Privacy & Data Security
May 9, 2014
Presented at: SWBA 39th Annual Conference
By: James E. Prendergast, Esq.
Overview
- Data privacy concerns: unauthorized access, use, acquisition or disclosure of information
What information is at stake?
- Personally identifiable information (PII): Social Security numbers, driver's license numbers, financial account information, medical information
- Broader view: email addresses, phone numbers, dates of birth
- CA, effective 2014: adds email addresses, user names, passwords, security questions
- Protected Health Information (PHI)
- Payment Card Industry (PCI) data
- Zip codes? (CA and MA)
Whose info?
- Employees
- Clients and customers
- Vendors
- Insureds, claimants and beneficiaries
- Business partners
What threats?
- Malicious actors
- Employees
- Business partners
Regulations & Statutes
- State notice and compliance regulations
- Federal statutes
- Proposed federal legislation
- PCI DSS (Data Security Standard)
- Cyber security Executive Order
- International laws
State Regulations: Notice
- 46 states & 4 U.S. jurisdictions require notice to customers after unauthorized access to PII
- Follow timing requirements for notifying resident consumers: without unreasonable delay, but not later than 45 days
- Notify State Attorneys General, law enforcement, consumer protection agencies and credit reporting agencies
- Follow timing requirements for notifying regulators and credit reporting agencies: 48 hours; fourteen days; before notice to residents
- Some states require specific notice content
State Regulations: Examples
Massachusetts 201 CMR 17: Standards for the Protection of Personal Information
- Mandates procedures to reduce the likelihood and impact of breaches
- Requires a written information security program
- Specific requirements for user IDs, passwords, encryption, firewalls, data storage on laptops
- Applies to all businesses, wherever situated, that store residents' PII
State Regulations: Examples
California Confidentiality of Medical Information Act (CMIA): Cal. Civ. Code 56
- Requires notice to the California Department of Health and affected individuals within 5 days
- State fines of up to $250,000 per violation
- Allows for a private right of action, i.e., the UCLA breach litigation
Federal Laws
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Fair and Accurate Credit Transactions Act (FACTA)
- Gramm-Leach-Bliley Act
- Sarbanes-Oxley
HIPAA
- HIPAA Privacy Rule: set of national standards for the protection of certain health information
- HIPAA Security Rule: set of national standards to protect ePHI that is created, received, used, or maintained
- Applies to covered entities and business associates
- When a data event occurs, a breach is presumed; the former "risk of harm" standard is now a "low probability" standard
HITECH Act
- 2009 expansion of the Health Insurance Portability and Accountability Act (HIPAA)
- Allows State AGs to bring civil actions in federal court
- Provides for mandatory audits by DHHS
- Civil monetary penalties range from $100 - $50K per violation and $25K - $1.5M within a calendar year
- Mandates physical and technical safeguards
- Final Rule went into effect September 2013
Gramm-Leach-Bliley Act
- Applies to the financial services industry
- Enacted in 1999 to reform the industry and address concerns relating to consumer financial privacy
- Includes insurance companies!
- GLBA Privacy Rule: notification
- GLBA Safeguards Rule: written security plan
Sarbanes-Oxley
- Applies to publicly held companies and accounting firms
- Rigorous data protection requirements
- Affects storage, access and retrieval of customer records
- Disclosure guidance factors: probability of a cyber incident; magnitude of the risk; potential costs and consequences of an incident
Identity Theft Enforcement and Restitution Act (ITERA)
- Identity theft offenders must pay "an amount equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense." 18 U.S.C.A. 3663(b)(6).
- Potential impact on class actions
PCI DSS
- Payment Card Industry Security Standards Council: AmEx, Discover, JCB International, Mastercard, Visa
- Created in 2006 to establish and control industry standards, including the Data Security Standards (DSS)
- Requires merchants and service providers to abide by certain protocols to protect customers' credit card information
PCI DSS (cont.)
