DATA PRIVACY IN NORTH AMERICA

REPRINTED FROM: RISK & COMPLIANCE MAGAZINE, APR-JUN 2014 ISSUE
www.riskandcompliancemagazine.com
Visit the website to request a free copy of the full e-magazine.
Published by Financier Worldwide Ltd
riskandcompliance@financierworldwide.com
© 2014 Financier Worldwide Ltd. All rights reserved.

    MINI-ROUNDTABLE

PANEL EXPERTS

Michael J. Gottlieb
Partner
Boies, Schiller & Flexner LLP
T: +1 (202) 237 9617
E: [email protected]

Michael Gottlieb is a partner in the firm’s Washington, DC office. His practice focuses on crisis management and government response, including criminal and civil investigations, prosecutions, and enforcement actions initiated by federal and state regulatory agencies, securities litigation and enforcement, and appellate and constitutional litigation. Mr Gottlieb joined the firm after more than five years in senior positions in the Executive Branch, including three years as Special Assistant to the President and Associate White House Counsel, where one of his focus areas was legal national security issues, including cyber security and data privacy.

Kenneth K. Dort
Partner
Drinker Biddle & Reath LLP
T: +1 (312) 569 1458
E: [email protected]

Kenneth K. Dort is a partner with Drinker Biddle & Reath LLP, in the firm’s Chicago office. He is a member of its Intellectual Property Practice Group and chairman of the firm’s Technology Committee. His practice is focused on information technology and intellectual property law issues, particularly software development and licensing, systems development and integration, data encryption and security, trade secret protection, and patent, copyright and trademark licensing and protection. He is the current chairman of the ABA Intellectual Property Law Section’s Online Data, Transactions and Security Committee.

Brenda Sharton
Partner
Goodwin Procter LLP
T: +1 (617) 570 1214
E: bsharton@goodwinprocter.com

Brenda Sharton is a member of Goodwin Procter’s Executive Committee, the chair of the firm’s Business Litigation group, and the co-chair of the firm’s Privacy & Data Security practice. She is a nationally recognised expert in the area of privacy law and has handled privacy-related litigation matters, data privacy breach investigations and class actions.

Christopher Wolf
Partner
Hogan Lovells US LLP
T: +1 (202) 637 5600
E: christopher.[email protected]

Christopher Wolf leads the global Privacy and Information Management practice at the law firm of Hogan Lovells US LLP. Mr Wolf founded and co-chairs the Future of Privacy Forum and is a founder of the Coalition for Privacy and Free Trade. He has focused on internet and privacy law since the early days of those disciplines. Mr Wolf has contributed to legal treatises, authored papers on law enforcement and national security access to Cloud data, and co-authored, with Abraham H. Foxman, National Director of the Anti-Defamation League, the book Viral Hate: Containing Its Spread on the Internet.

S. Keith Moulsdale
Partner
Whiteford, Taylor & Preston LLP
T: +1 (410) 347 8721
E: [email protected]

S. Keith Moulsdale represents clients with respect to a range of tech-related legal issues, including cyber-security, electronic commerce, privacy, compliance, file-sharing, music and video downloading, publishing, software development, certification programs, OS licence compliance programs and other IP issues. He also represents cyber security technology and service companies, as well as organisations that have been the target of security breach attempts (due to theft, SQL injection attacks, phishing, brute-force attacks and other methods), and leads cross-functional assessment, containment and response efforts, develops mitigation strategies, and assists clients in assessing and complying with statutory notification requirements and preparing information security policies.


RC: Could you outline the latest legal and regulatory developments affecting corporate handling of data in North America?

Gottlieb: Federal regulators are focusing on data security more than ever before. To date, the FTC has brought over 50 enforcement actions concerning data breaches. These actions typically result in a settlement in which the target company agrees to bring a monitor in house and follow a privacy framework. There is pending litigation that has challenged the scope of the FTC’s authority to regulate corporate data security practices, and if the Government loses in that litigation, its authority to regulate private data security practices will weaken without new legislation. Congress is considering legislation that would authorise the Commission to seek civil penalties for data security violations. Following Dodd-Frank, the SEC and the CFTC promulgated Regulation S-ID, which requires certain financial institutions and creditors to implement comprehensive identity theft programs to protect customer data. And earlier this year, the SEC and FINRA both announced that they would be enhancing their focus on cyber attacks and data breaches. Finally, in February 2014, following an Executive Order from President Obama, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity. While the Framework is voluntary, companies may over time face serious pressure to adopt its standards even outside of the critical infrastructure area.

Dort: Over the last few years, the legal developments affecting corporate handling of data in North America have been both extensive and intense at the federal and state levels. At the federal level, the Sarbanes-Oxley Act’s requirement of certifying financial statements by publicly traded corporations has had the effect of mandating the implementation of detailed data security policies so as to guard the credibility of underlying corporate data – such as inventory levels, revenue receipts and cost levels – so as to enable a valid certification of the resulting financial statements disclosed to the public. On a related front, the SEC has recently mandated that publicly traded corporations promptly report and identify cyber risks that may have a material impact on overall performance. In addition, on the health front, the HITECH Act has federalised the reporting of security breaches involving personal health information, thereby taking that issue out of the states’ hands. On the litigation front, the plaintiffs’ bar has gradually evolved the theories and approaches by which to sue corporations incurring large data breaches. For example, while the basic theories of negligence and breach of contract have been in place for years in this sector, the issue of causation has posed a dilemma. Recent cases have gradually lowered the bar on this issue, at least at the pleading stage, thereby increasing corporate exposure on this front. Finally, the FTC and various state attorneys general have tightened their requirements for website information collection practices by requiring clear and detailed descriptions of the website operators’ collection and handling practices so as to give site visitors the opportunity to decide whether to provide such information to the operator. Violations of this standard are enforced as unfair trade practices under the applicable law.

Sharton: Regulatory enforcement of corporate data handling and privacy issues seems to be on the rise, at the state, federal and international level. Moreover, there seems to have been a shift in attitude from the regulators to a more prosecutorial and enforcement oriented stance. Recent enforcement actions and settlements highlight regulators’ strong desire to demonstrate that they are taking privacy seriously. Among the states, California continues to be a leader on data privacy legislation. For example, California recently expanded its statutory definition of personal information to include usernames and email addresses in combination with password, sweeping data breaches that compromise more than just traditional sensitive financial information into the state’s regulatory purview. At the national level, the Federal Trade Commission amended the Children’s Online Privacy Protection Rule to, among other things, expand their definition of personal information that cannot be collected without parental notice and consent to include geolocation information, photographs and videos, and require that covered website operators adopt reasonable procedures for data retention and deletion. Additionally, the US Department of Health and Human Services issued the final HIPAA Omnibus Rule, expanding HIPAA’s scope to business associates and subcontractors such that almost any company that touches personal health information must comply with HIPAA requirements.

Wolf: There have been recent legal and regulatory developments at all levels of regulation in the US, federal, state and administrative. At the federal level, there is increased scrutiny of data brokers, big data and data breaches. At the state level, there is increased attorneys general enforcement and new state laws – especially in California. And at the administrative level, the work of the National Institute of Science and Technology on cybersecurity, into which business has had input, is likely to be an influential benchmark of US practices.

Moulsdale: In Canada, a bill that would have given the federal personal information protection statute (PIPEDA) teeth – by making breach notification mandatory – failed once again; currently it is merely voluntary. Alberta is the only province that has made breach notification mandatory so far. In the USA, a federal Personal Data Privacy and Security Act has been proposed for the umpteenth time, but it is unlikely to pass in a divided Congress. In the absence of an omnibus, federal data protection law, substantive changes continue to be driven by Presidential Executive Orders and state legislatures. At the Presidential level, President Obama directed development of a ‘baseline’ Cybersecurity Framework to reduce cyber risks to critical infrastructure, which was finalised and released in February 2014 by the National Institute of Standards and Technology as a ‘Framework for Improving Critical Infrastructure Cybersecurity’. At the state level, California expanded the definition of protected ‘personal information’ to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account”.

RC: What penalties can authorities or private individuals seek to impose upon companies and their D&Os in the event of a breach or violation of data privacy laws in North America?

Sharton: Almost every US state has now adopted a breach notification law, but the specifics of those laws can vary substantially from state to state. Not every state statute has explicit penalty provisions for failure to comply with notification procedures, but those that do have explicit penalties may assess those penalties differently than others. Some states calculate penalties based on the number of consumers affected or the length of the notification delay, while others simply provide a maximum civil penalty per breach. Still others employ a hybrid approach, factoring in both the number of affected customers and the length of the delay, with a maximum fine for a single security breach. Federal regulatory agencies can also assess civil monetary penalties for breaches within their regulatory industries. And beyond statutory penalties specific to privacy breaches, many state and federal officials can bring suit under general consumer protection laws which may open the door to additional, and possibly more substantial, damages.


Moulsdale: In the US, penalties in a particular case depend on which of the many state or federal data privacy or security laws is at issue. But, generally speaking, remedies may include damages, restitution, civil penalties and, in some cases, criminal penalties. Violations of HIPAA, for example, may result in civil penalties up to $1.5m per calendar year, or criminal penalties of up to $250,000 and 10 years in prison. Violations of the COPPA Rule may result in civil penalties of up to $16,000 per violation. Data protection-related class action lawsuits are also a real risk in the US, and the cost of merely defending a case can prove to be a penalty in itself, as in retailer Kmart’s $3m class action settlement in connection with alleged use of background checks to make employment decisions, or social media provider Facebook’s $20m settlement for allegedly putting users in an advertising program without their permission. On the D&O level, directors and officers can face derivative suits by shareholders who allege breach of fiduciary duties by failing to take sufficient steps to protect the company from a data breach, as was the case in two lawsuits filed in January 2014 against the directors and officers of retailer Target.

Wolf: Depending on the nature of the violation, regulators can enjoin allegedly unlawful conduct or seek civil penalties. At the federal level, the Federal Trade Commission (FTC) uses its authority to regulate unfair or deceptive trade practices to enforce privacy and security standards. Companies settling with the FTC must implement independently auditable privacy or security programs, with further missteps resulting in significant fines. Specific federal agencies are authorised to seek monetary fines for unlawful conduct involving certain types of data or industry sectors, such as healthcare, children’s data and financial information. State attorneys general enforce similar laws at the state level. Many state and federal privacy laws allow individuals to recover statutory damages. For example, the federal Video Privacy Protection Act establishes minimum damages of $2500 per violation. A class action lawsuit under that statute seeking damages for conduct affecting 10,000 people could result in an award of at least $25m.

Gottlieb: Litigation has become the norm following significant data breaches. The massive data breach at Target, for example, has already prompted dozens of lawsuits, including consumer class actions, suits by financial institutions and derivative suits. Thus far, consumers have struggled to find legal footing. The costs of personal information disclosure vary greatly, and plaintiffs often cannot prove harm. The speculative nature of data breach claims has caused most consumer class actions to fail to overcome early procedural hurdles. Banks that issue credit and debit cards bear the brunt of the costs after a data breach, usually through reimbursing fraudulent charges and issuing replacement cards. As breaches become more common, banks will demand that their business partners comply with data protection standards, and banks may become more frequent players in post-breach litigation. State attorneys general and the FTC have had moderate success settling data breach suits, and those settlements often impose significant penalties and compliance costs. The SEC, CFTC and FINRA all have the power to impose penalties against the financial institutions they regulate for failing to adopt reasonable data protection policies or ignoring red flags of security threats.

Dort: The penalties that may be imposed on companies in the event of a breach or violation of data privacy laws are varied. First, a government agency may impose fines, usually based on the egregiousness and level of harm of the specific case, along with multi-year consent decrees requiring companies to periodically report to that agency regarding its follow-up efforts to comply with the agency’s directives as laid out in the order. Alternatively, government agencies and individuals may commence litigation arising from company violations and seek compensation for the damages caused by the violation. In addition, corporate directors and officers of companies incurring a data breach or violation of law may face claims asserting that they violated fiduciary duties to take steps to assure that the company’s data security system was properly designed and implemented, or otherwise failed to exercise reasonable care in overseeing the company’s IT functions.

RC: In your experience, to what extent are companies aware of their obligation to secure and protect the privacy of the sensitive data that they store or transfer in the course of their business?

Moulsdale: Most mid-market and large companies have begun to focus on data security risks in structuring processes and products, and in dealing with vendors and customers. Those companies recognise that they must make meaningful changes to keep pace with data security and legal risks flowing from their ever-increasing collection, storage and use of proprietary and personal data. Although many firms of all sizes lag woefully behind, the greatest lack of awareness and compliance is among small and non-profit organisations, which are either unaware of the risks or obligations, or inadequately staffed or financed to deal with them. This is a particularly tough challenge for companies that do business across state and international lines because data security laws and enforcement vary across industries and jurisdictions.

Gottlieb: Companies are increasingly aware of their obligations, and companies that were unaware prior to the high profile data breaches at Target and Neiman Marcus are likely paying attention now. Even before those breaches, survey data showed that data security was a top priority of more corporate counsel and directors than any other issue. There are certainly companies that continue to view data security and privacy to be mostly IT rather than legal or senior executive issues. That said, the problem is less that companies are not aware that they need to protect sensitive data, and more that companies are inadequately prepared to address the political, legal, and communications fallout from a significant breach. One separate but related problem is that companies may not be aware of the numerous disclosure obligations imposed by rapidly changing laws at the federal and state level. These disclosure obligations often apply even to isolated incidents, and a failure to comply may lead to unnecessary investigation, compliance costs and embarrassment for the company.

Dort: For the most part, companies are quite aware of their general obligations regarding the safeguarding of sensitive data. However, quite often they are not aware of implementation issues and problems that may be rendering them susceptible to a breach or similar problem. In addition, companies often fail to acquire a firm grasp of the many details found in data security laws and regulations, both domestically and globally for international companies. Indeed, for international companies the task soon mushrooms as the number of jurisdictions that need to be considered expands with their growing operations. It often becomes a serious problem to be sure that you are complying with all applicable laws and regulations across multiple jurisdictions.

Wolf: Most of the companies that I advise are keenly aware of their obligations, and they embrace their roles as stewards of the consumer data that they collect, process and share. Consumer-facing companies know that consumer trust is vital to success. The spotlight is trained on data collection and use practices. Consumers are more willing than ever to switch companies or stop using services following reports of privacy or security missteps, and many consumers are now proactively shopping for privacy- and security-promoting goods and services. That means that privacy and security can no longer be check-box compliance functions. They must become integral parts of business models. In my experience, many companies have accomplished or are on their way to accomplishing that goal.

Sharton: In my experience, most companies are very aware of their obligation to protect the sensitive data that they may handle in the course of their business, and they take that obligation very seriously. Reputational risk, attention to consumer concerns, as well as increased regulatory and enforcement activity all contribute to an atmosphere of attention to privacy issues by US companies. In the absence of a federal regulatory scheme addressing privacy, companies that proactively adapt their privacy and data protection practices to changing technologies and customer expectations stand the best chance of staying out of court and out of the regulators’ crosshairs on privacy issues.

RC: What advice can you offer to companies on maintaining compliance with evolving data and privacy laws?

Dort: It is critical for companies attempting to comply with evolving data and privacy laws to take the following steps. First, delegate to a specific officer the overall responsibility over IT performance and data security. Second, budget for and allocate sufficient resources to install an IT staff necessary to handle all operational and development tasks. Third, delegate one person to be responsible for all legal compliance. Fourth, implement training sessions for all employees to impress on them the importance of data security and the need to follow all security procedures. Finally, continually monitor the security protocols to be sure they meet and address the changing cyber risk landscape, and to implement any modifications as necessary to address changing risks and threats.

Wolf: The baseline activity for all companies is to monitor legal and regulatory developments. Don’t look just at what is coming next week or next month. Even simple changes to privacy or security regulations can require significant and costly adjustments to business operations. Too often, I have seen companies wait until the last minute to address new compliance obligations. That can lead to unnecessary stress and expense. I also recommend that companies proactively engage in the development of privacy and security standards, as well as breach response. If companies take a reactive stance and wait for changes to come to them, they risk being subject to unduly burdensome laws and regulations that ignore industry realities. By engaging with self-regulatory bodies, multi-stakeholder groups and, when appropriate, regulators and lawmakers, companies can provide valuable input to the development of privacy and security frameworks that address consumer concerns and promote innovation.

Sharton: Data security breaches can have significant business, legal and reputational costs for companies. Companies should guard against data breaches by implementing a robust, comprehensive privacy and information security program. Understanding that there is no such thing as perfect security, however, it is essential that companies acknowledge the inevitability of data breaches these days and adopt a proactive – rather than reactive – strategy to combat risk. It is imperative to have a crisis management plan and a designated response team organised before any incident occurs. Not only will this expedite any response, it will also protect against regulatory risks as regulators want to see that companies have a reasonable plan in place to address incidents and have made a good faith effort to follow that plan. Moreover, it is advisable to develop a working relationship with legal counsel who has expertise in the privacy arena. Given the reputational costs of bungling a data breach response, it is not in a company’s best interest to just be compliant with privacy laws and regulations or industry minimum standards. Companies should guard customers’ personal information in the same way they protect their trade secrets.

Gottlieb: Forward-thinking corporate counsel should invest in data privacy the same way that they have previously invested in compliance with the Foreign Corrupt Practices Act or the federal securities laws. Companies need to commit themselves to understanding, at a minimum: the types of sensitive data they hold that may be subject to state and federal laws; the systems in place to protect that data, including the plan to ensure that employees comply with data protection requirements; the company’s communications to customers, investors and regulators regarding its protection efforts; and the company’s plan in the event of a breach, including applicable disclosure obligations at the state and federal level.

Moulsdale: At its heart, effective data security and privacy fundamentally require the adoption and periodic review of processes that ensure an organisation stays abreast of, and timely addresses, rapidly changing technologies, electronic threats and other risks. In fact, most organisations must periodically monitor those processes because some state-level data security laws impose a general duty to implement and maintain ‘reasonable’ security procedures and practices that are ‘appropriate’ to the nature of underlying personally identifiable information, and the nature and size of a business and its operations. And the strictest state laws, such as in Massachusetts, and certain sector-specific US federal laws, such as HIPAA, require ‘regular’ monitoring or ‘periodic’ evaluations. Organisations should view the rapidly changing legal landscape as another risk factor that must be regularly or periodically monitored and addressed, much like technological risk factors. In order to ensure that those evolving legal and other risks are properly monitored, organisations should designate an executive to be responsible for data security and privacy, ensure that the executive has complete C-suite support for that responsibility, and enable the executive to assemble, or seek the support of, multi-disciplinary teams of people who understand data security, including lawyers and data security specialists.

    RC: If a company suspects or confirms that it has been the victim of a serious breach resulting in compromised data, what immediate steps should it take to manage the situation?

    Wolf: First, convene the company’s incident

    response team to manage the company’s response.

    Identify the source of the breach and limit further

    data loss. In doing so, take steps to ensure that

    evidence of the breach is preserved. Determine

    what is likely to happen to the data that was

    compromised. If possible and appropriate, dedicate

    resources to recovering the data before it is used

    to facilitate identity theft, fraud or other unlawful

    activities. Identify the types of data compromised;

    the individuals and entities that may have been

    affected; and the laws, regulations and agreements

    that may dictate how the company must respond to

    the breach. Anticipate the reactions of consumers

    and business customers. Develop a consistent

    communications strategy that addresses reasonable

    concerns and shows that the company takes its

    obligations seriously. Importantly, prepare all written


    reports at the direction of counsel and subject to

    attorney-client privilege.

    Gottlieb: It should go without saying that the

    best time to prepare to manage a breach is before

    a breach ever occurs. Having a management plan in

    place will help a company avoid unforced errors and

    minimise damage as quickly as possible. Generally

    speaking, the first step should be to investigate

    the breach to determine its scope, the type of

    data that may have been compromised,

    whether the threat remains ongoing, and

    the relevant disclosure obligations the

    company may face. This should begin

    immediately – delays in understanding

    the breadth of a data breach may end

    up seriously costing a company. One

    critical element of any response to a

    breach will be harmonising the company’s

    communications to customers, investors,

    regulators, Congress and the press.

    Companies should not make public

    representations about a breach without

    appropriate qualifications given the state of the

    investigation. It is important for counsel to be

    involved early in order to protect relevant privileges

    and anticipate possible investigation and litigation

    risks. In particular, companies must avoid the

    temptation to downplay the extent of a breach in

    the press prematurely, as misstatements can lead to

    regulatory actions or shareholder suits.

    Sharton: Ideally, a company will have prepared a

    comprehensive crisis management plan in advance

    and would activate that plan immediately upon

    discovering any suspected breach. That said, first

    and foremost a company must take steps to contain

    the breach as a technical matter. Right from the

    outset, the company should inform and involve legal

    counsel. It is vital that the response is conducted

    in consultation with and at the direction of counsel

    – whether internal or external – to help preserve

    legal privileges, potentially coordinate with law

    enforcement, and safeguard against other legal risks.

    It is advisable to have outside legal counsel employ

    any forensic team hired to protect the integrity of

    the data and any evidence under privilege. Forensic

    experts are often required to help determine the

    scope of the breach and the type of data affected.

    Michael J. Gottlieb, Boies, Schiller & Flexner LLP

    “One critical element of any response to a breach will be harmonising the company’s communications to customers, investors, regulators, Congress and the press.”

    Once the breach has been contained, legal counsel

    and management should work together to assess if

    and when notification should – or must – be given

    to potentially affected individuals or governmental

    agencies in light of regulatory and business

    requirements and to develop a strategy for internal

    and external communications.

    Moulsdale: A company’s first step should be

    to activate its Breach Response/Mitigation Plan,

    provided it had the foresight to create

    one in advance. If not, then the company

    should assemble a breach response

    team led by a C-suite executive, such as

    CFO or COO. The response team’s first

    steps should be to engage experienced,

    independent legal counsel and forensic

    specialists, and then work with those

    experts to: contain the breach and prevent

    further harm; preserve data and evidence,

    particularly log files in the case of a

    hacking-type breach; forensically assess

    the causes and impact of the breach;

    check insurance policies for possible

    coverage and follow any required steps to trigger

    coverage; determine the scope of the company’s

    duty to notify potential victims, government agencies

    or others under state, provincial or federal laws;

    review customer and vendor agreements for

    contractual duties or rights that may have been

    triggered by the breach; and manage and contain

    communications.
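Added example, not part of the roundtable and not any participant's own tooling: the evidence-preservation step Moulsdale (preserve log files in a hacking-type breach) and Sharton (protect the integrity of the data and any evidence) describe, reduced to its technical core. Each collected log is hashed with SHA-256 before anyone touches it, the hashes go into a chain-of-custody manifest that records who collected the files and when, and the same manifest is later used to prove the copies handed to counsel or a forensic team are unchanged. The log lines, file names and collector identity are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
import time

# Constructed sample log lines (made up for this example, not real traffic).
SAMPLE_ACCESS_LOG = (
    '203.0.113.7 - - [12/Mar/2014:03:14:07 +0000] "GET /admin/export?all=1 HTTP/1.1" 200 8822\n'
    '203.0.113.7 - - [12/Mar/2014:03:14:09 +0000] "POST /login HTTP/1.1" 302 0\n'
)
SAMPLE_AUTH_LOG = (
    "Mar 12 03:13:58 db01 sshd[2210]: Accepted password for svc_backup "
    "from 203.0.113.7 port 51022 ssh2\n"
)


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so multi-gigabyte logs never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, collector):
    """Record path, size, mtime and SHA-256 of each file, plus who collected it and when.

    Hash the files before anyone (the response team included) edits, rotates or
    compresses them; the manifest is the chain-of-custody record for counsel and
    the forensic team.
    """
    files = []
    for path in paths:
        st = os.stat(path)
        files.append({
            "path": os.path.abspath(path),
            "size": st.st_size,
            "mtime": st.st_mtime,
            "sha256": sha256_file(path),
        })
    return {"collected_by": collector, "collected_at": time.time(), "files": files}


def write_manifest(manifest, out_path):
    """Write the manifest and return its own hash, to be noted out-of-band (e.g. in the case file)."""
    with open(out_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(out_path)


def verify_manifest(manifest):
    """Return (path, reason) for every file that is missing or no longer matches its recorded hash."""
    problems = []
    for entry in manifest["files"]:
        if not os.path.exists(entry["path"]):
            problems.append((entry["path"], "missing"))
        elif sha256_file(entry["path"]) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Seal two sample logs, then append to one and show that verification catches it."""
    workdir = tempfile.mkdtemp()
    access_log = os.path.join(workdir, "access.log")
    auth_log = os.path.join(workdir, "auth.log")
    with open(access_log, "w") as f:
        f.write(SAMPLE_ACCESS_LOG)
    with open(auth_log, "w") as f:
        f.write(SAMPLE_AUTH_LOG)

    manifest = build_manifest([access_log, auth_log], collector="ir-team@example.test")
    manifest_hash = write_manifest(manifest, os.path.join(workdir, "manifest.json"))

    clean = verify_manifest(manifest)          # nothing changed yet: []
    with open(access_log, "a") as f:           # simulate a post-collection edit
        f.write("tampered\n")
    tampered = verify_manifest(manifest)       # one 'hash mismatch' entry
    return clean, tampered, manifest_hash


if __name__ == "__main__":
    print(demo())
```

In practice the manifest hash is written into the incident record (or signed) at collection time, because a manifest that lives next to the evidence can be edited along with it; the copy handed to outside counsel's forensic team is then verified against that recorded value, not against whatever manifest arrives with the files.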

    Dort: A company’s response to a data breach

    begins before the breach even occurs. First, the

    company must prepare alternative contingency

    plans that key off of the various types of sensitive

    data they have. Second, the company should

    identify the personnel who will play a role in those

    contingency plans, and drill them so that in the

    event of a breach, they are familiar with the tasks

    required of them. Third, in the event of a data

    breach, a company should immediately activate the

    appropriate plan and put the correct personnel into

    action – forensic IT investigators, public relations,

    management and legal. In this way, the company

    will not waste time ‘improvising’ under a clear crisis

    environment, and risk compounding the effects of

    the breach or failing to comply with all applicable

    laws as it responds to the breach.

    S. Keith Moulsdale, Whiteford, Taylor & Preston LLP

    “Together, insider theft and employee error or negligence account for roughly 15 percent of data security breaches.”

    RC: What can and should companies do to manage internal threats to data privacy, including the actions of rogue employees?

    Gottlieb: Most companies spend their IT security

    budget on trying to keep unauthorised personnel

    – or hackers – out of a company’s network. Often,

    however, damage to a company is inflicted by an

    authorised user of its network: an employee. The

    two most famous ‘insider’ threats – Bradley Manning

    and Edward Snowden – exploited US government

    networks carrying top secret information. These

    incidents highlight the significant harm that an

    insider can inflict on an organisation. To mitigate

    insider threats, companies need to link the

    operations of Human Resources, Physical Security

    and IT Security departments. When an employee is

    preparing to leave a company, whether voluntarily or

    involuntarily, the HR department should immediately

    notify IT Security to monitor for unauthorised

    activity on the network. Moreover, IT must disable

    employees’ network access in a timely manner.

    When an employee has demonstrated erratic

    behaviour or is being disciplined, supervisors may

    need to request special monitoring of their network

    usage. Corporate Security or HR can also monitor

    public databases for red flags requiring enhanced

    network monitoring. There are specialised insider

    threat detection technologies that can help identify

    malicious insider activity in real time. But there are

    significant limitations to these technologies; for

    instance, they do not detect activity that is gradual or

    is part of an employee’s normal behaviour pattern.

    Dort: To manage internal threats, such as those

    posed by rogue employees, a company must

    implement strict security policies grounded on a

    ‘need to know’ basis, thus permitting access to

    sensitive data by only those personnel with a true

    need to access and handle it. In addition, companies

    should design into their IT systems sophisticated log-in functions such that trails will be left in the system

    tracking all details of system events – the ‘who,

    what, where and when’ data that will be needed

    to determine what happened and to determine

    the appropriate remedies. In addition, companies

    should train employees thoroughly about the need

    for data security and how to properly implement the

    company’s applicable security protocols, and make

    clear to employees the rationale underlying those

    protocols.

    Moulsdale: Together, insider theft and employee

    error or negligence account for roughly 15 percent

    of data security breaches. So, it is as critical to

    manage potential internal risks as it is to manage

    external threats. Management of internal risks


    should include: routine, but legally compliant, use

    of background checks when hiring employees

    or subcontractors with access to sensitive data

    or systems; routine data security training; data

    classification and segregation; limiting access to a

    data class, particularly any sensitive classes, based

    on a need to know; deletion of stale or unneeded

    personal data; and implementation and enforcement

    of a written information security plan or ‘WISP’,

    including any policies related to data security, such

    as a ‘bring your own device’ to work policy.

    Sharton: Five things that a company can do

    to manage internal threats to data privacy are as

    follows. First, educate employees as to their roles

    and responsibilities with respect to information

    security. Second, set the tone at the top that privacy

    is mission-critical to the organisation. Third, develop

    a comprehensive incident response plan. Fourth,

    consistently monitor what data the company

    has, where that data is located and the data’s

    current security status. Finally, employ role-based

    access controls so that no employee has greater

    information access than is necessary to capably

    perform his or her job function and that access is

    cut off as soon as employment ends. While this list

    is far from exhaustive, implementation of these five

    practices in any company not currently employing

    such practices will greatly improve internal data

    security.
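Added example, not drawn from the roundtable or from any participant's systems: a toy access controller that puts together the three controls Gottlieb (HR notifying IT so that access is disabled promptly), Dort (a 'who, what, where and when' trail of system events) and Sharton (role-based access on a need-to-know basis, cut off at the end of employment) describe. Every access decision, allowed or denied, is written to the trail, and the HR-triggered offboarding both disables the account and strips its roles so a later re-enable cannot silently restore access. Roles, data classes, user names and IP addresses are hypothetical.

```python
import time
from dataclasses import dataclass

# Role -> data classes that role may handle (need-to-know). Hypothetical roles and
# classes chosen for this example.
ROLE_PERMISSIONS = {
    "hr_analyst": {"employee_pii"},
    "support_agent": {"customer_contact"},
    "billing_admin": {"customer_contact", "payment_card"},
}


@dataclass
class Employee:
    user_id: str
    roles: set
    active: bool = True


@dataclass
class AuditEvent:
    when: float       # when: event timestamp
    who: str          # who: acting user
    what: str         # what: action attempted (read, export, revoke_access, ...)
    where: str        # where: data class or account acted on
    source_ip: str    # where from: client address
    outcome: str      # "allowed" or "denied"


class AccessController:
    def __init__(self):
        self.directory = {}   # user_id -> Employee
        self.audit_log = []   # append-only trail

    def add_employee(self, emp):
        self.directory[emp.user_id] = emp

    def _record(self, who, what, where, source_ip, outcome):
        self.audit_log.append(AuditEvent(time.time(), who, what, where, source_ip, outcome))

    def check_access(self, user_id, action, data_class, source_ip):
        """Deny by default; every decision, allowed or not, goes to the trail."""
        emp = self.directory.get(user_id)
        allowed = (
            emp is not None
            and emp.active
            and any(data_class in ROLE_PERMISSIONS.get(r, set()) for r in emp.roles)
        )
        self._record(user_id, action, data_class, source_ip, "allowed" if allowed else "denied")
        return allowed

    def offboard(self, user_id, hr_actor, source_ip):
        """HR notice of departure: disable the account and strip its roles in one step."""
        emp = self.directory[user_id]
        emp.active = False
        emp.roles = set()
        self._record(hr_actor, "revoke_access", user_id, source_ip, "allowed")

    def denied_attempts(self, user_id):
        """Monitoring hook: denied attempts by a user, e.g. one who has given notice."""
        return [e for e in self.audit_log if e.who == user_id and e.outcome == "denied"]


def demo():
    ac = AccessController()
    ac.add_employee(Employee("alice", {"billing_admin"}))
    ac.add_employee(Employee("bob", {"support_agent"}))
    r1 = ac.check_access("alice", "export", "payment_card", "10.0.0.5")   # in role: allowed
    r2 = ac.check_access("bob", "read", "payment_card", "10.0.0.9")       # no need to know: denied
    ac.offboard("alice", hr_actor="hr.carol", source_ip="10.0.0.2")       # HR triggers revocation
    r3 = ac.check_access("alice", "export", "payment_card", "10.0.0.5")   # after offboarding: denied
    return r1, r2, r3, ac


if __name__ == "__main__":
    r1, r2, r3, ac = demo()
    for event in ac.audit_log:
        print(event)
```

The point of logging denials as well as grants is the monitoring Gottlieb mentions: a departing employee probing data classes outside their role shows up in `denied_attempts` before any data leaves, whereas a trail of successful reads alone would only help after the fact.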

    Wolf: Technological measures are useful, but

    they can only do so much. The lapses of well-meaning individuals and the nefarious actions of

    rogue employees can lead to data loss even when

    the most sophisticated measures are in place.

    For that reason, it is essential that companies

    foster a culture of privacy and security awareness.

    Management should consistently communicate

    the importance of privacy and security, develop

    robust training programs, and integrate privacy and

    security awareness into evaluation metrics. When

    employees integrate the lessons from privacy and

    security trainings into their day-to-day activities,

    they are far less likely to inadvertently compromise

    or inappropriately use personal information.

    Furthermore, the actions of a rogue employee are

    likely to stand out in an organisation that embraces

    and fosters a culture of privacy and security

    awareness.

    RC: What challenges do responsible companies face when they seek to deliver innovative products and services while promoting privacy and security?

    Dort: In general, companies need to develop a

    clear understanding of all the data that they will

    be collecting and how they will be handling it, both

    internally, and if applicable, as to third parties. For

    example, as to the developing ‘internet of things’ in

    which products will communicate via the internet


    with external systems to maximise performance,

    such links will be susceptible to compromise by third

    parties. The growth of Wi-Fi communications with

    products such as medical devices that communicate

    directly with physicians could compromise PHI

    absent appropriate security protocols. Thus, for

    any given business model, the company must fully

    understand the implications of how it handles data

    so that it proactively addresses potential

    problems, thereby avoiding them or at

    least minimising the risk thereof.

    Wolf: One of the greatest challenges for

    companies seeking to deliver innovative

    products and services is that they are

    often forced to comply with privacy

    and security frameworks that were

    designed to address the issues raised by

    now-obsolete technologies. Technology

    often outpaces regulation. Some of

    the US privacy laws were drafted back

    when chirping modems announced our

    connections to the internet and we stored all of our

    data locally. Yet we see people trying to fit the square

    pegs of cloud computing, social media, Big Data and

    personalisation into the round holes of decades-old laws and regulations. We need to allow more

    room for innovation when it comes to promoting

    privacy and security. The Fair Information Practice

    Principles were designed as high-level guidelines

    for organisations’ privacy practices. Companies

    should be encouraged to promote those principles

    without being forced to adopt the privacy-promoting

    mechanisms that were made for another era.

    Gottlieb: There is often a tension inside

    a company between enhanced security and

    increased technology deployment. Companies

    are obviously interested in deploying the latest

    innovative technology that will increase revenue and

    efficiency, but can they do so in a safe and secure

    manner that will protect the company’s intellectual

    property and personal records? The solution for

    sophisticated businesses is often a long testing cycle

    for innovative products and services to ensure that

    the functionality that these products and services

    produce also meets the privacy and security

    standards that the company expects. Taking time

    to conduct adequate security testing may delay the

    deployment of an innovative product or service, but

    may nonetheless be necessary to mitigate risks.

    Kenneth K. Dort, Drinker Biddle & Reath LLP

    “In general, companies need to develop a clear understanding of all the data that they will be collecting and how they will be handling it, both internally, and if applicable, as to third parties.”

    RC: Would you say there is a strong culture of data protection developing in North America? Are companies proactively implementing appropriate controls and risk management processes?

    Sharton: I think there is a strong culture of data

    protection developing in the United States. The US

    companies with which I have dealt have made data

    protection and privacy a priority by setting a tone

    from the top that privacy is a core value of their

    business. These companies take data protection

    very seriously, and development of a privacy culture

    and appropriate risk management controls seem to

    be driven by reputational, business and competitive

    concerns. These concerns seem paramount, rather

    than other factors such as enforcement activity

    on the part of the government. High profile data

    breaches only add to the competitive pressures to

    make sure that one’s data privacy house is in order.

    Gottlieb: Corporate culture surrounding data

    protection is certainly improving. On the positive

    side, companies are training more employees on

    risks, and monitoring security practices more than at

    any time before. Executives are increasingly involved

    in sending a message from senior management

    about the importance of cyber risk management.

    And the development of the NIST framework has the

    potential to establish norms and standards that


    will spread beyond the critical infrastructure space

    and improve corporate risk management over

    time. But there is still a long way to go. Executives

    must continue to build cybersecurity into the

    organisational structure of businesses, rather than

    segregating the issue solely as an IT or compliance

    function. Moreover, companies must train their

    employees on why cyber security is essential to their

    position as stewards of corporate and customer

    information. In today’s environment, one misstep

    can cause potentially catastrophic damage to the

    company.

    Wolf: Companies are embracing their roles as

    stewards of consumer data. While I cannot speak for

    all companies, in my experience most companies

    are dedicating significant resources to proactively

    addressing privacy and security concerns.

    Companies do not want to be part of the next media

    story announcing a data breach or privacy misstep.

    The fallout from such an event can be crippling.

    Instead, companies want to be known for their

    positive efforts to cultivate and implement privacy

    and security innovations. Companies recognise that

    data is the new oil. And they also recognise that

    without consumer trust and engagement, the data

    will not flow.

    Dort: The culture of data protection, while quite

    weak 10 years ago, is now becoming stronger day

    to day. Given the massive public relations damage

    suffered by many companies over the last few years

    in response to data security breaches, companies

    are greatly motivated to protect sensitive data so as

    to avoid these disasters. Moreover, governments at

    both the federal and state levels are becoming more

    proactive and aggressive in mandating effective

    data security procedures. Finally, the courts have

    become instruments of remedy for affected persons

    – on both an individual and class basis – in response

    to breaches. As a result, companies are becoming

    much more proactive both domestically and

    internationally in their handling of sensitive data.

    Moulsdale: The blossoms of a strong culture of

    data protection are beginning to form in the US. After

    years of relative corporate and consumer apathy,

    this shift is primarily being driven by enforcement

    actions taken by state attorneys general and the

    FTC, as well as a rising level of consumer awareness

    – which has been triggered by daily news reports

    of data security breaches that have touched every

    business sector. In particular, that awareness has

    spiked recently due to revelations about alleged

    privacy violations of the National Security Agency.

    That said, complying with a complex patchwork

    of US and foreign data protection laws can be

    expensive; while most companies would prefer full

    compliance with applicable laws, the expense of full

    compliance can be prohibitive.


    EDITORIAL PARTNER

    KEY CONTACTS

    Michael J. Gottlieb, Partner, Washington, DC, US. T: +1 (202) 237 9617. E: [email protected]

    Karen L. Dunn, Partner, Washington, DC, US. T: +1 (202) 895 5235. E: [email protected]

    Lee S. Wolosky, Partner, New York, NY, US. T: +1 (212) 754 4205. E: [email protected]

    Boies, Schiller & Flexner LLP, founded

    in 1997, has close to 300 lawyers practicing

    in the US and the UK. We regularly serve

    as lead counsel in the most significant and

    highest profile disputes in the world. In less

    than a decade, we have won and saved our

    clients billions of dollars in trials, arbitrations

    and settlements. Our Crisis Management

    and Government Response practice focuses

    on enterprise-threatening events involving

    overlapping civil or criminal litigation, intense

    media scrutiny and inquiries by legislative and

    regulatory authorities. Our partners have served

    in senior positions in Congress, the White House,

    the DOJ, FTC, SEC and both federal and state

    prosecutors’ offices.

    Boies, Schiller & Flexner LLP, www.bsfllp.com