RC risk & compliance: REPRINT
DATA PRIVACY IN NORTH AMERICA
REPRINTED FROM: RISK & COMPLIANCE MAGAZINE, APR-JUN 2014 ISSUE
www.riskandcompliancemagazine.com
Visit the website to request a free copy of the full e-magazine
Published by Financier Worldwide [email protected]
© 2014 Financier Worldwide Ltd. All rights reserved.
MINI-ROUNDTABLE
DATA PRIVACY IN NORTH AMERICA
PANEL EXPERTS

Michael J. Gottlieb
Partner
Boies, Schiller & Flexner LLP
T: +1 (202) 237 9617

Michael Gottlieb is a partner in the firm’s Washington, DC office. His practice focuses on crisis management and government response, including criminal and civil investigations, prosecutions, and enforcement actions initiated by federal and state regulatory agencies, securities litigation and enforcement, and appellate and constitutional litigation. Mr Gottlieb joined the firm after more than five years in senior positions in the Executive Branch, including three years as Special Assistant to the President and Associate White House Counsel, where one of his focus areas was legal national security issues, including cyber security and data privacy.

Kenneth K. Dort
Partner
Drinker Biddle & Reath LLP
T: +1 (312) 569 1458

Kenneth K. Dort is a partner with Drinker Biddle & Reath LLP, in the firm’s Chicago office. He is a member of its Intellectual Property Practice Group and chairman of the firm’s Technology Committee. His practice is focused on information technology and intellectual property law issues, particularly software development and licensing, systems development and integration, data encryption and security, trade secret protection, and patent, copyright and trademark licensing and protection. He is the current chairman of the ABA Intellectual Property Law Section’s Online Data, Transactions and Security Committee.

Brenda Sharton
Partner
Goodwin Procter LLP
T: +1 (617) 570 1214
E: bsharton@goodwinprocter.com

Brenda Sharton is a member of Goodwin Procter’s Executive Committee, the chair of the firm’s Business Litigation group, and the co-chair of the firm’s Privacy & Data Security practice. She is a nationally recognised expert in the area of privacy law and has handled privacy related litigation matters, data privacy breach investigations and class actions.

Christopher Wolf
Partner
Hogan Lovells US LLP
T: +1 (202) 637 5600
E: christopher.

Christopher Wolf leads the global Privacy and Information Management practice at the law firm of Hogan Lovells US LLP. Mr Wolf founded and co-chairs the Future of Privacy Forum and is a founder of the Coalition for Privacy and Free Trade. He has focused on internet and privacy law since the early days of those disciplines. Mr Wolf has contributed to legal treatises, authored papers on law enforcement and national security access to Cloud data, and co-authored, with Abraham H. Foxman, National Director of the Anti-Defamation League, the book Viral Hate: Containing Its Spread on the Internet.

S. Keith Moulsdale
Partner
Whiteford, Taylor & Preston LLP
T: +1 (410) 347 8721

S. Keith Moulsdale represents clients with respect to a range of tech-related legal issues, including cyber-security, electronic commerce, privacy, compliance, file-sharing, music and video downloading, publishing, software development, certification programs, OS licence compliance programs and other IP issues. He also represents cyber security technology and service companies, as well as organisations that have been the target of security breach attempts (due to theft, SQL injection attacks, phishing, brute-force attacks and other methods), and leads cross-functional assessment, containment and response efforts, develops mitigation strategies, and assists clients in assessing and complying with statutory notification requirements and preparing information security policies.
RC: Could you outline the latest legal and regulatory developments affecting corporate handling of data in North America?
