
Slide 1: Privacy and Security: Practical and Sensible Advice
Chuck Schwab, Special Counsel, Cooley LLP, and Karin Lindgren, General Counsel, Reed Group
© 2012 Cooley LLP, Five Palo Alto Square, 3000 El Camino Real, Palo Alto, CA 94306. The content of this packet is an introduction to Cooley LLP's capabilities and is not intended, by itself, to provide legal advice or create an attorney-client relationship. Prior results do not guarantee future outcome.

Slide 2: Topics to Cover Today
- Breach notification laws: planning for and responding to a security breach
- Information security requirements for customer and employee data
- Collection, use, and disclosure of information about customers and employees
- International issues

Slide 3: Breach Notification Laws
- Progenitor: California's "SB 1386"
- Identity theft is the driver
- No federal "data breach law", although several bills are still before Congress:
  - Personal Data Privacy and Security Act of 2011 (S. 1151) (Senators Leahy (D-VT), Schumer (D-NY) and Cardin (D-MD)) (last action: written report filed by the Committee on Commerce, Science and Transportation, November 2011)
  - Data Security and Breach Notification Act of 2011 (S. 1207) (Senators Pryor (D-AR) and Rockefeller (D-WV)) (last action: the Committee on Commerce, Science and Transportation scheduled two mark-ups in fall 2011, both of which were indefinitely postponed)
  - Data Breach Notification Act of 2011 (S. 1408) (Senator Feinstein (D-CA)) (last action: Committee on the Judiciary hearing in October 2011, from which no written report has resulted)

Slide 4: Breach Notification: Patchwork State Laws
- Instead of one uniform federal law (like the FCRA), businesses must undertake the complex task of monitoring all state statutes:

  Alaska: Alaska Stat. § 45.48.010 et seq.
  Arizona: Ariz. Rev. Stat. § 44-7501
  Arkansas: Ark. Code § 4-110-101 et seq.
  California: Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
  Colorado: Colo. Rev. Stat. § 6-1-716
  Connecticut: Conn. Gen. Stat. § 36a-701b
  Delaware: Del. Code tit. 6, § 12B-101 et seq.
  District of Columbia: D.C. Code § 28-3851 et seq.
  Florida: Fla. Stat. § 817.5681
  Georgia: Ga. Code §§ 10-1-910, -911
  Hawaii: Haw. Rev. Stat. § 487N-2
  Idaho: Idaho Stat. §§ 28-51-104 to 28-51-107
  Illinois: 815 ILCS 530/1 et seq.
  Indiana: Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq.
  Iowa: Iowa Code § 715C.1
  Kansas: Kan. Stat. §§ 50-7a01, 50-7a02
  Louisiana: La. Rev. Stat. § 51:3071 et seq.
  Maine: Me. Rev. Stat. tit. 10 §§ 1347 et seq.
  Maryland: Md. Code, Com. Law § 14-3501 et seq.
  Massachusetts: Mass. Gen. Laws § 93H-1 et seq.
  Michigan: Mich. Comp. Laws § 445.72
  Minnesota: Minn. Stat. §§ 325E.61, 325E.64
  Mississippi: 2010 H.B. 583 (effective July 1, 2011)
  Missouri: Mo. Rev. Stat. § 407.1500
  Montana: Mont. Code §§ 30-14-1704, 2-6-504
  Nebraska: Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
  Nevada: Nev. Rev. Stat. §§ 603A.010 et seq., 242.183
  New Hampshire: N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
  New Jersey: N.J. Stat. § 56:8-163
  New York: N.Y. Gen. Bus. Law § 899-aa
  North Carolina: N.C. Gen. Stat. § 75-65
  North Dakota: N.D. Cent. Code § 51-30-01 et seq.
  Ohio: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
  Oklahoma: Okla. Stat. § 74-3113.1 and §§ 24-161 to -166
  Oregon: Or. Rev. Stat. § 646A.600 et seq.
  Pennsylvania: 73 Pa. Stat. § 2303
  Puerto Rico: 10 Laws of Puerto Rico § 4051 et seq.
  Rhode Island: R.I. Gen. Laws § 11-49.2-1 et seq.
  South Carolina: S.C. Code § 39-1-90
  Tennessee: Tenn. Code § 47-18-2107, 2010 S.B. 2793
  Texas: Tex. Bus. & Com. Code § 521.03, Tex. Ed. Code § 37.007(b)(5) (2011 H.B. 1224)
  Utah: Utah Code §§ 13-44-101, -102, -201, -202, -310
  Vermont: Vt. Stat. tit. 9 § 2430 et seq.
  Virgin Islands: V.I. Code § 2208
  Virginia: Va. Code § 18.2-186.6, § 32.1-127.1:05 (effective January 1, 2011)
  Washington: Wash. Rev. Code §§ 19.255.010, 42.56.590
  West Virginia: W.V. Code §§ 46A-2A-101 et seq.
  Wisconsin: Wis. Stat. § 134.98 et seq.
  Wyoming: Wyo. Stat. §§ 40-12-501 to -502

