Magazine Feature


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Magazine Feature

  1. 1. ADVERTISING SECTION P R I VA C Y: D ATA S E C U R I T Y B R E A C H E S • A roundtabl e DISCUSSION DATA SECURITY: Managing the risk Photo By: Jason Doiy ata security continues to be a hot topic for general counsel and privacy officers. Breaches have not D abated; organized computer crime makes front-page news. The legal framework continues to grow, both from state regulators, Attorneys General, the FTC and the EU. We’ve asked three top experts in the field for their assistance in laying out what to do. They are Charlene Brownlee, a partner with Davis Wright Tremaine in Seattle; Ruth Boardman, a partner with Bird & Bird in London; and Michelle Dennedy, chief data strategy and privacy officer at Sun Microsystems in Mountain View. This is an abridged transcript of a live event held Sept. 26, 2008, in San Francisco, moderated by freelance legal affairs writer Susan Kostal, and reported for Jan Brown & Associates by Valerie E. Jensen. MODERATOR: Charlene, I want to start with you this morning. negligence. Some 50 percent of data breaches are caused Give us a sense of the continued importance of privacy and by employees leaving laptops at home or in their cars, and data security. I have the distinct feeling, since we did our there’s a break-in. Only 4 percent of data breaches are last panel, that there’s even more heat, light and focus on the caused by hackers, which tells us that, as counsel and as issue. privacy officers and IT professionals, we can do more to bring those numbers down. BROWNLEE: I would agree 100 percent. In terms of statistics, 2008 is half over, and we’re already had the MODERATOR: Let’s go into the growing legal framework that same number of security breaches as for the entire year governs privacy. 2007. Why are we seeing higher statistics? More than 44 states require notification of data breaches resulting DENNEDY: The word “framework” is critical here. When you in the disclosure of personally identifiable information approach this as a global entity—and we do business in (such as Social Security numbers, drivers’ license numbers more than 140 countries around the world--there is no such and financial information). The majority of information thing as localized data, if you’re using any sort of system is digital, processed and stored electronically, and often that interfaces with the Web. As you review the framework, on portable media. The No. 1 cause of data breaches is start by asking where the data is, from an IT perspective. DATA SECURITY BREACHES 25
  2. 2. ADVERTISING SECTION P R I VA C Y: D A TA S E C U R I T Y B R E A C H E S • A r oundtabl e DISCUSSION Who is managing it, leading it, and paying for it? Then look to the various jurisdictions that cover those interactions and come up with a framework that includes laws like PIPEDA, the EU Directive and all of its member states, what’s going on in Asia, Korea, Argentina. Look at the map, and that’s your framework. If it sounds overwhelming, it is. You can get very geeky on this very quickly. But there is hope. A risk-based approach, rather than a black-and-white, find- the-answers approach, will cover you 80 percent of the time. BOARDMAN: The EU has had data privacy legislation since before the 1995 Directive. But when we’re talking about security breach notification, we’re playing catch-up. Although we have general security principles in the EU, we don’t yet have a breach notification law. But that is coming. We have two main data privacy directives in the EU: one general, and one specific to the communications sector. The communications sector directive is being rewritten, as we speak. One of the changes being made to it is to introduce breach notification requirements. That will Jason Doiy then have to be transposed into the law of each member state. In the UK, our regulator has been given increased powers following an enormous data breach by Revenue and Customs. Also recently, Nationwide Building Society lost a laptop, and the society was fined 1 million pounds because “A risk-based approach, rather than a black-and- it didn’t have appropriate procedures in place to know what to do in such situations. They waited three weeks deciding white, find-the-answers approach, will cover you what to do. 80 percent of the time.” BROWNLEE: In the absence of federal legislation, in the U.S. you must take a state-by-state approach. Are people — Michelle Dennedy familiar with the Nevada encryption legislation that went into effect Oct. 1? Sun Microsystems DENNEDY: You’re about to be depressed. ChoicePoint. They were assessed $10 million in fines, had to allow $5 million for consumer redress, and agreed to be BROWNLEE: In addition to the new Nevada law, which audited for 20 years. requires encryption during transmission, Massachusetts has just adopted regulations that require encryption before DENNEDY: We are a big provider for companies in the and after transmission. In addition to a state-by-state financial services sector, so many of our customers are approach, you also need an industry/ sector analysis. Health impacted by the November 1 FACTA deadline. That care information, for example, is covered under HIPPA. The regulation points out the synergy between privacy rules and financial sector is covered by Gramm-Leach-Bliley, and data transfer regulations, which until two years ago could be now, as of November, the red flag rules pursuant to FACTA. managed fairly well by notice and consent. That was really The only federal legislation that deals directly with the where the locus of control and focus and meeting most of collection of information online is the Children’s Online Privacy Protection Act, COPPA. There’s no other generally these regulatory issues came in. What FACTA presents and applicable federal legislation for consumer transactions what the financial services sector