What Business Owners Need to Know About Data Privacy

Slides:

Advertisements

Similar presentations

Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.

Advertisements

NACARA Annual Conference Industry Perspectives Panel September 29,2014 Boise, Idaho Andy Madden Director State Government Affairs ACA International.

Springfield Technical Community College Security Awareness Training.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

Data Security Laws and the Rising Cybersecurity Debate

Silicon Valley Apps for Kids Meetup Laura D. Berger October 22, 2012 The views expressed herein are those of the speaker, and do not represent the views.

Protecting Personal Information Guidance for Business.

I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.

© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.

PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Computers, Freedom and Privacy April 23, 2004 Identity Theft: Addressing the Problem in California Joanne McNabb, Chief CA Office of Privacy Protection.

Responding to a Data Security Breach

Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.

Recent Trends and Insurance Considerations March 2015

Presented by: Paul J. Miola, CPCU, ARM Executive Director October, 2013.

IT Security Challenges In Higher Education Steve Schuster Cornell University.

In the Belly of the Breach: What Every In-House Counsel Needs to Know about Data Breach Response ACC International Legal Affairs Committee Legal Quick.

Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.

Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.

Privacy and Security Laws for Health Care Organizations Presented by Robert J. Scott Scott & Scott, LLP

Part 6 – Special Legal Rights and Relationships Chapter 35 – Privacy Law Prepared by Michael Bozzo, Mohawk College © 2015 McGraw-Hill Ryerson Limited 34-1.

© 2011 Foley Hoag LLP. All Rights Reserved. 1 What Law Applies In “the Cloud”? And how far into the Cloud does Massachusetts law extend? A CloudCamp Boston.

A PRACTICAL GUIDE TO RESPONDING TO A HEALTHCARE DATA SECURITY BREACH May 19, 2011 | State College, PA Matthew H. Meade Stephanie Winer-Schreiber.

© Copyright 2010 Hemenway & Barnes LLP H&B

The Internet of Things and Consumer Protection

Tamra Pawloski Jeff Miller. The views, information, and content expressed herein are those of the authors and do not necessarily represent the views of.

HOW TO RESPOND TO A DATA BREACH: IT’S NOT JUST ABOUT HIPAA ANYMORE The Thirteenth National HIPAA Summit  September 26, 2006 Renee H. Martin, JD, RN, MSN.

Privacy Advisory Services … … A Best Practices, Integrated Approach Insert Firm Name Here.

Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security.

Privacy and Data Breach Issues Kirk Herath, VP, Chief Privacy Officer, Nationwide & Dino Tsibouris, Founding Principal, Tsibouris & Associates.

Dino Tsibouris (614) Updates on Cloud, Contracting, Privacy, Security, and International Privacy Issues Mehmet Munur (614)

Dino Tsibouris & Mehmet Munur Privacy and Information Security Laws and Updates.

Chapter 4: Laws, Regulations, and Compliance

Data Security in the Cloud and Data Breaches: Lawyer’s Perspective Dino Tsibouris Mehmet Munur

Legal, Regulations, Investigations, and Compliance Chapter 9 Part 2 Pages 1006 to 1022.

CYBERSECURITY: RISK AND LIABILITY March 2, 2016 Joshua A. Mooney Co-chair-Cyber Law and Data Protection White and Williams LLP (215)

Data Breach ALICAP, the District Insurance Provider, is Now Offering Data Breach Coverage as Part of Our Blanket Coverage Package 1.

Cyber Insurance - Risk Exposures and Strategic Solutions

Law Firm Data Security: What In-house Counsel Need to Know

E&O Risk Management: Meeting the Challenge of Change

Protection of CONSUMER information

Responding to a Data Breach 360° of IT Compliance

PENNSYLVANIA BAR ASSOCIATION PROFESSIONAL LIABILITY COMMITTEE

Preparing for a Security Incident Response: Are You Compromise Ready?

Chapter 3: IRS and FTC Data Security Rules

Presented by Harry A. Strausser III Collections Industry Consultant

Protecting Personal Information Guidance for Business.

Cyber Issues Facing Medical Practice Managers

Red Flags Rule An Introduction County College of Morris

Cyber Trends and Market Update

DATA BREACHES & PRIVACY Christine M

Current Privacy Issues That May Affect Your Credit Union

Employee Privacy and Privacy of Employee Information

Cybersecurity compliance for attorneys

Information Security Law Update

Identity Theft Prevention Program Training

NCHER 2018 Fall Legal Meeting October 5, 2018

Protecting Yourself from Fraud including Identity Theft

The E-Commerce Act and the Right to Privacy

National HIPAA Audioconferences

Cyber Security: What the Head & Board Need to Know

SOCIAL NETWORKING Christine M. Farquhar Managing Director, Compliance J.P. Morgan U.S. Private Banking.

