DATA SECURITY BREACHES
PRIVACY: DATA SECURITY BREACHES • A roundtable DISCUSSION
ADVERTISING SECTION
DATA SECURITY: Managing the risk

Data security continues to be a hot topic for general counsel and privacy officers. Breaches have not abated; organized computer crime makes front-page news. The legal framework continues to grow, both from state regulators, Attorneys General, the FTC and the EU. We’ve asked three top experts in the field for their assistance in laying out what to do. They are Charlene Brownlee, a partner with Davis Wright Tremaine in Seattle; Ruth Boardman, a partner with Bird & Bird in London; and Michelle Dennedy, chief data strategy and privacy officer at Sun Microsystems in Mountain View. This is an abridged transcript of a live event held Sept. 26, 2008, in San Francisco, moderated by freelance legal affairs writer Susan Kostal, and reported for Jan Brown & Associates by Valerie E. Jensen.

Photo by: Jason Doiy

MODERATOR: Charlene, I want to start with you this morning. Give us a sense of the continued importance of privacy and data security. I have the distinct feeling, since we did our last panel, that there’s even more heat, light and focus on the issue.

BROWNLEE: I would agree 100 percent. In terms of statistics, 2008 is half over, and we’ve already had the same number of security breaches as for the entire year 2007. Why are we seeing higher statistics? More than 44 states require notification of data breaches resulting in the disclosure of personally identifiable information (such as Social Security numbers, drivers’ license numbers and financial information). The majority of information is digital, processed and stored electronically, and often on portable media. The No. 1 cause of data breaches is negligence. Some 50 percent of data breaches are caused by employees leaving laptops at home or in their cars, and there’s a break-in. Only 4 percent of data breaches are caused by hackers, which tells us that, as counsel and as privacy officers and IT professionals, we can do more to bring those numbers down.

MODERATOR: Let’s go into the growing legal framework that governs privacy.

DENNEDY: The word “framework” is critical here. When you approach this as a global entity—and we do business in more than 140 countries around the world—there is no such thing as localized data, if you’re using any sort of system that interfaces with the Web. As you review the framework, start by asking where the data is, from an IT perspective. Who is managing it, leading it, and paying for it? Then look to the various jurisdictions that cover those interactions and come up with a framework that includes laws like PIPEDA, the EU Directive and all of its member states, what’s going on in Asia, Korea, Argentina. Look at the map, and that’s your framework. If it sounds overwhelming, it is. You can get very geeky on this very quickly. But there is hope. A risk-based approach, rather than a black-and-white, find-the-answers approach, will cover you 80 percent of the time.
BOARDMAN: The EU has had data privacy legislation since before the 1995 Directive. But when we’re talking about security breach notification, we’re playing catch-up. Although we have general security principles in the EU, we don’t yet have a breach notification law. But that is coming. We have two main data privacy directives in the EU: one general, and one specific to the communications sector. The communications sector directive is being rewritten, as we speak. One of the changes being made to it is to introduce breach notification requirements. That will then have to be transposed into the law of each member state. In the UK, our regulator has been given increased powers following an enormous data breach by Revenue and Customs. Also recently, Nationwide Building Society lost a laptop, and the society was fined 1 million pounds because it didn’t have appropriate procedures in place to know what to do in such situations. They waited three weeks deciding what to do.
BROWNLEE: In the absence of federal legislation, in the U.S. you must take a state-by-state approach. Are people familiar with the Nevada encryption legislation that went into effect Oct. 1?

