Data Security and Privacy: Proposed Threshold Questions and Initial Due Diligence

Definitions

"Personal Information" means any information that can be used to identify a specific individual, for example, such individual's name, physical address, telephone number, fax number, or email address.

"Sensitive Personal Information" means information that requires special protection, such as Social Security number, government identification number, credit card number, bank account information, driver's license number, and information regarding an individual's health, race, ethnicity, religious or philosophical belief, trade union membership, political beliefs, sexual orientation, or criminal background.

Each item below is organized as Issue, Threshold Question, and Annotation (the rationale for asking).

Issue: Privacy: Types of Data Collected
Threshold Question: List all the categories of Personal Information and/or Sensitive Personal Information the Company and its affiliates collect, use, or process (e.g., employee, customer, supplier, or consumer data; payment card data; biometrics; any information about children; healthcare/medical information; government identifiers or driver's license information).
Annotation: It is important to understand the types of Personal Information and/or Sensitive Personal Information the target and its affiliates are collecting, using, and/or processing. This understanding helps determine the overall privacy risk of the target.

Issue: Privacy: Locations of Company and Data Collection
Threshold Question: In what countries does Company or its affiliates have a presence, including employees, offices, data centers, or bases of operation? From which countries does Company or its affiliates collect Personal Information from individuals, including employees, customers, and consumers? Is Personal Information shared between or among affiliates? If yes, which types?
Annotation: Enforcement of privacy legislation centers either on (1) the jurisdictions in which the target, its employees, and its data reside, or (2) the jurisdictions in which the data is collected or processed. It is also important to understand the target's philosophy regarding the sharing of data with affiliates.

Issue: Privacy: Direct Marketing Activities
Threshold Question: Does Company or its affiliates (or a vendor on behalf of Company or its affiliates) use Personal Information to engage in direct marketing (e.g., e-mail, postal mail, telemarketing [inbound or outbound], delivery of marketing and non-marketing text messages, fax advertising, delivery of marketing and non-marketing prerecorded messages, or use of an autodialer to place marketing and non-marketing calls to cell phones)? Does Company or its affiliates (or a vendor on behalf of Company or its affiliates) use Sensitive Personal Information to engage in direct marketing?
Annotation: Many of today's privacy regulations have been promulgated to regulate the use of data in marketing activities. It is therefore imperative to understand the target's use of data in such marketing activities, and whether the target or its affiliates also use Sensitive Personal Information in marketing activities (for which there is a higher use standard and penalty in almost all jurisdictions).

Issue: Privacy: Tracking Functionality
Threshold Question: Does Company or its affiliates (or a vendor on behalf of Company and its affiliates) use technical or other tracking functionality to track individuals for the purpose of online behavioral advertising, retargeting, content personalization, or content delivery, through methods such as cookies, beacons/tags, JavaScript, local storage, browser fingerprinting, or other similar means?
Annotation: In response to recent cookie legislation worldwide, this question is now imperative to confirm the target's compliance with respect to the use of tracker technologies.

Issue: Privacy: Use of De-Identified/Anonymized Personal Information
Threshold Question: Does Company or its affiliates (or a vendor on behalf of Company and its affiliates) de-identify/anonymize Personal Information for any purpose, including but not limited to improvement of internal systems, research or academia (e.g., white papers), or marketing of any kind? If so, please describe the means of de-identification or anonymization and provide copies of any applicable or legally required employee and customer consents for such use.
Annotation: Many jurisdictions now regulate even the use of de-identified/anonymized data. It is therefore important to ask the target whether it has business models or other uses of de-identified data, and whether appropriate consents are in place.

Issue: Privacy: Information Collected or Held as a Vendor or Service Provider for Others
Threshold Question: Does Company or its affiliates host Personal Information on behalf of another company as a service provider? Does Company or its affiliates have access to the Personal Information of its customers' customers?
Annotation: Many jurisdictions now have a higher privacy standard for companies operating as ISPs or hosting providers, and thus it is important to understand whether this is also part of the target's business model and, if so, what kinds of data are hosted and whether affiliates have access to such data.

