Data Security and Privacy Overview and Update
Peter Moldave
October 28, 2015
Topics to cover today:
- Data Security
- Data Privacy
- Data Integrity
- Specific Issues with Regulated Data

Examples of situations that companies face
- Storage of employee and customer personal data
- Use of credit reports for employment decisions
- Use of health data for marketing
- Technological features required to comply with regulations

Data security and data privacy are not the same thing
- Data security is about protecting data from unauthorized access
- Data privacy is about restrictions on collection or use of (personal) information
- Data protection may be a combination of privacy and security

Data integrity is separate from data security and data privacy
- Ensuring data is available and useful
- Data integrity issues are in some ways the opposite of those of privacy and security

Data Protection Regulation
- US has no general (federal) data protection requirement
- Specific US items may need more specific consideration, e.g. Gramm-Leach-Bliley, HIPAA, COPPA, Fair Credit Reporting, State Data Protection
- European rules on data protection are more general
- Safe Harbor update
Examples where data security and data privacy issues come up
"Normal" companies (i.e. not "internet" companies)
- Employee records: State data security (SSNs etc.)
- Hiring decisions: State data security & Fair Credit Reporting
- Customer relationships: Information about EU customers
- Services provided to healthcare companies: Are you a "business associate"?
- Use of on-line resources: Are your records appropriately protected?

Examples (cont.)
"Internet" companies, i.e. product provided over the internet
- Obligations regarding customer data
- Obligations regarding the customer's customers' data
- Ability to use data to improve products, or to provide services to parties other than the immediate customer
- Obligations regarding method of storage/protection of data
Some terminology to use
Personally Identifiable Information ("PII")
- A data protection (US state law) concept
- Information associated with a particular individual
- Example definition under Massachusetts data protection law: Name + account number
Personal Health Information ("PHI")
- A HIPAA concept
- Information relating to health care services provided to an individual
- Can include billing information

Terminology (cont.)
HIPAA
- US federal law regulating health information
- Generally covers health care providers
- Can also extend to "business associates"
Gramm-Leach-Bliley
- US federal law regulating privacy of financial information
- Generally covers financial institutions

Terminology (cont.)
Data subject/subject individual
- The individual the data is being gathered about
- Generic terminology/EU privacy terminology
Aggregated data
- Data which has been combined so that it does not reflect any particular individual

Terminology (cont.)
Customer
- The organization utilizing the information supplied by the content company concerning the data subject
End User
- May be the same as the data subject, or may be a person at the Customer organization

Terminology (cont.)
Encryption
- A method of transforming data so that it is not immediately readable by an unauthorized third party
Clear text
- The original unencrypted data
Rights/Liability
Interests of the content company
- (Data Privacy) Use restriction obligation to data subject, source
- (Data Security) Security protection obligation to data subject
- (Data Integrity) Data integrity of concern to data recipient, not to subject

Rights/Liability (cont.)
Interests of the data subject
- (Data Privacy) Use restriction obligation to data subject
- (Data Security) Security protection obligation to data subject
- (Data Integrity) Data integrity not relevant to subject

Rights/Liability (cont.)
Customer
- (Data Privacy/IP) Use restriction obligation to data subject, source
- (Data Security) Security protection obligation to data subject
- (Data Integrity) Data integrity of concern to Customer

Contractual protection of data is important
Problem areas/issues
- Overbroad clauses
- Indemnification
- Liability for events over which you have no control
- Confidentiality clauses; interaction with privacy policies
- Addressing multiple levels of source of data: End user -> provider -> customer -> third party resources
HIPAA
- What is covered: Protected health information maintained or transmitted electronically ("PHI")
- Who is covered:
  - Covered Entity: includes health plans, and health care providers who transmit any health information in electronic form
  - Business Associate: includes non-health care organizations performing services for a Covered Entity involving access to PHI

HIPAA (cont.)
- What is required: adequate security; Business Associate Agreements ("BAA") with Business Associates
- What is restricted: Use of PHI other than for provision of health care
- What is permitted: use for health care purposes, etc.
- What is not covered: aggregated data, de-identified data

Gramm-Leach-Bliley
- What is covered: nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes; but not for business, commercial, or agricultural purposes.
- Who is covered: Financial institutions

GLB (cont.)
- What is required: develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to insure the security and confidentiality of customer information. 16 CFR 314.3

Fair Credit Reporting Act
- What is covered: "consumer report": communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, . . . character, general reputation, personal characteristics, or mode of living. 15 U.S.C. § 1681a(d)

FCRA (cont.)
- Who is covered: Consumer reporting agencies
- What is required: In many cases, consent from data subject; notice upon adverse actions; correction of erroneous information

FCRA (cont.)
- What is restricted: Use of/access to credit information for an unauthorized reason (i.e. not in connection with a credit etc. transaction); maintenance of certain stale or prohibited information. 15 U.S.C. § 1681c
- What is permitted: Use for eligibility for credit, insurance or employment purposes with consent of data subject. 15 U.S.C. § 1681b

EU
- Expansive view of what is covered
- Requirement re destruction/review by data subject
- Restrictions on cross-border usage
- Impact of recent "Safe Harbor" decision

State Data Protection Laws
Overview
- What is covered: Personally identifiable information ("PII"), usually a name or email address plus SSN or financial account number, in general only in electronic form
- Who is covered: In general, citizens of the applicable state
- What is required: Encryption of electronic PII
- What is restricted: In general, unauthorized disclosure of PII

Massachusetts example
- What is covered
- What is required
- What is not covered
- Actions to take on data breach
Data Security
Considerations
- What is the data being utilized?
- Plan ahead for type/form of data collection
- Define access control
- Understand location of content and encryption strategy
- Understand backup and archiving
- Contingency plan for data breach

What is content used for - internally
- Consistency with internal privacy policy
- Consistency with regulatory requirements
- Consistency with IP rights granted in end user agreements

What is content used for - provider
- Consistency with internal and provider privacy policy
- Consistency with regulatory requirements
- Consistency with IP rights granted in end user agreements
- Is aggregate/anonymous use permitted?

What is content used for - provider (cont.)
- Performance of service
- Monitoring of service
- Other uses
  - Creating new products
  - Selling of aggregate data

Planning ahead for data collection and storage
- Where is data stored?
- Is data for separate projects/separate clients stored in separate "containers"?
- How is access controlled (2-factor authentication?)
- In what form is it stored (encrypted or unencrypted)?
- Where are encryption keys stored?
- How is it protected from external access (firewalls etc.)?

Access to Content - Generally
- Purpose of access
- Security of information flow
- Agreements with third parties
- Conformance of theory with reality

Access to Content - Generally (cont.)
- Consider regulatory requirements for protection of data
- Consider regulatory requirements for agreements (BAAs etc.)
- Consider impact of mobile usage

Access to Content - Generally (cont.)
Employees
- Implement appropriate internal security policy
- Consider whether employee use of own devices is problematic
Access by third parties
- Implement appropriate non-disclosure agreements
- Make sure access is consistent with agreements and privacy policy

Subcontractors
- Consent over use of subcontractors
- Vetting of subcontractors
- Ensuring contractual provisions flow through properly
- May require use of BAAs for HIPAA data
- Dealing with changes to provision

Backups and archives
- How is it archived?
- Where is it archived? Is the location acceptable based on general data protection principles?
- Frequency
- Security: encrypted vs. non-encrypted
- Retention period: when can/must it be destroyed?
- Stop destruction in case of litigation

Backups and archives (cont.)
- Make sure document retention policy and archive process are consistent
- Make sure a litigation hold can be implemented
- Clarify location of data
- Consider ability to delete backups/archives on a client-by-client/project-by-project basis
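As an added example (not from the talk), the storage-planning and backup questions above can be answered in one design: field-level encryption of the regulated fields only (name plus SSN or account number, the Massachusetts-style trigger from the terminology slide), with one random key per client held in a key store kept apart from the record store, tamper detection before any decryption, and per-client deletion of every backup and archive copy by destroying that client's key. The HMAC-SHA256 counter-mode construction is a standard-library stand-in for a real AEAD such as AES-GCM, and `PiiVault`, `store_record` and the record field names are assumed for illustration.

```python
import hashlib
import hmac
import secrets

# Massachusetts-style trigger from the slides: name + SSN or account number.
REGULATED_FIELDS = ("ssn", "account_number")

def is_regulated_pii(record):
    return bool(record.get("name")) and any(record.get(f) for f in REGULATED_FIELDS)

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stdlib-only PRF (stand-in for AES-GCM).
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]

class PiiVault:
    """Key store held apart from the record store: one random key per client."""
    def __init__(self):
        self._keys = {}
    def _subkeys(self, client_id):
        k = self._keys.setdefault(client_id, secrets.token_bytes(32))
        return (hmac.new(k, b"enc", hashlib.sha256).digest(),
                hmac.new(k, b"mac", hashlib.sha256).digest())
    def seal(self, client_id, clear_text):
        enc_key, mac_key = self._subkeys(client_id)
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(clear_text, _keystream(enc_key, nonce, len(clear_text))))
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return nonce + tag + ct
    def unseal(self, client_id, blob):
        if client_id not in self._keys:
            raise KeyError("keys destroyed; data for %s is unrecoverable" % client_id)
        enc_key, mac_key = self._subkeys(client_id)
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("authentication failed: stored PII was altered")
        return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    def destroy_client_keys(self, client_id):
        # Crypto-shredding: every backup/archive copy for this client becomes unreadable.
        self._keys.pop(client_id, None)

def store_record(vault, client_id, record):
    # Seal only the regulated fields; non-PII fields stay in clear text.
    stored = dict(record)
    for f in REGULATED_FIELDS:
        if is_regulated_pii(record) and stored.get(f):
            stored[f] = vault.seal(client_id, stored[f].encode()).hex()
    return stored
```

A record without a name, or without an SSN/account number, is stored unchanged, which is why the classification check runs before any field is sealed.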
Data Breach
Exposure to liability
- Financial: identity theft monitoring
- HIPAA: regulatory actions
Contingency planning for data breach
- Understanding regulatory requirements and time frames
- Determining types of data being stored
- Encryption
Arrange insurance for data breach
- Usually E&O
- May be sublimits on notification
- Primary insurance coverage under own policy
- Also coverage under supplier policy: name as additional insured
- Concern about coverage amount

Questions?
Peter Moldave
Gesmer Updegrove LLP
617-531-8340
peter.moldave@gesmer.com