Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Page 1: Privacy, Data Protection, and Cybersecurity: Developments and Strategies

2012 OFII General Counsel Conference, Washington, D.C.
Edward McNicholas, SIDLEY AUSTIN LLP

Page 2: Agenda

• The Imperative of Information Governance
• Cybersecurity
• The Evolution of US Privacy Law
• New EU Data Protection Regulation
• Privacy Litigation and Enforcement
• Cloud Computing
• Social Media
• Governance Strategies

Page 3: Data Security: Atop the Corporate Radar

• According to FTI Consulting/Corporate Board Member Survey:
  – Data Security is the top legal concern in 2012 for both Directors and General Counsel
  – The percentage of Directors and GCs concerned re: data security has doubled since 2008
  – The median annualized cost of cyber-crime per company averaged $5.9 million
  – The survey noted participants’ opinion that cyber risks are invisible, ever-changing, pervasive, and costly
  – Only 42 percent of survey participants said their company had a data crisis management plan in place

Page 4: Corporate Practices on Cybersecurity: Lack of Board Involvement

• Boards of Energy/Utility Companies
  – 71% rarely or never review privacy and security budgets
  – 79% rarely or never review roles and responsibilities
  – 64% rarely or never review top-level policies
  – 57% rarely or never review security program assessments
• Boards of Financial Sector Companies
  – 42% rarely or never review annual privacy/security budgets
  – 39% rarely or never review roles and responsibilities
  – 56% do not actively address computer/information security
  – 52% do not review cyber insurance

Source: Governance of Enterprise Security: CyLab 2012 Report

Page 5: The Reality Facing Global Corporations

• Broad complexity and wide variety of national (and sub-national) privacy and data security laws complicates compliance
• Significant cultural – and legal – differences exist in the meaning and nuances of privacy and data protection
• Achieving compliance with overlapping federal, state, national, sub-national and multilateral rules is complex and burdensome
• Trend towards stricter, more prescriptive laws, with more complexity and greater enforcement, appears likely
• Cybersecurity threats have evolved from hackers and identity thieves to groups with the potential to inflict material harm

Page 6: The Cost of Getting Governance Wrong

• Breaches and data incidents can be extremely painful
• Hard costs:
  – Notifying affected individuals, credit monitoring, investigation and legal fees
• Potential costs:
  – FTC, State AG, and regulatory investigations; class actions by data subjects; litigation with business partners over hard costs; legal defense fees
• Enterprise value risk from cybersecurity exposures
• Brand/Reputation harm:
  – Charges of deceptive or unfair business practices; lost confidence / uncertainty in clients and employees; lost profits or business partners


Page 7: CYBERSECURITY

Page 8: Cybersecurity

• Cyber attacks against Google (which it attributed to China) were a "wake-up call" about vulnerabilities that could cripple the US economy (Dennis Blair, U.S. Director of National Intelligence)
  – Sophisticated foreign or competitive hacking, system penetration, network intrusion
  – “Advanced persistent threat”
• Government contractors, regulated entities, etc., could have specific legal, regulatory or contractual requirements to safeguard and/or notify of intrusions
• Employee training and awareness critical to prevent, detect and abate cyber-risks

Page 9: Not Just National Security: Corporate Data at Risk

• DHS announcement in May 2012 of ongoing, coordinated cyber attack on the control systems of U.S. gas pipelines
• NCIX report in 2011 detailing economic cyber sabotage against U.S., originating in China or Russia
• 2011 hack of top secure identity management firm RSA through phishing emails
• Hack in 2011 of NASDAQ “Directors Desk” portal with confidential board materials for public companies
• McAfee’s claim in 2011 that Chinese hackers were responsible for cyber attacks on 72 international firms and the UN over a 4 year period
• DoD revelation in 2010 of upload in 2008 of malicious code from flash drive onto networks containing classified information run by U.S. Central Command and government contractors
• Spike in industrial espionage reported by NCIX to cost as much as $400 billion each year

Page 10: Notable Victims of Hacking Attacks

• Global Payments (March 2012) – 10 million records
• Zappos (January 2012) – 24 million records
• Sony (May 2011) – 25 million records
• Sony (April 2011) – 77 million records
• Heartland Payment Systems (2010) – over 100 million compromised credit cards ($100 million settlement fund established)
• RockYou (Dec. 2009) – 32 million records
• TJX (Jan. 2007) – 94 million records
• CardSystems (June 2005) – 40 million records

Page 11: What’s at Risk?

