
Privacy & Security - Sidley Austin/media/files/experience/privacy security wh… · Virgin Islands have breach notification requirements – Some states require reporting to government


BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.

Privacy & Security: What You Need to Know Now and Next Year

Alan Charles Raul
202.736.8477
[email protected]

December 7, 2010


Key Points on Privacy/Data Security

• Wall Street Journal Series: “What They Know”

• Baseline U.S. Privacy and Data Security Obligations

• Political and Legislative Changes in Washington

• Legal and Regulatory Issues Are in Flux

• Activist FTC Making Policy and Enforcing Standards

• Cybersecurity Threat to Privacy, Proprietary Data and Critical Infrastructure

• States Are Active Too

• Dealing with the EU (and the Rest of the World)

• Litigation and Enforcement



WSJ: What They Know?

• Surprise – online businesses know a lot about you! (And sometimes even they are really surprised)

• Articles describe spying on consumers

– And have already spawned purported class litigation

• Intrusive new tracking technologies

• Cell phone stalking

• Data scraping from online forums

• Profiling and targeting online users

• Read this series! http://online.wsj.com/public/page/what-they-know-digital-privacy.html



Current Reality Facing Global Corporations

• Significant international cultural – and legal – differences exist in the meaning and nuances of privacy and data protection

• Achieving compliance with overlapping and conflicting federal, state, national, sub-national and multilateral rules is complex and burdensome

• Trend is towards stricter, more prescriptive laws; more complexity and greater enforcement appear likely

• Senior corporate leadership must assess whether their existing policies, internal controls and management systems for privacy/information security and international data transfers are adequate


Overview of U.S. Privacy Law

• No comprehensive federal privacy statute

– no analog to EU’s 1995 Data Protection Directive (privacy framework for member states to implement in national law)

• In U.S., privacy is regulated via:

– Federal sector-specific and ad hoc statutes and regulations

• Financial: Gramm-Leach-Bliley and Dodd-Frank

• Medical: HIPAA and HITECH

• Communications: ECPA, etc.

– FTC regulation and enforcement

– State laws, AG enforcement actions and private litigation

• Industry self-regulation through company privacy policies and association codes

• NGO scrutiny


Political and Legislative Changes

• There was an election recently

• Numerous privacy and security initiatives will resurface

• Election results likely to create a Congress even more enthused about these issues

• E.g., Senator-elect Blumenthal [former litigious State AG]

• Chairman[?] Joe Barton or Chairman[?] Cliff Stearns

– Tea Party influence?



Federal Legislative Proposals

• [Boucher]/Stearns; Rush; Kerry/Rockefeller; Republicans?

• Extend privacy/security coverage beyond existing sector-specific laws

• Privacy policy requirements governing collection, use, disclosure, retention and disposal of personal information

• Federal preemption of state law?

• Opt-in versus opt-out consent to share personal information with unaffiliated third parties?

• Who can enforce: FTC? State AGs? Private litigants?

• Standardized federal data breach notification and reporting?

– Risk of harm threshold versus any potential compromise of covered PII?



White House Launches Interagency Subcommittee on Privacy and Internet Policy

• To advise White House and coordinate privacy and internet policy on federal level

• Core principles:

– facilitating transparency

– promoting cooperation

– empowering individuals to make informed and intelligent choices

– strengthening multi-stakeholder governance models

– and building trust in online environments

• Includes representatives from the Departments of Commerce, Justice, Energy, Education, Health and Human Services, Homeland Security, State, Transportation, and Treasury, as well as the FTC and FCC, among other federal stakeholders.



FTC Authority and Agenda

• Re-thinking privacy

– “Notices not working” (Jon Leibowitz, FTC Chairman)

– “Human dignity not respected by companies” (David Vladeck, Director of Consumer Protection)

– Move away from notice and consent paradigm (Sears)

• FTC Privacy Report (preliminary staff report) released Dec. 1, 2010 (comments due Jan. 31, 2011)

• NTIA/Commerce also issuing report on Internet issues

Presentation Notes: HR 4173 http://www.netchoice.org/iawful/2010-feb/iawful-2010-feb-ftc-rulemaking.html

New FTC Report

• “Privacy by design” (i.e., think about privacy early and often)

• Simplify choice for collection and use of consumer data for practices other than “commonly accepted practices”

• Encourage industry-led “do-not-track” systems

• Promote greater transparency

– shorter and clearer privacy policies

– permit consumers to access data about themselves

• Provide more prominent “just in time” notices

– opt-in consent for use of consumer data in new ways



New from the Agencies: HHS

• Proposed modifications to the HIPAA Privacy, Security and Enforcement rules pursuant to the HITECH Act

