privacy and data breach issues kirk herath, vp, chief privacy officer, nationwide dino tsibouris,...

Privacy and Data Breach Issues

Kirk Herath, VP, Chief Privacy Officer, Nationwide & Dino Tsibouris, Founding Principal, Tsibouris & Associates

“Big Data”

• What is Big Data?1. Exponential Growth in Data Generation• Web Tracking Techniques• Internet-Enabled Mobile Devices

2. Innovations in Data Use• Increase in Computing Capability• Falling Cost of Data Storage• Advances in Statistical Analysis

• Risks?

GLBA and State Law Progeny

• Data Lakes– Data accumulates from a variety of sources• Customers, Consumers, Affiliates, and 3rd Parties

• Data Governance & Preference Management– Data accuracy, completeness, and security– Is data “fit for a particular purpose?”• Record Retention – Is the data “expired?”• Opt-Out Preferences or a Failure to Opt-In?

TCPA

• Collecting Phone Numbers– Notice and Consent?– Use Limitations?

• July 10, 2015 FCC Declaratory Ruling and Order– Key: Definition of an Auto Dialer

Using “Big Data” to Gauge Risk

• Traditional Consumer Reporting Agencies v. ZestFinancial– FICO = 10-15 Variables to Derive a Risk Score– ZestFinancial = 1,000+ Variables to Derive a Risk

Score• Is this better? What are the risks?– Regulator Uncertainty and Scrutiny– Consumer Protection Considerations

FCRA

• Consumer Reporting Agencies– 3rd Party Reports– 7 Factor Data– Used for a Permissible Purpose

• Duties– Accuracy and Completeness– Transparency and Redress

• Private Right of Action & Statutory Damages

Fair Lending

• Laws– ECOA/Reg B– Fair Housing Act– UDAAP

• Discrimination– Disparate Treatment– Disparate Impact

Themes and Trends

Closer Look at Wyndham • 3 data breaches at hotels in less than 2 years.• Privacy and security representations made. • FTC alleges that Wyndham failed to:–Use complex IDs and passwords,–Use firewalls and network segmentation,–Patch systems, and – Follow incident response procedures.

• Compromised 500K credit cards.

Typical FTC §5 Enforcement Action• Designate employee responsible for privacy or

security program.• Conduct risk assessment and employee training.• Test and monitor risk identified.• Implement and maintain protections.• Evaluate and adjust of program.• Biennial third-party assessments.• In effect for 20 years.

Zappos MA AG Enforcement

• Zappos agreed to pay $106K• Unauthorized access to:–Names, addresses, phone numbers, – Last 4 digits of credit card numbers, and– Login credentials of customers.

Zappos MA AG Enforcement• Settlement requires:–Maintenance and compliance with information

security policies,– Providing the AG with information,– Demonstrating compliance with PCI-DSS for two

years,– Third party audit, providing copy to MA AG, and

addressing deficiencies, and – Annual training.

SHA1 MD5

The Legal Response

• Proposed federal legislation• Expanding state legislation• Federal and state level enforcement• Civil liability

A Push for Federal Data Breach Legislation

• Personal Data Notification & Protection Act• Proposed by President Obama at the State of the

Union Address on January 20, 2015• Pre-empts state laws• Must notify in 30 days• No private right of action• FTC enforcement

Personal Data Notification & Protection Act Triggers

• First and last name/or first initial and last name along with any two:–Home address or phone number–Mother’s maiden name– Full birth date

• SSN, DL, passport, alien registration number• Biometric data• Unique account ID (user name, routing code)

Personal Data Notification & Protection Act Triggers

• Any combination of the following three elements:– First and last name/first initial and last

name–Unique account ID–Any security code/source code that could

generate a security code or password

Personal Data Notification & Protection Act

• Risk of harm analysis• Must send notice 30 days after discovery• Individual notice (email acceptable with

consent)• Notice to media• Notice to Federal law enforcement• Notice to credit reporting agencies

A Push for State Law and Regulation

• Timing and content of breach notice• Definition of personal data– Email/password information–Non-HIPAA health data

• Requirements to inform media/regulators

Contracting3.2. Protection of Your Data. We will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data, as described in the Documentation.

Security Breaches

• Remediation• Notification– Individuals, Regulators, Media

• Litigation

General Data Protection Regulation

• EU member states in final stages of negotiations.

• Expected in the next year or so. • Includes data breach notification obligation.• Fines as high as %2 of annual turnover.

Dino Tsibouris(614) 360-3133

Dino@Tsibouris.com

Questions & Answers

Kirk HerathHerathK@Nationwide.com