Legal Issues of Data Security and Privacy – Yes it Applies to You
BrownWinick Law Firm, 666 Grand Avenue, Suite 2000, Des Moines, IA 50309-2510
www.brownwinick.com
What You Will Learn
What Rules Govern the Use of Personal Information and Data
What Information is Protected
Using Personal Information for Marketing
What Happens if There is a Breach
Differences Between US and EU
How to Start Protecting Yourself
Why This Matters?
Regulatory Activity
High Profile Breaches (Target, Anthem, Michaels, Casinos, Sony)
Competitive Risks
Bottom Line Impacts (fines, reputation, PR costs)
Shifting Targets, Unclear Rules
Data privacy rules are set country by country (some EU standards).
Rules fractured in US, with different rules at the federal and state levels and for certain sectors and types of data.
Extremely difficult to comply with all rules.
Key Regulatory Agencies
US Federal Trade Commission
California and Massachusetts
EU Data Protection Directive
US – General System
Limited Expectations of Privacy
Notice + Opt-Out System
Exceptions: Health Information, Financial Account Information, Employment Information
EU – General System
EU Directive. Establishes a minimum standard for member states.
Data belongs to individuals; may only be used with express consent (Opt-In) or in accordance with law.
No transfer to countries without “adequate level of protection.” US does not meet standard.
State Data Breach Notification
Generally requires notice to people if there is a breach of personal information that is not encrypted.
Common Elements of Privacy Laws
Covered Data
Notice
Choice and Consent
Access
Cross-Border Transfers
Security
Covered Data – Protected Info
Depends on the context and regulatory environment.
Different statutory definitions of protected information for data breach, financial data, health data, etc.
Companies often self-define personal data (even accidentally) in privacy policies and other contracts.
Covered Data – Anonymous Data
Generally, data that is rendered anonymous and aggregated is not protected under data privacy laws.
Notice of Collection
In EU and US, people generally have the right to know when data is being collected.
Notice can come in many ways, but should be (i) in writing, (ii) clear and understandable, and (iii) conspicuous.
Choice and Consent
May always use data to provide the services requested.
In US, generally data may be used as described in notice unless a person Opts-Out.
In EU, generally data may only be used as described in notice if a person Opts-In.
Access
Access reflects level of sensitivity.
Generally, access should be limited to those parties that “need to know.”
Person should have access to data held by company and ability to correct/update.
Transfers of Data
For US data, can be transferred to third parties, but should be done consistently with company’s policy.
For EU data, can’t be transferred outside of EU unless you have met the EU/US Safe Harbor or adopted standard model clauses or binding corporate rules (for parents and subs).
Security
In US, generally must take reasonable technical, physical, and organizational measures to protect the security of sensitive personal information. Additional standards apply to certain data (e.g. HIPAA).
In EU, company must generally take appropriate technical and organizational measures against loss, destruction, or unauthorized access or use.
[Chart: Percentage of Claims by Cause of Loss. Source: NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims]
[Chart: Percentage of Claims by Business Sector. Source: NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims]
Any of the Following Unencrypted Information:
• Government Issued Identifier (SSN, Driver’s License, Pilot License, Inmate Number, Etc…);
• Financial Account Number (credit card / debit card) in combination with any information to grant access to account (Exp., Security Code);
• Username and Password to Financial Account; or
• Biometric Data Representation (fingerprint, retina, or iris).
[Flowchart: Iowa’s Breach Notification Map. Decision nodes: “What Constitutes ‘Personal Information?’” and “Own / License Data?”, each with Yes/No branches. Prepared by Matt McKinney; Current as of 5/29/15]
“Regular email is not a secure method for sending sensitive data. The better practice is to encrypt any transmission that contains information that could be used by fraudsters or identity thieves.”
Federal Trade Commission’s November 2011 Guide to Business.
Court Ruled FTC Can Enforce Breaches as an Unfair Practice Under FTC Act
FTC sued Wyndham Worldwide Corporation in 2012, alleging:
• Violated FTC Act’s prohibition against unfair or deceptive acts or practices.
• Failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.
Wyndham moved to dismiss
• Arguing the FTC does not have authority to bring an “unfairness” claim involving data security.
