Negotiating Payment Processing Agreements: A How-To Guide


Credit cards are the primary form of payment received by most retailers. In order to process a credit card a retailer must enter into an agreement with a bank and a payment processor. Payment processing agreements often have significant impacts on a retailer’s financial liability in the event of a data breach. In many cases, the contractual liabilities that flow from a payment processing agreement surpass all other financial liabilities that arise from a data breach including the cost to investigate an incident, defend litigation, and defend a regulatory investigation. The following provides a snapshot of information concerning payment processing agreements. …


Security Due Diligence In A Merger Or Acquisition: A How-To Guide


The FTC can hold an acquirer responsible for the bad data security practices of a company that it acquires. Evaluating a potential target’s data security practices, however, can be daunting and complicated by the fact that many “data” issues arise months, or years, after a transaction has closed. For example, the FTC has investigated data security breaches and unlawful data collection practices that occurred years before the company was acquired, but were discovered months after a transaction closed. The following provides a snapshot of information concerning hacking. …


Privacy Due Diligence In A Merger Or Acquisition: A How-To Guide


The FTC can hold an acquirer responsible for the bad data privacy practices of a company that it acquires. Evaluating a target’s data privacy practices, however, can be daunting and complicated by the fact that many “data” issues are first identified months, or years, after a transaction has closed. For example, although it is relatively easy to read a potential target’s privacy policies it is far more difficult to verify that the policy is accurate or complete. The following provides a snapshot of information concerning privacy violation penalties. …


Credit Cards and the Payment Card Industry Data Security Standard


For most retailers the primary source of revenue comes from credit card transactions. In order to accept credit cards, a retailer must enter into a contractual agreement with a payment processor and a merchant bank. As discussed in previous sections, those agreements typically require that the retailer represent and warrant its compliance with the Payment Card Industry Data Security Standard (“PCI DSS”). Alternatively, they require a representation and warranty that the retailer complies with the rules of the payment card brands (i.e., American Express, Discover, MasterCard, and Visa), and some of the payment brand rules could be interpreted as requiring that a retailer be compliant with the PCI DSS. …


Passing Data Between Retailers To Facilitate Transactions: A How-To Guide


Online retailers often learn information about a consumer that may be used by them to help identify other products, services, or companies that may be of interest to the consumer. For example, if a person purchases an airplane ticket to Washington DC, the person may want information about hotels, popular restaurants, or amenities at the airport. …


Class Action Litigation Trends: A How-To Guide


There is a great deal of misunderstanding concerning data security breach-related class actions. In large part the media and the legal media have exaggerated the quantity (and success) of class action litigation. …


Fingerprint Identification Technology: A How-To Guide


Fingerprint identification technology uses fingerprints to uniquely identify individuals. The technology has been used by law enforcement agencies for decades, and dozens of statutes regulate when government agencies may collect fingerprints, how they are permitted to use them, and with whom they can be shared. Advances in fingerprint recognition software have led some private entities to begin using the technology to authenticate consumers. For example, some mobile devices have integrated fingerprint recognition technology to replace, or supplement, passwords or pass codes. Some employers are also using fingerprint recognition technology to increase the accuracy and efficiency of employee timekeeping systems. …


Cybersecurity Disclosures: A How-To Guide


In October of 2011, the U.S. Securities and Exchange Commission (“SEC”) issued guidance regarding a public company’s obligations to disclose cybersecurity risks and cyber incidents (the “Cybersecurity Disclosure Guidance”).1 The Cybersecurity Disclosure Guidance applies to all SEC registrants and relates to disclosures under the Securities Act of 1933 and the Securities Exchange Act of 1934. …


Facial Recognition Technology: A How-To Guide


Facial recognition technology uses algorithms that map facial features – such as the distance between a person’s eyes, or the width of a person’s nose – and compares those features to a database of known individuals. Organizations may use the technology for security (e.g., cameras that “ID” employees or criminals), marketing to consumers (e.g., cameras that “ID” particular customers), or designing products that quickly categorize digital media (e.g., photograph sorting). …


Data Breach Notification Laws: A How-To Guide


Although Congress has attempted to agree on federal data breach notification legislation, there is no national data breach notification law that applies to most companies. Instead, 48 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving personal information. The only states without such laws are Alabama and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …


Is Your Company’s Crisis Communications Plan Prepared for Cybersecurity Incidents?