- Imposes fines and penalties on offending merchants and service providers
- Violations of PCI DSS have multiple consequences: significant financial penalties; impact on standard of care (industry investigations, outside lawsuits)
- A small minority of states have incorporated PCI-DSS requirements into data protection laws
Cyber-security Executive Order
- Goal: safeguarding the nation's critical infrastructure against cyber-attacks by developing and implementing baseline cyber-security standards
- NIST required to develop, by February 2014, a cyber-security framework including a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks
- DHS to encourage designated owners and operators of critical infrastructure to adopt a voluntary cybersecurity program
International Laws
- The EU and more than 45 other countries have data protection or privacy laws, with more coming
- U.S. companies with control of PII for international customers must consider the notification requirements of foreign jurisdictions
International Laws (cont.)
- Canada: national law, PIPEDA (Personal Information Protection and Electronic Documents Act), applies to all businesses and organizations
- Some provinces (e.g., Alberta, Ontario) have passed notification and compliance laws
Response
- Discovery of data event / clock starts
- Incident Response Plan
- Facts
- Law
- Vendors
- Regulatory investigation
Case Studies
Online retailer sees customers blogging about credit card fraud; finds it was the victim of a SQL attack through its website storefront, exposing 50,000 individuals' credit cards.
- Forensics and PFI (PCI Forensic Investigation)
- Public relations
- Substitute notice, notice to regulators
- PCI fines
- Remediation and PCI compliance
Case Studies
State College shares a database with the State University system; a University student accesses 120,000 College alumni/student Social Security numbers.
- Forensics coordinated with the University and with law enforcement
- Notification timing and messaging coordinated with the University (which had over 450,000 affected)
- Call center and credit monitoring
Case Studies
Hospital employee steals information from medical records to obtain credit fraudulently.
- Complicated forensics to distinguish authorized employee activity from criminal activity (otherwise notice to the 11 individuals affected would have been notice to over 70,000 potentially accessed!)
- Law enforcement subpoena of the employee's computer further complicated forensics
- HIPAA/HITECH notice imposed deadlines
Case Studies
Business Associate document conversion company loses a volume of non-electronic hospital records.
- Notice under HIPAA is due from the hospital, but the hospital will seek recovery of all costs from the Business Associate
- Exposed documents that were recovered had to be analyzed manually to identify the affected population and the details of exposure
- $500K in investigation costs alone
Case Studies
Municipality posts employee benefits information online, exposing individuals' Social Security numbers and dates of birth.
- Unique public relations issues: during an election cycle, a challenger uses the incident for political gain
- Entire response, including web site notice, individual notice, credit monitoring, assistance with responses to inquiries and notice to state regulators
Case Studies
Bank website collecting loan application information is hacked, exposing hundreds (maybe thousands) of applicants' sensitive information.
- Public relations messaging must ensure that account holders who were not affected are distinguished from applicants
- Although small numbers were affected at the client, the attack was part of a larger operation, involving the Syrian Electronic Army and Anonymous, under investigation by the FBI and Secret Service
- Banks can be subject to higher regulatory scrutiny
Response Counsel
Data Breach Coach: expert outside counsel
- Manage investigation
- Legal compliance
- Litigation: position the client to avoid or defend class, regulatory, and/or individual actions
- Document preservation
- Best practices: analysis of system security / company procedures
Response Counsel (cont.)
Vendors:
- Forensic IT investigators / PFI
- Public relations
- Document review (e-discovery)
- Printing, mailing, call-center and substitute notice services
- Identity/credit monitoring, identity theft restoration
Evaluation of Breach
- What systems/networks/records were accessed? (computerized vs. paper)
- What is the nature of the breach? Is it over?
- What kind of data was accessed/copied/stolen/viewed? (access vs. acquisition)
- Individuals affected? (individual vs. business)
- Are duties triggered?
Notification
- Must comply even where there is no theft or damage
- Effects of poor breach response: reputational harm; higher out-of-pocket expenses; target on back
Notification Checklist
- Electronic data or paper documents?
- What type of data elements are at stake?
- Has the personal information been misused? Is it likely to be misused?
- What type of entity suffered the breach?
- How many individuals are affected?
Notification Checklist (cont.)
- What laws apply?
- Does a federal statute apply? If so, is the state statute preempted?
