Privacy Law Perils in California, the Nation and Beyond
Securing Data, Responding to Theft of Data and Other Business Assets, Assessing Your Company's Privacy Policy, Evaluating Risks Presented by Your Employees' Computer Use, and Understanding Government Enforcement Mechanisms
Guylyn Cummins, Esq.
Elizabeth Balfour, Esq.
Sheppard, Mullin, Richter & Hampton LLP
2008
Securing Data
Information security is no longer just good business practice; it is becoming a legal obligation.
Securing Corporate Data
Businesses have an obligation to provide appropriate security for their own data, as well as in connection with the electronic transactions they enter into. What is appropriate?
Appropriateness depends on the industry:
HIPAA (Health Insurance Portability & Accountability Act)
Gramm-Leach-Bliley Act
FACTA (Fair and Accurate Credit Transactions Act)
SEC regulations to safeguard customer records
Sarbanes-Oxley 302 certifications regarding internal controls
A legal standard is emerging that focuses on a process approach to determining reasonable security measures for a particular business: Simply implementing certain tools in a checklist (firewalls, passwords, encryption, etc.) is not sufficient. The process approach ensures that the information security system is tailored to the specific security threats that pose a risk for that company.
(1) identify the company's information assets
(2) conduct periodic risk assessments to identify specific threats and vulnerabilities
(3) develop and implement a security program to manage the risks identified
(4) monitor and test the program to ensure it is effective
(5) continually review and adjust the program
(6) oversee third-party service arrangements
What if there is a security breach?
Responding to Theft of Data and Other Business Assets
Possible causes:
Disgruntled employee
Criminal activity of third parties
Hackers
Negligence
Corporate Victims
More widespread than we think:
ChoicePoint
Countrywide
Lending Tree
Bank of America
SAIC
University of San Diego
California's Notification Law, Civil Code 1798.29
Applies to Personally Identifiable Information (PII): name (or first initial and last name) in combination with any one of the following:
social security number
driver's license or state ID number
financial institution account number in combination with a password
medical information
health insurance information
Companies doing business in California are subject to other statutes that regulate the use of personal information:
Song-Beverly Credit Card Act
California Financial Information Privacy Act
California Consumer Credit Reporting Agencies Act
California Confidentiality of Medical Information Act
Privacy Protections for Data Other than Personally Identifiable Information: emails, text messages, telephone calls, where you are driving.
When can third parties legally read your emails or text messages, or listen to your telephone calls?
When you are at the office, what information are employers permitted to access?
Company policies regarding employee use of the internet and company devices (cell phones, PDAs) need to be clearly communicated and enforced in order to remain viable. Expectations of privacy in the workplace may differ depending on whether the employee has been properly informed. A person's consent to disclosure is a defense to a claim of invasion of privacy.
Can employers use knowledge of employees' computer use to fire or discipline employees?
California labor laws: Cal. Lab. Code 432.2 (use of lie detector and polygraph testing)
FCRA exception for consumer reports obtained in connection with an investigation of suspected employment-related misconduct: 15 USC 1681a(x)(2)
Protection of Business Assets and Proprietary Information
Company identity and territory on the Internet:
Domain names
Protection of domain names
Domain name disputes
Privacy Protections for Exchange of Information on the Internet?
Blogging
List-serves
Online searches
Restrictions on Companies Doing Business Over the Internet:
CAN-SPAM
FTC enforcement
Companies that collect information about their customers, or that offer products or services over the Internet, need enforceable privacy policies for their customers. The FTC enforces compliance with the terms of privacy policies under Section 5 of the FTCA. The FTC identified five core principles of privacy protection, which have become known as the Fair Information Practice Principles:
(1) notice and awareness
(2) choice and consent
(3) access and participation
(4) integrity and security
(5) enforcement and redress
California Laws that Affect Companies Doing Business Online:
Online Privacy Protection Act
California's Shine the Light Law
Enforcing Privacy Policies Online
Enforcement by the company: clickwrap v. browsewrap
Enforcement by the government: FTC actions
Challenges for Innovative Marketing on the Internet
Behavioral marketing
Personalized advertising
Cookies v. web beacons
FTC Principles for Behavioral Marketing:
Transparency
Consumer control
Reasonable security
Limited data retention
Affirmative express consent for material changes to existing privacy promises
Prohibition against using sensitive data for behavioral advertising (without consumer consent)
Special Challenges Related to Children's Use of the Internet
Children's Online Privacy Protection Act, 15 USC 6501-08
Applies to websites directed to children under 13
Standards for Business Transactions that Are Completed Online
What is a digital signature?
Removing legal barriers to electronic commerce:
E-SIGN (Electronic Signatures in Global and National Commerce Act)
UETA (Uniform Electronic Transactions Act)
Who is responsible for ensuring that appropriate data security measures are developed and implemented in the corporate environment? Chief Information Officers? CEOs? CFOs? Members of the Board of Directors? In-house counsel?
Questions?
Guylyn Cummins, Esq. gcummins@sheppardmullin.com 619.338.6645
Elizabeth Balfour, Esq. ebalfour@sheppardmullin.com 858.720.8985