Transcript

  • 1. Privacy Law & Financial Advisors
    Brendon M. Tavelli, Associate, Privacy & Data Security Practice Group
    November 20, 2009
    Financial Advisor Webinar Series 2009
  • 2. Agenda
    • The inter-relationship between privacy and data security → can’t have privacy without security
    • Brief overview of the potentially applicable legal regimes at the federal and state level
    • Exposure points for financial advisors
    • Recommendations to minimize privacy risks
  • 3. Privacy Law v. Data Security Law
    • Privacy is the appropriate use of personal information, or PII
    • Privacy is impossible without security
    • All the privacy promises in the world are worthless if appropriate data security measures are not in place
    • Shift in legal focus from privacy disclosures (e.g., privacy policies and breach notification) to affirmative security obligations
  • 4. Domestic Privacy Law Is Sectoral
    • No omnibus, across-the-board privacy law in the United States
      - Compare: the EU and Canada take a holistic approach to protecting the privacy of personal information
    • Privacy law in the United States is a patchwork of federal, state, and other laws, regulations and standards of conduct
    • The financial services industry is no stranger to privacy regulation
  • 5. Major Financial Privacy Laws
    • Fair Credit Reporting Act (FCRA)
    • Fair and Accurate Credit Transactions Act (FACTA)
    • Gramm-Leach-Bliley Act (GLBA)
      - Privacy Rule imposes information-sharing restrictions and notice obligations on financial institutions
      - Safeguards Rule requires institutions to have a security plan to protect the confidentiality and integrity of personal consumer information
  • 6. Federal Data Security Enforcement
    • The FTC is authorized to regulate unfair or deceptive acts or practices in or affecting commerce
    • The FTC exercises this power with respect to data security in two ways:
      - Unfair → inadequate data privacy and security
      - Deceptive → misrepresentations with respect to these practices
    • The FTC cannot impose fines under the FTC Act, but can (and does) impose rigorous data security requirements
  • 7. Exemplary Federal Enforcement Actions
    • BJ’s Wholesale Club, Inc.
      - Hackers exploited a network security weakness to steal credit card data
      - BJ’s must implement a comprehensive information security program with administrative, technical, and physical safeguards
      - Must obtain an independent program audit every other year for 20 years
    • Eli Lilly
      - E-mail addresses of Prozac users inadvertently sent in the “To” line
      - Settled the FTC investigation by agreeing to implement a 4-stage program designed to protect sensitive personal information
      - Paid a fine to state AGs and agreed to improve data security standards
  • 8. Exemplary Federal Enforcement Actions (cont’d)
    • CVS Caremark Corp.
      - Sensitive information found in insecure trash containers outside stores
      - FTC and HHS each entered into separate agreements to resolve issues related to violations of the FTC Act and HIPAA
      - Must implement a detailed data security program + standard audits
      - $2.25M penalty paid to HHS
    • ChoicePoint
      - Personal information sold to an alleged crime ring without proper authorization
      - FTC alleged violations of the Fair Credit Reporting Act
      - Must implement a detailed data security program + standard audits
      - Paid a $10M civil penalty to the FTC + $5M consumer redress
  • 9. Other Potentially Applicable Legal Regimes
    • California Online Privacy Protection Act
    • State security breach notification obligations
    • State data security regulations
      - Massachusetts
      - Nevada
      - Other
    • Federal and state e-mail & telephone marketing regulations
  • 10. California Online Privacy Protection Act
    • Cal. Bus. & Prof. Code § 22575
    • Any person that collects “personally identifiable information” from California residents online must post an online privacy policy
      - NOT dependent upon the location of the person collecting PII
    • Policy must disclose what types of PII are collected online and how PII may be disclosed
    • Must be posted “conspicuously”
  • 11. What is “personal information”?
    • Most legal regimes in the United States apply to certain forms of “personal information” or “personally identifiable information”
    • The definition of PII often varies depending on the objective of the statute and the jurisdiction
    • One common definition encompasses first name (or first initial) and last name in combination with one or more of the following:
      - a Social Security number
      - driver’s license number or government-issued ID number
      - account number, and/or credit or debit card information, including numbers and passwords, PINs and access codes
  • 12. State Security Breach Notice Requirements
    • 45 states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands require that you provide notice to individuals when the security of their unencrypted PII is compromised
    • Some states include broader definitions of PII
    • Notice requirements vary by jurisdiction
      - Heightened thresholds to trigger the notice obligation
      - Content of notices
      - Notice to state regulatory bodies
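Slides 11 and 12 together give a decision rule a practitioner can actually run over a lost data set: a record is PII when a name is combined with at least one sensitive element, and individual notice is triggered only when that PII was unencrypted. The Go program below is an added example written for this page, not material from the webinar or from Proskauer; the `Record` fields, the sample rows and the element labels are constructed for the demonstration, and the treatment of a bare account or card number as a qualifying element follows the slide's broader wording rather than any particular state statute.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Record is one row of a hypothetical client export. The field names are
// assumptions for this example, not terms taken from any statute.
type Record struct {
	FirstName     string // a first initial alone is enough under the common definition
	LastName      string
	SSN           string
	DriverLicense string // driver's license or other government-issued ID number
	AccountNumber string
	CardNumber    string
	Encrypted     bool // whether the stored copy was encrypted when it was lost
}

// ssnRe accepts the usual 9-digit layout with or without dashes.
var ssnRe = regexp.MustCompile(`^\d{3}-?\d{2}-?\d{4}$`)

// hasName reports whether the record carries a last name together with a
// first name or first initial, the first half of the common definition.
func hasName(r Record) bool {
	return strings.TrimSpace(r.FirstName) != "" && strings.TrimSpace(r.LastName) != ""
}

// DataElements lists which of the slide's sensitive elements the record holds.
// Whether a bare account or card number counts without its PIN or password
// varies by statute; this example follows the slide's broader reading.
func DataElements(r Record) []string {
	var out []string
	if ssnRe.MatchString(strings.TrimSpace(r.SSN)) {
		out = append(out, "ssn")
	}
	if strings.TrimSpace(r.DriverLicense) != "" {
		out = append(out, "driver-license-or-gov-id")
	}
	if strings.TrimSpace(r.AccountNumber) != "" || strings.TrimSpace(r.CardNumber) != "" {
		out = append(out, "account-or-card-number")
	}
	return out
}

// IsPII reports whether the record is "personal information" under the
// common definition: a name combined with at least one data element.
func IsPII(r Record) bool {
	return hasName(r) && len(DataElements(r)) > 0
}

// NoticeRequired applies the trigger on slide 12: notice obligations attach
// when unencrypted PII is compromised. Encrypted copies and records that are
// not PII at all fall outside the trigger (thresholds and notice content still
// vary by state and must be checked separately).
func NoticeRequired(r Record) bool {
	return IsPII(r) && !r.Encrypted
}

// TriageBreach tallies a lost data set: how many records are PII, and how
// many of those would require individual notice.
func TriageBreach(rs []Record) (pii, notify int) {
	for _, r := range rs {
		if IsPII(r) {
			pii++
		}
		if NoticeRequired(r) {
			notify++
		}
	}
	return pii, notify
}

// SampleRecords is constructed sample data for the demonstration.
func SampleRecords() []Record {
	return []Record{
		{FirstName: "Jane", LastName: "Doe", SSN: "123456789"},                          // PII, unencrypted -> notice
		{FirstName: "J", LastName: "Smith", DriverLicense: "S1234567", Encrypted: true}, // PII, but encrypted -> no notice
		{FirstName: "John", LastName: "Roe"},                                            // name only -> not PII
		{LastName: "Chan", SSN: "987-65-4321"},                                          // element without a name -> not PII
		{FirstName: "Mary", LastName: "Poe", AccountNumber: "4400012345"},               // PII, unencrypted -> notice
	}
}

func main() {
	for _, r := range SampleRecords() {
		fmt.Printf("%-5s %-6s pii=%-5v notice=%-5v elements=%v\n",
			r.FirstName, r.LastName, IsPII(r), NoticeRequired(r), DataElements(r))
	}
	pii, notify := TriageBreach(SampleRecords())
	fmt.Printf("PII records: %d, individuals requiring notice: %d\n", pii, notify)
}
```

Run with `go run .`; the five constructed rows yield three PII records and two notice obligations. The same split drives the practical question on slide 23: the fewer sensitive elements a CRM export carries, and the more of it is stored encrypted, the smaller the population that ever reaches the notice trigger.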
  • 13. Anatomy Lesson: What Does a Breach Look Like?
    • Network hacking
    • Peer-to-peer software
    • Lost or stolen laptops
    • Breaches in physical security
    • Spyware, phishing and pretexting
    • Botched software updates/upgrades
    • Insecure media disposal
    • Human error
    • Hacked card-swiping devices
    • Rogue or disgruntled employees
    • Security vulnerabilities on mobile devices
    • Lost or stolen media
    • Misdirected mail and faxes
    • Insecure wireless networks
    • And more . . .
  • 14. State Data Security Regulations
    • Some states require businesses to use “reasonable procedures and practices” to protect PII
    • Some states impose obligations to properly dispose of records containing PII
      - Required or recommended disposal methods include shredding, erasing, or otherwise rendering the records unreadable
      - Businesses may “outsource” disposal, but generally must monitor for compliance
    • Massachusetts and Nevada are leading the charge by requiring businesses to take specific, affirmative steps to protect PII
  • 15. Massachusetts Data Security Regulations
    • 201 C.M.R. § 17.00, enacted in September 2008
    • Regulations harshly criticized by the business community and others as unworkable and unduly burdensome
    • Revised twice, and compliance deadlines extended
    • Any person that owns or licenses personal information about a Massachusetts resident must comply by March 1, 2010
  • 16. Massachusetts Data Security Regulations
    • Must develop, implement and maintain a comprehensive, written information security program that includes administrative, technical, and physical safeguards
    • Flexible → the program may be tailored to the organization
      - Size, scope and type of business
      - Available resources
      - Amount of stored data
      - Security / confidentiality needs for consumer and employee data
  • 17. 201 C.M.R. § 17.00: Specific Requirements
    • The Massachusetts data security regulations are flexible, but written information security programs must include certain components:
      - Designating one or more “responsible” employees
      - Identifying and assessing reasonably foreseeable risks
      - Security policies for employees regarding the handling of PII
      - Disciplinary measures for program violations
      - Access restrictions
      - Service-provider oversight
      - Program monitoring and updating to ensure continued effectiveness
      - Documenting breach response
  • 18. 201 C.M.R. § 17.00: Specific Requirements (cont’d)
    • The Massachusetts regulations require persons that own or license PII to implement computer system security measures:
      - Secure user authentication protocols
      - Access restrictions (e.g., need-to-know access)
      - Encryption (in transit and when stored on portable devices)
      - “Reasonable” monitoring of systems for unauthorized access
      - Up-to-date firewalls, patches and antivirus software
      - Employee training on proper use of systems and the importance of PII security
    • CAVEAT: computer system security measures must be implemented “to the extent technically feasible”
  • 19. 201 C.M.R. § 17.04: Encryption
    • “Encrypted” means “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key”
      - OCABR abandoned the specification of any particular encryption technology
    • Records and files that contain PII which are transmitted wirelessly and/or across public networks must be encrypted
    • PII stored on laptops or other portable devices must be encrypted
  • 20. Nev. Rev. Stat. § 603A: Encryption
    • Nev. Rev. Stat. § 597.970 prohibits electronic transmission of PII outside a secure system (other than by fax) unless encrypted
    • S.B. 227 amends § 597.970 to require encryption of all PII leaving the “logical or physical controls of the data collector,” including electronic data on a “data storage device”
      - Data storage device = computers, cell phones, magnetic tape, computer drives, and the medium itself
    • S.B. 227 requires the use of encryption technology that has been adopted by an established standards-setting body, and proper management and safeguarding of cryptographic keys
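Slides 19 and 20 set three concrete conditions for PII that leaves the office on a laptop or a drive: meaning cannot be assigned to it without a key, the algorithm comes from an established standards body, and the key is managed separately. The Go program below is an added example for this page, not code from the webinar or from Proskauer; it uses AES-256-GCM from Go's standard library (AES is NIST FIPS 197, GCM is NIST SP 800-38D) and assumes the key is generated and held outside the device, which the regulations require in principle but do not specify. The record contents and the device label are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey generates a fresh 256-bit AES key. In a real deployment the key
// lives in a key manager or the user's credential store, never alongside the
// ciphertext on the portable device (an assumption of this example; the
// regulations require key management but prescribe no particular scheme).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the authenticated cipher from standards-body primitives.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES: NIST FIPS 197
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // GCM: NIST SP 800-38D
}

// Seal encrypts one PII record. label is additional authenticated data that is
// not encrypted but is bound to the ciphertext (here, the device and file the
// record belongs to). Output: 12-byte random nonce || ciphertext || 16-byte tag.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// A fresh random nonce per record; a nonce must never repeat under one key.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. It fails if the key is wrong, the label does not match,
// or any byte of the blob was altered, so no meaning can be assigned to the
// stored data without the key, which is what the definition on slide 19 asks for.
func Open(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the label ties it to a hypothetical laptop file.
	record := []byte("Jane Doe,123-45-6789,4400012345")
	label := []byte("laptop-42:/clients.csv")

	blob, err := Seal(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on device: %x\n", blob)

	plain, err := Open(key, blob, label)
	fmt.Printf("with key:        %q err=%v\n", plain, err)

	otherKey, _ := NewDataKey()
	_, err = Open(otherKey, blob, label)
	fmt.Printf("with wrong key:  err=%v\n", err)

	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered byte
	_, err = Open(key, blob, label)
	fmt.Printf("after tampering: err=%v\n", err)
}
```

The design point for the slide's safe harbor is the separation the comments describe: the blob on the device carries the nonce and the authentication tag but never the key, so a lost laptop holds only data to which no meaning can be assigned, while the label check stops an encrypted record from being silently moved to a file or device it was not sealed for.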
  • 21. Nev. Rev. Stat. § 603A: Encryption (cont’d)
    • Safe harbor → a data collector is not liable for a breach if it is compliant with the encryption law and there is no gross negligence or intentional misconduct
    • Some questions remain
      - Who can enforce?
      - Is there a private right of action?
      - What does it mean to be “doing business in this State”?
  • 22. Federal and State Marketing Regulations
    • CAN-SPAM Act
      - E-mail communications
    • Telemarketing regulations
      - Telephone solicitations
    • Behavioral targeting guidelines
  • 23. Advisor Exposure Points
    • Customer Relationship Management (“CRM”) databases
      - Strong access restrictions
      - Minimize collection and storage of sensitive PII
      - Train employees on proper access and use
    • Portable electronic devices
      - Encrypt devices that store PII
      - Implement physical security policies
    • Hard-copy documents
      - Some breach notification laws apply
      - Disposal rules may apply
  • 24. Advisor Exposure Points (cont’d)
    • Client communications
      - What types of PII should be included in transmissions? (e.g., redact PII in performance reports)
      - Compliance with federal and state marketing restrictions
    • Externally-facing policies on privacy and data security
      - Do you have a policy?
      - Do you know what it says?
      - Does your policy accurately reflect your practices?
  • 25. Recommendations: 6 Simple Steps
    • Step 1: Take ownership → avoid a tragedy of the commons
    • Step 2: Identify what you have → ask the questions!
    • Step 3: Identify the appropriate level(s) of security
    • Step 4: Document your program
    • Step 5: Communicate your program to affected individuals
    • Step 6: Manage your program → provide oversight, update
  • 26. Thank You!
    http://privacylaw.proskauer.com/
    Brendon M. Tavelli
    btavelli@proskauer.com
    202.416.6896