Privacy Law Update: Strategies for Handling Personal Information
Sponsored by Financial Directions, Inc.

February 21, 2012
Randy Whitmeyer
Whitmeyer Tuffin PLLC
www.whit-law.com
The Backdrop: Mobile technology and the Internet
•   Organizations store more and more information in electronic
    form and are increasingly reliant on the Internet for accessing
    data and systems

•   Many employees have smartphones that are constantly
    connected to the Internet

•   Information sharing through Facebook, Twitter, and other
    social networks is ubiquitous

•   Active and growing “hacker” industry
The result: (1) expanding laws and regulations relating to the use and
handling of private information, and (2) increased government enforcement
activities and class actions by plaintiffs’ attorneys

The challenge for businesses: handle personal information in a way that is
compliant with rules and regulations and limit your risk
Specific Topics
•   Legal obligations on use of personal information
    •   NC statutes relating to treatment of personal information
    •   Massachusetts Information Security law and other state laws
    •   Federal privacy/security update, including HIPAA and Hi-Tech
        (treatment of medical records)
•   Employers’ use of and access to employees’
    communications/computer systems, and social network use
•   Elements of effective information security/privacy policies
    and social media policies
•   Other proactive steps to manage information privacy and
    security risks – contracting and insurance
NC Identity Theft Protection Act of 2005

•   Similar to the acts adopted in almost all states, beginning with
    California in 2003 (California law updated as of 1/1/2012 to
    require more specific disclosures relating to security breaches)

•   Violations of the statute are generally considered an unfair or
    deceptive act or practice
Sect. 75-65: Protection from Security Breaches
•   Security breaches affecting personal information of NC
    residents must be reported to affected individuals

•   Security breach must involve either “illegal use” (or a
    reasonable likelihood thereof) or a material risk of harm

•   If records are encrypted, only need to provide notice if the
    associated key or confidential process is also breached

•   If the breach does not involve data which you own or license
    (i.e., you are a contractor), then you notify the owner or
    licensee, not the affected individual
Sect. 75-65: Protection from Security Breaches (continued)
•   Notice must be made without unreasonable delay, taking into
    account law enforcement needs, verification of contact
    information and scope of breach, and need to restore
    security
•   Notice must be clear and conspicuous, and provide a
    description of:
    •   The incident
    •   Type of personal information affected
    •   Remedial actions of the business
    •   Telephone number to get further information
    •   Advice to monitor account statements and free credit reports
Sect. 75-65: Protection from Security Breaches (continued)

•   Notice may be in writing or by e-mail (if the individual has
    consented)

•   If the cost of notice is > $250,000, and in certain other
    situations, general notice may be given publicly

•   If the case involves more than 1,000 persons, the NC attorney
    general’s office must also be notified
Section 75-62: SSN Protection

•   A business may not:

    •   Intentionally communicate a person’s Social Security
        number to the public

    •   Intentionally place an SSN on a card required to access
        products or services

    •   Require an SSN to be transmitted over the Internet, unless
        encrypted
Section 75-62: SSN Protection

•   A business may not:

    •   Require an individual to use SSN to access an internet web
        site, unless a password or PIN is also required

    •   Print an individual’s SSN on any materials mailed to the
        individual, unless otherwise required by law

    •   Sell or disclose an SSN to a third party if it is known or
        should be known that the third party lacks a legitimate
        purpose
Section 75-62: SSN Protection
•   The exceptions: restrictions do not apply to:

    •   Redacted SSN

    •   When required by law

    •   To the government

    •   To the opening of an account or payment for a product or
        services authorized by the individual

    •   To the collection, use, or release of an SSN for internal
        verification or administrative purposes
Section 75-62: SSN Protection
•   The Exceptions, continued:
    •   When an SSN is included in an application or in documents
        related to an enrollment process, or to establish, amend or
        terminate an account, contract or policy, or to confirm the
        accuracy of the SSN for the purpose of obtaining a credit
        report (with limits on mailing)

    •   To investigate or prevent fraud, conduct background
        checks, conduct certain research, collect a debt, obtain a
        credit report, for a permissible Gramm-Leach-Bliley
        purpose, or locate a missing individual, lost relative, or one
        due a benefit
Section 75-63: Security Freeze

•   The ITPA of 2005 added a “consumer right” to put a security
    freeze on consumer credit reports

•   The security freeze may be temporarily lifted by the
    consumer

•   If a consumer security freeze is in place, the consumer
    reporting agency may not change the consumer’s name,
    date of birth, SSN, or address without sending a written
    confirmation within 30 days of the change