• Valuable IP assets, proprietary information, business, transaction and negotiating records, financial data
• Account information and access to funds
• Disruption of business
• Debilitating impact on critical infrastructure and essential services
• Communications
• Supply chain management
• SCADA (supervisory control and data acquisition):
  – industrial control systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes
• National security

Page 12: Congress on Cybersecurity

• Numerous bills proposed in the past year; none passed.
• Minimal consensus
  – Combating cyber-attacks is national priority
  – Critical infrastructure must be protected (utilities, electrical grid, telecommunications, financial services, defense contractors)
  – Not enough being done by private sector to address risks
  – FISMA must be updated
• House action on 3 bills put onus on Senate
• Threat of presidential veto for House CISPA bill
• Executive Order likely
  – Effects on private sector

Page 13: SEC Cybersecurity Guidance

• Corporation Finance guidance issued Oct. 13, 2011
• Cyber attacks:
  – Target theft of financial assets, intellectual property, other sensitive information
  – Customer or business partner data could be implicated
  – Objectives could include disrupting business operations
• Disclosure if cyber-risks “are among the most significant factors that make an investment in the company speculative or risky”
  – Consider frequency of prior incidents and probability and potential harm of future incidents
  – “Specify how each risk affects the registrant”
  – Avoid generic language

Page 14: International Attention to Cybersecurity

• The fundamental difficulties of attribution
• Budapest Convention on Cybercrime
  – Only international treaty addressing computer crimes
  – Drafted by Council of Europe; signed by 47 countries (ratified by 33)
  – Signed in 2001; in force since 2004; ratified by U.S. in 2006
  – Attempt to harmonize national laws, improve investigative techniques, increase cooperation
  – Inadequate for scale of current threat
• NATO: “Strategic Concept for the Defence and Security of The Members of the North Atlantic Treaty Organization”
  – Adopted at Lisbon summit in 2010
  – Cooperative Cyber Defense Centre of Excellence (CCDCOE)
  – White House Report on “International Strategy for Cyberspace”

Page 15: EU on Cybersecurity

• European Union’s Council Framework Decision on attacks against information systems
  – Mirrors the Budapest Convention; binding on Member States
• Digital Agenda for Europe
  – Improve the EU’s ability to prevent, detect and respond to network and information security incidents
• European Network and Information Security Agency (ENISA)
  – To ensure a “high and effective level of network information security” in the EU
  – Extended through 2020
  – Creation of EU CERT
• Establishment of EU Cybercrime Center with Interpol
  – Netherlands, January 2013
• Member State initiatives
  – France, Germany, Netherlands, UK, etc.

Page 16: EU on Cybersecurity Cont’d

• EU-US Cooperation on Cybersecurity
  – Challenge: fundamentally different view of privacy leads to different approach on both data protection and cybersecurity
  – EU-US Working Group on Cyber-Security and Cyber-Crime
    • Established in November 2010 to work collaboratively on coordinated responses to:
      – Cyber incident management
      – Public-private partnerships
      – Awareness raising
      – Cybercrime
  – First joint EU-US cybersecurity exercises (defense stress tests) conducted in November 2011

Page 17: China on Cybersecurity

• U.S.-China Economic and Security Review Commission Report on Chinese Cyber Capabilities (March 2012)
  – Threats posed both by Chinese military and by nongovernmental actors
  – Reports that Chinese military relies on “civilian universities[,] private commercial IT firms … or hundreds of smaller niche firms” as collaborators
  – “Supply chain” threat: Some Chinese manufacturers selling equipment or parts to intelligence targets are feared to place code within devices to give Chinese military or intelligence actors a means of intercepting the communications traffic
• May 2012: US and Chinese defense ministers Panetta and Liang agree to work together to strengthen cybersecurity in both countries

Page 18: PRIVACY LAW: U.S. AND INTERNATIONAL

Page 19: Privacy Paradigms and Problems

• American data protection model versus European
  – US: Relatively flexible regulation combined with federal and state enforcement and private litigation
    • Rigorous data breach and data security state laws (e.g., MA, CA)
    • Corporate compliance infrastructure and accountability; outside scrutiny
  – EU: Prescriptive regulations with greater regulatory involvement
• Trends and Issues:
  – Privacy surprises (WSJ “What They Know” Series)
  – Data breach/ID Theft; Cyber-attacks
  – Online data collection, behavioral ads, tracking, location
  – Cookies, smart phones, mobile apps, social media, children
  – Cloud computing, conflict of laws, government access

