Recent Developments in Privacy and Data Security
Secureworld Expo, Dearborn, Michigan, October 4, 2012
Keith A. Cheresko, Principal, Privacy Associates International LLC
Purpose
Data protection is a multifaceted and often complex topic, and working toward compliance with its assorted obligations can leave one feeling a bit lost. The purpose today is to provide a brief, high-level overview of the changing privacy and security environment.
Agenda
- Level Set
- Social Media
- Breach
- European Data Protection Regulation
- Practical Suggestions
- Questions & (hopefully) Answers
Areas or Topics of Data Privacy and Data Security Activity
- Breach
- Cloud
- Geo-Location
- Facial Recognition
- BYOD
- Medical Devices
- Marketing
- Social Media
- OBA
- Consumer Financial Protection Bureau
- Federal Trade Commission
- COPPA
- Health Care
- International: EU Cookie Rules, EU Data Protection Directive, APEC
- USA PATRIOT Act
- Supplier Relationships
- NIST
Focus on Several Items
- Social Media
- Breach
- Privacy Developments from the EU
Terminology
- Personal: "of, relating to, or affecting a particular person: private, individual" (Webster)
- Personal Information (PI): data of, relating to, or affecting a particular person
- Personally Identifiable Information (PII): data that can be tied to a unique person, some of which has obtained defined legal protection (information relating to an identified or identifiable individual)
Privacy
- Privacy laws focus on the collection, use, and disclosure of personal information
- Security is the means by which we safeguard information against unauthorized acquisition, use, disclosure, alteration, or destruction
- Security is necessary to maintain privacy, but...
- Security alone will not maintain privacy (e.g., notice, consent, retention)
- Security may conflict with privacy (e.g., national security, employee monitoring)
Security
- Data security is concerned with safeguarding all data, not just PII
- The security obligations global businesses must address are complex and often inconsistent
- Addressing them can be challenging for the individuals responsible for technical, physical and administrative security
Social Media
NLRB Actions
- 9/7/12: An NLRB decision invalidated Costco Wholesale Corporation's electronic posting rule, finding that the rule prohibited employees from making statements that "damage the Company, defame any individual or damage any person's reputation." Costco's policy was overly broad: "the rule would reasonably tend to chill employees in the exercise of their [NLRA] Section 7 rights."
- 9/20/12: An ALJ struck down EchoStar Corporation's policy prohibiting employees from making disparaging comments about it on social media sites. The NLRB judge found that the prohibition, as well as a ban on employees using social media sites with company resources or on company time, chilled employees' exercise of their rights under Section 7 of the National Labor Relations Act ("NLRA").
Geo-Location
Location, location, location: location information is used to make offers, and is collected by some apps even when it is not needed. In some circles it is considered sensitive data, especially as it relates to children, which leads us to the next topic.
COPPA
A proposed update to COPPA is pending. Under COPPA, website operators must give parents notice of their information practices. The proposed revisions are intended to ensure parents get key information in a succinct "just in time" fashion rather than in a lengthy "who has time?" privacy policy, and to update the ways businesses can obtain the verifiable parental consent they need before collecting kids' information, among other measures.
Digital Afterlives
Call for a federal law to safeguard "digital afterlives" on social media: "Virtually no law regulates what happens to a person's online existence after his or her death," he said. "This is true even though individuals have privacy and copyright interests in materials they post to social networking sites." [1]
Social Media Passwords
On September 27, 2012, California Governor Jerry Brown signed twin social media privacy bills prohibiting universities and employers from requiring that applicants give up their … or social media account passwords. [2] See also Maryland and Illinois.
[2] http://latimesblogs.latimes.com/california-politics/2012/09/gov-jerry-brown-tweets-social-media-privacy-bills.html
OBA – Online Behavioral Advertising
Congress has held hearings and the FTC has held workshops. Several organizations, including the IAB (Interactive Advertising Bureau), DMA (Direct Marketing Association), BBB (Better Business Bureau), AAAA (American Association of Advertising Agencies) and ANA (Association of National Advertisers), are attempting to fend off legislation through self-regulation.
Government Contracts
Government contractors may soon be compelled to protect against the compromise of information resident on their network and computer systems. On August 24 the Federal Acquisition Regulatory Council (FAR Council) issued a proposed rule on "Basic Safeguarding of Contractor Information Systems," 77 Fed. Reg. 51,495 (Aug. 24, 2012). The proposal would add a new FAR subpart and contract clause requiring small and large contractors, including commercial items contractors, to employ basic security measures to protect information from unauthorized disclosure, loss, or compromise. [3]
Cybersecurity Executive Order
An interagency review of an executive order implementing new cybersecurity policies affecting both federal agencies and critical infrastructure in the private sector is under way. There is no timetable for when the order would be issued.
Hackers Try to Infiltrate White House Computers
Hackers tried to infiltrate the White House's computer system, including systems with access to nuclear information. The attempt was classified as a "spear phishing" attack.
Facial Recognition
- Facial recognition technology has been adopted in a variety of contexts, ranging from online social networks to digital signs and mobile apps.
- Focus on the current and future commercial applications of facial detection and recognition technologies.
- Is facial recognition software good only for identification (as opposed to verification)? Verification (or authentication: a 1:1 match against a claimed identity) tolerates essentially no error, whereas identification (a 1:N search), for many applications, need not be correct every time.
- Increasingly used by law enforcement.
BYOD Issues
- Who owns the information?
- What are the rights of the individual?
- What about commingled information on privately owned devices?
- Have employees agreed to the rules?
- What is the impact on security, the ability to conduct internal investigations, the confidentiality of information, e-discovery and litigation?
License Plate Scanners
- Scanners can read 60 license plates per second
- Match observed plates against a "hot list" of wanted vehicles, stolen cars, or criminal suspects
- Retain license plates, dates, times, and locations of all cars seen in law enforcement databases for months or even years at a time
- Cameras run constantly, looking for hot-listed plates. The system sends automated alerts directly to officers' in-car and in-office computers and to the Sheriff's communications desk. [4]
Health Information: Updated NIST Publications
HHS/OCR risk analysis guidance references certain NIST publications. NIST has recently updated several of them:
- A Special Publication (Revision 1) focused on risk assessments, step one in the risk management process [5]
- A Special Publication that takes the "big picture" view of the overall four-step risk management process [6]
- A Special Publication (Revision 3, final), Recommended Controls for Federal Information Systems and Organizations, which is also invoked [7]
Medical Devices
Certain medical devices have become increasingly complex, and the growing use of wireless technology in these devices has raised concerns about how well they are protected against information security risks that could affect their safety and effectiveness. In a recent report [8], GAO:
- identified the threats, vulnerabilities, and resulting information security risks associated with active implantable medical devices,
- determined the extent to which FDA considered information security during its premarket review of certain devices with known vulnerabilities, and
- determined what postmarket efforts FDA has in place to identify information security problems.
SEC Disclosures
The Division of Corporation Finance has issued guidance [9] on its views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.
Real "Spy"ware
Charges outlined in the FTC's lawsuits [10] against a software business and seven rent-to-own companies assert that the software on rented computers gave the companies the ability to hit the kill switch if people were behind on their payments. But according to the complaints filed by the FTC, it also let them collect sensitive personal information, grab screen shots, and take webcam photos of people in their homes.
Breach
PII: As of October 3, the Privacy Rights Clearinghouse database lists 563,653,911 records from 3,408 data breaches made public from 2005 to October 3, and ,344,474 records from 534 breaches made public so far in 2012. [11]
Breaches Affecting 500 or More Individuals: Section 13402(e)(4) of the HITECH Act requires HHS to post a list of breaches of unsecured protected health information affecting 500 or more individuals. [12]
Statistics
- The Verizon 2012 Data Breach Investigations Report indicates 855 incidents resulting in 174,000,000 compromised records. [13]
- According to a study conducted by the National Cyber Security Alliance and security firm McAfee for National Cyber Security Awareness Month, 25% of Americans have received a notification from a business, online service provider, or organization that personal information such as passwords or credit card numbers was subject to a data breach. [14]
What is a Privacy Breach?
It can relate to two situations:
- The unauthorized access to or acquisition of the kind of PII specified by an applicable law (security of PII)
- The failure to live up to obligations made with respect to non-security-related aspects of privacy (notice, choice, access, etc.)
What is a Security Breach?
The unauthorized access to or acquisition of anything proprietary:
- Buildings, facilities and other physical plant
- Computer equipment
- Product inventory
- Confidential or secret information
- Trade secrets
- Intellectual property
- Proprietary items
- Financial information
- Data in paper or electronic form
- Personal information of consumers, employees, etc.
- Customer lists
FTC and Consumer Data
The FTC is empowered through Section 5 of the Federal Trade Commission Act to address:
- unfair methods of competition in or affecting commerce, and
- unfair or deceptive acts or practices in or affecting commerce
As noted earlier, the failure to live up to one's own privacy policy may be deemed a deceptive practice leading to a privacy breach. Failing to provide adequate data security may also be considered an unfair practice leading to a privacy breach.
Consequences of a Breach?
Depending on the nature, sensitivity, type and volume of data or other assets compromised, it may mean:
- Loss of intellectual property
- Increased operating costs
- Possible ID theft
- Organization freeze-up/paralysis
- Legal actions, regulatory and consumer
- Lost business from consumer churn
- Business termination
- Operating and operational inefficiencies
- Adverse impact on market valuation
Breach Notification Laws
Designed to help enforce security obligations:
- In theory, helps consumers protect themselves
- Provides government authorities enforcement opportunities
- Bad PR and breach-associated costs encourage compliance
Notification is generally triggered by the unauthorized access to, or acquisition of, PI covered by the law. Other variables affect whether a breach notification law applies, such as:
- Storage medium involved
- Use of data encryption
Practical Considerations
- Basic requirements for data protection are surprisingly similar across segments, although details do vary
- The concept of technical, physical and administrative security requirements is almost universal
- The requirement to conduct practical risk assessments of the requirements and vulnerabilities of the organization is also present in many segments and jurisdictions
- Most laws do not specify technical or physical requirements beyond requiring that they be reasonable, appropriate or adequate
Inventory Your Data/Assets
- What is it?
- Where is it?
- Where is it going? Will it visit third parties?
- Who needs it to do their work?
- How is it used?
- How is it gathered and shared?
- How is it stored?
- What is its final resting place? Will it be gone for good?
Assess Risks/Threats
- Identify all threats within the realm of possibility to the security of the data or asset. Consider all sources, whether internal or external, natural or man-made, innocent or malicious.
- Assess the consequences to the organization should the identified threat materialize.
- What is the likelihood of the threat/risk materializing?
- What mitigations are there to counter the risk or recover if it occurs?
Physical Matters
Physical security includes:
- Facility access controls: locks, alarms, guards
- Safeguarding hard-copy documents with PI: locking filing cabinets, clean desk policies
- Securing hardware on which PI is stored: computers, mobile devices, flash drives, modems
Administrative Measures
- Technology use policy: blogging and social networking, peer-to-peer file sharing programs, remote access, use of laptops
- Security breach notification procedure: How is unauthorized access or acquisition reported? Who is on the immediate response team?
- Confidentiality policy: Does it cover confidential information and personal information?
- Training
- Audit
- Office rules: badging, clear desk and screen locks
- Processes and teams for security incident management
- Downstream controls: contractual and audit controls on data recipients
- Officer, director, and employee training
Typical Requirements
- Assign responsibility, with accountability, to a lead person
- Conduct risk assessments
- Establish comprehensive written policies and procedures
- Train employees
- Evaluate and then supervise service providers
- Execute contracts with service providers
- Provide secure disposal
- Audit
- Create and implement incident response, record retention, and disaster recovery plans
Organization
- Dealing with high-level requirements ("reasonable security")
- Determining what "reasonable security" is is a team effort
- The determination should involve representatives from privacy, IT, legal, physical security, HR/training, and potentially other functions and advisors
- Work to determine what safeguards are necessary based on the specific vulnerabilities of the particular organization (risk analysis), the consequences of a breach, and general good security practices
- Documentation is critical
Be Prepared
The need for breach preparation:
- Create an incident response team
- Create and document response procedures
- Communicate regularly
- Seek and obtain senior management support and resource commitment
- Arrange for service providers that will be needed to respond
- Document, document, document
Evaluate Risky Areas
- Collection of information over the Internet
- Access to sensitive files by employees and independent contractors
- Dispersed systems and data; duplication (and more) of data
- Access to credit card, health, and financial information
- Transmission, storage, and disposal of computerized data, including data contained on disks and hard drives, and equipment disposal
- Data to be transmitted to any third party
- Storage and disposal of paper records
- Data center moves/consolidations
- Transfer and use by service providers/outsourcing
- Mobile computing and employee-owned devices
- Logging and monitoring (employees, system access, phones/internet/…)
Technical Measures
Technical security relates to the protection of electronic information through methods including:
- Access control: unique user IDs, automatic logoff, need to know
- Monitoring: log-ins, movement of ePHI
- Audit: who accessed, and how and when it was modified
- Encryption: at rest (server, laptop, mobile) and in transmission
- Authentication: confirming identity, managing accounts
- Firewalls, anti-virus, and anti-spyware protections
- Changing default settings, and thereafter periodically changing the (non-default) IDs and passwords for internet-facing devices
Technical Measures (continued)
Basic rules for employees:
- Do not … sensitive or special PI
- Do not access more than what is needed
- Create and use secure documents
- Use passwords
System deployment and approval processes: what needs to happen before you flip the switch
Eliminate unnecessary data and keep tabs on what is left
Monitor and mine event logs
Ensure essential controls are met, and regularly check that they remain so
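As an added example, not from the original slides: a short Python script showing what "monitor and mine event logs" and "audit: who accessed, and how and when it was modified" look like when actually done against an ePHI access log. The log lines, their format, the account names, patient IDs, the need-to-know map and the alert thresholds are all assumptions constructed for illustration. The script reports record access outside an account's assignments (the "need to know" control), bulk reads by a single account, and repeated failed logins, and it produces the modification trail per record.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample application access log for an ePHI system (not real data).
# The line format is an assumption made for this example:
#   <ISO timestamp> user=<id> action=<LOGIN_OK|LOGIN_FAIL|READ|UPDATE> patient=<id or ->
SAMPLE_LOG = """\
2012-10-03T08:01:12 user=nurse01 action=LOGIN_OK patient=-
2012-10-03T08:02:40 user=nurse01 action=READ patient=P1001
2012-10-03T08:03:05 user=nurse01 action=UPDATE patient=P1001
2012-10-03T08:10:00 user=billing02 action=LOGIN_OK patient=-
2012-10-03T08:10:15 user=billing02 action=READ patient=P1002
2012-10-03T08:10:16 user=billing02 action=READ patient=P1003
2012-10-03T08:10:17 user=billing02 action=READ patient=P1005
2012-10-03T08:10:18 user=billing02 action=READ patient=P1006
2012-10-03T08:10:19 user=billing02 action=READ patient=P1007
2012-10-03T09:00:00 user=admin03 action=LOGIN_FAIL patient=-
2012-10-03T09:00:05 user=admin03 action=LOGIN_FAIL patient=-
2012-10-03T09:00:11 user=admin03 action=LOGIN_FAIL patient=-
2012-10-03T09:00:30 user=admin03 action=LOGIN_OK patient=-
2012-10-03T09:01:00 user=admin03 action=READ patient=P1001
this line is deliberately malformed and must not abort the audit
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Need-to-know map: which patient records each account may touch.
# In a real deployment this comes from the EHR's role/assignment data;
# these values are assumptions for the example.
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1004"},
    "billing02": {"P1002", "P1003"},
    "admin03": set(),  # system administrator: no clinical need to read records
}


def parse(log_text):
    """Turn raw log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def audit(events, bulk_threshold=5, fail_threshold=3):
    """Mine the events for the conditions the slide calls out.

    Returns a list of finding tuples:
      ("need_to_know", user, patient, timestamp)  record access outside assignment
      ("bulk_access", user, read_count)           many reads by one account
      ("login_failures", user, fail_count)        repeated failed logins
    """
    findings = []
    reads_per_user = Counter()
    fails_per_user = Counter()
    for e in events:
        if e["action"] in ("READ", "UPDATE"):
            allowed = ASSIGNMENTS.get(e["user"], set())
            if e["patient"] not in allowed:
                findings.append(("need_to_know", e["user"], e["patient"], e["ts"].isoformat()))
            if e["action"] == "READ":
                reads_per_user[e["user"]] += 1
        elif e["action"] == "LOGIN_FAIL":
            fails_per_user[e["user"]] += 1
    for user, n in sorted(reads_per_user.items()):
        if n >= bulk_threshold:
            findings.append(("bulk_access", user, n))
    for user, n in sorted(fails_per_user.items()):
        if n >= fail_threshold:
            findings.append(("login_failures", user, n))
    return findings


def modification_trail(events):
    """Audit trail of who modified which record and when."""
    trail = defaultdict(list)
    for e in events:
        if e["action"] == "UPDATE":
            trail[e["patient"]].append((e["user"], e["ts"].isoformat()))
    return dict(trail)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for finding in audit(evs):
        print(finding)
    print(modification_trail(evs))
```

The thresholds and the assignment map are organizational inputs, not fixed values; the point of the example is that none of these questions can be answered unless the log records user, action, record and time for every event, which is what the "audit" bullet above actually requires of a system. The deliberately malformed line shows the other practical choice: an audit job should skip and count what it cannot parse rather than abort and leave the rest of the day unexamined.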
European Data Protection Directive
The European Data Protection Laws Have Been a Compliance Headache for Companies Around the World
Proposed New Data Protection Regulation
The Good News: Directive to Regulation
Significantly Increased Fines and Penalties
Consent Narrowed
Data Breach Notification
Right to Be Forgotten
Data Minimization
Accountability
Mandatory Data Privacy Officer
Companies Outside Europe Potentially Subject to the Regulation
Status of Regulation
European Union: Cloud Computing
European Commission Supports Cloud Computing. The European Commission has announced that it will draft model contract terms that organizations could use in cloud computing contracts and service level agreements. In a document entitled "Unleashing the Potential of Cloud Computing in Europe," the European Commission stated that it "aims at enabling and facilitating faster adoption of cloud computing throughout all sectors of the economy." [16]
Questions?
Contact Information
Keith A. Cheresko, Privacy Associates International LLC, (248)
Robert L. Rothman, Privacy Associates International LLC, (248)