Gottlieb: Federal regulators are focusing on data security more than ever before. To date, the FTC has brought over 50 enforcement actions concerning data breaches. These actions typically result in a settlement in which the target company agrees to bring a monitor in house and follow a privacy framework. There is pending litigation that has challenged the scope of the FTC’s authority to regulate corporate data security practices, and if the Government loses in that litigation, its authority to regulate private data security practices will weaken without new legislation. Congress is considering legislation that would authorise the Commission to seek civil penalties for data security violations. Following Dodd-Frank, the SEC and the CFTC promulgated Regulation S-ID, which requires certain financial institutions and creditors to implement comprehensive identity theft programs to protect customer data. And earlier this year, the SEC and FINRA both announced that they would be enhancing their focus on cyber attacks and data breaches. Finally, in February 2014, following an Executive Order from President Obama, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity. While the Framework is voluntary, companies may over time face serious pressure to adopt its standards even outside of the critical infrastructure area.
Dort: Over the last few years, the legal developments affecting corporate handling of data in North America have been both extensive and intense at the federal and state levels. At the federal level, the Sarbanes-Oxley Act’s requirement of certifying financial statements by publicly traded corporations has had the effect of mandating the implementation of detailed data security policies so as to guard the credibility of underlying corporate data – such as inventory levels, revenue receipts and cost levels – so as to enable a valid certification of the resulting financial statements disclosed to the public. On a related front, the SEC has recently mandated that publicly traded corporations promptly report and identify cyber risks that may have a material impact on overall performance. In addition, on the health front, the HITECH Act has federalised the reporting of security breaches involving personal health information, thereby taking that issue out of the states’ hands. On the litigation front, the plaintiffs’ bar has gradually evolved the theories and approaches by which to sue corporations incurring large data breaches. For example, while the basic theories of negligence and breach of contract have been in place for years in this sector, the issue of causation has posed a dilemma. Recent cases have gradually lowered the bar on this issue, at least at the pleading stage, thereby increasing corporate exposure on this front. Finally, the FTC and various state attorneys general have tightened their requirements for website information collection practices by requiring clear and detailed descriptions of the website operators’ collection and handling practices so as to give site visitors the opportunity to decide whether to provide such information to the operator. Violations of this standard are enforced as unfair trade practices under the applicable law.
Sharton: Regulatory enforcement of corporate data handling and privacy issues seems to be on the rise, at the state, federal and international level. Moreover, there seems to have been a shift in attitude from the regulators to a more prosecutorial and enforcement oriented stance. Recent enforcement actions and settlements highlight regulators’ strong desire to demonstrate that they are taking privacy seriously. Among the states, California continues to be a leader on data privacy legislation. For example, California recently expanded its statutory definition of personal information to include usernames and email addresses in combination with password, sweeping data breaches that compromise more than just traditional sensitive financial information into the state’s regulatory purview. At the national level, the Federal Trade Commission amended the Children’s Online Privacy Protection Rule to, among other things, expand their definition of personal information that cannot be collected without parental notice and consent to include geolocation information, photographs and videos, and require that covered website operators adopt reasonable procedures for data retention and deletion. Additionally, the US Department of Health and Human Services issued the final HIPAA Omnibus Rule, expanding HIPAA’s scope to business associates and subcontractors such that almost any company that touches personal health information must comply with HIPAA requirements.
Wolf: There have been recent legal and regulatory developments at all levels of regulation in the US, federal, state and administrative. At the federal level, there is increased scrutiny of data brokers, big data and data breaches. At the state level, there is increased attorneys general enforcement and new state laws – especially in California. And at the administrative level, the work of the National Institute of Science and Technology on cyber security, into which business has had input, is likely to be an influential benchmark of US practices.
Moulsdale: In Canada, a bill that would have given the federal personal information protection statute (PIPEDA) teeth – by making breach notification mandatory – failed once again; currently it is merely voluntary. Alberta is the only province that has made breach notification mandatory so far. In the USA, a federal Personal Data Privacy and Security Act has been proposed for the umpteenth time, but it is unlikely to pass in a divided Congress. In the absence of an omnibus, federal data protection law, substantive changes continue to be driven by Presidential Executive Orders and state legislatures. At the Presidential level, President Obama directed development of a ‘baseline’ Cybersecurity Framework to reduce cyber risks to critical infrastructure, which was finalised and released in February 2014 by the National Institute of Standards and Technology as a ‘Framework for Improving Critical Infrastructure Cybersecurity’. At the state level, California expanded the definition of protected ‘personal information’ to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account”.
