The Matrix Reloaded: Cybersecurity and Data Protection for Employers. Jodi D. Taylor




Why Talk About This Now?
- The landscape is changing
- Enforcement by federal and state governments is on the rise
- Legislation is on the rise
- Costing businesses more money than ever
- Confusion in the marketplace: who's responsible?

Proposed Consumer Privacy Bill of Rights Act
- Provide reasonable notice to individuals about a covered entity's privacy and security practices
- Provide individuals with reasonable means to control the processing of personal data about them
- Enforcement by the Federal Trade Commission and State Attorneys General
- Civil penalties up to $35,000 per day or $5,000 per affected consumer, with a maximum penalty of $25 million
- No private right of action
- Safe harbor: Enforceable Codes of Conduct
- Stuck in committee

Cyber Intelligence Sharing and Protection Act
- Would provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities
- Example: if the government detects a cyber attack that might take down Facebook or Google, it could notify those companies. At the same time, Facebook or Google could inform the feds if they notice unusual activity on their networks that might suggest a cyber attack.
- Problem: opponents said that it would allow companies to easily hand over users' private information to the government thanks to a liability clause.
- Approved by the House; moved to the Senate; the White House has threatened to veto

Executive Order: Promoting Private Sector Cybersecurity Information Sharing
- Encourage the development of Information Sharing Organizations
- Develop a common set of voluntary standards for information sharing organizations
- Will include privacy and civil liberty protections
- Streamline private sector companies' ability to access classified cybersecurity threat information
- Provide a legal safe harbor for companies that share cyber threat information with the government or with each other through a special Department of Homeland Security portal

Executive Order (cont.): Authorizing Sanctions Against Persons Engaged in Significant Malicious Cyber-Related Activities
- Significant threats to the national security, foreign policy, or economic health or financial stability of the United States
- Includes persons who aid and abet such activities
- Identified individuals or entities will be added to the list of Specially Designated Nationals and Blocked Persons (SDN List):
  - U.S. assets are frozen
  - Prohibited from doing business with U.S. persons/entities
  - Cannot engage in dollar-denominated transactions (effectively cut off from the U.S. banking system)

Proposed Data Security and Breach Notification Act
- Companies must implement and maintain reasonable security measures and practices to protect and secure personal information
- Broader definition of personal information than most state data breach laws
- Only required to provide notice if there is a reasonable risk of identity theft, economic loss, economic harm, or financial harm
- Must provide notice to affected individuals within 30 days after discovery of a breach
- Preempts all state data breach notification laws
- Enforcement by the FTC or State Attorneys General (no private right of action)
- Stuck in committee

State Legislation
- Companies must comply with the laws and regulations of all states in which they do business or have employees

Georgia's Personal Identity Protection Act (GPIPA)
- Security Breach Definition: unauthorized acquisition of an individual's electronic data that compromises the security, confidentiality, or integrity of personal information (PI) maintained by an information broker or data collector
- Application:
  - Data Collector: any state or local agency or any of its subdivisions that maintains computerized PI
  - Information Broker: any person or entity who, for money, engages in, in whole or in part, the business of transferring computerized PI to a nonaffiliated third party

GPIPA (cont.)
- Personal Information Definition: an individual's first name or first initial and last name, in combination with any one or more of the following data elements, when either the name or the data elements are NOT encrypted or redacted:
  - Social Security number
  - Driver's license number or state identification card number
  - Account number, credit or debit card number, if such number could be used without any additional identifying information, access codes or passwords
  - Account passwords or personal identification numbers or other access codes; or
  - Any of the above when, not in connection with a person's first name or first initial and last name, would be sufficient to perform or attempt identity theft
- PI does NOT include publicly available information that is lawfully made available to the general public from federal, state or local government records

GPIPA: Notice
- Individual: must disclose if PI was, or is reasonably believed to have been, acquired by an unauthorized person
- Consumer Reporting Agencies: if required to notify more than 10,000 residents at one time, must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution and content of the notices
- Third-Party Data: any person or business that maintains computerized PI on behalf of an information broker or data collector must notify them of any breach of security within 24 hours of discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person
- Notice must be made in the most expedient time possible

