Recent Developments in Privacy and Data Security
Secureworld Expo – Dearborn, Michigan, October 4, 2012
Keith A. Cheresko, Principal, Privacy Associates International LLC

Upload: sophia-arnold

Post on 25-Dec-2015

213 views

Category:

Documents


0 download

TRANSCRIPT

1

Recent Developments in Privacy and Data Security

Secureworld Expo – Dearborn, MichiganOctober 4, 2012

Keith A. Cheresko, Principal Privacy Associates International LLC

Purpose

Data protection is a multifaceted and often complex topic. Working to achieve compliance with the assorted obligations can make one feel a bit lost. The purpose today is to provide a brief, high-level overview of the changing privacy and security environment.

Agenda

• Level Set
• Social Media
• Breach
• European Data Protection Regulation
• Practical Suggestions
• Questions & (hopefully) Answers

Areas or Topics of Data Privacy and Data Security Activity

• Breach
• Cloud
• Geo-Location
• Facial Recognition
• BYOD
• Medical Devices
• Marketing
• Social Media
• OBA
• Consumer Financial Protection Bureau
• Federal Trade Commission
• COPPA
• Health Care
• International
• EU Cookie Rules
• EU Data Protection Directive
• APEC
• USA PATRIOT ACT
• Supplier Relationships
• NIST

Focus on Several Items

• Social Media
• Breach
• Privacy Developments from the EU

Terminology

Personal - “of, relating to, or affecting a particular person: private, individual <personal ambition> <personal financial gain>” (Webster)

Personal Information (PI) - data of, relating to, or affecting a particular person

Personally Identifiable Information (PII) - data that can be tied to a unique person, some of which has obtained defined legal protection (information relating to an identified or identifiable individual)

Privacy

• Privacy laws focus on the collection, use, and disclosure of personal information
• Security is the means by which we safeguard information against unauthorized acquisition, use, disclosure, alteration, destruction
• Security is necessary to maintain privacy, but . . .
• Security alone will not maintain privacy (e.g., notice, consent, retention)
• Security may conflict with privacy (e.g., national security, employee monitoring)


Security

• Data security is concerned with safeguarding all data, not just PII

• The security obligations global businesses must address are complex and often inconsistent

• Addressing them can be challenging to individuals responsible for technical, physical and administrative security

Social Media

NLRB Actions

9/7/12 NLRB decision invalidated Costco Wholesale Corporation’s electronic posting rule, finding:
• The rule prohibited employees from making statements that “damage the Company, defame any individual or damage any person’s reputation.”
• Costco’s policy was overly broad: “the rule would reasonably tend to chill employees in the exercise of their [NLRA] Section 7 rights”.

• 9/20/12 ALJ struck down EchoStar Corporation’s policy prohibiting employees from making disparaging comments about it on social media sites.
• The NLRB judge found that the prohibition, as well as a ban on employees using social media sites with company resources or on company time, chilled employees’ exercise of their rights under Section 7 of the National Labor Relations Act (“NLRA”).

Geo-Location

Location, location, location: use of location information to make offers; collected by some apps even if not needed. It is being considered sensitive data in some circles, especially as it relates to children, which leads us to the next topic.

COPPA

A proposed update to COPPA is pending. Under COPPA, website operators need to give parents notice of their information practices. The proposed revisions are intended to ensure parents will get key information in a succinct “just in time” fashion, and not in a lengthy “who has time?” privacy policy. The proposal also updates the ways businesses can get the verifiable parental consent they need before collecting kids’ information, plus other measures.

Digital Afterlives

Call For Federal Law To Safeguard 'Digital Afterlives' On Social Media

“Virtually no law regulates what happens to a person's online existence after his or her death,” he said. “This is true even though individuals have privacy and copyright interests in materials they post to social networking sites.” [1]

[1] http://www.newsroomamerica.com/story/302710.html

Social Media Passwords

On September 27, 2012 California Governor Jerry Brown signed twin social media privacy bills prohibiting universities and employers from requiring that applicants give up their email or social media account passwords. [2]

[2] http://latimesblogs.latimes.com/california-politics/2012/09/gov-jerry-brown-tweets-social-media-privacy-bills.html

See also Maryland and Illinois.

OBA – Online Behavioral Advertising

Congress has held hearings and the FTC has held workshops. Several organizations, the IAB (Interactive Advertising Bureau), DMA (Direct Marketing Association), BBB (Better Business Bureau), AAAA (American Association of Advertising Agencies) and ANA (Association of National Advertisers), are attempting to fend off legislation through self-regulation.

Government Contracts

Government contractors soon may be compelled to protect against the compromise of information that is resident on their network and computer systems. The Federal Acquisition Regulatory Council (FAR Council) issued on August 24 a proposed rule on “Basic Safeguarding of Contractor Information Systems”. 77 Fed. Reg. 51,495 (Aug. 24, 2012). The proposal would add a new FAR subpart and contract clause requiring small and large contractors, including commercial items contractors, to employ basic security measures to protect information from unauthorized disclosure, loss, or compromise. [3]

[3] http://www.gpo.gov/fdsys/pkg/FR-2012-08-24/pdf/2012-20881.pdf


Cybersecurity Executive Order

• An interagency review of an executive order implementing new cybersecurity policies affecting both federal agencies and critical infrastructure in the private sector is under way.

• No timetable as to when the order would be issued.

Hackers Try to Infiltrate White House Computers

• Hackers try to infiltrate the White House’s computer system, including ones with access to nuclear information.
• Classified as a “spear phishing” attack

Facial Recognition

• Facial recognition technology adopted in a variety of contexts, ranging from online social networks to digital signs and mobile apps.
• Focus on the current and future commercial applications of facial detection and recognition technologies
• Is facial recognition software good only for identification purposes (as opposed to verification)?
• Verification (or authentication) requires 100% accuracy whereas identification, for many applications, need not be absolutely correct all the time.
• Increasingly used by law enforcement.

BYOD

Issues:
• Who owns the information?
• What are the rights of the individual?
• What about comingled information on privately owned devices?
• Are there employee agreements to the rules?
• What is the impact on security, the ability to conduct internal investigations, the confidentiality of information, e-discovery and litigation?

License Plate Scanners

• Scanners can read 60 license plates per second
• Match observed plates against a "hot list" of wanted vehicles, stolen cars, or criminal suspects.
• Retain license plates, dates, times, and locations of all cars seen in law enforcement databases for months or even years at a time
• Cameras run constantly, looking for hot listed plates.
• The system sends automated alerts directly to officers' in-car and in-office computers and to the Sheriff's communications desk. [4]

[4] http://arstechnica.com/tech-policy/2012/09/your-car-tracked-the-rapid-rise-of-license-plate-readers/

Health Information: Updated NIST Publications

HHS/OCR risk analysis guidance references certain NIST publications. NIST has recently updated several publications:
• Special Publication 800-30 Revision 1 focuses on risk assessments, step one in the risk management process [5]
• Special Publication 800-39 takes over the “big picture” view of the overall four-step Risk Management process [6]
• Special Publication 800-53 Revision 3 Final, Recommended Controls for Federal Information Systems and Organizations, is also invoked. [7]

[5] http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
[6] http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
[7] http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

Medical Devices

Certain medical devices have become increasingly complex, and the growing use of wireless technology in these devices has raised concerns about how protected they are against information security risks that could affect their safety and effectiveness. In a recent report, GAO: [8]
• identified the threats, vulnerabilities, and resulting information security risks associated with active implantable medical devices,
• determined the extent to which FDA considered information security during its premarket review of certain devices with known vulnerabilities, and
• determined what postmarket efforts FDA has in place to identify information security problems.

[8] http://gao.gov/assets/650/647767.pdf

SEC Disclosures

The Division of Corporation Finance has issued guidance [9] on its views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

[9] http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

Real “Spy”ware

Charges outlined in the FTC’s lawsuits [10] against a software business and seven rent-to-own companies assert that the software on rented computers gave the companies the ability to hit the kill switch if people were behind on their payments. But according to complaints filed by the FTC, it also let them collect sensitive personal information, grab screen shots, and take webcam photos of people in their homes.

[10] http://ftc.gov/opa/2012/09/designware.shtm

Breach

PII

As of October 3, the Privacy Rights Clearinghouse database lists:
• 563,653,911 records from 3408 data breaches made public from 2005 to October 3, 2012
• 19,344,474 records in their database from 534 breaches made public so far in 2012 [11]

Breaches Affecting 500 or More Individuals

Section 13402(e)(4) of the HITECH Act requires HHS posting of a list of breaches of unsecured protected health information affecting 500 or more individuals. [12]

[11] http://www.privacyrights.org/data-breach/new
[12] http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

Statistics

The Verizon 2012 Data Breach Investigations Report indicates:
• 855 incidents resulting in 174,000,000 compromised records [13]

According to a study conducted by the National Cyber Security Alliance and security firm McAfee for National Cyber Security Awareness month, 25% of Americans have received a notification by a business, online service provider, or organization that personal information such as passwords or credit card numbers was subject to a data breach. [14]

[13] http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
[14] https://blogs.mcafee.com/consumer/online-safety-survey2012

What is a Privacy Breach?

Can relate to two situations:
• The unauthorized access to or acquisition of the kind of PII specified by an applicable law (security of PII)
• The failure to live up to obligations made with respect to non-security related aspects of privacy (notice, choice, access, etc.)

What is a Security Breach?

The unauthorized access to or acquisition of anything proprietary:
• Buildings, facilities, other physical plants
• Computer equipment
• Product inventory
• Confidential or secret information
• Trade secrets
• Intellectual property
• Proprietary items
• Financial information
• Data in paper or electronic form
• Personal information of consumers, employees, etc.
• Customer lists

FTC and Consumer Data

• The FTC is empowered through Section 5 of the Federal Trade Commission Act to address:
  – unfair methods of competition in or affecting commerce, and
  – unfair or deceptive acts or practices in or affecting commerce
• As noted earlier, the failure to live up to one’s own privacy policy may be deemed a deceptive practice leading to a privacy breach.
• Also, failing to provide adequate data security may be considered an unfair practice leading to a privacy breach.

Consequences of a breach?

Depending on the nature, sensitivity, type and volume of data or other assets compromised, it may mean:
• Loss of intellectual property
• Increased operating costs
• Possible ID theft
• Organization freeze-up/paralysis
• Legal actions – regulatory and consumer
• Lost business from consumer churn or business termination
• Operating and operational inefficiencies
• Adverse impact on market valuation

Breach Notification Laws

• Designed to help enforce security obligations
  – In theory helps consumers protect themselves
  – Provides government authorities enforcement opportunities
  – Bad PR and breach-associated costs encourage compliance
• Breaches generally triggered by the unauthorized access to, or acquisition of, PI covered by the law
• Other variables affect whether a breach notification law applies, such as:
  – Storage medium involved
  – Use of data encryption

Practical Considerations

• Basic requirements for data protection are surprisingly similar across segments, although details do vary
• The concept of technical, physical and administrative security requirements is almost universal
• The requirement to conduct practical risk assessments of the requirements and vulnerabilities of the organization is also present in many segments and jurisdictions
• Most laws do not specify technical or physical requirements beyond requiring that they be reasonable, appropriate or adequate

Inventory your data/asset

• What is it?
• Where is it?
• Where is it going?
• Will it visit third parties?
• Who needs it to do their work?
• How is it used?
• How is it gathered and shared?
• How is it stored?
• What is its final resting place?
• Will it be gone for good?

Assess Risks/Threats

• Identify all threats within the realm of possibility to the security of the data or asset.
• Consider all sources, whether:
  – Internal
  – External
  – Natural
  – Man-made
  – Innocent
  – Malicious
• Assess the consequences to the organization should the identified threat materialize.
• What is the likelihood of the threat/risk materializing?
• What mitigations are there to counter the risk or recover if it occurs?

Physical Matters

Physical Security includes:
• Facility access controls
  – Locks
  – Alarms
  – Guards
• Safeguarding hard copy documents with PI
  – Locking filing cabinets
  – Clean desk policies
• Securing hardware on which PI is stored
  – Computers
  – Mobile devices
  – Flash drives
  – Modems

Administrative Measures

Technology use policy
• Blogging and social networking, peer to peer file sharing programs, remote access, use of laptops

Security breach notification procedure
• How is unauthorized access or acquisition reported?
• Who is on the immediate response team?

Confidentiality policy
• Does it cover confidential information and personal information?

• Training
• Audit
• Office rules – badging, clear desk and screen locks
• Processes and teams for security incident management
• Downstream controls – contractual and audit controls on data recipients
• Officer, Director, and Employee training

Typical Requirements

• Assign responsibility with accountability to a lead person
• Conduct risk assessments
• Establish comprehensive written policies and procedures
• Train employees
• Evaluate and then supervise service providers
• Execute contracts with service providers
• Provide secure disposal
• Audit
• Create and implement incident response, record retention, and disaster recovery plans

Organization

Dealing with high-level requirements (“reasonable security”)
• Determining what constitutes “reasonable security” is a team effort
• The determination should involve representatives from privacy, IT, legal, physical security, HR/training, and potentially other functions and advisors
• Work to determine what safeguards are necessary based on the specific vulnerabilities of the particular organization (risk analysis), the consequences of a breach and general good security practices.
• Documentation is critical

Be Prepared

Need for breach preparation
• Create an incident response team
• Create and document response procedures
• Communicate regularly
• Seek and obtain senior management support and resource commitment
• Arrange for service providers that will be needed to respond
• Document, document, document

Evaluate Risky Areas

• Collection of information over the Internet and email
• Access to sensitive files by employees and independent contractors
• Dispersed systems, data; duplication (and more) of data
• Access to credit card, health, financial information
• Transmission, storage, and disposal of computerized data, including data contained on disks and hard drives, and equipment disposal
• Data to be transmitted to any third party
• Storage and disposal of paper records
• Data center moves/consolidations
• Transfer and use by service provider/outsourcing
• Mobile computing and employee owned devices
• Logging and monitoring (employees, system access, phones/internet/email)

Technical Measures

Technical Security relates to the protection of electronic information through methods including:
• Access control: unique user ID, auto logoff, need to know
• Monitoring: log-in, movement of ePHI
• Audit: who accessed, how and when modified
• Encryption: at rest (server, laptop, mobile), in transmission
• Authenticating: confirming identity, managing accounts
• Firewalls, anti-virus, and anti-spyware protections
• Changing default settings and thereafter periodically changing the (non-default) IDs and passwords for internet-facing devices

Technical Measures (continued)

• Basic rules for employees
  – Do not email sensitive or special PI
  – Do not access more than that which is needed
  – Create and use secure documents
  – Use passwords
• System deployment and approval processes – what needs to happen before you flip the switch
• Eliminate unnecessary data and keep tabs on what is left
• Monitor and mine event logs
• Ensure essential controls are met: regularly check they remain so
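The Technical Measures slides list access control on a need-to-know basis, monitoring of log-ins and movement of ePHI, auditing who accessed what, and mining event logs. The following script is an added example, not part of the original deck or of Privacy Associates International's material; it shows what "mining event logs" for those controls can look like in practice. The log format, the role directory, the need-to-know table, the business-hours window and the sample log lines are all constructed for this illustration.

```python
"""Review an access log for the controls named in the Technical Measures slides:
need-to-know access, ePHI movement, after-hours activity and repeated failed
log-ins.  Everything below (format, roles, thresholds, sample lines) is a
constructed example."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed need-to-know table: which roles may touch each record category.
NEED_TO_KNOW = {
    "ephi": {"clinician", "billing"},
    "payment_card": {"billing"},
    "hr": {"hr"},
}

# Constructed user directory (in practice an export from the identity system).
USER_ROLES = {"alice": "clinician", "bob": "billing", "carol": "marketing", "dave": "hr"}

# Constructed window outside of which record access is flagged for review.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass
class Event:
    ts: datetime
    user: str
    action: str       # login, view, modify, export
    category: str     # ephi, payment_card, hr, or "-" for log-ins
    record: str
    ok: bool          # result=ok / result=fail


def parse_line(line: str) -> Event:
    """Parse one 'key=value key=value ...' line of the constructed log format."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event(
        ts=datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S"),
        user=fields["user"],
        action=fields["action"],
        category=fields.get("category", "-"),
        record=fields.get("record", "-"),
        ok=fields.get("result", "ok") == "ok",
    )


def review(lines, failed_login_threshold=3):
    """Return a list of (rule, event) findings; one event may trigger several rules."""
    findings = []
    failed = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev.action == "login":
            # Monitoring: log-in.  Count consecutive failures per user.
            if ev.ok:
                failed[ev.user] = 0
            else:
                failed[ev.user] += 1
                if failed[ev.user] == failed_login_threshold:
                    findings.append(("repeated_failed_login", ev))
            continue
        role = USER_ROLES.get(ev.user)
        if role is None:
            # Audit: an account touching records that is not in the directory.
            findings.append(("unknown_user", ev))
            continue
        # Access control: need to know.
        if role not in NEED_TO_KNOW.get(ev.category, set()):
            findings.append(("no_need_to_know", ev))
        # Monitoring: movement of ePHI out of the system.
        if ev.action == "export" and ev.category == "ephi":
            findings.append(("ephi_movement", ev))
        # Audit: when the access happened.
        start, end = BUSINESS_HOURS
        if not (start <= ev.ts.time() <= end):
            findings.append(("after_hours", ev))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick daily report."""
    return Counter(rule for rule, _ in findings)


# Constructed sample log: one clean access, one need-to-know violation, one
# after-hours ePHI export, an unknown account, and three failed log-ins.
SAMPLE_LOG = [
    "ts=2012-10-03T09:12:01 user=alice action=view category=ephi record=pt-1001",
    "ts=2012-10-03T09:15:44 user=carol action=view category=ephi record=pt-1001",
    "ts=2012-10-03T22:40:10 user=bob action=export category=ephi record=pt-2002",
    "ts=2012-10-03T10:01:00 user=mallory action=view category=hr record=emp-77",
    "ts=2012-10-03T11:00:00 user=dave action=login result=fail",
    "ts=2012-10-03T11:00:20 user=dave action=login result=fail",
    "ts=2012-10-03T11:00:41 user=dave action=login result=fail",
    "ts=2012-10-03T11:05:00 user=dave action=modify category=hr record=emp-77",
]

if __name__ == "__main__":
    for rule, ev in review(SAMPLE_LOG):
        print(f"{rule:22s} {ev.ts} {ev.user} {ev.action} {ev.category} {ev.record}")
    print(summarize(review(SAMPLE_LOG)))
```

Each rule maps back to one bullet on the slides, and the findings are deliberately kept as events rather than verdicts: whether Bob's late-night export was a legitimate billing run is a question for the audit step ("who accessed, how and when"), which this review only makes visible.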

European Data Protection Directive

The European Data Protection Laws Have Been a Compliance Headache for Companies Around the World

Proposed New Data Protection Regulation

The Good News

DIRECTIVE

REGULATION

Significantly Increased Fines and Penalties

Consent Narrowed

Data Breach Notification

Right to Be Forgotten

Data Minimization

Accountability

Mandatory Data Privacy Officer

Companies Outside Europe Potentially Subject to the Regulation

Status of Regulation

European Union: Cloud Computing

European Commission Supports Cloud Computing

The European Commission has announced that it will draft model contract terms that organizations could use in cloud computing contracts and service level agreements. In a document entitled “Unleashing the Potential of Cloud Computing in Europe”, the European Commission stated that it “aims at enabling and facilitating faster adoption of cloud computing throughout all sectors of the economy”. [16]

[16] http://ec.europa.eu/information_society/activities/cloudcomputing/docs/com/com_cloud.pdf

Questions?

Keith A. Cheresko
Privacy Associates International LLC
[email protected]
(248) 535-2819

Contact Information

Keith A. Cheresko
Privacy Associates International LLC
[email protected]
(248) 535-2819

Robert L. Rothman
Privacy Associates International LLC
[email protected]
(248) 880-3942