RC: What penalties can authorities or private individuals seek to impose upon companies and their D&Os in the event of a breach or violation of data privacy laws in North America?
Sharton: Almost every US state has now adopted a breach notification law, but the specifics of those laws can vary substantially from state to state. Not every state statute has explicit penalty provisions for failure to comply with notification procedures, but those that do have explicit penalties may assess those penalties differently than others. Some states calculate penalties based on the number of consumers affected or the length of the notification delay, while others simply provide a maximum civil penalty per breach. Still others employ a hybrid approach, factoring in both the number of affected customers and the length of the delay, with a maximum fine for a single security breach. Federal regulatory agencies can also assess civil monetary penalties for breaches within their regulatory industries. And beyond statutory penalties specific to privacy breaches, many state and federal officials can bring suit under general consumer protection laws which may open the door to additional, and possibly more substantial, damages.
Moulsdale: In the US, penalties in a particular case depend on which of the many state or federal data privacy or security laws is at issue. But, generally speaking, remedies may include damages, restitution, civil penalties and, in some cases, criminal penalties. Violations of HIPAA, for example, may result in civil penalties up to $1.5m per calendar year, or criminal penalties of up to $250,000 and 10 years in prison. Violations of the COPPA Rule may result in civil penalties of up to $16,000 per violation. Data protection-related class action lawsuits are also a real risk in the US, and the cost of merely defending a case can prove to be a penalty in itself, as in retailer Kmart’s $3m class action settlement in connection with alleged use of background checks to make employment decisions, or social media provider Facebook’s $20m settlement for allegedly putting users in an advertising program without their permission. On the D&O level, directors and officers can face derivative suits by shareholders who allege breach of fiduciary duties by failing to take sufficient steps to protect the company from a data breach, as was the case in two lawsuits filed in January 2014 against the directors and officers of retailer Target.
Wolf: Depending on the nature of the violation, regulators can enjoin allegedly unlawful conduct or seek civil penalties. At the federal level, the Federal Trade Commission (FTC) uses its authority to regulate unfair or deceptive trade practices to enforce privacy and security standards. Companies settling with the FTC must implement independently auditable privacy or security programs, with further missteps resulting in significant fines. Specific federal agencies are authorised to seek monetary fines for unlawful conduct involving certain types of data or industry sectors, such as healthcare, children’s data and financial information. State attorneys general enforce similar laws at the state level. Many state and federal privacy laws allow individuals to recover statutory damages. For example, the federal Video Privacy Protection Act establishes minimum damages of $2500 per violation. A class action lawsuit under that statute seeking damages for conduct affecting 10,000 people could result in an award of at least $25m.
Gottlieb: Litigation has become the norm following significant data breaches. The massive data breach at Target, for example, has already prompted dozens of lawsuits, including consumer class actions, suits by financial institutions and derivative suits. Thus far, consumers have struggled to find legal footing. The costs of personal information disclosure vary greatly, and plaintiffs often cannot prove harm. The speculative nature of data breach claims has caused most consumer class actions to fail to overcome early procedural hurdles. Banks that issue credit and debit cards bear the brunt of the costs after a data breach, usually through reimbursing fraudulent charges and issuing replacement cards. As breaches become more common, banks will demand that their business partners comply with data protection standards, and banks may become more frequent players in post-breach litigation. State attorneys general and the FTC have had moderate success settling data breach suits, and those settlements often impose significant penalties and compliance costs. The SEC, CFTC and FINRA all have the power to impose penalties against the financial institutions they regulate for failing to adopt reasonable data protection policies or ignoring red flags of security threats.
Dort: The penalties that may be imposed on companies in the event of a breach or violation of data privacy laws are varied. First, a government agency may impose fines, usually based on the egregiousness and level of harm of the specific case, along with multi-year consent decrees requiring companies to periodically report to that agency regarding its follow-up efforts to comply with the agency’s directives as laid out in the order. Alternatively, government agencies and individuals may commence litigation arising from company violations and seek compensation for the damages caused by the violation. In addition, corporate directors and officers of companies incurring a data breach or violation of law may face claims asserting that they violated fiduciary duties to take steps to assure that the company’s data security system was properly designed and implemented, or otherwise failed to exercise reasonable care in overseeing the company’s IT functions.