Page 20: Overview of U.S. Privacy Law

• No comprehensive federal privacy statute
• In U.S., privacy is regulated via:
  – Federal sector-specific and ad hoc statutes and regulations
  – FTC regulation and enforcement
  – State laws, AG enforcement actions and private litigation
• Industry self-regulation through company privacy policies and association codes
• Changes likely in Washington, but no comprehensive statute on the horizon

Page 21: Existing Privacy and Data Security Laws

• FTC Act (“unfair or deceptive”); GLBA (financial); HIPAA (medical)
  – Do not support private rights of action
  – Lanham Act
• Electronic Communications Privacy Act (ECPA)
• Computer Fraud and Abuse Act (CFAA)
• Privacy Act, Fair Credit Reporting, Video Privacy, Educational Records, Drivers Privacy, Court Filings, FISMA, etc.
• State Unfair or Deceptive Acts and Practices Statutes (UDAP)
• State Statutory (or Constitutional) Privacy Rights
• State (and Federal) data security and data breach laws
• Common Law Negligence
• Common Law Privacy Torts

Page 22: Federal Sectoral Legislation and Regulation

• Gramm-Leach-Bliley Act of 1999 (GLBA)
  – Regulates privacy of personally identifiable, nonpublic financial information disclosed to non-affiliated third parties by financial institutions
  – Requires administrative, technical, and physical safeguards
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) / Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
  – HIPAA rules protect confidentiality and security of medical information in hands of “covered entities” and “business associates” such as healthcare providers, hospitals, employer-sponsored health plans, etc.

Page 23: Communications Privacy

Electronic Communications Privacy Act (ECPA)
• ECPA governs interception (“wiretap”), access to and disclosure – by government and/or private entities – of contents of communications, or transactional and routing information related to communications, by providers of communications services and remote computing services

Computer Fraud and Abuse Act (CFAA)
• Prohibits hacking or accessing computers in violation of, or in excess of, authorization

Telecommunications Act
• “Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers”

Page 24: Data Breach Statutes

• Data breach notification laws are pervasive
  – 46 states, DC, Puerto Rico, the Virgin Islands, and Guam have breach notification requirements
  – Some states require reporting to government agencies
• Triggers vary
  – Risk of harm
  – Pure acquisition
• Encryption remains a key issue
  – Creates safe harbor from many state data breach notice laws
  – Laptops, portable media (such as USB drives)
  – Wireless transmission; transmission over public network

Page 25: Data Breach Legislation Developments

• Federal
  – Data Security and Breach Notification Act
  – Introduced by 5 Republican Senators on June 21
• State
  – Vermont, effective July 1
    • Must notify AG in 14 business days if “reasonable belief” of breach
    • But may notify AG if prior, written attestation that incident response policies and procedures are consistent with Vermont law
    • Factors for identifying acquisition
  – Connecticut, effective October 1
    • Notify AG no later than the time notice is provided to residents

Page 26: State Data Security Standards

• Massachusetts:
  – Regulation 201 CMR 17.00
  – Requires anyone that owns, licenses, stores or maintains a resident’s personal information to develop and implement a written comprehensive information security program
  – Requirements passed through to vendors
• Nevada:
  – PCI-DSS standards codified into law

Page 27: State Issues To Watch

• Social Security Number Protection laws that require special limitations on the collection, use and display of SSNs
• State “Unfair and Deceptive Acts and Practices” (UDAP) Statutes
• Secure Disposal Laws requiring secure disposal of personal data records
• Privacy Torts: Privacy invasions, negligence, misappropriation, defamatory speech, trespass to chattel, stalking, etc.
• RFID bills that prohibit the nonconsensual use or reading of RFID chips
• Medical or Genetic privacy – restrictions on the use of test results and the use, disclosure and protection of biometric data
• Employee Surveillance – DE and CT have notice rules
• Locational Privacy – restrictions on use of GPS-enabled devices
• Behavioral Tracking and Advertising

Page 28: Privacy in Congress

• Cybersecurity Legislation
• ECPA & USA PATRIOT Act Revisions
• Sen. Kerry and McCain effort to pass omnibus privacy legislation
  – Fair information principles-based, omnibus privacy bill
  – Right for data subjects to receive a clear and concise notice of uses that they might not reasonably anticipate
  – Opt out of unanticipated uses of PII; opt-in consent required for uses of sensitive PII or third party transfer
  – Mechanism for individuals to access and correct PII
  – New Commerce Office of Commercial Privacy Policy
  – Enforcement by state Attorneys General and FTC

