Transcript of Privacy law-update-whitmeyer-tuffin
Sponsored by Financial Directions, Inc.
February 21, 2012
Randy Whitmeyer
Whitmeyer Tuffin PLLC
www.whit-law.com
Privacy Law Update: Strategies for Handling Personal Information
The Backdrop: Mobile technology and the Internet
• Organizations store more and more information in electronic
form and are increasingly reliant on the Internet for accessing
data and systems
• Many employees have smartphones that are constantly
connected to the Internet
• Information sharing through Facebook, Twitter, and other
social networks is ubiquitous
• Active and growing “hacker” industry
The result: (1) expanding laws and regulations relating to the use and handling of private information, and (2) increased government enforcement activity and class actions by plaintiffs’ attorneys
The challenge for businesses: handle personal information in a way that is compliant with rules and regulations, and limit your risk
Specific Topics
• Legal obligations on use of personal information
• NC statutes relating to treatment of personal information
• Massachusetts Information Security law and other state laws
• Federal privacy/security update, including HIPAA and HITECH (treatment of medical records)
• Employers’ use of and access to employees’ communications/computer systems, and social network use
• Elements of effective information security/privacy policies
and social media policies
• Other proactive steps to manage information privacy and
security risks – contracting and insurance
NC Identity Theft Protection Act of 2005
• Similar to acts in almost all states, beginning with California in 2003 (the California law was updated as of 1/1/2012 to require more specific disclosures about security breaches)
• Violations of the statute are generally treated as an unfair or deceptive act or practice
Sect. 75-65: Protection from Security
Breaches
• Security breaches affecting personal information of NC residents must be reported to the affected individuals
• A reportable breach must involve “illegal use” of the information (or a reasonable likelihood of it) or a material risk of harm
• If the records are encrypted, notice is required only if the encryption key or confidential process was also compromised (the safe harbor is worth little if the key is stored alongside the data it protects)
• If the breach involves data you do not own or license (e.g., you hold it as a contractor), you notify the owner or licensee, not the affected individuals
• Notice must be made without unreasonable delay, taking into account law enforcement needs, verification of contact information and scope of breach, and need to restore security
• Notice must be clear and conspicuous, and provide a description of:
• The incident
• Type of personal information affected
• Remedial actions of the business
• Telephone number to get further information
• Advice to monitor account statements and free credit reports
• Notice may be given in writing or by e-mail (if the individual has consented to electronic notice)
• If the cost of notice would exceed $250,000, and in certain other situations, substitute notice may be given publicly
• If the breach involves more than 1,000 persons, the NC Attorney General’s office must also be notified
Section 75-62: SSN Protection
• A business may not:
• Intentionally communicate a person’s Social Security
number to the public
• Intentionally place an SSN on a card required to access
products or services
• Require an SSN to be transmitted over the Internet, unless
encrypted
• Require an individual to use SSN to access an internet web
site, unless a password or PIN is also required
• Print an individual’s SSN on any materials mailed to the
individual, unless otherwise required by law
• Sell or disclose an SSN to a third party if it is known or
should be known that the third party lacks a legitimate
purpose
• The exceptions – the restrictions do not apply to:
• Redacted SSN
• When required by law
• To the government
• To the opening of an account or payment for a product or
services authorized by the individual
• To the collection, use, or release of an SSN for internal
verification or administrative purposes
• When an SSN is included in an application or in documents related to an enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the SSN for the purpose of obtaining a credit report (with limits on mailing)
• To investigate or prevent fraud, conduct background checks, conduct certain research, collect a debt, obtain a credit report, serve a permissible Gramm-Leach-Bliley purpose, or locate a missing individual, lost relative, or a person due a benefit
Section 75-63: Security Freeze
• The ITPA of 2005 added a consumer right to place a security freeze on consumer credit reports
• The consumer may temporarily lift the security freeze
• While a security freeze is in place, the consumer reporting agency may not change the consumer’s name, date of birth, SSN or address without sending written confirmation of the change within 30 days
• Consumer reporting agencies must give NC residents specific notice of their rights under this provision
Section 75-64: Destruction of
Personal Information Records
• NC businesses MUST:
• Implement, and monitor compliance with, policies and procedures that require the destruction of paper records containing personal information
• Implement, and monitor compliance with, policies and procedures that require the destruction or erasure of electronic media containing personal information
• Document the destruction procedures as official written policy of the business
• If a third-party records destruction company is used, at least one of these due diligence steps must be taken:
• Review an independent audit of the disposal business
• Obtain references from reliable sources and review certification by a reputable source
• Review and evaluate the disposal business’s information security policies or procedures
• Disposal businesses must take all reasonable measures to dispose of records containing personal information by implementing, and monitoring compliance with, information security policies and procedures
• This section does not apply to businesses already subject to GLB, HIPAA, or the Fair Credit Reporting Act
Other State Law Developments
• At least 10 states have data security laws that generally require
companies to use “reasonable security” to protect personal
information
• Connecticut and Delaware require employers to provide notice to
employees before monitoring email communications or internet
access
• California and other states require prominent web site privacy
policies
Massachusetts Data Security Act
• Implemented in 2010, requires organizations that handle
information about Mass. residents to have a
comprehensive written information security program
• Requires certain personal information to be encrypted
• Starting March 1, 2012, all contracts with vendors who
handle information re: Mass. residents must require the
vendors to also implement and maintain appropriate
security measures
Federal Laws
• Generally “industry sector specific” – Gramm-Leach-Bliley (financial); HIPAA (health care); COPPA (children’s information); FERPA (education); Video Privacy Protection Act (video rental records)
• Electronic Communications Privacy Act of 1986 (ECPA) – predates the Internet and widespread e-mail use in the workplace
• Limits access to stored and “in transit” electronic communications
• Exceptions for access to employer-provided systems and where the user has consented to access
• The National Labor Relations Board has investigated numerous cases involving firings based on posts on social media networks
• The concern is that the right to engage in “concerted” employee activity may be infringed
Federal Trade Commission
• FTC has broad authority to monitor compliance with federal privacy laws, including breach of a published privacy policy. Authority is based on its mandate to regulate and prevent unfair and deceptive trade practices.
