Post on 11-Apr-2017
Page 3
Introductions: Today’s Speakers
• Gant Redmon, Esq. - General Counsel, Co3 Systems
• 15 years corporate counsel, CIPP
• Andrew Serwin, Esq. - Partner, Foley & Lardner LLP
• CIPP/E, CIPP/US, CIPP/G
• Chair: Privacy Security and Information Management Practice
• Author of "Information Security and Privacy: A Guide to Federal
and State Law and Compliance," and "Information Security and
Privacy: A Guide to International Law and Compliance."
Page 4
Co3 Automates Breach Management
PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps
REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports
ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments
MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion
Page 5
About Foley & Lardner LLP
• Chambers 2012
• “Lawyers in the group are particularly strong in FTC representation,
healthcare privacy matters and privacy litigation. The practice is
noteworthy for its international clientele, including a series of internet
giants...”
• Legal 500 2012
• “Foley & Lardner LLP’s well-respected Andrew Serwin in San Diego,
chair of the practice and co-chair of the privacy litigation team, has a
high profile in privacy and data security. ‘He literally wrote the book,’
comments one client. Clients appreciate the group’s ‘excellent service
and terrific, responsive advisors’. Highlights included providing
strategic advice to social gaming company Playdom, a subsidiary of
Disney Enterprises, in a ground breaking matter before the FTC.”
Page 6
About Foley & Lardner LLP
• In the Matter of Spokeo, Inc. – Represented Spokeo, a data broker, in the first FTC matter alleging violations of the FCRA and Section 5, arising from the sale of Internet information, as well as an alleged violation of the endorsement guidelines.
• In the Matter of CVS Caremark – Represents CVS/Caremark before the FTC and the Office of Civil Rights in connection with a consent decree and resolution agreement arising from allegations related to information security.
• In the Matter of Playdom, Inc., a subsidiary of Disney Enterprises, Inc. – Represented the company before the FTC in an investigation alleging a violation of COPPA and Section 5.
• In the Matter of MySpace – Represents MySpace before the FTC in a matter alleging violation of Section 5.
• F.T.C. v. Lights of America, Inc., et al. – Represents defendants in an FTC litigation matter brought in the Central District of California.
Page 8
2012 Recap
The White House Privacy Bill of Rights
• Came out in February
• Looks like FIPs: the 1973 US Department of Health,
Education, and Welfare (known today as the Department
of Health and Human Services) Code of Fair Information
Practices
Page 9
2012 Recap
The White House Privacy Bill of Rights
• Recent Developments: In July, the Commerce
Department began holding meetings to decide concrete
enforcement terms for the Privacy Bill of Rights with a
focus on creating a consumer data transparency code of
conduct for mobile apps.
• Possible Future: Something for NIST to work with as part
of Cyber Security Standards
Page 10
2012 Recap
• Access v. Acquisition
• Information Liability
• Miscellaneous State Updates
• Advertising Liability
Page 11
2012 Recap
Canada: C-12 The Safeguarding Canadians’ Personal
Information Act
• Bill C-12 will amend the Personal Information Protection
and Electronic Documents Act (PIPEDA)
• Introduced in the House of Commons by the Minister of
Industry on 29 September 2011
• Creates a national breach notification obligation; PIPEDA’s
current notice provision is not mandatory.
Page 12
2012 Recap
Canada: C-12 The Safeguarding Canadians’ Personal
Information Act
• Recent Development: On 12/11/12, Privacy Commissioner
Jennifer Stoddart said she was “no longer certain I can
provide wholehearted support for the legislation as
currently drafted.”
• Not happy with the inability to fine; as drafted, the
Commissioner must take the company to court.
Page 13
2012 Recap
EU General Data Protection Regulation
• Published December 2011
• Extends the jurisdictional reach of EU privacy laws to any data
controller that processes data of EU residents, no matter
where the controller is located or the processing occurs
• Most remarkable for the 24-hour notice period, sanctions up to
5% of annual revenue, and the right to be forgotten.
• Seems stalled, but Viviane Reding, Vice-President of the
European Commission has until 2014 to get these items
passed.
Page 14
2012 Recap
EU General Data Protection Regulation
• Recent Plan B: EU’s executive committee plans to
introduce their recommendation in February of 2013 that
critical companies provide breach notification to EU
authorities. These include mobile carriers, banks, energy
companies, and other critical infrastructure providers.
• Starting to look sector-based rather than comprehensive.
Page 15
2012 Recap
• Brand Issues
• Employment Issues
• Dissemination Of Confidential Information
• Computer Crimes
• “Operator” Liability
Page 17
2013 Predictions
• Breach Levels
• Emerging Breach Issues
• De-Identification v. Transparency & Access
• FTC Act
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of
planning for a nightmare scenario as
painless as possible, making it an Editors’
Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages
for privacy look like.”
GARTNER
“Platform is comprehensive, user
friendly, and very well designed.”
PONEMON INSTITUTE
Andrew Serwin
Chair: Privacy Security and Information
Management Practice
Foley & Lardner LLP
aserwin@foley.com