1. Privacy Law Update: Strategies for Handling Personal Information
Sponsored by Financial Directions, Inc.
February 21, 2012
Randy Whitmeyer, Whitmeyer Tuffin PLLC, www.whit-law.com
2. The Backdrop: Mobile technology and the Internet
• Organizations store more and more information in electronic form and are increasingly reliant on the Internet for accessing data and systems
• Many employees have smartphones that are constantly connected to the Internet
• Information sharing through Facebook, Twitter, and other social networks is ubiquitous
• Active and growing “hacker” industry
3. The result: (1) expanding laws and regulations relating to the use and handling of private information, and (2) increased government enforcement activities and class actions by plaintiffs’ attorneys
4. The challenge for businesses: handle personal information in a way that is compliant with rules and regulations, and limit your risk
5. Specific Topics
• Legal obligations on use of personal information
  • NC statutes relating to treatment of personal information
  • Massachusetts information security law and other state laws
  • Federal privacy/security update, including HIPAA and HITECH (treatment of medical records)
• Employers’ use of and access to employees’ communications/computer systems, and social network use
• Elements of effective information security/privacy policies and social media policies
• Other proactive steps to manage information privacy and security risks: contracting and insurance
6. NC Identity Theft Protection Act of 2005
• Similar to the breach notification acts now in place in almost all states, beginning with California in 2003 (California’s law was updated as of 1/1/2012 to require more specific disclosures relating to security breaches)
• Violations of the statute are generally considered an unfair or deceptive act or practice
7. Sect. 75-65: Protection from Security Breaches
• Security breaches affecting personal information of NC residents must be reported to the affected individuals
• A security breach must involve either “illegal use” (or a reasonable likelihood thereof) or a material risk of harm
• If the records are encrypted, notice is required only if the associated key or confidential process was also breached (so the safe harbor is lost if the key is stored alongside the data and taken with it)
• If the breach does not involve data which you own or license (i.e., you are a contractor), then you notify the owner or licensee, not the affected individuals
8. Sect. 75-65: Protection from Security Breaches
• Notice must be made without unreasonable delay, taking into account law enforcement needs, verification of contact information and scope of the breach, and the need to restore security
• Notice must be clear and conspicuous, and provide a description of:
  • The incident
  • Type of personal information affected
  • Remedial actions of the business
  • Telephone number to get further information
  • Advice to monitor account statements and free credit reports
9. Sect. 75-65: Protection from Security Breaches
• Notice may be in writing, by e-mail (if the individual has consented to electronic notice), or by telephone (if contact is made directly with the affected person)
• If the cost of notice is > $250,000, and in certain other situations, substitute notice may be given publicly
• If the breach involves more than 1,000 persons, the NC Attorney General’s office must also be notified
10. Section 75-62: SSN Protection
• A business may not:
  • Intentionally communicate a person’s Social Security number to the public
  • Intentionally place an SSN on a card required to access products or services
  • Require an SSN to be transmitted over the Internet, unless encrypted
11. Section 75-62: SSN Protection
• A business may not:
  • Require an individual to use an SSN to access an Internet web site, unless a password or PIN is also required
  • Print an individual’s SSN on any materials mailed to the individual, unless otherwise required by law
  • Sell or disclose an SSN to a third party if it is known or should be known that the third party lacks a legitimate purpose
12. Section 75-62: SSN Protection
• The exceptions: the restrictions do not apply to:
  • A redacted SSN
  • Use required by law
  • Disclosure to the government
  • The opening of an account or payment for a product or service authorized by the individual
  • The collection, use, or release of an SSN for internal verification or administrative purposes
13. Section 75-62: SSN Protection
• The exceptions, continued:
  • When an SSN is included in an application or in documents related to an enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the SSN for the purpose of obtaining a credit report (with limits on mailing)
  • To investigate or prevent fraud, conduct background checks, conduct certain research, collect a debt, obtain a credit report, for a permissible Gramm-Leach-Bliley purpose, or locate a missing individual, lost relative, or one due a benefit
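The practical side of the §75-62 rules above (no full SSN in mailed materials or public communications, with a “redacted SSN” exempt) is catching SSNs in outbound text before it leaves. The Python below is an added example, not code from the presentation or the firm: it finds SSN-shaped numbers, filters out ones the SSA never issues (area 000, 666 and 900–999, group 00, serial 0000; those structural rules are an assumption of the example, not something the slides state), and redacts to the last four digits. The sample mailing text is constructed.

```python
import re

# Candidate SSN: three, two and four digits with optional '-' or ' ' separators,
# not embedded in a longer digit run (so a 10-digit phone number is skipped).
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area, group, serial):
    """Structural rules from the SSA numbering scheme (an assumption of this
    example, not taken from the slides): area 000, 666 and 900-999 are never
    issued, and neither are group 00 or serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text):
    """Return (start, end, normalized_ssn) for every plausible SSN in text.
    A bare 9-digit run such as an account number is still reported: the
    structural rules narrow false positives but cannot remove them."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append((m.start(), m.end(), f"{area}-{group}-{serial}"))
    return hits


def redact_ssns(text, keep_last=4):
    """Replace each plausible SSN with XXX-XX-NNNN, keeping the last keep_last digits."""
    def _mask(m):
        area, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)  # not an SSN; leave the text untouched
        digits = area + group + serial
        masked = "X" * (9 - keep_last) + digits[9 - keep_last:]
        return f"{masked[:3]}-{masked[3:5]}-{masked[5:]}"
    return SSN_CANDIDATE.sub(_mask, text)


# Constructed sample of an outbound customer mailing; not real data.
SAMPLE_MAILING = (
    "Dear customer, your account 4471-0092 is past due. "
    "Our records show SSN 219-09-9999 and an old entry 000-12-3456. "
    "Call 919-880-6880 with questions."
)


def mailing_violations(text):
    """SSNs that would be printed in full if this text were mailed as-is."""
    return [ssn for _, _, ssn in find_ssns(text)]


if __name__ == "__main__":
    print("violations:", mailing_violations(SAMPLE_MAILING))
    print(redact_ssns(SAMPLE_MAILING))
```

Run on the sample, `mailing_violations` reports the one real SSN, and `redact_ssns` rewrites it as XXX-XX-9999 while leaving the account number, the phone number and the never-issued 000-12-3456 alone. Treat the detector as a gate on mail-merge and web-publishing pipelines, not as proof of absence: unseparated nine-digit numbers that are not SSNs will still trip it, which is the safer failure.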
14. Section 75-63: Security Freeze
• The ITPA of 2005 adds a “consumer right” to put a security freeze on consumer credit reports
• The security freeze may be temporarily lifted by the consumer
• If a consumer security freeze is in place, the consumer reporting agency may not change the consumer’s name, date of birth, SSN, or address without sending a written confirmation within 30 days of the change
• Consumer reporting agencies are required to give NC residents specific notice of their rights under this provision
15. Section 75-64: Destruction of Personal Information Records
• NC businesses MUST:
  • Implement and monitor compliance with policies and procedures that require the destruction of papers that include personal information
  • Implement and monitor compliance with policies and procedures that require the destruction or erasure of electronic media that contain personal information
  • Describe procedures relating to the destruction of personal records as official policy in the writings of the business
16. Section 75-64: Destruction of Personal Information Records
• If a third-party records destruction company is used, one or more of these due diligence steps must be taken:
  • Review an independent audit
  • Obtain references from reliable sources and review certification from a reputable source
  • Review and evaluate the disposal business’s information security policies or procedures
• Disposal companies must take all reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with information security policies and procedures
• This section does not apply if the company is already covered by GLB, HIPAA, or the Fair Credit Reporting Act
17. Other State Law Developments
• At least 10 states have data security laws that generally require companies to use “reasonable security” to protect personal information
• Connecticut and Delaware require employers to provide notice to employees before monitoring e-mail communications or Internet access
• California and other states require prominent web site privacy policies
18. Massachusetts Data Security Act
• Implemented in 2010 (M.G.L. c. 93H and its regulation, 201 CMR 17.00), requires organizations that handle information about Massachusetts residents to have a comprehensive written information security program
• Requires certain personal information to be encrypted
• Starting March 1, 2012, all contracts with vendors who handle information about Massachusetts residents must require the vendors to also implement and maintain appropriate security measures
19. Federal Laws
• Generally “industry sector specific”: Gramm-Leach-Bliley (financial); HIPAA (health care); COPPA (children’s information); FERPA (education); Video Privacy Protection Act (video rental records)
• Electronic Communications Privacy Act of 1986, enacted before the Internet and widespread e-mail usage in the workplace
  • Limits access to stored and “in transit” electronic communications
  • Exceptions for access to employer-provided systems and where access is consented to
• The National Labor Relations Board has investigated numerous cases involving firings based on posts on social media networks
  • Concern is that the right to engage in “concerted” employee activity may be infringed
20. Federal Trade Commission
• The FTC has broad authority to monitor compliance with federal privacy laws, including breach of a published privacy policy. Its authority is based on its mandate to regulate and prevent unfair and deceptive trade practices.
• In 2011, the FTC entered into enforcement proceedings against the major social networks (Twitter, Google, and Facebook).
• Enforcement has focused on the need for consent prior to changing a privacy policy
• Concerns have expanded from the use and sale of personal information to the use of IP addresses, device identifiers, and other information not normally considered personally identifiable
21. Federal Legislative Proposals
• Momentum is growing for a federal cybersecurity bill
• The latest bipartisan bill was introduced last week. The bill:
  • Establishes liability protections for sharing of information relating to information security threats
  • Clarifies that information system owners may undertake countermeasures to combat cybersecurity threats
  • Allows the government to establish cybersecurity performance standards for certain critical infrastructure (finance, utilities, etc.)
• Other federal proposals seek to establish a national data breach reporting standard
22. HIPAA Privacy and Security Rules
• Privacy Rule generally effective April 2003; Security Rule generally effective April 2005. The HIPAA rules are dense and lengthy.
• Enforcement of the Privacy Rule has generally been conciliatory, but there have been over 200 referrals to the Department of Justice for criminal investigation. Audits of several hundred entities were announced in late 2011.
• Covered Entities (directly affected):
  • Health care providers who engage in electronic standard transactions
  • Health plans
  • Health care clearinghouses
• The HITECH Act (2009) added direct obligations on service providers (“Business Associates”) who deal with protected health information
23. HIPAA Privacy Rule
• Protected Health Information (PHI) definition:
  • All individually identifiable health information that is transmitted or maintained by a covered entity in any form, including paper and oral records and communications
• PHI can be disclosed only if:
  • The purpose is treatment, payment or health care operations
  • With authorization (needed for, e.g., disclosures to employers, fundraising, marketing); special authorization is needed for psychotherapy notes
  • For other specified purposes (next slide)
• Written authorization cannot be made a condition of treatment or payment
24. HIPAA Privacy Rule
• PHI can also be disclosed for:
  • Emergency or public health need
  • Judicial and administrative proceedings
  • Law enforcement, in certain circumstances
  • Research purposes, with written IRB or Privacy Board approval
  • Where required by law
25. HIPAA Privacy Rule
• Minimum Necessary rule: CEs must make reasonable efforts to limit the scope of disclosures or requests to only what is needed, with exceptions for these disclosures/requests:
  • To/by the individual
  • To/by another provider for treatment
  • Under an authorization
  • To HHS for HIPAA compliance
  • To comply with transaction standards
  • Otherwise required by law
• De-identification rule
  • Long list of de-identification requirements
  • Also “no reason to believe” that the recipient can combine the information with other information to identify the individual
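The de-identification rule is the one part of the Privacy Rule that is mechanical enough to show in code. The Python below is an added example, not code from the presentation: it applies the Safe Harbor style of generalization (drop direct identifiers, keep only the first three ZIP digits with 000 for small areas, keep only the year of dates, and collapse ages over 89 into a single 90+ bucket) to constructed patient records. The identifier field names and the set of “small” ZIP prefixes are assumptions of the example; a real implementation takes the latter from Census data and reviews free text rather than simply dropping it, as is done here. The “no reason to believe” prong of the rule is a judgment about the recipient and has no code equivalent.

```python
from datetime import date

# Fields removed outright. These are representative direct identifiers from the
# Safe Harbor list (names, contact details, SSNs, record and account numbers,
# device IDs, URLs, IPs); an illustrative subset, not the rule text.
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn", "account",
    "license", "vin", "device_id", "url", "ip",
}

# Free-text fields are dropped too: nothing short of review can vouch that
# narrative text is free of identifiers.
FREE_TEXT_FIELDS = {"notes", "comments"}

# Safe Harbor keeps the first three ZIP digits, except that any 3-digit area
# with 20,000 or fewer people (per Census data) must be reported as 000.
# This set is a constructed placeholder, not real Census output.
SMALL_ZIP3_AREAS = {"036", "059", "102"}


def deidentify_zip(zip_code):
    """Reduce a 5- or 9-digit ZIP to its 3-digit prefix, or 000 for small areas."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in SMALL_ZIP3_AREAS else zip3


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def deidentify_record(record, as_of):
    """Apply Safe Harbor-style generalization to one patient record (a dict):
    direct identifiers and free text are removed, 'zip' becomes 'zip3',
    'dob' becomes 'birth_year' (or '90+' when the patient is over 89),
    and every other date keeps only its year under a '<field>_year' key."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in FREE_TEXT_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key == "dob":
            out["birth_year"] = "90+" if age_on(value, as_of) > 89 else str(value.year)
        elif isinstance(value, date):
            out[key + "_year"] = str(value.year)
        else:
            out[key] = value
    return out


# Constructed sample records; AS_OF is the presentation date, used as the
# reference point for computing age.
AS_OF = date(2012, 2, 21)
SAMPLE_RECORDS = [
    {
        "name": "Jane Q. Patient",
        "mrn": "MRN-00917",
        "dob": date(1931, 3, 15),
        "zip": "27601",
        "admit_date": date(2012, 1, 9),
        "diagnosis": "I10",
        "phone": "919-555-0100",
        "notes": "Patient's neighbor is her emergency contact.",
    },
    {"name": "John Doe", "dob": date(1920, 1, 1), "zip": "03601", "diagnosis": "E11"},
]


def deidentify_samples():
    return [deidentify_record(r, AS_OF) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for rec in deidentify_samples():
        print(rec)
```

The first sample comes out as birth year, ZIP3, admission year and diagnosis only; the second, for a 92-year-old in a small ZIP area, loses even the birth year and the ZIP prefix. Note what the function cannot do: it keys off field names, so a stray identifier in an unlisted column or in free text passes through unless you extend the lists or review the output.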
26. HIPAA Privacy Rule: individual rights
• Right to receive a Notice of Privacy Practices
• Right to access PHI
• Right to request corrections to PHI
• Right to receive an accounting of disclosures
• Right to request additional restrictions
27. HIPAA Privacy Rule
• A Business Associate must have a written contract with the following provisions:
  • Must follow the Privacy regulations
  • Use appropriate safeguards to prevent unauthorized disclosure
  • Report any unauthorized disclosure
  • Make PHI available in accordance with patient access rights
  • Make books and records available to HHS
  • Incorporate PHI updates received from patients
  • Flow contract obligations down to subcontractors
28. HIPAA Security Rule
• The Security Rule requires covered entities to adopt (for “required” specifications) and consider adopting (for “addressable” ones) a laundry list of administrative, technical, and physical safeguards for protecting patient information
• The rule generally adopts a technologically neutral and flexible approach
• CEs are required to adopt various security policies
29. International Privacy Landscape
• Many countries have much broader protections for individual privacy
• The EU Data Protection Directive provides comprehensive regulation of the use of personal information. In January 2012, detailed revisions were proposed to make the law more uniform across the EU and to increase protections and possible penalties
  • US companies seeking to transfer personal information from the EU to the US must follow the Safe Harbor certification/filing approach or other approved mechanisms to comply with EU regulations
• The EU also has a Privacy and Electronic Communications Directive that regulates the use of cookies
• Note: under French and German data privacy laws, personal social networks cannot be searched for employment decisions
30. What can organizations do now to manage privacy/security risk?
• Implement and maintain an information security program
• Perform a security audit
• Perform due diligence and add privacy/security contract provisions for key vendors and other business partners
• Consider cyber insurance
31. Information Security Program
• Required by:
  • The records disposal portion of North Carolina’s ITPA
  • The HIPAA Security Rule
  • Massachusetts and other state laws
• Extremely helpful for:
  • Handling the security breach and SSN portions of the ITPA
  • Dealing with FTC-style enforcement
  • Assuring compliance with required privacy notices (e.g., the California requirement)
  • Protecting intellectual property
  • Satisfying officer and director fiduciary obligations
  • Complying with contracts
  • Increasing the value of the company to buyers
  • Dealing with subpoenas and related requests for electronic information in discovery
32. Process for implementing an Information Security Program
• Not just an IT issue; needs input from management, legal, and risk advisors. Rapidly becoming a corporate governance issue.
• Laws and regulations focus more on the process than on specific results
• Don’t just use a form policy from the Internet; tailor it to the specific issues and risks faced by the organization
• Perform an initial security review and gap analysis
• Update on a regular basis, at least annually
33. Information Security Program
• Written policy
  • Purpose of policy
  • Types/levels of confidential information
  • Training
  • Sanctions
  • Privacy/security officer
• Notification of no expectation of privacy in use of company assets
• Publicity; dealing with news media
• Incident response procedures
• Physical security measures
34. Information Security Program
• IDs and passwords
  • Password guidelines: strong vs. weak passwords
  • Mandatory password changes
• Access controls and network resources
  • Firewalls
  • Authentication
  • Use of networks
  • Wireless network usage
  • Remote access policy
• Use of encryption
• Electronic communications
• Destruction of computing resources and information
• Virus prevention and detection
35. Information Security Program
• Social media policy
• Software use and licensing policy
• Mobile computing policy (laptops, PDAs, USB keys, etc.)
• System modification procedures
• Record retention schedules
• Litigation and subpoena issues
• Disaster recovery
36. Summary of Key Security Measures
• Adopt defense in depth: keep externally facing systems in a “DMZ” segmented from the internal network
• Manage passwords aggressively
• Apply all operating system and security software patches promptly
• Train against social engineering
• Audit controls, especially remote access points
37. Types of Contracts to Consider for Privacy Issues
• Software and IT service vendors, including cloud computing
  • Software as a Service (e.g., Salesforce)
  • Infrastructure as a Service (e.g., Amazon EC2)
• Marketing and distribution partners
  • Side note: who owns the data?
• Order fulfillment vendors
• Records disposal vendor contracts
• Any other contract where the other party will have rights to access, use or store your personally identifiable data
• Consider a standalone information security agreement, rather than trying to figure out how to amend the other party’s form of service contract
38. Security and Privacy Contract Terms
• Confidentiality
• Obligation to maintain reasonable and effective physical, technical and administrative security measures
• Compliance with all applicable data privacy and security laws
• Third-party security audits
• Right to review detailed security/disaster recovery policies
39. Security and Privacy Contract Terms
• Right to audit and test security
• Notification in the case of a breach
• Indemnification for breaches/payment of the costs of required notices to customers
• Encryption
• Restrictions on use of subcontractors and downstream sharing of information
• Restrictions on where data can be stored
40. Cyber Insurance
• Review existing insurance for coverage of data breaches and electronic privacy issues, and consider adding cyber insurance policies
• Sony, for example, is in litigation with Zurich American Insurance over coverage for its recent security breaches
• The SEC has issued guidance calling for disclosure of material cyber attacks, including a description of relevant insurance coverage
• Look for (or add) coverage for lost business, notification costs, legal and investigation costs, and credit monitoring services
41–43. Cloud Computing v. Traditional I.T. Structures (comparison graphics courtesy of Hosted Solutions; not reproduced in this text)
44. Cloud Computing Services
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
45. Cloud Computing Contract Structures
• Typically service-based, not licensed
• OPEX, not CAPEX
• Often offered via “click and accept” agreements
• Sometimes incorporate other terms of use and policies by reference
• Sometimes purport to be changeable by the vendor without notice
46. Cloud Computing and Security
Advantages:
• Data dispersal
• Data fragmentation
• “Tier 1” data centers
• Multiple customer demands
• Easier patching and updates
Disadvantages:
• Lack of transparency
• Lack of responsiveness
• “Trading market” of subcontractors
• Vendor lock-in
• Lack of security details
47. Key Takeaways
• Increased regulatory and legal scrutiny of personal information handling is unavoidable
• Companies (especially IT vendors and outsourcers) should review the laws applicable to their situation, and update security practices, policies and procedures as needed
• When dealing with cloud computing vendors and other business partners, perform appropriate due diligence and consider contract negotiations
• Review insurance policies and the possibility of additional insurance
48. Any questions?
Randy Whitmeyer, Whitmeyer Tuffin PLLC, randy@whit-law.com, 919-880-6880
