Privacy and Security: Practical and Sensible Advice

Page 1: Privacy and Security: Practical and Sensible Advice

© 2012 Cooley LLP, Five Palo Alto Square, 3000 El Camino Real, Palo Alto, CA 94306 The content of this packet is an introduction to Cooley LLP’s capabilities and is not intended, by itself, to provide legal advice or create an attorney-client relationship. Prior results do not guarantee future outcome.

Privacy and Security: Practical and Sensible Advice

Chuck Schwab, Special Counsel, Cooley LLP, and Karin Lindgren, General Counsel, Reed Group

Page 2: Privacy and Security: Practical and Sensible Advice

www.cooley.com

Topics to Cover Today

Breach notification laws: planning for and responding to a security breach

Information security requirements for customer and employee data

Collection, use, and disclosure of information about customers and employees

International issues

Page 3: Privacy and Security: Practical and Sensible Advice

Breach Notification Laws

Progenitor: California’s “SB 1386”

Identity theft is the driver

No Federal “Data Breach Law” although several bills are still before Congress:

Personal Data Privacy and Security Act of 2011 (S. 1151) (Senators Leahy (D-VT), Schumer (D-NY) and Cardin (D-MD)) (Last action-written report filed by Committee on Commerce, Science and Transportation, November 2011).

Data Security and Breach Notification Act of 2011, S. 1207 (Senators Pryor (D-AR) and Rockefeller (D-WV)) (last action - Committee on Commerce, Science and Transportation scheduled two mark-ups in fall 2011, which were both indefinitely postponed).

Data Breach Notification Act of 2011, S. 1408 (Senator Feinstein (D-CA)) (last action - Committee on Judiciary hearing in October 2011, from which no written report has resulted.)

Page 4: Privacy and Security: Practical and Sensible Advice

Breach Notification – Patchwork State Laws

Instead of one uniform federal law (like the FCRA), businesses must undertake the complex task of monitoring all state statutes:


Alaska: Alaska Stat. § 45.48.010 et seq.
Arizona: Ariz. Rev. Stat. § 44-7501
Arkansas: Ark. Code § 4-110-101 et seq.
California: Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
Colorado: Colo. Rev. Stat. § 6-1-716
Connecticut: Conn. Gen. Stat. 36a-701b
Delaware: Del. Code tit. 6, § 12B-101 et seq.
Florida: Fla. Stat. § 817.5681
Georgia: Ga. Code §§ 10-1-910, -911
Hawaii: Haw. Rev. Stat. § 487N-2
Idaho: Idaho Stat. §§ 28-51-104 to 28-51-107
Illinois: 815 ILCS 530/1 et seq.
Indiana: Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq.
Iowa: Iowa Code § 715C.1
Kansas: Kan. Stat. 50-7a01, 50-7a02
Louisiana: La. Rev. Stat. § 51:3071 et seq.
Maine: Me. Rev. Stat. tit. 10 §§ 1347 et seq.
Maryland: Md. Code, Com. Law § 14-3501 et seq.
Massachusetts: Mass. Gen. Laws § 93H-1 et seq.
Michigan: Mich. Comp. Laws § 445.72
Minnesota: Minn. Stat. §§ 325E.61, 325E.64
Mississippi: 2010 H.B. 583 (effective July 1, 2011)
Missouri: Mo. Rev. Stat. § 407.1500
Montana: Mont. Code §§ 30-14-1704, 2-6-504
Nebraska: Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada: Nev. Rev. Stat. §§ 603A.010 et seq., 242.183
New Hampshire: N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
New Jersey: N.J. Stat. 56:8-163
New York: N.Y. Gen. Bus. Law § 899-aa
North Carolina: N.C. Gen. Stat. § 75-65
North Dakota: N.D. Cent. Code § 51-30-01 et seq.
Ohio: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma: Okla. Stat. § 74-3113.1 and § 24-161 to -166
Oregon: Oregon Rev. Stat. § 646A.600 et seq.
Pennsylvania: 73 Pa. Stat. § 2303
Rhode Island: R.I. Gen. Laws § 11-49.2-1 et seq.
South Carolina: S.C. Code § 39-1-90
Tennessee: Tenn. Code § 47-18-2107, 2010 S.B. 2793
Texas: Tex. Bus. & Com. Code § 521.03, Tex. Ed. Code 37.007(b)(5) (2011 H.B. 1224)
Utah: Utah Code §§ 13-44-101, -102, -201, -202, -310
Vermont: Vt. Stat. tit. 9 § 2430 et seq.
Virginia: Va. Code § 18.2-186.6, § 32.1-127.1:05 (effective January 1, 2011)
Washington: Wash. Rev. Code § 19.255.010, 42.56.590
West Virginia: W.V. Code §§ 46A-2A-101 et seq.
Wisconsin: Wis. Stat. § 134.98 et seq.
Wyoming: Wyo. Stat. § 40-12-501 to -502
District of Columbia: D.C. Code § 28-3851 et seq.
Puerto Rico: 10 Laws of Puerto Rico § 4051 et seq.
Virgin Islands: V.I. Code § 2208

Page 5: Privacy and Security: Practical and Sensible Advice

Patchwork– Most States

46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

States with no security breach notification law: AL, KY, NM, and SD.

