This document summarizes the current state of privacy law and data security concerns. It notes that data breaches can result in identity theft, financial loss, reputational damage, and lawsuits. While there is no single federal privacy standard, states have enacted their own breach notification laws which differ in what constitutes private information and enforcement powers. Delaware has its own privacy laws but risks and liabilities are increasing, so companies need to assess risks, prioritize sensitive data, implement security policies, and get started addressing privacy and security issues.

1. The “Current” State
of Privacy Law
Technology Forum of Delaware
Data Security
September 16, 2015

2. Why Should We Be Concerned
About Data Privacy and
Cybersecurity?
• Data Loss
• Exposure to Identity
Theft
• Exposure to Financial Loss
• Exposure to Reputational
Damage
• Lawsuits
– Some 24 various legal theories being asserted
• 2015 Data Breach Litigation Report, Bryan Cave LLP
– Federal Enforcement by FTC

3. “Breaches” Take All Forms
• August 2015
– IT Governance Blog, Lewis Morgan
• Thomson (travel), names, addresses, telephone and
flight info
• Akron Children’s hospital – missing hard drive
containing patient information
• URI – breach of email and Facebook accounts
• Tremco – lost laptop w/ data on thousands of
employees
• SterlingBackCheck laptop stolen – 100K individuals
• IRS agent misplaces flash drive
• UVA shuts down servers after cyberattack

4. Costs Of Data Loss and Breaches
• IBM & Ponemon Institute: 2015
Cost of Data Breach Study:
Global Analysis:
• “The average cost paid for
each lost or stolen record
containing sensitive and
confidential information
increased 6 percent, jumping
from $145 in 2014 to $154 in
2015. The lowest cost per lost
or stolen record is in the
transportation industry, at $121,
and the public sector, at $68.
On the other hand, the retail
industry’s average cost
increased dramatically, from
$105 last year to $165.”

5. No Comprehensive Approach
• No single federal standard for data privacy
– A “Vertical” approach
• HIPAA/HITECH, COPPA, GLBA, FCRA, TCPA, FERPA, CTPA,
VPPA
• Other industries receiving guidance
– National Institute of Standards and Technology (NIST)
• Developed framework for cybersecurity practices for the federal
government
• Being used as framework for other businesses
– Federal Trade Commission (FTC)
• Administrative proceedings/consent decrees

6. States Are Filling the Gaps
• Protectionism
• 47 states now have breach
notification laws
– NOT identical
• Internal inconsistencies
– What constitutes Personally Identifying Information
(PII)
– Who has enforcement power
• Private right of action or Consumer Protection Division
• Protection at all stages of information life
– Obtaining, retaining, destroying

7. Delaware’s Privacy Related Laws
• Computer Security Breaches
• Safe Destruction of Documents Containing
PII
• Delaware Online Privacy Protection Act
(DOPPA) – signed August 7, 2015
• Student Data Privacy Protection Act
(SDPPA)
– signed August 7, 2015

8. Increasing Potential Liabilities
• Federal Trade Commission (FTC)
– Wyndham v. FTC decision
• Class Actions
– Actual damages/Standing
– Remijas v. Neiman Marcus Group, LLC
• D&O Liability – Caremark and Utter Failure
• Damages
– $ and reputation

9. Increasing Client/Customer
Demands
• Demanding Protection
• Want to know
information is safe
• Want indemnity
agreements
• Want to see vendor agreements
• Want to review insurance policies
• Want to know you have a plan
– Doc retention, breach response

10. So What Do We Do?
• Assess the Risks
– Prioritize/categorize information
– Think about both physical and electronic impediments
• Attack the easy things
• Create a culture of privacy in your business
• Implement (and enforce)
policies regarding safe
handling of data
• Take advantage of “Safe
Harbors” – encryption
• Get started today!

11. BIOGRAPHY
Chuck co-chairs the firm’s Data Privacy and Information
Governance Group. In this role, Chuck advises companies and
clients on data security, data management, privacy and
appropriate exercise of fiduciary duties when dealing with
privacy
and data management issues. Chuck is a member of the
International Association of Privacy Professionals (IAPP), the
Technology Forum of Delaware, and is a frequent author of
articles relating to privacy, data management, and recent
developments in Delaware law and legislation relating to these
issues.
Carl “Chuck” N. Kunz, III
Partner, Data Privacy and Information Governance
500 Delaware Avenue, Suite 1500
Wilmington, Delaware 19801-1494
T 302.888.6811
ckunz@morrisjames.com