- Is there a preexisting security protocol in place?
- Should fraud protection and credit monitoring services be offered preemptively?
- Notify state authorities?
- Notify consumer reporting agencies?
Overreact or underreact?
- Quick responders spend 54% more than slow responders. (Source: Ponemon Institute)
- BUT: response can factor into lawsuits and reputational harm!
Lawsuits/Actions
- Single plaintiff
- Class action
- Government action
- Banks
- PCI
- Subrogation / indemnity
Defending the Lawsuit/Action
Specialized considerations when defending a data breach class action:
- Multi-District Litigation
- Class certification discovery
- Joinder of all necessary and appropriate parties
- E-Discovery
- Experts
- Spoliation
Defending the Lawsuit
- Stollenwerk v. Tri-West (9th Cir.): plaintiff must assert actual identity theft.
- Krottner v. Starbucks Corp. (9th Cir.): increased risk of identity theft constitutes an injury-in-fact.
- Anderson v. Hannaford (1st Cir.): alleged actual fraud and money spent in mitigation efforts defeat dismissal.
- Resnick v. AvMed (11th Cir.): similar to Anderson; also held unjust enrichment claims viable for failure to keep a promise to protect information.
- Heartland (5th Cir.): banks and credit unions not barred by the economic loss doctrine from recouping card reissuance costs.
Preparation
- 96% of breaches were avoidable through simple or intermediate controls. (Source: Verizon 2011 Data Breach Investigations Report)
- The cost of a data breach has lowered, suggesting that companies are investing more resources in prevention and detection, such as improving their data protection practices and implementing incident response plans. (Source: Ponemon Institute)
Evaluate the Risks
- Has the insured ever experienced a data event?
- Does the insured collect, store, or transact any personal, financial or health data?
- Does the insured outsource any computer network operations, data storage or network management?
- Does the insured share data with business partners or vendors?
Evaluate the Risks (cont.)
- Does a posted Privacy Policy actually align with internal data management practices?
- Has the insured had a recent cyber risk assessment?
- How long does the insured maintain records?
- Are the insured's electronic devices encrypted?
- Is the insured's intrusion detection software/protocol current?
Safeguard Controls
- People: proper security budget, supervision, training and vigilance during and after employment
- Processes/policies: ISO 27002, HITECH-ready employee education and training, change management processes, incident response plan
- Technology: proven IDS/IPS capabilities, hardened and patched servers (tested), full encryption of PII
Managing the Risks
- Education: learn about the various types of privacy violations that can occur
- Handheld devices: manage BYOD
- Limit data maintained or made available
- Encrypt laptops, smartphones, etc.
Managing the Risks (cont.)
- Mock breaches, aka tabletop exercises
- Limit online access to data storage servers
- Policies are not enough
- Destruction of hard drives to remove all PII
Managing the Risks (cont.)
Incident Response Plans (IRPs)
- Various laws and regulations require IRPs: financial institutions, Oregon entities
- Many laws imply IRPs must be developed: Gramm-Leach-Bliley, Sarbanes-Oxley, HIPAA, Massachusetts, FACTA
- Existence of an IRP is best practice: mitigate the chances of a breach, and mitigate damages when a breach occurs
Emerging Issues
- Cloud computing
- Pre-breach security standards
- Subrogation
- Social media
- Geo-location tracking: collection and use
Cloud Computing
"A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
Source: U.S. Department of Commerce, National Institute of Standards and Technology
Cloud Computing
Assessment of cloud server:
- Selecting the right company
- Physical capabilities: storage, backup
- Ability to respond to breaches, coverage
- Adequate services agreement
- Private, community, or public?
- Jurisdictional/geographic issues
Subrogation
- Data breach response laws impose costly duties on data owners regardless of intent or negligence
- Possibility to transfer cost to responsible parties: vendors, sub-contractors
- Negligence grounds: lost laptops
- Breach of contract: failure to provide adequate security
Conclusion
What to do?
- Assess
- Address
- Plan and insure
- Repeat
Questions?
Contact Information Jim Prendergast: Jim.Prenergast@lewisbrisbois.com (215) 977-4058