Rob Cutbirth, Partner, SF Avril Love, Counsel, LA Piecing Together Data Policies that Make Sense in an Ever-Changing World

Topic 2 Cutbirth and Love



Page 2

Motivations to Create a Policy

1. Regulatory Standards: HIPAA-HITECH/State Privacy Laws/FERPA
2. Governance and Risk Management Standards: Publicly Traded Companies/Board Standards/Insurance Requirements
3. Financing/Customer Standards: Lender-Imposed & Customer Requirements
4. Internal Events: The Boss, Who Heard At The Club That …; An Actual/Potential Security Scare; Someone Attending a Seminar at Tucker Ellis!

Page 3

Some of the Basic Constraints

1. Practicality: Location/Systems/Personal Devices/Employee Skill Sets
2. Enforceability: You must be able to enforce, and you must enforce
3. Training: You must be able to develop a training program to share information and consequences

Page 4

And Then These Turn Up the Heat On You

But If We Do That …

• It Will Make It Tougher To Use Our Systems/Not “User Friendly”

• It’s Really Not Going To Change Anything, so Why Do it

• It’s Going To Cost More

I Need My Own Special Policy Because…

• My Content Is Different

• My Department Needs Greater Flexibility

• I’m In A Different State/City/Type of Operation

Page 5

Against these Challenges, How Do You Build a Strong and Defensible Data Security Policy?

First, Know Your:

• Legal Obligations & Limitations: Int’l; US/State/Industry

• Risks – Real and “Unreal”: Industry and Data Driven

• Goals and Expectations: Who Needs it/Who Wants it/When is it Needed/Who is Covered

• Systems/Environment: What can you Impose Given Your Hardware/Software Systems and Limitations, and Your Vendor’s Systems

Page 6

Second, Know Your Drafting Rules and Requirements

• Cover a Majority of Issues

• Meet Language Barriers

• Create a Longer-Lasting Version

• Draft to Get Approvals

Page 7

Let’s Start to Build a Personal Device Security Policy*

• Some Of The Key Issues:
– Personal v. Company Devices
– Nature Of Information Accessed And Stored
– Protective Corporate Software/Apps
– Separation From Employment
– Lost/Stolen Phones and Phone Replacement
– Passwords/Access To The Device By Non-Employees
– To Whom Does the Policy Apply

*Does Not Include Other Issues That Should be in a Personal Device Policy:
• Expense Reimbursement
• Exempt v. Nonexempt Use
• Improper/Acceptable Use

Page 8

The Policy – How We Might Build It …

• Opening Sentence – Why we have the Policy: In meeting our legal and contractual obligations, and to avoid harm to the Company’s operations and business relationships, each of our employees and vendors must take reasonable and necessary steps to protect the personal, confidential, and proprietary information of the Company, our employees, and our customers and business partners (“Confidential Information”).

• Second Sentence – The Big Picture Obligation: To meet this obligation, our employees and vendors must diligently ensure that Confidential Information cannot be inappropriately accessed from their personal and business cellular telephones, tablets, or similar devices (“Personal Device”).

Page 9

• Third Sentence – The Consequences: Employees failing to comply with these obligations may face discipline. Vendors’ employees failing to comply with these obligations may have their contracts terminated. In appropriate circumstances, breach of these obligations may also result in regulatory or law enforcement officials being notified.

Page 10

• The Fourth Sentence – The “Rules”: Protective actions required to be taken include:

• The immediate reporting to __________________ of a lost or stolen device, or an actual or potential security breach. You must then follow their direction and guidance.

• The use of password protection on any Personal Device used to access or transmit Confidential Information. Because only you are authorized to access or use Confidential Information from your Personal Device, passwords must not be shared with family members, friends, or others who could accidentally or intentionally access Confidential Information, placing you, the Company, and the accessing party at risk.

Page 11

• The installation on your Personal Device of the ___________ application, which provides additional security for the device. In the case of a lost or stolen Personal Device, the Program can erase all Confidential Information and/or track the location of the device. The tracking feature of the program is only used in response to notice of a lost or stolen Personal Device.

• The removal of all Confidential Information, and programs or applications used to access Confidential Information, before you sell, gift, trade-in, or otherwise dispose of a Personal Device, or upon your separation from the Company. You must notify _______________________ to assist with this process.

Page 12

You Should Also Tie in Vendors

• For vendors whose employees may have access to Confidential Information, our contracts will include a provision stating they will, at a minimum, comply with our Data Security Policies and Procedures, with their employees advised of these obligations.

Page 13

Avril Love, Counsel
515 South Flower Street
Forty-Second Floor
Los Angeles, CA 90071
213.430.3306 (direct dial)

Rob Cutbirth, Partner
One Market Plaza
Steuart Tower, Suite 700
San Francisco, CA 94105
415-617-2235
[email protected]

Questions?