Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security & Privacy Team November 5, 2015

2 The Reality Data and systems security and related privacy issues are critical operational considerations for every organization that: Handles sensitive personal and financial information, including customer and employee information; Uses computer networks to process sensitive information Threats to this data come from every angle: Negligent employees Disgruntled employees or former employees Hackers Organized crime Unethical competitors Terrorist or other rogue organizations Most experts say it’s a matter of “when” not “if” you will be faced with a data breach event.

3 Key Laws & Regulations Laws and regulations exist or are pending in all 50 states: generally data breach notification laws Federal Laws such as Gramm-Leach-Bliley, HIPAA, HITECH Act and Mass. data security regulations require protective steps Generally cover electronic and paper records containing: Name plus one of following: Social Security Number Drivers license or state ID members Account numbers & passwords Health information Financial information Credit card information Other sensitive personally identifiable information Overarching Goal: Protect individuals (primarily) and organizations against identity theft, financial fraud, other related harms No uniform federal statute re: data breach so each state has its own requirements covering its citizens

4 Key Laws & Regulations (cont.) Presidential Executive Order – Feb. 12, 2013 Covers recommendations for cyber security measures for critical infrastructure systems In data protection space, Massachusetts law imposes the most stringent state-level requirements for proactive data protection PCI Standards – payment card security standards – Industry- developed standards European Union Data Privacy Directive The United States “Safe Harbor” has been overruled by the EU legal tribunal Laws and regulations provide a wide range of fines, penalties, civil liability Officers and Directors of public companies and companies in certain regulated industries (healthcare, financial, etc.) could face certain liability for failure to employ mitigation tactics

5 Fundamental Data Protection Requirements HIPAA/HITECH, Mass. Data Security Regulations: Active efforts to protect subject information by: Technical means (encryption, passwords, firewalls, etc.) Physical security (locked doors, swipe cards, storage cabinets, etc.) Administrative procedures (training, written policies or storage, training incident response) Training and education – ongoing Case law also developing around negligence and “reasonable actions” Ongoing process review to maintain the protections Annual review of policies and actions

6 Risk Mitigation Tactics Operational/Administrative Actions Up-to-date technology (encryption, passwords, biometrics, etc.) Technical intrusion testing – external & internal Written information security policy – assessment of risks and protocols for addressing (required by Mass. Statute and HIPAA) Regular training of employees Contractual Protections Contractual – with third parties and own personnel Insurance – your own and vendors Representations and Warranties from Payment and Data Processors Beware the unknowns of “cloud computing” – understand the risks and responsibilities and be very precise in contracts for such services

7 Risk Mitigation Tactics (cont.) Insurance Coverage Insurance coverage is more widely available and cost-effective Key is to work with a broker who understands the space and then review coverage, exclusions and limits closely Policy coverage varies significantly among carriers Key coverage: Data loss Business interruption Breach notification, PR, credit monitoring Employee privacy Defense costs

Questions & Answers