is going through right over the Internet. But the FTC has been increasingly now, what HIPPA has foreshadowed, is that the growing aggressive about regulating companies that fail to live framework, on both a federal level and internationally, is up to their posted privacy policies. In 2006, the FTC about to get much more specific about what companies, established a Division of Privacy and Identity Protection, tactically, must do to get out of either a negligence theory which is specifically targeted to investigate data breaches. or a statutory theory for data losses. As of March 2008, the FTC had brought more than 20 cases against businesses for failure to maintain reasonable It’s also important to understand server-based computing. security measures. If you are subject to an investigation Today’s buzzword is “the cloud.” Everything is “in the and settle, usually there will be a fine, and a requirement cloud.” Nothing is in the cloud but rain, folks. It’s all on to conduct independent audits, sometimes for as long a server somewhere, and that server has jurisdiction stuck as 20 years. One of the biggest cases to date involved all over it. It is physically located somewhere. You have to 26 DATA SECURITY BREACHES
  3. 3. ADVERTISINGSECTION ADVERTISING SECTION P R I VA C Y: D A TA S E C U R I T Y B R E A C H E S • A r oundtabl e DISCUSSION crafting your legal memoranda about all these new rules, regulations, cases and fines, you are giving people like me something I can consume. BROWNLEE: The FTC’s position is clear: “Companies that collect sensitive consumer information have a responsibility to keep it secure.” And that responsibility to implement appropriate IT securities and safeguards is also a requirement of approximately half of the 44 state data breach notification laws. So, from a corporate perspective, it is not a gray area. It is clear that companies must deploy appropriate physical safeguards. A company would be well served by looking at the obligations that are imposed upon financial institutions and adopt a similar data breach notification strategy. When these breaches occur, you need a methodical plan, so you are not acting in crisis mode. MODERATOR: It seems redundant at this point to use the word “global,” but tell us about the concerns inherent in data Jason Doiy transfer and outsourcing. BOARDMAN: Movements of data outside the EU are prohibited. So emailing and transferring data to a server outside the EU--even traveling with a laptop outside the EU--engages the prohibition. The only countries that you “FTCʼs position is clear: 'Companies that can transfer data to from the EU are ones that have been collect sensitive consumer information have approved by the European Commission and, so far, that list is limited to Argentina, Switzerland, certain Canadian a responsibility to keep it secure.' And that organizations covered by PIPEDA, the Isle of Man, Jersey, and Guernsey. So it’s a fairly small list. responsibility to implement appropriate IT securities and safeguards is also a requirement There are four main methods to deal with this. If data is being transferred from the EU to an organization in the of approximately half of the 44 state data US that participates in the Safe Harbor scheme, that data transfer is fine. From an EU perspective, Safe Harbor is breach notification laws. So, from a corporate very easy for organizations to deal with. A second option is perspective, it is not a gray area.” freely given consent. That sounds good, but it’s hard to do in practice, especially in the employment context. In many countries in the EU, you have to get a permit from the — Charlene Brownlee data protection authority to export the data, and you have to explain the basis on which you’re asking for the permit. Davis Wright Tremaine In some countries, if you say, “This is employee data, but we’ve got consent,” as a matter of principle, the data be aware of where your data is and make sure that your protection authority will reject your application, because clients know where their data is so that you can provide they’ve taken a paternalistic view toward employees. appropriate legal advice. You may be missing jurisdictions The other alternative is to use European Commission- you haven’t even thought of. Who is the account customer approved contract clauses. These are data export contracts base, the employees? Where are they coming from? Are that oblige the importing organization to offer EU protection they working from home? Where is the data going to and in for data. The idea is great, but they can be bureaucratic. what format? Is it encrypted? Has it been severed from any The clauses require registration in about 18 out of the sort of personal information so it cannot be reconstituted? 27 member states, which is a time-consuming process. You must know the answers to these questions. Lawyers are The other problem is that you have to complete an annex being increasingly dragged into IT and HR, and other areas describing what you’re doing. And with my clients, I’ve you may not have traditionally considered in your area of found that you complete that and then a year or two practice. years later, the client will do something different; they’ll want to implement a different HR system, and then you Be aware of the technological realities, the people, the have to redo the clauses. The last alternative is to adopt processes and the technology synergy, so when you’re “binding corporate rules.” The idea behind these is that DATA SECURITY BREACHES 27