RC: In your experience, to what extent are companies aware of their obligation to secure and protect the privacy of the sensitive data that they store or transfer in the course of their business?
Moulsdale: Most mid-market and large companies have begun to focus on data security risks in structuring processes and products, and in dealing with vendors and customers. Those companies recognise that they must make meaningful changes to keep pace with data security and legal risks flowing from their ever-increasing collection, storage and use of proprietary and personal data. Although many firms of all sizes lag woefully behind, the greatest lack of awareness and compliance is among small and non-profit organisations, which are either unaware of the risks or obligations, or inadequately staffed or financed to deal with them. This is a particularly tough challenge for companies that do business across state and international lines because data security laws and enforcement vary across industries and jurisdictions.
Gottlieb: Companies are increasingly aware of their obligations, and companies that were unaware prior to the high profile data breaches at Target and Neiman Marcus are likely paying attention now. Even before those breaches, survey data showed that data security was a top priority of more corporate counsel and directors than any other issue. There are certainly companies that continue to view data security and privacy to be mostly IT rather than legal or senior executive issues. That said, the problem is less that companies are not aware that they need to protect sensitive data, and more that companies are inadequately prepared to address the political, legal, and communications fallout from a significant breach. One separate but related problem is that companies may not be aware of the numerous disclosure obligations imposed by rapidly changing laws at the federal and state level. These disclosure obligations often apply even to isolated incidents, and a failure to comply may lead to unnecessary investigation, compliance costs and embarrassment for the company.
Dort: For the most part, companies are quite aware of their general obligations regarding the safeguarding of sensitive data. However, quite often they are not aware of implementation issues and problems that may be rendering them susceptible to a breach or similar problem. In addition, companies often fail to acquire a firm grasp of the many details found in data security laws and regulations, both domestically and globally for international companies. Indeed, for international companies the task soon mushrooms as the number of jurisdictions that need to be considered expands with their growing operations. It often becomes a serious problem to be sure that you are complying with all applicable laws and regulations across multiple jurisdictions.
Wolf: Most of the companies that I advise are keenly aware of their obligations, and they embrace their roles as stewards of the consumer data that they collect, process and share. Consumer-facing companies know that consumer trust is vital to success. The spotlight is trained on data collection and use practices. Consumers are more willing than ever to switch companies or stop using services following reports of privacy or security missteps, and many consumers are now proactively shopping for privacy- and security-promoting goods and services. That means that privacy and security can no longer be check-box compliance functions. They must become integral parts of business models. In my experience, many companies have accomplished or are on their way to accomplishing that goal.
Sharton: In my experience, most companies are very aware of their obligation to protect the sensitive data that they may handle in the course of their business, and they take that obligation very seriously. Reputational risk, attention to consumer concerns, as well as increased regulatory and enforcement activity all contribute to an atmosphere of attention to privacy issues by US companies. In the absence of a federal regulatory scheme addressing privacy, companies that proactively adapt their privacy and data protection practices to changing technologies and customer expectations stand the best chance of staying out of court and out of the regulators’ crosshairs on privacy issues.
RC: What advice can you offer to companies on maintaining compliance with evolving data and privacy laws?
Dort: It is critical for companies attempting to comply with evolving data and privacy laws to take the following steps. First, delegate to a specific officer the overall responsibility over IT performance and data security. Second, budget for and allocate sufficient resources to install an IT staff necessary to handle all operational and development tasks. Third, delegate one person to be responsible for all legal compliance. Fourth, implement training sessions for all employees to impress on them the importance of data security and the need to follow all security procedures. Finally, continually monitor the security protocols to be sure they meet and address the changing cyber risk landscape, and implement any modifications as necessary to address changing risks and threats.