•   Consumer reporting agencies are required to give NC
    residents specific notice of their rights under this provision
Section 75-64: Destruction of Personal Information Records
•   NC businesses MUST:
    •   Implement and monitor compliance with policies and
        procedures that require the destruction of papers that
        include personal information
    •   Implement and monitor compliance with policies and
        procedures that require the destruction or erasure of
        electronic media that contain personal information
    •   Describe procedures relating to the destruction of personal
        records as official policy in the writings of the business
Section 75-64: Destruction of Personal Information Records (continued)
•   If a third-party records destruction company is used, one or
    more of these due diligence steps must be taken:
    •   Review an independent audit
    •   Obtain references from reliable sources and review
        certification from a reputable source
    •   Review and evaluate the disposal business’ information
        security policies or procedures

•   Disposal companies must take all reasonable measures to dispose
    of records containing personal information by implementing and
    monitoring compliance with information security policies and
    procedures
•   This section does not apply if the company is already covered by
    GLB, HIPAA, or Fair Credit Reporting Act
Other State Law Developments

•   At least 10 states have data security laws that generally require
    companies to use “reasonable security” to protect personal
    information

•   Connecticut and Delaware require employers to provide notice to
    employees before monitoring email communications or internet
    access

•   California and other states require prominent web site privacy
    policies
Massachusetts Data Security Act

• Implemented in 2010, requires organizations that handle
  information about Mass. residents to have a
  comprehensive written information security program
• Requires certain personal information to be encrypted
• Starting March 1, 2012, all contracts with vendors who
  handle information re: Mass. residents must require the
  vendors to also implement and maintain appropriate
  security measures
Federal Laws
• Generally “industry sector specific” – Gramm-Leach-Bliley
  (Financial); HIPAA (Healthcare); COPPA (Children’s information);
  FERPA (Education); Video Rentals Privacy Act
• Electronic Privacy and Communications Act of 1986 – before
  Internet and widespread e-mail usage in workplace
   • Limits access to stored and “in transit” electronic communications
   • Exceptions for access to employer-provided systems and when
     access is consented to.
• National Labor Relations Board has investigated numerous cases
  involving firings based on posts on social media networks.
   • Concern is that right to engage in “concerted” employee activity
     may be infringed
Federal Trade Commission
• FTC has broad authority to monitor compliance with federal privacy
  laws, including breach of a published privacy policy. Authority is
  based on its mandate to regulate and prevent unfair and deceptive
  trade practices.
• In 2011, FTC entered into enforcement proceedings against the
  major social networks (Twitter, Google, and Facebook).
• Have focused on need for consent prior to changing a privacy policy
• Concerns have increased from use and sale of personal information,
  to use of IP addresses, device identifiers, and other information not
  normally considered as personally identifiable.
Federal Legislative Proposals
• Momentum is growing for a federal cybersecurity bill
• Latest bi-partisan bill was introduced last week. The bill:
  • Establishes liability protections for sharing of information relating
    to information security threats
  • Clarifies that info system owners may undertake countermeasures
    to combat cybersecurity threats
  • Allows government to establish cybersecurity performance
    standards for certain critical infrastructure (finance, utilities, etc.)
• Other federal proposals seek to establish a national data breach
  reporting standard
HIPAA Privacy and Security Rule
• Privacy Rule generally effective April 2003; Security Rule generally
  effective April 2005. HIPAA rules are dense and lengthy.
• Enforcement of Privacy Rule generally friendly, but over 200
  referrals to Department of Justice for criminal investigation. Audits
  for several hundred entities announced in late 2011
• Covered Entities -- directly affected
   • Health care providers who engage in electronic Standard
     Transactions
   • Health Plans
   • Data Clearinghouses
• HI-TECH Act (2009) added direct obligations on service providers
  (“Business Associates”) who deal with protected health information
HIPAA Privacy Rule
•   Protected Health Information definition:
    •   All Individually Identifiable Health Information that is transmitted or
        maintained by a covered entity in any form, including paper and oral
        records and communications

•   PHI can be disclosed only if:
    •   Purpose is treatment, payment or business operations
    •   With Authorization (needed for, e.g., disclosures to employers;
        fundraising; marketing)
        •   Special authorization needed for psychotherapy notes
    •   Other specified purposes
•   Written authorization cannot be a condition for treatment or
    payment
HIPAA Privacy Rule

