
Privacy and Data Security: Risk Management and Avoidance



Published in: Technology, Business


  1. Privacy and Data Security: Risk Management and Avoidance (© 2013 Fox Rothschild)
  2. Topics For Discussion
     • What is a “data security breach”?
     • Why do you need a response plan?
     • Responding to a data security breach
     • State statutory requirements
     • Regulatory update
     • Regulatory enforcement actions and litigation
  3. 2012 Statistics
     • According to Verizon’s 2013 Data Breach Investigations Report, in 2012 there were 621 confirmed data breaches and 47,000 reported security incidents.
       – 92% perpetrated by outsiders.
       – 76% caused by exploiting weak or stolen passwords.
  4. 2012 Statistics
     • The FTC instituted 109 consumer protection enforcement actions.
       – Up from 83 enforcement actions in 2011.
     • The FTC ordered civil penalties totaling $63.6 million.
       – Up from $9.75 million in 2011.
     • Identity theft represents the largest category of consumer complaint received by the FTC (approximately 18%).
  5. Cost Of A Data Security Breach
     • In 2011, data breaches cost organizations an average of $5.5 million.
       – $222 per record
       – Includes direct costs (communications, investigations, legal) and indirect costs (lost business, public relations)
       – Compare to the costs of having preventative measures in place (e.g., policies related to passwords, firewalls, mobile devices), training employees and encrypting sensitive information
  6. Types of Data Security Breaches
     • Devices are lost or stolen
     • Insider or employee misuse
     • Unintended disclosure
     • Security patches are not installed
     • Malware
     • Hacking
  7. What Is The Objective? Fill In The Gap
     • Protection
     • Compliance
     • Audits
     • Criminal prosecution
     • Civil liability
     How to Manage the Data Security Breach
  8. Why Do You Need A Response Plan?
     • Thoughtful and prepared reaction
     • Better decision making
     • Minimized risk and loss
  9. Collect Relevant Information
     • Data location lists
     • Confidentiality agreements
     • Customer contracts
     • Third-party vendor contracts
     • Privacy policy
     • Information security policy
     • Ethics policy
     • Litigation hold template
     • Contact list
  10. Create A First Response Team
     • Information technology (computer & technology resources)
     • Information security (physical security & access)
     • Human resources (private employee information: health & medical, payroll, tax, retirement)
  11. Create A First Response Team (cont’d)
     • Legal counsel (in-house and/or outside counsel)
     • Compliance
     • Business heads (consumer information)
     • Public relations/investor relations
  12. Assign Tasks To Members Of The First Response Team
     • Establish a point person
     • Identify key personnel for each task
     • Prioritize and assign tasks
     • Calculate timelines and set deadlines
     • Communicate with management
     • Establish attorney-client privilege for investigation and communications
     Project Management Is Critical
  13. Determine The Nature And Scope Of The Breach
     • Investigate facts
     • Interview witnesses
     • Determine type of information that may have been compromised
     • Identify and assess potential kinds of liability
     • Identify individuals potentially at risk and determine state or country of residence
     Preserve Company’s Assets, Reputation and Integrity
  14. Understand Data Breach Notice Laws
     • State laws:
       – What constitutes personal information?
       – When is a notice required?
       – Who must be notified? (e.g., State Attorney General)
       – Timing?
       – What information must be included in the notice?
       – Method of delivering notice?
       – Other state-specific requirements?
     • Applicable industry-specific laws
     • Applicable international laws
  15. Determine Appropriate Notices
     • Consumers
     • Employees
     • Law enforcement (Federal/State)
     • Federal regulatory agencies
     • State agencies (State Attorney General)
     • Consumer reporting agencies
     • Business partners
     • Insurers
     • Media
  16. Data Security Breach Notification
     • Alabama, Kentucky, New Mexico and South Dakota are the only states that do not have a data security breach notification statute.
     • The California statute served as a model for later state statutes.
       – State involvement began in California, after a series of breaches received national attention.
       – Passed in 2002, went into effect in mid-2003.
  17. Data Security Breach Notification
     • “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” See Cal. Civ. Code § 1798.29.
