With a transactional practice, covering the areas of e-commerce, software and technology, Heather Buchta, with Quarles & Brady LLP, presented the different cloud regulations that impact our industry; from data privacy to compliance. Learn all the legal Internet/cloud considerations CIOs are faced with today and apply them to your value proposition.
6. Personal Information
• FEDERAL
– FTC Act
– COPPA
– CAN-SPAM
– TCPA
– FERPA
• STATE
– Breach
Notification
– Point of Sale
Collection
– State
Consumer
Protection
– Security
Obligations
Health Information
• FEDERAL
– HIPAA
– HITECH
– Health
Breach
Notification
Rule
– GINA
• STATE
– HIPAA-like
Financial Information
• FEDERAL
– GLB
– FCRA
– FACTA
• STATE
– GLB-like
Employee
Information
• FEDERAL
– ERISA
– FMLA
– Whistleblower
Protection Act
• STATE
– Contract
law
Current State
8. A Bit of Historical Context….
• Not actually a new topic
– Warren and Brandeis – 1890
– Prosser – 1960
– Fair Information Practices – 1973
– Guidelines Governing the Protection of Privacy and
Transborder Data Flows of Personal Data – 1980
– Council of Europe – 1981
– EU Data Protection Directive – 1995
– APEC Privacy Framework – 2004
9. Regulatory Environment – Disclaimer
• Data Privacy and Protection
– Health Care
– Financial
– Labor & Employment
– Trade Secrets
– Internet of Things
– BYOD
• Other Regulations
– Online contracting
– All other offline business regulations – FCC, FTC, etc.
10. Regulatory Environment
• Understand applicable obligations
– Geographic Source of Data
– What Kind of Data – Defined by States and/or
Statutes
• Personally Identifiable Information (PII)
• Nonpublic Personal Information (NPI)
• Protected Health Information (PHI)
• Types of Obligations
– Privacy
– Security
11. Regulatory Environment
• Understand Applicable Obligations
– Personal Information
• Federal
– FTC
» Section 5 of the FTC Act
» Telemarketing Sales Rule
» COPPA
» CAN-SPAM
– FCC
» Telephone Consumer Protection Act
– USDOE
» FERPA
– Electronic Communications Privacy Act
12. Regulatory Environment
• New Bills
– Location Privacy Protection Act of 2014
• S.2171, Sen. Franken, March 27, 2014
– Personal Data Privacy and Security Act of 2014
• S.1897, Sen. Leahy, January 8, 2014
– Data Security Act of 2014
• S.1927, Sen. Carper, January 15, 2014
– Commercial Privacy Bill of Rights of 2014
• S.2378, Sen. Menendez, May 21, 2014
• Other Initiatives
– Do Not Track movement
– Big Data: Seizing Opportunity, Preserving Value, May
2014, Executive Office of the President
13. Regulatory Environment
• Understand Applicable Obligations
– Personal Information
• State
– Security Breach Notification Statutes
– Point of Sale Collection
– Security Obligations – MA 201 CMR 17.00, Nev. 603A.215
– State Consumer Protection Laws
– FERPA-like
– ECPA-like
– California
» CALOPPA, BPC 22575-22579
» Shine the Light, CA Civ Code 1798.83
» CALCOPPA, S.B. 568
14. Regulatory Environment
• Understand Applicable Obligations
– Health Information
• HIPAA/HITECH – OCR of HHS
–LabMD – overlapping jurisdiction with
FTC
–State Attorneys General
• Health Breach Notification Rule – FTC
• GINA – EEOC
• States also have similar legislation
15. Regulatory Environment
• Understand Applicable Obligations
– Financial Information
• GLB
–Privacy Rule – FTC and CFPB
–Safeguards Rule – FTC and CFPB
–Banking Regulators
• FCRA – FTC, CFPB and State Attorneys General
• FACTA – FTC, CFPB and State Attorneys General
–Red Flags Rule
• Some states have similar legislation
16. Regulatory Environment
• Understand Applicable Obligations
– Employee Information
• ADA
• HIPAA
• State Specific Rules – social media
• Employee Handbooks
• Union Agreements/Collective Bargaining Agreements
17. Regulatory Environment
• Understand Applicable Obligations
– EU
• Directives – Personal Information and Cookie
• DPAs
• Works Councils
– Canada
• PIPEDA
• CASL
– Australia
• Privacy Amendment Act 2012
18. Regulatory Environment
• Credit Card Data
– PCI DSS v.3
– Nevada 603A.215
– Minnesota 325E.64
• Online Tracking
– Digital Advertising Alliance
– OBA and retargeting
• NIST
– Media Sanitization
– Cybersecurity Framework
• NERC
• Contractual obligations and self-imposed obligations
19. Regulatory Environment
• Security Audit
– “systematic, measurable technical assessment of how the
organization's security policy is employed at a specific site”
(Symantec 2003)
– “appropriate” and “reasonable”
• What is involved?