•   PHI can be disclosed if:
    •   Emergency or public health need
    •   Judicial and administrative proceedings
    •   To law enforcement in certain circumstances
    •   For research purposes, if written IRB or Privacy Board
        approval
    •   Where required by law
HIPAA Privacy Rule
•   Minimum Amount Necessary rule: CE’s must make reasonable
    efforts to limit scope of disclosures or requests to only what is needed.
    With exceptions for these Disclosures/Requests:
    •   To/By the Individual
    •   To/By Another Provider for Treatment
    •   Under an Authorization
    •   To DHHS for HIPAA Compliance
    •   To comply with Transaction Standards
    •   Otherwise required by law
•   De-identification Rule
    •   Long list of de-identification requirements
    •   Also “no reason to believe” that recipient can combine the information
        with other information to identify the individual
HIPAA Privacy Rule
•   Right to Receive Notice of Privacy Practices

•   Right to Access PHI

•   Right to Request Corrections in PHI

•   Right to Receive Disclosure Information

•   Right to Request Additional Restrictions
HIPAA Privacy Rule

•   Business Associate must have written contract with the
    following provisions:
    •   Must follow Privacy Regulations
    •   Use appropriate safeguards to prevent unauthorized disclosure
    •   Report any unauthorized disclosure
    •   Make PHI available in accordance with patient access rights
    •   Make books and records available to HHS
    •   Incorporate PHI updates received from patients
    •   Flow contract obligations to subcontractors
HIPAA Security Rule
•   Security Rule requires covered entities to adopt (for
    some requirements) and consider adoption of (for
    other requirements) a laundry list of administrative,
    technical, and physical safeguards for protecting
    patient information.

•   The rule generally adopts a technologically-neutral
    and flexible approach.

•   CE’s are required to adopt various security policies.
International Privacy Landscape
• Many countries have much broader protections for individual privacy
• EU Data Protection Directive provides comprehensive regulation for
  use of personal information. In January 2012, detailed revisions were
  proposed to make the law more uniform across the EU and to
  increase protections and possible penalties
   • US companies seeking to transfer personal information from EU to
     US must follow a safe harbor certification/filing approach or other
     rules to comply with EU regulations
• EU also has a Privacy and Electronic Communications Directive that
  regulates the use of cookies
• Note: under French and German data privacy laws, personal social
  networks cannot be searched for employment decisions
What can organizations do now to manage privacy/security risk?

•   Implement and maintain an Information Security program

•   Perform security audit

•   Perform due diligence and add privacy/security contract
    provisions for key vendors and other business partners

•   Consider cyber insurance
Information Security Program
•   Required by:
    • Records Disposal portion of North Carolina’s ITPA
    • HIPAA Security Rule
    • Massachusetts and other state laws


•   Extremely helpful for:
    •   Handling security breach and SSN portions of ITPA
    •   Dealing with FTC-Style enforcements
    •   Assuring compliance with required privacy notices (e.g. California requirement)
    •   Protecting intellectual property
    •   Satisfying officer and director fiduciary obligations
    •   Complying with contracts
    •   Increasing value of company to buyers
    •   Dealing with subpoenas and related requests for electronic information in
        discovery
Process for implementing an Info Security Program
•   Not just an IT issue, need input from management, legal,
    and risk advisors. Rapidly becoming a corporate
    governance issue.
•   Laws and regulations focus more on the process rather
    than specific results
•   Don’t just use a form policy from the internet, but tailor to
    the specific issues and risks faced by the organization
•   Perform an initial security review and gap analysis
•   Update on a regular basis, at least annually
Information Security Program
•   Written Policy
     • Purpose of Policy
     • Types/Levels of Confidential Information
     • Training
     • Sanctions
     • Privacy/Security Officer
•   Notification of no expectation of privacy in use of company
    assets
•   Publicity; Dealing with News Media
•   Incident Response Procedures
•   Physical Security Measures
Information Security Program
•   ID’s and Passwords
    •   Password Guidelines - Strong vs. Weak Passwords
    •   Mandatory Password Changes
•   Access Controls and Network Resources
    •   Firewalls
    •   Authentication
    •   Use of Networks
    •   Wireless Network Usage
    •   Remote Access Policy
•   Use of Encryption
•   Electronic Communications
•   Destruction of Computing Resources and Information
•   Virus Prevention and Detection
Information Security Program


•   Social Media Policy
•   Software Use and Licensing Policy
•   Mobile Computing Policy (laptops, PDAs, keydisks, etc.)
•   System Modification Procedures
•   Record Retention Schedules
•   Litigation and Subpoena Issues
•   Disaster Recovery
Summary of Key Security Measures