GPIPA: Substitute Notice
- Permitted when the cost of providing notice would exceed $50,000, the affected class exceeds 100,000, or the information broker or data collector does not have sufficient contact information
- Substitute notice must consist of ALL of the following:
  - Email notice when the email address is known;
  - Conspicuous posting of the notice on the information broker's or data collector's website page, if they maintain one; and
  - Notification to major statewide media.
- Exception: an information broker or data collector may follow the procedures of its own notification policy if it is consistent with the timing requirements of the statute

Massachusetts Data Security Regulation (Mass. Regs. Code tit. 201, § 17.00)
- Stringent and detailed data security requirements
- Applies to any person (legal entity or natural person), wherever located, that owns or licenses personal information about a MA resident
- Includes any organization that receives, stores, maintains, processes or otherwise has access to personal information, either for the provision of goods or services or for employment
- Must develop, implement and maintain a comprehensive written information security program ("WISP") that contains administrative, technical and physical safeguards appropriate to the size, scope and type of the person's business, the person's available resources, the amount of stored data, and the need for security and confidentiality of both consumer and employee information
- The Massachusetts AG recently targeted a Rhode Island hospital for failing to encrypt consumer information; this resulted in a $150,000 settlement

Recent Cases / Breach Notifications: Target Corp.
- One of the largest breaches of payment-card security in U.S. retail history
- Hackers, through HVAC contractor systems, stole debit-card info of about 110 million customers
- Class action suit raised 7 different claims, including violation of data breach notification statutes
- Court discusses the enforceability of data-breach notice statutes:
  - Attorney General/Government enforcement only, e.g. Arkansas, Connecticut, Idaho [no private right of action; plaintiff's claim is barred]
  - Ambiguous or explicitly non-exclusive, e.g. Colorado [permissive language of "may" allows plaintiff's claim to survive dismissal]
  - No enforcement provision, e.g. Georgia § 10-1-912 is silent as to enforcement [plaintiff's claim survives dismissal]

Recent Cases / Breach Notifications: Maloney Properties, Inc.
- Loss of one laptop with unencrypted personal information of approximately 621 residents
- No evidence that personal information was accessed or used by an unauthorized person or for an unauthorized purpose
- Resulted in a $15,000 settlement along with other required action by MPI:
  - Ensuring that personal information is not unnecessarily stored on portable devices
  - Ensuring that stored personal information is encrypted on portable devices
  - Ensuring that portable devices with personal information are stored in a secure location
  - Effectively training employees on the policies and procedures with respect to maintaining the security of personal information

Recent Cases / Breach Notifications: Tierney et al. v. Advocate Health and Hospitals Corp. (Seventh Circuit, Case No. 14-3168)
- Proposed class action claiming FCRA violations by failing to safeguard health data stolen from its offices
- District Court threw out the FCRA claims, ruling that the hospital can't be considered a credit reporting agency under the FCRA
- Plaintiffs appealed to the 7th Circuit
- UPDATE, released August 12, 2015: affirmed the lower court
- Why extend the FCRA? Penalties range from $100 to $1,000 per willful violation

Insider Threat Detection
- Using big data analytics and software to identify potential insider threats in the workplace
- High risk, high reward
- Rewards: preventing fraud, intellectual property theft and workplace violence
- Risks: data is discoverable in litigation; discrimination claims against the employer
- Best Practices: transparency; clearly stated policies that are consistently enforced

Insider Threat Detection: Best Practices (cont.)
- Systematic logging, monitoring and auditing of employee network activity
- Blocking unauthorized emailing or uploading of company data outside the company network
- Comprehensive employee termination procedures

Top 10 for Employers
1. Policies/Protocols
2. Training
3. Data Access Points
4. BYOD
5. Telecommuting
6. Passwords
7. Discipline Policies
8. Data Retention
9. Impartial Use of Data
10. Data Mining/Analytics

Questions?
Jodi D. Taylor
jtaylor@bakerdonelson.com
404.589.3413