
Privacy Law



  1. Privacy Law & Financial Advisors
     Brendon M. Tavelli, Associate, Privacy & Data Security Practice Group
     November 20, 2009
     Financial Advisor Webinar Series 2009
  2. Agenda
     • The inter-relationship between privacy and data security → can’t have privacy without security
     • Brief overview of the potentially applicable legal regimes at the federal and state level
     • Exposure points for financial advisors
     • Recommendations to minimize privacy risks
  3. Privacy Law v. Data Security Law
     • Privacy is the appropriate use of personal information or PII
     • Privacy is impossible without security
     • All the privacy promises in the world are worthless if appropriate data security measures are not in place
     • Shift in legal focus from privacy disclosures (e.g., privacy policies and breach notification) to affirmative security obligations
  4. Domestic Privacy Law Is Sectoral
     • No omnibus, across-the-board privacy law in the United States
       - Compare: the EU and Canada take a holistic approach to protecting the privacy of personal information
     • Privacy law in the United States is a patchwork of federal, state, and other laws, regulations and standards of conduct
     • The financial services industry is no stranger to privacy regulation
  5. Major Financial Privacy Laws
     • Fair Credit Reporting Act (FCRA)
     • Fair and Accurate Credit Transactions Act (FACTA)
     • Gramm-Leach-Bliley Act (GLBA)
       - Privacy Rule imposes information-sharing restrictions and notice obligations on financial institutions
       - Safeguards Rule requires institutions to have a security plan to protect the confidentiality and integrity of personal consumer information
  6. Federal Data Security Enforcement
     • FTC is authorized to regulate unfair or deceptive acts or practices in or affecting commerce
     • FTC exercises this power with respect to data security in 2 ways:
       - Unfair → inadequate data privacy and security
       - Deceptive → misrepresentations with respect to these practices
     • FTC cannot impose fines under the FTC Act, but can (and does) impose rigorous data security requirements
  7. Exemplary Federal Enforcement Actions
     • BJ’s Wholesale Club, Inc.
       - Hackers exploited a network security weakness to steal credit card data
       - BJ’s must implement a comprehensive information security program with administrative, technical, and physical safeguards
       - Must obtain an independent program audit every other year for 20 years
     • Eli Lilly
       - E-mail addresses of Prozac users inadvertently sent in the “To” line
       - Settled FTC investigation by agreeing to implement a 4-stage program designed to protect sensitive personal information
       - Paid fine to state AGs and agreed to improve data security standards
  8. Exemplary Federal Enforcement Actions (cont’d)
     • CVS Caremark Corp.
       - Sensitive information found in insecure trash containers outside stores
       - FTC and HHS each entered into separate agreements to resolve issues related to violations of the FTC Act and HIPAA
       - Must implement a detailed data security program + standard audits
       - $2.25M penalty paid to HHS
     • ChoicePoint
       - Personal information sold to an alleged crime ring without proper authorization
       - FTC alleged violations of the Fair Credit Reporting Act
       - Must implement a detailed data security program + standard audits
       - Paid $10M civil penalty to FTC + $5M consumer redress
  9. Other Potentially Applicable Legal Regimes
     • California Online Privacy Protection Act
     • State security breach notification obligations
     • State data security regulations
       - Massachusetts
       - Nevada
       - Other
     • Federal and state e-mail & telephone marketing regulations
  10. California Online Privacy Protection Act
     • Cal. Bus. & Prof. Code § 22575
     • Any person that collects “personally identifiable information” from California residents online must post an online privacy policy
       - NOT dependent upon the location of the person collecting PII
     • Policy must disclose what types of PII are collected online and how PII may be disclosed
     • Must be posted “conspicuously”
  11. What is “personal information?”
     • Most legal regimes in the United States apply to certain forms of “personal information” or “personally identifiable information”
     • Definition of PII often varies depending on the objective of the statute and the jurisdiction
     • One common definition encompasses first name or first initial and last name in combination with one or more of the following:
       - a Social Security number
       - driver’s license number or government-issued ID number
       - account number, and/or credit or debit card information including numbers and passwords, PINs and access codes
  12. State Security Breach Notice Requirements
     • 45 states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands require that you provide notice to individuals when the security of their unencrypted PII is compromised
     • Some states include broader definitions of PII
     • Notice requirements vary by jurisdiction
       - Heightened thresholds to trigger notice obligation
       - Content of notices
       - Notice to state regulatory bodies
  13. Anatomy Lesson: What Does a Breach Look Like?
     • Network hacking
     • Peer-to-peer software
     • Lost or stolen laptops
     • Breaches in physical security
     • Spyware, phishing and pretexting
     • Botched software updates/upgrades
     • Insecure media disposal
     • Human error
     • Hacked card-swiping devices
     • Rogue or disgruntled employees
     • Security vulnerabilities on mobile devices
     • Lost or stolen media
     • Misdirected mail and faxes
     • Insecure wireless networks
     • And more . . .