Slide 5: Patchwork: Most States
- 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
- States with no security breach notification law: AL, KY, NM, and SD.
- 29 states (AK, AZ, AR, CA, CO, CT, GA, HI, IL, IN, KS, KY, MS, MS, MI, MO, MT, NV, NJ, NY, NC, OR, RI, SC, TX, UT, VT, WA, and WI) have laws requiring encryption and secure disposal of personal information held by businesses and/or government.
- Every state has a law criminalizing identity theft.

Slide 6: Patchwork: Commonalities
- What is covered:
  - Personal information requires last name and first initial plus at least one more data element that could lead to loss (e.g., Social Security number, driver's license number, credit or debit card number, or bank account number and access code)
  - Includes employee and customer information
- Most states have an exemption for encrypted data:
  - Only IN, NYC, WY and DC lack an encryption safe harbor
  - MS, NH, OK, OR, and TX require notice if encrypted data is breached along with the encryption key (so the safe harbor is only as good as the custody of the key)
  - Several states require notice to the Attorney General even if the data is encrypted

Slide 7: Breach Notice: Timing and Scope
- Planning for a breach is essential; response time is mandated by law:
  - In all states except CA, GA, ID, and IL, discovery of a suspected breach triggers an immediate requirement to investigate, and notification is only required if the investigation determines that there is a reasonable risk of identity theft or loss
  - In CA, GA, ID, and IL, the notification requirement is triggered upon discovery
  - Once triggered, notification must be provided "as expediently as possible and without unreasonable delay", unless disclosure would impede a law enforcement investigation
  - Several states require immediate disclosure to the Attorney General (within 24 hours of discovery)
  - Notice must typically be in writing and sent to each individual victim, but a small number of states allow substitute notice in the case of a large breach

Slide 8: Breach Notice: Content
- Content of the notice:
  - General description of the incident
  - Type of information breached
  - Toll-free numbers and addresses of the three nationwide consumer reporting agencies (NCRAs)

Slide 9: Breach Notice: Penalties and Costs
- Penalties for failure to provide breach notification:
  - Administrative fines vary state by state, ranging up to $500,000 in certain states
  - Actual damages to each affected victim
- Costs and expenses associated with a breach:
  - Costs of investigation
  - Production and mailing costs for notification letters
  - Cost of a period of credit monitoring service for affected victims (typically about $75-$125 per person)
  - Reputational costs

Slide 10: Other Breach Notification Laws
- FTC's Red Flags Rule: requires financial institutions and "creditors" to have an identity theft prevention program; notification is an option
- HIPAA: affects covered entities and business associates, requiring employers, for example, to:
  - Notify major media outlets and HHS if a breach involves 500 or more plan participants
  - Notify affected individuals within 60 days of becoming aware of the breach
- GLBA: applies to financial institutions

Slide 11: Information Security: Why?
- Confidential information is critical to the success of the business
- Protection of valuable intellectual property is essential to maintain legal rights (e.g., trade secret protection)
- To further the business, employees must have access to confidential information and must create IP
- Employers have legal obligations to keep certain information confidential
- Legal requirements

Slide 12: Information Security Regulations
- FTC Act
  - Unfairness: failure to maintain adequate and appropriate security measures
  - Deception: false or misleading statements (e.g., claiming data is "100% safe")
- Original California SB 1386
- State data security laws (10+ states)
  - "Reasonable" safeguards
  - Sensitive data:
    - Social Security number
    - Driver's license number
    - Financial account information
    - Credit card number

Slide 13: InfoSec Regulations: A Higher Bar
- Massachusetts
  - Covers sensitive data
  - Mandates a security program
  - Safeguards require encryption
  - Policies
  - Training
  - Monitoring
- Some states require encryption for transmission (Nevada)
- Data destruction
  - 23+ states, FCRA
  - "Reasonable steps" to destroy sensitive data (or all data for CA, CT, KY)

