© 2012 Cooley LLP, Five Palo Alto Square, 3000 El Camino Real, Palo Alto, CA 94306 The content of this packet is an introduction to Cooley LLP’s capabilities and is not intended, by itself, to provide legal advice or create an attorney-client relationship. Prior results do not guarantee future outcome.
Privacy and Security: Practical and Sensible Advice
Chuck Schwab, Special Counsel, Cooley LLP
and Karin Lindgren, General Counsel, Reed Group
www.cooley.com
Topics to Cover Today
Breach notification laws: planning for and responding to a security breach
Information security requirements for customer and employee data
Collection, use, and disclosure of information about customers and employees
International issues
Breach Notification Laws
Progenitor: California's "SB 1386". Identity theft is the driver.
No federal "data breach law", although several bills are still before Congress:
Personal Data Privacy and Security Act of 2011 (S. 1151) (Senators Leahy (D-VT), Schumer (D-NY) and Cardin (D-MD)) (Last action-written report filed by Committee on Commerce, Science and Transportation, November 2011).
Data Security and Breach Notification Act of 2011, S. 1207 (Senators Pryor (D-AR) and Rockefeller (D-WV)) (last action - Committee on Commerce, Science and Transportation scheduled two mark-ups in fall 2011, which were both indefinitely postponed).
Data Breach Notification Act of 2011, S. 1408 (Senator Feinstein (D-CA)) (last action - Committee on Judiciary hearing in October 2011, from which no written report has resulted.)
Breach Notification – Patchwork State Laws
Instead of one uniform federal law (like the FCRA), businesses must undertake the complex task of monitoring all state statutes:
Alaska: Alaska Stat. § 45.48.010 et seq.
Arizona: Ariz. Rev. Stat. § 44-7501
Arkansas: Ark. Code § 4-110-101 et seq.
California: Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
Colorado: Colo. Rev. Stat. § 6-1-716
Connecticut: Conn. Gen. Stat. 36a-701b
Delaware: Del. Code tit. 6, § 12B-101 et seq.
Florida: Fla. Stat. § 817.5681
Georgia: Ga. Code §§ 10-1-910, -911
Hawaii: Haw. Rev. Stat. § 487N-2
Idaho: Idaho Stat. §§ 28-51-104 to 28-51-107
Illinois: 815 ILCS 530/1 et seq.
Indiana: Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq.
Iowa: Iowa Code § 715C.1
Kansas: Kan. Stat. 50-7a01, 50-7a02
Louisiana: La. Rev. Stat. § 51:3071 et seq.
Maine: Me. Rev. Stat. tit. 10 §§ 1347 et seq.
Maryland: Md. Code, Com. Law § 14-3501 et seq.
Massachusetts: Mass. Gen. Laws § 93H-1 et seq.
Michigan: Mich. Comp. Laws § 445.72
Minnesota: Minn. Stat. §§ 325E.61, 325E.64
Mississippi: 2010 H.B. 583 (effective July 1, 2011)
Missouri: Mo. Rev. Stat. § 407.1500
Montana: Mont. Code §§ 30-14-1704, 2-6-504
Nebraska: Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada: Nev. Rev. Stat. §§ 603A.010 et seq., 242.183
New Hampshire: N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
New Jersey: N.J. Stat. 56:8-163
New York: N.Y. Gen. Bus. Law § 899-aa
North Carolina: N.C. Gen. Stat. § 75-65
North Dakota: N.D. Cent. Code § 51-30-01 et seq.
Ohio: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma: Okla. Stat. § 74-3113.1 and § 24-161 to -166
Oregon: Oregon Rev. Stat. § 646A.600 et seq.
Pennsylvania: 73 Pa. Stat. § 2303
Rhode Island: R.I. Gen. Laws § 11-49.2-1 et seq.
South Carolina: S.C. Code § 39-1-90
Tennessee: Tenn. Code § 47-18-2107, 2010 S.B. 2793
Texas: Tex. Bus. & Com. Code § 521.03, Tex. Ed. Code 37.007(b)(5) (2011 H.B. 1224)
Utah: Utah Code §§ 13-44-101, -102, -201, -202, -310
Vermont: Vt. Stat. tit. 9 § 2430 et seq.
