FEBRUARY 4 – 6, 2014 / THE HILTON NEW YORK

Ripped from the Headlines: Cautionary
Tales from the Annals of Data Privacy
Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy

Every week seems to bring another story of a data breach or significant privacy gaffe. Learn how to help keep your company out of the Privacy Hall of Shame.
This interactive panel was the closing plenary session at LegalTech NY 2014.
This panel was moderated by Dori Anne Kuchinsky, Assistant General Counsel Litigation and Global Privacy, W.R. Grace & Co.
The chapter on Social Media Security Fails in 2013 was presented by Al Raymond, CIPP/US, CISSP, Head of US Privacy & Social Media Compliance, TD Bank. The chapter "Location, Location, Location: Why it REALLY matters" was presented by Kamal Patheja, Legal Director Global Software Licensing DHL GBS (UK).
The final chapter "Privacy Enforcement in the U.S." was presented by Monique Altheim, CIPP/US/E, Founder and Managing Partner of The Law Office of Monique Altheim.
Many thanks to Patrick Oot, Senior Special Counsel for Electronic Discovery at U.S. Securities and Exchange Commission, for providing the polling questions technology.

Transcript of "Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy"

1. FEBRUARY 4 – 6, 2014 / THE HILTON NEW YORK
   Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy
   Monique Altheim, Principal, The Law Office Monique Altheim
   Dori Anne Kuchinsky, Assistant General Counsel, Litigation & Global Privacy, W.R. Grace & Co.
   Kamal Patheja, Legal Director Global Software Licensing, DHL
   Albert M. Raymond, Head of U.S. Privacy & Social Media Compliance, TD Bank

2. Target and Neimans and Snapchat, Oh My! The Year in Data Privacy
   • Privacy Jeopardy:
     - The Rules
     - The Categories
     - The Prizes
   LEGALTECH NEW YORK / FEBRUARY 4 – 6, 2014

3. EU-U.S. Safe Harbor and the “Snowden Effect”
   Poll Question: The FTC recently announced settlements with 12 U.S. companies for Safe Harbor violations. The violation charged was:
   a) Allowing the NSA to access EU data transferred under Safe Harbor
   b) Using Safe Harbor to justify transfers to inadequate countries
   c) Falsely claiming they had current Safe Harbor certifications
   d) None of the above

4. Social Media Security Fails in 2013

5. Associated Press Twitter Account Hack (April 2013)
   • The Associated Press' Twitter account was hacked.
   • Moments later, the Syrian Electronic Army claimed responsibility for the attack.

6. Associated Press Twitter Account Hack
   • The message spread quickly, with Twitter users immediately wondering if the account had been hacked.
   • The Associated Press clarified shortly thereafter that the tweet was a fake.

7. Associated Press Twitter Account Hack
   The Syrian Electronic Army, an organization that supports Syrian President Bashar al-Assad, tweeted:

8. Associated Press Twitter Account Hack: Real Repercussions

9. Associated Press Twitter Account Hack
   Poll Question: Which of these ‘strong’ passwords should the Associated Press have used to protect its Twitter account?
   a) Password
   b) Qwerty
   c) Abc123
   d) Muj@hideen2#

10. Chrysler Social Media Faux Pas

11. Chrysler Social Media Faux Pas

12. Chrysler Social Media Faux Pas

13. Chrysler Social Media Faux Pas
    Poll Question: If your vendor causes a security or privacy event for you, what could be your recourse?
    a) Legal action
    b) Nothing. Your vendor’s actions are your own
    c) Depends on the contract
    d) Run over someone with a Chrysler 300 Hemi

14. Burger King’s Twitter Account Hijacked

15. Burger King’s Twitter Account Hijacked

16. Burger King’s Twitter Account Hijacked
    • The account was hacked by an unknown group, which changed the company’s logo and profile name to McDonald’s. It then started tweeting offensive messages, along with a message that the company had been “bought out” by McDonald’s.
    • After nearly an hour and a half of “tasteless” tweets filled with drug references and obscenities, Twitter finally suspended the account.
    • Afterwards, Burger King actually gained almost 30,000 followers from the incident!
      - 300% increase in conversations on the BK site (450,000 tweets!)

17. Burger King’s Twitter Account Hijacked

18. Burger King’s Twitter Account Hijacked

19. Burger King’s Twitter Account Hijacked

20. Burger King’s Twitter Account Hijacked

21. Burger King’s Twitter Account Hijacked
    Poll Question: What do you suppose is the biggest risk from having your SM account hijacked?
    a) Brand risk
    b) Reputation risk
    c) Both A & B
    d) Loss of the formula for ‘secret sauce’

22. Lessons Learned?
    • Poor Pwd Management: The companies didn’t know who had access to the account or to the passwords. If the same password can be used across multiple accounts, that’s poor password management.
    • Newsflash!: Passwords need to be changed on a periodic basis.
    • Weakest Link: Any system can be compromised with enough time and effort. Many ways into the crown jewels exist, including phishing, smishing, social engineering, software, or applications.
    • Inside Job: Malcontent employees (current or former) who have/had access to the passwords make it difficult to know if the account truly was hacked or if it was a rogue employee. Many social media accounts are not tied to Active Directory or LDAP systems.
    • Vendor Management: If you lack the skills inside the organization to run your SM site, you may rely on an external firm. Burger King and Chrysler were both highly dependent on external agencies to manage and control their Twitter accounts. Improper governance and oversight led to epic Social Media Fails.

