TRANSCRIPT
Data Privacy and Information Security
Compliance Under Heightened Scrutiny:
Responding to a Data Breach or Cyber Attack
Presenting a live 90-minute webinar with interactive Q&A
WEDNESDAY, MAY 29, 2019
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West, Mountain View, Calif.
Isis Miranda, Attorney, Freeman Mathis & Gary, Los Angeles, Calif.
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
Data Privacy and Information Security Compliance Under Heightened Scrutiny
Robert Brownstone
and
Isis Miranda
May 29, 2019
© 2019 the presenters and their respective firms
THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.
THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.
THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.
Panelists
Agenda
I. NEW PRIVACY LEGISLATION
• The data privacy phenomenon
• Complying with the CCPA
II. DATA BREACHES
• Proactively preventing data breaches
• Reactively responding to data breaches
III. CYBERSECURITY INSURANCE
• Coverage for data breaches and privacy violations
• Other risk transfer strategies
I. NEW PRIVACY LEGISLATION
The Privacy Phenomenon (Global)
• 58%: countries with legislation
• 10%: countries with draft legislation
• 21%: countries with no legislation
• 12%: countries with no data
The Privacy Phenomenon (U.S.)
State privacy bills shown on the map (legend: Law Passed / Legislation Pending):
• CA: CCPA
• NV: Chapter 603A
• WA: SB5376
• ND: HB14185
• IL: HB 3358
• NM: SB176
• HI: SB418
• TX: HB4518 & HB4390
• NY: S224 & SB S8641
• MA: SD341/S120
• NJ: S2834
• RI: S0234
• MD: SB613
• CT: RB1108
• NV: SB220
Federal privacy laws: HIPAA, GLBA, COPPA, ECPA, etc.
Key Influences (driving new legislation)
• Expanding digital footprint
• Rise of data brokers (e.g. Acxiom)
• Online behavioral advertising
• Edward Snowden
• Governmental surveillance (global)
• Massive data breaches
• Cambridge Analytica
Texas Public Radio: https://www.tpr.org/post/views-brews-whos-tracking-your-digital-footprint
Online Behavioral Advertising
The Future of Privacy Forum: https://fpf.org/2016/05/20/14382/
CCPA Overview
• The California Consumer Privacy Act (CCPA) provides California residents with:
1. Privacy Rights: certain rights to control personal information (broadly defined) pertaining to them; and
2. Private Right of Action: right to sue for statutory damages whenever their personal information (narrowly defined) is breached and the breach is caused by the failure to maintain reasonable security measures.
• The CCPA was rushed through the legislative process to avoid a stricter privacy law being placed on the voter ballot.
• As a result, the law has many ambiguities and internal inconsistencies.
• Many amendments to revise and/or clarify the CCPA are pending.
• Nonetheless, the act takes effect on January 1, 2020.
• The attorney general (AG) may begin enforcement actions 6 months after publishing guidance or on July 1, 2020, whichever is earlier.
• Many states are following CA’s lead, and many more are expected.
DISCLAIMER
The CCPA has numerous ambiguities and internal inconsistencies
on account of the record-breaking speed with which it was written and enacted.
The materials provided herein, which do not constitute legal advice,
are designed to aid in understanding the CCPA in spite of those factors.
CCPA Covered Entities
• The CCPA applies to for-profit entities doing business in California:
a) with at least $25 million in annual revenue;
b) that receive or share the personal information of 50,000 or more consumers, households, or devices annually; or
c) derive 50% or more of revenues from the sale of consumers’ personal information.
• Consumer: A “natural person who is a California resident . . . however identified, including by any unique identifier.”
• Business: Determines the “purposes and means” of processing PI.
• Service Provider: Processes information on behalf of a business pursuant to a written contract that prohibits the service provider from using PI for any other purpose.
• Third Party: an entity that is not a Business or a Service Provider (with some caveats).
CCPA Consumer Rights
1. Right to know what personal information is being collected
2. Right to access & portability
3. Right to delete, unless information is needed:
• To complete transactions with the consumer or associated internal uses
• To detect security breaches
• To identify and repair errors that impair existing functionality
• To protect against or prosecute illegal activity
• Comply with a legal obligation
• Other exceptions also apply
4. Right to opt-out of the “sale” (or opt-in for minors)
5. Right not to be discriminated against for exercising their rights
CCPA Definition of PI
“Personal Information means information that identifies or could reasonably be linked to a particular consumer or household.”
Personal Information “Categories”
(A) “Identifiers, such as “real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, and other similar identifiers.”
(B) “Any categories of personal information described in [1798.90(e)].”
(C) “Characteristics of protected classifications under California or Federal law.”
(D) “Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consumer histories or tendencies.”
(E) “Biometric information.”
(F) “Internet or other electronic network activity, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”
(G) “Geolocation data.”
(H) “Audio, electronic, visual, thermal, olfactory, or similar information.”
(I) “Professional or employment-related information.”
(J) “Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.”
(K) “Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
CCPA Rights and Obligations
Consumer’s Rights → Business Obligations (unless specified otherwise)

Right to access PI collected (§§ 1798.100; 1798.110)
• Inform consumers of the categories of PI to be collected and the purpose for which the information will be used.
• Upon request, disclose:
  • The categories of PI collected
  • Sources of information
  • Business or commercial purpose for collecting
  • Categories of third parties with whom PI is shared
  • The specific pieces of PI collected in prior 12 months

Right to delete PI collected (§ 1798.105)
• Inform consumers of their right to delete.
• Upon request, delete PI collected (stored by the Business or a Service Provider), unless an exception applies.

Right to know what PI is sold or disclosed (§ 1798.115)
• Upon request, disclose:
  • The categories of PI sold in prior 12 months and the categories of third parties to whom the PI was sold (matrix format).
  • The categories of PI disclosed for a business purpose and the categories of entities to whom the data was disclosed.
• Third Parties must provide consumers with explicit notice and opportunity to opt-out before re-selling PI they have purchased.

Right to opt-out from sale of PI (§ 1798.120)
• Inform consumers that their PI may be sold and that they have the right to opt-out (or opt-in for minors)
• Upon request (or lack of consent for minors), refrain from selling PI
CCPA Enforcement & Fines
• Privacy Violations:
• The AG may bring actions if businesses fail to cure the violation within 30 days of receiving notice and may seek civil penalties of $2,500 per violation or $7,500 for each intentional violation.
• Data Breaches (Private Right of Action):
• In addition to enforcement actions by the AG, consumers may bring suit, individually or as part of a class action, if businesses fail to cure the violation within 30 days of receiving notice and may recover statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater.
• Consumers can also sue for actual damages at any time.
CCPA Compliance – Data Map
• Prepare a data map indicating the location, age, and type of personal information:
1. Collected from consumers
2. Obtained from other entities
3. Shared with other entities, including:
a. Service providers for business purposes (not a “sale”)
b. Third parties to whom the consumer directs the disclosure of their information or intentionally interacts (not a “sale” provided that the third-party does not sell the information)
c. Third parties or other entities for monetary or other valuable consideration (constitutes a “sale”)
• Prioritize data security, including documenting basis for decisions, focusing on highly sensitive information stored in the least protected manner.
CCPA Compliance – New Processes
• Develop processes (including system changes, training staff, etc.) to:
• Exclude consumers from the “sale” of information when they click the “Do Not Sell My Personal Information” button on your website, as well as the sale of information pertaining to minors (age 16 or younger) absent appropriate consent.
• Provide consumer with actual PI collected for prior 12 months and/or delete all PI, upon a verifiable request.
• Must be achievable within 45 days of receiving request but may be extended by up to an additional 45 (or 90?) days where reasonably necessary.
• Includes information stored by Service Providers, but not Third Parties
• Must be delivered through the consumer’s account or by email, in a readily usable format, or by mail.
• Verify consumer requests, including determining whether they are made by or on behalf of a California resident.
CCPA Compliance – Website Updates
• Determine whether a separate website is needed for California consumers.
• Add a “Do Not Sell My Personal Information” button conspicuously displayed on the homepage or a California-specific website.
• Add a toll-free number consumers may call to submit requests.
• Add a website form for submitting requests
• Update privacy policy to include:
• A description of consumers’ rights under the CCPA and a link to the webpage containing the “Do Not Sell My Personal Information” button.
• Information collected: The categories of personal information collected, the categories of the sources of the information, and the commercial and business purposes for which the personal information is collected.
• Information shared: The categories of personal information sold or disclosed, the categories of entities with whom the information is shared, and the business or commercial purpose for sharing the information.
• Description of any financial incentives for providing data or not exercising rights.
• Two or more designated methods for submitting requests, including a toll-free number and a website address (if applicable).
CCPA Compliance – Training
• A business must ensure that all individuals responsible for handling consumer inquiries about the business’ privacy practices, including how the business complies with CCPA, are informed of all of the requirements in [the transparency and access provisions] and how to direct consumers to exercise their rights under those sections.
CCPA Compliance – Contract Updates
• Update contracts with service providers to include a certification that the service provider understands and will comply with the restrictions set forth in the CCPA [See section 1798.20(v) and (w)].
• A business that discloses personal information to a service provider (pursuant to a written agreement containing a certification of compliance) shall not be liable if the service provider violates the CCPA provided that, at the time the information was disclosed, the business does not have “actual knowledge, or reason to believe, that the service provider intends to commit such a violation.” [See section 1798.20(w)].
CCPA Data Security “Requirements”
• The CCPA has no express requirements pertaining to data security.
• There is a provision (Section 1798.150(a)(1)) that provides a remedy for the breach of a consumer’s personal information as a result of a business’s violation of its duty to maintain reasonable security measures, a duty that is not defined elsewhere in the CCPA.
• Nonetheless, notice must be provided to the business as to which provisions of the CCPA it has violated.
• Although the business has the opportunity to “cure” the breach within 30 days, it is unclear how that is possible in a data breach context.
• A business is required to attest that the violation has been cured AND that “no further violations shall occur.”
II. DATA BREACHES
II. A. Proactive Prevention of Data Breaches – Introduction
Divide the Universe, e.g., into:
1. Policies/Practices Applicable to All Information, Including PII
2. Policies/Practices Applicable to Personal Information as to Non-Employee Individuals
3. Policies/Practices Applicable to PII Collected From Employees
4. Data-Storage Contracts with Third-Party Host-ers (Cloud, etc.)
II(A). Policies – Enforcement AND Training
Kompliance KUMBAYA?!
Clear, well-thought-out language regarding which multiple constituencies have weighed in . . .
Compliance’s “3 E’s” = Establish/Educate/Enforce (Nancy Flynn, ePolicy Institute, as discussed here)
II(A). Compliance’s Three E’s (c’t’d)
Train managers and staff re: access, nondisclosure and safeguarding
Review pertinent segments of certain Employee Handbook policies, e.g.:
• Code of Conduct; Confidentiality Policy
• Technology-Acceptable-Use Policy (TAUP)/No-Employee-Expectation-of-Privacy Policy (NoEEP)
• Social Media
• BYOD (Mobile Devices)
• Separating-Employee Policy [& related checklist(s) from IT Dep’t, HR Dep’t, etc.]
II(A). Training (c’t’d)
[Spear-]Phishing
• Test users periodically
• Capture metrics
• Encourage vigilance
Ransomware
• Keep patches up to date
• Back-up regimen – rule of 3
• Bitcoin?
II(A). 1. Proactive Prevention (c’t’d)
Many tips/tools discussed in:
• Brownstone/Moore Cyber Security Practitioner article (May ’17) downloadable here
• Koenig, et al., Equifax Breach: 3 Immediate Steps Leading Companies Are Taking To Respond, Fenwick & West Alert (9/22/17)
• Hobbs, et al., New Concerns for Employers and HR Departments post-Equifax Cyber Breach, Holland & Hart (9/18/17)
• Argento, et al., Vendor Breaches and Their Implications for Employers, Littler (9/15/17)
II(A). Prevention (c’t’d) – 2. Passwords; Access; & Central Storage
Passwords
• Lockout . . . No sharing . . . Password manager?
• 2-factor authentication
Traditionally, these have been considered best practices:
• minimum 8 (or 12) characters, complex
• reuse restriction
• 90-day expiration
But see new NIST SP 800-63: Digital Identity Guidelines (6/22/17) and this Aug. ’17 NIST paper/bulletin
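To make the contrast on this slide concrete, here is an added example (not from the presenters) that checks the same candidate password against the traditional composition rules and against checks in the spirit of NIST SP 800-63B. The breached-password set, the organisation words and the username are constructed for the demonstration.

```python
import re

# Constructed sample of a compromised-credential corpus; a real deployment
# would screen against a full breach list, as NIST SP 800-63B recommends.
BREACHED_PASSWORDS = {"password", "p@ssw0rd1!", "welcome1!", "summer2019", "letmein"}

# Constructed context-specific words (organisation and service names).
CONTEXT_WORDS = {"acme", "acmecorp", "webinar"}


def legacy_policy(pw):
    """The traditional rules on the slide: minimum 8 characters and
    'complexity' (upper, lower, digit, symbol).  Returns the failed rules."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("no symbol")
    return failures


def _is_sequential(pw):
    """True for keyboard-style runs such as 12345678 or abcdefgh."""
    codes = [ord(c) for c in pw.lower()]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return len(codes) >= 4 and steps in ({1}, {-1})


def nist_policy(pw, username):
    """Checks in the spirit of NIST SP 800-63B section 5.1.1.2: length of
    8 to 64, no composition rules, and rejection of breached, repetitive,
    sequential and context-specific values.  Returns the failed checks."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if len(pw) > 64:
        failures.append("longer than 64 characters")
    lowered = pw.lower()
    if lowered in BREACHED_PASSWORDS:
        failures.append("appears in breached-password list")
    if re.fullmatch(r"(.+?)\1+", pw) or _is_sequential(pw):
        failures.append("repetitive or sequential value")
    if username.lower() in lowered or any(w in lowered for w in CONTEXT_WORDS):
        failures.append("contains username or organisation-specific word")
    return failures


def compare(pw, username):
    """Side-by-side verdict: True means the candidate passes that policy."""
    return {"legacy": not legacy_policy(pw), "nist": not nist_policy(pw, username)}


if __name__ == "__main__":
    # "P@ssw0rd1!" satisfies every legacy rule yet is a breached password;
    # the long passphrase fails legacy complexity but passes the NIST checks.
    for candidate in ("P@ssw0rd1!", "correct horse battery staple", "Acme2019!!"):
        print(candidate, compare(candidate, "jdoe"))
```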
II(A)(2). Access (c’t’d) – RBAC
“Least Privileged Access” approach [“role-based access control (RBAC)”]
• Data and physical
• Default is “deny all” – i.e., cannot gain access unless:
  • affirmative need shown; and
  • specifically authorized
For lawyers: “ ‘Need to Know’ Security” (LTN 4/24/17) (LEXIS login needed)
Central vs. Local Storage
Digital Rights Management (DRM)?
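An added example (not the presenters’ code) of the default-deny rule on this slide: a request is allowed only when an affirmative need is on record and a role specifically grants the action, for data and physical resources alike, and every decision is logged so that repeated denials can be reviewed. The role table, users and approved-need register are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed role table: role -> set of (resource, action) pairs that are
# explicitly granted.  Anything absent here is denied (the "deny all" default).
ROLE_PERMISSIONS = {
    "hr-analyst": {("employee-pii", "read")},
    "hr-admin": {("employee-pii", "read"), ("employee-pii", "write")},
    "facilities": {("server-room", "enter")},          # a physical resource
}

# Constructed user -> roles mapping.
USER_ROLES = {"alice": {"hr-analyst"}, "bob": {"facilities"},
              "carol": set(), "dave": {"hr-admin"}}

# Constructed register of approved need-to-know: (user, resource) pairs for
# which an affirmative need was shown and signed off.
APPROVED_NEED = {("alice", "employee-pii"), ("bob", "server-room")}


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user, resource, action, audit):
    """Default deny.  Access is allowed only when BOTH slide conditions hold:
    an affirmative need is on record AND a role specifically authorizes the
    action.  Every decision is appended to the audit list for later review."""
    roles = USER_ROLES.get(user, set())
    granted = any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)
    need = (user, resource) in APPROVED_NEED
    if granted and need:
        d = Decision(True, "explicit role grant and approved need")
    elif granted:
        d = Decision(False, "role grants action but no approved need on record")
    elif need:
        d = Decision(False, "need approved but no role grants this action")
    else:
        d = Decision(False, "default deny: no grant and no approved need")
    audit.append((user, resource, action, d.allowed, d.reason))
    return d


def repeated_denials(audit, threshold):
    """Users denied at least `threshold` times: a simple review signal, since
    repeated requests for access one is not authorized for stand out against
    a default-deny baseline."""
    counts = Counter(entry[0] for entry in audit if not entry[3])
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    log = []
    print(authorize("alice", "employee-pii", "read", log))   # allowed
    print(authorize("dave", "employee-pii", "write", log))   # role, but no need on record
    print(authorize("carol", "server-room", "enter", log))   # default deny
    print(repeated_denials(log, 1))
```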
II(A). Prevention (c’t’d) – 3. Encryption of ESI
Altruism and . . . . Selfishness
Especially PII & Mobile Data
At rest and in transit . . .
• Best to avoid ROT-13
  • “rotate by 13 places”
  • can be broken in seconds
• Best to use Advanced Encryption Standard (AES) cryptographic cipher
  • basically unbreakable
II(A)(3). Prevention – Encryption of ESI (c’t’d)
1. Website & Extranet Servers (> SSL)
2. Virtual Private Network (VPN) Software
3. Cloud: secure file transfer protocol (.ftp) sites (Citrix ShareFile; Filezilla; and OneHub, e.g.)
4. Email Messages and Attachments [Transport Layer Security (TLS)]
5. End-user devices
  • Desktop PC’s, Laptops and Macs
  • Tablets and Smartphones
  • Mobile Devices and Portable Media
II(A). Prevention (c’t’d) – 4. Commuting/Travel
Security When Traveling
• Use privacy screen/filter
• Avoid using shared computers in cyber cafes, public areas or hotel business centers
• If must use public/hotel WiFi, use a VPN (VMware Horizon or Cisco AnyConnect, e.g.)
• Avoid public hotspots unless use, e.g., iPass
• Borrow/buy MiFi device?
• Do not use devices belonging to other travelers, colleagues or friends
International Travel Tips:
• Recommended: change any and all passwords before going abroad and again upon return
• Do not take regular laptop, tablet or phone to China
• Potentially same re: EU travels
• Avoid sending sensitive emails
• U.S. Customs & Border Protection (CBP) has increased scrutiny of laptops, devices, etc.
II(A)(4). Commuting/Travel (c’t’d)
CBP (c’t’d)
• Upon citizens returning to the States, CBP asking for passwords, including social-media
• Adi Robertson, Former Mozilla CTO files complaint against border patrol over warrantless phone search, Verge (4/2/19)
• Darlene Storm, NASA scientist detained at U.S. border until handing over PIN to unlock his phone, Computerworld (2/13/17)
• Sen. Ron Wyden (OR), letter to then HHS Secretary Kelly (2/20/17)
• Assert attorney-client privilege (or another basis for confidentiality such as privacy?)
• But don’t go so far as to get detained ? !
II(A). Prevention (c’t’d) – 5. Metadata & Netiquette
Metadata and Redactions
• Metadata – Goalkeeper Prompts in Workshare Protect, for example . . .
II(A)(5). Metadata and Netiquette (c’t’d)
Metadata and Redactions (c’t’d)
• Ex: Manafort filing in Collusion Investigation
II(A)(5). Metadata and Netiquette (c’t’d)
Metadata and Redactions (c’t’d)
• Workshare settings (incl. re: .pdf’s)
Redactions
• DO: USE Adobe Acrobat Pro
• Don’ts:
  • Word: borders/shading or highlighter
  • Acrobat: text box or shapes-drawing tool
II(A)(5). Metadata and Netiquette (c’t’d)
• Social Media
• Bcc’s
• Emails to “All” (companywide)
• Auto-complete
• Reply All
II(A). Prevention (c’t’d) – 6. Network Monitoring and Pen Tests
• Firewall
• Anti-Virus/Malware (incl. macros)/Spyware, enabling regular updates/patches
• Spam filtering plus phishing protection (Ex: ProofPoint, including URL defense)
• Periodic vulnerability assessments and penetration tests by independent consultant
II. B. Reactively Responding – Incident-Response
Top Ten
FOLLOW PROCESS (IF ANY!) . . .
10. Policy/Protocols/Checklists
• Internal team leaders/members ID’d, e.g., InfoSec, Legal & Public Relations
• Outside contacts listed, e.g., Information-Security consulting firm, Counsel, Law enforcement & Insurance carrier
II(B). Incident-Response (c’t’d) – Top Ten Tips
10. Big-Picture Process (c’t’d)
• Categories defined?
• Data- and machine-handling protocol
• Workflow/Communication chart re: Discover/Assess/Contain; Remediate/Close/Mitigate
II(B). TOP TEN TIPS (c’t’d)
FACT INTAKE . . . 4 W’s-plus
9. Who, what, where, when re: info.?
8. Encrypted?
7. If encrypted, key compromised?
II(B). TOP TEN TIPS (c’t’d)
GET YOUR BEARINGS . . .
6. If a contractual relationship:
  • Look at the contract
  • Decide if will try to negotiate re: notice
5. If law enforcement is involved, open a dialogue . . .
4. See if, under strictest statute, > 1 notice trigger has kicked in
II(B). TOP TEN TIPS (c’t’d)
TO GIVE NOTICE OR NOT TO GIVE NOTICE . . .
3. If MUST give notice, tackle the required:
  • Method and Contents – E.g., Cal. SB 24 (specifying some required contents of notice of breach of PII or PHI under Cal. Civ. Code)
  • Recipients (might include an AG, e.g.)
  • Timing (might be OK, under law, to delay)
2. If COULD give notice, discuss customer-relations with C level
1. If WILL give notice, work with PR as to theme(s), timing & press release (if any)
III. CYBERSECURITY INSURANCE
III. Cyber Policies (c’t’d)
• Must understand data and scope of coverage to manage risk
• Comprehensive General Liability (CGL) policies not written to cover – and may expressly exclude – cyber risks
• Often need cyber coverage on top of CGL
• CGL does not consider data tangible property
• Sony PlayStation breach: Third party hackers didn’t violate privacy clause in CGL policy/ies
• Private info. posted (e.g., PHI on dark web)
• Insurer may have duty to defend if info. “published”
• Grey area: Clauses limiting CGL policies for some cyber risk may still not get insurer off hook when information gets published
III. Cyber Policies (c’t’d)
• Personal injury/ies based on advertising injury risk may be covered by CGL duty to defend, depending on how “publication” defined
• See Travelers Indem. v. Portal Healthcare Solutions, 644 Fed. Appx. 245, 2016 WL 1399517 (4/11/16) (unpublished) (unintentional publication still a publication)
• See also Andrew G. Simpson, Fallout from Travelers CGL Cyber Ruling: Insurance Buyers and Sellers Beware, Ins. J. (4/25/16), cautioning against total reliance on Travelers
III. Cyber Policies (c’t’d)
• Cyber policies’ terms are still in flux
  • no form policies
  • lots of variation
• Increased uncertainty of scope of coverage
  • carriers sometimes more willing to negotiate
• Some concerns:
  • May need phishing rider to address biggest risk
  • Terrorism exclusion could apply if hackers are nation states or could extend to all hackers
III. Cyber Policies (c’t’d)
• Insurer may be able to deny coverage if insured didn’t have reasonable security measures . . .
  • Opening phishing emails may be deemed non-reasonable
• Theft by social-engineering / tricking does not equal theft – need coverage specifically for that category of activity
Some Tips
• Don’t voluntarily admit fault
  • May negate coverage
• Duty to defend
  • Insurers have teams on standby to mitigate breach, etc.
  • Small businesses don’t have that critical capability
III. Cyber Policies (c’t’d)
Some Tips (c’t’d)
• “Industry standards language” not sensible
  • should be red flag
• Seek coverage for litigation judgments, settlement payments and GDPR fines
• First party vs. third party insurance
  • First party: Direct costs to company such as credit monitoring, PR, forensics, ransom, business interruption
  • Third party: Failure to prevent cyber attacks on others or privacy of others . . . .
III. Cyber Policies (c’t’d)
Some Tips (c’t’d)
Third Party Coverage (c’t’d) – could include:
• Failure to disclose data breach
• Distributed Denial of Service (DDOS) attack
• Payment Card Industry Data Security Standard (PCI DSS) non-compliance
• P.F. Chang's China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (Chubb) (D. Az. 5/31/16)