Presentation is loading. Please wait.

Presentation is loading. Please wait.

What Business Owners Need to Know About Data Privacy

Published byArchibald Gilmore Modified over 6 years ago

Similar presentations

Presentation on theme: "What Business Owners Need to Know About Data Privacy"— Presentation transcript:

1 What Business Owners Need to Know About Data Privacy
August 9, 2013 What Business Owners Need to Know About Data Privacy Craig A. Hoffman| Blog:

2 Agenda Compliance Obligations FTC Enforcement
Data Breach Notification Laws Incident Response Best Practices Legislative Updates

3 Compliance Obligations

4 Compliance Complexity
PCI-DSS HIPAA HITECH STATE PRIVACY LAWS (e.g. TX, CA) INTERNATIONAL DATA PROTECTION (e.g. EU, CANADA) FTC GLBA STATE BREACH NOTIFICATION LAWS SEC DISCLOSURE GUIDANCE INDUSTRY SELF REGULATION

5 Interacting with Customers
Federal Law •Computer Fraud and Abuse Act (18 U.S.C. §1030) •Electronic Communications Privacy Act (18 U.S.C.§ ) Stored Communications Act (18 U.S.C. §§ ) •Telephone Consumer Protection Act (47 U.S.C. §227) •Video Privacy Protection Act (18 U.S.C. §2710) •The CAN-SPAM Act (15 U.S.C. §7701 et seq.) Fair Credit Reporting Act (15 U.S.C. § 1681 et seq). •Children’s Online Privacy Protection Act (16 C.F.R. §312) State Law •Unfair competition Spyware, Spam, & Do Not Call statutes •“Shine the Light” Law (Cal. Civ. Code §1798.3) •Song-Beverly Act of 1971 (Cal. Civ. Code §§ ) •Invasion of Privacy Act (Cal. Penal Code §630 et. seq.) •Standards for the Protection of Personal Information (MA 201 CMR et seq)

6 FTC Compliance Complexity
Section 5 FTC Act CAN-SPAM Do Not Track & Do Not Call Dot Com Disclosures / Testimonials & Endorsements Fair Credit Reporting Act Children’s Online Privacy Protection Act Gramm-Leach-Bliley Act Representations to Customers

7 Enforcement Agency Trends - FTC
Website Privacy Policies Big Data Do Not Track & Dotcom Disclosures Mobile Apps COPPA Location Based Services Facial Recognition

8 FTC Enforcement - Wyndham
Wyndham disclosed three incidents of card data theft between April 2008 and January 2010. The FTC requested information from Wyndham, and after production proposed a consent order. Wyndham did not agree and the FTC brought an enforcement action alleging that Wyndham committed unfair and deceptive trade practices in violation of Section 5 of the FTC Act. The representations supporting the FTC’s claims come from Wyndham’s privacy policy: . . . We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program (collectively, “Customers”) We safeguard our Customers’ personally identifiable information by using standard industry practices. Although “guaranteed security” does not exist on or off the Internet, we take commercially reasonable efforts to create and maintain “fire walls” and other appropriate safeguards to ensure that to the extent we control the Information, the Information is used only as authorized by us and consistent with this Policy, and that the Information is not improperly altered or destroyed.

9 Breach Notification Laws

10 Breaches by Industry Trustwave Global Security Report

11 Causes of Breach PrivacyRights.org

12 Mandiant M-Trends 2013 Security Threat Report

13 Basics of State Laws All but four states have a breach notification law. The laws apply to a breach affecting “personal information.” A breach is generally unauthorized access to or acquisition of personal information. Most states have a “risk of harm” exception and a “safe harbor” if the data was encrypted. Most require notification as soon as reasonably possible.

14 Ohio Law “Personal information” is a name in combination with: (1) SSN, (2) driver’s license or state ID, or (3) account or payment card number along with a security code, access code, or password allowing access to individual’s financial account. "Breach of the security of the system" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state. Breach notification required “in the most expedient time possible” but not later than 45 days after discovery. State AG may bring enforcement action to seek a civil fine.