29 states (AK, AZ, AR, CA, CO, CT, GA, HI, IL, IN, KS, KY, MS, MS, MI, MO, MT, NV, NJ, NY, NC, OR, RI, SC, TX, UT, VT, WA, and WI) have laws requiring encryption and secure disposal of personal information held by businesses and/or government.

Every state has a law criminalizing identity theft.

Page 6: Privacy and Security: Practical and Sensible Advice

Patchwork – Commonalities

What is covered: Personal Information requires last name and first initial plus at least one more data element that could lead to loss (e.g., social security number, driver’s license number, credit or debit card number, or bank account number and access code, etc.)

Includes employee and customer information.

Most States have exemption for encrypted data:

Only IN, NYC, WY and DC lack an encryption safe harbor

MS, NH, OK, OR, and TX require notice if encrypted data is breached along with encryption key

Several States require notice to Attorney General even if data is encrypted

Page 7: Privacy and Security: Practical and Sensible Advice

Breach Notice – Timing and Scope

Planning for a breach is essential – response time is mandated by law.

In all states except CA, GA, ID, and IL, discovery of a suspected breach triggers an immediate requirement to investigate, and notification is only triggered if the investigation determines that there is a reasonable risk of identity theft or loss

In CA, GA, ID, and IL, notification requirement is triggered upon discovery

Once triggered, notification must be provided “As expediently as possible and without unreasonable delay unless disclosure impedes law enforcement investigation”

Several States require immediate disclosure to Attorney General (within 24 hours of discovery)

Notice must typically be in writing and sent to each individual victim, but a small number of states may allow substitute notice in cases of large breach

Page 8: Privacy and Security: Practical and Sensible Advice

Breach Notice - Content

Content of Notice: General description of incident;

type of information breached;

toll-free numbers and addresses of the three NCRAs.

Page 9: Privacy and Security: Practical and Sensible Advice

Breach Notice – Penalties and Costs

Penalties for Failure to Provide Breach Notification

Administrative fines can vary state-by-state, ranging up to $500,000 in certain states.

Actual damages to each affected victim.

Costs and Expenses Associated with a Breach

Costs of investigation.

Production and mailing costs for notification letters.

Costs of period of credit monitoring service for affected victims (Typically about $75-$125 per person).

Reputational costs.

Page 10: Privacy and Security: Practical and Sensible Advice

Other Breach Notification Laws

FTC’s Red Flag Rule – applies to financial institutions and “creditors” to have an identity theft prevention program; notification is an option

HIPAA – affects covered entities and business associates, requiring employers, for example, to:

Notify major media outlets and HHS if a breach involves 500 or more plan participants

Notify affected individuals within 60 days of becoming aware of the breach

GLBA – applies to financial institutions

Page 11: Privacy and Security: Practical and Sensible Advice

Information Security – Why?

Confidential information is critical to the success of business

Protection of valuable intellectual property is essential to maintain legal rights (e.g., trade secret protection)

To further business, employees must have access to confidential information and must create IP

Employers have legal obligations to keep certain information confidential

Legal Requirements

Page 12: Privacy and Security: Practical and Sensible Advice

Information Security Regulations

FTC Act

Fairness – Maintain adequate and appropriate security measures

Deceptiveness – False or misleading statements; “100% Safe”

Original California SB 1386

State Data Security Law – 10+ states require “reasonable” safeguards

Sensitive Data

Social Security Number

Drivers License Number

Financial Account Information

Credit Card Number

Page 13: Privacy and Security: Practical and Sensible Advice

InfoSec Regulations – A Higher Bar

Massachusetts – Covers Sensitive Data

Mandates Security Program

Safeguards – Require Encryption

Policies

Training

Monitoring

Some states require encryption for transmission (Nevada)

Data destruction – 23+ states, FCRA

“Reasonable steps” to destroy sensitive data (or all data for CA, CT, KY)

