SlideShare a Scribd company logo

Privacy and Data Security: Risk Management and Avoidance

Download as PPT, PDF
A
Amy Purcell

The document discusses data security breach risk management and response planning. It provides statistics on data breaches in 2012, the average costs of breaches, and common types of breaches. It also discusses why a response plan is needed, what constitutes a data security breach under various state laws, and outlines steps to take in responding to a breach, including investigating the incident, understanding notification laws, notifying affected parties, answering inquiries, issuing press releases, and offering assistance.

Technology
Related topics:
Data Privacy Data SecurityData Breach Insights
1 of 50
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
© 2013 Fox Rothschild Privacy and Data Security Risk Management and Avoidance .
Topics For Discussion • Why do you need a response plan? • What is a “data security breach”? • Responding to a data security breach • State requirements and legislative update • Regulatory enforcement and litigation
2012 Statistics • According to Verizon’s 2013 Data Breach Investigations Reports, in 2012, there were 621 confirmed data breaches and 47,000 reported security incidents. – 92% perpetrated by outsiders. – 76% caused by exploiting weak or stolen passwords.
Cost Of A Data Security Breach • In 2011, data breaches cost organizations an average of $5.5 million. – $222 per record – Includes direct costs (communications, investigations, legal) and indirect costs (lost business, public relations) – Compare to costs of having preventative measures in place such as privacy and security policies, training and encrypting sensitive information
Types of Data Security Breaches • Devices are lost or stolen. • Insider or employee misuse. • Unintended disclosure. • Security patches are not installed. • Malware. • Hacking.
What Is The Objective? Fill In The Gap • Protection • Compliance • Audits • Criminal prosecution • Civil prosecution How to Manage the Data Security Breach
Why Do You Need A Response Plan? Thoughtful and Prepared Reaction Better Decision Making Minimized Risk and Loss
What Is A Data Security Breach? • Alabama, Kentucky, New Mexico and South Dakota are the only states that do not have a data security breach notification statute. • California statute served as a model for later state statutes. – State involvement began in California, after series of breaches received national attention. – Passed in 2002, went into effect in mid-2003.
What Is A Data Security Breach? • “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” See Cal. Civ. Code § 1798.29.
What Is A Data Security Breach? • “Personal information” – First name or initial and last name with one or more of the following (when either name or data element is not encrypted): • Social security number; • Driver’s license number; • Credit card or debit card number; or • Financial account number with information such as PINs, passwords or authorization codes.
What Is A Data Security Breach? • Some states have expanded the definition of “personal information” to include: • Medical information or health insurance information (California); • Biometric data (Indiana); • Mother’s maiden name, birth/death/marriage certificate and electronic signature (North Dakota).
What Is A Data Security Breach? • “Breach of the security of the system” – Some states expressly require notice of unauthorized access to non-computerized data • New York: “lost or stolen computer or other device containing information” or “information has been downloaded or copied” • Hawaii and North Carolina: data includes “personal information in any form (whether computerized, paper, or otherwise)”
What Is A Data Security Breach? • Generally, only need “reasonable” belief the information has been acquired by unauthorized person to trigger notification requirements – Certain states require risk or harm • Arkansas: no notice if “no reasonable likelihood of harm to customers” • Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft”
What Is A Data Security Breach? • Distinguish between entity that “owns or licenses” data and entity that “maintains” data – Data owner has ultimate responsibility to notify consumers of a breach – Non-owners required to notify owners
Collect Relevant Documents and Information • Data location lists • Confidentiality agreements • Customer contracts • Third-party vendor contracts • Privacy policy • Information security policy • Ethics policy • Litigation hold template • Contact list
Create A First Response Team • Information technology (computer & technology resources) • Information security (physical security & access) • Human resources (private employee information – health & medical, payroll, tax, retirement) • Legal counsel (in-house and/or outside counsel) • Compliance • Business heads (consumer information) • Public relations/investor relations
Assign Tasks To Members Of The First Response Team • Establish a point person • Identify key personnel for each task • Prioritize and assign tasks • Calculate timelines and set deadlines • Communicate with management • Establish attorney-client privilege for investigation and communications Project Management Is Critical