  4. 4. ADVERTISING SECTION P R I VA C Y: D A TA S E C U R I T Y B R E A C H E S • A r oundtabl e DISCUSSION you embed data privacy in the organization’s culture. So, for example, with employee data, you might develop a workforce data privacy policy. If you can show that that is binding and really enforceable within the organization, then you can take these rules and procedures to EU data protection authorities and get them approved, which then allows you to transfer data freely within the organization, without additional consent, or registering standard contract clauses. You have to keep the data protection authorities up to date if new members of the group come on board or if you change your processing significantly, but it should be a much-lighter-touch approach than the registration process. BROWNLEE: Binding corporate rules (BCRs) are a bit controversial, because they’re very expensive to develop and implement, and they only protect the flow of data among those corporate entities. For example, BCRs do not address the flow of information from an EU member state to a country that is deemed to have inadequate safeguards. Jason Doiy So it’s not a one-stop-shopping solution; you still have to layer BCRs with other privacy mechanisms, such as Safe Harbor certification. BOARDMAN: You make several good points. It is a pioneering effort. It started in 2003, and by 2005, we only had one “The idea behind binding corporate rules is that application that had been authorized. But there’s a real sense that it’s starting to become more manageable. The you embed data privacy in the organization's reason for the initial cost is you need to go and negotiate culture. With employee data, for example, you with the protection authorities, many of which have little expertise or familiarity with how organizations work. But might develop a workforce data privacy policy. If we’re starting to see a critical mass of applications come t hrough. you can show that that is binding and enforceable within the organization, you can have them My clients have been able to leverage existing privacy policies and procedures. And in some instances, once there approved by EU data protection authorities, which is a UK authorization, other data protection authorities are happy with that, and granted authorization on that basis then allows you to transfer data freely within alone. The advantage is once you have a BCR, there are the organization, without additional consent or registering standard contract clauses. “ fewer bureaucratic restrictions to them. If you have data that is going from the EU to a U.S. entity, which will then be transferred to a third party in the U.S., you would need separate contract terms to deal with that. But you would, in any event, under EU commission clauses or Safe Harbor. — Ruth Boardman MODERATOR: So how do companies best mitigate the risk? Bird & Bird BROWNLEE: Let’s use, as an example, the lawsuit filed against Accenture in 2007. The Connecticut Attorney provide that the vendor retains ownership/control at all General hired Accenture to transfer some taxpayer and other personally identifiable information into a PeopleSoft times, does not subcontract without your permission, uses database. A backup tape containing the information reasonable safeguards, and agrees to indemnify you in the was stolen. The state had a contract with Accenture event of a data breach. that included provisions requiring Accenture to employ reasonable safeguards. Accenture was subject to a Your agreement should include a clause requiring your negligence claim, and also breach of contract. The take- vendor to allow you to have a third party come in and audit away here is that you must have a written agreement with all third parties transferring or processing your data, your service provider’s information systems and ensure that whether an information destruction/storage vendor or your service provider notifies you within a very short period an electronic discovery provider. The agreement should of time if there is any sort of breach or suspected breach. 28 DATA SECURITY BREACHES
  5. 5. ADVERTISING SECTION ADVERTISING SECTION P R I VA C Y: D ATA S E C U R I T Y B R E A C H E S • A r oundtabl e DISCUSSION DENNEDY: My favorite phrase in contract negotiations is it. When you appoint a third party to hold the information “from time to time.” Every now and again we get this or to do anything with the information on your behalf, then clause in an outsourcing context or some context that you are responsible for what that third party does. So, if is a data-intensive relationship. It will say, “reasonable there is a security breach, then you are still on the hook to security as may change from time to time.” “Reasonable” individuals, even though it might be the third party who was five years ago did not include comprehensive encryption. responsible. Again, there are a couple of nice examples of “Reasonable” five years ago did not require background this in the UK involving lost laptops that weren’t encrypted. checks for every single worker in every single facility. That In each case, it was the client organization that ended up clause is going to screw you later. The most important on the receiving end of an enforcement notice from the element of mitigating legal risk in the contracting context Information Commissioner, which required the client to roll is to really understand the deal. You need to really out encryption and caused the organization and contractor understand the scope and the shape and the possibility of to report back on a regular basis to the commissioner. data transfer, either from individual contractors that come in, or people who are able to somehow carry your data out. So I reinforce the point that having appropriate contract Really do your homework. As a lawyer, you need to become terms is vital. You want to be checking your contract and a much bigger player in the decision-making process. In looking at that indemnity. the statement of work, you need to understand what kind of information needs to be transferred from organization to BROWNLEE: There are four practical ways to mitigate or organization and to various downstream processing, and in prevent data breaches. The first one is obvious: don’t what context. You have to be very careful in the indemnity