Protecting Employee and Customer Privacy in an Era of Big Data Monitoring

Transcription

1 FEBRUARY 3 5, 2015 / THE HILTON NEW YORK Protecting Employee and Customer Privacy in an Era of Big Data Monitoring This program addresses the challenges associated with protecting employee and customer privacy in the wake of accelerated monitoring, collection and analysis of data for the purposes of security, marketing and business intelligence.

2 Protecting Employee and Customer Privacy in an Era of Big Data Monitoring Jason R. Baron Moderator Of Counsel, Drinker, Biddle & Reath, LLP Alan Friel, Esq. Partner, BakerHostetler Heidi Wachs, Esq. Special Counsel, Jenner & Block Julia Horwitz, Esq. Consumer Protection Counsel Electronic Privacy Information Center (EPIC) Sheryl Ann Yamuder, Esq. Senior Managing Counsel, Privacy & Data Protection MasterCard THE OPINIONS AND VIEWS EXPRESSED HERE ARE ENTIRELY OUR OWN AND DO NOT NECESSARILY REPRESENT OUR EMPLOYERS POSITIONS, STRATEGIES, OR OPINIONS. PLEASE REFRAIN FROM QUOTING OR PARAPHRASING THE SPEAKERS REMARKS WITHOUT EXPRESS PERMISSION.

3 Protecting Employee and Customer Privacy Program Format How are we monitored and why? Best practices in policy and security controls What makes effective privacy, BYOD, computer and network usage policies? Reasonable expectations of privacy in US today US privacy laws vs. EU environment

4 Mistrust 91% feel like they ve lost control over the way their personal data is collected and used 80% of Americans are worried about the government s monitoring of phone and Internet communications. - Wall Street Journal, citing Pew Study: Public Perceptions of Privacy and Security in the Post- Snowden Era

5 Mistrust (cont.) 72% worried about what companies do with information 76% worry about how much data online services collect 57% of Americans see data collection as an invasion of privacy Survey of 2500 US adults 18+, by file-transfer service, WeTransfer 72% of Americans will avoid wearing Google Glass in public. Study by market research and data collection firm Toluna

6 How Are We Monitored and Why? In the Workplace In Your Private Life Network Communications Monitoring Web, including social media Access to structured data Access to files on structured repositories Mobile devices (app usage, corp data access, , social media, websites visited) GPS tracking of vehicles and mobile devices Website activity Social media activity Mobile device usage, including GPS location Mobile app usage Point of sale in stores Use of smart products (TVs, refrigerators, asthma inhalers, video game consoles, your car, farming equipment )

7 Mass Resignation? Privacy will be the new taboo and will not be appreciated or understood by upcoming generations. -- Anonymous Respondent Source: The Future of Privacy, Authors Lee Rainie and Janna Anderson, Pew Research Internet Project

8 Reasonable Expectation of Privacy? There will be no real or sustained privacy. Every human on this planet can be detected, and any communication to or from him or her can, and will, be monitored. David Hughes, a retired US Army Colonel who, from 1972, was a pioneer in individual to/from digital telecommunications It would help if people would stop saying that privacy is dead get over it. There is no law of physics that says that it is impossible to have privacy. We can have privacy, if that is what we as a society choose. Barbara Simons, a highly decorated retired IBM computer scientist, former president of the ACM, and current board chair for Verified Voting Source: The Future of Privacy, Authors Lee Rainie and Janna Anderson, Pew Research Internet Project

9 US Privacy Law Federal Trade Commission jurisdiction Sector-by-sector laws FIPS (Federal Information Processing Standards)

10 Regulatory Scrutiny Deceptive Statements? We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about our guests. We safeguard our Customers personally identifiable information by using industry standard practices. Scope of Investigation Not just whether company implemented reasonable security measures They look broadly at all information collection, use, and sharing practices (e.g., US-EU Safe Harbor compliance status) Compliments of Baker Hostetler. Not for re-use. 10

11 The Pending Wyndham Case FTC v. Wyndham Worldwide Co. et al. (on appeal in 3 rd Circuit) The FTC initiated an enforcement action against Wyndham Worldwide Corp. and three of its subsidiaries in 2012, alleging that computer network intrusions led to more than $10.6 million in payment card fraud losses. Wyndham and its subsidiaries moved to dismiss the case, arguing that the FTC exceeded its congressional authority and that its use of data security enforcement actions lacked regulatory backing and failed to give them notice of which practices were lawful.

12 Wyndham (con t) FTC v. Wyndham Worldwide Co. et al. (pending in 3 rd Circuit) Lower court denied a motion to dismiss by Hotels and Resorts, ruling that the FTC has authority under the unfairness prong of Section 5 of the FTC Act, 15 U.S.C. 45(a), to bring a data security enforcement action against the company (FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887, 2014 BL (D.N.J. Apr. 7, 2014)). Specifically, the court said the FTC didn't need express authority from Congress to bring data security enforcement actions under the FTC Act and didn't have to promulgate prior data security

13 Wyndham (con t) FTC v. Wyndham Worldwide Co. et al. (pending in 3 rd Circuit) The district court ordered the following questions to be certified: Whether the Federal Trade Commission can bring an unfairness claim involving data security under Section 5 of the Federal Trade Commission Act, 15 U.S.C. 45(a). Whether the Federal Trade Commission must formally promulgate regulations before bringing its unfairness claim under Section 5 of the Federal Trade Commission Act, 15 U.S.C. 45(a).