15 Costs of Response Forensics Notification costs Credit monitoring
Call center Crisis response Legal fees Defense costs/settlement expenses PCI fines/assessments & regulatory fines

16 Incident Response Best Practices

17 Decisions, Decisions, Decisions
Is it a breach? Do you involve law enforcement? Do you hire a forensics company? Do you retain counsel? Do you involve regulatory agencies? Is crisis management necessary? Do you offer credit monitoring? Do you get relief from a “law enforcement” delay?

18 Prepare Cyber Liability Insurance Written Information Security Policy
Incident Response Plan Training & Education Identify & Mitigate Risk Manage Vendors

19 Commonalities of Breaches
Will be an external attack involving hacking and malware Vulnerability created by third party vendor Will not be detected for months Breached entity will learn from third party Initial exploit relatively simple and avoidable

20 Respond Respond quickly Bring in the right team Preserve evidence
Document analysis Involve the C-suite Be guarded, consistent, and honest in communications Plan for likely reaction of customers, employees, & key stakeholders Mitigate harm Respond quickly Bring in the right team Preserve evidence Contain & remediate Let the forensics drive the decision-making Law enforcement

21 SEC Guidance on Cyber-Security Disclosure Obligations
SEC Guidelines Issued October 13, 2011 Suggests that publicly traded companies: Disclose incidents of cyber intrusions in SEC filings Disclose “risk factors” of cyber intrusions SEC has issued letters requesting certain high-profile cyber intrusions be disclosed Amazon’s Zappos.com breach Google Although not mandatory, SEC’s activity here seen as foreshadowing to future mandatory obligations

22 After the Breach Regulatory inquiries and enforcement actions
Customer questions and demands Lawsuits Internal policy review

23 Legislative Update Cybersecurity Consumer Privacy Bill of Rights
Mandatory standards, info exchange, scope, liability protection Executive Order & Presidential Directive Consumer Privacy Bill of Rights Codes of Conduct Breach Notification Electronic Communications Privacy Act HIPAA Final Rule

24

Download ppt "What Business Owners Need to Know About Data Privacy"

Similar presentations

Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.

Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.
NACARA Annual Conference Industry Perspectives Panel September 29,2014 Boise, Idaho Andy Madden Director State Government Affairs ACA International.

NACARA Annual Conference Industry Perspectives Panel September 29,2014 Boise, Idaho Andy Madden Director State Government Affairs ACA International.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
Data Security Laws and the Rising Cybersecurity Debate

Data Security Laws and the Rising Cybersecurity Debate
Silicon Valley Apps for Kids Meetup Laura D. Berger October 22, 2012 The views expressed herein are those of the speaker, and do not represent the views.

Silicon Valley Apps for Kids Meetup Laura D. Berger October 22, 2012 The views expressed herein are those of the speaker, and do not represent the views.
Protecting Personal Information Guidance for Business.

Protecting Personal Information Guidance for Business.
I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.

I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.
© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.

© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.
PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,

PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
Computers, Freedom and Privacy April 23, 2004 Identity Theft: Addressing the Problem in California Joanne McNabb, Chief CA Office of Privacy Protection.

Computers, Freedom and Privacy April 23, 2004 Identity Theft: Addressing the Problem in California Joanne McNabb, Chief CA Office of Privacy Protection.
Responding to a Data Security Breach

Responding to a Data Security Breach
Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.

Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 Sara Juster, JD Vice President/Corporate Compliance Officer Nebraska.
Recent Trends and Insurance Considerations March 2015

Recent Trends and Insurance Considerations March 2015
Presented by: Paul J. Miola, CPCU, ARM Executive Director October, 2013.

Presented by: Paul J. Miola, CPCU, ARM Executive Director October, 2013.
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.
In the Belly of the Breach: What Every In-House Counsel Needs to Know about Data Breach Response ACC International Legal Affairs Committee Legal Quick.

In the Belly of the Breach: What Every In-House Counsel Needs to Know about Data Breach Response ACC International Legal Affairs Committee Legal Quick.
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.

Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.

Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.

Similar presentations

Ads by Google