  18. Data Security Breach Notification
     • “Personal information”
       – First name or initial and last name with one or more of the following (when either the name or the data element is not encrypted):
         • Social security number;
         • Driver’s license number;
         • Credit card or debit card number; or
         • Financial account number with information such as PINs, passwords or authorization codes.
  19. Data Security Breach Notification
     • Some states have expanded the definition of “personal information” to include:
       – Medical information or health insurance information (California);
       – Biometric data (Indiana);
       – Mother’s maiden name, birth/death/marriage certificate and electronic signature (North Dakota).
  20. Data Security Breach Notification
     • Last month, the California Senate passed S.B. 46 to expand the definition of “personal information” to include:
       – “a username or email address, in combination with a password or security question and answer that would permit access to an online account.”
       – S.B. 46 is now before the Assembly.
  21. Data Security Breach Notification
     • “Breach of the security of the system”
       – Some states expressly require notice of unauthorized access to non-computerized data
         • New York: “lost or stolen computer or other device containing information” or “information has been downloaded or copied”
         • Hawaii and North Carolina: data includes “personal information in any form (whether computerized, paper, or otherwise)”
  22. Data Security Breach Notification
     • Generally, only a “reasonable” belief that the information has been acquired by an unauthorized person is needed to trigger notification requirements.
       – Certain states require risk or harm
         • Arkansas: no notice if “no reasonable likelihood of harm to customers”
         • Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft”
  23. Data Security Breach Notification
     • Distinguish between the entity that “owns or licenses” data and the entity that “maintains” data
       – Data owner has ultimate responsibility to notify consumers of a breach
       – Non-owners are required to notify owners
  24. Florida Breach Notification Statute, F.S.A. §817.5681
     • Applies to “any person who conducts business in this state and maintains computerized data in a system that includes personal information.”
     • Requires business to “provide notice of any breach of the security of the system . . . to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
  25. Florida Breach Notification Statute, F.S.A. §817.5681
     • Requires notification to consumers “without unreasonable delay” and “no later than 45 days following the determination of the breach.”
       – Permits an “administrative fine” not to exceed $500,000 for failing to comply with this section.
     • Allows delay in notification “upon a reasonable request by law enforcement”.
  26. Florida Breach Notification Statute, F.S.A. §817.5681
     • “Breach of the security of the system” means an “unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information.”
  27. Florida Breach Notification Statute, F.S.A. §817.5681
     • “Personal information” means “an individual’s first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted:
       – Social security number;
       – Driver’s license number or Florida Identification Card number;
       – Account number, credit card number, or debit card number in combination with any security code, access code or password.”
  28. Florida Breach Notification Statute, F.S.A. §817.5681
     • Does not require notification if “after an appropriate investigation or after consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach has not and will not likely result in harm.”
       – Determination must be documented in writing and maintained for 5 years.
  29. Prepare State Law Notices
     • General description of the incident
     • Type of information that may have been compromised
     • Steps to protect information from further unauthorized access
     • Contact information (e.g., email address; 1-800 number)
     • Advice to affected individuals (e.g., credit reporting, review account activity)
  30. Prepare State Law Notices
     • Delivery method (e.g., certified letters, e-mail, website)
     • Timing of notices
     • Tailor notices based on recipient
     • Use a single fact description for all notices
  31. Prepare Answers To Inquiries
     • Draft FAQs with responses
     • Establish a hotline
     • Assign a group of contact employees
     • Train employees to respond to inquiries
     • Develop a clear escalation path for difficult questions
     • Track questions and answers
  32. Prepare Press Release
     • Include the following information:
       – Facts surrounding the incident
       – Actions to prevent further unauthorized access
       – Steps to prevent future data security breaches
       – Contact information for questions
     • Review by legal counsel
  33. Consider Offering Assistance To Affected Individuals
     • Free credit reporting
     • Free credit monitoring with alerts
     • ID theft insurance
     • Access to fraud resolution specialists
     • Toll-free hotline
  34. Regulatory Update: The FTC And Mobile Applications
     • In February 2013, the FTC issued a Staff Report titled “Mobile Privacy Disclosures: Building Trust Through Transparency.”