Recent Developments in Consumer Privacy

Texas Assisted Living Association 2019 Conference

Colorado “Protections For Consumer Data Privacy” Law

Anatomy of a Common Cyber Attack

Presentation transcript:

What Business Owners Need to Know About Data Privacy August 9, 2013 What Business Owners Need to Know About Data Privacy Craig A. Hoffman| cahoffman@bakerlaw.com | @Craig_Hoffman Blog: www.dataprivacymonitor.com

Agenda Compliance Obligations FTC Enforcement Data Breach Notification Laws Incident Response Best Practices Legislative Updates

Compliance Obligations

Compliance Complexity PCI-DSS HIPAA HITECH STATE PRIVACY LAWS (e.g. TX, CA) INTERNATIONAL DATA PROTECTION (e.g. EU, CANADA) FTC GLBA STATE BREACH NOTIFICATION LAWS SEC DISCLOSURE GUIDANCE INDUSTRY SELF REGULATION

Interacting with Customers Federal Law •Computer Fraud and Abuse Act (18 U.S.C. §1030) •Electronic Communications Privacy Act (18 U.S.C.§2510-2522) Stored Communications Act (18 U.S.C. §§2701-12) •Telephone Consumer Protection Act (47 U.S.C. §227) •Video Privacy Protection Act (18 U.S.C. §2710) •The CAN-SPAM Act (15 U.S.C. §7701 et seq.) Fair Credit Reporting Act (15 U.S.C. § 1681 et seq). •Children’s Online Privacy Protection Act (16 C.F.R. §312) State Law •Unfair competition Spyware, Spam, & Do Not Call statutes •“Shine the Light” Law (Cal. Civ. Code §1798.3) •Song-Beverly Act of 1971 (Cal. Civ. Code §§1747-1748.7) •Invasion of Privacy Act (Cal. Penal Code §630 et. seq.) •Standards for the Protection of Personal Information (MA 201 CMR 17.01 et seq)

FTC Compliance Complexity Section 5 FTC Act CAN-SPAM Do Not Track & Do Not Call Dot Com Disclosures / Testimonials & Endorsements Fair Credit Reporting Act Children’s Online Privacy Protection Act Gramm-Leach-Bliley Act Representations to Customers

Enforcement Agency Trends - FTC Website Privacy Policies Big Data Do Not Track & Dotcom Disclosures Mobile Apps COPPA Location Based Services Facial Recognition

FTC Enforcement - Wyndham Wyndham disclosed three incidents of card data theft between April 2008 and January 2010. The FTC requested information from Wyndham, and after production proposed a consent order. Wyndham did not agree and the FTC brought an enforcement action alleging that Wyndham committed unfair and deceptive trade practices in violation of Section 5 of the FTC Act. The representations supporting the FTC’s claims come from Wyndham’s privacy policy: . . . We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program (collectively, “Customers”). . . . We safeguard our Customers’ personally identifiable information by using standard industry practices. Although “guaranteed security” does not exist on or off the Internet, we take commercially reasonable efforts to create and maintain “fire walls” and other appropriate safeguards to ensure that to the extent we control the Information, the Information is used only as authorized by us and consistent with this Policy, and that the Information is not improperly altered or destroyed.

Breach Notification Laws

Breaches by Industry Trustwave 2013 Global Security Report

Causes of Breach PrivacyRights.org

Mandiant M-Trends 2013 Security Threat Report

Basics of State Laws All but four states have a breach notification law. The laws apply to a breach affecting “personal information.” A breach is generally unauthorized access to or acquisition of personal information. Most states have a “risk of harm” exception and a “safe harbor” if the data was encrypted. Most require notification as soon as reasonably possible.

Ohio Law “Personal information” is a name in combination with: (1) SSN, (2) driver’s license or state ID, or (3) account or payment card number along with a security code, access code, or password allowing access to individual’s financial account. "Breach of the security of the system" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state. Breach notification required “in the most expedient time possible” but not later than 45 days after discovery. State AG may bring enforcement action to seek a civil fine.

Costs of Response Forensics Notification costs Credit monitoring Call center Crisis response Legal fees Defense costs/settlement expenses PCI fines/assessments & regulatory fines

Incident Response Best Practices

Decisions, Decisions, Decisions Is it a breach? Do you involve law enforcement? Do you hire a forensics company? Do you retain counsel? Do you involve regulatory agencies? Is crisis management necessary? Do you offer credit monitoring? Do you get relief from a “law enforcement” delay?

Prepare Cyber Liability Insurance Written Information Security Policy Incident Response Plan Training & Education Identify & Mitigate Risk Manage Vendors

Commonalities of Breaches Will be an external attack involving hacking and malware Vulnerability created by third party vendor Will not be detected for months Breached entity will learn from third party Initial exploit relatively simple and avoidable

Respond Respond quickly Bring in the right team Preserve evidence Document analysis Involve the C-suite Be guarded, consistent, and honest in communications Plan for likely reaction of customers, employees, & key stakeholders Mitigate harm Respond quickly Bring in the right team Preserve evidence Contain & remediate Let the forensics drive the decision-making Law enforcement

SEC Guidance on Cyber-Security Disclosure Obligations SEC Guidelines Issued October 13, 2011 Suggests that publicly traded companies: Disclose incidents of cyber intrusions in SEC filings Disclose “risk factors” of cyber intrusions SEC has issued letters requesting certain high-profile cyber intrusions be disclosed Amazon’s Zappos.com breach Google Although not mandatory, SEC’s activity here seen as foreshadowing to future mandatory obligations

After the Breach Regulatory inquiries and enforcement actions Customer questions and demands Lawsuits Internal policy review

Legislative Update Cybersecurity Consumer Privacy Bill of Rights Mandatory standards, info exchange, scope, liability protection Executive Order & Presidential Directive Consumer Privacy Bill of Rights Codes of Conduct Breach Notification Electronic Communications Privacy Act HIPAA Final Rule