Slide 14: Other InfoSec Regulations
- HIPAA Security Rule
  - Information security program
  - Administrative, technical, and physical safeguards
  - Data breach notification
- GLBA Safeguards Rule: information security program
  - Administrative, technical, and physical safeguards
  - Scaled to the size and complexity of the organization
  - Scaled to the sensitivity of customer information
  - Designate employees to coordinate the program
  - Identify risks and the sufficiency of safeguards
- Red Flags Rule: implement a program to detect, prevent, and mitigate identity theft

Slide 15: InfoSec Policies
- Diamonds vs. toothbrushes: not every data type warrants the same protection
- Written InfoSec policy
  - Identify security risks and identity theft risks
  - Reasonable approach to security risk vectors
  - Graduated treatment of data types
- Establish a "Privacy/InfoSec Officer"
- Establish technical controls on data: access, transmission
- Maintain technical vigilance: apply security patches within a reasonable time
- Annual policy/risk review
- Train at least key people

Slide 16: Consumer Privacy: Federal
- Customer vs. consumer
- FTC Act: unfair or deceptive practices
  - Notice: disclosures of what, who (x2), how (x2)
  - Choice: secondary uses, disclosures, opt-out or opt-in
  - Access: access to data, correction
- Behavioral tracking
- TCPA
  - Junk fax, Do Not Call, SMS
- CAN-SPAM
  - Disclosures for promotional emails
  - Opt-out

Slide 17: Consumer Privacy: California
- California Online Privacy Protection Act
  - Post a policy
  - Identify:
    - Information collected
    - Third parties with whom you share the information
- California "Shine the Light"
  - Disclosures about sharing with third parties for their marketing purposes
  - Consumer right to opt out or to receive information about those third parties
- California Song-Beverly Act
  - Prohibits collection of PII that is not on the credit card, including zip code
  - Applies to online transactions?
- Spyware laws: track data

Slide 18: Employee Privacy
- FCRA
  - Applies to reports prepared by a third party that regularly assembles or evaluates credit or other information on a consumer (a "consumer reporting agency")
  - Covers any inquiry for employment purposes bearing on an individual's "credit, general reputation, personal characteristics, or mode of living"
  - Criminal history checks, credit checks, sex offender registry, motor vehicle record checks, employment and education verification
  - Requires a permissible purpose to access
- State "mini-FCRAs"
- Credit check laws
- Anti-discrimination laws
- Genetic Information Non-Discrimination Act of 2008 (GINA)

Slide 19: FCRA Process
- Provide notice and obtain authorization before procuring a background check report
- Before taking adverse action or making a risk-based pricing decision, provide notice, including a copy of the report and the FTC summary of rights
- Wait 5 days before taking final action
- Deliver the final adverse action or risk-based pricing notice

Slide 20: Social Network Checks
- Establish policies on when social media checks will be conducted, by whom, at which sites, for what information, and how that information will be evaluated
- Include social checks by third-party vendors in your FCRA compliance program
- Social checks by the employer's own staff are not subject to FCRA
- Be careful about asking or coercing an employee or applicant to provide social media password(s), or fraudulently or coercively gaining access to a network
- Be careful about taking adverse action against an employee for comments on social media (they could be protected by state law or NLRB rules)

Slide 21: Employees: Practical Pointers
- Contracts
  - Require employees to sign proprietary information agreements; define "confidential information"
  - Require job applicants to sign non-disclosure agreements
- Handbooks/policies: the privacy expectation is key
  - Adopt electronic data and computer use policies
    - Employer-allowed use of email and computers
    - Employer ownership of all data on work computers
    - Limit personal use
    - Employee consent to monitoring and inspection
  - Restrictions on social media use?

Slide 22: International
- EU spam laws
  - Opt-in, with some existing business relationship (EBR) exceptions
- Canadian spam law
  - Expecting regulations
  - All electronic messages (not just email)
  - Explicit or implied (including EBR) consent
  - Heavy fines (C$220/message, D&O exposure)
- Cookie directive
  - The Sound and the Fury
  - Waiting for industry solutions

Slide 23: International (2)
- EU Directive
  - Expectation of compliance is growing
- Model contracts
  - Processor
  - Controller
- Safe Harbor
  - 7 principles: Notice, Choice, Onward Transfer, Access, Security, Data Integrity, Enforcement
  - Two toughies: Onward Transfer, Enforcement
- BCRs (Binding Corporate Rules)
- EU Regulation on the horizon
  - You don't even want to know
  - ~2 years away

Slide 24: Questions?
For more information contact: Chuck Schwab. Sign up for Alerts at
