Information Privacy, Security and Ethical Considerations
MASLA Summer Conference July 2019
Douglas Gerhardt
Partner
© Harris Beach PLLC, 2019
Information Privacy, Use & Security: Solving the Compliance Puzzle
Learning Objectives
• Data Privacy Laws
• Compliance Obligations
• Security Safeguards
• Case Study – Wire Transfer Fraud/Phishing
The Carrot & The Stick
THE STICK
• Financial Risk - Penalties
• Reputational Harm
• Loss of Clients
THE CARROT
• Build Company Reputation
• More Secure Company
• Reduce Risk
• Attract New Clients
• Competitive Edge
Information Classification
NOT ALL INFORMATION IS CREATED EQUAL
Confidential
Information relating to the representation of a client and proprietary Firm information.
Highly Sensitive
Information protected by laws, regulations, or contractual obligations:
• Biometric Record
• Drivers’ License Number
• Education Record
• Financial Account Information
• Healthcare Delivery
• Healthcare Payment
• Medical Record
• Social Security Number
• Student Identification Number
The Legal Landscape
• FTC Act
• GLBA
• FERPA
• HIPAA
• GBL §899-AA
• 23 NYCRR 500
• Education Law
• GDPR (EU)
• PIPEDA (Canada)
• APPI (Japan)
• PCI-DSS
• ISO/IEC 27000
• NIST
• Contractual
• Professional Conduct - Rule 1.6(c)
Federal Trade Commission Act (15 U.S.C. §§41-58)
What Is It? Federal consumer protection law that prohibits unfair or deceptive business practices
Who Must Comply? Persons, partnerships, or corporations in or affecting U.S. commerce
Information Protected? SSN, Credit Card or Financial, Other Sensitive Data (credit reports/employee background screens)
Breach Notification Required? None
Gramm-Leach-Bliley Act (15 U.S.C. §§6801-6827)
What Is It? Federal law regulating the collection, use and disclosure of financial information
Who Must Comply? Financial Institutions that provide financial services and products (banks, securities firms, insurance companies)
Information Protected? PII provided, resulting from a transaction or otherwise obtained (§6809(4))
Breach Notification Required? Affected Customers and Law Enforcement/Credit Bureaus if applicable
New York State General Business Law (§899-AA)
What Is It? State law requiring notification of unauthorized acquisition of private information
Who Must Comply? Businesses operating in New York state
Information Protected? SSN, Drivers’ License Number, Financial Account information
Breach Notification Required? Affected Persons, State Attorney General, Department of State, Division of State Police
NYS DFS Cybersecurity (23 NYCRR 500)
What Is It? State law designed to promote the protection of customer information
Who Must Comply? Person operating under or required to operate under the Banking, Insurance or Financial Services law
Information Protected? SSN, Drivers’ License Number, Financial Account information, Security Code, Biometric, Health Information
Breach Notification Required? Superintendent of DFS
General Data Protection Regulation (GDPR)
What Is It? International law regulating the processing of personal data of individuals in the EU
Who Must Comply? Organizations that process personal data of individuals in the EU (regardless of where the information is processed or whether or not the organization is established in the EU)
Information Protected? Identification Numbers, Financial Information, Healthcare/Physical Characteristics, Religion, Sexual Orientation, Criminal Offense (see protected information for full list)
Breach Notification Required? Data Subject, Supervisory Authority, Controller (processor role)
Industry Standards
Payment Card Industry Data Security Standard (PCI-DSS)
ISO/IEC 27000 Family
National Institute of Standards and Technology (NIST)
Contractual Obligations (sometimes laws/regulations a client must comply with)
New York Rule of Professional Conduct 1.6(c)
What Is It? An ethical requirement that requires attorneys to make “reasonable efforts” to prevent unauthorized use or disclosure of client confidential information
Who Must Comply? All attorneys who practice law in New York State
Information Protected? Any confidential information relating to an attorney’s representation of a client
Breach Notification? Attorneys have an ethical duty to communicate any circumstance that materially impacts the representation of a current client
Protected Information – The Bottom Line
Protected Information:
• Biometric Record
• Drivers’ License Number
• Education Record
• Financial Account Information
• Healthcare Delivery Information
• Healthcare Payment Information
• Medical Record
• Social Security Number
• Student Identification Number
Protected Information (GDPR):
• Contact Information
• Identification Numbers
• Dates
• Biometric/Genetics
• Education/Training
• Religion
• Philosophical Beliefs
• Criminal/Legal Status
• Data about Sex Life
• Name/Role
• Personal Characteristics
• Financial Information
• Healthcare/Physical Characteristics
• Physical/Electronic Tracking
• Customer Relationship Manager
• Politics
• Trade Union Membership
• Sexual Orientation
• Survey Responses
Protected Information – Handling Guidelines
• Always secure paper documents containing protected information, including during disposal.