A well-written and consistently updated crisis communication plan ensures that a company has the infrastructure in place to respond to a range of natural or man-made crises. While many companies have a crisis communication plan in place, not all plans are equipped to handle cybersecurity-related incidents. Below are six key elements to ensure that your crisis communication plan is prepared to effectively handle cybersecurity incidents.

  1. The plan is comprehensible, short, and flexible.

One of the most common mistakes that a company can make when creating a crisis communication plan is attempting to cover every “what if” situation and making the document too complicated for an employee to comprehend. Especially during times of crisis, making a plan overly complex can paralyze the employee in charge and cause additional confusion. In certain circumstances, this lack of action or unnecessary delay can make a company susceptible to allegations of misconduct or negligence.

  2. One individual should be designated as the spokesperson.

One individual should be designated as the primary spokesperson to represent the company and answer media questions throughout the crisis. Allowing one individual to be designated as a spokesperson ensures the company is able to control its message and prevents the public and its employees from receiving information that may be untrue or potentially misleading. In addition, a company’s employees should be instructed to refrain from making any comments until directed by the company. In order to prevent rumors from spreading, the company may want to consider creating an FAQ of pre-approved questions and answers once detailed information about the breach has been gathered. This could be used on a public website, or to respond to media or consumer inquiries about the cybersecurity incident.

  3. A legal representative should be involved in the crisis communication process.

A company’s in-house counsel or outside counsel should be involved in the crisis communication process by discussing, reviewing, and approving all external messages. Obtaining feedback from counsel reduces the risk that confidential attorney-client information is inadvertently released, or that misleading statements are inadvertently made about the incident. Releasing confidential information and providing false or misleading statements may damage the company’s chances of prevailing in potential litigation, and injure the company’s reputation.

  4. The plan provides proper and clear guidance to the public.

Many crisis communication plans take an obligatory, proactive approach to notifying the public with a statement like the following: “The company is aware of the crisis and is responding rapidly and responsibly.” While this approach may be appropriate for an earthquake or an active shooter, it may not be the right approach for a cybersecurity incident. Unlike crisis situations where the details of an event are usually known and then released in a matter of hours, data security incidents are often extremely complex and accurate information about a breach may not be known for days or even weeks.

Furthermore, a company may not want to issue a public statement prior to understanding whether a breach actually occurred or the magnitude of the breach. A premature public statement about an incident that turns out to be false can have serious ramifications for the company’s data subjects. These data subjects may be subjected to unnecessary worry, cost, and inconvenience, or attempt to mitigate a harm that may never materialize or exist.

  5. The plan does not conflict with other corporate plans or policies.

A company’s communication plan for a cybersecurity event is typically used in conjunction with an incident response plan. The crisis communication plan must be reviewed and vetted against the company’s incident response plan and with consideration for other policies to ensure that there are no conflicts between policies. Any discrepancies or conflicts between these policies may create delay, confusion, or inaction, and could have serious legal and economic ramifications for both the company and the individuals impacted by the security incident. Discrepancies and conflicts between various plans may also make a company susceptible to allegations of misconduct.

  6. The plan is tested on a yearly basis.

An incident response plan should be tested on a yearly basis. During the annual test, it is important not to neglect a company’s crisis communication plan. Conducting a walkthrough or tabletop exercise will allow a company to address any performance issues or policy gaps that may arise during the testing process. Testing the policy also allows company counsel to effectively train employees on how to handle a real crisis.