Determine The Nature And Scope Of The Breach • Investigate facts • Interview witnesses • Determine type of information that may have been compromised • Identify and assess potential kinds of liability • Identify individuals potentially at risk and determine state or country of residence Preserve Company’s Assets, Reputation and Integrity
Understand Data Breach Notice Laws • State laws: – What constitutes personal information? – When is a notice required? – Who must be notified? (e.g.,State Attorney General) – Timing? – What information must be included in the notice? – Method of delivering notice? – Other state specific requirements? • Applicable industry-specific laws • Applicable international laws
Determine Appropriate Notices • Consumers • Employees • Law enforcement (Federal/State) • Federal regulatory agencies • State agencies • Consumer reporting agencies • Third-party vendors • Insurers • Media
Prepare State Law Notices • General description of the incident • Type of information that may have been compromised • Steps to protect information from further unauthorized access • Contact information (e.g., email address; 1-800 number) • Advice to affected individuals (e.g., credit reporting, review account activity)
Prepare State Law Notices • Delivery method (e.g., certified letters, e- mail, website) • Timing of notices • Tailor notices based on recipient • Use single fact description for all notices
State Laws - Florida
State Laws - Florida
State Laws - California • Applies to any business that “owns or licenses” or “maintains” computerized data that includes “personal information” • Requires notices to California resident if “unencrypted” personal information “was, or is reasonably believed to have been, acquired by an unauthorized person”
State Laws - California • Personal information” includes: – “Medical information”: an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional – “Health insurance information”: an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeal records
State Laws - Massachusetts • Applies to information regardless of physical form (includes paper) – “Unencrypted data or, encrypted electronic data and the confidential process or key” – Data encrypted at “128-bit or higher algorithmic process” is not a security breach, unless the encryption key is also lost
State Laws - Massachusetts • Requires notice “as soon as practicable and without unreasonable delay” • Requires business that owns or licenses data to notify: – Attorney general – Director of consumer affairs and business regulation • Director shall identify and report to any relevant consumer reporting agencies and state agencies – Affected Massachusetts resident
State Laws - Massachusetts • State statute also requires the department of consumer affairs to adopt data security regulations: “Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts” • Regulations went into effect on March 1, 2010
State Regulations - Massachusetts • Applies to entities that “own or license personal information” of a Massachusetts resident – Explicitly includes personal information “in connection with employment” • Requires entities to develop, implement and maintain a written data security program – Must take into account an entity’s size, nature of its business, type of records it maintains and risk of identity theft posed by entity’s operations – Must include certain administrative, technical and physical safeguards
State Regulations - Massachusetts • Requires entities to take steps to select and retain third-party service providers that are capable of appropriately safeguarding personal information • Requires entities to impose contractual obligations on their third-party service providers to safeguard personal information
Prepare Answers To Inquiries • Draft FAQ’s with responses • Establish hotline • Assign group of contact employees • Train employees to respond to inquiries • Develop clear escalation path for difficult questions • Track questions and answers
Prepare Press Release • Include the following information: – Facts surrounding the incident – Actions to prevent further unauthorized access – Steps to prevent future data security breaches – Contact Information for questions • Review by legal counsel
Consider Offering Assistance To Affected Individuals • Free credit reporting • Free credit monitoring with alerts • ID theft insurance • Access to fraud resolution specialists • Toll-free hotline
Regulatory Update • California’s Right to Know Act of 2013 (AB 1291): – Would require businesses that collect consumer information to provide customers with the names and addresses of all data brokers, advertisers and others who were granted access to the information, as well as details regarding the data that was disclosed. – Businesses would have 30 days to answer a request for the information.
Regulatory Update • California’s Right to Know Act of 2013 (AB 1291): – Applies to businesses who “retain” personal data or disclose the information to a third party. – Defines “retain” to mean “store or otherwise hold personal information” whether the information is collected or obtained directly from the consumer or any third party.