Page 29: Administration and Agency Initiatives

• Inter-agency “Subcommittee on Privacy and Internet Policy” as part of National Science and Technology Council’s Committee on Technology
  – Focusing on commercial privacy policy issues
  – Addressing global privacy policy challenges and pursuing interoperable international policies
  – Coordinating Administration positions on privacy and Internet legislation
• Department of Commerce Green Paper
• FTC Staff Report

Page 30: White House Plan: A Consumer Bill of Rights Based on Fair Information Practice Principles (FIPPs)

• Individual Control, Transparency
• Respect for Context
• Security, Access and Accuracy
• Focused Collection, Accountability

BUT:
• Does not really depend on Congressional action
• Relies on FTC for enforcement
• Does not include “Privacy by Design”
• Promotes industry self-regulation
• Tasks NTIA (Commerce): “to convene stakeholders, including our international partners, to develop enforceable codes of conduct that build on the Consumer Privacy Bill of Rights.”

Page 31: Privacy Impact Assessments (PIAs)

• PIAs would “require organizations to identify and evaluate privacy risks arising from the use of personal information in new technologies or information practices”
• The Department of Commerce Green Paper contemplates that such PIAs would be “prepared in sufficient detail and made public”
• Purpose for PIAs
  – To “create consumer awareness of privacy risks in a new technological context”
  – To “help organizations to decide whether it is appropriate to engage in the particular activity at all, and to identify alternative approaches that would help to reduce relevant privacy risks”

Page 32: Federal Trade Commission (FTC)

• FTC is de facto federal privacy enforcement authority under FTC Act Section 5 (15 U.S.C. § 45)
• FTC charged with preventing "unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce"
  – FTC enforces against companies that engage in the “deceptive” practice of failing to adhere to their own privacy and/or information security policies
• FTC enforces against companies that engage in the “unfair” practice of failing to provide adequate security for consumer data
• FTC enforces Gramm-Leach-Bliley Act; Fair Credit Reporting Act; Children's Online Privacy Protection Act

Page 33: FTC Vision of Privacy By Design

• Promote consumer privacy throughout the organization and at every stage of the development of products and services
• Incorporate substantive privacy protections into practices, such as:
  – data security
  – reasonable collection limits
  – sound retention practices, and
  – data accuracy
• Maintain comprehensive data management procedures throughout the life cycle of products and services

Page 34: Three Key Principles from the FTC

“Privacy by Design”
• Internal safeguards by commercial entities
• Comprehensive business privacy programs

“Simplified Choice”
• “Just in time” notice and consumer choice
• Standardized exceptions to the notice and choice
• Do Not Track (national analog to Do Not Call)

“Greater Transparency”
• Consumer access to, and ability to correct, personal data
• Prominent notification and express affirmative consent required from consumers before a company uses consumer data in a materially different manner than notified at collection

Page 35: INTERNATIONAL PRIVACY

Page 36: Current Status in the European Union

• EU Data Protection Directive (1995)
  – Limits on collection, processing, transfer, and export
  – EU member states prohibit or restrict transfers of personal information to the United States unless certain compliance mechanisms are in place
  – EU standards (derived originally from U.S. and OECD fair information principles) require:
    • Notice of collection and use of personal information
    • Choice (consent) to uses of information
    • Access to information to review, correct or expunge
    • Integrity/security of data
    • Enforcement/redress of privacy rights
  – Member states differ significantly in approach
• Other Directives: e-Privacy; Data Retention
• Member State implementation

Page 37: EU Proposed Data Protection Regulation

• Proposed EU Data Protection Regulation released on January 25, 2012
• Aims to increase harmonisation throughout EU and reduce burdens and costs
• Regulation will replace the existing EU Data Protection Directive
• May be adopted around 2014 following consultation with Council of Ministers and European Parliament
• Will apply to non-EU-based businesses selling to or monitoring online behaviour of EU residents

Page 38: Proposed EU Data Protection Regulation

• Greater Enforcement
  – Fines up to 2% of annual worldwide turnover
• Class Actions
  – Consumer organisations may bring class actions (“collective redress”), even without individuals’ consent
• Data Breach Notification
  – Possible 24-hour deadline (notice to DPAs; individuals)
• Consent
  – Data controller has burden to demonstrate consent (which may be withdrawn at any time)
  – Validity of consent undermined where significant imbalance of power
• Right to be Forgotten
• Right of Data Portability

