dino tsibouris & mehmet munur - legal perspective on data security for 2016

Post on 16-Jan-2017


Legal Perspective on Data Security for 2016

Mehmet Munur, Attorney
Tsibouris & Associates, LLC

Dino Tsibouris, Attorney
Tsibouris & Associates, LLC

Overview
1. Looking back at 2015
2. More capable and technical regulators
3. Expanding enforcement by Federal regulators
4. State guidelines on security
5. How to prepare
6. International privacy issues

Looking back at 2015

Expanding Enforcement

Typical FTC §5 Enforcement Action
• Designate employee responsible for privacy or security program
• Conduct risk assessment and employee training
• Test and monitor risks identified
• Implement and maintain protections
• Evaluate and adjust program
• Biennial third-party assessments
• In effect for 20 years

ASUS FTC Enforcement

“your secure space”
“private personal cloud for selective file sharing”
“indefinite storage and increased privacy”
“the most complete, accessible, and secure cloud platform”

ASUS FTC Enforcement

• Authentication bypass vulnerability
• Password disclosure vulnerability
• Cross-site request forgery vulnerabilities
• FTP server, if enabled, open to all by default
• Notified of vulnerabilities in June 2013
• Issued firmware in February 2014

ASUS FTC Enforcement
• Risk assessment must include risks relating to:
– Employee training and management, including secure engineering and defensive programming;
– Product design, development, and research;
– Secure software design, development, and testing, including for Default Settings;
– Review, assessment, and response to third-party security vulnerability reports; and
– Prevention, detection, and response to attacks, intrusions, or systems failures.

ASUS FTC Enforcement
• Design and implementation of reasonable safeguards must include:
– Vulnerability and penetration testing;
– Security architecture reviews;
– Code reviews; and
– Other reasonable and appropriate assessments, audits, reviews, or tests to identify potential security failures and verify that access to Covered Devices and Covered Information is restricted consistent with a user’s security settings.

CFPB Dwolla Enforcement

Data security practices “exceed industry standards” / “surpass industry security standards”
“sets a new precedent for the industry for safety and security”
Dwolla stores consumer information “in a bank-level hosting and security environment”

CFPB Dwolla Enforcement
• Falsely claimed its data security practices exceeded or surpassed industry security standards
• Failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access
• Falsely claimed that its information is securely encrypted and stored
• Did not encrypt some sensitive consumer personal information and released applications to the public before testing whether they were secure

CFPB Dwolla Enforcement

• Consent order requires Dwolla to:
– Stop misrepresenting its data security practices;
– Train employees; and
– Pay a $100,000 civil money penalty.

• There was no data breach.

HIPAA Enforcement

• Feinstein Institute for Medical Research $3.9 million settlement, security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities

• North Memorial Health Care of Minnesota $1.55 million settlement for failing to enter into a business associate agreement

CA AG Data Breach Report
• Recommendations:
– For reasonable security, points to the 20 controls from the Center for Internet Security’s Critical Security Controls
– Implement multi-factor authentication
– Use strong encryption with portable and desktop devices, especially in the healthcare sector

How to Prepare

• Conduct a privacy audit
• Identify the categories of data you collect
• Locate where it is collected and stored
• Identify who may access it
• Limit access

• Perform intrusion testing
• Create a data incident response plan
• Develop customer communications
• Anticipate regulator notifications if required
• Select media response team

• Draft internal privacy policy and external privacy notices
• Develop an information security policy
• Integrate with HR policies
• Data Security Team - Physical & System Security
• Vendor management

International Privacy Issues

EU-US Privacy Shield

Possible Alternatives

• Standard Contractual Clauses (Model Clauses)
• Binding Corporate Rules
• Derogations in Law
– Necessary for performance of contract
– Unambiguous, informed, freely given, specific consent
• European Commission working on details of the EU-US Privacy Shield

General Data Protection Regulation

• Final text negotiated but not formally published – effective in ~ 2.5 years

• 72-hour data breach notification obligation
• Fines as high as 4% of annual turnover

What should you do?
• Implement security and privacy by design
• Understand data collection, transfer, and use
• Conduct risk assessments
• Address risk assessment results
• Prepare for data breaches
• Ready response teams, including legal, communications, forensic, and business
• Obtain cyber liability insurance
• Repeat annually

Questions & Answers

Dino Tsibouris, (614) 360-3133, Dino@Tsibouris.com
Mehmet Munur, (614) 859-6962, Mehmet.Munur@Tsibouris.com