Data Privacy and Security Compliance (media.straffordpub.com/products/data-privacy-and... · 2011)
TRANSCRIPT
-
Presenting a live 90-minute webinar with interactive Q&A
Data Privacy and Security Compliance: Legal and Business Strategies
Crafting and Implementing Security Policies and Responding to Breaches
TUESDAY, FEBRUARY 15, 2011
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Brian L. Hengesbaugh, Partner, Baker & McKenzie, Chicago
Yonaton Aronoff, Foley & Lardner, New York
Robert D. Brownstone, Technology & eDiscovery Counsel; Co-Chair EIM Group, Fenwick & West, Mountain View, Calif.
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers.
Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
-
Continuing Education Credits FOR LIVE EVENT ONLY
For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:
• In the chat box, type (1) your name, (2) your company name and (3) the number of attendees at your location
• Click the arrow to send
-
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.
If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-443-5798 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
-
Data Privacy and Security Compliance
Crafting and Implementing Security Policies and Responding to Breaches
Brian Hengesbaugh, Baker & McKenzie (Chicago), [email protected]
-
Agenda
– Data security requirements
– Breach notification requirements
  – States
  – Federal
  – International
– Take Aways
-
Data Security Requirements
-
Data Security Requirements
– Data privacy and security laws*
– Breach notification statutes*
– Tort law
– Consumer protection law
– Unfair competition law
– Industry-specific regulations (telecom, insurance, banks, health care providers)
– Contracts (e.g., European standard contractual clauses)
– Industry standards (e.g., PCI)
-
Data Privacy and Security Laws
– State Data Security Laws*
– Gramm-Leach-Bliley Act (“GLBA”) Safeguards Rule
– Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule
– Federal Trade Commission § 5
– National Implementations of the EU Data Protection Directive (95/46/EC)
– Other emerging requirements
– Practice Tip: Encryption controls (export controls as well as import and use) can conflict w/ data security requirements!
-
State Data Security Laws
– State Laws
  – “Reasonable” security standards (e.g., California)
  – Specific data security obligations (e.g., Massachusetts)
  – Special rules for SSNs (e.g., Michigan)
  – Special rules for credit & debit card numbers (e.g., Minnesota)
  – Secure disposal laws (e.g., Texas)
-
Massachusetts – A Sign of Things to Come?
– Written Information Security Policy (WISP)
  – Administrative
    – Identify and assess risks
    – Appoint data security manager
    – Employee training and discipline
  – Physical
    – Restrictions on physical access to documents and facilities
  – Technical (incl. specific standards)
    – Encryption (portable devices + transmission across public networks and wireless)
    – Secure access controls (not vendor-supplied defaults)
  – Oversee service providers
  – Document responses to breach notifications
– Penalties
  – $5,000 per violation, attorneys’ fees and restitution for losses suffered by individuals, as well as injunctive relief
-
Breach Notification Laws
-
Cost of Data Security Breach
Average cost of data security breach: $204 per compromised customer record.
Average cost per breach: $6.75 million.
Most costly breach this year: $31 million.
Breaches at service-provider level: 42% of all breach cases. These remain the most costly form of data breaches due to additional investigation and consulting fees.
Source: Ponemon Institute, U.S. Cost of a Data Breach Study, 2010 at http://www.ponemon.org/news-2/23
-
Key Concerns With State Breach Laws
– Data elements: SSNs, taxpayer ID numbers, driver’s license numbers, credit and debit card and bank account #s, health and medical data, complete date of birth, digitized or electronic signature, and biometric data, etc. (NB: encryption generally safe harbor, but see CT Ins. Commissioner)
– Notice:
  – Individuals (all states, incl. content requirements in some, e.g., MA, MD, NC),
  – Consumer reporting agencies (e.g., MN, FL), and
  – State agencies (e.g., NY, NJ, MA, MD).
– Timing: As soon as reasonably possible and w/o unreasonable delay
  – FL, OH, WI – 45 days
  – CA (Med) + CT (Ins) – 5 days
-
Definitions of “Breach”
– “Reasonable belief” (e.g., California): “unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information.”
– “Misuse or harm” (e.g., Maryland): “unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a business . . . and [notification required] if it is likely that the breach has resulted or will result in the misuse of personal information of an individual residing in the State.”
– “May have been” (e.g., Indiana): “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information . . . After discovering or being notified of a breach of security of data, the database owner shall disclose the breach to an Indiana resident whose . . . unencrypted personal information was or may have been acquired by an unauthorized person . . . ”
– “Encryption not safe harbor” (e.g., Connecticut Insurance Board): “any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted.”
-
Protected Health Information – HITECH Act
– Notification if breach of "unsecured" protected health information (PHI)
– “Unsecured” defined generally to be unusable, unreadable, or undecipherable (and NIST-approved);
– Notice w/i 60 days of discovery or "should have known"
– Content requirements for notice (date of breach, date of discovery, etc.)
– Notice to media and HHS if more than 500 people
– Direct application to covered entities and business associates
-
Gramm-Leach-Bliley Act (“GLBA”)
– Consumer Financial Services Providers
– Guidelines on Response Programs for Unauthorized Access to Customer Information. Includes obligations to:
  – Establish and maintain a response program
  – Establish appropriate contract terms with service providers
  – Notify customers if misuse “possible”
  – Notify applicable regulatory agency, and
  – Contain and control the incident.
– Various other requirements to provide reasonable security
-
Consequences of a Breach
– Government investigations (FTC, HHS, State AGs, and non-US authorities)
– Consumer and employee class actions
– Corporate customer and business partner actions
– Bank class actions
– Shareholder derivative claims
– Adverse media attention and reputational harm
-
International requirements
-
Non-US Breach Notification Requirements
– Germany
– Other emerging obligations: Canada, UK, Australia, Hong Kong, Japan, and more….
-
German Security Breach Notification
– An information security breach obligation was implemented into German law on September 1, 2009: Section 42 (a) Federal Data Protection Act
– Obligation applies to illegal transfer or disclosure of certain personal data that may cause serious detriment to the individuals at issue
– In the first year, 20 cases of data breaches were notified under Sec. 42a FDPA in Bavaria (one of 16 German States), which indicates information obligation is taken seriously.
-
Personal Data In Scope of Sec. 42a FDPA
– Special categories of data (Sec. 3 subsection 9 FDPA) (e.g., health/medical, race/ethnic origin, religion/philosophical beliefs, trade union membership, and sex life).
– Personal data protected by a professional secret.
– Personal data that refer to punishable offenses or administrative offenses or to the suspicion of punishable offenses or administrative offenses.
– Personal data relating to bank accounts and credit card accounts.
– Personal data (base data and usage data), acc. to Sec. 93 (3) Telecommunication Act; Sec. 15a Telemedia Act.
-
Sanctions
– Non-compliance (providing no information or being in default with providing the relevant information) may be subject to fines of up to EUR 300,000.
– Information provided may not be used in criminal or administrative procedures against the notifying party.
-
Other Non-US Requirements
– Sector-specific obligations (e.g., financial services) in Japan, the UK, and the like
– Guidance from data protection authorities under “omnibus” data privacy laws to notify on basis of prevention of harm
– Potential civil law claims for non-notification
– Fast-evolving area (e.g., European Commission proposal for revisions to the 1995 EC Data Protection Directive).
-
Take Aways
-
Top Ten Take Aways
1. Establish a breach notification policy.
2. Train “first responders” on basics of policy and educate core team on responsibilities.
3. Follow through on expedited basis with investigation of any reported potential incidents.
4. Consider engagement of counsel and/or forensics or security investigators.
5. Make important judgment determinations on whether incident requires notification, to whom, in what order, and with what content.
6. Prepare for media and/or gov’t inquiries following notification.
7. Remediate incidents, and document where appropriate.
8. Enhance data security policies and procedures.
9. Conduct organized review of policies and procedures of vendors.
10. Encourage senior management to adopt strong data security as a core “tone at the top” message!
-
Brian Hengesbaugh
Partner, Baker & McKenzie, Chicago, IL
[email protected]
(312) 861-3077
-
Data Privacy and Security Compliance: Legal and Business Strategies
Yonaton Aronoff, [email protected]
©2010 Foley & Lardner LLP
-
Notice of Security Breach Legislation
Common issues
– When notice must be given;
– The form of the notice;
– Who must notice be given to;
– The scope of federal preemption; and
– The effect of existing security policies.
-
Notice of Security Breach Issues
46 states, as well as Puerto Rico, Washington, D.C., and New York City have enacted laws or rules
Ohio Attorney General action
-
Notice of Security Breach Laws
– Triggered if there is a breach of data security; and
– A consumer’s personal information is implicated
– Personal information includes medical information, as well as health insurance information under certain states’ laws
– Certain laws apply even if there is simply a reasonable belief that there was an acquisition of data
– Law enforcement concerns
– Direct notice typically required, though substitute notice is permitted in certain instances
-
Notice of Security Breach Laws
Issues to watch out for
– What good is encryption?
– Electronic v. non-electronic
  – Alaska, Hawaii, Indiana, Massachusetts, North Carolina, and Wisconsin
– Is there a general duty?
– Who else must notice be given to?
– What form of notice?
– Is notice required if there is no likelihood of identity theft?
-
Part II: Proactive Policies & Protocols
(“Give P’s a Chance”)
Data Privacy and Security Compliance: Legal and Business Strategies
Strafford, February 15, 2011
Robert D. Brownstone, Esq. © 2011
THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES. THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE. THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.
-
Agenda
II. Crafting and Implementing a Comprehensive Program/Policy
INTRODUCTION; DIVIDE THE UNIVERSE
A. Access Restrictions
B. Encryption of ESI, especially of PII & Mobile Data
C. Written Policies Consistently Enforced
D. Internal Training, incl. re: Incident-Response
E. Regular Monitoring of Networks
F. Privacy-breach liability insurance?
-
INTRO – Various Types of Sensitive Information
– IP, incl. Trade Secrets, Work Product, etc.
– Proprietary information:
  – strategic plans
  – customer lists
– Other Sensitive Information, including Other Entities’ (parents, subs, etc.)
-
INTRO – Uber-Confidential Info.
Some information items even more confidential than others . . .
– M&A activity
– contemplated or threatened lawsuits
– criminal investigations
– administrative agency inquiries
– info. under NDA/protective-order
– PII & PHI (identity theft)
-
INTRO – Liability Risks & Data Leakage
– Intentionally Harmful Intentional Disclosures
– Inadvertently Harmful Intentional Disclosures (“Netiquette”; Social-Media; Sock-Puppeting; P2P)
– Unintentional Losses of Sensitive Info. = our focus
-
DIVIDE THE UNIVERSE
Be Proactive in Four Key Arenas (not exhaustive)
1. Policies/Practices Applicable to All Information, Including PII
  a. “Least Privileged Access" (see below)
  b. Data Encryption (see below)
  c. Local Storage Restrictions
  d. Password Practices (& Forced-Screen-Saver)
  e. Metadata-Scrubbing & Redaction
  f. Checklists for Terminated Employee
-
DIVIDE THE UNIVERSE (c’t’d)
2. Policies/Practices Applicable to Personal Information as to Non-Employee Individuals
  a. PII Collection Practices via the Website
  b. PII Collection Practices via Suppliers
  c. PII Collection Practices via Tradeshows
  d. PII Collection Practices via Products
  e. PII Collection via Corporate Acquisitions
-
DIVIDE THE UNIVERSE (c’t’d)
3. Policies/Practices Applicable to PII Collected From Employees
  a. Special Information-Security Practices for Employee Data – Locked Cabinets; “Need-to-Know”-Electronic-Access, etc.
  b. Background Checks involving Consumer Credit Reports
  d. Individual Employees’ Personnel Files
  e. Outsourced Storage of, e.g., Benefits, Leave and Compensation Information
[Illustration by Keith Simmons]
-
DIVIDE THE UNIVERSE (c’t’d)
4. Data-Storage Contracts with Third-Party Host-ers (cloud, etc.)
  – Due diligence
  – Negotiate to attempt to allocate risks re:
    – giving notice to those affected
    – paying for remedial measures
  – Applicability to sub-contractors
-
A. Access Rights re: Sensitive Info.
– “Least Privileged Access" approach
  – Default is "deny all" – i.e., one cannot gain access unless affirmative need shown
  – specifically authorized; and
  – securely enabled
– Each authorized user should:
  – have unique ID; and
  – be subjected to two-factor authentication at each login
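The slide's access rules (deny all by default, access only on a documented and specifically authorized need, one unique ID per person, and a second factor at every login) as a small policy evaluator. This is an added example, not code from the webinar or its presenters; the user IDs, resource names and approver names are hypothetical, and a real deployment would back the same decisions with an identity provider and an audit log.

```python
# Added example, not from the webinar: a small "deny all by default" access
# check that encodes the slide's rules. All names and data are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass(frozen=True)
class Grant:
    """One explicit, documented authorization: who, to what, why, approved by whom."""
    user_id: str
    resource: str
    need: str         # the affirmative business need that was shown
    approved_by: str  # the person who specifically authorized the access


@dataclass
class Session:
    user_id: str
    mfa_verified: bool  # second factor completed at this login


@dataclass
class AccessPolicy:
    # user_id -> person; enforces one unique ID per person (no shared logins)
    users: Dict[str, str] = field(default_factory=dict)
    # (user_id, resource) -> Grant; anything absent here is denied
    grants: Dict[Tuple[str, str], Grant] = field(default_factory=dict)

    def register_user(self, user_id: str, person: str) -> None:
        owner = self.users.get(user_id)
        if owner is not None and owner != person:
            raise ValueError(f"ID {user_id!r} already belongs to {owner}; IDs must be unique")
        self.users[user_id] = person

    def authorize(self, grant: Grant) -> None:
        """Record a grant only if it names a need and an approver (securely enabled)."""
        if grant.user_id not in self.users:
            raise ValueError(f"unknown user {grant.user_id!r}")
        if not grant.need.strip() or not grant.approved_by.strip():
            raise ValueError("a grant must document the need and the approver")
        self.grants[(grant.user_id, grant.resource)] = grant

    def revoke(self, user_id: str, resource: str) -> None:
        self.grants.pop((user_id, resource), None)

    def decide(self, session: Session, resource: str) -> Tuple[bool, str]:
        """Return (allowed, reason). Order: known ID, then MFA, then explicit grant, else deny."""
        if session.user_id not in self.users:
            return False, "deny: unknown user ID"
        if not session.mfa_verified:
            return False, "deny: two-factor authentication not completed at this login"
        grant = self.grants.get((session.user_id, resource))
        if grant is None:
            return False, "deny: no explicit grant for this resource (default deny)"
        return True, f"allow: need={grant.need!r}, approved_by={grant.approved_by}"


def demo() -> Dict[str, bool]:
    """Constructed scenario: one documented grant, three access attempts."""
    policy = AccessPolicy()
    policy.register_user("jdoe", "Jane Doe")
    policy.authorize(Grant("jdoe", "hr/payroll", "monthly payroll reconciliation", "cfo"))
    return {
        "mfa_and_grant": policy.decide(Session("jdoe", True), "hr/payroll")[0],
        "no_mfa": policy.decide(Session("jdoe", False), "hr/payroll")[0],
        "no_grant": policy.decide(Session("jdoe", True), "legal/m-and-a")[0],
    }


if __name__ == "__main__":
    print(demo())
```

Only the first attempt succeeds; the same user is refused on the same resource without the second factor, and on any resource for which no grant was ever recorded.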
-
A. Access (c’t’d) – Whole Lifecycle
– Disposal protocol, esp. for sensitive info.
  – ESI and hardcopy
  – Donated, sold, recycled or . . . returned at end of lease
  – Anything with memory/hard-drive
    – Copiers/scanners/digital-senders
– FTC Disposal Rule (FACTA/FCRA)
-
B. Encryption
Altruism and . . . . Selfishness
– Protective
AND
– Typically exempts an incident from reach of > 40 states’ notice-of-breach statutes linked off this page
-
B. Encryption
– Statutes such as Cal. SB 1386 not specific re: level; BUT use most robust encryption available
– Best to avoid ROT-13
  – “rotate by 13 places”
  – can be broken in seconds
– Best to use Advanced Encryption Standard (AES) cryptographic cipher
  – basically unbreakable
-
B. Encryption
Whether data at rest or in-transit . . . encryption in various environments??
a. Mobile Devices and Portable Media
  – Laptops
  – Smart-phones/PDA’s
  – Removable Media [DRM?]
b. Virtual Private Network (VPN) Software
c. Website & Extranet Servers (SSL, at least)
d. Email Messages and Attachments
-
C. & D. Compliance PROGRAM – Big Picture – Three E’s
KUMBAYA?!
[Image: © TOSHIBA]
Clear, well-thought-out policy language on which multiple constituencies have weighed in . . .
Compliance Policy’s “3 E’s” = Establish/Educate/Enforce
-
C. & D. Compliance’s Three E’s (c’t’d)
– ESTABLISH only those policy structures that organization has culture and will to enforce
– EDUCATE all employees on key aspects of major policies/protocols
– ENFORCE policies:
  – as consistently as possible
  – based on dialogue with IT Dep’t (tech should not “wag the dog;” should align with policy goals)
-
C. & D. Compliance’s Three E’s (c’t’d)
– Train on rules of behavior for access, nondisclosure and safeguarding
– Review pertinent segments of certain Employee Handbook policies, e.g.
  – Code of Conduct
  – Confidentiality Policy
  – Technology-Acceptable-Use-Policy (TAUP)/No-Employee-Expectation-of-Privacy Policy (NoEP)
  – Separating Employee Policy (& related checklists from IT Dep’t, HR Dep’t, etc.)
-
E. Monitoring/Testing/Auditing
– Track all access to key resources and sensitive data
– Periodic vulnerability scans and penetration tests
– Vulnerability Management Program (VMP)
  – anti-virus/malware software
  – enabling regular updates/patches
– Independent consultant to periodically formally evaluate electronic security safeguards to ensure consistency with:
  – written policies;
  – chosen compliance framework(s); and
  – current best practices
-
F. Cyber Insurance?
– First Party Coverage? Third Party Coverage (clients, vendors, employees, etc.)?
– Covered by Prop. Ins. Policy? CGL Policy?
  – Good chance it’s not, depending on state law:
    – Jerry Oshinsky and Kenneth K. Lee, Insurance Coverage For Cyber Crimes, D.J. (4/14/10)
    – David Navetta, Insurers Deny Coverage for Breach Notice Costs, Info. Law Group (6/10/10)
– Covered by D&O and/or E&O?
-
F. Cyber Insurance (c’t’d)
– If not, get separate/special coverage?
– Exs. (not recommendations):
  – AON’s Network Security & Privacy Coverage and/or Privacy Regulatory Proceeding Coverage
  – Chartis’ Network, Security and Privacy and ID Theft (netAdvantage®)
  – Chubb’s Cyber-Security Insurance Policy
  – CNA’s Cyber Liability and CNA NetProtect
-
F. Cyber Insurance (c’t’d)
– Depends at least in part on
  – Industry
  – Data types and volumes
– TO LEARN MORE:
  – Affiliated Insurance Managers (AIM), How you can protect your business online (6/10/10)
  – Amy O'Connor, Security Breach Notification Laws Reinforce Need for Cyber Insurance, Ins. J. (3/4/10)
-
F. Cyber Insurance (c’t’d)
Statistics on Breaches
– See “Chronology of Data Breaches” for 4/20/05 – 2/7/11 (500M+ records; > 2,200 incidents)
– Each missing record can cost $200+
  – Angela Moscaritolo, Data breaches cost organizations $204 per record in 2009, SC Magazine (1/25/09) (36% of situations from loss of laptop or mobile device)
  – linking to: See Data Loss Cost Calculator
-
Conclusion/Questions
Let’s be careful out there . . .
Q+A: Robert D. Brownstone
Visit F&W EIM & Privacy Groups
-
Robert D. Brownstone
650.335.7912