– Extend Privacy Rule and Security Rule provisions to Business Associates

– Further limit use/disclosure of PHI for marketing purposes

– Prohibit sale of protected health information

– Strengthen processes for data subjects to access their electronic health records

• HHS withdrew final breach notification rule from OMB review

– May be responding to criticisms that “risk of harm” threshold was too lenient

– FTC’s companion data breach rule did not include a “risk of harm” trigger



Cybersecurity and “Advanced Persistent Threat”

• Cyber-attacks against Google were "wake-up call" about vulnerabilities that could cripple US economy (Dennis Blair, U.S. Director of National Intelligence)

• Cybersecurity legislation will seek to:

– Enhance coordination and prioritization of federal research and development

– Promote development of technical standards

– Improve the transfer of Cybersecurity technologies to the marketplace

• Government contractors and companies involved in critical infrastructure should assess their technical and legal responses to Cybersecurity risks

– DOD advanced notice of proposed rulemaking for defense contractors

Presentation Notes: For more information see: http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf President Obama recently announced that Howard Schmidt would serve as the administration's cybersecurity coordinator, a position similar to the one Rockefeller's bill would formally create. http://www.washingtonpost.com/wp-dyn/content/article/2009/12/21/AR2009122103055.html


Data Breaches

• Data breach notification laws are pervasive

– 46 states (and counting), DC, Puerto Rico, and the Virgin Islands have breach notification requirements

– Some states require reporting to government agencies

• Triggers Vary

– Risk of harm

– Pure acquisition

• Encryption remains a key issue

– Creates safe harbor from state data breach notice laws

– Laptops, portable media (such as USB drives)

– Wireless transmission; transmission over public network


State Legislative Initiatives

• Prohibitions on use of credit histories in employee or job applicant evaluations

– E.g., Employee Credit Privacy Act, effective Jan. 2011

• Updates to State Breach Notification bills

– AG notice (e.g., California S.B. 1166, vetoed Sept. 29)

– Adding medical and/or insurance data

– Cost shifting measures to require breaching entities to reimburse for reissued bank/debit cards

• Locational privacy

– E.g., California S.B. 1268, would limit the transportation agency’s use and retention of location histories collected from the operation of auto tolls (such as Fast Track and EZ Pass). Approved by the Governor Sept. 29.



Massachusetts Data Security Standards

• Regulation 201 CMR 17.00 (effective March 1, 2010)

• Requires anyone that owns, licenses, stores or maintains residents’ personal information to develop and implement a written comprehensive information security program

• Requirements passed through to vendors

• Personal information is defined as:

– Name plus SSN, driver’s license number or other state-issued identification number, or credit or debit card number or other financial account number

– Applies to electronic or paper data


Massachusetts Data Security Regulations

• Collect only minimum personal information necessary

• Retain information only as long as necessary for purpose originally collected

• Limit access to those with need to know

• Promptly deactivate user name/password of terminated employee authorized to access personal information

• Encrypt personal information:

– in transmission over Internet

– on all wireless transmissions

– on portable storage media

• Develop policy to regulate when and how personal information may be transported, stored and accessed off-site

• Develop policies for telecommuting

• Assign passwords of at least seven letters and numbers

• Monitor access to personal information and review audit trails


Cloud Computing

• Privacy and data security issues

– E-discovery

– What law governs when your data is in the clouds?

– Data retention

• “Storage of data on remote computers may also raise privacy and security concerns for consumers” (David Vladeck, FTC's Consumer Protection Bureau)

• German DPA issued opinion that personal data should not be sent to cloud computing service

• Relationship of cloud to 4th Amendment expectation of privacy? Is cloud computing a modern safe deposit box?

• Microsoft Cloud Computing Initiative

– The “Cloud Computing Advancement Act”

– Suggests modernizing ECPA

– Deter hacking via the CFAA


News from Around the World: International Data Transfers

• Articles 25 and 26 of the Data Protection Directive prohibit transfer of personal data to countries outside EEA that do not ensure an adequate level of protection

• Possible means for dealing with data transfers outside the EU include:

– Consent – but consent must be informed and freely given

– Model Contracts

– US Safe Harbor

– Binding Corporate Rules

– Article 26(1)(d) – transfer necessary or legally required on important public interest grounds or for establishment, exercise or defence of legal claims

• Hague Convention – compliance with request under Hague Convention provides formal basis for transfer of personal data but some EU Member States have not signed Convention or have signed with reservations regarding civil discovery