Wolf: The baseline activity for all companies is to monitor legal and regulatory developments. Don’t look just at what is coming next week or next month. Even simple changes to privacy or security regulations can require significant and costly adjustments to business operations. Too often, I have seen companies wait until the last minute to address new compliance obligations. That can lead to unnecessary stress and expense. I also recommend that companies proactively engage in the development of privacy and security standards, as well as breach response. If companies take a reactive stance and wait for changes to come to them, they risk being subject to unduly burdensome laws and regulations that ignore industry realities. By engaging with self-regulatory bodies, multi-stakeholder groups and, when appropriate, regulators and lawmakers, companies can provide valuable input to the development of privacy and security frameworks that address consumer concerns and promote innovation.
Sharton: Data security breaches can have significant business, legal and reputational costs for companies. Companies should guard against data breaches by implementing a robust, comprehensive privacy and information security program. Understanding that there is no such thing as perfect security, however, it is essential that companies acknowledge the inevitability of data breaches these days and adopt a proactive – rather than reactive – strategy to combat risk. It is imperative to have a crisis management plan and a designated response team organised before any incident occurs. Not only will this expedite any response, it will also protect against regulatory risks as regulators want to see that companies have a reasonable plan in place to address incidents and have made a good faith effort to follow that plan. Moreover, it is advisable to develop a working relationship with legal counsel who has expertise in the privacy arena. Given the reputational costs of bungling a data breach response, it is not in a company’s best interest to just be compliant with privacy laws and regulations or industry minimum standards. Companies should guard customers’ personal information in the same way they protect their trade secrets.
Gottlieb: Forward-thinking corporate counsel should invest in data privacy the same way that they have previously invested in compliance with the Foreign Corrupt Practices Act or the federal securities laws. Companies need to commit themselves to understanding, at a minimum: the types of sensitive data they hold that may be subject to state and federal laws; the systems in place to protect that data, including the plan to ensure that employees comply with data protection requirements; the company’s communications to customers, investors and regulators regarding its protection efforts; and the company’s plan in the event of a breach, including applicable disclosure obligations at the state and federal level.
Moulsdale: At its heart, effective data security and privacy fundamentally require the adoption and periodic review of processes that ensure an organisation stays abreast of, and timely addresses, rapidly changing technologies, electronic threats and other risks. In fact, most organisations must periodically monitor those processes because some state-level data security laws impose a general duty to implement and maintain ‘reasonable’ security procedures and practices that are ‘appropriate’ to the nature of underlying personally identifiable information, and the nature and size of a business and its operations. And the strictest state laws, such as in Massachusetts, and certain sector-specific US federal laws, such as HIPAA, require ‘regular’ monitoring or ‘periodic’ evaluations. Organisations should view the rapidly changing legal landscape as another risk factor that must be regularly or periodically monitored and addressed, much like technological risk factors. In order to ensure that those evolving legal and other risks are properly monitored, organisations should designate an executive to be responsible for data security and privacy, ensure that the executive has complete C-suite support for that responsibility, and enable the executive to assemble, or seek the support of, multi-disciplinary teams of people who understand data security, including lawyers and data security specialists.
RC: If a company suspects or confirms that it has been the victim of a serious breach resulting in compromised data, what immediate steps should it take to manage the situation?
Wolf: First, convene the company’s incident response team to manage the company’s response. Identify the source of the breach and limit further data loss. In doing so, take steps to ensure that evidence of the breach is preserved. Determine what is likely to happen to the data that was compromised. If possible and appropriate, dedicate resources to recovering the data before it is used to facilitate identity theft, fraud or other unlawful activities. Identify the types of data compromised; the individuals and entities that may have been affected; and the laws, regulations and agreements that may dictate how the company must respond to the breach. Anticipate the reactions of consumers and business customers. Develop a consistent communications strategy that addresses reasonable concerns and shows that the company takes its obligations seriously. Importantly, prepare all written reports at the direction of counsel and subject to attorney-client privilege.