Page 39: Proposed EU Data Protection Regulation

• Accountability and Privacy by Default/Design
  – Process only as necessary for specified/disclosed purposes
  – Retain data for minimum time necessary
  – Restrict access to those with legitimate need to know
• Data Protection Notifications Streamlined
  – DPAs no longer must be notified of data processing activities; but prior consultation required for data protection impact assessments
• Data Protection Impact Assessments
  – Conduct impact assessments where processing poses specific risks (i.e., health data)

Page 40: EU Developments

• Article 29 Working Party guidance to encourage use of cloud services
  – Requires data controllers to conduct a comprehensive risk analysis of cloud providers
  – Cloud providers must ensure adequacy of organizational and technical measures
  – International transfers must be legitimated
  – Transparency required in subcontracting
• Article 29 Working Party issued working document on Binding Corporate Rules for data processors, WP 195
  – Previously, BCRs only for data controllers; now, more streamlined method for global companies who act as service providers to process data for EU clients
• Article 29 Working Party issued opinion analyzing cookie exemption in e-Privacy Directive
  – Directive requires prior opt-in consent for cookies. Exemption applies if (1) user requests service with cookies or if cookies are necessary to provide service; and (2) cookies expire when no longer needed
  – Opinion lists specific cookies that are exempted

Page 41: EU International Transfer Rules

• Transfers permitted only to countries with “adequate” level of protection (unless mechanism below in force)
  – The decline of consent
  – US-EU Safe Harbor
    • Mounting EU skepticism
  – Model Contracts
  – Binding Corporate Rules (BCRs)
    • The Rise of Binding Corporate Rules
    • Effectively exports EU law to the entire organization

Page 42: EU Member State Developments

• France:
  – Data breach notification guidance for electronic communication providers
    • Describes specific circumstances when CNIL notification is required
    • Procedures for notifying CNIL
  – Cloud computing guidance also issued
    • Generally consistent with Working Party guidance
• UK
  – ICO’s largest data breach penalty ever
    • Imposed on Sussex University Hospitals NHS Trust
    • Breach of health data on hard drives sold at auction in 2010
  – Draft “Anonymisation Code of Practice”
    • How to structure anonymization process
    • How to avoid re-identifying an individual
  – Renewed investigation of Google Street View

Page 43: Recent Non-EU Developments

• Australia:
  – New data protection legislation pending (Privacy Amendment)
  – Data breach notification guidance issued
    • Notification of individuals and Office of the Australian Information Commissioner is “highly recommended” for breach
    • Breach trigger: “real risk of serious harm”
    • 4 steps for incident response
• China
  – Amendments to Internet and Mobile Devices regulations
• Philippines
  – New Data Privacy Act modeled on EU/APEC

Page 44: PRIVACY LITIGATION

Page 45: Examples of Litigation Exposure

• Customer whose bank funds were stolen by hackers alleged that bank holding did not do enough to prevent hack
  » Patco Construction Co. v. People’s Ocean Bank (D. Me.) (summary judgment granted to def., 2011)
  » Anderson v. Hannaford Bros.: Hack of credit card magnetic strip; merchants have implied contractual duty to safeguard customer financial data
• Bank sued to avoid refunding customers’ funds taken from their account by Romanian hackers with valid credentials
  » PlainsCapital Bank v. Hillary Machinery, Inc. (E.D. Tex.) (settled, 2010)
• Data breach litigation following cyber attacks
  – E.g., class actions filed against Sony after PlayStation hack
• Failure to safeguard could expose boards to shareholder suits alleging negligence or breach of fiduciary duty
  – Delaware Caremark decision: duty of care to safeguard digital assets?

Page 46: Privacy at the U.S. Supreme Court in 2012

• First American Financial Corp. v. Edwards
  – Supreme Court dismissed its writ, leaving Ninth Circuit ruling in place
  – The Ninth Circuit panel held, in effect, that an alleged technical violation of RESPA could create Article III standing; that is, the case could proceed regardless of whether a particular plaintiff was actually harmed
• U.S. v. Jones
  – Raised property theory of Fourth Amendment protections
  – Several Justices openly questioned prevailing analysis
• FAA v. Cooper
  – “Actual damages” does not include non-pecuniary losses like emotional distress or humiliation
  – No waiver of sovereign immunity, notwithstanding minimum statutory damages of $1,000

