: Legal and Business Strategies

Yonaton Aronoffyaronoff@foley.com212.338.3413

©2010 Foley & Lardner LLP

28

Notice of Security Breach LegislationNotice of Security Breach Legislation Common issuesCo o ssues

– When notice must be given; – The form of the notice;The form of the notice; – Who must notice be given to; – The scope of federal preemption; and– The scope of federal preemption; and – The effect of existing security policies.

©2010 Foley & Lardner LLP

29

Notice of Security Breach IssuesNotice of Security Breach Issues 46 states, as well as Puerto Rico,

Washington, D.C., and New York City have enacted laws or rules

Ohio Attorney General action

©2010 Foley & Lardner LLP

30

Notice of Security Breach LawsNotice of Security Breach Laws

Triggered if there is a breach of a data security; and Triggered if there is a breach of a data security; and A consumer’s personal information is implicated Personal information includes medical information, as

well as health insurance information under certain stateswell as health insurance information under certain states laws

Certain laws apply even if there is simply a reasonable belief that there was an acquisition of databelief that there was an acquisition of data

Law enforcement concerns Direct notice typically required, though substitute notice

is permitted in certain instancesis permitted in certain instances

©2010 Foley & Lardner LLP

31

Notice of Security Breach LawsNotice of Security Breach Laws Issues to watch out for

– What good is encryption?– Electronic v. non-electronic

Al k H ii I di M h tt N th C li d Alaska, Hawaii, Indiana, Massachusetts, North Carolina, and Wisconsin

– Is there a general duty?– Who else must notice be given to?– What form of notice?– Is notice required if there is no likelihood of identity

theft?

©2010 Foley & Lardner LLP

PPart II: art II: PProactive roactive PPolicies & olicies & PProtocols rotocols

StraffordStraffordFebruary 15, 2011February 15, 2011

(“Give (“Give PP’s a Chance”)’s a Chance”)

Data Privacy and SecurityData Privacy and SecurityData Privacy and Security Data Privacy and Security Compliance: Legal and Compliance: Legal and

Business StrategiesBusiness Strategies

THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.

THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.

Robert D. Brownstone, Esq.Robert D. Brownstone, Esq.© 2011

THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.

Agendag

II Crafting and Implementing a II. Crafting and Implementing a Comprehensive Program/Policy

INTRODUCTION; DIVIDE THE UNIVERSE

EIM

G

RO

UP

A. Access Restrictions

B. Encryption of ESI, especially of PII & Mobile DataE

C. Written Policies Consistently Enforced

D. Internal Training, incl. re: Incident-Responseg, p

E. Regular Monitoring of Networks

F. Privacy-breach liability insurance?

© 33

y y

INTRO – Various Typesof Sensitive Information of Sensitive Information

IP i l T d S t W k P d t t IP, incl. Trade Secrets, Work Product, etc.

Proprietary information:

EIM

G

RO

UP

strategic plans

customer listsE customer lists

Other Sensitive Information, including Other Entities’ (parents subs etc )Other Entities (parents, subs, etc.)

©

34

INTRO – Uber-Confidential InfoConfidential Info.

Some information items even more Some information items even more confidential than others . . .

EIM

G

RO

UP M&A activity

contemplated or threatened lawsuits

E

criminal investigations

administrative agency inquiriesad st at e age cy qu es

info. under NDA/protective-order

PII & PHI (identity theft)

©

PII & PHI (identity theft)

35

INTRO – Liability Risks & Data LeakageData Leakage

Intentionally Harmful Intentionally Harmful

Intentional Disclosures

EIM

G

RO

UP

Inadvertently Harmful

Intentional Disclosures E Intentional Disclosures

(“Netiquette”; Social-Media;

Sock Puppeting; P2P)Sock-Puppeting; P2P)

Unintentional Losses of

© Sensitive Info. = our focus36

DIVIDE THEUNIVERSE

Be Proactive in Four Key Arenas (not exhaustive)

UNIVERSE

1. Policies/Practices Applicable to

All Information, Including PII

EIM

G

RO

UP

a. “Least Privileged Access" (see below)

b. Data Encryption (see below)

