February 26, 2016. Chris Hydak, Associate, Privacy and Cybersecurity Practice, Hunton & Williams LLP, (212) 309-1012
New Developments in Data Privacy
NCHER Winter Legal Meeting, February 26, 2016
Chris Hydak, Associate, Privacy and Cybersecurity Practice, Hunton & Williams LLP, (212) 309-1012

Roadmap
Introduction
Overview of U.S. Privacy and Data Security Requirements
–Federal
–State
U.S. Enforcement Climate
–Federal
–State
Federal Policy Landscape
© Hunton & Williams LLP

What is Privacy?
Privacy is the appropriate use of information as defined by:
–Laws and regulations
–Consumer expectations
Security is the protection of information:
–Confidentiality of data
–Data integrity
–Availability of data

Four Privacy Risks
–Legal compliance
–Reputation
–Investment
–Reticence

Overview of U.S. Privacy and Data Security Requirements

Patchwork of U.S. Privacy Laws
The U.S. has no overarching privacy scheme
–Sectoral approach
More than ten federal privacy laws
Hundreds of state laws
Plus industry standards (such as PCI DSS)
No uniform definition of “personal information”

Major U.S. Federal Privacy Laws
Sectoral approach; laws include:
–GLB: Financial institutions
–HIPAA: Health care entities
–Fair Credit Reporting Act (“FCRA”)/Fair and Accurate Credit Transactions Act (“FACTA”): Consumer reporting agencies and others
  FTC Disposal Rule
  Red Flags Rule
–Children’s Online Privacy Protection Act (“COPPA”): Children’s data online
–Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”): Commercial
–Video Privacy Protection Act (“VPPA”): Video rental records
–Driver’s Privacy Protection Act (“DPPA”): DMV records
–Telephone Consumer Protection Act: Telemarketing
–Privacy Act of 1974: Federal government

Gramm-Leach-Bliley Act (“GLB”)
GLB includes an extremely broad definition of “financial institution”:
–The term “financial institution” means any institution the business of which is engaging in financial activities as described in section 1843(k) of title 12
Originally enforced by the FTC and various financial services regulators, including:
–Office of the Comptroller of the Currency (“OCC”)
–Federal Reserve Board (the “Board”)
–Securities and Exchange Commission (“SEC”)
Since 2011, Regulation P has transferred authority over many financial institutions to the Consumer Financial Protection Bureau (“CFPB”)

GLB Privacy Rule: Notice Obligations
Must provide “customers” with notice of privacy policies and practices at the outset of the relationship and annually thereafter
–Regulations call for “reasonably understandable” notice
Notice must include:
–Categories of nonpublic personal information the institution collects
–Categories of information it discloses
–Affiliates and nonaffiliated third parties to whom such information is disclosed
–Description of the customer’s right to prevent certain disclosures to nonaffiliated third parties
Final Model Privacy Notice Form, published in November 2009
–Safe harbor if the form is used, but use of the model form is not required
–“Opt out” and “no opt out” versions available

GLB Privacy Rule: Disclosures to Non-Affiliates and Affiliates
NPI may not be disclosed to non-affiliates unless:
–Customer has received an initial privacy notice
–Customer has the opportunity to opt out
  Opt out must be “clear and conspicuous”
–Customer does not opt out
But affiliate sharing is not restricted by GLB
–Note: California’s Financial Information Privacy Act
–Note: FACTA Affiliate Marketing Rule
Broad exceptions permit nearly any legitimate business use:
–“as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer”
–“with the consent or at the direction of the consumer”
–Disclosure to CRAs is permitted
–“as required by law”

Safeguards Rule
Must develop policies and procedures to:
–Ensure the security and confidentiality of customer records and information
–Protect against any anticipated threats or hazards to the security or integrity of customer records and information
–Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer
Must properly dispose of consumer report information

GLB Interagency Guidelines and Guidance
Interagency Guidelines Establishing Information Security Standards
–Require a written security program overseen by the Board of Directors (or its designee)
–Require that financial institutions take appropriate steps to protect information provided to a Service Provider (broadly defined)
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
–Applies to certain financial institutions
–Prescribes a risk-based response program to address incidents of unauthorized access to customer information, including procedures for notifying federal regulators, law enforcement authorities and customers
–May preempt certain state information security breach notification laws

Fair Credit Reporting Act
Enacted in 1970 to promote the accuracy, fairness and privacy of personal information assembled by Consumer Reporting Agencies
CRAs must follow “reasonable procedures” to protect the confidentiality, accuracy and relevance of credit information
FCRA requires that:
–Consumers be told by creditors why they have been turned down for credit and that the decision was based on a consumer report
–The CRA provide a free copy of the report to the consumer after an adverse action
–Consumers be allowed to dispute information in the report
–The credit bureau reinvestigate the dispute
–Data suppliers cooperate with the reinvestigation and report accurately thereafter, and the CRA correct the report after such reinvestigation
The “user” of a consumer report must have a permissible purpose for obtaining the report

FACTA, Red Flags Rule and Affiliate Marketing
The Fair and Accurate Credit Transactions Act (“FACTA”) was enacted in 2003 to amend the FCRA; two key rules resulted:
Red Flags Rule:
–Requires financial institutions and creditors to develop and implement an Identity Theft Prevention Program that identifies, detects and responds to “Red Flags” signaling fraud by identity theft
–Requires users of consumer reports to develop procedures for responding to notices of address discrepancy; imposes duties on credit card issuers regarding change of address notifications
Affiliate Marketing Rule:
–Requires providing notice to individuals that their information will be shared with affiliates for marketing purposes, and that they may elect to limit the use of their eligibility information to make solicitations
–Opt out must be effective for five years, unless revoked by the customer, with renewal requirements at the end of five years

State Privacy Laws
Examples:
–Website privacy notices (CA, DE)
–Marketing restrictions (e.g., telemarketing)
–Restrictions on sharing information with third parties for marketing purposes (CA)
–SSN use restrictions
–Child protection registry laws (MI, UT)
–Radio frequency identification (RFID)
–Anti-spyware
–Credit reports

State Information Security Laws
Several states have laws mandating security measures to protect PI
–Example: California’s AB 1950 requires reasonable security procedures and contracts with service providers
–Massachusetts requires businesses to develop, implement and maintain a comprehensive written information security program (WISP) to protect personal information, including:
  Developing information security policies
  Requiring service providers by contract to implement security measures for personal information
  Implementing numerous computer system security requirements
–Nevada requires encryption of data in transit

Information Security Breach Notification Laws
90% of U.S. companies have experienced a hacking event in the last year
The term “security breach” defines a broad range of activities
51 U.S. jurisdictions have security breach notification laws
–California’s SB 1386 started the trend
–There are also federal breach notification requirements pursuant to HIPAA and GLB
Recent breaches have been game changers
–Companies notifying when not legally required to do so (Epsilon and JPMorgan)
–Huge volumes of affected individuals (Anthem, Sony and Target)
–Security companies targeted (RSA)

Breach Laws: Requirements
Generally, the duty to notify arises as a result of unauthorized access to or acquisition of unencrypted computerized “personal information”
“Personal information” typically is a name combined with:
–SSN
–Driver’s license or state ID card number
–Account, credit or debit card number, along with a password or access code
But state laws differ on:
–Definition of PI
–Computerized vs. paper data
–Notification to state agencies
–Notification to CRAs
–Timing of individual notification
–Harm threshold
–Contents of the notification letter
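The general trigger on this slide (a name, combined with one of the listed data elements, accessed in unencrypted, computerized form) is simple enough to encode as a first-pass triage check that an incident responder can run over a data inventory before counsel does the state-by-state analysis. The following Python is an added illustration, not code from the presentation or from Hunton & Williams; the element labels, the Incident structure and the sample incidents are constructed for the example, and the state-variation checklist is taken from the slide.

```python
from dataclasses import dataclass

# Data elements that, combined with a name, typically constitute "personal
# information" under state breach notification laws (general rule on the slide).
# The labels are constructed for this example.
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "state_id"}
# Account and card numbers count only together with a password or access code.
ACCOUNT_ELEMENTS = {"account_number", "credit_card", "debit_card"}
ACCESS_CODES = {"password", "access_code"}

# Points on which the slide says state laws differ; a positive result still
# needs a per-state review of each of these before any notice goes out.
STATE_VARIATIONS = (
    "definition of personal information",
    "computerized vs. paper data",
    "notification to state agencies",
    "notification to consumer reporting agencies",
    "timing of individual notification",
    "harm threshold",
    "contents of the notification letter",
)


@dataclass
class Incident:
    """Constructed record of what an incident exposed."""
    elements: frozenset                  # element types accessed or acquired
    encrypted: frozenset = frozenset()   # subset that was encrypted
    computerized: bool = True            # False for paper-only records


def pi_combinations(exposed):
    """Return the name + element combinations in `exposed` that meet the
    general definition of personal information. `exposed` holds only the
    element types that were accessed in unencrypted form."""
    if "name" not in exposed:
        return []
    combos = [f"name + {e}" for e in sorted(STANDALONE_ELEMENTS & exposed)]
    codes = sorted(ACCESS_CODES & exposed)
    if codes:  # account/card numbers qualify only with a password or access code
        for acct in sorted(ACCOUNT_ELEMENTS & exposed):
            combos.append(f"name + {acct} + {'/'.join(codes)}")
    return combos


def assess(incident):
    """Apply the general trigger and report what still has to be checked."""
    exposed = set(incident.elements) - set(incident.encrypted)
    combos = pi_combinations(exposed)
    triggered = bool(combos) and incident.computerized
    notes = []
    if combos and not incident.computerized:
        notes.append("PI exposed only in paper form: outside the general rule, "
                     "but some states also cover paper data")
    if "name" in incident.elements and not combos and incident.encrypted:
        notes.append("qualifying elements were encrypted: general rule not met; "
                     "confirm the state's treatment of encrypted data")
    return {
        "general_trigger": triggered,
        "reasons": combos,
        "notes": notes,
        "state_checks": list(STATE_VARIATIONS) if (triggered or notes) else [],
    }


if __name__ == "__main__":
    # Constructed sample incidents.
    samples = {
        "plaintext name + SSN": Incident(frozenset({"name", "ssn"})),
        "SSN encrypted": Incident(frozenset({"name", "ssn"}), frozenset({"ssn"})),
        "card number, no access code": Incident(frozenset({"name", "credit_card"})),
        "card number + password": Incident(frozenset({"name", "debit_card", "password"})),
        "paper file": Incident(frozenset({"name", "drivers_license"}), computerized=False),
    }
    for label, inc in samples.items():
        result = assess(inc)
        print(f"{label}: trigger={result['general_trigger']} reasons={result['reasons']}")
        for note in result["notes"]:
            print(f"  note: {note}")
```

The check is deliberately conservative in one direction only: a negative result means the general rule is not met, never that no notice is due, which is why any encrypted-element or paper-record case comes back with a note and the full checklist of state-specific points rather than a silent "no".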

U.S. Enforcement Climate

Federal Privacy Enforcement
The FTC Act provides the principal enforcement tool for privacy issues
Section 5 of the FTC Act:
–Prohibits “unfair or deceptive acts or practices in or affecting commerce”
–FTC privacy enforcement actions typically result from (1) security breaches, (2) deceptive statements in privacy policies, and (3) lack of conspicuous notice
–Google Buzz settlement
–Wyndham’s challenge to the FTC’s authority
HHS is now also proactive

State Privacy Enforcement and Class Actions
State AGs are now proactive
–Regularly make inquiries and bring enforcement actions
Class actions are filed with increasing regularity
–Common after data breaches, particularly (but not necessarily) when there is harm
–Standing after Clapper v. Amnesty International
–Recent privacy and information security class actions:
  In re Sony Gaming Networks, Neiman Marcus and Target: allegations sufficient to establish standing
  In re Science Applications: risk of many harms alleged insufficient to establish injury for standing purposes

Federal Policy Landscape

Federal Policy Landscape
The existing privacy law framework in the U.S. is under pressure
White House (and Congress) focused on cybersecurity
–Cybersecurity Act of 2015
–Numerous Executive Orders
–Single data breach standard proposed
FTC Reports and Areas of Focus
–Internet of Things, Mobile, Do-Not-Track

Questions?
Chris Hydak, Associate, Privacy and Cybersecurity Practice, Hunton & Williams LLP, (212) 309-1012