Tuesday, August 24th, 20107:40 a.m. – 9:00 a.m. | The Houstonian Hotel

111 North Post Oak Lane | Houston, TX 77024

Privacy and Data Protection: Why Should Your Company be

Concerned?

When You Think PRIVACY AND DATA PROTECTION, Think Fulbright.TM

2

Today’s SpeakersToday’s Speakers

Hugo TeufelDirector

PricewaterhouseCoopersHugo.teufel@us.pwc.com

Charles BakerPartner

Fulbright & Jaworskicsbaker@fulbright.com

Pamela Jones HarbourPartner

Fulbright & Jaworskipharbour@fulbright.com

3

Fulbright’s 7Fulbright’s 7thth AnnualAnnualLitigation Trends SurveyLitigation Trends Survey

According to Fulbright’s 7th Annual Litigation TrendsSurvey (to be released October 13th) 43% of our respondents encountered issues involving privacy &

data protection in the past 12 months.

4

Most Common Privacy Most Common Privacy Problems IdentifiedProblems Identified

Search/collection of data from company equipment used by employees

Identification, collection, review or transfer from EU or the other jurisdiction to the U.S.

Use of third party vendors to collect and process data

Blocking statutes

PricewaterhouseCoopers 5

Privacy Compliance: The Top 10 Things You Need to Know Now

Hugo TeufelDirector, Advisory Services

Co-leader, US Privacy PracticePricewaterhouseCoopers LLP

PricewaterhouseCoopers 6

#10 Doing more with less doesn't mean doing nothing at all!

Directions and trends in a down economy

• Are privacy and business at a crossroad?

• More extraordinary transactions, closings and new business ventures.

PricewaterhouseCoopers 7

# 9 – “What, me worry?” Privacy isn’t just a concern for the financial services and health care sectors.

Why you might worry, at least a little bit. . . .

•It’s an information age.•Data flows. Globally.•Laws vary. Nationally and state to state.•Breaches happen.

PricewaterhouseCoopers 8

# 8 “It's a small world after all….” But that doesn't make privacy compliance easier!

The global picture: Data protection laws around the world• The EU directive drives privacy legislation in the EU and several other counties; the directive is implemented by country.

• North American countries in various stages of development.

• Canada with Federal & Provincial laws.• US multiple state laws , sectoral federal

laws.• Mexico 1 state law & federal law in the

works…• Asian countries becoming more privacy aware and adding many new laws.

• Central / South America – many countries with little and others like Argentina with an EU directive based law.

• Australia and New Zealand with strong regimes in place.

• Africa with little in place (South Africa moving forward).

PricewaterhouseCoopers 9

# 7 “Can't we all just get along?” – Regulators and Litigators

Increased Regulator Focus on Data Protection Controls

• Damages Paid- In the last 3 years, over $375 million paid by companies in fines, penalties and class-action settlements.

• Enforcements - Regulators globally have aggressively inspecting and pursuing privacy breaches and lack/failure of safeguards.

• Expensive Class Actions- Plaintiffs bar has used privacy as a new, fruitful area:- Recent settlements include:

• $128 million reserved by a retailer in connection with a breach.• $60 million in value paid by a Fortune 500 retailer for inappropriately

sharing customer information – not even a breach.• What is next?

- B to B?- Safe Harbor enforcement.- More regulations.

PricewaterhouseCoopers 10

#6 “Between a rock and a hard place.”ID thieves adapt and breach notification laws proliferate

ID theft is now a major concern• Identify theft complaints up 20% in ‘08• $50+ billion in losses.• 48% done by knowledgeable insiders.• Temporary / part-time workers are 3x

more likely to conduct ID Theft.• $6.6 million - average cost of a breach• $202 per record cost (vendor breaches

averaged $52 higher than internal ones)

New Approaches• Customer service, collections, call

centers, janitors - ID theft rings.• Medical ID theft/utilities theft. • Focus SSNs, driver's license and other

government-issued IDs; credit card, bank account and debit card numbers; health insurance IDs.