DENNEDY: You’re about to be depressed.
BROWNLEE: In addition to the new Nevada law, which requires encryption during transmission, Massachusetts has just adopted regulations that require encryption before and after transmission. In addition to a state-by-state approach, you also need an industry/sector analysis. Health care information, for example, is covered under HIPAA. The financial sector is covered by Gramm-Leach-Bliley, and now, as of November, the red flag rules pursuant to FACTA. The only federal legislation that deals directly with the collection of information online is the Children’s Online Privacy Protection Act, COPPA. There’s no other generally applicable federal legislation for consumer transactions over the Internet. But the FTC has been increasingly aggressive about regulating companies that fail to live up to their posted privacy policies. In 2006, the FTC established a Division of Privacy and Identity Protection, which is specifically targeted to investigate data breaches. As of March 2008, the FTC had brought more than 20 cases against businesses for failure to maintain reasonable security measures. If you are subject to an investigation and settle, usually there will be a fine, and a requirement to conduct independent audits, sometimes for as long as 20 years. One of the biggest cases to date involved ChoicePoint. They were assessed $10 million in fines, had to allow $5 million for consumer redress, and agreed to be audited for 20 years.
DENNEDY: We are a big provider for companies in the financial services sector, so many of our customers are impacted by the November 1 FACTA deadline. That regulation points out the synergy between privacy rules and data transfer regulations, which until two years ago could be managed fairly well by notice and consent. That was really where the locus of control and focus and meeting most of these regulatory issues came in. What FACTA presents and what the financial services sector is going through right now, what HIPAA has foreshadowed, is that the growing framework, on both a federal level and internationally, is about to get much more specific about what companies, tactically, must do to get out of either a negligence theory or a statutory theory for data losses.

It’s also important to understand server-based computing. Today’s buzzword is “the cloud.” Everything is “in the cloud.” Nothing is in the cloud but rain, folks. It’s all on a server somewhere, and that server has jurisdiction stuck all over it. It is physically located somewhere. You have to be aware of where your data is and make sure that your clients know where their data is so that you can provide appropriate legal advice. You may be missing jurisdictions you haven’t even thought of. Who is the account customer base, the employees? Where are they coming from? Are they working from home? Where is the data going to and in what format? Is it encrypted? Has it been severed from any sort of personal information so it cannot be reconstituted? You must know the answers to these questions. Lawyers are being increasingly dragged into IT and HR, and other areas you may not have traditionally considered in your area of practice.

Be aware of the technological realities, the people, the processes and the technology synergy, so when you’re crafting your legal memoranda about all these new rules, regulations, cases and fines, you are giving people like me something I can consume.
BROWNLEE: The FTC’s position is clear: “Companies that collect sensitive consumer information have a responsibility to keep it secure.” And that responsibility to implement appropriate IT securities and safeguards is also a requirement of approximately half of the 44 state data breach notification laws. So, from a corporate perspective, it is not a gray area. It is clear that companies must deploy appropriate physical safeguards. A company would be well served by looking at the obligations that are imposed upon financial institutions and adopt a similar data breach notification strategy. When these breaches occur, you need a methodical plan, so you are not acting in crisis mode.
MODERATOR: It seems redundant at this point to use the word “global,” but tell us about the concerns inherent in data transfer and outsourcing.
BOARDMAN: Movements of data outside the EU are prohibited. So emailing and transferring data to a server outside the EU—even traveling with a laptop outside the EU—engages the prohibition. The only countries that you can transfer data to from the EU are ones that have been approved by the European Commission and, so far, that list is limited to Argentina, Switzerland, certain Canadian organizations covered by PIPEDA, the Isle of Man, Jersey, and Guernsey. So it’s a fairly small list.
There are four main methods to deal with this. If data is being transferred from the EU to an organization in the US that participates in the Safe Harbor scheme, that data transfer is fine. From an EU perspective, Safe Harbor is very easy for organizations to deal with. A second option is freely given consent. That sounds good, but it’s hard to do in practice, especially in the employment context. In many countries in the EU, you have to get a permit from the data protection authority to export the data, and you have to explain the basis on which you’re asking for the permit. In some countries, if you say, “This is employee data, but we’ve got consent,” as a matter of principle, the data protection authority will reject your application, because they’ve taken a paternalistic view toward employees.