Court disagreed
• Case not dismissed
FTC in Action
Practices FTC attacks as “deceptive”
• Violating your published privacy policies
Practices FTC attacks as “unfair”
• Failing to implement reasonable safeguards to protect privacy of consumer information
Failing to employ firewalls
Storing sensitive data in readable text
Failing to implement adequate security policies and procedures
Utilizing outdated operating systems incapable of receiving updates
Utilizing commonly-used default user IDs and passwords
Common Law 101
• Duty
• Breach
• Causation
• Injury/Harm
• Damages
• Defenses
Federal Trade Commission
• No “unfair or deceptive practices in or affecting commerce.”
• Broad dragnet
• No Intent required
• No actual harm required
Director Liability Arising from Data Breach
Palkon v. Holmes, No. 14-cv-01234 (D.N.J.): Wyndham SHs sued D&O’s, claiming their failure to implement adequate information-security policies allowed 3 data breaches
Directors owe Duties of Care (BJR) and Loyalty, including Duty of Oversight (No BJR)
• Did not implement reporting or information system or controls; or
• Implemented controls, BUT “consciously failed to monitor or oversee its operations.” Stone.
Director Liability Arising from Data Breach (cont.)
After a data breach, claims against board probably will be
• Breach of Duty of Care and
• Breach of Duty of Loyalty/Oversight
Court “look[s] for evidence of whether a board has acted in a deliberate and knowledgeable way identifying and exploring alternatives.” Citron v. Fairchild Camera
Directors may rely on reports prepared by others, BUT MUST TAKE an active and direct role
Board that fails to manage and monitor cybersecurity probably breaches its duties of care and oversight
Director Liability Arising from Data Breach (cont.)
Protect Against Liability
• Board must become well-informed
• Board should appoint a committee responsible for privacy and security
• Recruit and hire at least one tech-savvy member
• Follow best industry practices
Director Liability Arising from Data Breach (cont.)
Gramm-Leach-Bliley Act
• Applies to Financial Institutions;
• Requires a financial institution’s board of directors, or an appropriate committee of the board, to satisfy specific requirements designed to ensure that the institution’s information security program is developed, implemented, and maintained;
• Management must provide a report to the board, or an appropriate committee, at least annually describing the overall status of the information security program and compliance with the Security Guidelines. The report should describe material matters relating to the program.
Privacy and Marketing
Nearly every business has a formal or informal list of customers and prospects
• File cabinet
• Database
• Rolodex
• Outlook Contacts
The ability to market to customers and prospects is regulated.
Risk Spectrum
The level of regulation, and the accompanying risk, increases with the “invasiveness” of the means of communication.
• Direct mail
• Telemarketing
• Text messaging
Direct Mail Regulations
Postal regulations on issues like
• Classification
• Size
• Weight
• Mailing rates
Direct Mail Regulations (cont.)
Deceptive Mail and Enforcement Act
• Federal statute, passed in 2000
• Passed in response to deceptive practices by companies like Publishers Clearinghouse, which used materials that implied a purchase increased the odds of winning (subject of $34 million settlement with 26 state AGs in 2001)
• Applies only to sweepstakes promoted or entered by mail
Direct Mail Regulations (cont.)
Deceptive Mail and Enforcement Act (cont.)
• Creates private cause of action (including class action) for violations
• Prohibits:
Claims that person is a winner unless they have actually won a prize
Mailing of void checks (unless they clearly state they are non-negotiable and have no cash value)
Implied affiliation or approval by the federal government
Direct Mail Regulations (cont.)
Deceptive Mail and Enforcement Act (cont.)
• Requires clear and conspicuous disclosures:
No Purchase Necessary
Purchase will not increase odds
All material terms and conditions
Identification of the sponsor
Odds
List of prizes and values
Direct Mail Regulations (cont.)
Deceptive Mail and Enforcement Act (cont.)
• Similar state laws regulate sweepstakes mailings to residents (Colorado)
There is no federal “do not mail” list
• Efforts in early 2000s to create a do-not-mail list, akin to do-not-call regulations
• Defeated by direct marketing interest groups
• Rationale: it’s easy to throw away “junk mail”
Direct Mail Regulations (cont.)
Limited options to opt-out of direct mail:
• Prescreened offers of credit/insurance (credit reporting agencies)
• Direct Marketing Association (DMA) offers a five-year opt out from direct mail from its members
Email Regulations
Big Picture
• United States: must opt out to stop receiving commercial emails
• Rest of world: must opt in to receive them
In the US, email marketing is regulated by the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)
Email Regulations (cont.)