Sources: (FDIC 2/06; FTC 1/09; SMU 8/04; 2008 Annual Study: Cost of a Data Breach (Ponemon Institute)

Top 5 Complaints Received by FTC(1/2008 through 12/2008)

Number

1.Identity Theft 313,9822.Third Party and Creditor Debt Collection

104,642

3.Shop-at-Home and Catalog Sales

52,615

4.Internet Services 52,1025.Foreign Money Offers and Counterfeit Check Scams

38,505

PricewaterhouseCoopers 11

# 6 “Between a rock and a hard place.”ID thieves adapt and breach notification laws proliferate.

Regulatory approach and requirements. Breach notification laws. • In US, over 40 states passed laws in 2005-2009 plus DC, VI and Puerto Rico. • New laws and guidelines in US, Germany, Japan, UK, Canada, Australia and

elsewhere.• Scope in US is largely electronic SSNs, driver’s license numbers and financial data

elements.Impact of HITECH Act/Stimulus Bill – Expand Scope of Personal Information:• Previously, only AR and CA included Health Information; few states included paper. • Posting on HHS website and notifying local media for certain breaches.• Definition of personal information revolved around 14 data elements and varied widely

from state to state. HIPAA includes 18 data elements.Impact of Massachusetts 201 § 17.00 – Define required controls:• MA - minimum controls for handling personal information (defined as 5 types elements)

about a MA resident in paper and electronic records. • Potentially a new bar for future privacy and data projection regulation.

• Many companies have started protecting data and approaching compliance at the data element level, not the system and application level.

Continued….

PricewaterhouseCoopers 12

# 5 “Light at the end of the tunnel, or just the 5:15?”Identity theft regulation focuses on exploitation.

US identity theft red flags rule • Status

- Pushed back to December 31, 2010• Applicability.

- Banks, credit and debit card issuers, and other creditors (such as mortgage lenders, telecommunications companies and utilities) offering consumer credit that involves or is designed to permit multiple payments or transactions.

- Accounts (business-to-business) that potentially have a "reasonably foreseeable risk of identity theft“.

• Must put in place a written identity theft prevention program consisting of:- An identity theft prevention plan. - Obtaining board level approval of the plan.- Conducting an assessment against 26 specific criteria that are considered

warning signs for accounts and business activities that potentially pose a risk of identity theft to identify gaps and perform remediation.

- Maintain a sustainable and repeatable assessment process, including training and vendor oversight.

PricewaterhouseCoopers 13

# 4 “We’re not in Kansas anymore!” – A brave new web 2.0

• Social Media:– The two essential truths about social media.

• Cloud Computing:– Everything as a service (software, infrastructure, platform aaS).– Privacy, security issues; compliance as well.

• Coming to an Internet near you:

- Smart Grid:– ARRA– Decreased consumer costs, infrastructure costs.– Increased visibility into consumer usage.

- Electronic Health Records:– HIPAA, HITECH Act.– Increased efficiency in treatment, diagnosis; dangers to personal

dignity.

PricewaterhouseCoopers 14

# 3 Convergence theory, data governance & the C-suiteNew laws require program building blocks and governance

Certain laws and enforcements require governance, training, policies, assessments/audits or other compliance program building blocks.

Examples.• Eli Lilly FTC Enforcement required (i) reasonable administrative, technical and physical

controls be in place, (ii) appropriate oversight and (iii) training• Guess? Jeans FTC enforcement required assessments of reasonably foreseeable risks• HIPAA, GLBA, CA Web Privacy and other laws require privacy statement• ID Theft Red Flags Rule requires assessment, prevention plan, board approval/

oversight, governance, training• HIPAA, Swiss Data Protection Law and others require governanceKey trend in governance:• Over 70% of Fortune 500 have privacy officers, most organized in compliance or legal

followed by IT, business, PR and others. • Several companies making chief privacy officers chief data strategy & privacy officers• Structure “champions” along business or geographical lines, based on overall

compliance program structure. Usually compliance manger is same person.

PricewaterhouseCoopers 15

# 2 “Integrate or die!” - Integrated frameworks.

Pulling it all together with integrated frameworks

• Many companies operate in vertical silos with different frameworks.

• Clients often ask for one-off assessments of GLBA, HIPAA, PCI, ID Theft, Security Breach Laws, Marketing Laws or Other.

• The trend is to search for common requirements and points of leverage.

An integrated approach

Privacy• US – Fair

Information Practices (e.g., HIPAA, GLBA)

• Global – Organization of Economic Cooperation & Development (e.g., EU Data Protection Directive); APEC

Risk• COSO II • SOX• Basel II

Compliance• Federal Sentencing Guidelines

(7 Principles of an Effective Compliance Program)

Regulatory technical standards• FTC GLBA 501(b)

Safeguards Rule • HIPAA Security

Technical standards• ISO 17799• COBIT• PCI• Others

PricewaterhouseCoopers 16

# 1 “It's elemental, Watson!” Focus on the data elements.• Focus on Global Set of Elements. Avoid focus on just EU, PCI, HIPAA, SSN and/or

breach laws. PwC tracks more than 60 high-risk and regulated elements. • Cost Savings. Having one scoping exercise for multiple compliance areas affords the

opportunity to drive cost out of compliance by coordination.

