Upload
izabella-bordwell
View
225
Download
1
Tags:
Embed Size (px)
Citation preview
Privacy Concerns in the Management of Today's Information
Andrew B. Clauss, Esq.
Partner, Brophy Clauss, LLC
Don McLaughlin, Esq.
Founder and CEO, Falcon Discovery
Christopher W. Brophy, Esq.
Partner, Brophy Clauss LLC
Shannon Bell, Esq.
Partner, Grund, Dagner & Jung, P.C.
Education Code: TU03-3524
Learning ObjectivesUpon completion of this session, participants
will be able to:1. Identify types of information and data that can
lead to privacy and confidentiality concerns
2. Describe the risks associated with creation, use, and management of this information
3. Develop strategies to minimize and balance these risks in the face of new technology
2
What This Course Does Not Cover Privacy and information security are very broad
areas; this presentation will not include specifics on the following areas, but you should be aware of them:– Detailed state, federal and international laws– Specific statutes, guidelines and regulations
• We highlight only a few• Each Industry will have specific laws and rules (e.g.,
CPNI for telecommunications)– Specific areas like security breaches, ISPs, internet sales,
wiretap act, children’s privacy, computer crimes, electronic surveillance (e.g. FISA, Patriot Act), SPAM, spyware, pretexting, insurance privacy, FERPA, etc.
3
4
Introduction
Three areas where privacy and security issues arise:1. Businesses possess private employee information.
What steps need to be taken to protect that information?
2. Businesses have their own private and confidential information. What steps need to be taken to keep that information private?
3. Businesses have private information about their customers. What needs to be done to keep that information protected?
The Playing Field – Sources of Privacy Law
International guidelines – OECD, APEC– What are they?
7 cornerstones of privacy– Notice– Choice– Onward transfer– Access– Security– Data integrity– Enforcement
5
Sources of Privacy Law
Involvement of the FTC– How are the FTC and the FTC Act involved in
privacy?– Targeted advertising
Health-related statutes– ADA– HIPAA & HITECH– State laws
6
Sources of Privacy Law
ECPA/SCA– What are they?– How do they apply?
Accessing co-employer’s email Use of another’s log-in information What about consent?
Online privacy statutes– E.g. California
7
Sources of Privacy Law
Financial privacy– GLB
When does it apply? How could it apply to your business?
– FCRA How could it apply to your business?
– FACT What is it and what does it cover?
– State laws Unique provisions Credit card restrictions
8
Sources of Employee Information
Employees use company email for personal communications
Employees provide the company with private financial information, including bank accounts, retirement accounts, HSA accounts, etc.
Employees provide human resource information like SSN’s, marital/partner status, etc.
Employees use company resources (computers, phones, etc.) for storing personal information, such as photos, documents, and personal communications (e.g. personal attorney-client and physician-patient communications)
9
Employee Privacy Issues
Employee privacy issues– Private areas provided by employers– Privacy expectations– Impact of policies– Investigations– Employee emails– Right to purchase device on termination– Monitoring employee emails– Cell phone privacy– BYOD – phones and computers– Video surveillance in workplace
10
11
What Policies and Procedures Should be Considered?
Companies need to be aware of and guard against litigation exposure from employee activity on company resources
Companies need to establish and enforce policies relating to employee use of company resources for personal business
Companies need to guard against unlawful use/disclosure of employee information
Case Studies
Personal information in workplace systems/files– Types of data:
Health information Personal legal – attorney-client privilege Financial Illegal material – pornography Personal apps/music/photos
– Where is it located?– What are the risks– What can be done to minimize risks
12
Case Studies
Bring Your Own Device (BYOD)– Pros vs. cons
What are the risks? What are the benefits?
13
Case Studies
Bring Your Own Device (BYOD)– Considerations
Eligibility Access Cost Devices/apps Security (data and network) Privacy Support Education and enforcement Feedback and modification
14
Case Studies
Bring Your Own Device (BYOD) – What are the risks?
FLSA Discovery issues Ownership issues Security
– What can be done to minimize risks? Policies and procedures
15
Case Studies Social media/email
– Key issues Investigation/review
• Two-party consent• Expectation of privacy issues
– Directed use of blogging and social media– Marketing laws– Misuse – liability to company?
