Tuesday, August 24th, 2010 | 7:40 a.m. – 9:00 a.m. | The Houstonian Hotel
111 North Post Oak Lane | Houston, TX 77024
Privacy and Data Protection: Why Should Your Company be Concerned?
When You Think PRIVACY AND DATA PROTECTION, Think Fulbright.TM
Today’s Speakers
Hugo Teufel, Director
Charles Baker, Partner
Fulbright & [email protected]
Pamela Jones Harbour, Partner
Fulbright & [email protected]
Fulbright’s 7th Annual Litigation Trends Survey
According to Fulbright’s 7th Annual Litigation Trends Survey (to be released October 13th), 43% of our respondents encountered issues involving privacy & data protection in the past 12 months.
Most Common Privacy Problems Identified
Search/collection of data from company equipment used by employees
Identification, collection, review or transfer of data from the EU or other jurisdictions to the U.S.
Use of third party vendors to collect and process data
Blocking statutes
PricewaterhouseCoopers
Privacy Compliance: The Top 10 Things You Need to Know Now
Hugo Teufel, Director, Advisory Services
Co-leader, US Privacy Practice, PricewaterhouseCoopers LLP
#10 Doing more with less doesn't mean doing nothing at all!
Directions and trends in a down economy
• Are privacy and business at a crossroad?
• More extraordinary transactions, closings and new business ventures.
# 9 – “What, me worry?” Privacy isn’t just a concern for the financial services and health care sectors.
Why you might worry, at least a little bit. . . .
• It’s an information age.
• Data flows. Globally.
• Laws vary. Nationally and state to state.
• Breaches happen.
# 8 “It's a small world after all….” But that doesn't make privacy compliance easier!
The global picture: Data protection laws around the world
• The EU directive drives privacy legislation in the EU and several other countries; the directive is implemented by country.
• North American countries in various stages of development.
• Canada with Federal & Provincial laws.
• US multiple state laws, sectoral federal laws.
• Mexico 1 state law & federal law in the works…
• Asian countries becoming more privacy aware and adding many new laws.
• Central / South America – many countries with little and others like Argentina with an EU directive based law.
• Australia and New Zealand with strong regimes in place.
• Africa with little in place (South Africa moving forward).
# 7 “Can't we all just get along?” – Regulators and Litigators
Increased Regulator Focus on Data Protection Controls
• Damages Paid - In the last 3 years, over $375 million paid by companies in fines, penalties and class-action settlements.
• Enforcements - Regulators globally have been aggressively inspecting and pursuing privacy breaches and lack/failure of safeguards.
• Expensive Class Actions - The plaintiffs’ bar has used privacy as a new, fruitful area. Recent settlements include:
  - $128 million reserved by a retailer in connection with a breach.
  - $60 million in value paid by a Fortune 500 retailer for inappropriately sharing customer information – not even a breach.
• What is next?
  - B to B?
  - Safe Harbor enforcement.
  - More regulations.
# 6 “Between a rock and a hard place.” ID thieves adapt and breach notification laws proliferate
ID theft is now a major concern
• Identity theft complaints up 20% in ‘08
• $50+ billion in losses.
• 48% done by knowledgeable insiders.
• Temporary / part-time workers are 3x more likely to conduct ID theft.
• $6.6 million - average cost of a breach
• $202 per record cost (vendor breaches averaged $52 higher than internal ones)
New Approaches
• Customer service, collections, call centers, janitors - ID theft rings.
• Medical ID theft/utilities theft.
• Focus: SSNs, driver's license and other government-issued IDs; credit card, bank account and debit card numbers; health insurance IDs.
Sources: FDIC 2/06; FTC 1/09; SMU 8/04; 2008 Annual Study: Cost of a Data Breach (Ponemon Institute)
Top 5 Complaints Received by FTC (1/2008 through 12/2008), by number of complaints:
1. Identity Theft – 313,982
2. Third Party and Creditor Debt Collection – 104,642
3. Shop-at-Home and Catalog Sales – 52,615
4. Internet Services – 52,102
5. Foreign Money Offers and Counterfeit Check Scams – 38,505
# 6 “Between a rock and a hard place.” ID thieves adapt and breach notification laws proliferate. (continued)
Regulatory approach and requirements. Breach notification laws.
