Pubcon Privacy Legal Presentation by David Mink

Learn from David Mink's presentation at Pubcon 2009 about privacy issues.

  1. Privacy Law Developments
     Handling the sensitive personal information of others. A high stakes venture.

  2. Hypothetical
     Your office is broken into and several company files and company computers are stolen… Sensitive personal information (“SPI”) of your customers is included in these files/computers…

  3. Bummer… Legal Problems
     • Over 40 states now have security breach notification statutes.
     • Many states have statutes which impose general obligations to maintain “reasonable” security procedures and practices to protect the personal information of state residents from unauthorized access or use.
     • Three states have taken data security statutes a step further, mandating that companies take specific actions, including encryption, to prevent security breaches (Massachusetts, Nevada, and Connecticut).
     • Two other states have legislation pending which will require encryption of personal information (Michigan and Wisconsin).

  4. Nevada
     1. The current law was enacted on October 1, 2008 and requires that “a business in this state” must encrypt personal information of a customer prior to transmission. On January 1, 2010 the law will be expanded to also require encryption when data storage devices containing SPI are moved beyond the physical controls of the business.
     2. The law does not define “business in this state”, nor does it define “customer” or “personal information”, so we do not know whether these definitions are limited to Nevada residents. Therefore, the law appears very broad on its face.
     3. Encryption is defined broadly as “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to: A. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound; B. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or C. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.”

  5. Connecticut
     1. The Connecticut statute was adopted on Oct. 1, 2008 and reads: “Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.”
     2. The law appears to cover both 1) Connecticut businesses storing personal information about other states’ residents, as well as 2) businesses located in other states storing personal information of Connecticut residents.
     3. The Connecticut law requires safeguarding when a company electronically transfers information and erasure or destruction when disposing of information.
     4. In addition, the Connecticut law requires companies to “create a privacy protection policy which shall be published or publicly displayed.”

  6. Massachusetts
     • The law goes into effect January 1, 2010. Compliance is required by March 1, 2010.
     • Massachusetts requires encryption* of all sensitive personal information (“SPI”)* of a Massachusetts resident that is stored on portable devices or transmitted electronically.
     • Any business that owns, licenses, stores or maintains SPI about a Massachusetts resident must implement a comprehensive information security program (12 specific procedural elements and 8 specific technical elements).
     • You must also take reasonable steps to ensure and verify that all third party service providers with access to your customer or employee SPI have the ability to protect that information.
     • * SPI is defined as a person’s first and last name, or first initial and last name, plus 1) social security number, 2) driver’s license number, 3) credit card number, or 4) other financial account number.
     • * Encryption is defined as the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key.

  7. Risks of non-compliance
     1. In Massachusetts, violations carry a civil penalty of not more than $5,000.00. Additionally, the Attorney General may bring an enforcement action under the statute, permitting injunctive relief and attorney's fees. Private civil lawsuits are available to Massachusetts consumers seeking damages under the protection statute.
     2. Nevada does not specify the penalties under the statute.
     3. Connecticut law mandates a civil penalty of $500.00 for each violation, up to a maximum penalty of $500,000.00.

  8. Real Risk is the Damage to Brand Image
     What is the value of your brand’s image? “It takes many good deeds to build a good reputation, and only one bad one to lose it.” -Benjamin Franklin

  9. Security Breach = Brand Damage
     In today’s world, handling people’s sensitive personal information can be a high stakes venture.

  10. Best Privacy Practices
     1. Review the SPI of the individuals from whom you are collecting information, and the residencies of those individuals.
     2. Is it necessary to both collect and store the SPI? Or to electronically transfer the information?
     3. If so, where do you store the SPI? Do you send the SPI to any third parties?
     4. Review your Privacy Policy to make sure it is consistent with your business practice of collecting and storing data.
     5. Take inventory of how the data is protected. Should it be encrypted?
     6. Do you have a “comprehensive information security plan”? How about third parties with access to the SPI?

  11. David Mink
     Dream Systems Media, Owner/Counsel
     http://www.dreamsystemsmedia.com
     @dmmink on Twitter
