GSBlaw.com

DATA SECURITY: LEGAL LANDSCAPE AND BEST PRACTICES

November 16, 2011

Scott G. Warner, sgwarner@gsblaw.com

Garvey Schubert Barer
Seattle, Portland, Washington D.C., New York, Beijing


Overview

• Why you should care

• Context of US data security

• State and Federal patchwork

• Data breach laws

• Best practices


Why should you care?

• As a company doing business in the US you will need to comply

• Your business partners will require that you comply

• If you don’t comply, you are exposed to risk: claims and fines

– $10 Million in civil penalties in the FTC's 2006 ChoicePoint settlement

• The average cost of dealing with data breaches

– $7.2 Million per breach

• Damage to brand and loss of customers


Context for US Rules

• 1973 Department of Health, Education and Welfare report, Records, Computers and the Rights of Citizens (the original fair information practice principles):

– No secret personal data record-keeping

– Right to know what information is collected and how it is used

– Right to prevent multi-purpose use

– Right to correct or amend records

– Assurance of reliability

– Prevent misuse

• Adopted by OECD

• Endorsed by Dept. of Commerce in 1981


No Unified Rule – A Patchwork

• Silos

– Financial information

– Healthcare

– Children

• Focus is on access to and safeguarding of data, not on its collection


Applicable Law

• Federal

– Privacy Act

– Federal Information Security Management Act

– Veterans Affairs Information Security Act

– Health Insurance Portability and Accountability Act (HIPAA); Health Information Technology for Economic and Clinical Health Act (HITECH)

– Gramm-Leach-Bliley Act (GLB)

– Children’s Online Privacy Protection Act (COPPA)

– FTC Act


Patchwork (Con’t.)

– Fair Credit Reporting Act (FCRA); Fair and Accurate Credit Transactions Act (FACTA)

– Sarbanes-Oxley Act (SOX)

• State

– Privacy Policy

– State Privacy Acts

– Common Law

– Contract


Unifying Theme: Manage and Protect Data

• Problem:

– 22.4 Million sensitive records breached as of June 2011

– $7.2 Million per data breach event

• Data Breach Laws

– Federal

– 46 States

– Requirements

– Private right of action; penalties


Data Breach Obligations

• Breach: Unauthorized access to/acquisition of personal information.

• Notice to each individual whose personal information was disclosed.

– Personal information: first name or initial and last name, plus another identifier (e.g. Social Security number, driver's license number, financial account number). Some states also cover medical and health insurance information, employer taxpayer ID, or biometric data.

– Electronic or hard copy records (coverage of paper records varies by state)


Data Breach Obligations (Con’t.)

• Exceptions

– Encrypted data (a safe harbor in most state statutes; several condition it on the encryption key not also having been acquired)

– Investigation indicates identity theft is not likely to result (only in states with a risk-of-harm threshold)

• Timing of notice

– Most expedient time possible and without undue delay

– Some states set a fixed deadline, e.g. 45 days after discovery of the breach; California, 10 days.

• Form of notice

– Written notice, electronic notice, telephonic notice

– Substitute notice (where direct notice is impractical or too costly): e-mail plus conspicuous website posting plus statewide media


Data Breach Obligations (Con’t.)

• Content of notice

– Incident in general terms

– Type of information obtained

– Telephone number for additional information

– Contact number for credit reporting agencies

– Advice to monitor accounts and credit reports

• Notice to third parties

– Notice to state agencies and/or credit reporting agencies


Best Practices

• Before data breach

– Develop policies and procedures for handling data

– Conduct training

– Collect the minimum necessary and retain it for the minimum amount of time

– Inventory records and devices that contain data


Best Practices (Con’t.)

• Classify data by sensitivity

• Employ physical and technological safeguards, e.g. access controls and incident logging

• Limit the number of mobile devices that contain data and the number of people with access to them

• Do not use personal data in testing

• Use encryption

• De-identify data
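
The inventory item on the previous slide and the classify, "no personal data in testing" and de-identify items above are easier to see in code. The following Python script is an added example, not material from the GSB presentation: it classifies constructed sample records using the slides' working definition of personal information (a name plus another identifier), counts them as a record-level inventory, and produces a de-identified copy for a test environment with a release check. The record layout, the regular expressions, the HMAC-based pseudonym scheme and the placeholder PSEUDONYM_KEY are all assumptions of the example.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed sample records standing in for a customer export (not real people).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "ssn": "123-45-6789",
     "account": "4111111111111111", "email": "alice@example.com"},
    {"name": "Bob Sample", "ssn": "", "account": "",
     "email": "bob@example.org", "note": "Prefers phone contact"},
    {"name": "", "ssn": "987-65-4321", "account": "", "email": ""},
]

# Identifiers from the slides' definition of personal information (assumed formats).
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
ACCOUNT_RE = re.compile(r"^\d{12,19}$")

# Placeholder key (assumption): in practice it lives in a KMS or secrets
# manager and never ships with the de-identified data set.
PSEUDONYM_KEY = b"replace-me-with-a-key-from-your-secrets-store"

SENSITIVE_FIELDS = ("name", "ssn", "account", "email")


def classify(record: Dict[str, str]) -> str:
    """Sensitivity class of one record.

    'personal' mirrors the breach statutes' trigger on the slide: a name plus
    another identifier. 'identifier-only' and 'contact' still deserve
    protection but do not by themselves meet that definition.
    """
    has_name = bool(record.get("name", "").strip())
    has_identifier = bool(SSN_RE.match(record.get("ssn", ""))) or bool(
        ACCOUNT_RE.match(record.get("account", "")))
    if has_name and has_identifier:
        return "personal"
    if has_identifier:
        return "identifier-only"
    if record.get("email"):
        return "contact"
    return "public"


def inventory(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Record-level inventory: how many records of each class are held."""
    counts: Dict[str, int] = {}
    for record in records:
        cls = classify(record)
        counts[cls] = counts.get(cls, 0) + 1
    return counts


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token: equal inputs map to equal tokens, so joins
    still work in test, but without the key the value cannot be recovered."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_account(number: str) -> str:
    """Keep only the last four digits, as a printed receipt does."""
    return "*" * (len(number) - 4) + number[-4:] if number else ""


def deidentify(record: Dict[str, str], key: bytes = PSEUDONYM_KEY) -> Dict[str, str]:
    """Copy of a record with every identifier replaced; other fields are kept."""
    out = dict(record)
    if out.get("name"):
        out["name"] = "user-" + pseudonym(out["name"], key)
    if out.get("ssn"):
        out["ssn"] = "ssn-" + pseudonym(out["ssn"], key)
    if out.get("account"):
        out["account"] = mask_account(out["account"])
    if out.get("email"):
        out["email"] = pseudonym(out["email"], key) + "@example.invalid"
    return out


def build_test_dataset(records: List[Dict[str, str]],
                       key: bytes = PSEUDONYM_KEY) -> List[Dict[str, str]]:
    return [deidentify(r, key) for r in records]


def leaks_original_identifiers(original, deidentified) -> bool:
    """Release gate: True if any original identifier survives in the test copy."""
    originals = {r[f] for r in original for f in SENSITIVE_FIELDS if r.get(f)}
    return any(r.get(f) in originals for r in deidentified for f in SENSITIVE_FIELDS)


if __name__ == "__main__":
    print(inventory(SAMPLE_RECORDS))
    test_copy = build_test_dataset(SAMPLE_RECORDS)
    for row in test_copy:
        print(row)
    print("safe to release:", not leaks_original_identifiers(SAMPLE_RECORDS, test_copy))
```

The pseudonyms are keyed on purpose: an unkeyed SHA-256 of a Social Security number is reversible by enumerating the roughly one billion possible values, whereas an HMAC under a key held outside the test environment stays deterministic (so test data can still be joined across tables) without being invertible by whoever holds the test copy. Whether the result counts as de-identified under a given statute is a legal question the script does not answer; the release gate only confirms that no original identifier was copied through.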


Best Practices (Con’t.)

• Dispose of records and devices that contain data securely

• Audit systems to find vulnerabilities; monitor them continuously

• Require service providers to comply

– Require remediation plan

– Indemnity

– Audit rights


Best Practices (Con’t.)

• After the breach

– Contain the breach

– Engage response team

– Analyze the breach

– Determine the legal requirements in every affected jurisdiction and manage to the strictest one

– Contact insurance

– Develop communications plan

– Prepare for litigation, e.g. litigation hold

– Assess the response against your plan and update the plan


Resources

• “Protecting Personal Information: A Guide for Business”, FTC: www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf

• “Security Breach Notification Laws” NCSL: www.ncsl.org/Default.aspx?TabId=13489

• “Chronology of Data Breaches”, Privacy Rights Clearinghouse: www.privacyrights.org/data-breach

• “U.S. Cost of a Data Breach”, Ponemon: www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon


Resources (Con’t.)

• “Guide to Protecting the Confidentiality of Personally Identifiable Information”, NIST: csrc.nist.gov/publications/nistbul/april-2010_guide-protecting-pii.pdf

• “Best Practices in Data Protection”, Ponemon: http://www.ponemon.org/blog/post/best-practices-in-data-protection-study-released

• “Recommended Practices on Notice of Security Breach Involving Personal Information” California Office of Privacy Protection: www.privacy.ca.gov/res/docs/pdf/secbreach.pdf


TAX AND LEGAL CONSIDERATIONS ASSOCIATED WITH OPERATING A DATA STORAGE AND SECURED SYSTEMS BUSINESS

November 16, 2011

Gary P. [email protected]

Garvey Schubert Barer
Portland, Oregon, and Seattle, Washington


Tax and Legal Considerations Associated With Operating a Data Storage and Secured Systems Business

I. Tax Considerations

II. Sources of Legal Liability

III. Contract Strategies


I. Tax Considerations

A. Nexus

1. Permanent Establishment

a. “Fixed place of business through which the business of an enterprise is wholly or partly carried on”

2. PE Applied to Electronic Commerce

a. Website – not fixed to a physical place, so not by itself a PE

b. Server – located at a physical place and can be viewed as a fixed place of business


I. Tax Considerations (Con't.)

B. Characterization of Revenue

1. How is revenue from electronic commerce characterized?

C. Deduction of Expenses


II. Sources of Legal Liability

A. International Privacy Laws and National Breach Laws

1. Supra-national organizations

2. National laws

B. Third Party Sources of Risk

1. Data hosts, processors, advertisers, marketing partners, etc.


III. Contract Strategies

A. Notice

1. Immediate notification of any actual, probable or reasonably suspected breach of security

B. Cooperation

1. Assistance in investigating, remedying, etc.

C. Standard of Care

D. Indemnity

1. Any failure to comply with a contractual obligation


III. Contract Strategies (Con’t.)

E. Limitation of Liability

1. Exclusion of indirect and consequential damages

F. Arbitration
