Data Privacy and Information Security Compliance Under Heightened Scrutiny: Responding to a Data Breach or Cyber Attack Today’s faculty features: 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1. WEDNESDAY, MAY 29, 2019 Presenting a live 90-minute webinar with interactive Q&A Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West, Mountain View, Calif. Isis Miranda, Attorney, Freeman Mathis & Gary, Los Angeles, Calif.


Page 1: Data Privacy and Information Security Compliance Under ...media.straffordpub.com/products/data-privacy-and... · 5/29/2019  · 1-866-961-8499and enter your PIN when prompted. Otherwise,

Data Privacy and Information Security

Compliance Under Heightened Scrutiny:

Responding to a Data Breach or Cyber Attack

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.

WEDNESDAY, MAY 29, 2019

Presenting a live 90-minute webinar with interactive Q&A

Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West, Mountain View, Calif.

Isis Miranda, Attorney, Freeman Mathis & Gary, Los Angeles, Calif.


Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-961-8499 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY


Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926 ext. 2.

FOR LIVE EVENT ONLY


Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY


Data Privacy and Information Security Compliance Under Heightened Scrutiny

Robert Brownstone

and

Isis Miranda

May 29, 2019

© 2019 the presenters and their respective firms

THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.

THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.

THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.


Panelists

6


Agenda

I. NEW PRIVACY LEGISLATION

• The data privacy phenomenon

• Complying with the CCPA

II. DATA BREACHES

• Proactively preventing data breaches

• Reactively responding to data breaches

III. CYBERSECURITY INSURANCE

• Coverage for data breaches and privacy violations

• Other risk transfer strategies

7


I. NEW PRIVACY LEGISLATION


The Privacy Phenomenon (Global)

Share of countries by status of data-privacy legislation (chart):

58% Countries with Legislation

10% Countries with Draft Legislation

21% Countries with No Legislation

12% Countries with No Data

9


The Privacy Phenomenon (U.S.)

State legislation shown on the map (legend: Law Passed / Legislation Pending):

CA: CCPA

NV: Chapter 603A

NV: SB220

WA: SB5376

ND: HB14185

IL: HB 3358

NM: SB176

HI: SB418

TX: HB4518 & HB4390

NY: S224 & SB S8641

MA: SD341/S120

NJ: S2834

RI: S0234

MD: SB613

CT: RB1108

Federal privacy laws: HIPAA, GLBA, COPPA, ECPA, etc.

10


Key Influences (driving new legislation)

• Expanding digital footprint

• Rise of data brokers (e.g. Acxiom)

• Online behavioral advertising

• Edward Snowden

• Governmental surveillance (global)

• Massive data breaches

• Cambridge Analytica

Texas Public Radio: https://www.tpr.org/post/views-brews-whos-tracking-your-digital-footprint

11


Online Behavioral Advertising

The Future of Privacy Forum: https://fpf.org/2016/05/20/14382/

12


13


CCPA Overview

• The California Consumer Privacy Act (CCPA) provides California residents with:

1. Privacy Rights: certain rights to control personal information (broadly defined) pertaining to them; and

2. Private Right of Action: right to sue for statutory damages whenever their personal information (narrowly defined) is breached and the breach is caused by the failure to maintain reasonable security measures.

• The CCPA was rushed through the legislative process to avoid a stricter privacy law being placed on the voter ballot.

• As a result, the law has many ambiguities and internal inconsistencies.

• Many amendments to revise and/or clarify the CCPA are pending.

• Nonetheless, the act takes effect on January 1, 2020.

• The attorney general (AG) may begin enforcement actions 6 months after publishing guidance or on July 1, 2020, whichever is earlier.

• Many states are following CA’s lead, and many more are expected.

14


DISCLAIMER

The CCPA has numerous ambiguities and internal inconsistencies on account of the record-breaking speed with which it was written and enacted. The materials provided herein, which do not constitute legal advice, are designed to aid in understanding the CCPA in spite of those factors.

15


CCPA Covered Entities

• The CCPA applies to for-profit entities doing business in California:

a) with at least $25 million in annual revenue;

b) that receive or share the personal information of 50,000 or more consumers, households, or devices annually; or

c) derive 50% or more of revenues from the sale of consumers’ personal information.

• Consumer: A “natural person who is a California resident . . . however identified, including by any unique identifier.”

• Business: Determines the “purposes and means” of processing PI.

• Service Provider: Processes information on behalf of a business pursuant to a written contract that prohibits the service provider from using PI for any other purpose.

• Third Party: an entity that is not a Business or a Service Provider (with some caveats).

16


CCPA Consumer Rights

1. Right to know what personal information is being collected

2. Right to access & portability

3. Right to delete, unless information is needed:

• To complete transactions with the consumer or associated internal uses

• To detect security breaches

• To identify and repair errors that impair existing functionality

• To protect against or prosecute illegal activity

• Comply with a legal obligation

• Other exceptions also apply

4. Right to opt-out of the “sale” (or opt-in for minors)

5. Right not to be discriminated against for exercising their rights

17


CCPA Definition of PI

“Personal Information means information that identifies or could reasonably be linked to a particular consumer or household.”

18

Personal Information “Categories”

(A) “Identifiers, such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, and other similar identifiers.”

(B) “Any categories of personal information described in [1798.90(e)].”

(C) “Characteristics of protected classifications under California or Federal law.”

(D) “Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consumer histories or tendencies.”

(E) “Biometric information.”

(F) “Internet or other electronic network activity, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”

(G) “Geolocation data.”

(H) “Audio, electronic, visual, thermal, olfactory, or similar information.”

(I) “Professional or employment-related information.”

(J) “Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.”

(K) “Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”


CCPA Rights and Obligations

Consumer’s Rights | Business Obligations (unless specified otherwise)

Right to access PI collected (§§ 1798.100; 1798.110)

• Inform consumers of the categories of PI to be collected and the purpose for which the information will be used.

• Upon request, disclose:

• The categories of PI collected

• Sources of information

• Business or commercial purpose for collecting

• Categories of third parties with whom PI is shared

• The specific pieces of PI collected in prior 12 months

Right to delete PI collected (§ 1798.105)

• Inform consumers of their right to delete.

• Upon request, delete PI collected (stored by the Business or a Service Provider), unless exception applies.

Right to know what PI is sold or disclosed (§ 1798.115)

• Upon request, disclose:

• The categories of PI sold in prior 12 months and the categories of third parties to whom the PI was sold (matrix format).

• The categories of PI disclosed for a business purpose and the categories of entities to whom the data was disclosed.

• Third Parties must provide consumers with explicit notice and opportunity to opt-out before re-selling PI they have purchased.

Right to opt-out from sale of PI (§ 1798.120)

• Inform consumers that their PI may be sold and that they have the right to opt-out (or opt-in for minors)

• Upon request (or lack of consent for minors), refrain from selling PI

19


CCPA Enforcement & Fines

• Privacy Violations:

• The AG may bring actions if businesses fail to cure the violation within 30 days of receiving notice and may seek civil penalties of $2,500 per violation or $7,500 for each intentional violation.

• Data Breaches (Private Right of Action):

• In addition to enforcement actions by the AG, consumers may bring suit, individually or as part of a class action, if businesses fail to cure the violation within 30 days of receiving notice and may recover statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater.

• Consumers can also sue for actual damages at any time.

20


CCPA Compliance – Data Map

• Prepare a data map indicating the location, age, and type of personal information:

1. Collected from consumers

2. Obtained from other entities

3. Shared with other entities, including:

a. Service providers for business purposes (not a “sale”)

b. Third parties to whom the consumer directs the disclosure of their information or intentionally interacts (not a “sale” provided that the third-party does not sell the information)

c. Third parties or other entities for monetary or other valuable consideration (constitutes a “sale”)

• Prioritize data security, including documenting basis for decisions, focusing on highly sensitive information stored in the least protected manner.

21


CCPA Compliance – New Processes

• Develop processes (including system changes, training staff, etc.) to:

• Exclude consumers from the “sale” of information when they click the “Do Not Sell My Personal Information” button on your website, as well as the sale of information pertaining to minors (age 16 or younger) absent appropriate consent.

• Provide consumer with actual PI collected for prior 12 months and/or delete all PI, upon a verifiable request.

• Must be achievable within 45 days of receiving request but may be extended by up to an additional 45 (or 90?) days where reasonably necessary.

• Includes information stored by Service Providers, but not Third Parties

• Must be delivered through the consumer’s account or by email, in a readily usable format, or by mail.

• Verify consumer requests, including determining whether they are made by or on behalf of a California resident.

22


CCPA Compliance – Website Updates

• Determine whether a separate website is needed for California consumers.

• Add a “Do Not Sell My Personal Information” button conspicuously displayed on the homepage or a California-specific website.

• Add a toll-free number consumers may call to submit requests.

• Add a website form for submitting requests

• Update privacy policy to include:

• A description of consumers’ rights under the CCPA and a link to the webpage containing the “Do Not Sell My Personal Information” button.

• Information collected: The categories of personal information collected, the categories of the sources of the information, and the commercial and business purposes for which the personal information is collected.

• Information shared: The categories of personal information sold or disclosed, the categories of entities with whom the information is shared, and the business or commercial purpose for sharing the information.

• Description of any financial incentives for providing data or not exercising rights.

• Two or more designated methods for submitting requests, including a toll-free number and a website address (if applicable).

23


CCPA Compliance – Training

• A business must ensure that all individuals responsible for handling consumer inquiries about the business’ privacy practices, including how the business complies with the CCPA, are informed of all of the requirements in [the transparency and access provisions] and how to direct consumers to exercise their rights under those sections.

24


CCPA Compliance – Contract Updates

• Update contracts with service providers to include a certification that the service provider understands and will comply with the restrictions set forth in the CCPA [See section 1798.20(v) and (w)].

• A business that discloses personal information to a service provider (pursuant to a written agreement containing a certification of compliance) shall not be liable if the service provider violates the CCPA provided that, at the time the information was disclosed, the business does not have “actual knowledge, or reason to believe, that the service provider intends to commit such a violation.” [See section 1798.20(w)].

25


CCPA Data Security “Requirements”

• The CCPA has no express requirements pertaining to data security.

• There is a provision (Section 1798.150(a)(1)) that provides a remedy for the breach of a consumer’s personal information as a result of a business’s violation of its duty to maintain reasonable security measures, a duty that is not defined elsewhere in the CCPA.

• Nonetheless, notice must be provided to the business as to which provisions of the CCPA it has violated.

• Although the business has the opportunity to “cure” the breach within 30 days, it is unclear how that is possible in a data breach context.

• A business is required to attest that the violation has been cured AND that “no further violations shall occur.”

26


II. DATA BREACHES


28


II. A. Proactive Prevention of Data Breaches – Introduction

Divide the Universe, e.g., into:

1. Policies/Practices Applicable to All Information, Including PII

2. Policies/Practices Applicable to Personal Information as to Non-Employee Individuals

3. Policies/Practices Applicable to PII Collected From Employees

4. Data-Storage Contracts with Third-Party Hosts (Cloud, etc.)

29


II(A). Policies – Enforcement AND Training

Kompliance KUMBAYA?!

Clear, well-thought-out language regarding which multiple constituencies have weighed in . . .

Compliance’s “3 E’s” = Establish/Educate/Enforce (Nancy Flynn, ePolicy Institute, as discussed here)

30


II(A). Compliance’s Three E’s (c’t’d)

Train managers and staff re: access, nondisclosure and safeguarding

Review pertinent segments of certain Employee Handbook policies, e.g.:

Code of Conduct; Confidentiality Policy

Technology-Acceptable-Use Policy (TAUP)/No-Employee-Expectation-of-Privacy Policy (NoEEP)

Social-Media

BYOD (Mobile Devices)

Separating-Employee Policy [& related checklist(s) from IT Dep’t, HR Dep’t, etc.]

31


II(A). Training (c’t’d)

[Spear-]Phishing

Test users periodically

Capture metrics

Encourage vigilance

Ransomware

Keep patches up to date

Back-up regimen – rule of 3

Bitcoin?

32


II(A). 1. Proactive Prevention (c’t’d)

Many tips/tools discussed in:

Brownstone/Moore Cyber Security Practitioner article (May ’17) downloadable here

Koenig, et al., Equifax Breach: 3 Immediate Steps Leading Companies Are Taking To Respond, Fenwick & West Alert (9/22/17)

Hobbs, et al., New Concerns for Employers and HR Departments post-Equifax Cyber Breach, Holland & Hart (9/18/17)

Argento, et al., Vendor Breaches and Their Implications for Employers, Littler (9/15/17)

33


II(A). Prevention (c’t’d) – 2. Passwords; Access; & Central Storage

Passwords

Lockout . . . No sharing . . . Password manager?

2-factor authentication

Traditionally, these have been considered best practices:

minimum 8 (or 12) characters, complex

reuse restriction

90-day expiration

But see new NIST SP 800-63: Digital Identity Guidelines (6/22/17) and this Aug. ’17 NIST paper/bulletin

34
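As an added example (not from the slides, and not NIST's own text), the two approaches side by side in Go: the traditional composition-and-reuse rules the slide lists, and a checker aligned with SP 800-63B's length-plus-blocklist model (minimum 8 characters, at least 64 allowed, no composition rules, no periodic expiry, screening against a list of common or breached values). The blocklist, candidate passwords and normalization rule are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// TraditionalPolicy encodes the "classic" rules from the slide: at least 8
// characters, "complex" (read here as 3 of the 4 character classes), and no
// reuse of a password in the history. The 90-day expiry would be enforced by
// the account store, not by this check.
func TraditionalPolicy(pw string, history []string) error {
	if utf8.RuneCountInString(pw) < 8 {
		return errors.New("shorter than 8 characters")
	}
	var lower, upper, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true // punctuation, symbols and spaces
		}
	}
	classes := 0
	for _, present := range []bool{lower, upper, digit, other} {
		if present {
			classes++
		}
	}
	if classes < 3 {
		return errors.New("needs at least 3 of: lower, upper, digit, symbol")
	}
	for _, old := range history {
		if old == pw {
			return errors.New("reuses a previous password")
		}
	}
	return nil
}

// NISTPolicy follows the SP 800-63B approach: length is the main control
// (minimum 8, at least 64 allowed), no composition rules, no periodic
// expiry, and every candidate is screened against a blocklist of common or
// previously breached values.
type NISTPolicy struct {
	Blocklist map[string]bool // normalized entries
}

// normalize matches the blocklist case-insensitively and ignores
// surrounding whitespace (a constructed convention for this example).
func normalize(pw string) string {
	return strings.ToLower(strings.TrimSpace(pw))
}

// Check returns nil when pw is acceptable under the NIST-style policy.
func (p NISTPolicy) Check(pw string) error {
	n := utf8.RuneCountInString(pw)
	if n < 8 {
		return errors.New("shorter than 8 characters")
	}
	if n > 64 {
		return errors.New("longer than 64 characters")
	}
	if p.Blocklist[normalize(pw)] {
		return errors.New("appears on the common/compromised password list")
	}
	return nil
}

// ConstructedBlocklist is a tiny stand-in for a real breached-password
// corpus; in production this would be a large, regularly refreshed list.
func ConstructedBlocklist() map[string]bool {
	list := map[string]bool{}
	for _, s := range []string{"password", "p@ssw0rd", "123456789", "qwerty123", "summer2019!"} {
		list[s] = true
	}
	return list
}

func main() {
	nist := NISTPolicy{Blocklist: ConstructedBlocklist()}
	// Constructed candidates: the first two satisfy every composition rule yet
	// are predictable; the passphrase fails composition but is far stronger.
	for _, pw := range []string{"P@ssw0rd", "Summer2019!", "correct horse battery staple"} {
		fmt.Printf("%-32q traditional=%v  nist=%v\n", pw, TraditionalPolicy(pw, nil), nist.Check(pw))
	}
}
```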


II(A)(2). Access (c’t’d) – RBAC

“Least Privileged Access” approach [“role-based access control (RBAC)”]

Data and physical

Default is “deny all” – i.e., cannot gain access unless:

affirmative need shown; and

specifically authorized

For lawyers: “‘Need to Know’ Security” (LTN 4/24/17) (LEXIS login needed)

Central vs. Local Storage

Digital Rights Management (DRM)?

35
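An added illustration, not from the slides, of the slide's two-part test as a default-deny authorizer in Go: access is allowed only when the subject's role carries an explicit grant and an approved, unexpired need-to-know is on file; unknown subjects, missing grants and expired needs all fall through to deny. Subjects, roles, resources and expiry windows are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Grant is an explicit, specific authorization: a role may take an action
// on a resource class. Anything not listed here is denied.
type Grant struct{ Role, Action, Resource string }

// Need records an approved, time-boxed justification for one subject on
// one resource: the "affirmative need shown" half of the slide's test.
type Need struct {
	Subject, Resource string
	Approved          bool
	Expires           time.Time
}

// Policy is the whole access model; all names in it are constructed.
type Policy struct {
	Roles  map[string]string // subject -> single role
	Grants []Grant
	Needs  []Need
}

// Authorize is default-deny. Access requires BOTH a grant for the subject's
// role AND an approved, unexpired need on file. The reason string is meant
// for the audit log, so every deny path explains itself.
func (p Policy) Authorize(subject, action, resource string, now time.Time) (bool, string) {
	role, ok := p.Roles[subject]
	if !ok {
		return false, "deny: unknown subject"
	}
	granted := false
	for _, g := range p.Grants {
		if g.Role == role && g.Action == action && g.Resource == resource {
			granted = true
			break
		}
	}
	if !granted {
		return false, "deny: role " + role + " not authorized for " + action + " on " + resource
	}
	for _, n := range p.Needs {
		if n.Subject == subject && n.Resource == resource && n.Approved && now.Before(n.Expires) {
			return true, "allow: grant and approved need"
		}
	}
	return false, "deny: no approved, current need on file"
}

// ConstructedPolicy builds a small example: HR analysts may read employee
// PII, but only alice has a current approved need; bob's has expired, and
// carol (an engineer) has a grant on build logs but no need recorded.
func ConstructedPolicy(now time.Time) Policy {
	return Policy{
		Roles: map[string]string{"alice": "hr-analyst", "bob": "hr-analyst", "carol": "engineer"},
		Grants: []Grant{
			{Role: "hr-analyst", Action: "read", Resource: "employee-pii"},
			{Role: "engineer", Action: "read", Resource: "build-logs"},
		},
		Needs: []Need{
			{Subject: "alice", Resource: "employee-pii", Approved: true, Expires: now.Add(24 * time.Hour)},
			{Subject: "bob", Resource: "employee-pii", Approved: true, Expires: now.Add(-time.Hour)},
		},
	}
}

func main() {
	now := time.Now()
	p := ConstructedPolicy(now)
	for _, req := range [][3]string{
		{"alice", "read", "employee-pii"},
		{"bob", "read", "employee-pii"},
		{"carol", "read", "employee-pii"},
		{"carol", "read", "build-logs"},
		{"alice", "write", "employee-pii"},
		{"mallory", "read", "employee-pii"},
	} {
		ok, why := p.Authorize(req[0], req[1], req[2], now)
		fmt.Printf("%-8s %-5s %-13s -> %-5v %s\n", req[0], req[1], req[2], ok, why)
	}
}
```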


II(A). Prevention (c’t’d) – 3. Encryption of ESI

Altruism and . . . . Selfishness

Especially PII & Mobile Data

At rest and in transit . . .

Best to avoid ROT-13

“rotate by 13 places”

can be broken in seconds

Best to use the Advanced Encryption Standard (AES) cryptographic cipher

basically unbreakable

36
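The contrast drawn above, as an added Go example that is not part of the slides: ROT-13 has no key and is its own inverse, so "breaking" it is just applying it again, whereas AES-256-GCM requires the key and, because GCM authenticates the ciphertext, rejects any tampered or wrong-key message instead of returning garbage. The sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Rot13 "rotates" each letter by 13 places. There is no key, so applying it
// twice restores the plaintext: anyone holding the output can read it.
func Rot13(s string) string {
	out := []byte(s)
	for i, c := range out {
		switch {
		case c >= 'a' && c <= 'z':
			out[i] = 'a' + (c-'a'+13)%26
		case c >= 'A' && c <= 'Z':
			out[i] = 'A' + (c-'A'+13)%26
		}
	}
	return string(out)
}

// NewKey returns a random 256-bit key for AES-256.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A fresh random nonce is
// prepended to the output; the GCM tag at the end authenticates the whole
// message, so the layout is nonce || ciphertext || tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a message produced by Encrypt. A wrong key or a single
// flipped byte makes Open fail, so tampering is detected rather than
// silently yielding garbage.
func Decrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	secret := "SSN 123-45-6789" // constructed sample PII
	fmt.Println("rot13 once :", Rot13(secret))
	fmt.Println("rot13 twice:", Rot13(Rot13(secret)))

	key, _ := NewKey()
	ct, _ := Encrypt(key, []byte(secret))
	pt, err := Decrypt(key, ct)
	fmt.Println("aes-gcm round trip:", string(pt), err)

	ct[len(ct)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(key, ct)
	fmt.Println("aes-gcm tampered  :", err)
}
```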


II(A)(3). Prevention – Encryption of ESI (c’t’d)

1. Website & Extranet Servers (> SSL)

2. Virtual Private Network (VPN) Software

3. Cloud: secure file transfer protocol (SFTP) sites (Citrix ShareFile; Filezilla; and OneHub, e.g.)

4. Email Messages and Attachments [Transport Layer Security (TLS)]

5. End-user devices

Desktop PCs, Laptops and Macs

Tablets and Smartphones

Mobile Devices and Portable Media

37


II(A). Prevention (c’t’d) – 4. Commuting/Travel

Security When Traveling

Use privacy screen/filter

Avoid using shared computers in cyber cafes, public areas or hotel business centers

If must use public/hotel WiFi, use a VPN (VMware Horizon or Cisco AnyConnect, e.g.)

Avoid public hotspots unless use, e.g., iPass

Borrow/buy MiFi device?

Do not use devices belonging to other travelers, colleagues or friends

38


II(A)(4). Commuting/Travel (c’t’d)

International Travel Tips:

Recommended: change any and all passwords before going abroad and again upon return

Do not take regular laptop, tablet or phone to China

Potentially same re: EU travels

Avoid sending sensitive emails

U.S. Customs & Border Protection (CBP) has increased scrutiny of laptops, devices, etc.

39


II(A)(4). Commuting/Travel (c’t’d)

CBP (c’t’d)

Upon citizens returning to the States, CBP asking for passwords, including social-media

Adi Robertson, Former Mozilla CTO files complaint against border patrol over warrantless phone search, Verge (4/2/19)

Darlene Storm, NASA scientist detained at U.S. border until handing over PIN to unlock his phone, Computerworld (2/13/17)

Sen. Ron Wyden (OR), letter to then HHS Secretary Kelly (2/20/17)

Assert attorney-client privilege (or another basis for confidentiality such as privacy?)

But don’t go so far as to get detained ? !

40


II(A). Prevention (c’t’d) – 5. Metadata & Netiquette

Metadata and Redactions

Metadata – Goalkeeper Prompts in Workshare Protect, for example . . .

41


II(A)(5). Metadata and Netiquette (c’t’d)

Metadata and Redactions (c’t’d)

Ex: Manafort filing in Collusion Investigation

42


II(A)(5). Metadata and Netiquette (c’t’d)

Metadata and Redactions (c’t’d)

Workshare settings (incl. re: .pdf’s)

Redactions

DO: USE Adobe Acrobat Pro

Don’ts:

Word: borders/shading or highlighter

Acrobat: text box or shapes-drawing tool

43


II(A)(5). Metadata and Netiquette (c’t’d)

Social Media

Bcc’s

Emails to “All” (companywide)

Auto-complete

Reply All

44


II(A). Prevention (c’t’d) – 6. Network Monitoring and Pen Tests

Firewall

Anti-Virus/Malware (incl. macros)/Spyware

enabling regular updates/patches

Spam filtering plus phishing protection

Ex: ProofPoint, including URL defense

Periodic vulnerability assessments and pen(etration) tests by independent consultant

45


II. B. Reactively Responding – Incident-Response

Top Ten

FOLLOW PROCESS (IF ANY!) . . .

10. Policy/Protocols/Checklists

Internal team leaders/members ID’d, e.g., InfoSec, Legal & Public Relations

Outside contacts listed, e.g., Information-Security consulting firm, Counsel, Law enforcement & Insurance carrier

46


II(B). Incident-Response (c’t’d) –Top Ten Tips

10. Big-Picture Process (c’t’d)

Categories defined?

Data- and machine-handling protocol

Workflow/Communication chart re:

Discover/Assess/Contain

Remediate/Close/Mitigate

47


II(B). TOP TEN TIPS (c’t’d)

FACT INTAKE . . . 4 W’s-plus

9. Who, what, where, when re: info.?

8. Encrypted?

7. If encrypted, key compromised?

48


II(B). TOP TEN TIPS (c’t’d)

GET YOUR BEARINGS . . .

6. If a contractual relationship:

Look at the contract

Decide if will try to negotiate re: notice

5. If law enforcement is involved, open a dialogue . . .

4. See if, under strictest statute, > 1 notice trigger has kicked in

49


II(B). Top Ten Tips (c't'd)

TO GIVE NOTICE OR NOT TO GIVE NOTICE . . .

3. If MUST give notice, tackle the required:
    Method and Contents – e.g., Cal. SB 24 (specifying some required contents of notice of breach of PII or PHI under Cal. Civ. Code)
    Recipients (might include an AG, e.g.)
    Timing (might be OK, under law, to delay)
2. If COULD give notice, discuss customer relations with C-level
1. If WILL give notice, work with PR as to theme(s), timing & press release (if any)


III. CYBERSECURITY INSURANCE


III. Cyber Policies (c't'd)

Must understand data and scope of coverage to manage risk
Comprehensive General Liability (CGL) policies not written to cover – and may expressly exclude – cyber risks
    Often need cyber coverage on top of CGL
    CGL does not consider data tangible property
Sony PlayStation breach: Third-party hackers didn't violate privacy clause in CGL policy/ies
Private info. posted (e.g., PHI on dark web)
    Insurer may have duty to defend if info. "published"
    Grey area: Clauses limiting CGL policies for some cyber risk may still not get insurer off the hook when information gets published


III. Cyber Policies (c't'd)

Personal injury/ies based on advertising-injury risk may be covered by CGL duty to defend, depending on how "publication" is defined
    See Travelers Indem. v. Portal Healthcare Solutions, 644 Fed. Appx. 245, 2016 WL 1399517 (4/11/16) (unpublished) (unintentional publication still a publication)
    See also Andrew G. Simpson, Fallout from Travelers CGL Cyber Ruling: Insurance Buyers and Sellers Beware, Ins. J. (4/25/16), cautioning against total reliance on Travelers


III. Cyber Policies (c't'd)

Cyber policies' terms are still in flux
    No form policies
    Lots of variation
Increased uncertainty of scope of coverage
    Carriers sometimes more willing to negotiate
Some concerns:
    May need phishing rider to address biggest risk
    Terrorism exclusion could apply if hackers are nation states, or could extend to all hackers


III. Cyber Policies (c't'd)

Insurer may be able to deny coverage if insured didn't have reasonable security measures . . .
    Opening phishing emails may be deemed non-reasonable
    Theft by social engineering / tricking does not equal "theft" – need coverage specifically for that category of activity

Some Tips
    Don't voluntarily admit fault – may negate coverage
    Duty to defend
        Insurers have teams on standby to mitigate breach, etc.
        Small businesses don't have that critical capability


III. Cyber Policies (c't'd)

Some Tips (c't'd)
    "Industry standards language" not sensible – should be a red flag
    Seek coverage for litigation judgments, settlement payments and GDPR fines
    First-party vs. third-party insurance
        First party: Direct costs to company such as credit monitoring, PR, forensics, ransom, business interruption
        Third party: Failure to prevent cyber attacks on others or to protect privacy of others . . .


III. Cyber Policies (c't'd)

Some Tips (c't'd)
    Third-Party Coverage (c't'd) – could include:
        Failure to disclose data breach
        Distributed Denial of Service (DDoS) attack
        Payment Card Industry Data Security Standard (PCI DSS) non-compliance
            P.F. Chang's China Bistro, Inc. v. Federal Ins. Co. (Chubb), 2016 WL 3055111 (D. Ariz. 5/31/16)