News from Around the World: Litigation/Investigations

• Approach to document discovery varies between Member States

• French Blocking Statute prohibiting communication to foreign authorities. Aerospatiale/MAFF-Executive Life

• Swiss Penal Code Article 271 blocks in-country discovery and some internal investigation work

• February 2009, Article 29 Data Protection Working Party published Guidelines for EU Data Production on pre-trial discovery for cross border civil litigation

• Privilege for in-house counsel undermined in EU



News from Around the World: Whistleblowers/Hotline Transfers

• EU Article 29 Working Party Guidelines for Whistleblowing Schemes (Feb. 1, 2006)

– applies EU data protection principles to whistleblowing schemes in accounting, internal accounting controls, auditing matters, and the fight against bribery, banking, and financial crime

– anonymous whistleblowing schemes should not be encouraged; confidentiality should be assured

– specific organization must be set up within company, separate from other departments, to investigate complaints


News from Around the World: South of the Border

• Mexico has a new omnibus data protection law

• Enforcement from data protection authority (Federal Public Information and Data Protection Institute) to begin in January 2012

• The DPA is authorized to levy fines without judicial action

• Generally EU-style framework

• Significantly, does not limit international data transfers

– Likely stumbling block to a potential “adequacy determination” from the EU

• Also requires data breach notification


Enforcement & Litigation Developments: FTC Consent agreement with Twitter

• First information security enforcement action against social network

• Complaint alleges Twitter failed to live up to promises of data security; failed to honor user privacy selections.

– Duplicative or common administrative passwords

– No lock-out for numerous unsuccessful login attempts

– No separation of administrative login page, nor restricting administrative access to those who need such access

• Hackers gained control of Twitter, reset user passwords, sent unauthorized messages under user accounts.

• Requires a written information security program with stronger data security measures



Enforcement & Litigation Developments: Privacy in the Business World

• Corporation Privacy: FCC v. AT&T

– Supreme Court reviewing Third Circuit decision that corporations can assert privacy interest to prevent disclosure of enforcement-related records under FOIA

• Employee Privacy: Chamber of Commerce v. Candelaria

– Supreme Court will determine whether Arizona’s controversial 2007 law requiring use of E-Verify is preempted by federal law

– E-Verify is administered by DHS as tool to determine legal employment status of employees



Enforcement & Litigation Developments: Privacy in the Business World

• City of Ontario v. Quon: Whether government employee had expectation of privacy in text messages sent through government-phone after receiving a written policy that messages were subject to monitoring, but being told by supervisor that messages would not be read

• 9th Cir. held the examination of the respondents’ text messages violated Fourth Amendment

• Supreme Court reversed, but took restrained approach

• The court assumed, arguendo, that Quon had expectation of privacy in text messages, but held City’s search was reasonable



Enforcement and Litigation Developments: International Enforcement

• DPAs’ 2007 annual reports noted increases in formal complaints and claims of data protection violations

• French Data Protection Authority (CNIL) received twice as many complaints in 2007 over 2006.

– 2004 amendment to the French Data Protection Act of 1978 enabled CNIL to levy fines up to €150,000 ($195,372) for violations

– During 2007, CNIL imposed fines ranging from €5,000 ($6,514) to €50,000 ($65,136), issued five warnings, and sent 101 formal notifications.

• In Spain, number of claims filed by citizens to Spanish DPA (AEPD) rose by 7 percent over 2006, totaling 1,624 in 2007

– AEPD resolved 399 penalty procedures, a 32.5% increase over 2006

– Fines imposed by AEPD amounted to €19.6 million ($25.5 million) in 2007

• Italy's DPA made 316 decisions on formal complaints in 2007

• UK Information Commissioner responded to 47 consultations, a “very significant increase” over 2006


The Cost of Getting Data Protection Wrong

• Breaches and data incidents can be extremely painful

• Hard costs:

– Cost of notifying affected individuals

– Credit monitoring

– Investigation and legal fees

• Potential costs:

– FTC, State AG, and regulatory investigations

– Class actions by data subjects

– Litigation with business partners over hard costs

– Legal defense fees

• Brand/Reputation harm:

– Charges of deceptive / unfair business practices

– Lost confidence / uncertainty in clients / employees

– Lost profits / business partners


Contact Information

Alan Charles Raul

[email protected]

(202) 736-8477

Sidley Austin LLP

1501 K Street, NW

Washington, DC 20005

www.sidley.com/infolaw

Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, London, Hong Kong, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.

This presentation has been prepared by Sidley Austin LLP as of October 12, 2010, for informational purposes only.