• In US, over 40 states passed laws in 2005-2009 plus DC, VI and Puerto Rico.
• New laws and guidelines in US, Germany, Japan, UK, Canada, Australia and elsewhere.
• Scope in US is largely electronic SSNs, driver’s license numbers and financial data elements.
Impact of HITECH Act/Stimulus Bill – Expand Scope of Personal Information:
• Previously, only AR and CA included Health Information; few states included paper.
• Posting on HHS website and notifying local media for certain breaches.
• Definition of personal information revolved around 14 data elements and varied widely from state to state. HIPAA includes 18 data elements.
Impact of Massachusetts 201 § 17.00 – Define required controls:
• MA - minimum controls for handling personal information (defined as 5 types of elements) about a MA resident in paper and electronic records.
• Potentially a new bar for future privacy and data protection regulation.
• Many companies have started protecting data and approaching compliance at the data element level, not the system and application level.
Continued….
# 5 “Light at the end of the tunnel, or just the 5:15?” Identity theft regulation focuses on exploitation.
US identity theft red flags rule
• Status
  - Pushed back to December 31, 2010
• Applicability.
  - Banks, credit and debit card issuers, and other creditors (such as mortgage lenders, telecommunications companies and utilities) offering consumer credit that involves or is designed to permit multiple payments or transactions.
  - Accounts (business-to-business) that potentially have a "reasonably foreseeable risk of identity theft".
• Must put in place a written identity theft prevention program consisting of:
  - An identity theft prevention plan.
  - Obtaining board level approval of the plan.
  - Conducting an assessment against 26 specific criteria that are considered warning signs for accounts and business activities that potentially pose a risk of identity theft, to identify gaps and perform remediation.
  - Maintaining a sustainable and repeatable assessment process, including training and vendor oversight.
# 4 “We’re not in Kansas anymore!” – A brave new web 2.0
• Social Media:
  – The two essential truths about social media.
• Cloud Computing:
  – Everything as a service (software, infrastructure, platform aaS).
  – Privacy, security issues; compliance as well.
• Coming to an Internet near you:
  - Smart Grid:
    – ARRA
    – Decreased consumer costs, infrastructure costs.
    – Increased visibility into consumer usage.
  - Electronic Health Records:
    – HIPAA, HITECH Act.
    – Increased efficiency in treatment, diagnosis; dangers to personal dignity.
# 3 Convergence theory, data governance & the C-suite. New laws require program building blocks and governance
Certain laws and enforcements require governance, training, policies, assessments/audits or other compliance program building blocks.
Examples.
• Eli Lilly FTC enforcement required (i) reasonable administrative, technical and physical controls be in place, (ii) appropriate oversight and (iii) training
• Guess? Jeans FTC enforcement required assessments of reasonably foreseeable risks
• HIPAA, GLBA, CA Web Privacy and other laws require a privacy statement
• ID Theft Red Flags Rule requires assessment, prevention plan, board approval/oversight, governance, training
• HIPAA, Swiss Data Protection Law and others require governance
Key trend in governance:
• Over 70% of Fortune 500 have privacy officers, most organized in compliance or legal, followed by IT, business, PR and others.
• Several companies making chief privacy officers chief data strategy & privacy officers
• Structure “champions” along business or geographical lines, based on overall compliance program structure. Usually the compliance manager is the same person.
# 2 “Integrate or die!” - Integrated frameworks.
Pulling it all together with integrated frameworks
• Many companies operate in vertical silos with different frameworks.
• Clients often ask for one-off assessments of GLBA, HIPAA, PCI, ID Theft, Security Breach Laws, Marketing Laws or Other.
• The trend is to search for common requirements and points of leverage.