     • The Staff Report recommends ways that key players in the mobile marketplace can better inform consumers about their data practices.
  35. Regulatory Update: The FTC And Mobile Applications
     • The recommendations are intended to ensure that consumers get timely and easy-to-understand disclosures about what data these players collect and how the data is used.
     • The Report makes specific recommendations to:
       – Mobile platform developers;
       – Application developers;
       – Advertising networks and analytics companies; and
       – Application developer trade associations.
  36. Regulatory Update: California’s Right To Know Act
     • Assembly Bill 1291
     • Would require businesses that collect consumer information to provide customers with the names and addresses of all data brokers, advertisers and others who were granted access to the information, as well as details regarding the data that was disclosed.
     • Businesses would have 30 days to answer a request for the information.
  37. Regulatory Update: California’s Right To Know Act
     • Applies to businesses who “retain” personal data or disclose the information to a third party.
     • Defines “retain” to mean “store or otherwise hold personal information,” whether the information is collected or obtained directly from the consumer or from any third party.
  38. Regulatory Update: California’s Right To Know Act
     • Faced opposition by companies such as Google and Facebook.
     • Assemblywoman Bonnie Lowenthal delayed action on the bill by turning it into a two-year bill.
     • Lowenthal plans to spend the remainder of the year educating her colleagues about the importance of the proposed legislation.
     • The Assembly will consider AB 1291 again in 2014.
  39. Regulatory Update: California And Mobile Applications
     • In 2012, the California Attorney General entered into an agreement with 6 companies whose platforms comprise the majority of the mobile apps market (i.e., Amazon, Apple, Google, Hewlett-Packard, Microsoft and RIM).
     • The agreement is designed to ensure that mobile apps comply with the California Online Privacy Protection Act (CalOPPA).
  40. Regulatory Update: California And Mobile Applications
     • CalOPPA requires operators of commercial websites and online services, including mobile apps, who collect personal information about California residents to conspicuously post a privacy policy.
     • In October 2012, the California Attorney General issued 100 enforcement letters to companies like Delta Airlines who operate mobile apps.
     • In December 2012, the California Attorney General filed its first mobile app enforcement lawsuit against Delta based upon an alleged lack of privacy disclosures in its app.
  41. Regulatory Update: California And Mobile Applications
     • On January 10, 2013, the California Attorney General issued a report titled “Privacy On the Go: Recommendations for the Mobile Ecosystem.”
     • The Report announced suggested changes in how companies address consumer privacy in their mobile applications.
  42. Regulatory Update: California And Mobile Applications
     • Examples of the recommendations in the California Attorney General’s Report:
       – Personal information is not limited to name and email address.
       – Maintain a list of what information the app will collect, as well as how it will be used and stored.
       – Only collect personal information necessary to an app’s functionality.
       – Privacy policies must be “readable.”
       – Companies should not rely upon their general privacy policy.
  43. Enforcement Actions
     • Federal Trade Commission – Section 5 of FTC Act
       – Enforce privacy policies and challenge data security practices deemed “deceptive” or “unfair.”
     • State Attorney General – State Notification Statutes
       – Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
       – Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages.”
     • Litigation in federal and state courts.
  44. Federal Trade Commission
     • In June 2012, the FTC instituted litigation in federal court against Wyndham Worldwide Corporation.
     • In its complaint, the FTC alleges that, beginning in April 2008 and through January 2010, cybercriminals hacked into Wyndham’s computer network and the networks of certain Wyndham hotels, exposing credit card information of hotel guests.
  45. Federal Trade Commission
     • The FTC alleges that hackers compromised administrator accounts and installed memory-scraping malware to access credit card information.
     • The FTC contends that hackers compromised over 619,000 credit card account numbers and that the incidents caused more than $10.6 million in fraud losses.