•   Adopt Defense in Depth – keep external computers in a
    “DMZ”
•   Manage passwords aggressively
•   Implement all operating system and security software
    patches
•   Train against social engineering
•   Audit controls, especially remote access points
Types of Contracts to Consider for Privacy Issues
•   Software and IT service vendors, including cloud computing
    • Software as a Service (Salesforce)
    • Infrastructure as a Service (Amazon EC2)
•   Marketing and distribution partners
    • Side note: Who owns the data?
•   Order fulfillment vendors
•   Records disposal vendor contracts
•   Any other contract where the other party will have rights to access,
    use or store your personally identifiable data
•   Consider standalone information security agreement
    • Rather than trying to figure out how to amend the other party’s
      form of service contract
Security and Privacy Contract Terms

•   Confidentiality
•   Obligation to maintain reasonable and effective physical,
    technical and administrative security measures
•   Compliance with all applicable data privacy and security
    laws
•   Third-Party security audits
•   Right to review detailed security/disaster recovery policies
Security and Privacy Contract Terms

•   Right to audit and test security
•   Notification in the case of breach
•   Indemnification for breaches/payment of costs of required
    notices to customers
•   Encryption
•   Restrictions on use of subcontractors and downstream
    sharing of information
•   Restrictions on where data can be stored
CyberInsurance
•   Review existing insurance for coverage of data breaches and
    electronic privacy issues, and consider adding cyberinsurance
    policies

•   Sony for example is in litigation with Zurich American Insurance re:
    coverage for recent security breaches

•   SEC has issued guidance requiring disclosure of material cyber
    attacks including a description of relevant insurance coverage

•   Look for (or add) coverage for lost business, notification costs, legal
    and investigation costs, and credit monitoring services
Cloud Computing v. Traditional I.T. Structures
[Graphic comparing cloud computing with traditional I.T. structures; graphic courtesy of Hosted Solutions]
Cloud Computing Services


•   Software as a Service (SaaS)

•   Platform as a Service (PaaS)

•   Infrastructure as a Service (IaaS)
Cloud Computing Contract Structures
• Typically service-based, not licensed
• OPEX, not CAPEX
• Often offered via “click and accept” agreements
• Sometimes incorporate by reference other terms
  of use and policies
• Sometimes purport to be changeable without
  notice by the vendor
Cloud Computing and Security


Advantages:
•   Data Dispersal
•   Data Fragmentation
•   “Tier 1” Data Centers
•   Multiple Customer Demands
•   Easier Patching and Updates

Disadvantages:
•   Lack of Transparency
•   Lack of Responsiveness
•   “Trading Market” of Subcontractors
•   Vendor Lock-In
•   Lack of Security Details
Key Takeaways
• Increased regulatory and legal scrutiny of personal
  information handling is unavoidable
• Companies (especially IT vendors and outsourcers) should
  review the laws applicable to their situation, and update
  security practices, policies and procedures as needed
• When dealing with cloud computing vendors and other
  business partners, perform appropriate due diligence and
  consider contract negotiations
• Review insurance policies and possibility for additional
  insurance
Any questions?

Randy Whitmeyer
Whitmeyer Tuffin PLLC
randy@whit-law.com
919-880-6880

Executive Briefing:  Strategic Issues Surrounding Cloud ServicesExecutive Briefing:  Strategic Issues Surrounding Cloud Services
Executive Briefing: Strategic Issues Surrounding Cloud ServicesWhitmeyerTuffin
 
Intellectual Property 101 for Entrepreneurs
Intellectual Property 101 for EntrepreneursIntellectual Property 101 for Entrepreneurs
Intellectual Property 101 for EntrepreneursWhitmeyerTuffin
 
Strategies and Structure to Get the Most out of the Deal
Strategies and Structure to Get the Most out of the DealStrategies and Structure to Get the Most out of the Deal
Strategies and Structure to Get the Most out of the DealWhitmeyerTuffin
 
Key Intellectual Property, Contract, and Information Technology Issues in an ...
Key Intellectual Property, Contract, and Information Technology Issues in an ...Key Intellectual Property, Contract, and Information Technology Issues in an ...
Key Intellectual Property, Contract, and Information Technology Issues in an ...WhitmeyerTuffin
 
M&A Trends, Valuation and Financial Preparation for an M&A Deal
M&A Trends, Valuation and Financial Preparation for an M&A DealM&A Trends, Valuation and Financial Preparation for an M&A Deal
M&A Trends, Valuation and Financial Preparation for an M&A DealWhitmeyerTuffin
 