Regulatory Update • California’s Right to Know Act of 2013 (AB 1291): – Faced opposition by companies such as Google and Facebook. – Assemblywoman Bonnie Lowenthal delayed action on the bill by turning it into a two-year bill. – Lowenthal plans to spend the remainder of the year educating her colleagues about the importance of the proposed legislation. – Assembly will consider AB 1291 again in 2014.
Regulatory Update
Regulatory Update
Regulatory Update
Enforcement Actions • Federal Trade Commission – Section 5 of FTC Act – Enforce privacy policies and challenge data security practices that cause substantial consumer injury • State Attorney General – State Notification Statutes – Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .” – Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”. • Litigation in federal or state courts
Litigation Typical Claims By Plaintiffs • Plaintiffs (consumers or employees) typically allege the following causes of action: – Common law claims of negligence, breach of contract, breach of implied covenant or breach of fiduciary duty – Claims for violations of state consumer protection statutes – deceptive/unfair trade practices acts
Litigation Plaintiffs Lack Standing • Certain courts have dismissed data breach cases on ground of standing. – Hinton v. Heartland Payment Sys., Inc., Civ. A. No. 09-594, 2009 U.S. Dist. LEXIS 20675 (D.N.J. March 16, 2009): • Increased risk of fraud and identity theft do not constitute “actual or imminent injury in fact” and “amount to nothing more than mere speculation. – Amburgy v. Express Scripts, Inc., Civ. A. No. 09-705, 2009 U.S. Dist. LEXIS 109100 (E.D. Miss. Nov. 23, 2009): • “Plaintiff does not claim that his personal information has in fact been stolen and/or his identity compromised.” • “For plaintiff to suffer the injury and harm he alleges here, many ‘ifs’ would have to come to pass.”
Litigation Plaintiffs Have Standing • However, “[t]he recent trend in ‘lost data cases,’ . . . seems to be in favor of finding subject matter jurisdiction.” (i.e., standing). McLoughlin v. People’s United Bank, Inc., Civ. A. No. 08-944, 2009 U.S. Dist. LEXIS 78065, at *12 (D. Conn. Aug. 31, 2009). – Pisciotta v. Old Nat’l. Bancorp., 499 F.3d 629 (7th Cir. 2007) (injury in fact satisfied by “threat of future harm” or “increasing the risk of future harm”); – Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009) (increased risk of identity theft constituted sufficient “injury in fact” for purposes of standing); – Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).
Litigation Plaintiffs Cannot Prove Damages • Pisciotta v. Old Nat’l. Bancorp.: customers sought compensation for past and future credit monitoring services, after hacker obtained access to their personal information through bank website – Seventh Circuit affirmed district decision granting defendant bank’s motion for judgment on the pleadings and dismissed claims for negligence and breach of contract – Exposure to identity theft or increased risk of identity theft, without more, does not constitute “compensable injury” or “a harm that the law is prepared to remedy” – Credit monitoring costs do not constitute “compensable damages”
Litigation Plaintiffs Cannot Prove Damages • Ruiz v. Gap, Inc.: laptop computer stolen, which contained approximately 750,000 Gap job applications (including name and social security no.) – Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of contract – “At a minimum, Ruiz would be required to present evidence establishing a significant exposure of his personal information” – “Because Ruiz has not been a victim of identity theft, he can present no evidence of appreciable and actual damage as a result of the theft” – “Ruiz cannot show he was actually damaged by pointing to his fear of future identity theft”
Litigation Unusual Court Rulings • Caudle v. Towers, Perrin, Forster & Crosby: laptop computer stolen from employer’s pension consultant, which contained personal information (including name and social security no. of employees) – Employee named employer’s pension consultant as a defendant, but did not include employer – Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of fiduciary duty – Court denied motion with respect to claim that plaintiff was third-party beneficiary between defendant and plaintiff’s employer
Litigation Unusual Court Rulings • Rowe v. UniCare Life & Health Ins. Co., Civ. A. No. 09- 2286, 2010 U.S. Dist. LEXIS 1579 (N.D. Ill. Jan. 5, 2010): personal information of plaintiff was temporarily accessible to the public on defendants’ Internet Website – In deciding motion to dismiss, Court found that plaintiff satisfied minimal pleading standard and allowed claims to proceed – But, the Court stated that claims may ultimately be dismissed if plaintiff cannot show a basis for damages other than alleged increased risk of future harm such as identity theft – Plaintiff may prevail “only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.”
Avoid Future Data Security Breaches • Limit access to personally identifiable information • Encryption • Establish privacy compliance program • Train and test employees • Periodic audits • Update and revise procedures • Enhance technology to strengthen security and reduce risk • Credential third party vendors
Amy Purcell, Esq. 215.299.2798 apurcell@foxrothschild.com