  14. State Data Security Regulations
     • Some states require businesses to use “reasonable procedures and practices” to protect PII
     • Some states impose obligations to properly dispose of records containing PII
       - Required or recommended disposal methods include shredding, erasing, or otherwise rendering unreadable
       - Businesses may “outsource” disposal, but generally must monitor for compliance
     • Massachusetts and Nevada are leading the charge by requiring businesses to take specific, affirmative steps to protect PII
  15. Massachusetts Data Security Regulations
     • 201 C.M.R. § 17.00 enacted in September 2008
     • Regulations harshly criticized by the business community and others as unworkable and unduly burdensome
     • Revised twice and compliance deadlines extended
     • Any person that owns or licenses personal information about a Massachusetts resident must comply by March 1, 2010
  16. Massachusetts Data Security Regulations
     • Must develop, implement and maintain a comprehensive, written information security program that includes administrative, technical, and physical safeguards
     • Flexible → program may be tailored to the organization
       - Size, scope and type of business
       - Available resources
       - Amount of stored data
       - Security / confidentiality needs for consumer and employee data
  17. 201 C.M.R. § 17.00: Specific Requirements
     • Massachusetts data security regulations are flexible, but written information security programs must include certain components:
       - Designating one or more “responsible” employees
       - Identifying and assessing reasonably foreseeable risks
       - Security policies for employees regarding handling PII
       - Disciplinary measures for program violations
       - Access restrictions
       - Service-provider oversight
       - Program monitoring and updating to ensure continued effectiveness
       - Documenting breach response
  18. 201 C.M.R. § 17.00: Specific Requirements (cont’d)
     • Massachusetts regulations require persons that own or license PII to implement computer system security measures:
       - Secure user authentication protocols
       - Access restrictions (e.g., need-to-know access)
       - Encryption (in transit and stored on portable devices)
       - “Reasonable” monitoring of systems for unauthorized access
       - Up-to-date firewalls, patches, antivirus software
       - Employee training on proper use of systems and the importance of PII security
     • CAVEAT: computer system security measures must be implemented “to the extent technically feasible”
  19. 201 C.M.R. § 17.04: Encryption
     • “Encrypted” means “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key”
       - OCABR abandoned the requirement for a specific encryption technology
     • Records and files that contain PII which are transmitted wirelessly and/or across public networks must be encrypted
     • PII stored on laptops or other portable devices must be encrypted
  20. Nev. Rev. Stat. § 603A: Encryption
     • Nev. Rev. Stat. § 597.970 prohibits electronic transmission of PII outside a secure system (other than a fax) unless encrypted
     • S.B. 227 amends § 597.970 to require encryption of all PII leaving the “logical or physical controls of the data collector,” including electronic data on a “data storage device”
       - Data storage device = computers, cell phones, magnetic tape, computer drives, and the medium itself
     • S.B. 227 requires use of encryption technology that has been adopted by an established standards-setting body and proper management and safeguards of cryptographic keys
  21. Nev. Rev. Stat. § 603A: Encryption (cont’d)
     • Safe harbor → data collector not liable for a breach if compliant with the encryption law and no gross negligence or intentional misconduct
     • Some questions remain
       - Who can enforce?
       - Is there a private right of action?
       - What does it mean to be “doing business in this State”?
  22. Federal and State Marketing Regulations
     • CAN-SPAM Act
       - E-mail communications
     • Telemarketing regulations
       - Telephone solicitations
     • Behavioral Targeting Guidelines
  23. Advisor Exposure Points
     • Customer Relationship Management (“CRM”) databases
       - Strong access restrictions
       - Minimize collection and storage of sensitive PII
       - Train employees on proper access and use
     • Portable electronic devices
       - Encrypt devices that store PII
       - Implement physical security policies
     • Hard-copy documents
       - Some breach notification laws apply
       - Disposal rules may apply
  24. Advisor Exposure Points (cont’d)
     • Client communications
       - What types of PII should be included in transmissions (e.g., redact PII in performance reports)
       - Compliance with federal and state marketing restrictions
     • Externally-facing policies on privacy and data security
       - Do you have a policy?
       - Do you know what it says?
       - Does your policy accurately reflect your practices?
  25. Recommendations: 6 Simple Steps
     • Step 1: Take ownership → avoid a tragedy of the commons
     • Step 2: Identify what you have → ask the questions!
     • Step 3: Identify the appropriate level(s) of security
     • Step 4: Document your program
     • Step 5: Communicate your program to affected individuals
     • Step 6: Manage your program → provide oversight, update
  26. Thank You!
     Brendon M. Tavelli
     202.416.6896