Page 14: Privacy and Security: Practical and Sensible Advice

Other InfoSec Regulations

HIPAA Security Rule – Information Security Program

Administrative, Technical, Physical Safeguards

Data Breach Notification

GLBA Safeguards Rule – Information Security Program

Administrative, Technical, Physical Safeguards

Size and Complexity of Organization

Sensitivity of Customer Information

Designate Employees to Coordinate

ID Risks & Sufficiency of Safeguards

Red Flags Rule - Implement program to detect, prevent, and mitigate identity theft

Page 15: Privacy and Security: Practical and Sensible Advice

InfoSec Policies

Diamonds vs. Toothbrushes

Written InfoSec Policy

Identify Security Risks and Identity Theft Risks

Reasonable approach to security risk vectors

Graduated treatment of data types

Establish a “Privacy/InfoSec Officer”

Establish technical controls on data – access, transmission

Maintain technical vigilance – apply security patches within a reasonable time

Annual policy/risk review

Train at least key people

Page 16: Privacy and Security: Practical and Sensible Advice

Consumer Privacy - Federal

Customer vs. Consumer

FTC Act – unfair or deceptive practices

notice – disclosures of what, who x2, how x2

choice – secondary uses, disclosures, opt-out or opt-in

access – access to data, correction

Behavioral Tracking

TCPA – Junk Fax, Do Not Call, SMS

CAN-SPAM – Disclosures for Promotional Emails

Opt-Out

Page 17: Privacy and Security: Practical and Sensible Advice

Consumer Privacy - California

California Online Privacy Protection Act – Post a policy identifying:

Information collected

Third parties with whom you share the information

California – Shine the Light: Disclosures about sharing with third parties for their marketing purposes; consumer right to opt-out or receive information about third parties

California – Song-Beverly Act: Prohibits collection of PII that is not on the credit card, including zip code

Applies to online transactions?

Spyware Laws – track data

Page 18: Privacy and Security: Practical and Sensible Advice

Employee Privacy

FCRA – Applies to reports prepared by a third party that regularly assembles or evaluates credit or other information on a consumer (“consumer reporting agency”)

Covers any inquiry for employment purposes bearing on an individual’s “credit, general reputation, personal characteristics, or mode of living”

Criminal history checks, credit checks, sex offender registry, motor vehicle record checks, employment and education verification

Requires permissible purpose to access

State “mini-FCRAs”

Credit check laws

Anti-discrimination laws

Genetic Information Non-Discrimination Act of 2008 (GINA)

Page 19: Privacy and Security: Practical and Sensible Advice

FCRA Process

Provide notice and obtain authorization before procuring a background check report

Before taking adverse action or risk based pricing decision, provide notice, including a copy of the report and FTC summary of rights

Wait 5 days before taking final action

Deliver final adverse action or risk based pricing notice

Page 20: Privacy and Security: Practical and Sensible Advice

Social Network Checks

Establish policies on when social media checks will be conducted, by whom, at which sites, for what information, and how will that information be evaluated

Include social checks by third-party vendors in your FCRA compliance program

Social checks by the employer’s own staff are not subject to FCRA

Careful about: asking/coercing an employee or applicant to provide social media password(s), or fraudulently/coercively gaining access to network

Be careful of taking adverse action against an employee for comments on social media (could be protected by state law or NLRB rules)

Page 21: Privacy and Security: Practical and Sensible Advice

Employees – Practical Pointers

Contracts

Require employees to sign proprietary information agreements; define “confidential information”

Require job applicants to sign non-disclosure agreements

Handbooks/Policies – Privacy expectation is key

Adopt electronic data and computer use policies

Employer-allowed use of email and computers

Employer ownership of all data on work computers

Limit personal use

Employee consent to monitoring and inspection

Restrictions on social media use?

Page 22: Privacy and Security: Practical and Sensible Advice

International

EU spam laws – Opt-in, with some EBR exceptions

Canadian spam law – Expecting regulations

All electronic messages (not just email)

Explicit or implied (including EBR) consent

Heavy fines (C$220/message, D&O exposure)

Cookie directive – The Sound and the Fury

Waiting for industry solutions

Page 23: Privacy and Security: Practical and Sensible Advice

International (2)

EU Directive – Expectation of compliance is growing

Model Contracts

Processor

Controller

Safe Harbor

7 Principles – Notice, Choice, Onward Transfer, Access, Security, Data Integrity, Enforcement

Two Toughies: Onward Transfer, Enforcement

BCRs

EU Regulation on the horizon – you don’t even want to know

~2 years away

Page 24: Privacy and Security: Practical and Sensible Advice

Questions?

For more information contact:

Chuck Schwab, [email protected]

Sign up for Alerts at www.cooley.com.