E

c. Local Storage Restrictions

d. Password Practices (& Forced-Screen-Saver)d. Password Practices (& Forced Screen Saver)

e. Metadata-Scrubbing & Redaction

f Checklists for Terminated Employee

©

f. Checklists for Terminated Employee

37

DIVIDE THEUNIVERSE (c’t’d)

• 2. Policies/Practices Applicable to Personal

UNIVERSE (c t d)

2. Policies/Practices Applicable to Personal Information as to Non-Employee Individuals

a. PII Collection Practices via the Website

EIM

G

RO

UP

a. PII Collection Practices via the Website

b. PII Collection Practices via Suppliers

E

c. PII Collection Practices via Tradeshows

d. PII Collection Practices via Products

e. PII Collection via Corporate Acquisitions

©

38

DIVIDE THEUNIVERSE (c’t’d)

3. Policies/Practices Applicable to PII

UNIVERSE (c t d)

Illustration by Keith Simmons

Collected From Employees

a. Special Information-Security Practices

EIM

G

RO

UP for Employee Data – Locked Cabinets;

“Need-to-Know”-Electronic-Access, etc.

b B k d Ch k i l iE b. Background Checks involving

Consumer Credit Reports

d. Individual Employees’ Personnel Filesd. Individual Employees Personnel Files

e. Outsourced Storage of, e.g., Benefits,

Leave and Compensation Information

©

39

DIVIDE THEUNIVERSE (c’t’d)

4. Data-Storage Contracts with Third-

UNIVERSE (c t d)

g

Party Host-ers (cloud, etc.)

Due diligence

EIM

G

RO

UP Due diligence

Negotiate to attempt to allocate risks re:

E

giving notice to those affected

paying for remedial measuresp y g

Applicability to sub-contractors

©

40

A. Access Rights re:Sensitive Info

“Least Privileged Access" approach

Sensitive Info.

Least Privileged Access approach

Default is "deny all" – i.e., one

cannot gain access unless

EIM

G

RO

UP

cannot gain access unless

affirmative need shown

ifi ll th i d dE specifically authorized; and

securely enabled

Each authorized user should:

have unique ID; and

© 41 be subjected to two-factor

authentication at each login

A. Access (c’t’d) –Whole Lifecycle

Disposal protocol, esp. for sensitive info.

Whole Lifecycle

p p , p

ESI and hardcopy

EIM

G

RO

UP

Donated, sold, recycled or . . .

returned at end of leaseE returned at end of lease

Anything with memory/hard-drive

Copiers/scanners/digital-senders

FTC Disposal Rule (FACTA/FCRA)

© 42

FTC Disposal Rule (FACTA/FCRA)

B. Encryptionc ypt o

Altruism and . . . . Selfishness Altruism and . . . . Selfishness

Protective

EIM

G

RO

UP

AND

E

Typically exempts an incident from

reach of > 40 states’ notice-of-

breach statutes linked off this page

©

43

B. Encryption

Statutes such as Cal. SB 1386 not

specific re: level; BUT use most

robust encryption available

EIM

G

RO

UP

yp

Best to avoid ROT-13

“rotate by 13 places”E “rotate by 13 places”

can be broken in seconds

Best to use Advanced Encryption

Standards (AES) cryptographic cipher

© 44 basically unbreakable

B. Encryption

Whether data at rest or in-transit . . .

encryption in various environments??

a. Mobile Devices and Portable Media

EIM

G

RO

UP

Laptops

S t h /PDA’E Smart-phones/PDA’s

Removable Media [DRM?]

b. Virtual Private Network (VPN) Software

c. Website & Extranet Servers (SSL, at least)

© 45 d. Email Messages and Attachments

C. & D. Compliance PROGRAMBig Picture – Three E’sBig Picture Three E s

KUMBAYA?!

© TOSHIBA

EIM

G

RO

UP

E

Clear, well-thought-out policy language on which multiple constituencies have weighed in . . .