Page 47: Privacy, Data Protection, and Cybersecurity: Developments and Strategies

2012 OFII General Counsel Conference Washington, D.C.

Difficulty for Plaintiffs: Showing Harm or Damages

• Federal and State courts have shown:
– Standing/cause of action is difficult to establish where no statutory violation or concrete harm is alleged
– Standing/cause of action is easier to establish for statutory violations, or where there are concrete allegations of tangible harm
– But plaintiffs still face an uphill battle to show that they are entitled to relief


Page 48: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


THE COST OF GETTING DATA SECURITY WRONG


Page 49: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Privacy and Data Breach Awards

• $100 million settlement fund established by Heartland Payment Systems for Visa and MasterCard customers (over 100 million compromised credit cards) (2010)

• $10 million settlement between ChoicePoint and shareholders (inadequate security; compromise of over 13,000 consumer records) (2010)

• $9 million settlement between Netflix and customers (release of video records and payment information) (2012)

• $8.5 million settlement between Google and customers (privacy violations concerning Google Buzz) (2011)

• $5 million settlement between BMW and customers (recording customer calls without consent) (2012)

• $2 million settlement between Adaptive Inc. and NY Attorney General (improper collection of credit card information from third-party retailers) (2012)


Page 50: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


FTC Recoveries

• $30 million court order against “Cash Grant Institute” (2.7 million robocalls to parties on Do Not Call registry) (2012)

• $15 million settlement with ChoicePoint (improper provision of PII and consumer reports to non-legitimate users)($10 million civil penalty plus $5 million consumer redress) (2006)

• $11 million settlement with LifeLock (misrepresenting identity theft safeguards) (2010)

• $2.9 million settlement with ValueClick Inc. and Hi-Speed Media (CAN-SPAM Act allegations) (2008)

• COPPA Penalties: Playdom, Inc. ($3 million, 2011), RockYou ($250,000, 2012)


Page 51: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


HIPAA Settlements

• $2.25 million settlement with CVS (inadequate data disposal security) (2009)

• $1.5 million settlement with Blue Cross Blue Shield of Tennessee (data breach involving PHI of one million members) (2012)

• $1 million settlement with Mass. Gen. Hospital (employee removal and loss of sensitive PHI) (2011)

• $1 million settlement with Rite Aid (disposal of labeled pill bottles in publicly accessible dumpsters) (2010)


Page 52: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


EU Fines

• $5.2 million penalty imposed by the U.K. Financial Services Authority against HSBC (failure to protect customer information) (2009)

• $3.49 million penalty imposed by the U.K. Financial Services Authority against Zurich Insurance U.K. (loss of personal information of 46,000 customers) (2010)

• $264,856 penalty imposed by the Hamburg data protection authority against German bank Hamburger Sparkasse AG (unlawfully accessing customer data and creating customer profiles) (2010)

• $220,689 penalty imposed by the U.K. Information Commissioner’s Office against Midlothian Council (Scotland) (misdirecting personal data on five occasions) (2012)

• $141,664 penalty imposed by the French data protection authority (CNIL) against Google (Street View cars collecting data from unsecured Wi-Fi networks) (2011)


Page 53: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


CLOUD COMPUTING CONSIDERATIONS


Page 54: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Cloud Issues and Risks - Overview

• Balkanization of the Cloud is a real threat and could impair value for governments, businesses and consumers

• Europe is a problem, but could be moving in the right direction (especially with helpful prodding)

• Legal jurisdiction is confusing and controversial

• Cloud policies and standards are a bit of a mess

• Business Clouds and consumer Clouds are different

• Privacy, security and control will pose ongoing challenges

• Government and litigation access to Cloud data need rationalization


Page 55: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Threat of Cloud Balkanization: USA PATRIOT Act and EU Privacy Law?

• US and European governments have similar approaches to the balance between privacy and national security:

– USA PATRIOT Act provides the FBI access to any business record with a court order, and expands the government’s ability to obtain records pursuant to a National Security letter; “probable cause” warrant or equivalent typically required for acquisition of communications or sensitive information

– EU Data Protection Directive – Article 13 expressly permits Member States to restrict the Directive’s otherwise applicable protections where necessary to safeguard national security

– EU Treaty of Lisbon expressly allows member countries to impose derogations on personal privacy where necessary for national security purposes

– Specific European countries, such as the Netherlands and Spain, have created carve-outs in personal data privacy protections for activities conducted under the rubric of national security or certain law enforcement activities.