More Related Content

PPT
Privacy and personal information
Uc Man
 
PPTX
Information Privacy
primeteacher32
 
PPTX
Information Privacy
imehreenx
 
PDF
Data Privacy & Security
Eryk Budi Pratama
 
PPTX
Information privacy and Security
AnuMarySunny
 
PPTX
2017-01-24 Introduction of PCI and HIPAA Compliance
Raffa Learning Community
 
PPT
Privacy Security Data Breach - Regulatory Compliance for Financial Institutio...
Lisa Abe-Oldenburg, B.Comm., JD.
 
PPTX
CSMFO 2012 Data Privacy in Local Government
Donald E. Hester
 
Privacy and personal information
Uc Man
 
Information Privacy
primeteacher32
 
Information Privacy
imehreenx
 
Data Privacy & Security
Eryk Budi Pratama
 
Information privacy and Security
AnuMarySunny
 
2017-01-24 Introduction of PCI and HIPAA Compliance
Raffa Learning Community
 
Privacy Security Data Breach - Regulatory Compliance for Financial Institutio...
Lisa Abe-Oldenburg, B.Comm., JD.
 
CSMFO 2012 Data Privacy in Local Government
Donald E. Hester
 

What's hot (19)

PPTX
2018 01-25 Introduction to PCI and HIPAA Compliance
Raffa Learning Community
 
PDF
2016 02-23 Is it time for a Security and Compliance Assessment?
Raffa Learning Community
 
PDF
Managing Personally Identifiable Information (PII)
KP Naidu
 
PDF
Privacy and Data Security
WilmerHale
 
PPTX
3rd party considerations Under GDPR and Privacy Laws
Joe Orlando
 
PDF
3rd party considerations gdpr
Joe Orlando
 
PPTX
Privacy 101
Trish McGinity, CCSK
 
PPT
Privacy and Data Security: Risk Management and Avoidance
Amy Purcell
 
PDF
Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...
Burton Lee
 
PPT
Guernsey Data Protection Legislation
jonbarclay
 
PPTX
GDPR: The Catalyst for Customer 360
DataStax
 
PDF
Cybercrime and the Healthcare Industry
EMC
 
PPT
“Privacy Today” Slide Presentation
tomasztopa
 
PPTX
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
Harrison Clark Rickerbys
 
PDF
Data Privacy
cliff_rudolph
 
PPTX
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
Harrison Clark Rickerbys
 
PPTX
Data protection ppt
grahamwell
 
PPTX
Data Privacy for Information Security Professionals Part 1
Dione McBride, CISSP, CIPP/E
 
PPTX
Cybersecurity Seminar March 2015
Lawley Insurance
 
2018 01-25 Introduction to PCI and HIPAA Compliance
Raffa Learning Community
 
2016 02-23 Is it time for a Security and Compliance Assessment?
Raffa Learning Community
 
Managing Personally Identifiable Information (PII)
KP Naidu
 
Privacy and Data Security
WilmerHale
 
3rd party considerations Under GDPR and Privacy Laws
Joe Orlando
 
3rd party considerations gdpr
Joe Orlando
 
Privacy 101
Trish McGinity, CCSK
 
Privacy and Data Security: Risk Management and Avoidance
Amy Purcell
 
Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...
Burton Lee
 
Guernsey Data Protection Legislation
jonbarclay
 
GDPR: The Catalyst for Customer 360
DataStax
 
Cybercrime and the Healthcare Industry
EMC
 
“Privacy Today” Slide Presentation
tomasztopa
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
Harrison Clark Rickerbys
 