  46. Federal Trade Commission
     • Under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices,” the FTC alleges that:
       – Wyndham’s data security protections amounted to “unfair” trade practices because they were not “reasonable and appropriate”; and
       – Wyndham “deceived” consumers by stating on its website that it used “commercially reasonable efforts” to secure the credit card information that it collects from consumers.
  47. Federal Trade Commission
     • In an unprecedented move, Wyndham refused to settle this dispute and filed a motion to dismiss the complaint.
       – Wyndham argues that the FTC is overreaching its authority because “Section 5’s prohibition on ‘unfair’ trade practices does not give the FTC authority to prescribe data-security standards for all private businesses.”
       – Wyndham argues that, because Congress has not yet passed data security legislation, the FTC has authority to regulate data security only in limited contexts (e.g., Gramm-Leach-Bliley Act).
  48. Federal Trade Commission
       – Wyndham further argues that Section 5 of the FTC Act “provides no meaningful notice to regulated parties” because it does not contain any guidance about what practices might be deemed “unfair” or “deceptive.” Similarly, the FTC has not published any rules or regulations “explaining what data security practices a company must adopt to be in compliance with the statute.”
       – As such, “businesses are left to guess as to what they must do to comply with the law.”
       – This case is pending in the United States District Court for the District of New Jersey (Civil Action No. 13-01887).
  49. Federal Trade Commission
     • This is the first litigated case challenging the FTC’s authority under Section 5 of the FTC Act related to data security.
     • Generally, FTC enforcement actions result in a settlement.
       – FTC provides a defendant with a proposed draft complaint.
       – FTC “negotiates” the terms of a consent order.
  50. State Attorney General
     • Last month, the Connecticut and Maryland Attorneys General questioned LivingSocial Inc. about the specifics of a recent data breach that exposed the personal information of approximately 50 million users.
     • The Connecticut and Maryland Attorneys General issued to LivingSocial 15 written questions regarding the scope of the breach, as well as its privacy and security policies.
  51. State Attorney General
     • Examples of questions posed by the Attorneys General include:
       – Detailed timeline of the incident
       – Number of affected individuals in each state
       – Types of personal information compromised
       – Steps taken to determine that no financial or credit card information was compromised
       – Steps taken to protect user passwords
       – How the company collects user data and how long it retains such data
       – Copies of any privacy policies
       – Plans developed to prevent another breach
  52. State Attorney General
     • Both Connecticut and Maryland have statutes that require a company to report a data security breach to the Attorney General, as well as to individual consumers.
     • Questions posed by these Attorneys General provide guidance on issues companies should consider in responding to a data security breach.
  53. Litigation: Typical Claims By Plaintiffs
     • Plaintiffs (consumers or employees) typically allege the following causes of action:
       – Common law claims of negligence, breach of contract, breach of implied covenant or breach of fiduciary duty.
       – Claims for violations of state consumer protection statutes – deceptive/unfair trade practices acts.
     • Historically, courts have dismissed these cases based upon lack of standing.
  54. Litigation: Plaintiffs Lack Standing
     • In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
       – Plaintiffs filed a complaint against LinkedIn in connection with a data breach incident in which approximately 6.5 million users’ passwords and email addresses were stolen and posted on the Internet.
       – Plaintiffs argued that they had standing to sue because they suffered economic harm by not receiving the full benefit of the bargain they paid for with premium memberships.
       – The Court granted LinkedIn’s motion to dismiss the complaint.
  55. Litigation: Plaintiffs Lack Standing
     • In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
       – The Court held that, “[t]o satisfy Article III standing, plaintiff must allege:
         • (1) an injury-in-fact that is concrete and particularized, as well as actual and imminent;
         • (2) that injury is fairly traceable to the challenged action of the defendant; and
         • (3) that it is likely (not merely speculative) that injury will be redressed by a favorable decision.”
  56. Litigation: Plaintiffs Lack Standing
     • In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
       – Plaintiffs failed to allege that “included in Plaintiffs’ bargain for premium membership was the promise of a particular (or greater) level of scrutiny that was not part of the free membership.”
       – Plaintiffs did not allege that they relied upon (or even read) LinkedIn’s representations regarding safeguarding personal information.
