Data Security and Privacy Overview and Update Peter Moldave October 28, 2015

Topics to cover today:
Data Security
Data Privacy
Data Integrity
Specific Issues with Regulated Data

Examples of situations that companies face
Storage of employee and customer personal data
Use of credit reports for employment decisions
Use of health data for marketing
Technological features required to comply with regulations

Data security and data privacy are not the same thing
Data security is about protecting data from unauthorized access
Data privacy is about restrictions on collection or use of (personal) information
Data protection may be a combination of privacy and security

Data integrity is separate from data security and data privacy
Ensuring data is accurate, available and useful
Data integrity issues are in some ways the opposite of those of privacy and security: integrity wants data kept and usable, privacy and security want it restricted or destroyed

Data Protection Regulation
US has no general (federal) data protection requirement
Specific US regimes may need more specific consideration, e.g. Gramm-Leach-Bliley, HIPAA, COPPA, Fair Credit Reporting Act, state data protection laws
European rules on data protection are more general
Safe Harbor update (the EU-US Safe Harbor framework was invalidated by the Court of Justice of the EU in October 2015)

Examples where data security and data privacy issues come up
"Normal" companies (i.e. not "internet" companies)
Employee records: state data security laws (SSNs etc.)
Hiring decisions: state data security laws and the Fair Credit Reporting Act
Customer relationships: information about EU customers
Services provided to healthcare companies: are you a "business associate"?
Use of on-line resources: are your records appropriately protected?

Examples (cont.)
"Internet" companies, i.e. product provided over the internet
Obligations regarding customer data
Obligations regarding the customer's customers' data
Ability to use data to improve products or provide services to others than the immediate customer
Obligations regarding method of storage/protection of data

Some terminology to use
Personally Identifiable Information ("PII")
A data protection (US state law) concept
Information associated with a particular individual
Example definition under Massachusetts data protection law (201 CMR 17.00): name plus a financial account number, SSN or driver's license/state ID number
Protected Health Information ("PHI")
A HIPAA concept
Information relating to health care services provided to an individual
Can include billing information

Terminology (cont.)
HIPAA
US federal law regulating health information
Generally covers "covered entities": health care providers, health plans and health care clearinghouses
Can also extend to "business associates"
Gramm-Leach-Bliley
US federal law regulating privacy of financial information
Generally covers financial institutions

Terminology (cont.)
Data subject/subject individual
The individual the data is being gathered about
Generic terminology/EU privacy terminology
Aggregated data
Data which has been combined so that it does not reflect any particular individual

Terminology (cont.)
Customer
The organization utilizing the information supplied by the content company concerning the data subject
End User
May be the same as the data subject, or may be a person at the Customer organization

Terminology (cont.)
Encryption
A method of transforming data so that it is not readable by a third party who does not hold the key
Clear text (plaintext)
The original unencrypted data

Rights/Liability
Interests of the content company
(Data Privacy) Use restriction obligation to data subject and source
(Data Security) Security protection obligation to data subject
(Data Integrity) Data integrity of concern to data recipient, not to subject

Rights/Liability (cont.)
Interests of the data subject
(Data Privacy) Use restriction obligation to data subject
(Data Security) Security protection obligation to data subject
(Data Integrity) Data integrity not relevant to subject

Rights/Liability (cont.)
Customer
(Data Privacy/IP) Use restriction obligation to data subject and source
(Data Security) Security protection obligation to data subject
(Data Integrity) Data integrity of concern to Customer

Contractual protection of data is important
Problem areas/issues
Overbroad clauses
Indemnification
Liability for events over which you have no control
Confidentiality clauses; interaction with privacy policies
Addressing multiple levels of source of data: end user -> provider -> customer -> third party resources

HIPAA
What is covered: Protected health information ("PHI"); the HIPAA Security Rule applies to PHI maintained or transmitted electronically (ePHI)
Who is covered:
Covered Entity: includes health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form
Business Associate: includes non-health care organizations performing services for a Covered Entity that involve access to PHI

HIPAA (cont.)
What is required: adequate security safeguards; Business Associate Agreements ("BAAs") with Business Associates
What is restricted: use or disclosure of PHI other than for treatment, payment and health care operations, unless otherwise permitted by the rule or authorized by the individual
What is permitted: use for health care purposes, etc.
What is not covered: aggregated data, de-identified data

Gramm-Leach-Bliley
What is covered: nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes, but not for business, commercial, or agricultural purposes
Who is covered: financial institutions

GLB (cont.)
What is required: develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to ensure the security and confidentiality of customer information (FTC Safeguards Rule, 16 CFR 314.3)

Fair Credit Reporting Act
What is covered: a "consumer report", i.e. any communication of information by a consumer reporting agency bearing on a consumer's credit worthiness, ... character, general reputation, personal characteristics, or mode of living. 15 U.S.C. § 1681a(d)

FCRA (cont.)
Who is covered: consumer reporting agencies; certain duties also fall on users of reports (e.g. employers) and on furnishers of information
What is required: in many cases, consent from the data subject; notice upon adverse actions; correction of erroneous information

FCRA (cont.)
What is restricted: use of/access to credit information for an unauthorized reason (e.g. not in connection with a credit or similar transaction); maintenance of certain stale or prohibited information. 15 U.S.C. § 1681c
What is permitted: use for eligibility for credit, insurance or employment purposes, with consent of the data subject where required. 15 U.S.C. § 1681b

EU
Expansive view of what is covered
Requirements regarding destruction of data and review/access by the data subject
Restrictions on cross-border transfer and usage
Impact of the recent "Safe Harbor" decision (Schrems, CJEU, October 6, 2015), which invalidated the EU-US Safe Harbor framework as a basis for transfers

State Data Protection Laws Overview
What is covered: personally identifiable information ("PII"), usually a name or address plus SSN or financial account number, in general only in electronic form
Who is covered: in general, residents of the applicable state
What is required: in some states (e.g. Massachusetts) encryption of PII transmitted over public networks or stored on portable devices; most state breach notification laws treat encrypted data as exempt from notification, so encryption is a safe harbor rather than a mandate
What is restricted: in general, unauthorized disclosure of PII

Massachusetts example (201 CMR 17.00)
What is covered
What is required
What is not covered
Actions to take on data breach

Data Security

Considerations
What is the data being utilized?
Plan ahead for type/form of data collection
Define access control
Understand location of content and encryption strategy
Understand backup and archiving
Contingency plan for data breach

What is content used for - internally
Consistency with internal privacy policy
Consistency with regulatory requirements
Consistency with IP rights granted in end user agreements

What is content used for - provider
Consistency with internal and provider privacy policy
Consistency with regulatory requirements
Consistency with IP rights granted in end user agreements
Is aggregate/anonymous use permitted?

What is content used for – provider (cont.)
Performance of service
Monitoring of service
Other uses
Creating new products
Selling of aggregate data

Planning ahead for data collection and storage
Where is data stored?
Is data for separate projects/separate clients stored in separate "containers"?
How is access controlled (two-factor authentication?)
In what form is it stored (encrypted or unencrypted)?
Where are encryption keys stored? (Keys kept alongside the data give encryption no value against whoever obtains the data store)
How is it protected from external access (firewalls etc.)?
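The "separate containers" and "where are the keys" questions above can be made concrete in code. The following is an added example, not code from the presentation or from Gesmer Updegrove: it keeps one AES-256-GCM key per client in a key store that is held apart from the record store (assumed here to be a KMS or HSM in practice, and modelled as an in-memory map), so a copy of the records alone is unreadable, one client's key cannot open another client's data, and deleting a client's key makes any surviving backup of its ciphertext unreadable. The client names and sample records are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Store holds two separate containers: keys (in practice a KMS/HSM, assumed
// here and modelled as a map) and records (nonce || ciphertext || GCM tag).
// Each client has its own key, so a dump of Records alone yields no clear text.
type Store struct {
	Keys    map[string][]byte // client ID -> 32-byte AES-256 key
	Records map[string][]byte // client ID -> sealed record
}

func NewStore() *Store {
	return &Store{Keys: map[string][]byte{}, Records: map[string][]byte{}}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM under a fresh random 96-bit nonce, which is
// prepended to the output; the GCM tag makes any tampering detectable.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails (rather than returning garbage) on a wrong key
// or a modified blob.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// StoreRecord seals a client's PII under that client's own key, generating
// the key from the OS CSPRNG on first use.
func (s *Store) StoreRecord(client string, pii []byte) error {
	key, ok := s.Keys[client]
	if !ok {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		s.Keys[client] = key
	}
	blob, err := Seal(key, pii)
	if err != nil {
		return err
	}
	s.Records[client] = blob
	return nil
}

// ReadRecord opens a client's record with that client's key only.
func (s *Store) ReadRecord(client string) ([]byte, error) {
	key, ok := s.Keys[client]
	if !ok {
		return nil, errors.New("no key for client " + client)
	}
	return Open(key, s.Records[client])
}

// DeleteClient removes both containers; once the key is gone, any copy of the
// ciphertext left in a backup is unreadable (crypto-shredding).
func (s *Store) DeleteClient(client string) {
	delete(s.Keys, client)
	delete(s.Records, client)
}

func main() {
	s := NewStore()
	// Constructed sample records, not real data.
	_ = s.StoreRecord("clientA", []byte("Jane Doe, acct 1234-5678"))
	_ = s.StoreRecord("clientB", []byte("John Roe, SSN 000-00-0000"))
	pt, _ := s.ReadRecord("clientA")
	fmt.Printf("clientA clear text: %s\n", pt)
	// Client A's key cannot open client B's record: GCM reports an auth error.
	_, err := Open(s.Keys["clientA"], s.Records["clientB"])
	fmt.Println("cross-client open rejected:", err != nil)
}
```

Random 96-bit nonces are fine for the modest record counts in a store like this; at very high volumes per key, rotate keys rather than rely on random nonces alone. The separation shown here also answers the later question about deleting backups client by client: if the backup holds only ciphertext and the key store is separate, destroying the client's key retires every copy at once.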

Access to Content - Generally
Purpose of access
Security of information flow
Agreements with third parties
Conformance of theory with reality

Access to Content – Generally (cont.)
Consider regulatory requirements for protection of data
Consider regulatory requirements for agreements (BAAs etc.)
Consider impact of mobile usage

Access to Content – Generally (cont.)
Employees
Implement appropriate internal security policy
Consider whether employee use of own devices is problematic
Access by third parties
Implement appropriate non-disclosure agreements
Make sure access is consistent with agreements and privacy policy

Subcontractors
Consent over use of subcontractors
Vetting of subcontractors
Ensuring contractual provisions flow down properly
May require use of BAAs for HIPAA data
Dealing with changes to provisions

Backups and archives
How is it archived?
Where is it archived? Is the location acceptable based on general data protection principles?
Frequency
Security – encrypted vs. non-encrypted
Retention period: when can/must it be destroyed?
Stop-destruction in case of litigation

Backups and archives (cont.)
Make sure document retention policy and archive process are consistent
Make sure a litigation hold can be implemented
Clarify location of data
Consider ability to delete backups/archives on a client-by-client or project-by-project basis

Data Breach
Exposure to liability
Financial – cost of notification and identity theft monitoring
HIPAA – regulatory actions

Contingency planning for data breach
Understanding regulatory requirements and notification time frames
Determining types of data being stored
Encryption (encrypted data is generally exempt from breach notification)

Arrange insurance for data breach
Usually under an E&O (errors and omissions) policy
May be sublimits on notification costs
Primary coverage under your own policy
Also coverage under supplier's policy: be named as additional insured
Concern about adequacy of coverage amount

Questions? Peter Moldave Gesmer Updegrove LLP