1- gtc data privacy conference overall opening loop deck 9...


Page 1: 1- GTC Data Privacy Conference Overall Opening Loop Deck 9 ...gtclawgroup.com/wp-content/uploads/2016/09/GTC-Data-Privacy-Co… · Godiva Chocolatier Inc. for allegedly printing receipts


Page 2

DATA PRIVACY & SECURITY

CHALLENGES

Page 3

— HealthcareITNews 9/26/16

Page 4

Page 5

Yahoo announced on September 22, 2016 that the account information for at least 500 million users was stolen by hackers two years ago, in the biggest known intrusion of one company’s computer network.

In a statement, Yahoo said user information — including names, email addresses, telephone numbers, birth dates, passwords and, in some cases, security questions — was compromised in 2014 by what it believed was a “state-sponsored actor” (i.e. an individual acting on behalf of a government). It did not name the country involved.

Page 6

$2.1M in Attorneys’ Fees Awarded

“Attorneys for a proposed class of consumers seeking approval of a $6.3 million settlement with Godiva Chocolatier Inc. for allegedly printing receipts that showed more than the last five digits of their credit card numbers should receive $2.1 million in fees, a Florida federal judge said Friday, rejecting arguments raised by ‘serial objectors.’” — Law360 9/19/16 (emphasis added)

NOTE: Godiva said the violation was caused by a third-party vendor, which unilaterally and without permission altered code in a way that caused the incomplete truncation of card information on the company’s receipts. The issue affected more than 300,000 consumers over a 12-week period in 2015.
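The Godiva note describes a classic control failure: the masking rule (show no more than the last five digits) was correct, but a vendor's code change silently broke it, and nothing checked the printed output. The following Python is an added example, not code from the GTC deck or from Godiva's vendor. It shows a masking routine beside an independent check that scans finished receipt text for any card-number-sized field exposing more digits than the limit. It assumes receipts are plain text and that a card-number field is any run of 13 to 19 digits or mask characters (`*`, `#`, `x`), optionally grouped by spaces or dashes; the limit of five digits is the one cited in the case, and the sample receipts are constructed.

```python
"""Receipt PAN-truncation masking and an independent output check.

Added example; not part of the GTC deck. Assumes plain-text receipts and
card-number fields made of digits and mask characters (* # x X), 13-19
characters long, optionally grouped with spaces or dashes.
"""
import re

# Limit cited in the Godiva settlement: no more than the last five digits.
MAX_VISIBLE_DIGITS = 5

# A card-number-sized field: 13 to 19 digit/mask characters, with at most one
# space or dash between neighbouring characters ("**** **** **** 1234").
_PAN_FIELD = re.compile(r"[\d*#xX](?:[ -]?[\d*#xX]){12,18}")


def mask_pan(pan, visible=MAX_VISIBLE_DIGITS):
    """Return the PAN with every digit but the last `visible` replaced by '*'.

    Separators are dropped first so the masked length always equals the
    digit count; a value that is not PAN-length is rejected rather than
    partially masked.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number length: %d digits" % len(digits))
    return "*" * (len(digits) - visible) + digits[-visible:]


def exposed_digits(field):
    """Count the digits still readable in one card-number field."""
    return sum(ch.isdigit() for ch in field)


def find_overexposed_fields(receipt_text, max_visible=MAX_VISIBLE_DIGITS):
    """Return every card-number-sized field on the receipt that shows more
    than `max_visible` digits. This runs on the final printed text, so it
    catches a masking bug wherever it was introduced, including in vendor
    code the merchant never reviewed."""
    return [
        m.group(0)
        for m in _PAN_FIELD.finditer(receipt_text)
        if exposed_digits(m.group(0)) > max_visible
    ]


def receipt_is_compliant(receipt_text, max_visible=MAX_VISIBLE_DIGITS):
    """True when no card-number field on the receipt exceeds the limit."""
    return not find_overexposed_fields(receipt_text, max_visible)


if __name__ == "__main__":
    # Constructed sample receipts; 4242 4242 4242 4242 is a well-known test PAN.
    good = "GODIVA STORE 123\nVISA %s\nTOTAL $12.50" % mask_pan("4242 4242 4242 4242")
    # What an "incomplete truncation" looks like: first four and last four shown.
    vendor_bug = "GODIVA STORE 123\nVISA 4242********4242\nTOTAL $12.50"
    for label, text in (("correct", good), ("vendor bug", vendor_bug)):
        print(label, "compliant" if receipt_is_compliant(text) else
              "EXPOSED: %s" % find_overexposed_fields(text))
```

The check is deliberately separate from the masking code: a regression test that feeds real receipt templates through `receipt_is_compliant` after every vendor release would have flagged the altered output on day one rather than after twelve weeks and 300,000 receipts. Phone numbers, order numbers and totals are shorter than a PAN and are ignored; a 13-digit or longer store or order identifier would be reported for review, which is the safer direction to err.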

Page 7

“Attorneys litigating a massive class action accusing several cruise marketing companies of violating the Telephone Consumer Protection Act by robocalling millions of Americans with offers for free trips have reached a settlement that could see the companies paying out up to $76 million. The plaintiffs, which include 1 million people who received calls from Caribbean Cruise Line and its subsidiary marketing companies between August 2011 and August 2012, will receive about $500 for each call they received.” — Law360 9/8/16 (emphasis added)

Page 8

“A Massachusetts federal judge won't let USA Today parent company Gannett Co. off the hook for allegedly collecting app users' video viewing data and sharing it with another company, ruling on Friday that disclosing personally identifiable information could indeed cause users harm… ‘The [Video Privacy Protection Act] plainly provides plaintiffs like Yershov, who allege wrongful disclosure of their [personally identifiable information], with standing and a right to relief,’ Judge Saylor said.” — Law360 9/2/16 (emphasis added)

Page 9

“In the first HIPAA enforcement action against a business associate, federal regulators have smacked a nonprofit organization with a $650,000 penalty. The move follows an investigation into the 2014 theft of an unencrypted smartphone that was not password protected.” — HealthInfoSec 7/5/16 (emphasis added)

The theft potentially exposed information on just 412 patients at 6 Philadelphia-area nursing homes receiving IT services from the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). Those facilities reported the breach to the Dept. of Health and Human Services' Office (HHS) in February 2014, triggering the OCR investigation.

Page 10

Page 11

Kellogg Canada, the latest company to be hit under Canada’s Anti-Spam Law (CASL), was ordered by the Canadian regulators to pay $60,000 as part of a settlement for allegedly sending emails to recipients without their consent over a relatively short period of time (~2.5 months).

Notes:

1. Any company (whether resident in Canada or not) sending an electronic message to a recipient in Canada is subject to CASL.

2. Under CASL, a firm could face a maximum penalty of $10 million for sending emails without consent, and be open to civil litigation as well.

3. Per the regulators, the alleged violation was by Kellogg or its service providers. Any company using third-party marketers/partners to communicate with a recipient in Canada should ensure that such third party complies with CASL.

Page 12

Viacom, Mattel, JumpStart and another company have recently agreed to pay a combined $835,000 in penalties and implement reforms after an investigation revealed that the children’s website operators permitted illegal tracking of kids’ online activity in violation of the Children’s Online Privacy Protection Act (COPPA). According to the New York Attorney General, none of the four companies had intentionally built native tools to track personal identifiers like cookies and IP addresses. But they were all contracting with advertising vendors that performed some type of persistent monitoring for targeted ads. — source Bloomberg Technology 9/13/16

Page 13

“Airbnb complied with less than half of the nearly 200 requests it received from law enforcement officials around the world to hand over user data in the first half of this year, the online short-term rental service recently disclosed in its first-ever transparency report.

Joining the ranks of companies such as Google Inc., Facebook Inc., Twitter Inc. and Uber Technologies Inc., which have all moved in recent years to share more with users about how they interact with the government when it comes to user data requests, Airbnb Inc. on Thursday published its inaugural accounting of global law enforcement demands for user information.” — Law360 9/6/16

Page 14

“A San Francisco judge on [September 15, 2016] gave final approval to Citibank’s $1.55 million settlement with over 400 customers who say the bank violated a state criminal law by recording account services phone calls without their permission, ending a three-year battle that had bounced between state and federal court.

…In the complaint, originally filed in June 2013 in superior court, it was alleged that the bank regularly monitored calls made to a toll-free number associated with its checking, savings and CD departments without providing a warning at the top of the call, in violation of California’s Invasion of Privacy Act.” — Law360 9/15/16

Page 15

“The Federal Trade Commission has told a pair of privacy advocates that it will "carefully review" their allegations that mobile messaging service WhatsApp's move to share personal phone numbers and other user data with parent company Facebook for targeted marketing is unlawful, the groups said Wednesday.

[In acknowledging the complaint, the FTC indicated] that WhatsApp's new data-­sharing policy ran afoul of both Section 5 of the FTC Act as well as repeated promises both companies made to the regulator when Facebook acquired the messaging service in 2014 about how WhatsApp user data would not be used for marketing purposes without users' consent.” — Law360 9/7/16

Page 16

DATA PRIVACY & SECURITY

SOLUTIONS

Page 17

A TOOLKIT FOR DATA PRIVACY & SECURITY

Kick Off: Tom Hemnes, Member, GTC Law Group PC

In-house Counsel Data/Privacy Compliance Program Tips from the Trenches (Panel): Alexis Goltra, Chief Privacy Officer, Oracle Corporation; Scott Semel, EVP and GC, Intralinks, Inc.; Danielle Sheer, VP & GC, Carbonite, Inc.; Tom Hemnes, Member, GTC - moderator

EU-US Privacy Shield and EU GDPR Tips: David Bender, Special Counsel, Data Privacy, GTC

Data Security, Disputes & Cyberinsurance Strategies (Panel): Rocco Grillo, Executive Managing Director/Cyber Resilience Leader, Stroz Friedberg; Mark P. Szpak, Partner, Ropes & Gray LLP; John Paul Sutrich, President, ARI Risk Management Consultants; Paul-Johan Jean, CIPP/US, GIAC/GLEG, Co-Founder and Member, GTC – co-moderator; Rick Olin, CIPP/US, Member, GTC – co-moderator

Closing: Sayoko Blodgett-Ford, CIPP/US, Member, GTC

Meet and Greet Session: Kenneth MacCuish, SVP & Chief Information Security Officer, Intralinks, Inc.; Eric Ratcliffe, Director of Sales, 360Advanced; David Small, Information Security Manager, Vice President, Boston Private

Page 18

TOOLKIT TIPS AND SUGGESTED PRIORITIES (SEE HANDOUT FOR FULL LIST)

ASAP

• CPO/DPO: Designate a Chief Privacy Officer/Data Protection Officer (or whatever title you prefer) who can work comfortably with leadership, product development, advertising/PR, legal, and outside vendors. This can be a new hire or a current employee. If this is a current employee who is already overloaded, offer them support from outside counsel or experts as needed. If they do not have deep expertise, encourage them to seek appropriate formal Privacy & Security training and fund such training.

• Privacy Team: Assign a person in each functional group to serve on this team, led by the CPO.

• EU: Start the process of Privacy Shield and GDPR compliance (+ Brexit issues) if you import (or may in the future import) any data from Europe (for example, from visitors to your main corporate website in the US or from European operations).

Page 19

TOOLKIT TIPS AND SUGGESTED PRIORITIES – cont. (SEE HANDOUT)

WITHIN NEXT 3 – 6 MONTHS

• Insurance: Confirm existence of appropriate coverage (assess financial loss exposure and tighten up IT/P&S practices before entering insurance market); add or modify policies as needed.

• WISP: Put an initial Written Information Security Policy in place, together with detailed internal procedures to ensure compliance. Consider specialized regulations (e.g., CA anti-spam).

• Update Privacy Policy: Review processing of personal information, including collection, use, disclosure, storage, retention, and disposal, and consider any applicable specialized regulations.

• Update Legal Terms: Consider adding class action waiver, arbitration clause, and “prior express written consent” required by Telephone Consumer Protection Act for texts and auto-dialed calls.

• Encryption: Encrypt personal information and sensitive data in storage and transit.

• Backups: Frequently and securely back up all electronic data on an automatic basis.

• Limit Access: Limit employee/vendor access to personal information and sensitive data to those who have a need to know.

• Data Breaches/Incident Response: Designate a person to lead response (ideally the CPO) and ensure likely first contacts (IT, customer service, PR, sales, executives ...) know to call (not email, not text) immediately regarding any suspected incident. Draft an incident response plan and line up the team (legal, forensic, call center …).

Page 20

TOOLKIT TIPS AND SUGGESTED PRIORITIES – cont. (SEE HANDOUT)

ONGOING

• Audits: Conduct periodic Privacy & Security audits, at least annually, both internally and of vendors.

• Cultural Change: Implement educational programs and written policies to create an organizational culture of privacy and security awareness.

• New Product Launches: Integrate Privacy & Security review into product development from the start – and into all advertising and marketing efforts.

• Contracts: Review and update agreements to ensure Privacy & Security compliance (US, CA, EU …).

Page 21

MEET & GREET EXPERTS

Kenneth MacCuish, Senior Vice President & Chief Information Security Officer, Intralinks, Inc., [email protected]. Mr. MacCuish was Global Head of Information Security, CISSP, at Bain Capital.

Eric Ratcliffe, Director of Sales, 360Advanced, [email protected]. Mr. Ratcliffe oversees all sales and marketing operations and works directly with the audit and assessment operations team to ensure delivery of the highest level of quality on all Assurance and Compliance projects.

David Small, Information Security Manager, Vice President, Boston Private, [email protected]. All aspects of Boston Private’s security posture and Information Security Program. Responsible for maintaining technical security, profile, technologies, controls, standards and procedures in addition to providing technical security consulting to Business Departments and Information Technology staff.

Page 22

GTC DATA PRIVACY & SECURITY TEAM

David Bender, Special Counsel, Data Privacy [email protected]

Brent Bliven, CIPP/US [email protected] 339.832.2165

Sayoko Blodgett-Ford, Member, CIPP/US [email protected] 425.681.3795

Thomas Hemnes, Member [email protected] 617.906.5499

Paul-Johan Jean, Co-Founder & Member, CIPP/US, GIAC/GLEG [email protected] 1.617.216.1298

Grace Lee [email protected] 617.575.9157

Rick Olin, Member, CIPP/US [email protected] 617.216.5062

Stephen Pakan [email protected] 315.729.6775

Laila Paszti [email protected] 416.707.2818

Page 23

ADDITIONAL RESOURCES (JAPANESE LANGUAGE EXPERTISE)