Data Privacy & Security: Essential Questions Every Business Must Ask

Transcription

1 Data Privacy & Security: Essential Questions Every Business Must Ask Presented by: Riddell Williams P.S. Riddell Williams P.S. May 6, 2015 # Innocent? 2 Overview 3 basic questions every business should ask Are you ready to respond to a hack or data loss? Do you have appropriate insurance? Emerging risks and issues 3 1

2 Why Make Privacy and Data Security a Priority? 4 Data Security Risk Is Real and Imminent 19% chance of data breach involving at least 10,000 records in next 24 months (2014 Ponemon Institute Research Report) 60% of small businesses that are hacked go out of business within six months. (Ted Devine, CEO of Insureon, a small business insurer) 5 Consequences Are Serious and Long-Lasting Reputational damage Business interruption Response costs Liability to partners and vendors Regulatory action Lawsuits 6 2

3 3 Questions Everyone Should Ask 1. What are you collecting? 2. How are you using it? 3. How are you protecting it? 7 Question 1: What Data Are You Collecting (and Why)? 8 What Do Customers Consider Private? 9 3

4 Personal Information, Generally Information that separately or in combination reveals a person s identity Washington = name plus: SSN Driver s license Number and access code 4/23/15 amendment: Is personal information secured? Did intruder have access to encryption key or ability to decipher? Standard for encryption 10 Other Personal Information Health information Employee information address Utility and service use Zip code 11 Why Are You Collecting That Information? Don t have it = can t get in trouble for it How does the consumer benefit from data collection? Collecting the least you need? Authorized to collect it? 12 4

5 Do You Disclose Data Collection? Does your website need a privacy statement? YES, unless you are sure you do not collect personal information. 13 Privacy Statement Tips Talk to an expert Keep it current Key elements: What you collect How you collect it What do you do with it What do you share with third parties Additional issues: Opt-out Changes to the statement 14 Question 2: How Are You Using Information You Collect? 15 5

6 What Are You Doing With It? Existing legitimate business purpose versus possible future use Using only for the purposes you disclosed to consumers Disclosing it to third parties? 16 Laws May Limit Collection and Use HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH) Gramm-Leach-Bliley Act (GLBA) FTC Act and other consumer protection laws CAN-SPAM Act Telephone Consumer Protection Act (TCPA) Children s Online Privacy Protection Act (COPPA) State laws, e.g., California s Eraser Button law 17 Data Retention Are you retaining personal information for longer than necessary? Does your company s data retention policy: Require destruction of records when they no longer serve a business purpose? Have procedures for secure destruction? 18 6

7 Question 3: How Are You Protecting Information You Collect? 19 When and How Much Protection Do You Need? Protection should be proportionate to the sensitivity of the information Protect at all stages Collection Storage Handling Transit Disposal 20 Five Simple Steps (WSJ April 19, 2015) 1. Accelerate software patch timelines 2. Limit online doors (many devices don t need to be online) 3. Encrypt your data 4. Eliminate or supplement passwords 5. Improve due diligence on vendors 21 7

8 Four Administrative Measures 1. Implement a cybersecurity framework or information security program (NIST, etc.) 2. Institute an employee training program 3. Develop and practice an incident response plan 4. Evaluate available insurance (every year) 22 Risks Posed By Vendors Any party who shares customer or employee information with a vendor is at risk Claims based on vendor selection (FTC, private lawsuits) 23 Vendor Due Diligence Web sites and sales materials Gartner and other third parties Create a checklist/application Financial condition and insurance Information security controls Employee training and awareness Incident response 24 8

9 Provisions to Consider in Vendor Contracts Confidentiality Ownership and use of data Use of subcontractors Requirement to notify and to disclose breach Information security provisions Indemnity 25 Are You Ready to Respond to a Hack or Data Loss? 26 Response Readiness Checklist Do you have a disaster recovery plan? Internal incident response team identified and trained Finders, fixers, communicators, regulators Responding well Assess Mitigate and preserve Privilege Notification Contractual requirements? 27 9

10 Do You Have Appropriate Insurance? 28 Which Coverages Align With Your Risks? Regulatory response Notification costs Crisis management Credit monitoring Media liability Theft and fraud Forensic investigation Business interruption Computer data loss and restoration Extortion 29 Do You Have Appropriate Coverage? 1. Understand the coverage you have 2. Investigate additional coverage options and costs 3. Select the right coverage for your business 30 10

11 Legal Challenges from the Internet of Things 31 Internet of Things What is it? Not computers, phones, tablets Any product or sensor that connects to the Internet Car or Home or Wearables 32 The Mission and The Team The Mission To provide reasonable security The Team Who is in charge of privacy and security issues? Single Individual or a Team? Employee training? Involve outside counsel early Privilege Expertise 33 11

12 Emerging Risks and Issues with Big Data 34 General Principles What characterizes it? Large amounts of data (duh) Often originally collected for other purposes Use of advanced analytics Machine learning What laws apply? No special laws (yet) Should we have a right to have certain things forgotten? 35 Emerging Issues With Big Data Adequate Disclosure Does disclosure clearly cover all uses? Unexpected correlations Analytics and machine learning anticipate consumer decisions and behavior Sensitive/personal situations can be revealed especially through combined data sets Public Relations Risk Just because you can, doesn t mean you should 36 12

13 Questions? Please contact us any time with additional questions. Bruce Goto Riddell Williams P.S Gavin Skok Riddell Williams P.S Shata Stucky Riddell Williams P.S