Page 56: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Uncertainty for Cloud Users

• Not specifically regulated but a plethora of divergent laws and enforcement approaches apply around the world

• Many laws relating to data privacy are outdated and it is unclear how they will be applied in Cloud circumstances

• Laws of multiple jurisdictions may apply to transactions involving a single data set

• Transferring data to a Cloud provider may lead to ambiguity regarding data protections

• Liability for, and uncertainty about duties for responding to, data breaches, unauthorized access, loss of data, demands for access to data


Page 57: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Corporate Cloud Strategies

• Recognize that Cloud legal issues concern B2B as well as consumer (privacy) issues

• Take stock of where in the world your data are (conduct a data inventory and track flows of): personal information, IP and trade secrets, HR data, other valuable information assets

• Engage in careful contracting: preserve control, reduce risk of disclosure, assign security obligations and enforcement costs

– Affirmatively deny consent to interception or disclosure of data conveyed by/through the Cloud provider to governments or litigants

– Require notification of breaches, disclosures and requests for data

– Deny access unless specifically authorized in advance or compelled by law (in which case notification is requested)

– Require maximum possible resistance to disclosure

– Determine access controls and encryption protocols (including who holds the encryption keys)


Page 58: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


SOCIAL MEDIA CONSIDERATIONS


Page 59: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Accessing Facebook Pages & Passwords

Close to 50% of HR professionals use applicants’ social media sites as part of their background screening process.

-- EmployeeScreenIQ, Annual Background Screening Trends Survey , 2012


“If an employer were to gain access to an applicant’s page and decide not to hire them, was that decision made because of their age, sexual orientation, religious affiliation? That has a lawsuit written all over it.”

- - Sen. Steve Hobbs, D-Lake Stevens, Senate Democrats Washington State Blog

Page 60: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Accessing Facebook Pages & Passwords

• Potential legal consequences . . .

– Discrimination claims

– Disparate impact claims

– NLRA claims

– Knowledge creates obligations

• Proposed or enacted laws:

– State – Maryland (enacted 2012), California, Delaware, Illinois (enacted 2012), Massachusetts, Michigan, Minnesota, Missouri, New Jersey, New York, South Carolina, Washington . . .

– Federal – Social Networking Online Protection Act (SNOPA)

• More to come as the DOJ, FTC and EEOC are expected to investigate whether such practices violate federal law


Page 61: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Corporate Social Media Policies

• Unlawful policies (per NLRB Acting General Counsel reports)

– Lack of limiting examples and definitions

– Savings clauses do not cure overbroad language

– Unilateral implementation

• Lawful policies?

– Context is the “key” to the reasonableness of an employee’s interpretation

• Emerging recognition of employer’s legitimate interests?

– G4S Communications (USA), Inc., 28-CA-23380 (NLRB Div. of Judges, Mar. 29, 2012), upholding a “no-photo” policy provision because the employer “clearly [had] legitimate reasons” for the policy


Page 62: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


FTC Privacy Guidance for Social Media

• FTC Commissioner Julie Brill: “social media have raised privacy concerns that we are addressing through our policy and law enforcement efforts.”

– Social media is about choosing what to share with whom; social networks need to honor those choices

• Build privacy and security protections into new products and services – “Privacy by Design”

• Provide simplified, understandable policies; describe choices clearly and concisely – “just-in-time” notice

• Respect “context” of transaction or relationship – no disagreeable privacy surprises

• Greater transparency around data collection, use and retention


Page 63: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Other Regulators: Financial

“Social media is landscape-shifting. It converts the traditional two-party, adviser-to-client communication into an interactive, multi-party dialogue among advisers, clients, and prospects, within an open architecture accessible to third-party observers. It also converts a static medium, such as a website, where viewers passively receive content, into a medium where users actively create content.”

National Examination Risk Alert (January 4, 2012)

SEC Office of Compliance Inspections and Examinations


Page 64: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Other Regulators: FDA“Because consumers increasingly use the Internet to search for information about medical conditions and treatments, firms may receive public requests for off label information about their products through, for example, product websites, discussion boards, chat rooms, or other public electronic forums that they maintain and over which they have full control. Firms may also encounter requests for off-label information on third-party sites (i.e., websites and other venues that are either entirely independent of a firm’s control and influence or not fully controlled by a firm).”