Collecting Information From Children: A How-To Guide


There are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information, post a specific form of privacy policy that complies with the statute, safeguard the information that is received from a child, and give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as on-line games or sweepstakes. …


Reputation Management: A How-To Guide


The reputational injury following a data breach can be severe. Indeed, reputational injury – including lost customers – often surpasses legal liability. Effective management of the reputational impact of a data security incident requires a proactive and reactive strategy. The proactive strategy assumes that the organization will control when, and what, information will be conveyed to the public, media, and impacted consumers. For many organizations the proactive strategy that they choose is to wait until their investigation of an incident is complete so that they can provide the public with the most accurate and meaningful information. …


Email Marketing In Canada (CASL): A How-To Guide


On July 1, 2014, the central provisions of the Canadian Anti-Spam Law (“CASL”) came into force.1 These provisions generally prohibit the sending of a Commercial Electronic Message (“CEM”) without a recipient’s express consent, and unless the CEM contains certain sender identification information and an effective unsubscribe mechanism. CASL provides a number of nuanced exceptions to the express consent requirements of the law. The primary enforcement agency of CASL is the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC has several compliance tools to enforce CASL, including the issuance of Administrative Monetary Penalties (AMPs) against individuals and organizations that have violated CASL’s provisions. …


Email Marketing: A How-To Guide


Email is ubiquitous in modern life with billions of emails – wanted and unwanted – sent each day. Since its enactment in 2003, the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act has attempted to curb the number of unwanted emails and impose some rules on a largely unregulated frontier. When followed, CAN-SPAM Act’s restrictions give email recipients some control over their inboxes and also maintain fairness in how emails present themselves. Failure to follow the CAN-SPAM Act can lead to penalties of up to $16,000 per violation. …


Outsourcing your organization’s DPO duties? Consider this

The General Data Protection Regulation will come into effect on May 25, 2018, and will provide a modernized compliance framework for data protection. Because of the extraterritorial reach, entities that operate in the U.S. should take note and consider complying with the regulation. While having a data protection officer, as mandated under the GDPR, is not a new concept and is required for entities operating in countries such as Singapore and Germany, the extraterritorial scope of GDPR greatly broadens the number of companies that may need to hire one. Article 37(1) of GDPR requires the designation of a DPO in the following circumstances: where the processing is carried out by a public authority or body; where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions or offenses.

Due to the extraterritorial scope of GDPR, many companies will be required to spend money on either an internal DPO or a third-party entity such as a law or IT firm to act as their external DPO. According to one study by the IAPP, more than 28,000 new DPOs need to be hired by 2018, and that’s just in the EU and U.S. Applied globally, the IAPP found that number looks more like 75,000. With the shortage of individuals trained to handle DPO responsibilities, it is likely that many entities will look to hire an external third-party DPO. Before hiring an external DPO, entities should consider the following issues:

Can the DPO be adequately involved with an entity’s data privacy program and do the costs justify hiring an external DPO?

Contrary to common belief, a DPO’s duties do not solely involve responding to breach situations and cooperating with supervisory authorities. In addition, the GDPR states that a DPO’s duties are broad and include tasks such as: monitoring an entity’s compliance with GDPR; providing advice when conducting data protection impact assessments; informing the entity and its employees of data protection obligations; and cooperating with various supervisory authorities. The Article 29 Working Party’s guidance on DPOs provides further clarification that a DPO should be invited to participate regularly in meetings with senior and middle management and also should be easily accessible within the organization.

Traditionally, law firms and IT consulting firms either charge by the hour or have a fixed budget (or semi-fixed budget) to provide their services. It is important to consider that certain responsibilities, such as attending meetings and monitoring an entity’s compliance with GDPR, may be extremely time consuming and expensive on a per-hour basis. Certain service providers have created a fixed-fee arrangement that may provide cost savings, but at the risk of sacrificing quality by putting less qualified and experienced individuals on certain DPO related duties. In a fixed fee or semi-fixed fee arrangement, an entity should consider the included services along with the experience of the individuals that will be performing those services.

Can the service provider act independently in performing its DPO duties?

According to GDPR Article 38(3) and Article 29 Working Party’s guidance on DPOs, a DPO must perform its duties and tasks in an independent manner. In other words, the DPO must not be instructed on how to deal with a matter and cannot be instructed to take a certain stance related to a data privacy issue. However, for many third party providers, this could be a potential issue, especially if the service provider has many engagements with the entity in question. If an entity has a close prior relationship with the service provider, the line may be easily blurred and may lead to instances where the service provider may be asked or may feel pressure to take a stance in a certain manner.

Does the DPO have other privacy, data security, or IT related engagements with the entity that could potentially create a conflict of interest?