16%17%17%17%18%18%18%19%

21%21%21%21%

26%26%

29%30%30%

34%35%35%

44%44%

83%85%

65%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Address of childrenPersonal cellular, mobile or wireless number

User employee account or other passwordNames of children

Health insurance identification or account numberFinancial institution account number, credit or debit card number

Drugs, therapies, or medical products or equipment usedRx/Prescription number

Maritul statusThe age or gender of children

Employer or taxpayer identification numberBusiness electronic mail address

User Identification and/or Employee number as assigned by an employerAge

GenderSocial Security Number

Date of birthBusiness telephone number

Occupation/TitleHome telephone number

Home postal addressBusiness postal address

Middle Name/InitialLast Name

First Name/Initial

High Risk for Identity TheftSecurity Breach & DisclosureHIPAA

Example excerpt of global data element inventory.

17

The Litigation Landscape For Data Security The Litigation Landscape For Data Security Breaches And How to Respond to OneBreaches And How to Respond to One

Charles BakerPartner

Fulbright & Jaworskicsbaker@fulbright.com

18

Current Information Security ObligationsCurrent Information Security Obligations

1. Obligations to Protect Information Systems and Data

2. Obligations to Disclose Information

19

Obligations To Protect Information Obligations To Protect Information Systems & DataSystems & Data

Graham-Leach-Bliley Act (GLBA)

Set notification requirements on the use of personal information

Mandates that a financial institution provide privacy notices detailing

- What type of data collected- With whom it shares- How that information is protected

20

GLBA Requires Corporations to:GLBA Requires Corporations to:

Establish appropriate standards to ensure security and confidentiality of customer information

Protect against any anticipated threats

Protect against unauthorized access

21

FTC’S Safeguard RuleFTC’S Safeguard Rule

Set of standards for protection of customer records/information

Covers any financial institution that handles customer information

Requires financial institutions to develop, implement and maintain a comprehensive security program that contains administrative, technical and physical safeguards that are appropriate in relation to size and complexity as well as scope and nature of the activities

22

Required Administrative Safeguards Required Administrative Safeguards

Must have a designated person to coordinate programMust perform a risk assessmentMust design and implement safeguards and must regularly testMust oversee service providersMust update security program as changes in business occur

23

FTC’s Enforcement Of The FTC’s Enforcement Of The Safeguard RulesSafeguard Rules

Original enforcements aimed at mortgage companies for failure to comply with basic requirementsFTC also targeted nonfinancial institutions whose privacy statements were found to be false and misleading in light of subsequent security breachesMore recently, FTC has expanded the scope of its activity to include nonfinancial institutions that experience security breaches due to lax policies and procedures; FTC claims such lax security is “unfair”BJ’s Wholesale case

24

Obligations To Disclose Information Obligations To Disclose Information ––NotificationNotification

A. STATE REGULATION

● California first (2002)

● Designed to help customers protect themselves against identity theft, or minimize damage by informing consumers expeditiously of possible misuse of their personal information; provides private right of action

● Since then, over 45 states enacted similar laws; however, most provide that only AG can enforce

B. GLBA

● Financial institutions should implement a risk-based program to address incidents of unauthorized access

25

Trends In Security And Trends In Security And Privacy Breach LitigationPrivacy Breach Litigation

26

Private LitigationPrivate Litigation

So far, tough road for plaintiffs

Retailers will typically face class actions comprised of two groups: consumers and banks seeking to recoup losses

Most cases have not survived motions to dismiss due to inability to demonstrate that the mere loss of data caused them a legally cognizable injury

27

Theories Of Recovery Typically AllegedTheories Of Recovery Typically Alleged

NegligenceBreach of contractState unfair competition/unfair practice statutes● Similar to FTC● Prohibit “deceptive practices” and misrepresentations● Many states allow both A6 and private parties to sue;

some allow class actions

Breach of fiduciary duty

28

Why Consumer Suits Are DifficultWhy Consumer Suits Are Difficult

Difficulty of proving damages/cognizable injuryMost class action plaintiffs have had their personal information compromised but there is typically no proof that this information was ever fraudulently usedIncreased likelihood that one’s personal information may be used for illicit activity, standing alone, insufficient to warrant reliefSeveral courts have granted motions to dismiss not for failure to state a claim but that the plaintiffs lacked standing due to their failure to allege an “injury in fact”Other courts have granted Rule 12(b)(6) motions under the same theory i.e., failure to allege significant economic losses

29

ExamplesExamples

Pisciotta v. Old National Bancorp. (7th Cir.)Bell v. Acxiom Corp. (E.D. Ark. 2006)Ambury v. Express Scripts (8th Cir.)Ruiz v. Gap (9th Cir.)In re Hannaford Bros. Consumer Data Security Breach Litigation (D. Me 2009)

30

There Have Been Some ExceptionsThere Have Been Some Exceptions

Heartland Payment System Class Action

TJX Cases - Massachusetts

31

What About Suits By Banks?What About Suits By Banks?