Issue: Privacy: Compliance Policies and Documents
Threshold Question: Provide copies of the Company's internal policies relating to privacy and data security activities (e.g., technology use policy, product development guidelines, privacy impact assessments, breach notification procedure). Provide copies of all Data Protection Authority ("DPA") registrations, notifications, and/or authorizations.
Annotation: Best practices today require internal policies with respect to the target's privacy practices vis-à-vis its employees and contingent workers. Several jurisdictions also require registration of databases with the DPA, so copies of the registrations are necessary.

Issue: Privacy: Notices
Threshold Question: Please provide copies of all current or prior notices to individuals provided by Company or its affiliates relating to employees, consumers, websites, and customers.
Annotation: A basic requirement of nearly every jurisdiction today is an appropriate external privacy notice.

Issue: Privacy and Data Security: Data Security Breach
Threshold Question: Has Company or any affiliate had a data security breach or an unauthorized access or acquisition of Personal Information ("Breach")? If yes, please describe any actual Breaches that have occurred in the last 5 years.
Annotation: It is important to know whether the target has experienced any data breaches. This understanding is required because some companies carry longer-term obligations imposed by regulators in order to resolve past data breaches. It also demonstrates what type of organization the target is from a data protection perspective (for example, if the target has experienced several breaches).

Issue: Privacy and Data Security: Existing/Prior Privacy or Data Security Investigation
Threshold Question: Has Company or any affiliate received any complaint, notice of suspicious activities on systems, regulatory inquiry, consent decree, citation, fine, or administrative action, or been party to pending, resolved, or threatened litigation regarding privacy or data security? If yes, please describe.
Annotation: It is also important to understand whether the target is a frequent subject of regulatory or third-party investigation for perceived or actual data protection violations.

Issue: Privacy and Data Security: Data Disclosure to Third Parties and Vendors
Threshold Question: Does Company or its affiliates share, disclose, sell, or rent Personal Information to unaffiliated third parties (including sharing with customers, service providers, and other third parties)? If so, please explain and provide all contracts relating to such sharing.
Annotation: While many statutes worldwide allow sharing of data with affiliates, far fewer allow sharing of data with non-affiliates. It is therefore important to understand the target's practices in this regard, and the mechanism by which it justifies sharing of data with non-affiliates.

Issue: Data Security: Policies and Procedures
Threshold Question: Provide any policy documentation relating to administrative, technical, and physical controls to protect against the unauthorized access, use, or disclosure of Personal Information or Sensitive Personal Information, and describe: (i) practices and procedures associated with such policies; and (ii) capabilities used to protect Personal Information and access to the Company network (including but not limited to anti-virus/security software, physical security controls for facilities and sensitive areas, password policies, access controls, Internet access and firewall policies, security of data in storage and in transmission, and retention periods).
Annotation: Many regulations require an information security policy and procedures, or other detailed documentation or controls, governing the target's physical, administrative, and technical security safeguards.

Issue: Data Security: Malware Attacks and Response
Threshold Question: Has the Company, its affiliates, or supplier-supported functions ever had any significant outages, or had to rebuild any systems supporting the Company, in whole or in part, due to a virus outbreak, breach, or malware infestation?
Annotation: This threshold question reveals whether a target has in fact been injured or otherwise affected by attacks (which helps reveal the level of scrutiny given to the target's security systems and controls).

Issue: Data Security: Audits and Controls Assessments
Threshold Question: Provide any external audit reports or standard evaluations regarding the integrity of your systems/network controls (e.g., SAS 70 reports, ISO 27001 certification, SOC 2 reports, responses to customer/partner security questionnaires) for the past 5 years.
Annotation: Whether the security audit is conducted at the target's request or at a third party's request, it is important to be able to review the results of such audits.

Issue: Data Security / Regulatory Compliance
Threshold Question: Does Company or its affiliates have access to information that is subject to sectoral regulations, including but not limited to payment card information, healthcare, financial, marketing, or children's data?
Annotation: This residuary question is important in determining which sectors (and related sectoral regulations) affect the target.