An integrated approach
Privacy
• US – Fair Information Practices (e.g., HIPAA, GLBA)
• Global – Organization for Economic Cooperation & Development (e.g., EU Data Protection Directive); APEC
Risk
• COSO II
• SOX
• Basel II
Compliance
• Federal Sentencing Guidelines (7 Principles of an Effective Compliance Program)
Regulatory technical standards
• FTC GLBA 501(b) Safeguards Rule
• HIPAA Security
Technical standards
• ISO 17799
• COBIT
• PCI
• Others
# 1 “It's elemental, Watson!” Focus on the data elements.
• Focus on Global Set of Elements. Avoid focus on just EU, PCI, HIPAA, SSN and/or breach laws. PwC tracks more than 60 high-risk and regulated elements.
• Cost Savings. Having one scoping exercise for multiple compliance areas affords the opportunity to drive cost out of compliance by coordination.
[Bar chart, axis 0% – 90%, three series: High Risk for Identity Theft; Security Breach & Disclosure; HIPAA. Data elements charted: Address of children; Personal cellular, mobile or wireless number; User employee account or other password; Names of children; Health insurance identification or account number; Financial institution account number, credit or debit card number; Drugs, therapies, or medical products or equipment used; Rx/Prescription number; Marital status; The age or gender of children; Employer or taxpayer identification number; Business electronic mail address; User Identification and/or Employee number as assigned by an employer; Age; Gender; Social Security Number; Date of birth; Business telephone number; Occupation/Title; Home telephone number; Home postal address; Business postal address; Middle Name/Initial; Last Name; First Name/Initial. The individual bar values (16% to 85%) cannot be matched to elements in this extraction.]
Example excerpt of global data element inventory.
The Litigation Landscape For Data Security Breaches And How to Respond to One
Charles Baker, Partner
Fulbright & [email protected]
Current Information Security Obligations
1. Obligations to Protect Information Systems and Data
2. Obligations to Disclose Information
Obligations To Protect Information Systems & Data
Gramm-Leach-Bliley Act (GLBA)
Sets notification requirements on the use of personal information
Mandates that a financial institution provide privacy notices detailing:
- What type of data is collected
- With whom it shares
- How that information is protected
GLBA Requires Corporations to:
Establish appropriate standards to ensure security and confidentiality of customer information
Protect against any anticipated threats
Protect against unauthorized access
FTC’s Safeguard Rule
Set of standards for protection of customer records/information
Covers any financial institution that handles customer information
Requires financial institutions to develop, implement and maintain a comprehensive security program that contains administrative, technical and physical safeguards that are appropriate in relation to size and complexity as well as scope and nature of the activities
Required Administrative Safeguards
Must have a designated person to coordinate the program
Must perform a risk assessment
Must design and implement safeguards and must regularly test them
Must oversee service providers
Must update the security program as changes in business occur
FTC’s Enforcement Of The Safeguard Rules
Original enforcements aimed at mortgage companies for failure to comply with basic requirements
FTC also targeted nonfinancial institutions whose privacy statements were found to be false and misleading in light of subsequent security breaches
More recently, FTC has expanded the scope of its activity to include nonfinancial institutions that experience security breaches due to lax policies and procedures; FTC claims such lax security is “unfair”
BJ’s Wholesale case
Obligations To Disclose Information – Notification
A. STATE REGULATION
● California first (2002)
● Designed to help customers protect themselves against identity theft, or minimize damage by informing consumers expeditiously of possible misuse of their personal information; provides private right of action
● Since then, over 45 states enacted similar laws; however, most provide that only AG can enforce
B. GLBA
● Financial institutions should implement a risk-based program to address incidents of unauthorized access
Trends In Security And Privacy Breach Litigation
Private Litigation
So far, tough road for plaintiffs
Retailers will typically face class actions comprised of two groups: consumers and banks seeking to recoup losses
Most cases have not survived motions to dismiss due to inability to demonstrate that the mere loss of data caused them a legally cognizable injury
Theories Of Recovery Typically Alleged
Negligence
Breach of contract
State unfair competition/unfair practice statutes
● Similar to FTC
● Prohibit “deceptive practices” and misrepresentations
● Many states allow both AGs and private parties to sue; some allow class actions
Breach of fiduciary duty
Why Consumer Suits Are Difficult
Difficulty of proving damages/cognizable injury
Most class action plaintiffs have had their personal information compromised, but there is typically no proof that this information was ever fraudulently used
Increased likelihood that one’s personal information may be used for illicit activity, standing alone, is insufficient to warrant relief
Several courts have granted motions to dismiss not for failure to state a claim but because the plaintiffs lacked standing due to their failure to allege an “injury in fact”
Other courts have granted Rule 12(b)(6) motions under the same theory, i.e., failure to allege significant economic losses
Examples
Pisciotta v. Old National Bancorp (7th Cir.)