Data Privacy
cliff_rudolph
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
Harrison Clark Rickerbys
 
Data protection ppt
grahamwell
 
Data Privacy for Information Security Professionals Part 1
Dione McBride, CISSP, CIPP/E
 
Cybersecurity Seminar March 2015
Lawley Insurance
 
Ad

Similar to Privacy and Data Security: Risk Management and Avoidance (20)

PPT
Cyber-Security: A Shared Responsibility -- November 2013
Amy Purcell
 
PDF
Introduction to US Privacy and Data Security: Regulations and Requirements
Financial Poise
 
PDF
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Financial Poise
 
PDF
Data Breach Response: Before and After the Breach
Financial Poise
 
PDF
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Financial Poise
 
PPT
Cyber Risks
RickWaldman
 
PPTX
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
gorsline
 
PPT
Powerpoint mack jackson
aiimnevada
 
PPT
George Gavras 2010 Fowler Seminar
Don Grauel
 
PDF
Data Breaches
sstose
 
PDF
Data breaches at home and abroad
Law Practice Strategy
 
PPTX
Enforcement and Litigation Trends and Developments in Privacy and Data Security
Richik Sarkar
 
PDF
Privacy and Information Security: What Every New Business Needs to Know
The Capital Network
 
PPT
Legal issues of domain names & trademarks
Matt Siltala
 
PPTX
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Steve Werby
 
PPTX
International Perspectives on Data Breach
Constantine Karbaliotis
 
PPT
Data breach protection from a DB2 perspective
Craig Mullins
 
PPT
Data Risks In A Digital Age
padler01
 
PDF
Introduction to Data Security Breach Preparedness with Model Data Security Br...
- Mark - Fullbright
 
PDF
Privacy law-update-whitmeyer-tuffin
WhitmeyerTuffin
 
Cyber-Security: A Shared Responsibility -- November 2013
Amy Purcell
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Financial Poise
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Financial Poise
 
Data Breach Response: Before and After the Breach
Financial Poise
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Financial Poise
 
Cyber Risks
RickWaldman
 
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
gorsline
 
Powerpoint mack jackson
aiimnevada
 
George Gavras 2010 Fowler Seminar
Don Grauel
 
Data Breaches
sstose
 
Data breaches at home and abroad
Law Practice Strategy
 
Enforcement and Litigation Trends and Developments in Privacy and Data Security
Richik Sarkar
 
Privacy and Information Security: What Every New Business Needs to Know
The Capital Network
 
Legal issues of domain names & trademarks
Matt Siltala
 
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Steve Werby
 
International Perspectives on Data Breach
Constantine Karbaliotis
 
Data breach protection from a DB2 perspective
Craig Mullins
 
Data Risks In A Digital Age
padler01
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
- Mark - Fullbright
 
Privacy law-update-whitmeyer-tuffin
WhitmeyerTuffin
 
Ad

Recently uploaded (20)

PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Approach and Philosophy of On baking technology
30anthuong17
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Encapsulation theory and applications.pdf
gurumoop
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 