16
Case Studies Social media/email
– What are the risks? Disclosure of confidential information Admissions against interest Cyber defamation
– What can be done to minimize risks? Restricted access from company IT systems Email/social media management strategies
17
18
Corporate Privacy Issues
Trade secrets, company financial status, company planning, etc., together with employee and customer information
Research and development Legal advice Litigation concerns, especially discovery
issues relating to the foregoing
Corporate Privacy Policy Considerations
Data destruction– SOX– State laws
Document destruction rule Data breach notification laws
19
Corporate Privacy Policy Considerations
Non-statutory & other concerns– NDAs and agreements– Private suits
Intrusion upon seclusion, appropriation of name or likeness, publicity given to private life, and false light publicity
– Class-action suits Protection of trade secrets
20
Case Studies
Cloud computing– Public vs. private vs. hybrid vs. data center– Security breaches and issues– Downtime; financial health of provider– Private contracts with providers– Disclosure/consent from customers– M2M networks– Portal access– Ownership of data
21
Case Studies
Cloud Computing– Interesting case law– What are the risks?– What can be done to minimize risks?
22
Case Studies
Trade secret protection– What is a trade secret?– What are the prongs of trade secret law?
Reasonable steps to preserve the secrecy of the trade secret
– What must you do to protect your trade secrets in order to maintain a cause of action for trade secret theft? Internet/social media Work from home/BYOD Cloud computing
23
Case Studies
Trade Secret Protection– Interesting case law– What are the risks?– What can be done to minimize risks?
24
25
Customer Information Privacy Issues
Companies are collecting more and more personal information about their customers, including social security numbers, email addresses, buying habits/history, etc.
Companies have legal obligations to protect this information
Companies have restrictions on how such data can be used
Social security numbers, credit card information, bank account numbers, birthdates, addresses, etc.– Federal laws– State laws
26
Policy Decision Points for PII
Companies need to decide what customer information they want/need to retain in light of laws regulating what may or may not be asked of customers– How, where, and for how long is such
information going to be retained?– How will the information be used?– Who has access to that information?– How will information be protected?
Proper Disclosure of PII
Case Studies
Personally Identifiable Information– What is PII?
SSI # Address Credit card numbers Email addresses? IP addresses?
– What is required?– Use, disclosure, and destruction– Examples of actual cases
27
Case Studies
Personally Identifiable Information– Interesting case law– What are the risks?– What can be done to minimize risks?
28
General Strategies and Concerns
Choices– Benefit to business vs. data & privacy risks– Limit/expand scope of policy– Cost of technology– Insurance and risk shifting– Limit exposure (LOL, consent, etc.)– Trade secret/confidentiality risks– Security breach and risks– Interaction/coordination with other business units (Legal,
IT, HR, Risk Management, Marketing, Finance, etc.)– Litigation – discovery, preservation, and spoliation issues
29
General Strategies and Concerns
Process– Review laws– Develop policies– Incident response plans– Security safeguards– Notification processes– Sensitive information access restrictions– Do third-party vendors meet privacy and security
standards?– Auditing and compliance– Identify and address common vulnerabilities
30
General Strategies and Concerns
Policies– Considerations
Consent Limitations Processes Scope
31
General Strategies and Concerns
Policies– Examples of commonly-used policies
Security breach/emergency response BYOD Email AUP Social media Work from home Trade secret/confidentiality
32
General Strategies and Concerns
Technologies– Encryption– MDM (mobile device management) software– Digital rights management– SharePoint– Customized solutions
33
General Strategies and Concerns
Outside resources– Attorneys
Most law firms have privacy groups to assist with legal requirements and risks
In-house legal can assist – involve them
– Consultants Most consulting firms have privacy groups to create
and implement policies
– Technology– Crisis
What do you do when something goes wrong? Crisis management can be critical
34
Continue the Conversation
35
Twitter@ARMA_INT or #ARMA13
… and find us on Facebook and LinkedIN by searching for ARMA International
Facilitator Meet and GreetPub Crawl (Expo Hall, Tues.) – 3:30-5:30 pm
Lunch (General Session, Wed.) – 11:30 am-1:00 pm
Please Complete Your Session Evaluation
Privacy Concerns in the Management of Today's Information
Education Code: TU03-352436
Andrew B. Clauss, Esq.
Don McLaughlin, Esq.
Christopher W. Brophy, Esq.
Kevin Lanoha, Esq.