© 46

p o g

Compliance Policy’s “3 E’s” = Establish/Educate/Enforce

C. & D. Compliance’sThree E’s ( ’t’d)

ESTABLISH only those policy

Three E s (c’t’d)

y p y

structures that organization has

culture and will to enforce

EIM

G

RO

UP

EDUCATE all employees on key

aspects of major policies/protocolsE aspects of major policies/protocols

ENFORCE policies:

as consistently as possible

based on dialogue with IT Dep’t

© 47

based on dialogue with IT Dep t

(tech should not “wag the dog;”

should align with policy goals)

C. & D. Compliance’sThree E’s ( ’t’d)

Train on rules of behavior for access,

Three E s (c’t’d)

nondisclosure and safeguarding

Review pertinent segments of certain

EIM

G

RO

UP

e e pe t e t seg e ts o ce ta

Employee Handbook policies, e.g.

Code of ConductE Code of Conduct

Confidentiality Policy

Technology-Acceptable-Use-Policy (TAUP)/No-

Employee-Expectation-of-Privacy Policy (NoEP)

© 48 Separating Employee Policy (& related

checklists from IT Dep’t, HR Dep’t, etc.)

E. Monitoring/Testing/Auditing

Track all access to key resources and sensitive data

Testing/Auditing

Periodic vulnerability scans and penetration tests

Vulnerability Management Program (VMP)

EIM

G

RO

UP Vulnerability Management Program (VMP)

anti-virus/malware software

enabling regular updates/patches E enabling regular updates/patches

Independent consultant to periodically formally evaluate

electronic security safeguards to ensure consistency with:

written policies;

chosen compliance framework(s); and

© 49 current best practices

F. CyberInsurance?

First Party Coverage? Third Party Coverage

Insurance?

(clients, vendors, employees, etc.)?

Covered by Prop Ins Policy? CGL Policy?

EIM

G

RO

UP

Covered by Prop. Ins. Policy? CGL Policy?

Good chance it’s not, depending on state law:

E

Jerry Oshinsky and Kenneth K. Lee, Insurance

Coverage For Cyber Crimes, D.J. (4/14/10)

David Navetta, Insurers Deny Coverage for Breach David Navetta, Insurers Deny Coverage for Breach

Notice Costs, Info. Law Group (6/10/10)

Covered by D&O and/or E&O?

© 50

y /

F. Cyber Insurance (c’t’d)

If not, get separate/special coverage?

Insurance (c t d)

Exs (not recommendations):

EIM

G

RO

UP AON’s Network Security & Privacy

Coverage and/or Privacy Regulatory

Proceeding CoverageE Proceeding Coverage

Chartis’ Network, Security and Privacy

and ID Theft (netAdvantage®)and ID Theft (netAdvantage )

Chubb’s Cyber-Security Insurance Policy

© 51 CNA’s Cyber Liability and CNA NetProtect

F. Cyber Insurance (c’t’d)

Depends at least in part on

Insurance (c t d)

Depends at least in part on

Industry

EIM

G

RO

UP

Data types and volumes

TO LEARN MOREE TO LEARN MORE:

Affiliated Insurance Managers (AIM), How you can

b i li (6/10/10)protect your business online (6/10/10)

Amy O'Connor, Security Breach Notification Laws

Reinforce Need for Cyber Insurance Ins J (3/4/10)

© 52

Reinforce Need for Cyber Insurance, Ins. J. (3/4/10)

F. Cyber Insurance Insurance (c’t’d)

Statistics on Breaches

See “Chronology of Data Breaches” for 4/20/05 – 2/7/11 (500M+ records; > 2,200 incidents)

EIM

G

RO

UP

Each missing record can cost $200+

Angela Moscaritolo Data breaches cost E • Angela Moscaritolo, Data breaches cost organizations $204 per record in 2009, SC Magazine (1/25/09) (36 % of situations from loss of laptop or mobile device)

linking to linking to

See Data Loss Cost Calculator

©

53

Conclusion/Q tiQuestions

Let’s be careful out there Let s be careful out there . . .

EIM

G

RO

UP

Q+A:

R b t D B tE Robert D. Brownstone

Vi it F&W EIM & P i G Visit F&W EIM & Privacy Groups

f i k / i /2 14 0 ? 1045

©

54

Robert D. BrownstoneRobert D. Brownstone

650.335.7912

rbrownstone@fenwick.com

EIM

G

RO

UP

rbrownstone@fenwick.com

E© 55