Gottlieb: It should go without saying that the best time to prepare to manage a breach is before a breach ever occurs. Having a management plan in place will help a company avoid unforced errors and minimise damage as quickly as possible. Generally speaking, the first step should be to investigate the breach to determine its scope, the type of data that may have been compromised, whether the threat remains ongoing, and the relevant disclosure obligations the company may face. This should begin immediately – delays in understanding the breadth of a data breach may end up seriously costing a company. One critical element of any response to a breach will be harmonising the company’s communications to customers, investors, regulators, Congress and the press. Companies should not make public representations about a breach without appropriate qualifications given the state of the investigation. It is important for counsel to be involved early in order to protect relevant privileges and anticipate possible investigation and litigation risks. In particular, companies must avoid the temptation to downplay the extent of a breach in the press prematurely, as misstatements can lead to regulatory actions or shareholder suits.
Sharton: Ideally, a company will have prepared a comprehensive crisis management plan in advance and would activate that plan immediately upon discovering any suspected breach. That said, first and foremost a company must take steps to contain the breach as a technical matter. Right from the outset, the company should inform and involve legal counsel. It is vital that the response is conducted in consultation with and at the direction of counsel – whether internal or external – to help preserve legal privileges, potentially coordinate with law enforcement, and safeguard against other legal risks. It is advisable to have outside legal counsel employ any forensic team hired to protect the integrity of the data and any evidence under privilege. Forensic experts are often required to help determine the scope of the breach and the type of data affected. Once the breach has been contained, legal counsel and management should work together to assess if and when notification should – or must – be given to potentially affected individuals or governmental agencies in light of regulatory and business requirements and to develop a strategy for internal and external communications.
Moulsdale: A company’s first step should be to activate its Breach Response/Mitigation Plan, provided it had the foresight to create one in advance. If not, then the company should assemble a breach response team led by a C-suite executive, such as the CFO or COO. The response team’s first steps should be to engage experienced, independent legal counsel and forensic specialists, and then work with those experts to: contain the breach and prevent further harm; preserve data and evidence, particularly log files in the case of a hacking-type breach; forensically assess the causes and impact of the breach; check insurance policies for possible coverage and follow any required steps to trigger coverage; determine the scope of the company’s duty to notify potential victims, government agencies or others under state, provincial or federal laws; review customer and vendor agreements for contractual duties or rights that may have been triggered by the breach; and manage and contain communications.
Dort: A company’s response to a data breach begins before the breach even occurs. First, the company must prepare alternative contingency plans that key off the various types of sensitive data it has. Second, the company should identify the personnel who will play a role in those contingency plans, and drill them so that in the event of a breach, they are familiar with the tasks required of them. Third, in the event of a data breach, a company should immediately activate the appropriate plan and put the correct personnel into action – forensic IT investigators, public relations, management and legal. In this way, the company will not waste time ‘improvising’ under a clear crisis environment, and risk compounding the effects of the breach or failing to comply with all applicable laws as it responds to the breach.
RC: What can and should companies do to manage internal threats to data privacy, including the actions of rogue employees?
Gottlieb: Most companies spend their IT security budget on trying to keep unauthorised personnel – or hackers – out of a company’s network. Often, however, damage to a company is inflicted by an authorised user of its network: an employee. The two most famous ‘insider’ threats – Bradley Manning and Edward Snowden – exploited US government networks carrying top secret information. These incidents highlight the significant harm that an insider can inflict on an organisation. To mitigate insider threats, companies need to link the operations of Human Resources, Physical Security and IT Security departments. When an employee is preparing to leave a company, whether voluntarily or involuntarily, the HR department should immediately notify IT Security to monitor for unauthorised activity on the network. Moreover, IT must disable employees’ network access in a timely manner. When an employee has demonstrated erratic behaviour or is being disciplined, supervisors may need to request special monitoring of their network usage. Corporate Security or HR can also monitor public databases for red flags requiring enhanced network monitoring. There are specialised insider threat detection technologies that can help identify malicious insider activity in real time. But there are significant limitations to these technologies; for instance, they do not detect activity that is gradual or is part of an employee’s normal behaviour pattern.
