Data Security and Privacy Overview and Update Peter Moldave October 28, 2015.

2 Topics to cover today
- Data security
- Data privacy
- Data integrity
- Specific issues with regulated data

3 Examples of situations that companies face
- Storage of employee and customer personal data
- Use of credit reports for employment decisions
- Use of health data for marketing
- Technological features required to comply with regulations

4 Data security and data privacy are not the same thing
- Data security is about protecting data from unauthorized access
- Data privacy is about restrictions on the collection or use of (personal) information
- Data protection may be a combination of privacy and security

5 Data integrity is separate from data security and data privacy
- Ensuring data is accurate, available and useful
- Data integrity issues are in some ways the opposite of those of privacy and security: integrity pushes toward keeping data complete and accessible, while privacy and security push toward restricting it

6 Data Protection Regulation
- US has no general (federal) data protection requirement
- Specific US items may need more specific consideration, e.g. Gramm-Leach-Bliley, HIPAA, COPPA, the Fair Credit Reporting Act, state data protection laws
- European rules on data protection are more general
- Safe Harbor update

7 Examples where data security and data privacy issues come up
"Normal" companies (i.e. not "internet" companies)
- Employee records: state data security laws (SSNs etc.)
- Hiring decisions: state data security laws and the Fair Credit Reporting Act
- Customer relationships: information about EU customers
- Services provided to healthcare companies: are you a "business associate"?
- Use of on-line resources: are your records appropriately protected?

8 Examples (cont.)
"Internet" companies, i.e. product provided over the internet
- Obligations regarding customer data
- Obligations regarding the customer's customers' data
- Ability to use data to improve products, or to provide services to others than the immediate customer
- Obligations regarding the method of storage/protection of data

9 Some terminology to use
- Personally Identifiable Information ("PII")
  - A data protection (US state law) concept
  - Information associated with a particular individual
  - Example definition under Massachusetts data protection law: name + account number
- Protected Health Information ("PHI")
  - A HIPAA concept
  - Information relating to health care services provided to an individual
  - Can include billing information

10 Terminology (cont.)
- HIPAA
  - US federal law regulating health information
  - Generally covers health care providers
  - Can also extend to "business associates"
- Gramm-Leach-Bliley
  - US federal law regulating privacy of financial information
  - Generally covers financial institutions

11 Terminology (cont.)
- Data subject / subject individual
  - The individual the data is being gathered about
  - Generic terminology / EU privacy terminology
- Aggregated data
  - Data which has been combined so that it does not reflect any particular individual

12 Terminology (cont.)
- Customer
  - The organization utilizing the information supplied by the content company concerning the data subject
- End user
  - May be the same as the data subject, or may be a person at the Customer organization

13 Terminology (cont.)
- Encryption
  - A method of transforming data so that it cannot be read by an unauthorized third party who does not hold the key
- Clear text
  - The original unencrypted data (also called plaintext)

14 Rights/Liability
Interests of the content company
- (Data Privacy) Use restriction obligation to data subject and source
- (Data Security) Security protection obligation to data subject
- (Data Integrity) Data integrity is of concern to the data recipient, not to the subject

15 Rights/Liability (cont.)
Interests of the data subject
- (Data Privacy) Use restriction obligation to data subject
- (Data Security) Security protection obligation to data subject
- (Data Integrity) Data integrity not relevant to subject

16 Rights/Liability (cont.)
Interests of the Customer
- (Data Privacy/IP) Use restriction obligation to data subject and source
- (Data Security) Security protection obligation to data subject
- (Data Integrity) Data integrity is of concern to the Customer

17 Contractual protection of data is important
Problem areas/issues
- Overbroad clauses
- Indemnification
- Liability for events over which you have no control
- Confidentiality clauses and their interaction with privacy policies
- Addressing multiple levels of source of data: end user -> provider -> customer -> third-party resources

18 HIPAA
- What is covered: protected health information maintained or transmitted electronically ("PHI")
- Who is covered:
  - Covered Entity: includes health plans, and health care providers who transmit any health information in electronic form
  - Business Associate: includes non-health care organizations performing services for a Covered Entity that involve access to PHI

19 HIPAA (cont.)
- What is required: adequate security; Business Associate Agreements ("BAAs") with Business Associates
- What is restricted: use of PHI other than for the provision of health care
- What is permitted: use for health care purposes, etc.
- What is not covered: aggregated data, de-identified data

20 Gramm-Leach-Bliley
- What is covered: nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes, but not for business, commercial or agricultural purposes
- Who is covered: financial institutions

21 GLB (cont.)
- What is required: "develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards" to insure the security and confidentiality of customer information (16 CFR 314.3)

22 Fair Credit Reporting Act
- What is covered: a "consumer report", i.e. the communication of any information by a consumer reporting agency bearing on a consumer's "credit worthiness, ... character, general reputation, personal characteristics, or mode of living" (15 U.S.C. § 1681a(d))

23 FCRA (cont.)
- Who is covered: consumer reporting agencies
- What is required: in many cases, consent from the data subject; notice upon adverse actions; correction of erroneous information

24 FCRA (cont.)
- What is restricted: use of or access to credit information for an unauthorized reason (i.e. not in connection with a credit or similar transaction); maintenance of certain stale or prohibited information (15 U.S.C. § 1681c)
- What is permitted: use for eligibility for credit, insurance or employment purposes, with consent of the data subject (15 U.S.C. § 1681b)

25 EU
- Expansive view of what is covered
- Requirements regarding destruction of data and review by the data subject
- Restrictions on cross-border usage
- Impact of the recent "Safe Harbor" decision (the October 2015 Court of Justice of the EU ruling invalidating the EU-US Safe Harbor framework)

26 State Data Protection Laws Overview
- What is covered: personally identifiable information ("PII"), usually a name or email address plus an SSN or financial account number, in general only in electronic form
- Who is covered: in general, residents of the applicable state
- What is required: encryption of electronic PII (in Massachusetts, at least for PII transmitted over public networks or stored on laptops and portable devices)
- What is restricted: in general, unauthorized disclosure of PII

27 Massachusetts example
- What is covered
- What is required
- What is not covered
- Actions to take on data breach

28 Data Security

29 Considerations
- What is the data being utilized?
- Plan ahead for the type/form of data collection
- Define access control
- Understand the location of content and the encryption strategy
- Understand backup and archiving
- Contingency plan for data breach

30 What is content used for: internally
- Consistency with internal privacy policy
- Consistency with regulatory requirements
- Consistency with IP rights granted in end user agreements

31 What is content used for: provider
- Consistency with internal and provider privacy policy
- Consistency with regulatory requirements
- Consistency with IP rights granted in end user agreements
- Is aggregate/anonymous use permitted?

32 What is content used for: provider (cont.)
- Performance of the service
- Monitoring of the service
- Other uses
  - Creating new products
  - Selling aggregate data

33 Planning ahead for data collection and storage
- Where is data stored?
- Is data for separate projects/separate clients stored in separate "containers"?
- How is access controlled (two-factor authentication)?
- In what form is it stored (encrypted or unencrypted)?
- Where are encryption keys stored? (Keys kept alongside the data they protect add little if the data store itself is compromised)
- How is it protected from external access (firewalls etc.)?

34 Access to Content: Generally
- Purpose of access
- Security of information flow
- Agreements with third parties
- Conformance of theory with reality: does actual access match what the policies and agreements say?

35 Access to Content: Generally (cont.)
- Consider regulatory requirements for protection of data
- Consider regulatory requirements for agreements (BAAs etc.)
- Consider the impact of mobile usage

36 Access to Content: Generally (cont.)
- Employees
  - Implement an appropriate internal security policy
  - Consider whether employee use of their own devices is problematic
- Access by third parties
  - Implement appropriate non-disclosure agreements
  - Make sure access is consistent with agreements and privacy policy

37 Subcontractors
- Consent to the use of subcontractors
- Vetting of subcontractors
- Ensuring contractual provisions flow down properly
- May require use of BAAs for HIPAA data
- Dealing with changes in the provision of services

38 Backups and archives
- How is it archived?
- Where is it archived? Is the location acceptable under general data protection principles?
- Frequency
- Security: encrypted vs. non-encrypted
- Retention period
- When can/must it be destroyed?
- Stop destruction in case of litigation (litigation hold)

39 Backups and archives (cont.)
- Make sure the document retention policy and archive process are consistent
- Make sure a litigation hold can be implemented
- Clarify the location of data
- Consider the ability to delete backups/archives on a client-by-client or project-by-project basis
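The questions on slides 33 and 39 (where keys live relative to the data, whether clients sit in separate "containers", and whether one client's backups can be deleted on their own) have a standard engineering answer: envelope encryption with a separate data key per client, with the keys held in a key store that is never part of the backup set. Deleting one client's key then makes every copy of that client's records, including archived backups, permanently unreadable ("crypto-shredding"). The following is an added example, not code from the presentation. `KeyVault` and `RecordStore` are hypothetical stand-ins for a KMS/HSM and for a database or archive; the HMAC-based cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM, which a production system would take from a crypto library rather than hand-roll.

```python
"""Envelope encryption with per-client data keys and crypto-shredding (added example)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a pseudorandom keystream. Stand-in so the example
    # runs on the standard library alone; use AES-GCM from a real library in production.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys so the two roles never share a key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, clear_text: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(clear_text))
    cipher_text = bytes(a ^ b for a, b in zip(clear_text, stream))
    tag = hmac.new(mac_key, nonce + cipher_text, hashlib.sha256).digest()
    return nonce + cipher_text + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag (constant-time compare) before touching the ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, cipher_text, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + cipher_text, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext altered or wrong key")
    stream = _keystream(enc_key, nonce, len(cipher_text))
    return bytes(a ^ b for a, b in zip(cipher_text, stream))


class KeyVault:
    """Hypothetical KMS/HSM stand-in. Holds the master key and the wrapped per-client
    data keys; nothing in here is ever written to the record store or its backups."""

    def __init__(self):
        self._master = os.urandom(32)
        self._wrapped = {}

    def create_client_key(self, client: str) -> None:
        # Only the wrapped (encrypted) data key is retained; the master key never leaves.
        self._wrapped[client] = encrypt(self._master, os.urandom(32))

    def data_key(self, client: str) -> bytes:
        if client not in self._wrapped:
            raise KeyError(f"no data key for client {client!r} (destroyed or never created)")
        return decrypt(self._master, self._wrapped[client])

    def destroy_client_key(self, client: str) -> None:
        # Crypto-shredding: every record and backup encrypted under this key is now
        # unreadable, even though the ciphertext may still sit in an archive.
        del self._wrapped[client]


class RecordStore:
    """Hypothetical database or backup archive: holds ciphertext only, keyed by client."""

    def __init__(self, vault: KeyVault):
        self.vault = vault
        self.rows = {}

    def put(self, client: str, record_id: str, clear_text: bytes) -> None:
        self.rows[(client, record_id)] = encrypt(self.vault.data_key(client), clear_text)

    def get(self, client: str, record_id: str) -> bytes:
        return decrypt(self.vault.data_key(client), self.rows[(client, record_id)])


def demo_crypto_shred() -> dict:
    """Two clients share one store; destroying one client's key removes only that client's data."""
    vault = KeyVault()
    store = RecordStore(vault)
    for client in ("acme", "globex"):
        vault.create_client_key(client)
    store.put("acme", "emp-1", b"Jane Doe, SSN 123-45-6789")    # constructed sample record
    store.put("globex", "emp-1", b"John Roe, account 00123456")  # constructed sample record
    vault.destroy_client_key("acme")
    try:
        store.get("acme", "emp-1")
        acme_readable = True
    except KeyError:
        acme_readable = False
    return {
        "acme_readable": acme_readable,
        "acme_ciphertext_still_stored": ("acme", "emp-1") in store.rows,
        "globex_readable": store.get("globex", "emp-1") == b"John Roe, account 00123456",
    }


if __name__ == "__main__":
    print(demo_crypto_shred())
```

The point of the design is the separation: backups of `RecordStore` can be copied to any archive location without exposing clear text, and the per-client deletion question on slide 39 reduces to deleting one wrapped key in the vault rather than hunting through every backup generation. The tag check in `decrypt` also means a tampered or wrong-key blob fails closed instead of yielding garbage.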

40 Data Breach
Exposure to liability
- Financial: identity theft monitoring
- HIPAA: regulatory actions

41 Contingency planning for data breach
- Understanding regulatory requirements and time frames
- Determining the types of data being stored
- Encryption (many state breach-notification laws treat properly encrypted data whose key was not also compromised as outside the notification requirement)
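"Determining the types of data being stored" is the step that decides whether a breach triggers state notification at all, and it applies the definition from slide 26: a name or email address plus an SSN or financial account number. The following is an added example, not code from the presentation, showing how that definition can be applied mechanically to records in a data store so the inventory exists before the breach rather than being assembled during it. The field names (`name`, `email`, `account_number`, `notes`) are assumptions about the schema, the SSN and card-number patterns are the author's simplifications (dashed SSNs only, Luhn-valid 13 to 19 digit runs for cards), and every sample record is constructed.

```python
"""Classify stored records as regulated PII and redact them for a breach inventory (added example)."""
import re

# Dashed SSN form only (assumption): nine bare digits would collide with account numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Hypothetical schema fields that tie a record to a person.
IDENTIFIER_FIELDS = ("name", "first_name", "last_name", "email")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_elements(text: str) -> list:
    """Return the sensitive data elements (ssn, card) found in free text."""
    found = []
    for m in SSN_RE.finditer(text):
        found.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(("card", m.group()))
    return found


def classify_record(record: dict) -> dict:
    """Apply the name-plus-element definition of PII to one record."""
    has_identifier = any(record.get(f) for f in IDENTIFIER_FIELDS)
    elements = []
    if record.get("account_number"):
        elements.append(("account", str(record["account_number"])))
    for key, value in record.items():
        if isinstance(value, str) and key != "account_number":
            elements.extend(find_elements(value))
    return {
        "identifier": has_identifier,
        "elements": elements,
        # Both halves are needed: an SSN with no name, or a name with no element,
        # is not PII under this definition and does not by itself trigger notification.
        "regulated_pii": has_identifier and bool(elements),
    }


def redact(text: str) -> str:
    """Mask SSNs and card numbers down to their last four digits for logs and inventories."""
    text = SSN_RE.sub(lambda m: "***-**-" + m.group()[-4:], text)

    def mask_card(m):
        digits = re.sub(r"\D", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group()

    return CARD_RE.sub(mask_card, text)


def breach_inventory(records: list) -> dict:
    """Count what a breach of these records would expose, to scope notification."""
    summary = {"total": len(records), "regulated_pii": 0, "by_element": {}}
    for rec in records:
        result = classify_record(rec)
        if result["regulated_pii"]:
            summary["regulated_pii"] += 1
            for kind, _ in result["elements"]:
                summary["by_element"][kind] = summary["by_element"].get(kind, 0) + 1
    return summary


SAMPLE_RECORDS = [  # constructed records, not real people
    {"name": "Jane Doe", "notes": "Payroll SSN 123-45-6789 on file"},
    {"email": "jroe@example.com", "account_number": "00123456"},
    {"name": "Sam Lee", "notes": "Card 4111 1111 1111 1111 exp 12/27"},
    {"name": "Pat Kim", "notes": "Prefers phone contact, ext 4455"},
    {"notes": "Orphan record, SSN 321-65-4320, no name attached"},
    {"name": "Order 1234 5678 9012 3456 placed", "notes": "ticket number, fails Luhn"},
]

if __name__ == "__main__":
    print(breach_inventory(SAMPLE_RECORDS))
    print(redact("SSN 123-45-6789, card 4111 1111 1111 1111"))
```

Run against the constructed records, three of the six are regulated PII: the orphaned SSN has no identifier, the name with only a phone extension has no element, and the sixteen-digit ticket number fails the Luhn check. The `redact` helper is what should feed any log or spreadsheet produced during the incident, so the inventory itself does not become a second copy of the clear-text PII.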

42 Arrange insurance for data breach
- Usually E&O
- May be sublimits on notification costs
- Primary insurance coverage under own policy
- Also coverage under the supplier's policy: be named as additional insured
- Concern about coverage amount

43 Questions?
Peter Moldave, Gesmer Updegrove LLP
617-531-8340
peter.moldave@gesmer.com