Bell v. Acxiom Corp. (E.D. Ark. 2006)
Amburgy v. Express Scripts (8th Cir.)
Ruiz v. Gap (9th Cir.)
In re Hannaford Bros. Consumer Data Security Breach Litigation (D. Me. 2009)
There Have Been Some Exceptions
Heartland Payment System Class Action
TJX Cases - Massachusetts
What About Suits By Banks?
In large data breach cases, costs to financial institutions to monitor accounts and reissue cards can be substantial
These cases are usually based on a negligence theory but can also be based on contract (third party beneficiary)
But these suits have also met resistance
Examples
Banknorth v. BJ’s Wholesale Club
Sovereign Bank v. BJ’s Wholesale Club
CardSystems Proceedings
TJX Cases
Issues Under FCRA
FCRA cases
● What is FCRA?
● Creates a private cause of action against violators
● Provides that any person that willfully violates its provisions with respect to any consumer is liable to that consumer in an amount equal to the sum of the consumer’s actual damages or damages of not less than $100 and not more than $1,000, punitive damages and attorneys’ fees
The ROWE v. UNICARE Case
FACTS: Putative class action based on state law theories and the FCRA. Rowe was a member of one of the defendant’s insurance plans who sought to bring a class action suit on the basis that some of plaintiffs’ personal information had been temporarily accessible to the public on the Internet. He did not argue that any of his information had been stolen or that anyone had actually accessed it.
The ROWE v. UNICARE Case (continued)
ALLEGATIONS OF HARM: (1) anxiety and emotional distress; (2) increased risk of identity theft; (3) forced to spend time monitoring; (4) suffered injury to his possessory rights in his protected health information; and (5) his privacy was invaded.
RULING: Court denied motion to dismiss on the grounds that “anxiety and emotional distress” were sufficient to give rise to damages under the FCRA. However, plaintiff will still have to provide evidence of his emotional distress which may be difficult to prove. Also there was no discussion as to how this personal information qualified as a “credit report”; case probably has little precedential value.
FCRA Liability However Is Debatable: Choicepoint Case
FACTS: Over 145,000 customer records of Choicepoint (a data broker) were compromised by identity thieves who established sham accounts with Choicepoint in order to obtain online access to personal information. Numerous class action lawsuits filed.
DECISION: After consolidating the class actions, the federal court of the Central District of California dismissed the case (in 2006), finding that there was no showing that personal information had actually been transmitted to the identity thieves, and that a person’s age, phone number and address were not sensitive information of the kind that could be considered a “consumer report” under the statute.
Failure To Follow State Notification Laws
Forty-Five States Have Notification Laws
• Require a company to notify a consumer when a breach occurs
Some States Allow A Private Cause Of Action For Failure To Follow Rules Of Proper Notification
Summary
Individual consumers still have difficulty showing that a breach causes injury
Defendants in breach cases have been very successful in using the economic loss doctrine
It is extremely difficult for a financial institution to succeed on a claim for breach of contract if it is alleging that it is a third party beneficiary to the contract between the defendant company and the company’s merchant bank
New class actions show the emergence and importance of the PCI-DSS and how the standards can be used to establish a standard of care in negligence claims; earlier cases argued that companies had a fiduciary duty
Recent Observations In the Area of Privacy from a Former Regulator
Pamela Jones Harbour, Partner
Fulbright & [email protected]
Fulbright’s Privacy, Competition and Data Protection Practice
www.fulbright.com/privacy
AUSTIN • BEIJING • DALLAS • DENVER • DUBAI • HONG KONG • HOUSTON • LONDON • LOS ANGELES • MINNEAPOLIS • MUNICH • NEW YORK • RIYADH • SAN ANTONIO • ST. LOUIS • WASHINGTON, D.C.
www.fulbright.com • 866-FULBRIGHT [866-385-2744]