Privacy and Data Security: Risk Management and Avoidance

  • 1. © 2013 Fox Rothschild Privacy and Data Security Risk Management and Avoidance .
  • 2. Topics For Discussion • Why do you need a response plan? • What is a “data security breach”? • Responding to a data security breach • State requirements and legislative update • Regulatory enforcement and litigation
  • 3. 2012 Statistics • According to Verizon’s 2013 Data Breach Investigations Reports, in 2012, there were 621 confirmed data breaches and 47,000 reported security incidents. – 92% perpetrated by outsiders. – 76% caused by exploiting weak or stolen passwords.
  • 4. Cost Of A Data Security Breach • In 2011, data breaches cost organizations an average of $5.5 million. – $222 per record – Includes direct costs (communications, investigations, legal) and indirect costs (lost business, public relations) – Compare to costs of having preventative measures in place such as privacy and security policies, training and encrypting sensitive information
  • 5. Types of Data Security Breaches • Devices are lost or stolen. • Insider or employee misuse. • Unintended disclosure. • Security patches are not installed. • Malware. • Hacking.
  • 6. What Is The Objective? Fill In The Gap • Protection • Compliance • Audits • Criminal prosecution • Civil prosecution How to Manage the Data Security Breach
  • 7. Why Do You Need A Response Plan? Thoughtful and Prepared Reaction Better Decision Making Minimized Risk and Loss
  • 8. What Is A Data Security Breach? • Alabama, Kentucky, New Mexico and South Dakota are the only states that do not have a data security breach notification statute. • California statute served as a model for later state statutes. – State involvement began in California, after series of breaches received national attention. – Passed in 2002, went into effect in mid-2003.
  • 9. What Is A Data Security Breach? • “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” See Cal. Civ. Code § 1798.29.
  • 10. What Is A Data Security Breach? • “Personal information” – First name or initial and last name with one or more of the following (when either name or data element is not encrypted): • Social security number; • Driver’s license number; • Credit card or debit card number; or • Financial account number with information such as PINs, passwords or authorization codes.
  • 11. What Is A Data Security Breach? • Some states have expanded the definition of “personal information” to include: • Medical information or health insurance information (California); • Biometric data (Indiana); • Mother’s maiden name, birth/death/marriage certificate and electronic signature (North Dakota).
  • 12. What Is A Data Security Breach? • “Breach of the security of the system” – Some states expressly require notice of unauthorized access to non-computerized data • New York: “lost or stolen computer or other device containing information” or “information has been downloaded or copied” • Hawaii and North Carolina: data includes “personal information in any form (whether computerized, paper, or otherwise)”
  • 13. What Is A Data Security Breach? • Generally, only need “reasonable” belief the information has been acquired by unauthorized person to trigger notification requirements – Certain states require risk or harm • Arkansas: no notice if “no reasonable likelihood of harm to customers” • Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft”
  • 14. What Is A Data Security Breach? • Distinguish between entity that “owns or licenses” data and entity that “maintains” data – Data owner has ultimate responsibility to notify consumers of a breach – Non-owners required to notify owners
  • 15. Collect Relevant Documents and Information • Data location lists • Confidentiality agreements • Customer contracts • Third-party vendor contracts • Privacy policy • Information security policy • Ethics policy • Litigation hold template • Contact list
  • 16. Create A First Response Team • Information technology (computer & technology resources) • Information security (physical security & access) • Human resources (private employee information – health & medical, payroll, tax, retirement) • Legal counsel (in-house and/or outside counsel) • Compliance • Business heads (consumer information) • Public relations/investor relations
  • 17. Assign Tasks To Members Of The First Response Team • Establish a point person • Identify key personnel for each task • Prioritize and assign tasks • Calculate timelines and set deadlines • Communicate with management • Establish attorney-client privilege for investigation and communications Project Management Is Critical
  • 18. Determine The Nature And Scope Of The Breach • Investigate facts • Interview witnesses • Determine type of information that may have been compromised • Identify and assess potential kinds of liability • Identify individuals potentially at risk and determine state or country of residence Preserve Company’s Assets, Reputation and Integrity