Dort: To manage internal threats, such as those posed by rogue employees, a company must implement strict security policies grounded on a ‘need to know’ basis, thus permitting access to sensitive data by only those personnel with a true need to access and handle it. In addition, companies should design into their IT systems sophisticated log-in functions such that trails will be left in the system tracking all details of system events – the ‘who, what, where and when’ data that will be needed to determine what happened and to determine the appropriate remedies. In addition, companies should train employees thoroughly about the need for data security and how to properly implement the company’s applicable security protocols, and make clear to employees the rationale underlying those protocols.
Moulsdale: Together, insider theft and employee error or negligence account for roughly 15 percent of data security breaches. So, it is as critical to manage potential internal risks as it is to manage external threats. Management of internal risks should include: routine, but legally compliant, use of background checks when hiring employees or subcontractors with access to sensitive data or systems; routine data security training; data classification and segregation; limiting access to a data class, particularly any sensitive classes, based on a need to know; deletion of stale or unneeded personal data; and implementation and enforcement of a written information security plan or ‘WISP’, including any policies related to data security, such as a ‘bring your own device’ to work policy.
Sharton: Five things that a company can do to manage internal threats to data privacy are as follows. First, educate employees as to their roles and responsibilities with respect to information security. Second, set the tone at the top that privacy is mission-critical to the organisation. Third, develop a comprehensive incident response plan. Fourth, consistently monitor what data the company has, where that data is located and the data’s current security status. Finally, employ role-based access controls so that no employee has greater information access than is necessary to capably perform his or her job function and that access is cut off as soon as employment ends. While this list is far from exhaustive, implementation of these five practices in any company not currently employing such practices will greatly improve internal data security.
Wolf: Technological measures are useful, but they can only do so much. The lapses of well-meaning individuals and the nefarious actions of rogue employees can lead to data loss even when the most sophisticated measures are in place. For that reason, it is essential that companies foster a culture of privacy and security awareness. Management should consistently communicate the importance of privacy and security, develop robust training programs, and integrate privacy and security awareness into evaluation metrics. When employees integrate the lessons from privacy and security trainings into their day-to-day activities, they are far less likely to inadvertently compromise or inappropriately use personal information. Furthermore, the actions of a rogue employee are likely to stand out in an organisation that embraces and fosters a culture of privacy and security awareness.
RC: What challenges do responsible companies face when they seek to deliver innovative products and services while promoting privacy and security?
Dort: In general, companies need to develop a clear understanding of all the data that they will be collecting and how they will be handling it, both internally, and if applicable, as to third parties. For example, as to the developing ‘internet of things’ in which products will communicate via the internet with external systems to maximise performance, such links will be susceptible to compromise by third parties. The growth of Wi-Fi communications with products such as medical devices that communicate directly with physicians could compromise PHI absent appropriate security protocols. Thus, for any given business model, the company must fully understand the implications of how it handles data so that it proactively addresses potential problems, thereby avoiding them or at least minimising the risk thereof.
Wolf: One of the greatest challenges for companies seeking to deliver innovative products and services is that they are often forced to comply with privacy and security frameworks that were designed to address the issues raised by now-obsolete technologies. Technology often outpaces regulation. Some of the US privacy laws were drafted back when chirping modems announced our connections to the internet and we stored all of our data locally. Yet we see people trying to fit the square pegs of cloud computing, social media, Big Data and personalisation into the round holes of decades-old laws and regulations. We need to allow more room for innovation when it comes to promoting privacy and security. The Fair Information Practice Principles were designed as high-level guidelines for organisations’ privacy practices. Companies should be encouraged to promote those principles without being forced to adopt the privacy-promoting mechanisms that were made for another era.
Gottlieb: There is often a tension inside a company between enhanced security and increased technology deployment. Companies are obviously interested in deploying the latest innovative technology that will increase revenue and efficiency, but can they do so in a safe and secure manner that will protect the company’s intellectual property and personal records? The solution for sophisticated businesses is often a long testing cycle for innovative products and services to ensure that the functionality that these products and services produce also meets the privacy and security standards that the company expects. Taking time to conduct adequate security testing may delay the deployment of an innovative product or service, but may nonetheless be necessary to mitigate risks.