Provides criminal and civil penalties
CAN-SPAM Act sets forth requirements for “commercial emails”:
• primary purpose is the commercial advertisement or promotion of a product or service
Email Regulations (cont.)
Preempts state laws regulating commercial emails
• except for claims of falsity or deception (consumer fraud, for example)
• Important because California attempted to enact a law requiring opt-ins for commercial emails
Email Regulations (cont.)
CAN-SPAM Act generally does not regulate “transactional or relationship” emails:
• the primary purpose of which is to:
facilitate, complete, or confirm a commercial transaction
provide warranty, safety, or recall information
provide notice of change in terms, features, or recipient’s standing, or periodic account statements relating to a subscription, account, loan or other commercial relationship with the sender
Email Regulations (cont.)
CAN-SPAM Act generally does not regulate “transactional or relationship” emails:
• the primary purpose of which is to (cont.):
provide employee benefit information (if recipient is currently participating)
deliver goods, services, or updated information under the terms of a previously agreed transaction with the sender
Email Regulations (cont.)
Gray areas:
• mixed commercial and transactional messages
Example: normal billing statement combined with unrelated advertising information
What is “primary purpose” of the email?
• Who is the “sender” of the email?
If you hire someone else (ad agency) to send the email, both can be held responsible
Email Regulations (cont.)
CAN-SPAM Act requirements
• No false or misleading header information (including domain name and email address); must accurately identify the sender
• Subject line cannot deceive the recipient about the contents or subject of the message
• Sender must provide an internet-based opt-out mechanism
• Commercial emails must be identified as an advertisement and contain the sender’s postal address
Email Regulations (cont.)
Opt-out requests
• opt-out mechanism you offer must be functional for at least 30 days after the commercial email was sent
• opt-out requests must be honored within 10 business days
Telephone Marketing Regulations
Telephone Consumer Protection Act of 1991 (TCPA)
• Regulates how businesses may contact people by telephone or fax and provides process for do-not-call list enforcement
Telephone Marketing Regulations (cont.)
Telephone Consumer Protection Act of 1991 (TCPA) (cont.)
• Provides for enforcement by:
FCC
State attorneys general
Private litigants (including class actions)
• Remedies:
• Injunctive relief
• $500 per violation for non-willful violations
• $1,500 per violation for willful violations
Telephone Marketing Regulations (cont.)
Telephone Consumer Protection Act of 1991 (TCPA) (cont.)
• Calls to Cell Phones
In order to make prerecorded or automated calls to cell phones (including text messages), the caller must have consent from the called party:
• Written consent for sales or marketing calls or messages
• Oral or written consent for non-telemarketing calls or messages
• Includes debt collection calls
Telephone Marketing Regulations (cont.)
Telephone Consumer Protection Act of 1991 (TCPA) (cont.)
• Calls to Residential Phones
Same rule as above for prerecorded or automated calls, except that consent must be written
No exception for established business relationships
Telephone Marketing Regulations (cont.)
Faxes
• In 2005, Congress passed the Junk Fax Prevention Act as an amendment to the TCPA.
• Does anyone send faxes anymore?
• Certain disclosures and an opt-out mechanism are required
Telephone Marketing Regulations (cont.)
National Do-Not-Call Registry
• Jointly established by FCC and FTC in 2003
• Telemarketers must suppress calls to numbers on the registry within 31 days of when the number was added
• If residential telephone users place their numbers on the registry, they may not be called unless:
There is an existing business relationship with the consumer
The consumer has given express written consent
Telephone Marketing Regulations (cont.)
Safe harbor defense if
• Call was made erroneously, and
• Caller has in place business standards (such as compliance procedures and training, record-keeping policies, and a procedure to avoid DNC violations)
• Burden is on caller to prove these factors
Telephone Marketing Regulations (cont.)
TCPA
• October 2013 regulations tightened requirements for autodialed calls and text messages to cell phones
Requires express written consent (opt-in) with more detail than “I agree to receive text messages”
• Must mention “autodial” technology
• Best practice to disclose approximate number of calls/messages that will be received
Eliminates existing business relationship exception
Telephone Marketing Regulations (cont.)
Recent developments/hot topics
• Recycled phone numbers
• Smartphones (contact list)
• Revocation of consent not mentioned in the TCPA
• “grandfathering” of old opt-ins
• Vendor/agency contracts
Are you protected?