NCHICA - Contracts with Healthcare Cloud Computing Vendors
NCHICA - Contracts with Healthcare Cloud Computing VendorsNCHICA - Contracts with Healthcare Cloud Computing Vendors
NCHICA - Contracts with Healthcare Cloud Computing VendorsWhitmeyerTuffin
 

More from WhitmeyerTuffin (7)

Managed Service Provider Contracts
Managed Service Provider ContractsManaged Service Provider Contracts
Managed Service Provider Contracts
 
Executive Briefing: Strategic Issues Surrounding Cloud Services
Executive Briefing:  Strategic Issues Surrounding Cloud ServicesExecutive Briefing:  Strategic Issues Surrounding Cloud Services
Executive Briefing: Strategic Issues Surrounding Cloud Services
 
Intellectual Property 101 for Entrepreneurs
Intellectual Property 101 for EntrepreneursIntellectual Property 101 for Entrepreneurs
Intellectual Property 101 for Entrepreneurs
 
Strategies and Structure to Get the Most out of the Deal
Strategies and Structure to Get the Most out of the DealStrategies and Structure to Get the Most out of the Deal
Strategies and Structure to Get the Most out of the Deal
 
Key Intellectual Property, Contract, and Information Technology Issues in an ...
Key Intellectual Property, Contract, and Information Technology Issues in an ...Key Intellectual Property, Contract, and Information Technology Issues in an ...
Key Intellectual Property, Contract, and Information Technology Issues in an ...
 
M&A Trends, Valuation and Financial Preparation for an M&A Deal
M&A Trends, Valuation and Financial Preparation for an M&A DealM&A Trends, Valuation and Financial Preparation for an M&A Deal
M&A Trends, Valuation and Financial Preparation for an M&A Deal
 
NCHICA - Contracts with Healthcare Cloud Computing Vendors
NCHICA - Contracts with Healthcare Cloud Computing VendorsNCHICA - Contracts with Healthcare Cloud Computing Vendors
NCHICA - Contracts with Healthcare Cloud Computing Vendors
 

Recently uploaded

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Recently uploaded (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

Privacy Law Strategies for Handling Personal Data

1. Privacy Law Update: Strategies for Handling Personal Information
Sponsored by Financial Directions, Inc.
February 21, 2012
Randy Whitmeyer
Whitmeyer Tuffin PLLC
www.whit-law.com

2. The Backdrop: Mobile technology and the Internet
•   Organizations store more and more information in electronic form and are increasingly reliant on the Internet for accessing data and systems
•   Many employees have smartphones that are constantly connected to the Internet
•   Information sharing through Facebook, Twitter, and other social networks is ubiquitous
•   Active and growing “hacker” industry

3. The result: (1) Expanding laws and regulations relating to the use and handling of private information, and (2) increased government enforcement activities and class actions by plaintiffs’ attorneys

4. The challenge for businesses: Handle personal information in a way that is compliant with rules and regulations and limit your risk

5. Specific Topics
•   Legal obligations on use of personal information
    • NC statutes relating to treatment of personal information
    • Massachusetts Information Security law and other state laws
    • Federal privacy/security update, including HIPAA and Hi-Tech (treatment of medical records)
•   Employers’ use of and access to employee’s communications/computer systems, and social network use
•   Elements of effective information security/privacy policies and social media policies
•   Other proactive steps to manage information privacy and security risks – contracting and insurance
6. NC Identity Theft Protection Act of 2005
•   Similar to a myriad of similar acts in almost all states, originally California in 2003 (California law updated as of 1/1/2012 to require more specific disclosures relating to security breaches)
•   Violations of the statute are generally considered an unfair or deceptive act or practice
7. Sect. 75-65: Protection from Security Breaches
•   Security breaches affecting personal information of NC residents must be reported to affected individuals
•   Security breach must involve either “illegal use” (or a reasonable likelihood thereof) or a material risk of harm
•   If records are encrypted, only need to provide notice if the associated key or confidential process is also breached
•   If the breach does not involve data which you own or license (i.e., you are a contractor), then you notify the owner or licensee, not the affected individual

8. Sect. 75-65: Protection from Security Breaches
•   Notice must be made without unreasonable delay, taking into account law enforcement needs, verification of contact information and scope of breach, and need to restore security
•   Notice must be clear and conspicuous, and provide a description of:
    • The incident
    • Type of personal information affected
    • Remedial actions of the business
    • Telephone number to get further information
    • Advice to monitor account statements and free credit reports
9. Sect. 75-65: Protection from Security Breaches
•   Notice may be in writing or by e-mail (if consented)
•   If the cost of notice is > $250,000, and in certain other situations, general notice may be given publicly
•   If the case involves more than 1,000 persons, NC attorney general’s office must also be notified
10. Section 75-62: SSN Protection
•   A business may not:
    • Intentionally communicate a person’s Social Security number to the public
    • Intentionally place an SSN on a card required to access products or services
    • Require an SSN to be transmitted over the Internet, unless encrypted