The other alternative is to use European Commission-approved contract clauses. These are data export contracts that oblige the importing organization to offer EU protection for data. The idea is great, but they can be bureaucratic. The clauses require registration in about 18 out of the 27 member states, which is a time-consuming process. The other problem is that you have to complete an annex describing what you’re doing. And with my clients, I’ve found that you complete that and then a year or two years later, the client will do something different; they’ll want to implement a different HR system, and then you have to redo the clauses. The last alternative is to adopt “binding corporate rules.” The idea behind these is that you embed data privacy in the organization’s culture. So, for example, with employee data, you might develop a workforce data privacy policy. If you can show that that is binding and really enforceable within the organization, then you can take these rules and procedures to EU data protection authorities and get them approved, which then allows you to transfer data freely within the organization, without additional consent, or registering standard contract clauses. You have to keep the data protection authorities up to date if new members of the group come on board or if you change your processing significantly, but it should be a much-lighter-touch approach than the registration process.
BROWNLEE: Binding corporate rules (BCRs) are a bit controversial, because they’re very expensive to develop and implement, and they only protect the flow of data among those corporate entities. For example, BCRs do not address the flow of information from an EU member state to a country that is deemed to have inadequate safeguards. So it’s not a one-stop-shopping solution; you still have to layer BCRs with other privacy mechanisms, such as Safe Harbor certification.
BOARDMAN: You make several good points. It is a pioneering effort. It started in 2003, and by 2005, we only had one application that had been authorized. But there’s a real sense that it’s starting to become more manageable. The reason for the initial cost is you need to go and negotiate with the protection authorities, many of which have little expertise or familiarity with how organizations work. But we’re starting to see a critical mass of applications come through.

My clients have been able to leverage existing privacy policies and procedures. And in some instances, once there is a UK authorization, other data protection authorities are happy with that, and have granted authorization on that basis alone. The advantage is once you have a BCR, there are fewer bureaucratic restrictions to them. If you have data that is going from the EU to a U.S. entity, which will then be transferred to a third party in the U.S., you would need separate contract terms to deal with that. But you would, in any event, under EU commission clauses or Safe Harbor.
MODERATOR: So how do companies best mitigate the risk?
BROWNLEE: Let’s use, as an example, the lawsuit filed against Accenture in 2007. The Connecticut Attorney General hired Accenture to transfer some taxpayer and other personally identifiable information into a PeopleSoft database. A backup tape containing the information was stolen. The state had a contract with Accenture that included provisions requiring Accenture to employ reasonable safeguards. Accenture was subject to a negligence claim, and also breach of contract. The takeaway here is that you must have a written agreement with all third parties transferring or processing your data, whether an information destruction/storage vendor or an electronic discovery provider. The agreement should provide that the vendor retains ownership/control at all times, does not subcontract without your permission, uses reasonable safeguards, and agrees to indemnify you in the event of a data breach.

Your agreement should include a clause requiring your vendor to allow you to have a third party come in and audit your service provider’s information systems and ensure that your service provider notifies you within a very short period of time if there is any sort of breach or suspected breach.
DENNEDY: My favorite phrase in contract negotiations is “from time to time.” Every now and again we get this clause in an outsourcing context or some context that is a data-intensive relationship. It will say, “reasonable security as may change from time to time.” “Reasonable” five years ago did not include comprehensive encryption. “Reasonable” five years ago did not require background checks for every single worker in every single facility. That clause is going to screw you later. The most important element of mitigating legal risk in the contracting context is to really understand the deal. You need to really understand the scope and the shape and the possibility of data transfer, either from individual contractors that come in, or people who are able to somehow carry your data out. Really do your homework. As a lawyer, you need to become a much bigger player in the decision-making process. In the statement of work, you need to understand what kind of information needs to be transferred from organization to organization and to various downstream processing, and in what context. You have to be very careful in the indemnity section. It plays both ways. Auditing is one of the hottest negotiation topics right now because, inherently, by having a third-party auditor in my data center, I am compromising the security of my other customers or I’m possibly exposing them to third-party distribution, under law, by allowing them in. In laying out the deal, look at which people really need access to the data, not based on any hierarchy or organization chart, but by what role they really perform.
BOARDMAN: I would completely agree with everything that Michelle and Charlene have said about risk, and would add two additional points. One is there are specific obligations in the EU when you appoint the kind of third party that Charlene mentioned; in EU terms, this agent is called a processor. But if you do due diligence and take the approach that’s been described, then you will do what is required in the EU. The other point to note is that in the EU, under the Data Protection Directive, if you are the organization that controls the data, you’re responsible for it. When you appoint a third party to hold the information or to do anything with the information on your behalf, then you are responsible for what that third party does. So, if there is a security breach, then you are still on the hook to individuals, even though it might be the third party who was responsible. Again, there are a couple of nice examples of this in the UK involving lost laptops that weren’t encrypted. In each case, it was the client organization that ended up on the receiving end of an enforcement notice from the Information Commissioner, which required the client to roll out encryption and caused the organization and contractor to report back on a regular basis to the commissioner. So I reinforce the point that having appropriate contract terms is vital. You want to be checking your contract and looking at that indemnity.
BROWNLEE: There are four practical ways to mitigate or prevent data breaches. The first one is obvious: don’t collect what you don’t need. Secondly, destroy or redact what you don’t need. Follow the federal laws, such as FACTA, on secure disposal of personally identifiable information. Thirdly, ensure that any laptops you recycle, donate to charity or send back to a vendor are scrubbed. Lastly, conduct a privacy impact assessment prior to the launch of any new product or service. Encourage your teams—marketing, IT, product development, legal—to review what information can be collected from the product, and what the legal ramifications are.
DENNEDY: There are technical solutions out there. I won’t make a company pitch. I agree with Ruth and Charlene, though—don’t collect more than you need, and don’t travel with more than you need. There are various strategies where you can take advantage of server-based computing to keep your crown jewels in a place where IT professionals are surrounding them with, truly, not just “the reasonable security from time to time” but actual security.
CHARLENE A. BROWNLEE is a partner with the law firm Davis Wright Tremaine LLP. She advises clients on global privacy and data security matters, development of records management programs, e-discovery best practices and technology transactions. She co-authored the legal treatise Privacy Law (Law Journal Press). Charlene has lectured and published widely on privacy, records management and e-discovery. She is a US delegate for the APEC Privacy Data Security Working Group and serves on the University of Washington’s Advisory Board for its EDiscovery Certification Program launching in 2009.