Virginia: Va. Code § 18.2-186.6, § 32.1-127.1:05 (effective January 1, 2011)
Washington: Wash. Rev. Code § 19.255.010, 42.56.590
West Virginia: W.V. Code §§ 46A-2A-101 et seq.
Wisconsin: Wis. Stat. § 134.98 et seq.
Wyoming: Wyo. Stat. § 40-12-501 to -502
District of Columbia: D.C. Code § 28-3851 et seq.
Puerto Rico: 10 Laws of Puerto Rico § 4051 et seq.
Virgin Islands: V.I. Code § 2208
Patchwork – Most States
46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
States with no security breach notification law: AL, KY, NM, and SD.
29 states (AK, AZ, AR, CA, CO, CT, GA, HI, IL, IN, KS, KY, MS, MS, MI, MO, MT, NV, NJ, NY, NC, OR, RI, SC, TX, UT, VT, WA, and WI) have laws requiring encryption and secure disposal of personal information held by businesses and/or government.
Every state has a law criminalizing identity theft.
Patchwork – Commonalities
What is covered: personal information requires last name and first initial plus at least one more data element that could lead to loss (e.g., social security number, driver's license number, credit or debit card number, or bank account number and access code, etc.)
Includes employee and customer information.
Most states have an exemption for encrypted data:
Only IN, NYC, WY and DC lack an encryption safe harbor
MS, NH, OK, OR, and TX require notice if encrypted data is breached along with encryption key
Several States require notice to Attorney General even if data is encrypted
Breach Notice – Timing and Scope
Planning for breach is essential: response time is mandated by law.
In all states except CA, GA, ID, and IL, discovery of a suspected breach triggers an immediate requirement to investigate, and notification is only triggered if the investigation determines that there is a reasonable risk of identity theft or loss.
In CA, GA, ID, and IL, the notification requirement is triggered upon discovery.
Once triggered, notification must be provided “As expediently as possible and without unreasonable delay unless disclosure impedes law enforcement investigation”
Several States require immediate disclosure to Attorney General (within 24 hours of discovery)
Notice must typically be in writing and sent to each individual victim, but a small number of states may allow substitute notice in cases of large breach
Breach Notice - Content
Content of notice:
General description of incident
Type of information breached
Toll-free numbers and addresses of the three NCRAs (nationwide consumer reporting agencies)
Breach Notice – Penalties and Costs
Penalties for failure to provide breach notification:
Administrative fines vary state-by-state, ranging up to $500,000 in certain states.
Actual damages to each affected victim.
Costs and expenses associated with breach:
Costs of investigation.
Production and mailing costs for notification letters.
Costs of period of credit monitoring service for affected victims (Typically about $75-$125 per person).
Reputational costs.
Other Breach Notification Laws
FTC’s Red Flag Rule – applies to financial institutions and “creditors” to have an identity theft prevention program; notification is an option
HIPAA – affects covered entities and business associates, requiring employers, for example, to:
Notify major media outlets and HHS if a breach involves 500 or more plan participants
Notify affected individuals within 60 days of becoming aware of the breach
GLBA – applies to financial institutions
Information Security – Why?