11. Section 75-62: SSN Protection
•   A business may not:
    • Require an individual to use SSN to access an internet web site, unless a password or PIN is also required
    • Print an individual’s SSN on any materials mailed to the individual, unless otherwise required by law
    • Sell or disclose an SSN to a third party if it is known or should be known that the third party lacks a legitimate purpose

12. Section 75-62: SSN Protection
•   The Exceptions -- restrictions do not apply to:
    • Redacted SSN
    • When required by law
    • To the government
    • To the opening of an account or payment for a product or services authorized by the individual
    • To the collection, use, or release of an SSN for internal verification or administrative purposes
13. Section 75-62: SSN Protection
•   The Exceptions, continued:
    • When an SSN is included in an application or in documents related to an enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the SSN for the purpose of obtaining a credit report (with limits on mailing)
    • To investigate or prevent fraud, conduct background checks, conduct certain research, collect a debt, obtain a credit report, for a permissible Gramm-Leach-Bliley purpose, or locate a missing individual, lost relative, or one due a benefit
14. Section 75-63: Security Freeze
•   The ITPA of 2005 adds a “consumer right” to put a security freeze on consumer credit reports
•   The security freeze may be temporarily lifted by the consumer
•   If a consumer security freeze is in place, the consumer reporting agency may not change the consumer’s name, date of birth, SSN, or address without sending a written confirmation within 30 days of the changes
•   Consumer reporting agencies are required to give NC residents specific notice of their rights under this provision
15. Section 75-64: Destruction of Personal Information Records
•   NC businesses MUST:
    • Implement and monitor compliance with policies and procedures that require the destruction of papers that include personal information
    • Implement and monitor compliance with policies and procedures that require the destruction or erasure of electronic media that contain personal information
    • Describe procedures relating to the destruction of personal records as official policy in the writings of the business

16. Section 75-64: Destruction of Personal Information Records
•   If a 3rd party records destruction company is used, one or more of these due diligence steps must be taken:
    • Review an independent audit
    • Obtain references from reliable sources and review certification from a reputable source
    • Review and evaluate the disposal business’ information security policies or procedures
•   Disposal companies must take all reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with information security policies and procedures
•   This section does not apply if the company is already covered by GLB, HIPAA, or Fair Credit Reporting Act

17. Other State Law Developments
•   At least 10 states have data security laws that generally require companies to use “reasonable security” to protect personal information
•   Connecticut and Delaware require employers to provide notice to employees before monitoring email communications or internet access
•   California and other states require prominent web site privacy policies

18. Massachusetts Data Security Act
•   Implemented in 2010, requires organizations that handle information about Mass. residents to have a comprehensive written information security program
•   Requires certain personal information to be encrypted
•   Starting March 1, 2012, all contracts with vendors who handle information re: Mass. residents must require the vendors to also implement and maintain appropriate security measures
19. Federal Laws
•   Generally “industry sector specific” – Gramm-Leach-Bliley (Financial); HIPAA (Healthcare); COPPA (Children’s information); FERPA (Education); Video Rentals Privacy Act
•   Electronic Communications Privacy Act of 1986 – before Internet and widespread e-mail usage in workplace
    • Limits access to stored and “in transit” electronic communications
    • Exceptions for access to employer-provided systems and when access is consented to
•   National Labor Relations Board has investigated numerous cases involving firings based on posts on social media networks
    • Concern is that right to engage in “concerted” employee activity may be infringed
20. Federal Trade Commission
•   FTC has broad authority to monitor compliance with federal privacy laws, including breach of a published privacy policy. Authority is based on its mandate to regulate and prevent unfair and deceptive trade practices.
•   In 2011, FTC entered into enforcement proceedings against the major social networks (Twitter, Google, and Facebook).
    • Have focused on need for consent prior to changing a privacy policy
•   Concerns have increased from use and sale of personal information, to use of IP addresses, device identifiers, and other information not normally considered as personally identifiable.

