DATA PRIVACY & SECURITY LEGAL REQUIREMENTS AND BEST PRACTICES
Deborah Shinbein, Esq., CIPP, Data Law Group, LLC
(PowerPoint presentation transcript, posted 02-Jan-2016)

Page 1: DATA PRIVACY & SECURITY LEGAL REQUIREMENTS AND BEST PRACTICES
Deborah Shinbein, Esq., CIPP, Data Law Group, LLC

Page 2: AGENDA
- Overview of selected privacy/security laws
- Recommended privacy/security policies
- Data breach planning and response
- Monitoring compliance of your service providers

This presentation is just a brief overview of applicable laws, security precautions, and other considerations; there are many more!

Page 3: INITIAL ASSESSMENT
There are numerous different state and federal laws and regulations governing the collection, use, and security of personally identifiable information ("PII").

Perform an assessment to determine which are applicable to your entity:
- What type of PII do you have?
- From where is the PII collected?
- In what format(s) is the PII stored?
- How is the PII used today? Future plans?
- Is the PII shared with others (service providers, other parties)?
- From which states/countries is PII obtained?

Page 4: STATE INFORMATION SECURITY LAWS
- Many state laws apply to PII, including security, destruction, use, transfer, and breach notification. Applicability is based on either or both of:
  - Location of the data subject (scholarship applicant, donor, etc.), or
  - Location of the entity
- Various definitions of PII in different state laws:
  - Typically SSN, driver's license, or credit/debit or financial account number with password
  - Sometimes other user ID number with password, biometric data, or other identifiers

Page 5: STATE INFORMATION SECURITY LAWS
- The most stringent state information security law: MA 201 CMR 17.00
  - Requires implementation of a Written Information Security Plan ("WISP") and specific security measures
  - Administrative, technical and physical measures
  - Reasonable collection and storage of PII
  - Encryption requirements for electronic records
- Entities have a legal responsibility to "oversee" service providers:
  - Take reasonable steps to select and retain providers capable of maintaining appropriate security measures for PII
  - Contractually require service providers to implement and maintain appropriate security measures for PII

Page 6: STATE INFORMATION SECURITY LAWS
- CO 6-1-713. Disposal of personal identifying documents
  - Public and private entities in CO that use documents containing PII must develop a policy for the destruction or proper disposal of paper documents containing PII
  - PII means: social security number; personal identification number; password; driver's license or state ID; passport number; biometric data; employer, student, or military ID number; or a financial transaction device.

Page 7: STATE INFORMATION SECURITY LAWS
- CA requires businesses that own or license PII about residents of CA to:
  - Implement and maintain "reasonable" security procedures and practices to protect PII from unauthorized access, destruction, use, modification or disclosure, and
  - Contractually require nonaffiliated third parties that receive the PII to also maintain reasonable security procedures

Page 8: EMPLOYEE PRIVACY
- Various state and federal requirements apply to how an entity handles the collection, use, disclosure, safeguarding and disposal of its employee information
- Background checks: the FCRA requires prior disclosure and written consent when an employer requests a consumer report about the individual from a consumer reporting agency
  - There are special considerations if an employer plans to use the information in the consumer report in connection with an "adverse action" such as not hiring, not promoting, rescinding a job offer, etc.
- Employee monitoring: various laws require entities to develop comprehensive communications policies that govern the use of the employer's laptops, mobile devices, etc., and to provide employees with clear notice of the entity's communications monitoring practices.

Page 9: FERPA – FEDERAL EDUCATION RIGHTS AND PRIVACY ACT
- Applies to any entity with educational data which accepts any amount of funds from the federal government
- Covered data: "student education records," broadly defined as records, files, or documents that contain information directly related to a student and that are maintained by or for an educational agency or institution
  - Includes PII such as name, address, SSN, DOB, and other PII
- Requires reasonable security measures to prevent unauthorized access to or disclosure of records

Page 10: FERPA (CONT.)
- Limits disclosure of education records without written parent or eligible student consent
- Consent requirements include:
  - Written consent including signature and date
  - Must identify:
    - Specific records to be disclosed
    - Purpose of disclosure
    - To whom disclosure may be made (parties/classes of parties)
- Certain exceptions to the consent requirement:
  - Access by "school officials" with a legitimate educational interest
  - Anonymous or de-identified information
  - Information provided in connection with financial aid
  - Information provided to schools to which the student seeks to enroll or has already enrolled

Page 11: FERPA (CONT.)
- Recent guidance re: the "school official" exception
- May include third-party providers if all requirements are met:
  - Performs an institutional service or function for which the school/district would otherwise use its own employees
  - Must be under the "direct control" of the school/district regarding use/maintenance of records
  - Uses records only for authorized purposes (including the purpose for which they were disclosed), and does not re-disclose PII to other parties without authorization
- School/district should enter into a contract restricting the vendor from using PII for unauthorized purposes and providing the ability to direct the vendor to use, transfer, or delete records only at the instruction of the school/district
- Online terms of service must comply with FERPA or the school/district can't use the exception
- Parents/eligible students must be granted access to the records

Page 12: FERPA (CONT.)
Dept. of Education recent guidance re: best practices for contracting with online service providers:
- Establish policies and procedures to evaluate and approve vendors prior to implementation
- Use a written contract when possible, to maintain the required "direct control" over the use and maintenance of student data
  - Address data ownership, responsibilities in the event of breach, and minimum security controls
  - Specify information to be collected
  - Define purposes for which the provider may use information, and limit to those uses
  - Specify whether school, parents, and students will be permitted to access the data, and describe the process to obtain access
  - Establish procedures for modifying and terminating the agreement, and how information will be disposed of upon termination
  - Indemnification obligations and what the provider must do to remedy violations of laws / compensate the school for violations
- Employ extra caution when using click-wrap terms
- Be transparent with parents and students about how the school collects, shares, protects and uses student data (in addition to required notices under FERPA and PPRA)
- Consider on a case-by-case basis whether obtaining parental consent may be appropriate (even if not required by FERPA)

Page 13: GRAMM LEACH BLILEY ACT (GLBA)
- Applies to any "Financial Institution," defined as any U.S. company that is "significantly engaged" in financial activities. It regulates management of "personally identifiable financial information" provided to a financial institution by a consumer, or that results from a transaction or service performed for the consumer, or is otherwise obtained by the financial institution
- Safeguards Rule requires companies to develop a WISP that describes their program to protect customer information:
  - Physical, technical, and administrative safeguards appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles
  - Select service providers that can maintain appropriate safeguards, require this by contract, and oversee their handling of PII
  - Numerous other requirements

Page 14: RECOMMENDED INFORMATION SECURITY AND PRIVACY POLICIES

Page 15: IMPORTANT SECURITY POLICIES
- Organizations with PII or other confidential information should implement certain important policies for data security
- Several of the laws and regulatory requirements discussed earlier require a written information security plan ("WISP"), which is an overarching policy about all things data security within the organization
- Best practices mandate additional policies and procedures to ensure employees are aware of requirements, to prepare for breaches, and to address other matters not included in the WISP

Page 16: WRITTEN INFORMATION SECURITY PLAN
A WISP should contain the following basic terms, although requirements vary based on specific laws/regulations:

1. Definition of information covered (applicable laws)
  - State laws: personal information (typically SS#, driver's license, credit card, account information)
  - GLBA: consumer financial transaction data
  - HIPAA: protected health information
  - PCI: cardholder data

Page 17: WRITTEN INFORMATION SECURITY PLAN (CONT.)
2. Designate a Data Security Coordinator. Required duties vary based on laws/regulations:
  - Implement and enforce the WISP
  - Train employees
  - Evaluate vendors for security compliance
  - Grant appropriate access
  - Test the WISP's security measures
  - Evaluate and revise the WISP annually
  - Document potential and actual security breaches and measures taken

Page 18: WRITTEN INFORMATION SECURITY PLAN (CONT.)
3. List the organization's internal risk mitigation procedures
  - Distribute the WISP to all employees, get written acknowledgement of receipt
  - Limit access to customer and employee records (by person, location, remote)
  - Procedures to eliminate access for terminated employees
  - Password policies
  - Reporting obligations (suspicious access, requests, uses)

Page 19: WRITTEN INFORMATION SECURITY PLAN (CONT.)
(Internal risk mitigation, continued)
  - Clean desk policy
  - Security breach plan and procedures
  - Each department must implement its own rules re: safeguarding records within that department
  - Limit which employees have remote access to systems
  - Record retention and disposal policies
  - Physical access restrictions (visitors, badges, etc.)

Page 20: WRITTEN INFORMATION SECURITY PLAN (CONT.)
4. List the company's external risk mitigation procedures
  - Network firewalls
  - Regular updates to system security software, malware protection, operating system patches, etc.
  - Procedures to monitor computers and the network for unauthorized use of records
  - Strong authentication procedures
  - Encryption requirements for records (in transit, at rest, on all devices)

Page 21: WRITTEN INFORMATION SECURITY PLAN (CONT.)
WISP Worksheet (handout)
- Complete what you can now
- Take the worksheet back to your office to discuss with others and complete. You may need to meet with representatives from:
  - Scholarship administration
  - IT
  - HR
  - Accounting/finance
  - Marketing

Page 22: EMPLOYEE DEVICE POLICY ("BYOD")
- Security risks are posed by allowing employees to use their own laptops, smartphones or tablets to perform work for the company
- Major risks:
  - Loss of devices
  - Insecure devices/networks allowing remote access
  - Unauthorized parties accessing devices

Page 23: BYOD POLICIES (CONT.)
- Consider requiring remote device management software:
  - Remote deletion capabilities
    - Lost/stolen device
    - Designated number of incorrect password attempts
  - Security software to ensure storage and transmissions are in accordance with the firm's security standards
  - Automatic remote backups of the device on a regular basis

Page 24: BYOD POLICIES (CONT.)
Terms to consider for BYOD policies (tailor for business needs and data):
- Limit the type of information that may be accessed from personal devices
- Require that certain information be encrypted
- Employees must immediately report suspected loss or theft
- Prohibit storing the company's information in cloud storage services other than those provided or approved by the company
- Employees must consent to the employer's access to the device's data if needed for legal reasons
- Consider limiting the types of devices employees may use for work

Page 25: BYOD POLICIES (CONT.)
Potential terms, continued:
- Consent to employer monitoring of the device, if appropriate
- Procedures regarding the employee's termination
- Limitations for using devices on unsecured public wi-fi networks
- Prohibit using personal email accounts for work
- Requirements regarding the device's internal security settings and which alterations, if any, may be made
- Strong passwords (company policy)
- Two-factor authentication for company accounts

Page 26: BYOD POLICIES (CONT.)
Potential terms, continued:
- Require implementation of all system updates
- If automatic backup is not possible, establish manual backup procedures and frequency
- Restrict use of the device by friends and family (or establish a separate walled user log-in for company information)
- Other terms as applicable depending on the nature of the data and your company's needs
- Require employees to sign the BYOD policy
- Some provide firm-owned devices to employees, giving the company greater control and rights

Page 27: BYOD POLICIES (CONT.)
BYOD Worksheet (handout)
- Complete what you can now
- Take the worksheet back to your office to discuss with others and complete. You may need to meet with representatives from:
  - IT
  - HR

Page 28: EMAIL/NETWORK USE POLICY
- Limit use of company email to company functions
- No emailing confidential data, applications containing PII, etc. unless encrypted
- If you receive confidential information via email, delete the message, notify the sender of the company's policy and require encryption next time
- Do not have email forwarded to a non-company account
- Require archiving and deletion of email according to the company schedule
- Company may monitor email and network use at any time and without notice

Page 29: EMAIL/NETWORK USE POLICY (CONT.)
- No use of the network to transmit unauthorized files/information
- No downloading software unless approved by the IT dept.
- Outside devices may not connect to the company network
  - Recommend a separate guest network
- Cloud storage only as approved by the IT dept.
- Remote connection to the network through VPN whenever possible
- Other requirements based on the nature of the company and data

Page 30: EMAIL/NETWORK USE POLICY (CONT.)
Email/Network Use Worksheet (handout)
- Complete what you can now
- Take the worksheet back to your office to discuss with others and complete. You may need to meet with representatives from:
  - IT
  - HR
  - Administration
  - Others? (understand unique departmental needs)

Page 31: PASSWORD POLICY
- Require strong passwords on all computers/devices used by employees (company owned or employee owned)
- Require new passwords at least every 90 days
- Use a company database/system to track changes and require new passwords each time (no repeats)
- Complexity requirements: contain at least 4 of the following:
  - Upper case letters
  - Lower case letters
  - Numbers
  - "Special" characters (e.g. @#$%&)
  - Punctuation marks
- At least 10 (TBD) alphanumeric characters

Page 32: PASSWORD POLICY (CONT.)
Do NOT use passwords with the following characteristics:
- A word found in a dictionary (English or foreign)
- Name of family, pets, friends, co-workers, fantasy characters, etc.
- The company's name, a nearby city name or a derivation of either
- Computer terms and names, commands, sites, companies, hardware, software
- Birthdays and other personal information such as addresses and phone numbers
- Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
- Any of the above spelled backwards

Page 33: PASSWORD POLICY (CONT.)
Additional password recommendations:
- Always decline the use of the "Remember Password" feature of applications
- Use different passwords for company accounts from other non-company access
- Use different passwords for various company access needs whenever possible
- Do not share company passwords with anyone, including administrative assistants
- Passwords should never be written down or stored on-line without encryption
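The following checker turns the rules on the three password slides above (at least 10 characters, 4 of the 5 character classes, no dictionary/personal/company words including digit-padded and reversed forms, no keyboard, sequential or repeated patterns) into code that a provisioning system could call before accepting a new password. It is an added example, not code from the presentation; BANNED_WORDS is a constructed stand-in for the dictionary and organisation-specific term lists the policy refers to, and the sample passwords are made up.

```python
"""Password policy checker for the rules on the slides above.

Added example, not part of the original presentation.  BANNED_WORDS is a
constructed stand-in for the dictionary, family/pet names, company name,
nearby city and computer terms the policy bans; a real deployment would
load a full word list plus an organisation-specific term list.
"""
import re
import string

MIN_LENGTH = 10                        # "at least 10 (TBD) characters"
MIN_CLASSES = 4                        # "at least 4 of the following"
SPECIALS = set("@#$%&")                # the slide's "special" examples
PUNCTUATION = set(string.punctuation) - SPECIALS   # the fifth class

BANNED_WORDS = {"secret", "password", "welcome", "denver", "acme",
                "fluffy", "admin", "windows"}      # constructed sample
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def count_classes(pw):
    """Number of the five policy character classes present in pw."""
    tests = (str.isupper, str.islower, str.isdigit,
             SPECIALS.__contains__, PUNCTUATION.__contains__)
    return sum(any(test(c) for c in pw) for test in tests)


def has_sequence(pw, run=3):
    """True if pw contains `run` consecutive characters that step by
    exactly +1 or -1 in code-point order (abc, 321, zyxw).  A run of 3
    is used so that the slide's 123321 example is caught."""
    for i in range(len(pw) - run + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_run(pw, run=4):
    """True if pw contains `run` keys that are adjacent on a keyboard
    row, in either direction (qwer, poiu)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if piece in low or piece[::-1] in low:
                return True
    return False


def contains_banned_word(pw):
    """True if any banned word, or its reverse, appears in pw (case-
    insensitively).  Substring matching also catches the digit-padded
    forms the slide names (secret1, 1secret)."""
    low = pw.lower()
    return any(w in low or w[::-1] in low for w in BANNED_WORDS)


def violations(pw):
    """Return the list of policy rules the password breaks (empty = OK)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if count_classes(pw) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    # a character repeated 3+ times, or a group of 2+ characters repeated
    if re.search(r"(.)\1\1", pw) or re.search(r"(..+)\1", pw):
        problems.append("repeated pattern (aaabbb, abcabc)")
    if has_sequence(pw):
        problems.append("sequential characters (123321, zyxwvuts)")
    if has_keyboard_run(pw):
        problems.append("keyboard pattern (qwerty)")
    if contains_banned_word(pw):
        problems.append("contains a dictionary/personal/company word")
    return problems


def is_compliant(pw):
    return not violations(pw)


if __name__ == "__main__":
    # constructed sample candidates
    for candidate in ("Secret1", "1terceS@#", "qwerty123321!",
                      "Fluffy2009!", "Rx7!kVb#2mQ,w"):
        print("%-16s %s" % (candidate,
                            ", ".join(violations(candidate)) or "OK"))
```

The 90-day rotation and no-repeat rules from slide 31 are not modelled here; they need the history store the slide mentions, and that store must keep password hashes, never the passwords themselves.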

Page 34: WEBSITE/MOBILE APP PRIVACY POLICY
Essential terms to include:
- Data collected (how/when collected)
- How the data is used
- Under what circumstances data is shared (and with whom)
  - Avoid over-promising ("we will never share your data")
- Ability for users to modify/delete their PII
- Ability to opt out of sharing with third parties, use for marketing, etc.
- Notice of material changes
  - No use inconsistent with the original policy unless notice and choice are provided
- Disclosures if using cookies/similar tracking technologies
  - CA required disclosures:
    - How the site responds to browser "do not track" signals
    - Use of cookies to track users across sites
  - EU: must disclose use of cookies and obtain consent
- Consent to transfer to the U.S., if applicable
- Effective date (governs all data collected under that policy)
- Contact information

Page 35: WEBSITE/MOBILE APP PRIVACY (CONT.)
- FTC enforcement actions: you must follow your own privacy policy; no deceptive or unfair practices
  - Not having reasonable data security has been deemed unfair/deceptive
  - Enforcement re: failures leading to security breaches

Page 36: OTHER POLICIES TO CONSIDER
- Data Retention Policy
- Data Destruction Policy
- Remote Access Policy
- Backup Policy
- Social Media Policy
- Many others…

Page 37: SECURITY BREACH PLANNING

Page 38: BEFORE A BREACH OCCURS
- Limit the type and amount of personal data collected
  - Don't use SSN as an identifier
  - Is DOB really necessary? Evaluate other identifiers
- Employee measures
  - Restrict who has access to personal data
  - Train staff re: how to spot a breach and what to do if a breach is suspected
- Monitor data access and use on an ongoing basis. Use software to notify of:
  - Outside access requests (potential hackers)
  - Suspicious patterns of use
  - Unusually large access requests/downloads
  - Access by unauthorized departments
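The four notification triggers on the slide above, written as detection rules run over a few constructed access-log lines. This is an added example, not software from the presentation; the log format, the 10.0.0.0/8 internal range, the department authorisations, the 500-record bulk threshold and the three-denials-in-five-minutes pattern are all assumptions chosen for the illustration.

```python
"""Access-monitoring rules for the four alert triggers the slide lists:
outside access requests, suspicious patterns, unusually large downloads,
and access by unauthorized departments.

Added example, not part of the original presentation.  The log format,
internal address range, department authorisations and thresholds are
constructed assumptions, and SAMPLE_LOG is made-up data.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed access log: timestamp, user, department, source IP,
# result (ok/denied), number of records returned, data set name.
SAMPLE_LOG = """\
2015-12-01T09:02:11 jsmith scholarship 10.1.4.22 ok 12 applicants
2015-12-01T09:05:40 jsmith scholarship 10.1.4.22 ok 8 applicants
2015-12-01T09:30:02 mlee marketing 10.1.7.9 ok 3 applicants
2015-12-01T10:11:55 tbrown accounting 10.1.9.14 ok 40 donors
2015-12-01T11:00:00 svc_backup it 10.1.2.2 ok 5000 donors
2015-12-01T23:45:13 jsmith scholarship 203.0.113.45 ok 2500 applicants
2015-12-02T02:14:01 unknown - 198.51.100.7 denied 0 applicants
2015-12-02T02:14:05 unknown - 198.51.100.7 denied 0 applicants
2015-12-02T02:14:09 unknown - 198.51.100.7 denied 0 applicants
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed LAN
# Departments authorised to read each data set (assumption).
AUTHORISED = {"applicants": {"scholarship", "it"},
              "donors": {"accounting", "it"}}
BULK_THRESHOLD = 500                 # "unusually large" records per request
EXEMPT_USERS = {"svc_backup"}        # known bulk reader (backup job)
DENIED_LIMIT = 3                     # denied attempts from one IP ...
DENIED_WINDOW = timedelta(minutes=5)  # ... within this sliding window


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, user, dept, ip, result, count, dataset = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "dept": dept,
            "ip": ipaddress.ip_address(ip), "result": result,
            "count": int(count), "dataset": dataset}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return (rule, log line) pairs for every event that trips a rule."""
    alerts = []
    denied_by_ip = defaultdict(list)     # recent denial times per source
    for line in log_text.strip().splitlines():
        ev = parse(line)
        # 1. outside access requests (potential hackers)
        if not is_internal(ev["ip"]):
            alerts.append(("outside_access", line))
        # 2. access by an unauthorized department (only if it succeeded)
        allowed = AUTHORISED.get(ev["dataset"], set())
        if ev["result"] == "ok" and ev["dept"] not in allowed:
            alerts.append(("unauthorized_department", line))
        # 3. unusually large access requests/downloads
        if ev["count"] > BULK_THRESHOLD and ev["user"] not in EXEMPT_USERS:
            alerts.append(("bulk_download", line))
        # 4. suspicious pattern: repeated denials from one source
        if ev["result"] == "denied":
            hits = denied_by_ip[ev["ip"]]
            hits.append(ev["ts"])
            hits[:] = [t for t in hits if ev["ts"] - t <= DENIED_WINDOW]
            if len(hits) >= DENIED_LIMIT:
                alerts.append(("repeated_denials", line))
    return alerts


def rule_counts(log_text):
    """How many times each rule fired; useful for a daily summary."""
    return dict(Counter(rule for rule, _ in detect(log_text)))


if __name__ == "__main__":
    for rule, line in detect(SAMPLE_LOG):
        print("%-24s %s" % (rule, line))
    print(rule_counts(SAMPLE_LOG))
```

On the sample data the after-hours external bulk read by jsmith fires two rules at once, which is the kind of overlap that should raise an alert's priority rather than be de-duplicated away.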

Page 39: BEFORE A BREACH OCCURS (CONT.)
- Segregate data to limit risks
  - Use separate networks, firewalls, access controls
- Encrypt data (eliminates many notification requirements)
- Data destruction
  - Schedule for destruction; all types of data/formats
  - Compliance with state laws (shred, erase, make unreadable)
- Evaluate cyber liability insurance
  - Be sure to read exclusions carefully!

Page 40: CREATE A BREACH PLAN
Draft a Breach Plan including the following:
- Company contacts:
  - Designate an incident response team and the team lead
  - Other individuals (management, board, IT dept., etc.)
  - Include all means of contact for all individuals to be notified: cell/home/work phone, multiple email addresses, to be used 24x7
- External parties to be notified:
  - Third parties for whom you process data
  - Third parties storing/processing your data
  - Law enforcement, if applicable
  - Criteria to assess which notification laws are triggered
- Data forensics specialist to contact for investigation
  - Evaluate several options and enter a contract in advance
- Attorney to assist if a breach occurs
- PR firm to manage media coverage, if applicable
- List of states from which the entity has personal information triggering notification requirements (update frequently)

Page 41: CREATE A BREACH PLAN (CONT.)
List steps to take immediately:
- Document the date and time the breach was discovered
- Document everything known about the breach (who discovered/reported it, who is aware of it, how it was discovered, any evidence, etc.)
- Secure the premises or take other measures to preserve evidence
- Assess what data may have been accessed
  - Analyze backups or reconstructed data sources
  - Ascertain the number of people who may be impacted and the type of information accessed
  - Take steps to identify specific individuals' data potentially compromised
- Contact data forensics expert
- Contact outside breach counsel
- Contact PR representative (if media coverage is likely)

Page 42: BREACHES – IMMEDIATE ACTIONS (CONT.)
Remediation:
- If a device is lost: implement remote deletion (after consultation with data forensics)
- If a network breach: contain the breach as feasible
  - Terminate outside access to the network
  - Review log files for suspected intrusions/IP addresses
- If an identifiable system has been compromised: before shutting down the system, collect evidence (pursuant to instructions of the data forensics specialist):
  - Make a list of processes running on the system
  - Check status of the network interface
  - List all listening ports and active network connections
  - Make exact copies of the compromised system's hard drive

Page 43: BREACHES – NOTIFICATION
Legal notification requirements:
- State requirements
  - Based on location of the data subject, not the company
- Additional requirements under other laws
- Tricky issues:
  - Various definitions of what triggers notification
    - Carve-outs for encryption in some states
    - PII triggers vary in different states
  - Timing
    - Some states require notification within X days
    - Most merely require notice as soon as possible
    - Notification may be delayed if it may interfere with the investigation
  - Additional third-party notifications required
    - Vary among states (state attorney general, credit bureaus, etc.)
  - Content of notification varies among states
    - Some require specific elements, others prohibit certain details

Page 44: BREACHES – NOTIFICATION (CONT.)
- Alternate notice in some cases
  - Mail/printed notices typically required
  - Electronic (email) often allowed if that is the primary means of communication (laws vary)
  - Publication in media in some states, if a substantial number of consumers are affected and many cannot be reached via mail or email
- If a substantial number, evaluate whether a call center's services would be helpful
- Evaluate whether to obtain credit monitoring or other services for impacted consumers
  - If you may want this, negotiate pre-breach for better rates
  - Most consumers don't take advantage of this even if offered

Page 45: EVALUATING AND OVERSEEING COMPLIANCE OF SERVICE PROVIDERS

Page 46: YOU CAN'T OUTSOURCE COMPLIANCE
- When companies use third-party vendors to collect, process, or provide other data management services, the company is responsible for ensuring the vendors maintain security practices in accordance with applicable laws and regulations governing the company's PII
- Take adequate internal precautions to prevent unauthorized access to data and networks by your vendors
- Before engaging a vendor, be sure it can comply on your behalf
- According to a study published by PwC in Nov. 2013: "Although 71% of companies expressed confidence that their security activities are effective, only 32% require third-parties to comply with their policies."

Page 47: SELECTING A PROVIDER – DUE DILIGENCE
When choosing third-party service providers who will have access to PII, ask for the following (as applicable):
- Require them to complete a vendor compliance questionnaire
  - Legal compliance documentation
  - Data security measures (copy of their WISP if possible)
    - Network, firewalls, encryption standards, backups, etc.; may potentially include dozens of questions as needed (or more)
  - Third-party audits and certifications
  - Employee training, background checks, confidentiality policies
  - Cyber insurance
  - Location of data centers
- Visit their facilities, meet the team
- Obtain and check customer references

Page 48: NEGOTIATING VENDOR CONTRACTS
Key considerations:
- Contractually shift responsibility when you trust an outside entity with data
- Evaluate whether to include specific/detailed requirements or merely require compliance with "applicable laws and regulations"

Page 49: NEGOTIATING VENDOR CONTRACTS
Restrictions on vendor access and use of PII:
- Specify use parameters: only in the performance of this agreement
- List permitted means of access
- How data will be transferred to/from the vendor, etc.
- Timing limitations

Page 50: NEGOTIATING VENDOR CONTRACTS
Information Security Requirements:
- Specific IT measures to comply with acceptable industry practices:
  - Encryption of data (in transit, at rest, web-facing applications)
  - Firewalls
  - Network security
  - Mobile security
  - Access controls/authentication
  - Segregation of vendor's data/systems
  - Vendor application of latest security patches
- Employee background checks/training
- Limit physical access to facilities
- Other requirements based on applicable laws
- Data centers: location requirements needed if processing PII or ePHI, to comply with data import/export regulations and local laws

Page 51: NEGOTIATING VENDOR CONTRACTS
Security Breach Notification and Disclosures:
- Immediately notify the customer of all suspected breaches (specify details)
- Procedures the vendor must follow in the event of a breach
  - Investigation details (timing, approved by customer, vendor pays)
  - What the vendor has done/will do to mitigate potential damage and prevent future breaches
  - Notification to consumers
    - Require compliance with various state/industry breach notification laws
  - Customer approves (or controls) all public communications
  - Vendor pays costs for notification program, credit monitoring, etc.

Page 52: NEGOTIATING VENDOR CONTRACTS
Compliance With Laws:
- Require the vendor to comply with all applicable information security and privacy laws and regulations
- Include an additional list if the vendor may not be aware of some for your industry

Confidentiality Obligations:
- Data, results of processing, other relevant business information
- Require notification to the customer of any subpoenas/other requests by government or third parties for data
- Access limitations: "legitimate business need to know"
- Survival of the obligation of confidentiality post termination
- Require the vendor to return, or destroy, all data in the vendor's possession or control
  - Compliance with applicable data destruction laws

Page 53: NEGOTIATING VENDOR CONTRACTS
Service Level Agreements:
- Uptime guarantees
- Error response and remediation timing
- Notification before suspension of services
- Maintenance windows: late night/early morning
- Penalties for noncompliance: credits, termination rights
- Reporting re: SLA compliance
- Emergency resource allocation: preferential treatment

Page 54: NEGOTIATING VENDOR CONTRACTS
Risk Allocation Provisions:
- Limitation of liability
- Indemnification by vendor re: security breach claims/costs

Insurance Requirements:
- Cyber insurance covering both data loss and data breach response
- General commercial liability, other as applicable
- Additional insured

Page 55: NEGOTIATING VENDOR CONTRACTS
Audit and Monitoring Rights:
- Third-party audit of the vendor's IT security practices, inspection of data centers: confirm the vendor's infrastructure and security practices via an onsite inspection
  - Customer selects the auditor
  - Note: be sure you want this; if no corrective actions are taken on the findings, you may be deemed negligent
- Audit data collected/accessed, other aspects of contract performance
- Consider monitoring software

Page 56: NEGOTIATING VENDOR CONTRACTS
Termination Issues:
- Include a threshold for SLA violations or certain breaches for which no cure is allowed
- Post-termination obligations
  - Transition assistance
  - Data transfer (customer designates format)

Personnel and Subcontractors:
- Right to approve key people on the project
- Right to prohibit/approve use of any subcontractors
- Background check, training, monitoring, other restrictions
- Contractual requirements for subcontractors

Page 57: THANK YOU!
Feel free to contact me with any questions:
Deborah Shinbein, Esq., CIPP
[email protected]
303-997-1325