• Distributors/franchisees
Vicarious liability?
Taco Bell case
Data Privacy in the EU
Data Protection Directive
• Adopted in 1995 by EU
• Provides minimum requirements for the processing of personal data
Each EU member state has enacted its own legislation
• Each member state’s legislation complies with the Directive and may contain stricter requirements
• Has resulted in inconsistencies
Data Privacy in the EU
Scope of Regulation
• Broad Definitions: personal data and processing
• Jurisdictional Scope: presence of person or equipment
Notification and Registration Requirements Before Processing
• Each member state has different requirements and fees
• Exemptions may be available
Data Privacy in the EU
Principles:
• Process data fairly and lawfully
• Collect data only for specified, legitimate purpose
• Refrain from storing excessive information
• Keep data up-to-date
Consent Requirements: Opt-In
Implement Data Security Measures
EU Data Transfer
General prohibition on transferring personal data outside EU unless “adequate level of protection”
Few non-EU countries meet such threshold
Three Main Compliance Alternatives:
• Binding Corporate Rules
• Standard Model Clauses
• EU/US Safe Harbor
EU Data Transfer – Binding Corporate Rules and Standard Model Clauses
Binding Corporate Rules (HP, Citigroup)
• Solution for multinational companies that wish to globally transfer data between affiliates
• Binding rules that show companies adequately protect data
• Expensive ($200k+) and time consuming (18+ months)
Standard Model Clauses
• Data transfer provisions in contracts
• Need separate contract for each transfer
• Unfriendly characteristics – subcontracting restrictions and joint and several liability
EU Data Transfer – EU/US Safe Harbor
Voluntary program that started in October 1998
Currently 4,000+ organizations (Google, FB)
Allows U.S. organization to satisfy Directive’s “adequacy requirement”
Seven Principles: notice, choice, onward transfer, security, data integrity and enforcement
Enforced by private sector (dispute resolution system) and government (FTC and EU)
Relatively inexpensive unless conducting audits
Data Privacy in China
No comprehensive legal framework
Complex and vague: 200+ laws
Consent required
No notification or registration process
No transfer limitations
Generally, only telecommunication business operators and internet services providers are subject to breach notification laws.
Data Privacy in India
Information Technology Act of 2000 & Information Technology Rules 2011
No registration or notification requirements
Express consent and privacy policy required
Transfer allowed if same level of protection provided
• Consent
• Allowed under lawful contract
• Complies with security standards
Current Issues
“Snowden Effect”
EU/US Safe Harbor Update
Increased FTC Enforcement Actions
EU Facebook Litigation
Practical Tips for Foreign Data
Complete compliance is challenge
Obtain consent through opt-in and keep updated privacy policies
Reach out to local and international privacy team to analyze risks, benefits and what transfer mechanism fits your company’s needs
Be Aware!
Congrats, you have already started!
Know your business and the data that it collects. There is more than you think.
Think about physical and technical security and your data handling practices.
First Steps
Develop & Review Policies and Procedures
Train Employees
Long, Unique Passwords
Multiple Usernames and Passwords (2-Step)
Secure Connections
Encryption
Indemnification of Third-Party Agreements
Add/Review Insurance Coverage
If You Have a Breach
Immediate internal investigation
• Retain counsel – privilege/work product issues
• Interview key personnel
• Document actions taken
Immediately and fully notify customers
• No cover up, minimization, or delayed reporting
• Include plan/potential compensation offer
• Establish customer hotline
Stay Informed (and blatant plug)
Go to our website to find and download articles about data privacy: www.brownwinick.com/dataprivacy
Sign up for updates and alerts going forward.
“10 Questions to Ask About Your Data Security Right Now!” Handout
Website: www.brownwinick.com
Toll Free Phone Number: 1-888-282-3515
OFFICE LOCATIONS:
666 Grand Avenue, Suite 2000, Des Moines, Iowa 50309-2510
Telephone: (515) 242-2400; Facsimile: (515) 283-0231
DISCLAIMER: No oral or written statement made by BrownWinick attorneys should be interpreted by the recipient as suggesting a need to obtain legal counsel from BrownWinick or any other firm, nor as suggesting a need to take legal action. Do not attempt to solve individual problems upon the basis of general information provided by any BrownWinick attorney, as slight changes in fact situations may cause a material change in legal result.