– Personal interviews
– Vulnerability scans (pen-testing)
– Examinations of operating system settings
– Analyses of network shares and other data
• Go to the experts
– Find the right vendor
– Set parameters
22. Why Do We Care
• The Regulators are Coming….
–FTC
–Attorneys’ General
• And they are bringing bad press, fines
and Enforcement Orders
23. Why Do We Care
• Corporate Governance Issues
– SEC Investigations
– Officer Liability
– Have to Stay Informed
– NACD White Paper – Cybersecurity Boardroom
Implications (2014)
– SEC Cybersecurity Roundtable Transcript, 3/28/14,
available at www.sec.gov
24. Why Do We Care
• Valuation
– Reputational Value
– Corporate Deals - M&A
• High Profile Deals
– WhatsApp, Moves, Nest
• Impacting the Bottom Line
• Restricting Ability to Transfer
25. Why Do We Care
• Vendor Relationships
– Implicates both privacy and security
– Outsourcing does not mean relinquishing
obligations or liability
• Must do due diligence
• Appropriate contractual provisions
• Maintain level of control and knowledge of
activities
26. Why Do We Care
• Mobile App Development
– Privacy By Design
• Hosting Facilities
– Security Requirements
– Breach Notifications
• SaaS
– Data Ownership/Access/Return
– Data Usage
• Marketing
– Retargeting
– OBA
27. Why Do We Care
• Ask Questions
• Then Ask More Questions
• Which will lead to more questions
• Must understand the data flows, retention,
sharing and usage
28. Why Do We Care
• Key Provisions to Consider
– Audit Rights
– Security Audit Reports – SSAE16/ISAE3402
– Disaster Recovery/Business Continuity
– Compliance with Laws
– Ownership/Usage/Destruction
– Indemnities
– Warranties
– Exclusions to Limitations of Liability
– Insurance
29. Why Do We Care
• Responsibility for breach of security is a function
of who controls the data
• Liability for breach of security is a function of the
contract
• Compliance with laws may be a domestic and/or
foreign matter
30. Other Considerations
• IP law trailing the technology evolution of the
Cloud
• Trade Secrets and the Cloud may be
incompatible
– Potential third-party disclosures
– US PATRIOT Act
• Evolving licensing models
• Potential data location issues
• Legacy software and systems issues
31. Other Considerations
• Ownership of Data
• Preservation of Data
• Preservation may be easier on the cloud…or not
– Courts may not distinguish servers in the cloud
– Physical location of Data may be unknown
– Compliance with e-discovery and litigation holds
• Spoliation
• Data Integrity
– Must be free from corruption
32. Other Considerations
• Determine accountability for data preservation
– Who is liable for stolen data
– What does indemnification cover
– What happens in bankruptcy
– What notice is provided for security breach
– What happens if lose co-lo contract or lose lease
33. Other Considerations
• Intellectual Property
– Whose software
– Whose network
• Ownership
– Customizations or configurations
– Works made for hire
• Same contractual provisions come into play –
now from an IP perspective
34. Other Considerations
• Service Levels
• Online contracting – Enforceability
– Notice
• Conspicuous
– Choice
• Meaningful
• Contract of Adhesion