According to GDPR Article 38(6) and the Article 29 Working Party’s guidance on DPOs, a DPO is allowed to fulfill other tasks and duties. However, it requires that those tasks and duties do not result in a conflict of interest with its DPO duties. For many service providers, this can be an issue, especially if a service provider has worked with the entity’s management in designing an entity’s privacy program or assisted an entity in interpreting privacy rules and regulations. Service providers may be compelled or feel uncomfortable in making determinations that are contrary to the advice that the service provider provided in a previous engagement. In order to prevent issues of independence, U.S. publicly traded companies often use a different audit firm for Sarbanes-Oxley corporate internal controls issues, as compared to general audit services. Other conflicts to consider include hiring the same external DPO as an entity’s Qualified Security Assessor under the Payment Card Industry Rules, or hiring the same DPO as an entity’s security information and event management (SIEM) firm.

Below is a list of questions and issues to consider prior to hiring an external DPO:

  • Do you envision the external DPO being extremely hands on?
  • What kind of fee engagement is the external DPO offering?
  • If the fee engagement is fixed: Are the included services adequate for your organization? Are the individuals handling DPO duties qualified?
  • If the fee engagement is on a per hour basis: Are the rates reasonable given the experience of the individuals performing DPO duties? Are there available discounts for a prepayment of expenses? What kind of duties do you envision the DPO handling?
  • Does the DPO represent other entities in your sector?
  • Does your entity have a close relationship with the external DPO that may cause independence issues?
  • Has the external DPO engaged in any privacy or data security work for your entity in the past? Could that work cause a conflict of interest?


This article first appeared in The Privacy Advisor.

Credit Monitoring Services: A How-To Guide


Organizations are not, generally, required to offer services to consumers whose information was involved in a breach.1 Nonetheless, many organizations choose to offer credit reports (i.e., a list of the open credit accounts associated with a consumer), credit monitoring (i.e., monitoring a consumer’s credit report for suspicious activity), identity restoration services (i.e., helping a consumer restore their credit or close fraudulently opened accounts), and/or identity theft insurance (i.e., defending a consumer if a creditor attempts to collect upon a fraudulently opened account and reimbursing a consumer for any lost funds). In addition, if you do offer one of these services, a 2014 California statute and a 2015 Connecticut law prohibit you from charging the consumer for them. …


Are Radio Waves Coming From My Wallet? The Privacy and Security Issues Involved With RFID Technology


Radio Frequency Identification (“RFID”) technology uses electromagnetic fields to transfer data. RFID systems typically operate by attaching tags to objects, devices, or cards. Some tags can be powered by a local power source, such as a battery (“active RFID”). Their local power source permits them to transmit a signal that may be registered hundreds of meters from an RFID reader. Other tags do not have a local power source and are instead powered by electromagnetic induction from the magnetic fields that are produced by an RFID reading device in close proximity (“passive RFID”). …


Selecting a Forensic Investigator: A How-To Guide

Many competent IT departments lack the expertise, hardware, or software to preserve evidence in a forensically sound manner and to thoroughly investigate a security incident. In-house counsel needs to be able to recognize such a deficiency quickly – and before evidence is lost or inadvertently destroyed – and retain external resources to help collect and preserve electronic evidence and investigate the incident. …


It’s Time to Take Data Privacy Seriously in Singapore


In the past decade, there has been an explosion of new data privacy laws in Asia. However, at the same time, there has been a lack of enforcement of those laws. While certain countries like Malaysia have not actively been enforcing their privacy laws, recently, a number of countries like Singapore have substantially increased enforcement of their data privacy laws.

Even though the city-state of Singapore is only 720 square kilometers in size, it plays an integral role in the world economy. Singapore, along with Hong Kong, has often been called the “business nexus of the East.” In fact, a recent study conducted by Towers Watson states that Singapore is home to roughly 41 percent of the Asia Pacific headquarters for Fortune 500 companies (compared to 34 percent for Hong Kong and 16 percent for Mainland China).[1]

In 2012, Singapore passed the Personal Data Protection Act (PDPA), which established a general data protection law in Singapore. Among other things, the PDPA governs the collection, use, disclosure, and protection of individuals’ personal data by organizations. The main enforcement agency in charge of enforcing the PDPA is the Personal Data Protection Commission (PDPC). The PDPA provides the PDPC powers to: (1) investigate organizations’ data protection practices, (2) obligate organizations to cease activities which are in violation of PDPA, (3) obligate organizations to destroy personal data collected in contravention of PDPA, (4) obligate organizations to comply with any other orders by PDPC, and (5) obligate organizations to pay a fine which may not exceed US$ 1 million.[2]