• Never leave protected information on voicemail.
• Always use a secure method when transmitting protected information: [SEND SECURE] or ShareFile.
• Always secure documents containing protected information in NetDocs to those individuals that require access.
• Never save protected information on removable media unless absolutely necessary, and only if it is encrypted.
Future Trends
• PERSONAL INFORMATION IS THE CURRENCY OF THE 21st CENTURY
• LAWS WITHOUT BORDERS
• TRANSFER OF POWER
• STATES TAKE ACTION
Laws Without Borders
NYS SHIELD ACT APPLIES TO ANY PERSON OR BUSINESS –
Section 2: which [conducts business in New York state, and which] owns or licenses computerized data which includes the private information of any resident of New York state.
Section 3: which maintains computerized data (of any resident of New York state) which includes private information which such person or business does not own.
NEW APPROACH – FOCUSED ON THE JURISDICTION OF THE DATA SUBJECT INSTEAD OF THE ORGANIZATION
Transfer of Power
RIGHTS OF THE DATA SUBJECT (GDPR, CA Privacy Act)
• RIGHT TO BE INFORMED
• RIGHT OF ACCESS
• RIGHT TO RECTIFICATION
• RIGHT TO ERASURE
• RIGHT TO RESTRICTION OF PROCESSING
• RIGHT TO DATA PORTABILITY
• RIGHT TO OBJECT
• RIGHTS REGARDING AUTOMATED DECISION MAKING
States Take Action
As of March 2018, all 50 states have enacted some form of data privacy laws…
Consumer Privacy Act of 2018 – Effective 1/1/2020
SHIELD Act – Introduced 11/2017
States Take Action
NYS SHIELD ACT
• Private Information Extended
• Breach Notification Standard
• Jurisdiction Extended
• Increased Fines
• Data Security Protections
Security Safeguards
INFORMATION is protected by three categories of safeguards: TECHNICAL, PHYSICAL and ADMINISTRATIVE.
ADMINISTRATIVE: Focus on policies and procedures and the administrative actions that support them.
PHYSICAL: Focus on physical measures, policies, and procedures that protect information, systems, equipment, and facilities from natural disasters, environmental hazards, and unauthorized intrusion.
TECHNICAL: Designed to protect electronic information from unauthorized access and to control access to it.
Workspace Violation
[Slide graphic with a sixty-second timer: “The clock has started.” Can you identify the seven workplace security violations in less than a minute?]
[Seven further Workspace Violation slides follow, each highlighting one violation in the graphic. The only recoverable text is the tip WINDOWS KEY + L, which locks the workstation when stepping away.]
External Information Transfer
[Send Secure]
A Case Study – O’Neill, Bragg & Staffin v Bank of America
WIRE TRANSFER FRAUD
The Scam
[Slide graphic: email exchange between Gary Bragg and Alvin Staffin – “OH NO! It was too late!”]
Level of Sophistication
Emails sent from a known account
Content implies knowledge of the matter
The account numbers were correct
Attack timed to coincide with travel and plausible request
Attention to detail – Hi Mel
Fraud Prevention
• Always verify wire transfer instructions by calling a known phone number of an individual on the other side of the transaction
• Do not initiate a wire transfer based solely on instructions received via email
• Always follow the Harris Beach Wire Transfer Policy and Procedure
AVOID FRAUD
Court Ruling
Federal judge dismissed the lawsuit
The firm failed to show that the Bank of America breached any agreement, violated federal regulations or breached the Pennsylvania Commercial Code
O’Neill, Bragg & Staffin lost more than a half million dollars
Court Ruling
“What is alleged to have happened to the law firm here is indeed unfortunate. The computer hacker, of course, is the real culprit but is not a party to this lawsuit…. [A]s between the law firm and the bank, the law firm must bear the loss.”
Thank you!
Douglas Gerhardt
(518) 701-2738
[email protected]