Privacy and Data Breach Issues

Transcription

1 Privacy and Data Breach Issues Konstantin Dino Tsibouris Founding Principal Tsibouris & Associates Columbus, Ohio Kirk Herath Associate General Counsel Nationwide Insurance Columbus, Ohio Table of Contents Privacy and Data Breach Issues PowerPoint Presentation... 1 Privacy and Data Breach Issues i

2 ii Privacy and Data Breach Issues

3 Privacy and Data Breach Issues Kirk Herath, VP, Chief Privacy Officer, Nationwide & Dino Tsibouris, Founding Principal, Tsibouris & Associates What is Big Data? Big Data 1. Exponential Growth in Data Generation Web Tracking Techniques Internet Enabled Mobile Devices 2. Innovations in Data Use Increase in Computing Capability Falling Cost of Data Storage Advances in Statistical Analysis Risks? Privacy and Data Breach Issues 1

4 GLBA and State Law Progeny Data Lakes Data accumulates from a variety of sources Customers, Consumers, Affiliates, and 3 rd Parties Data Governance & Preference Management Data accuracy, completeness, and security Is data fit for a particular purpose? Record Retention Is the data expired? Opt Out Preferences or a Failure to Opt In? TCPA Collecting Phone Numbers Notice and Consent? Use Limitations? July 10, 2015 FCC Declaratory Ruling and Order Key: Definition of an Auto Dialer 2 Privacy and Data Breach Issues

5 Using Big Data to Gauge Risk Traditional Consumer Reporting Agencies v. ZestFinancial FICO = Variables to Derive a Risk Score ZestFinancial = 1,000+ Variables to Derive a Risk Score Is this better? What are the risks? Regulator Uncertainty and Scrutiny Consumer Protection Considerations FCRA Consumer Reporting Agencies 3 rd Party Reports 7 Factor Data Used for a Permissible Purpose Duties Accuracy and Completeness Transparency and Redress Private Right of Action & Statutory Damages Privacy and Data Breach Issues 3

6 Laws ECOA/Reg B Fair Housing Act UDAAP Discrimination Disparate Treatment Disparate Impact Fair Lending Themes and Trends 4 Privacy and Data Breach Issues

7 Closer Look at Wyndham 3 data breaches at hotels in less than 2 years. Privacy and security representations made. FTC alleges that Wyndham failed to: Use complex IDs and passwords, Use firewalls and network segmentation, Patch systems, and Follow incident response procedures. Compromised 500K credit cards. Typical FTC 5 Enforcement Action Designate employee responsible for privacy or security program. Conduct risk assessment and employee training. Test and monitor risk identified. Implement and maintain protections. Evaluate and adjust of program. Biennial third party assessments. In effect for 20 years. Privacy and Data Breach Issues 5

8 Zappos MA AG Enforcement Zappos agreed to pay $106K Unauthorized access to: Names, addresses, phone numbers, Last 4 digits of credit card numbers, and Login credentials of customers. Zappos MA AG Enforcement Settlement requires: Maintenance and compliance with information security policies, Providing the AG with information, Demonstrating compliance with PCI DSS for two years, Third party audit, providing copy to MA AG, and addressing deficiencies, and Annual training. 6 Privacy and Data Breach Issues

9 SHA1 MD5 The Legal Response Proposed federal legislation Expanding state legislation Federal and state level enforcement Civil liability Privacy and Data Breach Issues 7

10 A Push for Federal Data Breach Legislation Personal Data Notification & Protection Act Proposed by President Obama at the State of the Union Address on January 20, 2015 Pre empts state laws Must notify in 30 days No private right of action FTC enforcement Personal Data Notification & Protection Act Triggers First and last name/or first initial and last name along with any two: Home address or phone number Mother s maiden name Full birth date SSN, DL, passport, alien registration number Biometric data Unique account ID (user name, routing code) 8 Privacy and Data Breach Issues

11 Personal Data Notification & Protection Act Triggers Any combination of the following three elements: First and last name/first initial and last name Unique account ID Any security code/source code that could generate a security code or password Personal Data Notification & Protection Act Risk of harm analysis Must send notice 30 days after discovery Individual notice ( acceptable with consent) Notice to media Notice to Federal law enforcement Notice to credit reporting agencies Privacy and Data Breach Issues 9

12 A Push for State Law and Regulation Timing and content of breach notice Definition of personal data /password information Non HIPAA health data Requirements to inform media/regulators Contracting 3.2. Protection of Your Data. We will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data, as described in the Documentation. 10 Privacy and Data Breach Issues

13 Security Breaches Remediation Notification Individuals, Regulators, Media Litigation Privacy and Data Breach Issues 11

14 General Data Protection Regulation EU member states in final stages of negotiations. Expected in the next year or so. Includes data breach notification obligation. Fines as high as %2 of annual turnover. Questions & Answers Dino Tsibouris (614) Kirk Herath 12 Privacy and Data Breach Issues