PDPA guidance on enforcement actions

On April 21, 2016, the PDPC revised the Advisory Guidelines on the Enforcement of the Personal Data Protection Act (Enforcement Guidelines).[3] While the Enforcement Guidelines are not legally binding, they provide guidance on how the PDPC decides which organizations to target for an investigation and what fines it will seek.

The Enforcement Guidelines state that the PDPC may commence an investigation into any organization where the PDPC considers that an investigation is warranted based on the information it has obtained (whether from a complaint or otherwise).[4] Among other things, the PDPC looks at the following factors to decide whether to investigate and/or whether financial penalties may be assessed: whether the organization may have failed to comply with the PDPA, whether the organization has systematically failed to comply with the PDPA, and the potential harm and severity of the misconduct.[5]

Enforcement actions

In the past, the PDPC published enforcement actions related to “do-not-call” rules, which are a set of regulations loosely similar to the US Do-Not-Call rules. However, only recently has Singapore actively enforced and provided guidance on how the PDPC will approach enforcement of other parts of the PDPA.

First shots fired

On April 21, 2016, Singapore’s PDPC published its first set of 11 enforcement actions.[6] The organizations involved in the 11 enforcement actions range from small businesses to multinationals such as China’s Xiaomi subsidiary. Of the 11 enforcement actions, four organizations were fined for violations of the PDPA and six other organizations were issued warnings.[7] A majority of the first set, eight out of 11 enforcement actions, were based on a breach of Section 24 of the PDPA for failing to implement proper and adequate protective measures, which resulted in the unauthorized disclosure of personal data.[8] Section 24 of the PDPA provides that an organization shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.[9]

The largest fine assessed by the PDPC was against K-Box Entertainment Group Pte Ltd for S$50,000.[10] In 2014, it was published that over 300,000 K-Box members’ information had been leaked and uploaded online.[11] The breach impacted the following types of data: names, contact numbers, and residential addresses.[12] K-Box was found by the PDPC to have failed to put into place adequate security measures to protect personal data in its possession.[13] Among other things, K-Box allegedly failed to enforce a password policy, provide reasonable controls over unused accounts, utilize new versions of software, or conduct security audits.[14]

The PDPC also assessed a fine to Finantech Holding, K-Box’s IT service provider. Finantech was in charge of developing, hosting, and managing K-Box’s Content Management System (CMS).[15] As a data intermediary, Finantech allegedly did not implement adequate data security measures for the CMS, such as by patching security vulnerabilities or using a complex password for an administrative account.[16]

Continued enforcement of data privacy laws

Since April 21, 2016, Singapore has increased its rate of enforcement actions. The PDPC released details of 11 more enforcement actions.[17] Of the 11 new enforcement actions, seven companies received fines ranging from S$500 to S$25,000, and four companies received warnings.[18] Similar to the first set of enforcement actions released on April 21, the majority (eight out of 11) relate to a breach of Section 24 of the PDPA for allegedly failing to implement proper and adequate protection measures.

Among the most recent enforcement actions, the PDPC fined Toh-Shi Printing (Toh-Shi) on two separate occasions for failing to implement proper and adequate protection measures.[19] In both instances, Toh-Shi was a service provider in charge of printing and sending paper notices on behalf of consumers.[20] In both cases, Toh-Shi accidentally sent sensitive financial information to the wrong customers.[21] The PDPC fined Toh-Shi for allegedly failing to provide adequate quality control and employee training.[22] The Toh-Shi cases suggest that enforcement of Section 24 of the PDPA is not limited to just IT security related measures, but includes non-technical measures of quality control and employee training.