  • 19. Understand Data Breach Notice Laws • State laws: – What constitutes personal information? – When is a notice required? – Who must be notified? (e.g.,State Attorney General) – Timing? – What information must be included in the notice? – Method of delivering notice? – Other state specific requirements? • Applicable industry-specific laws • Applicable international laws
  • 20. Determine Appropriate Notices • Consumers • Employees • Law enforcement (Federal/State) • Federal regulatory agencies • State agencies • Consumer reporting agencies • Third-party vendors • Insurers • Media
  • 21. Prepare State Law Notices • General description of the incident • Type of information that may have been compromised • Steps to protect information from further unauthorized access • Contact information (e.g., email address; 1-800 number) • Advice to affected individuals (e.g., credit reporting, review account activity)
  • 22. Prepare State Law Notices • Delivery method (e.g., certified letters, e- mail, website) • Timing of notices • Tailor notices based on recipient • Use single fact description for all notices
  • 23. State Laws - Florida
  • 24. State Laws - Florida
  • 25. State Laws - California • Applies to any business that “owns or licenses” or “maintains” computerized data that includes “personal information” • Requires notices to California resident if “unencrypted” personal information “was, or is reasonably believed to have been, acquired by an unauthorized person”
  • 26. State Laws - California • Personal information” includes: – “Medical information”: an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional – “Health insurance information”: an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeal records
  • 27. State Laws - Massachusetts • Applies to information regardless of physical form (includes paper) – “Unencrypted data or, encrypted electronic data and the confidential process or key” – Data encrypted at “128-bit or higher algorithmic process” is not a security breach, unless the encryption key is also lost
  • 28. State Laws - Massachusetts • Requires notice “as soon as practicable and without unreasonable delay” • Requires business that owns or licenses data to notify: – Attorney general – Director of consumer affairs and business regulation • Director shall identify and report to any relevant consumer reporting agencies and state agencies – Affected Massachusetts resident
  • 29. State Laws - Massachusetts • State statute also requires the department of consumer affairs to adopt data security regulations: “Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts” • Regulations went into effect on March 1, 2010
  • 30. State Regulations - Massachusetts • Applies to entities that “own or license personal information” of a Massachusetts resident – Explicitly includes personal information “in connection with employment” • Requires entities to develop, implement and maintain a written data security program – Must take into account an entity’s size, nature of its business, type of records it maintains and risk of identity theft posed by entity’s operations – Must include certain administrative, technical and physical safeguards
  • 31. State Regulations - Massachusetts • Requires entities to take steps to select and retain third-party service providers that are capable of appropriately safeguarding personal information • Requires entities to impose contractual obligations on their third-party service providers to safeguard personal information
  • 32. Prepare Answers To Inquiries • Draft FAQ’s with responses • Establish hotline • Assign group of contact employees • Train employees to respond to inquiries • Develop clear escalation path for difficult questions • Track questions and answers
  • 33. Prepare Press Release • Include the following information: – Facts surrounding the incident – Actions to prevent further unauthorized access – Steps to prevent future data security breaches – Contact Information for questions • Review by legal counsel
  • 34. Consider Offering Assistance To Affected Individuals • Free credit reporting • Free credit monitoring with alerts • ID theft insurance • Access to fraud resolution specialists • Toll-free hotline
  • 35. Regulatory Update • California’s Right to Know Act of 2013 (AB 1291): – Would require businesses that collect consumer information to provide customers with the names and addresses of all data brokers, advertisers and others who were granted access to the information, as well as details regarding the data that was disclosed. – Businesses would have 30 days to answer a request for the information.
  • 36. Regulatory Update • California’s Right to Know Act of 2013 (AB 1291): – Applies to businesses who “retain” personal data or disclose the information to a third party. – Defines “retain” to mean “store or otherwise hold personal information” whether the information is collected or obtained directly from the consumer or any third party.
  • 37. Regulatory Update • California’s Right to Know Act of 2013 (AB 1291): – Faced opposition by companies such as Google and Facebook. – Assemblywoman Bonnie Lowenthal delayed action on the bill by turning it into a two-year bill. – Lowenthal plans to spend the remainder of the year educating her colleagues about the importance of the proposed legislation. – Assembly will consider AB 1291 again in 2014.