Confidential information is critical to the success of business
Protection of valuable intellectual property is essential to maintain legal rights (e.g., trade secret protection)
To further business, employees must have access to confidential information and must create IP
Employers have legal obligations to keep certain information confidential
Legal Requirements
Information Security Regulations
FTC Act
Fairness: maintain adequate and appropriate security measures
Deceptiveness: false or misleading statements; "100% Safe"
Original California SB 1386
State data security laws: 10+ states require "reasonable" safeguards
Sensitive data: Social Security number, driver's license number, financial account information, credit card number
InfoSec Regulations – A Higher Bar
Massachusetts: covers sensitive data; mandates a security program
Safeguards require encryption, policies, training, and monitoring
Some states require encryption for transmission (Nevada)
Data destruction: 23+ states, FCRA
"Reasonable steps" to destroy sensitive data (or all data for CA, CT, KY)
Other InfoSec Regulations
HIPAA Security Rule: information security program with administrative, technical, and physical safeguards; data breach notification
GLBA Safeguards Rule: information security program with administrative, technical, and physical safeguards, scaled to the size and complexity of the organization and the sensitivity of customer information; designate employees to coordinate; identify risks and the sufficiency of safeguards
Red Flags Rule: implement a program to detect, prevent, and mitigate identity theft
InfoSec Policies
Diamonds vs. Toothbrushes
Written InfoSec policy: identify security risks and identity theft risks
Reasonable approach to security risk vectors
Graduated treatment of data types
Establish a “Privacy/InfoSec Officer”
Establish technical controls on data – access, transmission
Maintain technical vigilance – apply security patches within a reasonable time
Annual policy/risk review
Train at least key people
Consumer Privacy - Federal
Customer vs. Consumer
FTC Act – unfair or deceptive practices
Notice: disclosures of what, who x2, how x2
Choice: secondary uses, disclosures, opt-out or opt-in
Access: access to data, correction
Behavioral Tracking
TCPA: junk fax, Do Not Call, SMS
CAN-SPAM: disclosures for promotional emails; opt-out
Consumer Privacy - California
California Online Privacy Protection Act: post a policy identifying the information collected and the third parties with whom you share the information
California – Shine the Light: disclosures about sharing with third parties for their marketing purposes; consumer right to opt out or receive information about third parties
California – Song-Beverly Act: prohibits collection of PII that is not on the credit card, including zip code. Applies to online transactions?
Spyware laws – track data
Employee Privacy
FCRA: applies to reports prepared by a third party that regularly assembles or evaluates credit or other information on a consumer ("consumer reporting agency")
Covers any inquiry for employment purposes bearing on an individual’s “credit, general reputation, personal characteristics, or mode of living”
Criminal history checks, credit checks, sex offender registry, motor vehicle record checks, employment and education verification
Requires permissible purpose to access
State “mini-FCRAs”
Credit check laws
Anti-discrimination laws
Genetic Information Non-Discrimination Act of 2008 (GINA)
FCRA Process
Provide notice and obtain authorization before procuring a background check report
Before taking adverse action or risk based pricing decision, provide notice, including a copy of the report and FTC summary of rights
Wait 5 days before taking final action
Deliver final adverse action or risk based pricing notice
Social Network Checks
Establish policies on when social media checks will be conducted, by whom, at which sites, for what information, and how will that information be evaluated
Include social checks by third-party vendors in your FCRA compliance program
Social checks by the employer’s own staff are not subject to FCRA
Careful about: asking/coercing an employee or applicant to provide social media password(s), or fraudulently/coercively gaining access to network
Be careful of taking adverse action against an employee for comments on social media (could be protected by state law or NLRB rules)
Employees – Practical Pointers
Contracts: require employees to sign proprietary information agreements; define "confidential information"
Require job applicants to sign non-disclosure agreements
Handbooks/policies – privacy expectation is key: adopt electronic data and computer use policies
Employer-allowed use of email and computers
Employer ownership of all data on work computers
Limit personal use
Employee consent to monitoring and inspection
Restrictions on social media use?
International
EU spam laws: opt-in, with some EBR exceptions
Canadian spam law: expecting regulations
All electronic messages (not just email)
Explicit or implied (including EBR) consent
Heavy fines (C$220/message, D&O exposure)
Cookie directive: The Sound and the Fury; waiting for industry solutions
International (2)
EU Directive: expectation of compliance is growing
Model contracts (processor, controller)
Safe Harbor: 7 principles – Notice, Choice, Onward Transfer, Access, Security, Data Integrity, Enforcement
Two toughies: Onward Transfer, Enforcement
BCRs
EU Regulation on the horizon (you don't even want to know), ~2 years away
Questions?
For more information contact:
Chuck Schwab, [email protected]
Sign up for Alerts at www.cooley.com.