21. Federal Legislative Proposals
•   Momentum is growing for a federal cybersecurity bill
•   Latest bi-partisan bill was introduced last week. The bill:
    • Establishes liability protections for sharing of information relating to information security threats
    • Clarifies that info system owners may undertake countermeasures to combat cybersecurity threats
    • Allows government to establish cybersecurity performance standards for certain critical infrastructure (finance, utilities, etc.)
•   Other federal proposals seek to establish a national data breach reporting standard

22. HIPAA Privacy and Security Rule
•   Privacy Rule generally effective April 2003; Security Rule generally effective April 2005. HIPAA rules are dense and lengthy.
•   Enforcement of Privacy Rule generally friendly, but over 200 referrals to Department of Justice for criminal investigation. Audits for several hundred entities announced in late 2011
•   Covered Entities -- directly affected
    • Health care providers who engage in electronic Standard Transactions
    • Health Plans
    • Data Clearinghouses
•   HI-TECH Act (2009) added direct obligations on service providers (“Business Associates”) who deal with protected health information
23. HIPAA Privacy Rule
•   Definition of Protected Health Information:
    • All Individually Identifiable Health Information that is transmitted or maintained by a covered entity in any form, including paper and oral records and communications
•   PHI can be disclosed only if:
    • Purpose is treatment, payment or business operations
    • With Authorization (needed for, e.g., disclosures to employers; fundraising; marketing)
        • Special authorization needed for psychotherapy notes
    • Other Specified Purposes
•   Written authorization cannot be a condition for treatment or payment

24. HIPAA Privacy Rule
•   PHI can be disclosed if:
    • Emergency or public health need
    • Judicial and administrative proceedings
    • To law enforcement in certain circumstances
    • For research purposes, if written IRB or Privacy Board approval
    • Where required by law

25. HIPAA Privacy Rule
•   Minimum Amount Necessary rule: CE’s must make reasonable efforts to limit scope of disclosures or requests to only what is needed. With exceptions for these Disclosures/Requests:
    • To/By the Individual
    • To/By Another Provider for Treatment
    • Under an Authorization
    • To DHHS for HIPAA Compliance
    • To comply with Transaction Standards
    • Otherwise required by law
•   De-identification Rule
    • Long list of De-ID requirements
    • Also “no reason to believe” that recipient can combine the information with other information to identify the individual

26. HIPAA Privacy Rule
•   Right to Receive Notice of Privacy Practices
•   Right to Access PHI
•   Right to Request Corrections in PHI
•   Right to Receive Disclosure Information
•   Right to Request Additional Restrictions

27. HIPAA Privacy Rule
•   Business Associate must have written contract with the following provisions:
    • Must follow Privacy Regulations
    • Use appropriate safeguards to prevent unauthorized disclosure
    • Report any unauthorized disclosure
    • Make PHI available in accordance with patient access rights
    • Make books and records available to HHS
    • Incorporate PHI updates received from patients
    • Flow contract obligations to subcontractors
28. HIPAA Security Rule
•   Security Rule requires covered entities to adopt (for some requirements) and consider adoption of (for other requirements) a laundry list of administrative, technical, and physical safeguards for protecting patient information.
•   The rule generally adopts a technologically-neutral and flexible approach.
•   CE’s are required to adopt various security policies.

29. International Privacy Landscape
•   Many countries have much broader protections for individual privacy
•   EU Data Protection Directive provides comprehensive regulation for use of personal information. In January 2012, detailed revisions proposed to make the law more uniform across the EU, and increase protections and possible penalties
•   US companies seeking to transfer personal information from EU to US must follow a safe harbor certification/filing approach or other rules to comply with EU regulations
•   EU also has a Privacy and Electronic Communications Directive that regulates the use of cookies
•   Note: under French and German data privacy laws, personal social networks cannot be searched for employment decisions

30. What can organizations do now to manage privacy/security risk?
•   Implement and maintain an Information Security program
•   Perform security audit
•   Perform due diligence and add privacy/security contract provisions for key vendors and other business partners
•   Consider cyber insurance

31. Information Security Program
•   Required by:
    • Records Disposal portion of North Carolina’s ITPA
    • HIPAA Security Rule
    • Massachusetts and other state laws
•   Extremely helpful for:
    • Handling security breach and SSN portions of ITPA
    • Dealing with FTC-style enforcements
    • Assuring compliance with required privacy notices (e.g. California requirement)
    • Protecting intellectual property
    • Satisfying officer and director fiduciary obligations
    • Complying with contracts
    • Increasing value of company to buyers
    • Dealing with subpoenas and related requests for electronic information in discovery

32. Process for implementing an Info Security Program
•   Not just an IT issue, need input from management, legal, and risk advisors. Rapidly becoming a corporate governance issue.
•   Laws and regulations focus more on the process rather than specific results
•   Don’t just use a form policy from the internet, but tailor to the specific issues and risks faced by the organization
•   Perform an initial security review and gap analysis
•   Update on a regular basis, at least annually