RC: Would you say there is a strong culture of data protection developing in North America? Are companies proactively implementing appropriate controls and risk management processes?
Sharton: I think there is a strong culture of data protection developing in the United States. The US companies with which I have dealt have made data protection and privacy a priority by setting a tone from the top that privacy is a core value of their business. These companies take data protection very seriously, and development of a privacy culture and appropriate risk management controls seem to be driven by reputational, business and competitive concerns. These concerns seem paramount, rather than other factors such as enforcement activity on the part of the government. High profile data breaches only add to the competitive pressures to make sure that one’s data privacy house is in order.
Gottlieb: Corporate culture surrounding data protection is certainly improving. On the positive side, companies are training more employees on risks, and monitoring security practices more than at any time before. Executives are increasingly involved in sending a message from senior management about the importance of cyber risk management. And the development of the NIST framework has the potential to establish norms and standards that will spread beyond the critical infrastructure space and improve corporate risk management over time. But there is still a long way to go. Executives must continue to build cybersecurity into the organisational structure of businesses, rather than segregating the issue solely as an IT or compliance function. Moreover, companies must train their employees on why cyber security is essential to their position as stewards of corporate and customer information. In today’s environment, one misstep can cause potentially catastrophic damage to the company.
Wolf: Companies are embracing their roles as stewards of consumer data. While I cannot speak for all companies, in my experience most companies are dedicating significant resources to proactively addressing privacy and security concerns. Companies do not want to be part of the next media story announcing a data breach or privacy misstep. The fallout from such an event can be crippling. Instead, companies want to be known for their positive efforts to cultivate and implement privacy and security innovations. Companies recognise that data is the new oil. And they also recognise that without consumer trust and engagement, the data will not flow.
Dort: The culture of data protection, while quite weak 10 years ago, is now becoming stronger day to day. Given the massive public relations damage suffered by many companies over the last few years in response to data security breaches, companies are greatly motivated to protect sensitive data so as to avoid these disasters. Moreover, governments at both the federal and state levels are becoming more proactive and aggressive in mandating effective data security procedures. Finally, the courts have become instruments of remedy for affected persons – on both an individual and class basis – in response to breaches. As a result, companies are becoming much more proactive both domestically and internationally in their handling of sensitive data.
Moulsdale: The blossoms of a strong culture of data protection are beginning to form in the US. After years of relative corporate and consumer apathy, this shift is primarily being driven by enforcement actions taken by state attorneys general and the FTC, as well as a rising level of consumer awareness – which has been triggered by daily news reports of data security breaches that have touched every business sector. In particular, that awareness has spiked recently due to revelations about alleged privacy violations of the National Security Agency. That said, complying with a complex patchwork of US and foreign data protection laws can be expensive; while most companies would prefer full compliance with applicable laws, the expense of full compliance can be prohibitive.
EDITORIAL PARTNER
KEY CONTACTS
Michael J. Gottlieb, Partner, Washington, DC, US. T: +1 (202) 237 9617
Karen L. Dunn, Partner, Washington, DC, US. T: +1 (202) 895 5235
Lee S. Wolosky, Partner, New York, NY, US. T: +1 (212) 754 4205
Boies, Schiller & Flexner LLP, founded in 1997, has close to 300 lawyers practicing in the US and the UK. We regularly serve as lead counsel in the most significant and highest profile disputes in the world. In less than a decade, we have won and saved our clients billions of dollars in trials, arbitrations and settlements. Our Crisis Management and Government Response practice focuses on enterprise-threatening events involving overlapping civil or criminal litigation, intense media scrutiny and inquiries by legislative and regulatory authorities. Our partners have served in senior positions in Congress, the White House, the DOJ, FTC, SEC and both federal and state prosecutors’ offices.
Boies, Schiller & Flexner LLP, www.bsfllp.com