privacy & data security for inhouse counsel

Post on 22-Nov-2014


WARNING TRACK

Privacy & Data Security Issues

for In-House Counsel

Presented by Anthony Martin

May 7, 2009

Copyright 2009, Husch Blackwell Sanders LLP

Cell Phones Stolen from Verizon Stores

ST. LOUIS POST-DISPATCH

Tuesday, May 5, 2009

Burglars broke into three area Verizon Wireless stores overnight, stealing about 100 cell phones and two computers worth at least $42,000, police said.

• State & Local Police

• US Attorneys Office

• FBI

• FTC

• Public Relations

• IT Department

• Risk Management

• Insurance Agents

• Legal Team

• Privacy Policies

• Data Breach Report

• Service Provider Contracts

• PCI-DSS

• Banks & CC

• Customer Lists

• State Breach Laws

• Pick up the kids.

10,000 Customer Records

$200 Per Record

$2,000,000 Problem

WARNING TRACK

Privacy & Data Security Issues

for In-House Counsel

Information Privacy: how we collect and use the “personal information” of others that we are authorized to have.

Data Security: how we keep that personal information safe from unauthorized access or use.

Outline For Discussion

• Labor & Employment

• Litigation

• Real Estate

• Corporate Compliance

• Corporate Transactions

• Solutions

Labor & Employment

• Reasonable Expectation of Privacy.

• Access to Employee e-mail.

• Location Awareness and Social Media.

• Employee Handbooks and Policies.

The Stored Communications Act prohibits intentional access to an electronic communication while it is in electronic storage in such system.

18 U.S.C.A. § 2701

Litigation

• Admissibility of Evidence.

• Cross-Border Discovery Issues.

• Protective Orders and Appeals.

The Member States shall provide that the transfer to a third country of personal data . . . may take place only if the third country in question ensures an adequate level of protection.

Article 25, EU Privacy Directive

Real Estate

• Mortgage Fraud and Identity Theft.

• FACT Act “Red Flags” Regulations.

Corporate Compliance

• Data Breach Incident Response Plan.

• Sarbanes-Oxley and SEC Disclosures.

• Increased Regulation and Oversight.

446 reported data breaches for 2007.

656 reported data breaches for 2008.

159 reported data breaches in 2009.

12,000 Laptops are “lost” in airports.

Every week.

Average incident costs are $6.65 million.

The most significant cost decrease was seen in activities relating to post-breach response.

The U.S. Cost of a Data Breach Study

Ponemon Institute

The CEO must certify that all the information in public reports is valid and accurate.

The CEO signs off on the validity of the data without confirmation of the security of those systems and networks.

The CEO/CFO must attest to having proper "internal controls."

These “internal controls” include controls over networked electronic systems, which can include anything that sits on the network or connects to the network.

Corporate Transactions

• Service Provider Agreements.

• Mergers & Acquisitions.

Third-party organizations accounted for more than 44 percent of all breaches.

These are the most expensive form of data breaches due to additional investigation fees.

Solutions

• Risk Assessments.

• Plan with Privacy & Data Security in Mind.

• Training.

• Privacy Officer.

“You have zero privacy. . .”

“Get over it.”

Scott McNealy, CEO, Sun Microsystems

“Every single datum about my life is private? That's silly.”

Antonin Scalia, US Supreme Court

Including:

home address and the value of his home,

home phone number,

movies he likes,

food preferences,

wife's personal e-mail address,

and "photos of his lovely grandchildren."

15-Page Dossier on Scalia . . .