33. Information Security Program
•   Written Policy
•   Purpose of Policy
•   Types/Levels of Confidential Information
•   Training
•   Sanctions
•   Privacy/Security Officer
•   Notification of no expectation of privacy in use of company assets
•   Publicity; Dealing with News Media
•   Incident Response Procedures
•   Physical Security Measures

34. Information Security Program
•   ID’s and Passwords
•   Password Guidelines - Strong vs. Weak Passwords
•   Mandatory Password Changes
•   Access Controls and Network Resources
•   Firewalls
•   Authentication
•   Use of Networks
•   Wireless Network Usage
•   Remote Access Policy
•   Use of Encryption
•   Electronic Communications
•   Destruction of Computing Resources and Information
•   Virus Prevention and Detection

35. Information Security Program
•   Social Media Policy
•   Software Use and Licensing Policy
•   Mobile Computing Policy (laptops, PDAs, keydisks, etc.)
•   System Modification Procedures
•   Record Retention Schedules
•   Litigation and Subpoena Issues
•   Disaster Recovery

36. Summary of Key Security Measures
•   Adopt Defense in Depth – keep external computers in a “DMZ”
•   Manage passwords aggressively
•   Implement all operating system and security software patches
•   Train against social engineering
•   Audit controls, especially remote access points

37. Types of Contracts to Consider for Privacy Issues
•   Software and IT service vendors, including cloud computing
    • Software as a Service (Salesforce)
    • Infrastructure as a Service (Amazon EC2)
•   Marketing and distribution partners
    • Side note: Who owns the data?
•   Order fulfillment vendors
•   Records disposal vendor contracts
•   Any other contract where the other party will have rights to access, use or store your personally identifiable data
•   Consider standalone information security agreement
    • Rather than trying to figure out how to amend the other party’s form of service contract

38. Security and Privacy Contract Terms
•   Confidentiality
•   Obligation to maintain reasonable and effective physical, technical and administrative security measures
•   Compliance with all applicable data privacy and security laws
•   Third-party security audits
•   Right to review detailed security/disaster recovery policies

39. Security and Privacy Contract Terms
•   Right to audit and test security
•   Notification in the case of breach
•   Indemnification for breaches/payment of costs of required notices to customers
•   Encryption
•   Restrictions on use of subcontractors and downstream sharing of information
•   Restrictions on where data can be stored

40. CyberInsurance
•   Review existing insurance for coverage of data breaches and electronic privacy issues, and consider adding cyberinsurance policies
•   Sony, for example, is in litigation with Zurich American Insurance re: coverage for recent security breaches
•   SEC has issued guidance requiring disclosure of material cyber attacks, including a description of relevant insurance coverage
•   Look for (or add) coverage for lost business, notification costs, legal and investigation costs, and credit monitoring services

41. Cloud Computing v. Traditional I.T. Structures

42. [Graphic: Cloud Computing v. Traditional I.T. Structures. Graphic courtesy of Hosted Solutions]

43. [Graphic: Cloud Computing v. Traditional I.T. Structures. Graphic courtesy of Hosted Solutions]

44. Cloud Computing Services
•   Software as a Service (SaaS)
•   Platform as a Service (PaaS)
•   Infrastructure as a Service (IaaS)

45. Cloud Computing Contract Structures
•   Typically service-based, not licensed
•   OPEX, not CAPEX
•   Often offered via “click and accept” agreements
•   Sometimes incorporate by reference other terms of use and policies
•   Sometimes purport to be changeable without notice by the vendor
46. Cloud Computing and Security
•   Advantages
    • Data Dispersal
    • Data Fragmentation
    • “Tier 1” Data Centers
    • Multiple Customer Demands
    • Easier Patching and Updates
•   Disadvantages
    • Lack of Transparency
    • Lack of Responsiveness
    • “Trading Market” of Subcontractors
    • Vendor Lock-In
    • Lack of Security Details
47. Key Takeaways
•   Increased regulatory and legal scrutiny of personal information handling is unavoidable
•   Companies (especially IT vendors and outsourcers) should review the laws applicable to their situation, and update security practices, policies and procedures as needed
•   When dealing with cloud computing vendors and other business partners, perform appropriate due diligence and consider contract negotiations
•   Review insurance policies and possibility for additional insurance

48. Any questions?
Randy Whitmeyer
Whitmeyer Tuffin PLLC
randy@whit-law.com
919-880-6880