• In 2011, the FTC entered into enforcement proceedings against the major social networks (Twitter, Google, and Facebook)
• These proceedings have focused on the need for consent before a privacy policy is changed
• Concerns have expanded from the use and sale of personal information to the use of IP addresses, device identifiers, and other information not traditionally considered personally identifiable
Federal Legislative Proposals
• Momentum is growing for a federal cybersecurity bill
• Latest bi-partisan bill was introduced last week. The bill:
• Establishes liability protections for sharing of information relating
to information security threats
• Clarifies that info system owners may undertake countermeasures
to combat cybersecurity threats
• Allows government to establish cybersecurity performance
standards for certain critical infrastructure (finance, utilities, etc.)
• Other federal proposals seek to establish a national data breach
reporting standard
HIPAA Privacy and Security Rule
• Privacy Rule generally effective April 2003; Security Rule generally effective April 2005. The HIPAA rules are dense and lengthy.
• Enforcement of the Privacy Rule has generally been cooperative, but there have been over 200 referrals to the Department of Justice for criminal investigation. Audits of several hundred entities were announced in late 2011.
• Covered Entities (directly affected):
• Health care providers who engage in electronic Standard Transactions
• Health Plans
• Health care clearinghouses
• The HITECH Act (2009) added direct obligations on service providers (“Business Associates”) who handle protected health information
HIPAA Privacy Rule
• Protected Health Information (PHI) definition: all individually identifiable health information that is transmitted or maintained by a covered entity in any form, including paper and oral records and communications
• PHI can be disclosed only if:
• The purpose is treatment, payment or health care operations
• The individual has given authorization (needed for, e.g., disclosures to employers, fundraising, marketing); special authorization is needed for psychotherapy notes
• Another specified purpose applies (listed on the next slide)
• Written authorization cannot be made a condition of treatment or payment
HIPAA Privacy Rule
• PHI can be disclosed if:
Emergency or public health need
Judicial and administrative proceedings
To law enforcement in certain circumstances
For research purposes, if written IRB or Privacy Board
approval
Where required by law
HIPAA Privacy Rule
• Minimum Necessary rule: covered entities must make reasonable efforts to limit the scope of disclosures and requests to what is needed, with exceptions for these disclosures/requests:
• To/by the individual
• To/by another provider for treatment
• Under an authorization
• To DHHS for HIPAA compliance
• To comply with Transaction Standards
• Otherwise required by law
• De-identification rule: a long list of de-identification requirements, plus “no reason to believe” that the recipient can combine the information with other information to identify the individual
HIPAA Privacy Rule
• Right to Receive Notice of Privacy Practices
• Right to Access PHI
• Right to Request Corrections in PHI
• Right to Receive Disclosure Information
• Right to Request Additional Restrictions
HIPAA Privacy Rule
• A Business Associate must have a written contract with the covered entity containing the following provisions:
• Follow the Privacy Regulations
• Use appropriate safeguards to prevent unauthorized disclosure
• Report any unauthorized disclosure
• Make PHI available in accordance with patient access rights
• Make books and records available to HHS
• Incorporate PHI updates received from patients
• Flow contract obligations down to subcontractors
HIPAA Security Rule
• The Security Rule requires covered entities to adopt (for “required” specifications) or consider adopting (for “addressable” specifications) a laundry list of administrative, technical, and physical safeguards for protecting patient information.
• The rule generally takes a technology-neutral and flexible approach.
• Covered entities are required to adopt various security policies.
International Privacy Landscape
• Many countries have much broader protections for individual privacy
• EU Data Protection Directive provides comprehensive regulation for
use of personal information. In January 2012, detailed revisions
proposed to make the law more uniform across the EU, and
increases protections and possible penalties
• US companies seeking to transfer personal information from EU to
US must follow a safe harbor certification/filing approach or other
rules to comply with EU regulations
• EU also has a Privacy and Electronic Communications Directive that
regulates the use of cookies
• Note: under French and German data privacy laws, personal social
networks cannot be searched for employment decisions
What can organizations do now to
manage privacy/security risk?