14 Improving Policies Checklist Driven by increased employee mobility and rulings, such as U.S. Supreme Court, in Riley v. California, organizations are seeking to optimize policies. State the specific business purposes for monitoring and inform employees of the specific types of monitoring that will be used. Confirm company ownership of business data in any format, even on personal smartphones and laptops. Require installation of security software to enforce password protection, to enable the location of devices, as well as remote wiping. Spell out the employer s right to access and protect its information and data even if contained on the employee s personal cell phone or laptop. Sources: Employee Benefit News (EBN), Supreme Court limits search of data stored on cell phones, Walter Kruger ISACA.ORG, Employee Monitoring and Surveillance The Growing Trend, Robin Wakefield

15 Improving Policies Checklist (cont.) Require surrender of cell phones and passwords upon separation of employment for examination to accomplish removal of company data. Confirm that the employee may have no reasonable expectation of privacy with devices used to store company data and access company systems. Clarify permitted or prohibited use of company mobile devices for personal purposes, and whether company business is permitted to be conducted on personal devices. Clearly outline the forms of communication and the websites that are prohibited. Define the acceptable use of company networks and and set clear boundaries for the personal use of company networks. Determine and inform employees of the the consequences for policy violations. Sources: Employee Benefit News (EBN), Supreme Court limits search of data stored on cell phones, Walter Kruger ISACA.ORG, Employee Monitoring and Surveillance The Growing Trend, Robin Wakefield

16 Sources of Breaches Serviced By Beazley, 1/1/14 8/31/14 Compliments of Baker Hostetler. Not for re-use.

17 Victims By the Numbers Adapted from Mandiant s MTrends Beyond the Breach: 2014 Threat Report Compliments of Baker Hostetler. Not for re-use. 17

18 Victims By the Numbers Adapted from Mandiant s MTrends Beyond the Breach: 2014 Threat Report Compliments of Baker Hostetler. Not for re-use. 18

19 Companies are Still Too Optimistic About Ability to Detect an Attack Within 72 hours or less Within a week Within a month Within three months Not confident that we can detect critical Responses (%) *Information from Tripwire Breach Detection Survey, June 24, 2014; Mandiant s MTrends Beyond the Breach: 2014 Threat Report Compliments of Baker Hostetler. Not for re-use.

20 A Simplified View of a Data Breach Discovery of a Data Breach Evaluation of the Data Breach Managing the Short-Term Crisis Handling the Long-Term Consequences Theft, loss, or Unauthorized Disclosure of Personally Identifiable Non-Public Information or Third Party Corporate Information that is in the care, custody or control of the Insured Organization, or a third party for whom the Insured Organization is legally liable Forensic Investigation and Legal Review Notification and Credit Monitoring Public Relations Class-Action Lawsuits Regulatory Fines, Penalties, and Consumer Redress Reputational Damage Income Loss Compliments of Baker Hostetler. Not for re-use.

21 State Laws 47 states, D.C., & U.S. territories Laws vary between jurisdictions Varying levels of enforcement by state attorneys general Limited precedent What does access mean? What is a reasonable notice time? Compliments of Baker Hostetler. Not for re-use.

22 Who needs to be notified? Customers Government Agencies Attorneys General Law Enforcement Credit Reporting Agencies (CRA's) SEC Disclosures Compliments of Baker Hostetler. Not for re-use. 22

23 Costs of Response Forensics Notification costs Credit monitoring Call center Crisis response Legal fees Defense costs/settlement expenses PCI fines/assessments & regulatory fines Compliments of Baker Hostetler. Not for re-use. 23

24 Reputational Challenges After incident affecting 145 million users, ebay saw: Decline in user activity 15% of buyer accounts still have not reset passwords 49% of adults online less inclined to use ebay going forward Lowered annual sales target by $200 million Stock: 5/20/14 close: $ /10/14 close: Why do some incidents seem to have less of an impact? Timing/frequency of post-incident customer interaction Is company viewed as handling incident well? *Information from SC Magazine, Compliments of Baker Hostetler. Not for re-use.

25 SEC Guidance on Cyber-Security Disclosure Obligations SEC Guidelines Issued October 13, 2011 Suggests that publicly traded companies: Disclose incidents of cyber intrusions in SEC filings Disclose risk factors of cyber intrusions Guidance was careful to note that a company is not required to make disclosures that could provide a roadmap for the company s vulnerabilities. SEC has issued letters requesting certain high-profile cyber intrusions be disclosed Amazon s Zappos.com breach Google Although not mandatory, SEC s activity here seen as foreshadowing to future mandatory obligations The SEC s Office of Compliance Inspections and Examinations (OCIE) released a document in April 2014 that highlights sample questions and potential areas of informational requests that the OCIE may use in conducting examinations of registrants regarding cybersecurity. In a speech on June 10, 2014, Commissioner Luis Aguilar stated that corporate boards should have a role in preparing for cyber-security risks as well as coordinating responses when breaches occur. More focus from the SEC could encourage private litigants to bring actions against public companies for breach of fiduciary duty, mismanagement, waste of corporate assets and abuse of control. D&O lawsuit against Target Compliments of Baker Hostetler. Not for re-use. 25

26 Cyber-Security Boardroom/Executive Issue Compliments of Baker Hostetler. Not for re-use.

27