collect what you don’t need. Secondly, destroy or redact section. It plays both ways. Auditing is one of hottest what you don’t need. Follow the federal laws, such as negotiation topics right now because, inherently, by having FACTA, on secure disposal of personally identifiable a third-party auditor in my data center, I am compromising the security of my other customers or I’m possibly exposing information. Thirdly, ensure that any laptops you recycle, them to third-party distribution, under law, by allowing donate to charity or send back to a vendor are scrubbed. them in. In laying out the deal, look at what people really Lastly, conduct a conduct a privacy impact assessment need access to the data, not based on any hierarchy or prior to the launch of any new product or service. Encourage organization chart, but by what role they really perform. your teams—marketing, IT, product development, legal—to review what information can be collected from the product, BOARDMAN: I would completely agree with everything that and what the legal ramifications are. Michelle and Charlene have said about risk, and would add two additional points. One is there are specific obligations DENNEDY: There are technical solutions out there. I won’t in the EU when you appoint the kind of third party that make a company pitch. I agree with Ruth and Charlene, Charlene mentioned; in EU terms, this agent is called though—don’t collect more than you need, and don’t travel a processor. But if you do due diligence and take the with more than you need. There are various strategies approach that’s been described, then you will do what is where you can take advantage of server-based computing required in the EU. The other point to note is that in the to keep your crown jewels in a place where IT professionals EU, under the Data Protection Directive, if you are the are surrounding them with, truly, not just “the reasonable organization that controls the data, you’re responsible for security from time to time” but actual security. DATA SECURITY BREACHES 29
  6. 6. ADVERTISING SECTION P R I VA C Y: D A TA S E C U R I T Y B R E A C H E S • A r oundtabl e DISCUSSION CHARLENE A. BROWNLEE is a partner with the law firm Davis Wright Tremaine LLP. She advises clients on global privacy and data security matters, development of records management programs, e-discovery best practices and technology transactions. She co-authored the legal treatise Privacy Law (Law Journal Press). Charlene has lectured and published widely on privacy, records management and e-discovery. She is a US delegate for the APEC Privacy Data Security Working Group and serves on the University of Washington's Advisory Board for its EDiscovery Certification Program launching in 2009. DAVIS WRIGHT TREMAINE LLP The regulation of privacy and data security continues to expand at both a state and federal level. We can assist your organization in determining what policies, procedures and technology are required to comply and ensure proactive information governance. From developing record retention schedules and litigation hold policies, to advising on responding to a data breach, we have the experience and business oriented perspective that clients value. RUTH BOARDMAN is a partner in the London office of Bird & Bird. Ruth advises on all aspects of European information law, including data protection, freedom of information, database rights and confidentiality, with a specific emphasis on IT, e-commerce and public procurement. She is the co-author of Data Protection Strategy, published by Sweet & Maxwell. She also edits the Encyclopedia of Data Protection, from the same publisher, and is on the editorial board of Data Protection Law & Policy. BIRD & BIRD is a leading European and Asian law firm, with offices in Belgium, Czech Republic, Finland, France, Germany, Hungary, Italy, Poland, PRC, Slovakia, Spain, Sweden, The Netherlands and The UK. We are ranked as a leading firm for data privacy advice, where we advise a wide range of international companies as well as companies for whom personal data is a key asset. We provide a full range of legal services: commercial, corporate, corporate restructuring & insolvency, dispute resolution, employment, EU & competition law, finance, intellectual property, outsourcing, public procurement, real estate and regulatory & administrative tax. MICHELLE DENNEDY is Chief Privacy Officer for SUN MICROSYSTEMS, INC. Michelle is responsible for the continued development and implementation of Sun’s data privacy policies and practices, working across Sun’s business groups to drive the company’s continued data privacy excellence. Data privacy is a cornerstone of Sun’s approach to compliance with complex, demanding regulations including Sarbanes-Oxley, the EU Directive, California State Senate Bills, as well as escalating policy and process-oriented requirements being imposed globally. Michelle also works with Sun’s product development teams and partners to deliver best-practice privacy enabling products and services. She is the co-founder of Sun’s internal Privacy Council, an organization that includes and engages with stakeholders from across the company and is dedicated to promoting and promulgating a cohesive practice throughout the organization to protect Sun’s relationships with its customers. JAN BROWN & ASSOCIATES is a worldwide deposition reporting and legal video company. We offer the latest in technical expertise and the highest quality in the rendition of these services. Our services include realtime depositions, video conferencing, full service legal videography, document scanning, on-line repository, DVD or CD-ROM, case management services for large complex cases. We are Certified Livenote Providers and offer conference rooms. Our services are utilized by the top firms in the country and we are the court reporters and videographers of choice. 800.522.7096 30 DATA SECURITY BREACHES