Workplace Data Breach Challenges:
Navigating Notification Requirements,
Employee Monitoring and BYOD Programs
Structuring Policies to Prevent and Respond to Leaks of Sensitive, Regulated or Proprietary Data
WEDNESDAY, JULY 30, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Presenting a live 90-minute webinar with interactive Q&A
Today’s faculty features:
V. John Ella, Shareholder, Jackson Lewis, Minneapolis
Brent E. Kidwell, Partner, Jenner & Block, Chicago
Joseph J. Lazzarotti, Shareholder, Jackson Lewis, Morristown, N.J.
WORKPLACE DATA BREACH CHALLENGES: NAVIGATING NOTIFICATION REQUIREMENTS, EMPLOYEE MONITORING, AND BYOD PROGRAMS
Disclaimer
This presentation provides general information regarding its subject and
explicitly may not be construed as providing any individualized advice
concerning particular circumstances. Persons needing advice concerning
particular circumstances must consult counsel concerning those
circumstances.
Workplace Data Breach Challenges
• Employee Monitoring, BYOD programs, and
Navigating Notification Requirements.
― Employee Monitoring
V. John Ella
― BYOD Programs
Brent E. Kidwell
― Navigating Notification Requirements
Joseph J. Lazzarotti
Protecting Data
• Trade Secrets
• Personally identifiable information (PII)
• Protected health information (PHI)
• Financial information
• Business plans
• Customer and client data
• Employee data
Steps to Control Access to Employee and Customer/Client Data
• Confidentiality/non-disclosure agreements
• Passwords, encryption, firewalls
• Policies and procedures
• Limited access
• Training
• Monitoring
ALLOWABLE EMPLOYEE MONITORING
Employee Monitoring
• Reasons to monitor
• Avoid harassment claims
• Protect trade secrets
• Detect and dissuade improper behavior
• Ensure productivity
• Not a reason to monitor
• Prurient curiosity
Employee Monitoring
• Requirements to Monitor
• FTC guidance regarding endorsements
• FINRA requirements
• Child pornography reporting requirements
• Electronic discovery
Employee Monitoring
• Types of Monitoring
• Internet use
• Keystroke/keylogging
• Cached files
• Saved passwords on computers
• Video
• Audio
• GPS
• RFID
• Social media
• Physical searches
THINGS TO CONSIDER
“A growing number of companies are under pressure to
protect sensitive data — and not just from hackers lurking
outside the digital walls. They're also looking to protect it
from insiders — employees who may want to swipe
information such as customer bank account numbers or
electronic medical records.”
Source for this and the following quotations: Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, All Tech Considered, July 23, 2014
New Monitoring Software
“The content could be personal notes about one's family.
Or it could be company secrets. If the employee copies it
to a USB stick, the software sets off a red alert, grabs
that same file and displays its contents in real-time.”
New Monitoring Software
“Managers can't predict when an alleged violation might
happen. SureView lets them rewind to the minutes or
hour before the red alert, and watch like a slow-motion
film. Crouse says the software records four frames per
second and it's very compressed video, but it's very
readable by an investigator.”
New Monitoring Software
“Companies currently use software to block an employee
from copying or emailing an unauthorized document. But
according to a study by the research group Gartner, only 5
percent of that software traces every move, looking for
bad actors. By 2018, the study projects, it'll be 80
percent.”
Bad Consequences?
“Shannon heads an institute at Carnegie Mellon that
specializes in insider threat technologies. He says failures
in these technologies can create a really toxic workplace.
Say I'm poking around a bunch of files, doing research
above and beyond the call of duty. In the old days, no one
would know, or I'd be called proactive.”
Restrictions on Monitoring
• Electronic Communications Privacy Act (ECPA)
• Stored Communications Act (SCA)
• Common law intrusion upon seclusion
• State wiretap acts
• Notice requirements in CT, DE
• Restrictions on disclosure of social media passwords
in 13+ states
Overview of Privacy Law
• Not explicitly in U.S. Constitution
(except searches by the government)
• Almost all states have a common law
tort for “invasion of privacy”
• California and Montana, among other states, have an
explicit state constitutional right to privacy
Overview of Privacy Law
• Federal statutes are often industry-
specific (financial, medical, etc.)
• State legislatures are very busy passing
new privacy statutes
• International law differs
• Technology is challenging all of these
established legal structures
Common Law Privacy
The Restatement, Second, of Torts, Section 652A sets
forth four types of common law invasion of privacy:
• Unreasonable intrusion upon the
seclusion of another;
• Appropriation of the other’s name or
likeness;
• Publication of private facts; and
• Publicity that unreasonably places the
other in a false light before the public.
Electronic Monitoring
• Monitoring work email = usually o.k.
• Using work computer to obtain employee’s
password to personal, cloud-based email account =
usually not o.k.
Employee Monitoring Cases
• Rene v. G.F. Fishers, Inc., 817 F.Supp.2d 1090 (S.D.
Ind. 2011)
• Stengart v. Loving Care Agency, Inc., 990 A.2d 650
(N.J. 2010)
• Pure Power Boot Camp, Inc. v. Warrior Fitness Boot
Camp, LLC, 759 F.Supp.2d 417 (S.D.N.Y. 2010)
Monitoring – Preventive Steps
• Develop a specific, written policy:
• Establish that information systems are the
property of the employer
• Reserve the right to monitor
• Prohibit inappropriate use
• Include penalties for policy violations
Monitoring – Preventive Steps
• Train/educate employees and others
• Keep the monitoring work-related
• Permit reasonable personal use
• Consider additional steps – desktop
statement, posting in common area,
written consent/acknowledgement
Employee Monitoring Issues
Courts will be more inclined to
rule in favor of the employer if:
• Employer owns the “system”
(computer, e-mail, etc.)
• Employee voluntarily uses an
employer’s network
• Employee has consented to be
monitored (usually based in
written personnel policy)
Vendor Agreements
• More than trade secrets and confidential business
information
• Similar to business associate agreement under
HIPAA
• Protects company in case of data breach
Workplace Information Risk
• Legal / Compliance
― HIPAA
― FCRA
― GLBA
― State law
― Litigation
― International
• H.R.
― Information about employees: hiring, testing, monitoring, record retention
― Ensuring compliance by employees
• Workplace information risk
― Smart phones
― Social media
― Monitoring
― BYOD
• Other risk areas shown on the slide
― E-commerce
― Vendors
― Customers
― COPPA
― Data breach
― Confidentiality
― Trade secrets
― Policies
― Agreements
• I.T.
― Passwords
― Data security
― Firewalls
― Technology
Policies
• Electronic communications
• Nondisclosure/confidentiality
• Privacy/Monitoring (notice)
• Sexual harassment
• Social media
• Bring your own device
• Drug testing
• Written information security policy
• Data destruction
• Business associate agreements
• Vendor agreements
BYOD PROGRAMS
Personal / Business
BYOD: “The practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes.”
80% of employees use personal devices for business
But only 53% of organizations officially support BYOD
Scope of BYOD Expanding
Smartphones
Tablets
Laptops
Why BYOD – Perceived Benefits
Individuals
• Choice of devices - flexibility
• Single device for business and personal use
• Modern and “hip” to select own device (particularly important to millennial workforce)
• Enables “cutting-edge” technology
Business
• Reduced hardware and support costs
• Increased employee satisfaction
• Increased productivity
• Increased innovation
• Shifting management and responsibility to employees
Key Legal/Risk Management Issues
• Data Loss, Security and Incident
Response
• Legal/E-discovery
• Internal Investigations
Data Security/Incident Response
• Securing devices (encryption, passwords, etc.)
• Mobile Device Management solutions (MDM)
• Procedures for addressing lost or stolen devices
• Procedures for responding to data loss or breach
• Defining scope of data to be stored on devices, e.g.:
• Allowed to store PHI on device?
• Allowed to store PCI data on device?
• Sandboxing data
• Virtualization
• E.g., Good Technology MDM
iOS 8
Internal Investigations
• Business access to data, even if “personal”
• Where to draw the line
• E.g., personal vs. business phone calls and voicemail
• Monitor user activity on devices
• Location or travel monitoring
• Web browsing activities
• Text messages (which don’t pass through corporate
network)
• Define “personal” vs. “business” use
• Define permissible use by policy
City of Ontario, California v. Quon
• Police officer using a department-supplied pager allegedly sends inappropriate
messages to another officer
• Department reviews the messages on the pager
• City had a general "Computer Usage, Internet and E-mail Policy" that stated
that "[t]he City of Ontario reserves the right to monitor and log all network
activity including e-mail and Internet use, with or without notice," and that
"[u]sers should have no expectation of privacy or confidentiality when using
these resources."
• Supreme Court held that the City’s search of the pager was reasonable and assumed,
but did not decide, that the employee had a reasonable expectation of privacy in the messages
• Fourth Amendment search and seizure case (public employer), but still instructive regarding
workplace privacy issues
• United States Supreme Court, 560 U.S. 746 (2010)
Legal/E-discovery
• Data preservation process (a/k/a legal hold)
• Data collection
• Segregation of personal vs. business data
• Preservation of data – new device or termination
• Requires ACCESS and CONTROL of devices (policy is key)
• Requires procedures and tools to preserve, collect and access
data
Source: http://www.mobileiron.com/en/infographic/trustgap
Risk Management Strategies
• Ignore the risk
• Limit BYOD by data type, device, employee, etc. to contain risk
• Implement technology security controls (e.g., MDM)
• Prohibit BYOD
Possible Elements of a BYOD Policy
• Define who may participate
• Delineate economic issues (reimbursement, etc.)
• Specify device options and minimum requirements
• Allocate responsibility for loss or theft
• Allocate rights and data permissions
• Specify location where data is stored (e.g., local, cloud, etc.)
• Define acceptable use
• List permissible applications
• Allocate responsibility for support
• Specify company ability to monitor activities – expectation of privacy
• Handling data preservation
• Handling employee terminations – remote wiping
Other Potentially Relevant Enterprise Policies
• Acceptable Use Policies
• Employee Conduct
• Remote Access/Remote Working
• Privacy Policy
• Special Data Policies (HIPAA, etc.)
• General Security Policies
• Incident Response
Key BYOD Risk Management Tips
• Develop and implement a BYOD policy
• Enforce and audit compliance with your
BYOD policy
• Know WHAT data resides on BYOD devices
• Know WHERE data resides on BYOD devices (or
related locations)
• Implement technology to assist in device (and
people!) management
Key Drivers of Breach Notification Laws Continue
• Huge Breaches – Target, eBay, Dept. of Energy, the ones not
reported
• Identity Theft Tops 2013 FTC Consumer Complaint List
• 14th Year in a row
• Consumers lost $1.6 billion to fraud in 2013
• Most complaints: Age 20-29
• Most familiar with technology and most at risk
• Technology Outpacing Law
NAVIGATING NOTIFICATION REQUIREMENTS
What Data Privacy and Security Laws Affect Your Company
• There is currently no broadly applicable federal law in the
U.S. - we follow a piecemeal approach:
• HIPAA, GLBA, FCRA, ECPA, SCA, CFAA,
ADA/GINA/FMLA, FISMA, COPPA, FERPA…
• States generally have one or more of the following:
• Affirmative obligations to safeguard (e.g., CA, CT, IL
(biometric information), MA, MI, TX, others)
• Data breach notification (47 states plus some cities)
• Various Social Security number protections
• Data destruction requirements
What Is a Data Breach?
• Unauthorized use of, or access to, records or data containing personal information
― Personal Information (PI) typically includes
― First name (or first initial) and last name in combination with:
― Social Security Number
― Driver’s license or state identification number
― Account number or credit or debit card number in combination with access or security code
― Biometric Information (e.g. NC, NE, IA, WI)
― Medical Information (e.g. HIPAA, AR, CA, DE, MO, TX, VA)
― Username or e-mail address with a password/security question and answer that permits access to an online account (CA and FL).
― Broader view taken by FTC – email address, phone numbers, etc.
― PI typically maintained about?
― Employees…Customers…Vendors
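The "name in combination with a data element" formula above is the first thing a response team has to apply to whatever spilled, and it is easy to get wrong under pressure (a card number without its security code, or a surname list without first names, does not meet the typical definition; CA and FL online credentials need no name at all). The helper below is an added example written for this page, not code from the webinar or its presenters. It encodes only the elements the slide lists, so it is an illustration of the combination rule rather than a statute survey, and the normalised field names it expects (first_initial, ssn, security_code and so on) are a hypothetical vocabulary you would map your own schema onto.

```python
"""Breach-scoping helper: which exposed fields meet a typical statutory
"personal information" definition?

Added example for this page; not from the webinar slides or the presenters.
It encodes only the elements the slide lists (name plus SSN, driver's
license/state ID, or account/card number with an access/security code;
biometric and medical data in the states named; online credentials in CA
and FL). Jurisdictions differ, so treat the output as a triage aid for
counsel, not a conclusion.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical normalised column names (assumption, not from the slides).
FIRST = {"first_name", "first_initial"}
LAST = {"last_name"}
GOV_ID = {"drivers_license", "state_id"}
ACCOUNT = {"account_number", "card_number"}
ACCOUNT_SECRET = {"access_code", "security_code", "pin"}
LOGIN_ID = {"username", "email"}
LOGIN_SECRET = {"password", "security_question_answer"}
FTC_BROAD = {"email", "phone"}  # elements the FTC's broader view treats as PI


@dataclass(frozen=True)
class Trigger:
    element: str      # the data element that was exposed
    scope: str        # where, per the slide, that element counts as PI
    needs_name: bool  # True for the classic "name in combination with" formula


def has_name(exposed: set[str]) -> bool:
    """First name (or first initial) together with last name."""
    return bool(exposed & FIRST) and bool(exposed & LAST)


def candidate_triggers(exposed: set[str]) -> list[Trigger]:
    """Data elements present in the exposed set, before the name test."""
    found: list[Trigger] = []
    if "ssn" in exposed:
        found.append(Trigger("Social Security number", "typical state statute", True))
    if exposed & GOV_ID:
        found.append(Trigger("Driver's license or state ID number", "typical state statute", True))
    # A bare card or account number is not enough; the code that unlocks it must also be exposed.
    if exposed & ACCOUNT and exposed & ACCOUNT_SECRET:
        found.append(Trigger("Account/card number with access or security code", "typical state statute", True))
    if "biometric" in exposed:
        found.append(Trigger("Biometric information", "e.g. NC, NE, IA, WI", True))
    if "medical" in exposed:
        found.append(Trigger("Medical information", "e.g. HIPAA, AR, CA, DE, MO, TX, VA", True))
    # Online credentials stand alone under the CA and FL provisions the slide cites.
    if exposed & LOGIN_ID and exposed & LOGIN_SECRET:
        found.append(Trigger("Username/e-mail with password or security Q&A", "CA and FL", False))
    return found


def classify_exposure(exposed: set[str]) -> dict:
    """Apply the combination rule: report what fired, what was held back only
    because no name was exposed, and what the FTC's broader view would add."""
    name = has_name(exposed)
    candidates = candidate_triggers(exposed)
    return {
        "name_exposed": name,
        "pi_triggers": [t for t in candidates if name or not t.needs_name],
        "elements_without_name": [t for t in candidates if t.needs_name and not name],
        "ftc_broader_view": sorted(exposed & FTC_BROAD),
    }


if __name__ == "__main__":
    # Constructed sample: column headers from a hypothetical spreadsheet e-mailed
    # to the wrong recipient (the "inadvertent email attachment" scenario).
    leaked_columns = {"first_initial", "last_name", "card_number", "email", "phone"}
    report = classify_exposure(leaked_columns)
    print("name exposed:", report["name_exposed"])
    for t in report["pi_triggers"]:
        print("PI trigger:", t.element, "(" + t.scope + ")")
    if not report["pi_triggers"]:
        print("no statutory PI element per the slide's formula: card number lacks its security code")
    print("FTC broader view would also note:", report["ftc_broader_view"])
```

Run it against the real column list from the affected export, not a guess at it; the "elements_without_name" bucket is the one to revisit if a second file in the same incident turns out to carry the names.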
Handling Data Breaches
• How does a “Data Breach” occur?
• The lost laptop/bag
• Inadvertent access
• Data inadvertently put in the “garbage”
• Theft/intentional acts, hacking, phishing attacks, other intrusions
• Inadvertent email attachment(s)
• Stressed software applications
• Rogue employees
• Remote access
• Wireless networks
• Peer to peer networks
• Vendors
Handling Data Breaches
• 3 Critical Phases
• Discovery
• Notification and response process (if needed)
• Review and evaluate to avoid future incidents
Handling Data Breaches
• Discovery: stop the bleeding…first steps
• Dust off your breach response plan – hopefully you have one
• Immediately alert data breach response team, counsel, and
insurance carrier, if applicable
• Take steps to secure information systems, including any and all files
containing customer, employee and other individuals' personal
information that may be at risk
• Coordinate with law enforcement, as needed
• Identify key person to monitor and drive team progress
• Involve top management, public relations
• Make preliminary assessments and consider preliminary actions,
notices
• Consider implementing litigation hold
Handling Data Breaches
• Discovery: did a breach occur?
• Review applicable federal, state and local laws
• FTC/HIPAA/SEC considerations
• Risk of harm trigger…e.g., in Michigan – no notification if “the security
breach has not or is not likely to cause substantial loss or injury to, or
result in identity theft with respect to, 1 or more residents of this state”
• Police investigation/consultation
• Consider whether immediate federal and/or state notification
required/recommended
• Conservative vs. aggressive approach
• Breach involves “risk of harm” states and “non-risk of harm” states
• Notify individuals, but not state agencies
Handling Data Breaches
• Notification and response
• Who must be notified?
• Individuals, children
• Government agency notifications (State Police, AG, HHS, etc.)
• Owners
• Credit reporting agencies
• State-wide media
• What should notice say/who approves?
• Some states require information such as – (i) description of breach in
general terms, (ii) types of personal information involved, (iii) what is
being done to protect data from further security breaches, (iv)
telephone number for notice recipient to obtain assistance, information,
and (v) reminder of the need to remain vigilant for incidents of fraud
and identity theft.
Handling Data Breaches
• Notification and response
• When to deliver
• Without unreasonable delay
• Some states permit delay (i) for a law enforcement investigation,
and (ii) as necessary to determine the scope of the security
breach and restore the reasonable integrity of the database.
• How to deliver
• Writing
• Electronic
• Telephone
• Credit monitoring services
• Optional, consider when appropriate
• Describe in initial letter
Handling Data Breaches
• Notification and response
• Call center/script
• Internal/external
• Escalation process
• Returned mail
• Substitute notice provisions
• Coordinate with vendors
• Review service agreements carefully
• Services agreement should include data security provisions
• Responding to inquiries
• Affected individuals
• Governmental agencies
• Media
• Document, document, document
Handling Data Breaches
• Review and assess
• Why did the breach occur?
• Amend and implement updated policies and
procedures as appropriate, such as training
• Document post-breach considerations and remedial
steps taken, if any.
• Document why breach not reported (see, e.g., FL,
HIPAA)
Other Key Features
• Private Cause of Action
― Some states permit – AK, CA, LA, MD, MN, NH, NC, SC, TN, VA,
WA
• Some states publish notices
― Maryland -
http://www.oag.state.md.us/idtheft/breacheNotices.htm
― New Hampshire - http://www.doj.nh.gov/consumer/security-breaches/index.htm
• Risk of Harm Trigger
― Examples: AK, AZ, AR, CO, CT, DE, FL, HI, ID, IN, IA, KS, KY, LA,
MD, MI, MS, MO, MT, NH, NJ, NC, OH, OK, OR, PA, PR, RI, SC, UT,
VA, WV, WI.
Take-aways!
• Take reasonable steps to prevent breaches
– develop and implement a written
information security program
• Have a data breach response plan
• Educate employees about the plan,
practice the plan, follow the plan
• Be transparent, credible, responsive
• V. John Ella, Jackson Lewis
• Brent E. Kidwell, Jenner & Block
• Joseph J. Lazzarotti, Jackson Lewis