  • 41. Enforcement Actions • Federal Trade Commission – Section 5 of FTC Act – Enforce privacy policies and challenge data security practices that cause substantial consumer injury • State Attorney General – State Notification Statutes – Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .” – Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”. • Litigation in federal or state courts
  • 42. Litigation Typical Claims By Plaintiffs • Plaintiffs (consumers or employees) typically allege the following causes of action: – Common law claims of negligence, breach of contract, breach of implied covenant or breach of fiduciary duty – Claims for violations of state consumer protection statutes – deceptive/unfair trade practices acts
  • 43. Litigation Plaintiffs Lack Standing • Certain courts have dismissed data breach cases on ground of standing. – Hinton v. Heartland Payment Sys., Inc., Civ. A. No. 09-594, 2009 U.S. Dist. LEXIS 20675 (D.N.J. March 16, 2009): • Increased risk of fraud and identity theft do not constitute “actual or imminent injury in fact” and “amount to nothing more than mere speculation. – Amburgy v. Express Scripts, Inc., Civ. A. No. 09-705, 2009 U.S. Dist. LEXIS 109100 (E.D. Miss. Nov. 23, 2009): • “Plaintiff does not claim that his personal information has in fact been stolen and/or his identity compromised.” • “For plaintiff to suffer the injury and harm he alleges here, many ‘ifs’ would have to come to pass.”
  • 44. Litigation Plaintiffs Have Standing • However, “[t]he recent trend in ‘lost data cases,’ . . . seems to be in favor of finding subject matter jurisdiction.” (i.e., standing). McLoughlin v. People’s United Bank, Inc., Civ. A. No. 08-944, 2009 U.S. Dist. LEXIS 78065, at *12 (D. Conn. Aug. 31, 2009). – Pisciotta v. Old Nat’l. Bancorp., 499 F.3d 629 (7th Cir. 2007) (injury in fact satisfied by “threat of future harm” or “increasing the risk of future harm”); – Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009) (increased risk of identity theft constituted sufficient “injury in fact” for purposes of standing); – Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).
  • 45. Litigation Plaintiffs Cannot Prove Damages • Pisciotta v. Old Nat’l. Bancorp.: customers sought compensation for past and future credit monitoring services, after hacker obtained access to their personal information through bank website – Seventh Circuit affirmed district decision granting defendant bank’s motion for judgment on the pleadings and dismissed claims for negligence and breach of contract – Exposure to identity theft or increased risk of identity theft, without more, does not constitute “compensable injury” or “a harm that the law is prepared to remedy” – Credit monitoring costs do not constitute “compensable damages”
  • 46. Litigation Plaintiffs Cannot Prove Damages • Ruiz v. Gap, Inc.: laptop computer stolen, which contained approximately 750,000 Gap job applications (including name and social security no.) – Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of contract – “At a minimum, Ruiz would be required to present evidence establishing a significant exposure of his personal information” – “Because Ruiz has not been a victim of identity theft, he can present no evidence of appreciable and actual damage as a result of the theft” – “Ruiz cannot show he was actually damaged by pointing to his fear of future identity theft”
  • 47. Litigation Unusual Court Rulings • Caudle v. Towers, Perrin, Forster & Crosby: laptop computer stolen from employer’s pension consultant, which contained personal information (including name and social security no. of employees) – Employee named employer’s pension consultant as a defendant, but did not include employer – Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of fiduciary duty – Court denied motion with respect to claim that plaintiff was third-party beneficiary between defendant and plaintiff’s employer
  • 48. Litigation Unusual Court Rulings • Rowe v. UniCare Life & Health Ins. Co., Civ. A. No. 09- 2286, 2010 U.S. Dist. LEXIS 1579 (N.D. Ill. Jan. 5, 2010): personal information of plaintiff was temporarily accessible to the public on defendants’ Internet Website – In deciding motion to dismiss, Court found that plaintiff satisfied minimal pleading standard and allowed claims to proceed – But, the Court stated that claims may ultimately be dismissed if plaintiff cannot show a basis for damages other than alleged increased risk of future harm such as identity theft – Plaintiff may prevail “only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.”
  • 49. Avoid Future Data Security Breaches • Limit access to personally identifiable information • Encryption • Establish privacy compliance program • Train and test employees • Periodic audits • Update and revise procedures • Enhance technology to strengthen security and reduce risk • Credential third party vendors