Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy
Monique Altheim, Principal, The Law Office Monique Altheim
Dori Anne Kuchinsky, Assistant General Counsel, Litigation & Global Privacy, W.R. Grace & Co.
Kamal Patheja, Legal Director Global Software Licensing, DHL
Albert M. Raymond, Head of U.S. Privacy & Social Media Compliance, TD Bank
FEBRUARY 4 – 6, 2014 / THE HILTON NEW YORK
Target and Neimans and Snapchat, Oh My! The Year in Data Privacy
• Privacy Jeopardy: The Rules, The Categories, The Prizes
LEGALTECH NEW YORK / FEBRUARY 4 – 6, 2014
EU-U.S. Safe Harbor and the “Snowden Effect”
Poll Question:
The FTC recently announced settlements with 12 U.S. companies for Safe Harbor violations. The violation charged was:
a) Allowing the NSA to access EU data transferred under Safe Harbor
b) Using Safe Harbor to justify transfers to inadequate countries
c) Falsely claiming they had current Safe Harbor certifications
d) None of the above
Social Media Security Fails in 2013
Associated Press Twitter Account Hack April 2013
• The Associated Press' Twitter account was hacked.
• Moments later, the Syrian Electronic Army claimed responsibility for the attack.
• The message spread quickly, with Twitter users immediately wondering if the account had been hacked.
• The Associated Press clarified shortly thereafter that the tweet was a fake.
Associated Press Twitter Account Hack
The Syrian Electronic Army, an organization that supports Syrian President Bashar al-Assad, tweeted:
Associated Press Twitter Account Hack
Real Repercussions
Poll Question:
Which of these ‘strong’ passwords should the Associated Press have used to protect its Twitter account?
a) Password
b) Qwerty
c) Abc123
d) Muj@hideen2#
Chrysler Social Media Faux Pas
Chrysler Social Media Faux Pas
Poll Question:
If your vendor causes a security or privacy event for you, what could be your recourse?
a) Legal action
b) Nothing. Your vendor’s actions are your own
c) Depends on the contract
d) Run over someone with a Chrysler 300 Hemi
Burger King’s Twitter Account Hijacked
• The account was hacked by an unknown group, which changed the company’s logo and profile name to McDonald’s. It then started tweeting offensive messages, along with a message the company was “bought out” by McDonald’s.
• After nearly an hour and a half of “tasteless” tweets filled with drug references and obscenities, Twitter finally suspended the account.
• Burger King actually gained almost 30,000 followers after the incident!
• 300% rise in conversations on the BK site (450,000 tweets!)
Burger King’s Twitter Account Hijacked
Poll Question:
What do you suppose is the biggest risk from having your SM account hijacked?
a) Brand risk
b) Reputation risk
c) Both A & B
d) Loss of the formula for ‘secret sauce’
Lessons Learned?
• Poor Pwd Management: The companies didn’t know who had access to the account or to the passwords. If the same password can be used across multiple accounts, that’s poor password management.
• Newsflash!: Passwords need to be changed on a periodic basis.
• Weakest Link: Any system can be compromised with enough time and effort. Many ways into the crown jewels exist, including phishing, smishing, social engineering, software, or applications.
• Inside Job: Malcontent employees (current or former) who have/had access to the passwords make it difficult to know if the account truly was hacked or if it was a rogue employee. Many social media accounts are not tied to Active Directory or LDAP systems.
• Vendor Management: If you lack the skills inside the organization to run your SM site, you may rely on an external firm. Burger King and Chrysler were both highly dependent on external agencies to manage and control their Twitter accounts. Improper governance and oversight led to epic Social Media Fails.
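The password-hygiene failures listed above (one password on several accounts, no rotation, nobody knowing who holds the credential, accounts outside AD/LDAP) are the kind of thing an in-house team can check mechanically before an agency-run account gets hijacked. The audit below is an added example, not material from the presenters or from any of the companies named on the slides; the account handles, holders, dates and the small COMMON_PASSWORDS list are constructed for illustration, and the poll’s four candidate passwords are run through the same strength check.

```python
"""Audit a constructed social-media account inventory for the password
hygiene failures described in the slides: passwords reused across accounts,
passwords never rotated, accounts not tied to a central directory, and
credentials whose holders are unknown or too numerous.  Added example; the
accounts, people and dates below are constructed, not real."""
from dataclasses import dataclass, field
from datetime import date
import hashlib

# Small constructed blocklist; a real deployment uses a breached-password corpus.
COMMON_PASSWORDS = {"password", "qwerty", "abc123", "123456", "letmein"}


@dataclass
class Account:
    handle: str
    password_fp: str                 # fingerprint only; plaintext is never stored
    last_rotated: date
    directory_backed: bool           # tied to AD/LDAP (or another central IdP)?
    holders: list = field(default_factory=list)  # people/agencies holding the credential


def fingerprint(password: str) -> str:
    """Fingerprint used only to detect the *same* password across accounts.
    A credential store would use a salted slow hash (bcrypt/scrypt/argon2),
    which by design cannot be compared across accounts like this."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_weaknesses(password: str) -> list:
    """Return the weaknesses found in a candidate password (empty list = none)."""
    issues = []
    if password.lower() in COMMON_PASSWORDS:
        issues.append("common")
    if len(password) < 12:
        issues.append("short")
    classes = sum(
        any(test(c) for c in password)
        for test in (str.islower, str.isupper, str.isdigit,
                     lambda c: not c.isalnum())
    )
    if classes < 3:
        issues.append("low_variety")
    return issues


def audit(accounts, today, max_age_days=90, max_holders=3):
    """Return (finding_kind, subject) tuples for every hygiene failure."""
    findings = []
    by_fp = {}
    for acct in accounts:
        by_fp.setdefault(acct.password_fp, []).append(acct.handle)
    for handles in by_fp.values():
        if len(handles) > 1:                      # same password on >1 account
            findings.append(("reused_password", tuple(sorted(handles))))
    for acct in accounts:
        if (today - acct.last_rotated).days > max_age_days:
            findings.append(("stale_password", acct.handle))
        if not acct.directory_backed:             # no AD/LDAP tie-in
            findings.append(("not_directory_backed", acct.handle))
        if not acct.holders or len(acct.holders) > max_holders:
            findings.append(("access_unknown_or_too_broad", acct.handle))
    return findings


# Constructed inventory: two accounts share a password, one is long overdue
# for rotation and held by too many people, one is done right.
SAMPLE_ACCOUNTS = [
    Account("@corp_news", fingerprint("Spring2013!"), date(2012, 11, 1), False,
            ["agency-a", "agency-b", "intern", "unknown"]),
    Account("@corp_support", fingerprint("Spring2013!"), date(2013, 12, 15), False,
            ["social-team"]),
    Account("@corp_careers", fingerprint("xK9#vL2$pQ7!mR4w"), date(2014, 1, 10), True,
            ["hr-lead"]),
]
TODAY = date(2014, 2, 4)   # date of the session; constructed reference point

if __name__ == "__main__":
    for pw in ("Password", "Qwerty", "Abc123", "Muj@hideen2#"):   # the poll's options
        print(f"{pw:14s} -> {password_weaknesses(pw) or 'no weaknesses found'}")
    for kind, subject in audit(SAMPLE_ACCOUNTS, TODAY):
        print(f"{kind:28s} {subject}")
```

Reuse detection works on fingerprints rather than plaintext so the audit can run against an exported inventory without ever holding the passwords themselves; only option d) from the poll passes the strength check, and only the directory-backed account with a single named holder comes out of the audit clean.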
Location, Location, Location- Why it REALLY Matters
Conflict with respect to Personal Data*
• EU: everything is prohibited unless expressly permitted by law
• US: everything is permitted unless expressly prohibited by law
US vs. EU
*Art. 2 Directive 95/46/EC: “Personal data” means any information relating to an identified or identifiable natural person (“data subject”).
An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Incident #1- Dude - Where’s My Data?
Incident #1
Poll Question:
Which of the following is Personal Data?
a) Car registration plate
b) Work email address
c) Employee number
d) Employee status on corporate live chat system
e) All of the above
Incident #1
Poll Question:
Which of the following is NOT an adequate way of transferring Personal Data to a third party company outside of the EEA?
a) Model Clauses
b) Safe Harbor registration
c) White Listed Countries
d) Binding Corporate Rules
e) None of the above
Incident #1- Dude - Where’s My Data?
• DPDHL UK entity engaged with UK supplier to acquire a claims handling system
• The solution involved the hosting of claims related information of DPDHL employees
• Contract governed by English law
• Contract provides for DPDHL providing personal data to supplier in UK
• Contract completed ready for sign off
• DPDHL Legal enquire as to supplier’s server location
• “Oops, forgot to tell you”: Data to be hosted in US! By a third party!
• 3 months later we sign off the deal after arduous negotiations surrounding the data protection provisions – supplier did not see what the big deal was for DPDHL!
Incident #2- Show Me the Data!
Incident #2
Poll Question:
Which of the following is deemed valid consent for the purposes of transferring Personal Data?
a) Data subject’s waiver in the form of posting of same Personal Data to social media
b) A formal consent form signed by the company’s CEO authorizing the transfer of employee Personal Data
c) A formal consent form signed by an administrative assistant authorizing transfer of his/her personal data
d) An email by CEO authorizing transfer of his/her personal data
e) None of the above
Incident #2
Poll Question:
Which of the following is true?
a) E-discovery rules override the EU Data Protection Directive
b) EU Data Protection Directive overrides E-discovery rules
c) The EU Data Protection Directive can be ignored by US Company only doing business in the US
d) Companies can select which privacy regime to follow based on country of registration
e) None of the above
Incident #2- Show Me the Data!
• US based employee seconded to Germany
• The new role never transpired
• Employee sought reinstatement to her original role in US
• Old role filled!!!
• Employee commenced proceedings in US against DPDHL alleging wrongful termination and harassment
• Plaintiff produced altered emails
• DHL had to collect emails from executives and non-executives in Germany to disprove the Plaintiff’s allegations
• US litigators barred by EU Data Protection from collecting data
Incident #2- Show Me the Data!
• DPDHL had to implement adequate measures which included:
  – Giving German employees an opportunity to consult with DPDHL Data Protection Officers
  – DPDHL Officers consulting with German Worker’s Council
  – US lawyers to disclose data needed, where it would be sent to and how it would be used
  – US lawyers had to obtain consent from each custodian, subject to refusal or withdrawal
  – EU employees to self-collect
  – Data subject to protective order
  – Then and only then could data be used in litigation
Lessons Learned?
• From the outset ask suppliers about server locations and DR sites
• Quiz your business folk on the type of data to be processed/hosted/stored
• In any litigation matter be mindful of any European aspects to the case
• Seek local legal advice on national law issues
• The EU Directive has been implemented by all EU members in their local legislation with varying degrees of formality, e.g. Germany compared to UK
Privacy Enforcement in the U.S.
Oregon Woman Awarded $18.6 MILLION Over Equifax Credit Report Mix-Up
July 2013 (Reduced to $1.62 Million on Appeal on January 29, 2014)
FTC Collects $3.5 Million From TeleCheck For Failing To Investigate Disputes Or Correct Errors
January 16, 2014
FTC Expands FCRA Coverage to Mobile Industry – Criminal Records Search Apps
January 10, 2013
FCRA
Poll Question:
A consumer reporting agency falls under the Fair Credit Reporting Act (FCRA) if it sells consumer reports to:
a) Banks, Insurance Companies, Employers and Consumers
b) Banks, Insurance Companies, Employers and for Other Business Purposes
c) Banks, Insurance Companies, Employers, Marketers, and Dating Sites
d) All of the above
FTC Announces First Settlement Involving Privacy and the "Internet of Things" – The TRENDnet Case
September 2013
Section 5 (a) of the FTC Act
Poll Question:
A company has an obligation under section 5 (a) of the FTC Act to provide reasonable security for its PII:
a) Always
b) Only if there is risk of substantial damage
c) Only if it promises to do so
d) Never
WellPoint Pays HHS $1.7 Million for Leaving Information Accessible Over Internet
July 2013
Poll Question:
The following entities must comply with HIPAA Privacy and Security Rules:
a) Law firms that handle PHI from insurance companies, hospitals or health care providers
b) Webmd.com and Patientslikeme.com
c) H.R. departments
d) All of the above
HIPAA
Lessons Learned?
• Data Brokers and App Developers: If you quack like a duck…you are a duck. Regardless of your ToS, if you act as a consumer reporting agency, you need to be compliant with the FCRA requirements to avoid steep fines from the FTC and lawsuits from wronged consumers.
• Companies under jurisdiction of FTC: Say what you mean and mean what you say in your privacy policies. Don’t make promises you will not keep, lest the FTC accuse you of deceptive practices under Section 5(a) FTCA. If you handle sensitive data, the breach of which may result in substantial damage, you must have a data security program in place, lest the FTC accuse you of unfair practices under Section 5(a) FTCA.
• All companies processing PHI from HIPAA “covered entities”: As “business associates” you must comply with HIPAA Privacy and Security Rules as well. HHS/FTC are after you!
Questions?