23. Location, Location, Location: Why it REALLY Matters

24. US vs. EU: Conflict with respect to Personal Data*
    • EU: everything is prohibited unless expressly permitted by law
    • US: everything is permitted unless expressly prohibited by law
    *Art. 2 Directive 95/46/EC: “Personal data" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

25. Incident #1: Dude, Where’s My Data?

26. Incident #1
    Poll Question: Which of the following is Personal Data?
    a) Car registration plate
    b) Work email address
    c) Employee number
    d) Employee status on corporate live chat system
    e) All of the above

27. Incident #1
    Poll Question: Which of the following is NOT an adequate way of transferring Personal Data to a third party company outside of the EEA?
    a) Model Clauses
    b) Safe Harbor registration
    c) White Listed Countries
    d) Binding Corporate Rules
    e) None of the above

28. Incident #1: Dude, Where’s My Data?
    • DPDHL UK entity engaged with a UK supplier to acquire a claims handling system
    • The solution involved the hosting of claims-related information of DPDHL employees
    • Contract governed by English law
    • Contract provides for DPDHL providing personal data to the supplier in the UK
    • Contract completed, ready for sign-off
    • DPDHL Legal enquired as to the supplier’s server location
    • “Oops, forgot to tell you”: Data to be hosted in the US! By a third party!
    • 3 months later we signed off the deal after arduous negotiations surrounding the data protection provisions – the supplier did not see what the big deal was for DPDHL!

29. Incident #2: Show Me the Data!

30. Incident #2
    Poll Question: Which of the following is deemed valid consent for the purposes of transferring Personal Data?
    a) Data subject’s waiver in the form of posting of the same Personal Data to social media
    b) A formal consent form signed by the company’s CEO authorizing the transfer of employee Personal Data
    c) A formal consent form signed by an administrative assistant authorizing transfer of his/her personal data
    d) An email by the CEO authorizing transfer of his/her personal data
    e) None of the above

31. Incident #2
    Poll Question: Which of the following is true?
    a) E-discovery rules override the EU Data Protection Directive
    b) EU Data Protection Directive overrides E-discovery rules
    c) The EU Data Protection Directive can be ignored by a US Company only doing business in the US
    d) Companies can select which privacy regime to follow based on country of registration
    e) None of the above

32. Incident #2: Show Me the Data!
    • US-based employee seconded to Germany
    • The new role never transpired
    • Employee sought reinstatement to her original role in the US
    • Old role filled!!!
    • Employee commenced proceedings in the US against DPDHL alleging wrongful termination and harassment
    • Plaintiff produced altered emails
    • DHL had to collect emails from executives and non-executives in Germany to disprove P’s allegations
    • US litigators barred by EU Data Protection from collecting data

33. Incident #2: Show Me the Data!
    • DPDHL had to implement adequate measures, which included:
      - Giving German employees an opportunity to consult with DPDHL Data Protection Officers
      - DPDHL Officers consulting with the German Worker’s Council
      - US lawyers to disclose the data needed, where it would be sent and how it would be used
      - US lawyers had to obtain consent from each custodian, subject to refusal or withdrawal
      - EU employees to self-collect
      - Data subject to protective order
      - Then and only then could the data be used in litigation

34. Lessons Learned?
    • From the outset, ask suppliers about server locations and DR sites
    • Quiz your business folk on the type of data to be processed/hosted/stored
    • In any litigation matter, be mindful of any European aspects to the case
    • Seek local legal advice on national law issues
    • The EU Directive has been implemented by all EU members in their local legislation with varying degrees of formality, e.g. Germany compared to the UK

35. Privacy Enforcement in the U.S.

36. Oregon Woman Awarded $18.6 MILLION Over Equifax Credit Report Mix-Up (July 2013)
    (Reduced to $1.62 Million on Appeal on January 29, 2014)

37. FTC Collects $3.5 Million From TeleCheck For Failing To Investigate Disputes Or Correct Errors (January 16, 2014)

38. FTC Expands FCRA Coverage to Mobile Industry – Criminal Records Search Apps (January 10, 2013)

39. FCRA
    Poll Question: A consumer reporting agency falls under the FCRA if it sells consumer reports to:
    a) Banks, Insurance Companies, Employers and Consumers
    b) Banks, Insurance Companies, Employers and for Other Business Purposes
    c) Banks, Insurance Companies, Employers, Marketers, and Dating Sites
    d) All of the above

40. FTC Announces First Settlement Involving Privacy and the "Internet of Things" – The TRENDnet Case (September 2013)

41. Section 5(a) of the FTC Act
    Poll Question: A company has an obligation under Section 5(a) of the FTC Act to provide reasonable security for its PII:
    a) Always
    b) Only if there is risk of substantial damage
    c) Only if it promises to do so
    d) Never

42. WellPoint Pays HHS $1.7 Million for Leaving Information Accessible Over Internet (July 2013)

43. HIPAA
    Poll Question: The following entities must comply with HIPAA Privacy and Security Rules:
    a) Law firms that handle PHI from insurance companies, hospitals or health care providers
    b) Webmd.com and Patientslikeme.com
    c) H.R. departments
    d) All of the above

44. Lessons Learned?
    • Data Brokers and App Developers: If you quack like a duck…you are a duck. Regardless of your ToS, if you act as a consumer reporting agency, you need to be compliant with the FCRA requirements to avoid steep fines from the FTC and lawsuits from wronged consumers.
    • Companies under jurisdiction of the FTC: Say what you mean and mean what you say in your privacy policies. Don’t make promises you will not keep, lest the FTC accuse you of deceptive practices under Section 5(a) FTCA. If you handle sensitive data, the breach of which may result in substantial damage, you must have a data security program in place, lest the FTC accuse you of unfair practices under Section 5(a) FTCA.
    • All companies processing PHI from HIPAA “covered entities”: As “business associates” you must comply with HIPAA Privacy and Security Rules as well. HHS/FTC are after you!

45. Questions?