• Implement and maintain an Information Security program
• Perform security audit
• Perform due diligence and add privacy/security contract
provisions for key vendors and other business partners
• Consider cyber insurance
Information Security Program
• Required by:
• The records disposal portion of North Carolina’s ITPA
• The HIPAA Security Rule
• Massachusetts and other state laws
• Extremely helpful for:
• Handling the security breach and SSN portions of the ITPA
• Dealing with FTC-style enforcement
• Assuring compliance with required privacy notices (e.g., the California requirement)
• Protecting intellectual property
• Satisfying officer and director fiduciary obligations
• Complying with contracts
• Increasing the value of the company to buyers
• Dealing with subpoenas and related requests for electronic information in discovery
Process for implementing an Info
Security Program
• Not just an IT issue, need input from management, legal,
and risk advisors. Rapidly becoming a corporate
governance issue.
• Laws and regulations focus more on the process rather
than specific results
• Don’t just use a form policy from the internet, but tailor to
the specific issues and risks faced by the organization
• Perform an initial security review and gap analysis
• Update on a regular basis, at least annually
Information Security Program
• Written Policy
• Purpose of Policy
• Types/Levels of Confidential Information
• Training
• Sanctions
• Privacy/Security Officer
• Notification of no expectation of privacy in use of company assets
• Publicity; Dealing with News Media
• Incident Response Procedures
• Physical Security Measures
Information Security Program
• IDs and Passwords
• Password guidelines – strong vs. weak passwords
• Mandatory password changes
• Access Controls and Network Resources
• Firewalls
• Authentication
• Use of networks
• Wireless network usage
• Remote access policy
• Use of Encryption
• Electronic Communications
• Destruction of Computing Resources and Information
• Virus Prevention and Detection
Information Security Program
• Social Media Policy
• Software Use and Licensing Policy
• Mobile Computing Policy (laptops, PDAs, USB keys, etc.)
• System Modification Procedures
• Record Retention Schedules
• Litigation and Subpoena Issues
• Disaster Recovery
Summary of Key Security Measures
• Adopt defense in depth – keep externally facing systems in a “DMZ”, segregated from the internal network
• Manage passwords aggressively
• Apply all operating system and security software patches
• Train staff to recognize social engineering
• Audit controls, especially remote access points
Types of Contracts to Consider for
Privacy Issues
• Software and IT service vendors, including cloud computing
• Software as a Service (Salesforce)
• Infrastructure as a Service (Amazon EC2)
• Marketing and distribution partners
• Side note: Who owns the data?
• Order fulfillment vendors
• Records disposal vendor contracts
• Any other contract where the other party will have rights to access,
use or store your personally identifiable data
• Consider standalone information security agreement
• Rather than trying to figure out how to amend the other party’s
form of service contract
Security and Privacy Contract Terms
• Confidentiality
• Obligation to maintain reasonable and effective physical,
technical and administrative security measures
• Compliance with all applicable data privacy and security
laws
• Third-Party security audits
• Right to review detailed security/disaster recovery policies
Security and Privacy Contract Terms
• Right to audit and test security
• Notification in the case of breach
• Indemnification for breaches/payment of costs of required
notices to customers
• Encryption
• Restrictions on use of subcontractors and downstream
sharing of information
• Restrictions on where data can be stored
CyberInsurance
• Review existing insurance for coverage of data breaches and
electronic privacy issues, and consider adding cyberinsurance
policies
• Sony for example is in litigation with Zurich American Insurance re:
coverage for recent security breaches
• SEC has issued guidance requiring disclosure of material cyber
attacks including a description of relevant insurance coverage
• Look for (or add) coverage for lost business, notification costs, legal
and investigation costs, and credit monitoring services
Cloud Computing v. Traditional I.T. Structures
[Graphic comparing cloud computing with traditional I.T. structures, courtesy of Hosted Solutions]
Cloud Computing Services
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Cloud Computing Contract
Structures
• Typically service-based, not licensed
• OPEX, not CAPEX
• Often offered via “click and accept” agreements
• Sometimes incorporate by reference other terms
of use and policies
• Sometimes purport to be changeable without
notice by the vendor
Cloud Computing and Security
• Disadvantages:
• Lack of transparency
• Lack of responsiveness
• “Trading market” of subcontractors
• Vendor lock-in
• Lack of security details
• Advantages:
• Data dispersal
• Data fragmentation
• “Tier 1” data centers
• Multiple customer demands
• Easier patching and updates
Key Takeaways
• Increased regulatory and legal scrutiny of personal
information handling is unavoidable
• Companies (especially IT vendors and outsourcers) should
review the laws applicable to their situation, and update
security practices, policies and procedures as needed
• When dealing with cloud computing vendors and other
business partners, perform appropriate due diligence and
consider contract negotiations
• Review insurance policies and possibility for additional
insurance
Randy Whitmeyer
Whitmeyer Tuffin PLLC
919-880-6880
Any questions?