       – Plaintiffs’ allegation that their LinkedIn passwords were “publicly posted on the Internet” does not amount to a “legally cognizable injury, such as, for example, identity theft or theft of her personally identifiable information.”
  57. Litigation: Plaintiffs Have Standing
     • Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009) (increased risk of identity theft constituted sufficient “injury in fact” for purposes of standing).
     • Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (“a credible threat of real and immediate harm stemming from theft of a laptop containing unencrypted personal information” sufficient to demonstrate standing).
  58. Litigation: Plaintiffs Cannot Allege Damages
     • Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).
       – “[O]ur holding that Plaintiffs-Appellants pled an injury-in-fact for purposes of Article III standing does not establish that they adequately pled damages for purposes of their state-law claims.”
       – “[A]ctual loss or damage is an essential element in the formulation of the traditional elements necessary for a cause of action in negligence.”
       – Court dismissed the case because Plaintiffs alleged “no loss.”
  59. Litigation: Plaintiffs Cannot Allege Damages
     • In re: Sony Gaming Networks and Customer Data Security Breach Litig., MDL No. 2258 (S.D. Cal. 2011):
       – Hackers accessed the personal information of millions of Sony’s customers.
       – Plaintiffs did not allege any identity theft or unauthorized use of personal information “causing a pecuniary loss.”
       – The Court granted Sony’s motion to dismiss and found that, “without specific factual statements that Plaintiffs’ Personal Information has been misused, in the form of an open bank account, or un-reimbursed charges, the mere danger of future harm unaccompanied by present damage, will not support a negligence action.”
  60. Litigation: Plaintiffs Cannot Allege Damages
     • Holmes v. Countrywide Fin. Corp., No. 08-0205, 2012 U.S. Dist. LEXIS 96587 (W.D. Ky. 2012) (court dismissed case where “scant evidence exists demonstrating that [the thieves] misused the customers’ information or engaged in any kind of financial fraud”).
     • Worix v. MedAssets, Inc., 857 F. Supp. 2d 699 (N.D. Ill. 2012) (court dismissed negligence claim because plaintiff did not allege that his personal information was “misused”).
  61. Litigation: Plaintiffs Allege Damages
     • Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011):
       – Hackers stole 4.2 million credit and debit card numbers, and security codes.
       – Defendant acknowledged that more than 1,800 incidents of identity theft resulted from the breach.
       – Many victims had to pay to cancel their cards or purchase credit monitoring services. Others incurred unauthorized charges.
       – Court denied motion to dismiss.
  62. Litigation: Plaintiffs Allege Damages
     • Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012):
       – Thieves stole 2 laptops containing names, addresses, phone numbers and social security numbers of 1.2 million AvMed customers.
       – Ten months after the incident, a bank account was opened and a credit card issued in the name of one of the AvMed customers.
       – Four months later, an E*Trade account was opened in the name of another AvMed customer.
       – Unauthorized purchases were made from both accounts.
       – Court denied motion to dismiss because plaintiffs alleged “financial injury.”
  63. Avoid Future Data Security Breaches
     • Understand what types of personal information are collected, how, where and for how long the information is stored, and who has access to it.
     • Collect only the personal information necessary to conduct business.
     • Retain personal information for the shortest time necessary to conduct business.
     • Limit access to personal information.
     • Encrypt data.
  64. Avoid Future Data Security Breaches
     • Establish internal policies to protect personal information.
       – e.g., robust passwords, usage policies for laptops and mobile phones, secure disposal policies.
     • Comply with promises made to consumers or employees regarding privacy and security of personal information.
       – Disclosures about collection, maintenance, use and dissemination of personal information must be accurate and complete.
  65. Avoid Future Data Security Breaches
     • Train employees.
     • Conduct periodic audits.
     • Update and revise policies and procedures regularly.
     • Enhance technology to strengthen security and reduce risk.
       – e.g., strong firewalls, scans for vulnerabilities, up-to-date anti-virus software.
     • Use care when engaging third-party vendors and hold them to high standards.
  66. Amy Purcell, Esq.
     215.299.2798
     apurcell@foxrothschild.com