DAVIS WRIGHT TREMAINE LLP: The regulation of privacy and data security continues to expand at both a state and federal level. We can assist your organization in determining what policies, procedures and technology are required to comply and ensure proactive information governance. From developing record retention schedules and litigation hold policies, to advising on responding to a data breach, we have the experience and business-oriented perspective that clients value.

RUTH BOARDMAN is a partner in the London office of Bird & Bird. Ruth advises on all aspects of European information law, including data protection, freedom of information, database rights and confidentiality, with a specific emphasis on IT, e-commerce and public procurement. She is the co-author of Data Protection Strategy, published by Sweet & Maxwell. She also edits the Encyclopedia of Data Protection, from the same publisher, and is on the editorial board of Data Protection Law & Policy.

BIRD & BIRD is a leading European and Asian law firm, with offices in Belgium, Czech Republic, Finland, France, Germany, Hungary, Italy, Poland, PRC, Slovakia, Spain, Sweden, The Netherlands and The UK. We are ranked as a leading firm for data privacy advice, where we advise a wide range of international companies as well as companies for whom personal data is a key asset. We provide a full range of legal services: commercial, corporate, corporate restructuring & insolvency, dispute resolution, employment, EU & competition law, finance, intellectual property, outsourcing, public procurement, real estate and regulatory & administrative tax.

MICHELLE DENNEDY is Chief Privacy Officer for SUN MICROSYSTEMS, INC. Michelle is responsible for the continued development and implementation of Sun’s data privacy policies and practices, working across Sun’s business groups to drive the company’s continued data privacy excellence. Data privacy is a cornerstone of Sun’s approach to compliance with complex, demanding regulations including Sarbanes-Oxley, the EU Directive, California State Senate Bills, as well as escalating policy and process-oriented requirements being imposed globally. Michelle also works with Sun’s product development teams and partners to deliver best-practice privacy-enabling products and services. She is the co-founder of Sun’s internal Privacy Council, an organization that includes and engages with stakeholders from across the company and is dedicated to promoting and promulgating a cohesive practice throughout the organization to protect Sun’s relationships with its customers.
JAN BROWN & ASSOCIATES is a worldwide deposition reporting and legal video company. We offer the latest in technical expertise and the highest quality in the rendition of these services. Our services include realtime depositions, video conferencing, full-service legal videography, document scanning, on-line repository, DVD or CD-ROM, and case management services for large complex cases. We are Certified Livenote Providers and offer conference rooms. Our services are utilized by the top firms in the country and we are the court reporters and videographers of choice. www.janbrownassociates.com 800.522.7096