In large data breach cases, costs to financial institutions to monitor accounts and reissue cards can be substantialThese cases usually based on a negligence theory but can also be based on contract (third party beneficiary)But these suits have also met resistance

32

ExamplesExamples

Bankforth v. BJ’s Wholesale Club

Sovereign Bank v. BJ’s Wholesale Club

CardSystems Proceedings

TJX Cases

33

Issues Under FCRAIssues Under FCRA

FCRA cases

● What is FCRA?● Creates a private cause of action for violators● Provides that any person that willfully violates its

provisions with respect to any consumer is liable to that consumer in an amount equal to sum of actual damages of consumer or damages not less than $100 and not more than $1000, punitive damage and attorneys’ fees

34

The The ROWE v. UNICAREROWE v. UNICARE CaseCase

FACTS: Putative class action based on state lawtheories and the FCRA. Rowe was a member of one ofthe defendant’s insurance plans who sought to bring aclass action suit on the basis that some of plaintiffs’personal information had been temporarily accessible tothe public on the Internet. He did not argue that any ofhis information had been stolen or that anyone hadactually accessed it.

35

The The ROWE v. ROWE v. UNICAREUNICARE CaseCase

ALLEGATIONS OF HARM: (1) anxiety and emotional distress; (2) increased risk of identity theft; (3) forced to spend time monitoring; (4) suffered injury to his possessory rights in his protected health information; and (5) his privacy was invaded.

RULING: Court denied motion to dismiss on the grounds that “anxiety and emotional distress” were sufficient to give rise to damages under the FCRA. However, plaintiff will still have to provide evidence of his emotional distress which may be difficult to prove. Also there was no discussion as to how this personal information qualified as a “credit report”; case probably has little precedential value.

36

FCRA Liability However Is Debatable: FCRA Liability However Is Debatable: Choicepoint CaseChoicepoint Case

FACTS: Over 145,000 customer records of Choicepoint (a data broker) were compromised by identity thieves who established sham accounts with Choicepoint in order to obtain online access to personal information. Numerous class action lawsuits filed.

DECISION: After consolidating the class actions, the federal court of the Central District of California dismissed the case (in 2006), finding that there was no showing that personal information had actually been transmitted to the identity thieves, and that a persons age, phone number and address were not sensitive information of the kind that could be considered a “consumer report” under the statute.

37

Failure To Follow Failure To Follow State Notification LawsState Notification Laws

Forty-Five States Have Notification Laws• Require a company to notify a consumer when a breach

occurs

Some States Allow A Private Cause Of Action For Failure To Follow Rules Of Proper Notification

38

SummarySummary

Individual consumers still have difficulty showing that a breach causes injuryDefendants in breach cases have been very successful in using the economic loss doctrineIt is extremely difficult for financial institutions to succeed on a claim for breach of contract if it is alleging that it is a third party beneficiary to the contract between the defendant company and the company’s merchant bankNew class actions show the emergence and importance of the PCI-DSS and how the standards can be used to establish a standard of care in negligence claims; earlier cases argued that companies had a fiduciary duty

39

Recent Observations In the Area of Recent Observations In the Area of Privacy from a Former RegulatorPrivacy from a Former Regulator

Pamela Jones HarbourPartner

Fulbright & Jaworskipharbour@fulbright.com

40

Fulbright’s Privacy, Competition and Fulbright’s Privacy, Competition and Data Protection PracticeData Protection Practice

www.fulbright.com/privacy

41

When You ThinkPRIVACY AND DATA PROTECTION,

Think Fulbright.TM

AUSTIN • BEIJING • DALLAS • DENVER • DUBAI • HONG KONG • HOUSTON • LONDON • LOS ANGELESMINNEAPOLIS • MUNICH • NEW YORK • RIYADH • SAN ANTONIO • ST. LOUIS • WASHINGTON, D.C.

www.fulbright.com • 866-FULBRIGHT [866-385-2744]