FDA Guidance for Industry: Responding to Unsolicited Requests for Off-Label Information About Prescription Drugs and Medical Devices (December 2011)


Page 65: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Social Media and EU Data Privacy

• Data privacy is a major concern with social media

• Under the EU Data Protection Directive, a company is a “data controller” of personal data collected through its social media

• Where sensitive personal data is processed, consent is likely to be required (which is difficult for third party data)

• Proposed EU Data Protection Regulation authorizes fines of up to 2% of annual worldwide turnover and class actions

• Proposed EU Data Protection Regulation also has a new right to be forgotten and a right of data portability (i.e. to transfer data to a new provider)


Page 66: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Best Practices and Risk Mitigation

Social Media Projects (authorized company sites)
- Require early consultation with legal, privacy and regulatory compliance teams (“Privacy by design”)
- Appoint social media project owner
- Develop social media monitoring and Public Relations plan (offense and defense)

Policies; Employee training and accountability
- Disclose collection, use, sharing of personal data; provide choices; address data security; comply with policies: RESPECT CONTEXT/NO PRIVACY SURPRISES!
- Build monitoring into internal audit and performance evaluation processes
- Ensure appropriate employee training

Develop and publish policies for specific social media channels –

– E.g., Facebook; Twitter; etc.


Page 67: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Social Media Checklist

– Maintain list of websites under “management or responsibility”
– Social media project owner is in place
– Early consultation with the legal, privacy and compliance teams
– Publish terms and conditions of use and privacy policies
– Adopt “take down” and social media incident response procedures
– Conform privacy policy, collection, uses and sharing to FTC guidelines and industry best practices; comply with own policies
– Conform advertising and endorsement practices to FTC testimonial policies
– Processes and controls to monitor content on social media sites for misleading statements and impermissible content
– Monitor regulatory, enforcement and litigation developments
– Train employees to understand social media policies
– Thorough review of relevant third-party terms and conditions


Page 68: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


GOVERNANCE STRATEGIES


Page 69: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Strategies for Information Governance

• Take stock of your data:

– Conduct data inventory and track flows of: PII, HR data, social media, trade secrets, IP and other valuable information assets

• Implement policies and impose responsibility for privacy compliance and data protection, cybersecurity and international data transfers

– Educate, train and sensitize executives and employees on privacy; address social networking

– Build in: “privacy by design”; privacy impact analysis; accountability

• Conduct due diligence and maintain control over internal systems, and potential and current Cloud and data service providers:

– Carefully limit access/use/disclosure of data

– Require reporting of breaches and third-party requests


Page 70: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Corporate Strategies: Assessment

• Factual assessment
– Map how personal data is collected, stored and transferred

• Cultural assessment
– Assess privacy training and employee awareness
– How does privacy fit within the goals of the organization?

• Legal assessment
– Analyze existing policies and procedures
– Review vendor contractual provisions
– Find a trans-border data flow solution
– Review website policies
– Labor unions / works councils
– Registrations with DPAs

• Security assessment
– Document information security vulnerabilities and protections
– Third party service providers and their policies


Page 71: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Mind the Common Compliance Gaps

The ability to deliver on privacy and security compliance obligations is often being outpaced by market, technological, and organizational changes

Common gaps (diagram labels):
– Vendors
– New technologies
– Analog problems in a digital world
– People
– Wireless and mobile devices
– Organizational commitment


Page 72: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Key Insights

• The issue is information governance – collection, use, sharing, security, eDiscovery, retention and disposal

• Focus on data security, particularly due diligence over Internet systems and service providers

• Clear legal obligations will generally lag industry standards, reasonable practices, and new technologies

• Include privacy in the design of new projects

• Ensure board and senior management involvement


Page 73: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Internal Controls for Privacy, Cybersecurity and International Data Transfers

• Establish information governance program
– Monitor changes in US and international privacy law
– Comprehensive written information security plan
– Data breach and incident response planning
– Internal accountability, resources and reporting

• Address domestic and international compliance risks
– Ensure compliance with local data security laws (e.g., Massachusetts 201 CMR 17.00)
– Develop cybersecurity safeguards and anticipate “penetration”
– Multi-jurisdictional internal, litigation and governmental investigations; document requests
– International data transfers


Page 74: Privacy, Data Protection, and Cybersecurity: Developments and Strategies


Edward McNicholas, Partner
Sidley Austin LLP
1501 K Street, NW
Washington, DC 20005
(202) 736-8010

www.sidley.com/infolaw

This presentation has been prepared by Sidley Austin LLP as of September 11, 2012, for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers.

Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, London, Hong Kong, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.
