1. GSBlaw.com DATA SECURITY: LEGAL LANDSCAPE AND BEST PRACTICES November 16, 2011 Scott G. Warner sgwarner@gsblaw.com Garvey Schubert Barer Seattle, Portland, Washington D.C., New York, Beijing

2. GSBlaw.com 2 Overview Why you should care Context of US data security State and Federal patchwork Data breach laws Best practices

3. GSBlaw.com 3 Why should you care? As a company doing business in the US you will need to comply Your business partners will require that you comply If you don’t comply, you are exposed to risk: claims and fines –$10 Million in penalties in ChoicePoint The average cost of dealing with data breaches –$7.2 Million per breach Damage to brand and loss of customers

4. GSBlaw.com 4 Context for US Rules 1973 Department of Health Education and Welfare: Records, Computers and the Rights of Citizens –No secret personal data record-keeping –Right to know what information is collected and how it is used –Right to prevent multi-purpose use –Right to correct or amend records –Assurance of reliability –Prevent misuse Adopted by OECD Endorsed by Dept. of Commerce in 1981

5. GSBlaw.com 5 No Unified Rule – A Patchwork Silos –Financial information –Healthcare –Children Focus is on access not collection

6. GSBlaw.com 6 Applicable Law Federal –Privacy Act –Federal Information Security Management Act –Veterans Affairs Information Security Act –Health Insurance Portability and Accountability Act (HIPAA); Health Information Technology for Economic and Clinical Health Act (HITECH) –Gramm-Leach Bliley (GLB) –Children’s Online Privacy Protection Act (COPPA) –FTC Act

7. GSBlaw.com 7 Patchwork (Con’t.) –Fair Credit Reporting Act (FCRA); Fair and Accurate Transactions Act (FACTA) –Sarbanes Oxley (SOX) State –Privacy Policy –State Privacy Acts –Common Law –Contract

8. GSBlaw.com 8 Unifying Theme: Manage and Protect Data Problem: –22.4 Million sensitive records breached as of June 2011 –$7.2 Million per data breach event Data Breach Laws –Federal –46 States –Requirements –Private right of action; penalties

9. GSBlaw.com 9 Data Breach Obligations Breach: Unauthorized access to/acquisition of personal information. Notice to each individual whose personal information was disclosed. –Personal information: first name/initial and last name plus another personal identifier (e.g. soc security number, driver’s license, account number). Some states also cover medical and health insurance information, employer taxpayer id, or biometric data. –Electronic or hard copy

10. GSBlaw.com 10 Data Breach Obligations (Con’t.) Exceptions –Encrypted –Investigation indicates identity theft is not likely to result Timing of notice –Most expedient time possible and without undue delay –Some states establish times for notice: 45 days after discovery of the breach; California 10 days. Form of notice –Written notice, electronic notice, telephonic notice –Substitute notice: email + statewide media + posting

11. GSBlaw.com 11 Data Breach Obligations (Con’t.) Content of notice –Incident in general terms –Type of information obtained –Telephone number for additional information –Contact number for credit reporting agencies –Advice to monitor accounts and credit reports Notice to third parties –Notice to state agencies and/or credit reporting agencies

12. GSBlaw.com 12 Best Practices Before data breach –Develop policies and procedures for handling data –Conduct training –Collect the minimum necessary and retain it for the minimum amount of time –Inventory records and devices that contain data

13. GSBlaw.com 13 Best Practices (Con’t.) Classify data by sensitivity Employ physical and technological safeguards, e.g. access controls, incident logging, etc. Limit the number of mobile devices that contain data and the number of people with access to them Do not use personal data in testing Use encryption De-identify data

14. GSBlaw.com 14 Best Practices (Con’t.) Dispose of records and devices that contain data securely Audit systems to understand vulnerabilities; Monitor Require service providers to comply –Require remediation plan –Indemnity –Audit rights

15. GSBlaw.com 15 Best Practices (Con’t.) After the breach –Contain the breach –Engage response team –Analyze the breach –Determine legal requirements and manage to highest requirement –Contact insurance –Develop communications plan –Prepare for litigation, e.g. litigation hold –Perform assessment against your plan

16. GSBlaw.com 16 Resources “Protecting Personal Information: A Guide for Business”, FTC: www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf “Security Breach Notification Laws” NCSL: www.ncsl.org/Default.aspx?TabId=13489 www.ncsl.org/Default.aspx?TabId=13489 “Chronology of Data Breaches”, Privacy Rights Clearinghouse: www.privacyrights.org/data-breachwww.privacyrights.org/data-breach “U.S. Cost of a Data Breach”, Ponemon: www.symantec.com/about/news/resources/press_kits/d etail.jsp?pkid=ponemon www.symantec.com/about/news/resources/press_kits/d etail.jsp?pkid=ponemon

17. GSBlaw.com 17 Resources (Con’t.) “Guide to Protecting the Confidentiality of Personally Identifiable Information”, NIST: csrc.nist.gov/publications/nistbul/april-2010_guide- protecting-pii.pdf csrc.nist.gov/publications/nistbul/april-2010_guide- protecting-pii.pdf “Best Practices in Data Protection”, Ponemon: http://www.ponemon.org/blog/post/best-practices-in- data-protection-study-released http://www.ponemon.org/blog/post/best-practices-in- data-protection-study-released “Recommended Practices on Notice of Security Breach Involving Personal Information” California Office of Privacy Protection: www.privacy.ca.gov/res/docs/pdf/secbreach.pdf www.privacy.ca.gov/res/docs/pdf/secbreach.pdf

18. GSBlaw.com TAX AND LEGAL CONSIDERATIONS ASSOCIATED WITH OPERATING A DATA STORAGE AND SECURED SYSTEMS BUSINESS November 16, 2011 Gary P. Tober gtober@gsblaw.com Garvey Schubert Barer Portland, Oregon, and Seattle, Washington

19. GSBlaw.com 19 Tax and Legal Considerations Associated With Operating a Data Storage and Secured Systems Business I.Tax Considerations II.Sources of Legal Liability III.Contract Strategies 2

20. GSBlaw.com 20 I.Tax Consideration A.Nexus 1.Permanent Establishment a.“Fixed place of business through which the business of an enterprise is wholly or partly carried on” 2.PE Applied to Electronic Commerce a.Website – not fixed to a physical place b.Server – located at a physical place and can be viewed as a fixed place of business 3

21. GSBlaw.com 21 I.Tax Consideration (Con’t.) B.Characterization of Revenue 1.How is revenue from electronic commerce characterized? C.Deduction of Expenses 4

22. GSBlaw.com 22 II. Sources of Legal Liability A.International Privacy Laws and National Breach Laws 1.Supra-national organizations 2.National laws B.Third Party Sources of Risk 1.Data hosts, processors, advertisers, marketing partners, etc. 5

23. GSBlaw.com 23 III. Contract Strategies A.Notice 1.Immediate notification of any actual, probable or reasonably suspected breach of security B.Cooperation 1.Assistance in investigating, remedying, etc. C.Standard of Care D.Indemnity 1.Any failure to comply with a contractual obligation 6

24. GSBlaw.com 24 III. Contract Strategies (Con’t.) E.Limitation of Liability 1.Exclusion of indirect and consequential damages F.Arbitration 7