
Legal Issues of Data Security and Privacy – Yes it Applies to You

BrownWinick Law Firm, 666 Grand Avenue, Suite 2000, Des Moines, IA 50309-2510

www.brownwinick.com

What You Will Learn

What Rules Govern the Use of Personal Information and Data

What Information is Protected

Using Personal Information for Marketing

What Happens if There is a Breach

Differences Between US and EU

How to Start Protecting Yourself

Meet the BW Presenters

Drew Larson, Matt McKinney, Brian McCormac, Katheryn Thorson

Why This Matters

Regulatory Activity

High Profile Breaches (Target, Anthem, Michaels, Casinos, Sony)

Competitive Risks

Bottom Line Impacts (fines, reputation, PR costs)

How Much is Your Hacked Data Worth?

(Chart not reproduced.) Credit – Tom Gara, Wall Street Journal

WHAT RULES GOVERN? WHAT INFO IS PROTECTED?

Shifting Targets, Unclear Rules

Data privacy rules are set country by country (with some EU-wide standards).

Rules are fractured in the US, with different rules at the federal and state levels and for certain sectors and types of data.

Extremely difficult to comply with all rules.

Key Regulatory Agencies

US Federal Trade Commission

California and Massachusetts

EU Data Protection Directive (enforced by each member state's data protection authority)

US – General System

Limited Expectations of Privacy

Notice + Opt-Out System

Exceptions: Health Information, Financial Account Information, Employment Information

EU – General System

EU Directive. Establishes a minimum standard for member states.

Data belongs to individuals and may only be used with express consent (Opt-In) or in accordance with law.

No transfer to countries without an "adequate level of protection." The US does not meet the standard.

State Data Breach Notification

Generally requires notice to people if there is a breach of personal information that is not encrypted.

Common Elements of Privacy Laws

Covered Data

Notice

Choice and Consent

Access

Cross-Border Transfers

Security

Covered Data – Protected Info

Depends on the context and regulatory environment.

Different statutory definitions of protected information for data breach, financial data, health data, etc.

Companies often self-define personal data (even accidentally) in privacy policies and other contracts.

Covered Data – Anonymous Data

Generally, data that is rendered anonymous and aggregated is not protected under data privacy laws.

Notice of Collection

In the EU and US, people generally have the right to know when data is being collected.

Notice can come in many ways, but should be (i) in writing, (ii) clear and understandable, and (iii) conspicuous.

Choice and Consent

May always use data to provide the services requested.

In the US, generally data may be used as described in the notice unless a person Opts-Out.

In the EU, generally data may only be used as described in the notice if a person Opts-In.

Access

Access reflects the level of sensitivity.

Generally, access should be limited to those parties that "need to know."

The person should have access to data held by the company and the ability to correct/update it.

Transfers of Data

For US data, it can be transferred to third parties, but this should be done consistently with the company's policy.

For EU data, it can't be transferred outside of the EU unless you have met the EU/US Safe Harbor or adopted standard model clauses or binding corporate rules (for parents and subsidiaries).

Security

In the US, a company generally must take reasonable technical, physical, and organizational measures to protect the security of sensitive personal information. Additional standards apply to certain data (e.g. HIPAA for health information).

In the EU, a company must generally take appropriate technical and organizational measures against loss, destruction, or unauthorized access or use.

WHAT HAPPENS IF THERE IS A BREACH?

Percentage of Claims by Cause of Loss (chart not reproduced; source: NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims)

Percentage of Claims by Business Sector (chart not reproduced; same source)

What Constitutes "Personal Information?" (Iowa's Breach Notification Map; prepared by Matt McKinney, current as of 5/29/15)

Any of the following unencrypted information:

• Government issued identifier (SSN, driver's license, pilot license, inmate number, etc.);

• Financial account number (credit card / debit card) in combination with any information that would grant access to the account (e.g. expiration date, security code);

• Username and password to a financial account; or

• Biometric data representation (fingerprint, retina, or iris).

The slide's decision flowchart (a sequence of yes/no questions beginning with whether your company owns or licenses the data) did not survive extraction and is not reproduced here.
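As an added example (not from the presentation or the firm), the element list above turned into the triage check an incident responder would run over an exported customer table to scope who must be notified. The field names, the sample records, and the treatment of a compromised encryption key as equivalent to plaintext are constructed assumptions; the element list follows the slide, so the individual's name, which the statute pairs with each element, is not modelled.

```python
"""Breach-scope triage against the Iowa-style "personal information" elements.

Added example, not the presenters' code. Field names, the sample records, the
'encrypted' flags and the key-compromise handling are constructed assumptions;
the element list follows the slide (Iowa's breach notification map).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(number: str) -> bool:
    """Luhn check: keeps a 16-digit order number from being counted as a card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Record:
    fields: Dict[str, str]
    encrypted: Set[str] = field(default_factory=set)  # fields that were stored encrypted
    key_compromised: bool = False  # assumption: key also taken => treat ciphertext as plaintext

    def exposed(self, name: str) -> bool:
        """Present and readable to the attacker (unencrypted, or encrypted with a taken key)."""
        if not self.fields.get(name):
            return False
        return name not in self.encrypted or self.key_compromised


def triggered_elements(rec: Record) -> List[str]:
    """Which of the slide's statutory elements are exposed in this record."""
    hits: List[str] = []
    if rec.exposed("ssn") and SSN_RE.match(rec.fields["ssn"]):
        hits.append("government identifier (SSN)")
    if rec.exposed("drivers_license"):
        hits.append("government identifier (driver's license)")
    # An account number alone is not on the slide's list; it needs an access element too.
    if (rec.exposed("card_number") and PAN_RE.match(rec.fields["card_number"])
            and luhn_ok(rec.fields["card_number"])
            and (rec.exposed("card_exp") or rec.exposed("card_cvv"))):
        hits.append("financial account number plus access data")
    if rec.exposed("bank_username") and rec.exposed("bank_password"):
        hits.append("financial account credentials")
    if rec.exposed("fingerprint_template"):
        hits.append("biometric data")
    return hits


def triage(records: Dict[str, Record], owns_or_licenses: bool) -> Dict[str, object]:
    """Apply the map's first question (own/license the data?) to pick the notice action.

    A non-owner holding data for someone else passes notice to the owner; that is the
    usual structure of state breach statutes and is an assumption here, not quoted text.
    """
    affected = {rid: triggered_elements(r) for rid, r in records.items()}
    affected = {rid: hits for rid, hits in affected.items() if hits}
    if not affected:
        action = "no statutory notice required"
    elif owns_or_licenses:
        action = "notify affected individuals"
    else:
        action = "notify the data owner/licensee"
    return {"affected": affected, "action": action}


# Constructed sample dump: what an exported customer table might look like after an incident.
SAMPLE_RECORDS: Dict[str, Record] = {
    "r1": Record({"ssn": "123-45-6789"}),                                    # plaintext SSN
    "r2": Record({"card_number": "4111111111111111", "card_cvv": "123"}),    # PAN + CVV in clear
    "r3": Record({"card_number": "4111111111111111", "card_cvv": "123"},
                 encrypted={"card_cvv"}),                                    # CVV encrypted, key safe
    "r4": Record({"ssn": "987-65-4321"}, encrypted={"ssn"}),                 # SSN encrypted, key safe
    "r5": Record({"ssn": "987-65-4321"}, encrypted={"ssn"}, key_compromised=True),
    "r6": Record({"bank_username": "jdoe"}),                                 # username without password
    "r7": Record({"card_number": "4111111111111112", "card_exp": "12/19"}),  # fails Luhn: not a PAN
}

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS, owns_or_licenses=True)
    for rid, hits in result["affected"].items():
        print(rid, "->", "; ".join(hits))
    print("action:", result["action"])
```

Records r3 and r4 drop out because the element that would complete the trigger is encrypted and the key was not taken, which is exactly why the slides push encryption: it changes the statutory answer, not just the risk. Record r5 shows the caveat that the exemption is only as good as the key.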

"Regular email is not a secure method for sending sensitive data. The better practice is to encrypt any transmission that contains information that could be used by fraudsters or identity thieves."

Federal Trade Commission's November 2011 Guide to Business.

The Federal Trade Commission Act (Section 5) prohibits "unfair or deceptive practices in or affecting commerce."

Court ruled the FTC can enforce breaches as an unfair practice under the FTC Act

The FTC sued Wyndham Worldwide Corporation in 2012, alleging:

• Violation of the FTC Act's prohibition against unfair or deceptive acts or practices.

• "Failure to maintain reasonable and appropriate data security for consumers' sensitive personal information."

Wyndham moved to dismiss, arguing the FTC does not have authority to bring an "unfairness" claim involving data security.

Court disagreed; case not dismissed. (After this presentation, the Third Circuit affirmed that ruling in August 2015, FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).)

FTC in Action

Practices the FTC attacks as "deceptive":

• Violating your published privacy policies

Practices the FTC attacks as "unfair":

• Failing to implement reasonable safeguards to protect the privacy of consumer information

• Failing to employ firewalls

• Storing sensitive data in readable (plaintext) form

• Failing to implement adequate security policies and procedures

• Utilizing outdated operating systems incapable of receiving updates

• Utilizing commonly-used default user IDs and passwords

Common Law 101

• Duty

• Breach

• Causation

• Injury/Harm

• Damages

• Defenses

Federal Trade Commission

• No "unfair or deceptive practices in or affecting commerce."

• Broad dragnet

• No intent required

• No actual harm required

Director Liability Arising from Data Breach

Palkon v. Holmes, No. 14-cv-01234 (D.N.J.): Wyndham shareholders sued directors and officers, claiming their failure to implement adequate information-security policies allowed three data breaches. (The district court dismissed the derivative suit in October 2014, finding the board's refusal of the shareholder demand protected by the business judgment rule.)

Directors owe duties of care (protected by the business judgment rule, BJR) and loyalty, including the duty of oversight (no BJR protection). Under Stone v. Ritter (Del. 2006), oversight liability arises where directors:

• Did not implement any reporting or information system or controls; or

• Implemented controls, but "consciously failed to monitor or oversee its operations."

Director Liability Arising from Data Breach (cont.)

After a data breach, claims against the board probably will be:

• Breach of duty of care, and

• Breach of duty of loyalty/oversight

The court "look[s] for evidence of whether a board has acted in a deliberate and knowledgeable way identifying and exploring alternatives." Citron v. Fairchild Camera & Instrument Corp. (Del. 1989).

Directors may rely on reports prepared by others, BUT MUST TAKE an active and direct role.

A board that fails to manage and monitor cybersecurity probably breaches its duties of care and oversight.

Director Liability Arising from Data Breach (cont.)

Protect against liability:

• Board must become well-informed

• Board should appoint a committee responsible for privacy and security

• Recruit and hire at least one tech-savvy member

• Follow best industry practices

Director Liability Arising from Data Breach (cont.)

Gramm-Leach-Bliley Act

• Applies to financial institutions;

• Requires a financial institution's board of directors, or an appropriate committee of the board, to satisfy specific requirements designed to ensure that the institution's information security program is developed, implemented, and maintained;

• Management must provide a report to the board, or an appropriate committee, at least annually describing the overall status of the information security program and compliance with the Security Guidelines (the Interagency Guidelines Establishing Information Security Standards). The report should describe material matters relating to the program.

USING PERSONAL INFORMATION FOR MARKETING

Privacy and Marketing

Nearly every business has a formal or informal list of customers and prospects:

• File cabinet

• Database

• Rolodex

• Outlook Contacts

The ability to market to customers and prospects is regulated.

Risk Spectrum

The level of regulation, and the accompanying risk, increases with the "invasiveness" of the means of communication:

• Direct mail

• Email

• Telemarketing

• Text messaging

Direct Mail Regulations

Postal regulations on issues like:

• Classification

• Size

• Weight

• Mailing rates

Direct Mail Regulations (cont.)

Deceptive Mail Prevention and Enforcement Act

• Federal statute, passed in December 1999 and effective in 2000

• Passed in response to deceptive practices by companies like Publishers Clearing House, which used materials that implied a purchase increased the odds of winning (subject of a $34 million settlement with 26 state AGs in 2001)

• Applies only to sweepstakes promoted or entered by mail

Direct Mail Regulations (cont.)

Deceptive Mail Prevention and Enforcement Act (cont.)

• Creates a private cause of action (including class actions) for violations

• Prohibits:

  • Claims that a person is a winner unless they have actually won a prize

  • Mailing of void checks (unless they clearly state they are non-negotiable and have no cash value)

  • Implied affiliation with or approval by the federal government

Direct Mail Regulations (cont.)

Deceptive Mail Prevention and Enforcement Act (cont.)

• Requires clear and conspicuous disclosures:

  • No purchase necessary

  • Purchase will not increase odds

  • All material terms and conditions

  • Identification of the sponsor

  • Odds

  • List of prizes and values

Direct Mail Regulations (cont.)

Deceptive Mail Prevention and Enforcement Act (cont.)

• Similar state laws regulate sweepstakes mailings to residents (e.g. Colorado)

There is no federal "do not mail" list

• Efforts in the early 2000s to create a do-not-mail list, akin to do-not-call regulations

• Defeated by direct marketing interest groups

• Rationale: it's easy to throw away "junk mail"

Direct Mail Regulations (cont.)

Limited options to opt out of direct mail:

• Prescreened offers of credit/insurance (opt out through the credit reporting agencies)

• Direct Marketing Association (DMA) offers a five-year opt-out from direct mail from its members

Email Regulations

Big Picture

• United States: must opt out to stop receiving commercial emails

• Most of the rest of the world: must opt in to receive them

In the US, email marketing is regulated by the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)

Email Regulations (cont.)

Provides criminal and civil penalties

CAN-SPAM Act sets forth requirements for "commercial emails":

• Primary purpose is the commercial advertisement or promotion of a product or service

Email Regulations (cont.)

Preempts state laws regulating commercial emails

• Except for claims of falsity or deception (consumer fraud, for example)

• Important because California had enacted a law requiring opt-ins for commercial emails, which CAN-SPAM preempted

Email Regulations (cont.)

CAN-SPAM Act generally does not regulate "transactional or relationship" emails, the primary purpose of which is to:

• Facilitate, complete, or confirm a commercial transaction

• Provide warranty, safety, or recall information

• Provide notice of a change in terms, features, or the recipient's standing, or periodic account statements relating to a subscription, account, loan or other commercial relationship with the sender

• Provide employee benefit information (if the recipient is currently participating)

• Deliver goods, services, or updated information under the terms of a previously agreed transaction with the sender

Email Regulations (cont.)

Gray areas:

• Mixed commercial and transactional messages. Example: a normal billing statement combined with unrelated advertising. What is the "primary purpose" of the email?

• Who is the "sender" of the email? If you hire someone else (an ad agency) to send the email, both can be held responsible.

Email Regulations (cont.)

CAN-SPAM Act requirements

• No false or misleading header information (including domain name and email address); must accurately identify the sender

• Subject line cannot deceive the recipient about the contents or subject of the message

• Sender must provide an internet-based opt-out mechanism

• Commercial emails must be identified as an advertisement and contain the sender's postal address

Email Regulations (cont.)

Opt-out requests

• The opt-out mechanism you offer must be functional for at least 30 days after the commercial email was sent

• Opt-out requests must be honored within 10 business days

Telephone Marketing Regulations

Telephone Consumer Protection Act of 1991 (TCPA)

• Regulates how businesses may contact people by telephone or fax and provides the process for do-not-call list enforcement

Telephone Marketing Regulations (cont.)

Telephone Consumer Protection Act of 1991 (TCPA) (cont.)

• Provides for enforcement by:

  • FCC

  • State attorneys general

  • Private litigants (including class actions)

• Remedies:

  • Injunctive relief

  • $500 per violation for non-willful violations

  • $1,500 per violation for willful violations

Telephone Marketing Regulations (cont.)

Telephone Consumer Protection Act of 1991 (TCPA) (cont.)

• Calls to cell phones: in order to make prerecorded or automated calls to cell phones (including text messages), the caller must have consent from the called party:

  • Written consent for sales or marketing calls or messages

  • Oral or written consent for non-telemarketing calls or messages, including debt collection calls

Telephone Marketing Regulations (cont.)

Telephone Consumer Protection Act of 1991 (TCPA) (cont.)

• Calls to residential phones: same rule as above for prerecorded or automated calls, except that consent must be written

• No exception for established business relationships

Telephone Marketing Regulations (cont.)

Faxes

• In 2005, Congress passed the Junk Fax Prevention Act as an amendment to the TCPA.

• Does anyone send faxes anymore?

• Certain disclosures and an opt-out mechanism are required

Telephone Marketing Regulations (cont.)

National Do-Not-Call Registry

• Jointly established by the FCC and FTC in 2003

• Telemarketers must suppress calls to numbers on the registry within 31 days of when the number was added

• If residential telephone users place their numbers on the registry, they may not be called unless:

  • There is an existing business relationship with the consumer, or

  • The consumer has given express written consent

Telephone Marketing Regulations (cont.)

Safe harbor defense if:

• The call was made erroneously, and

• The caller has in place business standards (such as compliance procedures and training, record-keeping policies, and a procedure to avoid DNC violations)

• The burden is on the caller to prove these factors

Telephone Marketing Regulations (cont.)

TCPA

• October 2013 regulations tightened requirements for autodialed calls and text messages to cell phones:

  • Requires express written consent (opt-in) with more detail than "I agree to receive text messages"

  • Must disclose that "autodial" technology will be used

  • Best practice to disclose the approximate number of calls/messages that will be received

• Eliminates the existing business relationship exception

Telephone Marketing Regulations (cont.)

Recent developments/hot topics

• Recycled phone numbers

• Smartphones (contact list)

• Revocation of consent (not addressed in the text of the TCPA)

• "Grandfathering" of old opt-ins

• Vendor/agency contracts: are you protected?

• Distributors/franchisees: vicarious liability? (Taco Bell case)

HIGHLIGHTS ON INTERNATIONAL ISSUES

Data Privacy in the EU

Data Protection Directive

• Adopted in 1995 by the EU (Directive 95/46/EC)

• Provides minimum requirements for the processing of personal data

Each EU member state has enacted its own legislation

• Each member state's legislation complies with the Directive and may contain stricter requirements

• Has resulted in inconsistencies

(Since this presentation, the Directive has been replaced by the General Data Protection Regulation, which applies directly in all member states from 25 May 2018.)

Data Privacy in the EU

Scope of Regulation

• Broad definitions: personal data and processing

• Jurisdictional scope: presence of a person (establishment) or equipment in the EU

Notification and registration requirements before processing

• Each member state has different requirements and fees

• Exemptions may be available

Data Privacy in the EU

Principles:

• Process data fairly and lawfully

• Collect data only for a specified, legitimate purpose

• Refrain from storing excessive information

• Keep data up to date

Consent requirements: Opt-In

Implement data security measures

EU Data Transfer

General prohibition on transferring personal data outside the EU unless the destination provides an "adequate level of protection"

Few non-EU countries meet that threshold

Three main compliance alternatives:

• Binding Corporate Rules

• Standard Model Clauses

• EU/US Safe Harbor

EU Data Transfer – Binding Corporate Rules and Standard Model Clauses

Binding Corporate Rules (HP, Citigroup)

• Solution for multinational companies that wish to transfer data globally between affiliates

• Binding rules that show the companies adequately protect data

• Expensive ($200k+) and time consuming (18+ months)

Standard Model Clauses

• Data transfer provisions in contracts

• Need a separate contract for each transfer

• Unfriendly characteristics: subcontracting restrictions and joint and several liability

EU Data Transfer – EU/US Safe Harbor

Voluntary program negotiated after the Directive took effect in October 1998 and approved by the European Commission in July 2000

Currently 4,000+ organizations (Google, Facebook)

Allows a U.S. organization to satisfy the Directive's "adequacy requirement"

Seven principles: notice, choice, onward transfer, security, data integrity, access, and enforcement

Enforced by the private sector (dispute resolution system) and government (FTC and EU)

Relatively inexpensive unless conducting audits

(After this presentation, the Court of Justice of the EU invalidated the Safe Harbor adequacy decision on 6 October 2015 in Schrems v Data Protection Commissioner, C-362/14.)

Data Privacy in China

No comprehensive legal framework

Complex and vague: 200+ laws

Consent required

No notification or registration process

No transfer limitations

Generally, only telecommunication business operators and internet service providers are subject to breach notification laws.

Data Privacy in India

Information Technology Act of 2000 & Information Technology Rules 2011

No registration or notification requirements

Express consent and a privacy policy required

Transfer allowed if the same level of protection is provided and:

• Consent is obtained, or

• The transfer is allowed under a lawful contract, and

• The recipient complies with security standards

Current Issues

“Snowden Effect”

EU/US Safe Harbor Update

Increased FTC Enforcement Actions

EU Facebook Litigation

Practical Tips for Foreign Data

Complete compliance is a challenge

Obtain consent through opt-in and keep privacy policies updated

Reach out to local and international privacy teams to analyze risks, benefits and which transfer mechanism fits your company's needs

HOW TO START PROTECTING YOURSELF

Be Aware!

Congrats, you have already started!

Know your business and the data that it collects. There is more than you think.

Think about physical and technical security and your data handling practices.

First Steps

Develop & Review Policies and Procedures

Train Employees

Long, Unique Passwords

Two-Step (Multi-Factor) Authentication, Not Just Multiple Usernames and Passwords

Secure Connections

Encryption (in transit and at rest; encrypted data is generally outside the breach notification statutes)

Indemnification Provisions in Third-Party Agreements

Add/Review Insurance Coverage

If You Have a Breach

Immediate internal investigation

• Retain counsel (privilege/work product issues)

• Interview key personnel

• Document actions taken

Immediately and fully notify customers (and any regulators the applicable breach statute requires)

• No cover-up, minimization, or delayed reporting

• Include a plan/potential compensation offer

• Establish a customer hotline

Stay Informed (and blatant plug)

Go to our website to find and download articles about data privacy: www.brownwinick.com/dataprivacy

Sign up for updates and alerts going forward.

"10 Questions to Ask About Your Data Security Right Now!" Handout

Website: www.brownwinick.com
Toll Free Phone Number: 1-888-282-3515

OFFICE LOCATIONS:

666 Grand Avenue, Suite 2000, Des Moines, Iowa 50309-2510

Telephone: (515) 242-2400
Facsimile: (515) 283-0231

DISCLAIMER: No oral or written statement made by BrownWinick attorneys should be interpreted by the recipient as suggesting a need to obtain legal counsel from BrownWinick or any other firm, nor as suggesting a need to take legal action. Do not attempt to solve individual problems upon the basis of general information provided by any BrownWinick attorney, as slight changes in fact situations may cause a material change in legal result.