Perhaps the most interesting aspect of the Toh-Shi enforcement actions is that the two different companies that hired Toh-Shi as a service provider were not fined or found in violation of Section 24 of the PDPA.[23] This contrasts with the K-Box enforcement action. Even though Finantech managed part of K-Box’s IT operations, K-Box was still fined for a breach of the PDPA.[24]

The K-Box enforcement action differs from the Toh-Shi enforcement action in two distinct ways. First, while Finantech was responsible for handling some of K-Box’s IT operations, it did not manage all of K-Box’s IT operations.[25] K-Box still maintained some IT related responsibilities, and the failures of those responsibilities contributed to the breach of over 300,000 customer records.[26] Under the Toh-Shi enforcement actions, Toh-Shi’s customer outsourced all parts of the printing operation, from the initial printing to the mailing of financial records.[27] This suggests that there may be less privacy risk with respect to enforcement actions if organizations use service providers to complete all aspects of a process. Second, unlike K-Box, which did not have any data protection provisions in its contract with Finantech, Toh-Shi’s customers contractually required Toh-Shi to put into place adequate security policies, procedures and controls.[28] In other words, the PDPC’s actions suggest that the PDPC believes imposing contractual requirements on a vendor may discharge a company’s obligations to take “reasonable and appropriate” steps to secure information.

The Toh-Shi enforcement actions also show how a systematic and continuous disregard to adequate security measures may increase the magnitude of a company’s fines.[29] The systematic and continuous disregard for security measures likely resulted in an increase in Toh-Shi’s second fine, from S$5,000 to S$25,000.

While the size of the fines levied by the PDPC for non-compliance with the PDPA has been relatively modest as compared to million dollar fines issued by EU countries or the United States, the real cost of an investigation by the PDPC comes in the form of highly negative publicity and the expenditure of legal fees and human capital related to defending an investigation by the PDPC.

Future considerations

As Singapore’s PDPC gains more experience and refines its interpretation of the PDPA, we expect to see more enforcement actions in Singapore. According to Singapore’s government directory, there are 18 individuals who work in the Personal Data Protection Commission.[30] Of those 18 employees, roughly a third of the employees have been employed at the PDPC for less than 18 months.[31] Unfortunately, a detailed breakdown of headcount is not available from the Singapore government, but we speculate that as these new employees become more experienced and fully integrated with the PDPC, more enforcement actions will likely occur.

We understand that the PDPC is actively working with entities in Singapore by putting together data protection and security related training and educational sessions. However, the current list of enforcement actions shows that Singapore is also serious about its enforcement of the PDPA. Of the 22 enforcement actions, a sizeable majority involved companies that may be deemed small or mid-sized. We speculate that this may be because the PDPC is still a relatively new government organization and may want to pick relatively easy targets that either have egregious security practices or lack the resources to challenge the PDPC in court. The PDPC may also be following the old Chinese idiom 杀鸡儆猴 (kill the weak to scare the strong). Fining relatively small companies with egregious security practices may be a way for the PDPC to show the general public that it is serious about enforcing the PDPA, and it allows the PDPC to make an example of a few small companies in order to deter larger companies that may not be taking data protection seriously. As the PDPC becomes more experienced, we expect that larger organizations may be targeted and higher fines may be assessed.

Lastly, since data breaches are now high-profile events that often attract rapid and widespread media attention, we expect Singapore to focus heavily on Section 24 of the PDPA, which requires proper and adequate protective measures for personal data. 16 of the 22 enforcement actions involved a failure by entities to maintain proper and adequate protective measures for personal data.[32]

Considerations for entities operating in Singapore

Recent enforcement actions have shown a propensity for the PDPC to focus heavily on the implementation of proper and adequate protective measures for personal data. The PDPC recently released the Advisory Guidelines on Key Concepts in the Personal Data Protection Act (Guidelines).[33] Similar to the “I know it when I see it” standard for obscenity in the United States, the Guidelines do not provide a definitive list of what an organization must do in order to comply with Section 24 of the PDPA. Instead, the Guidelines state that there is no one-size-fits-all solution for data security; rather, security obligations depend on the nature of the information, the form of the information, and the possible impact of unauthorized disclosure of the information.[34] Among other things, we recommend companies consider the following measures:

  1. Conduct a privacy and security assessment of policies and procedures. Conducting a data privacy and security assessment allows an organization to review current policies to determine whether (a) the policies and procedures need to be updated and (b) the company actually follows the stated policies and procedures. It is also important to remember that going through the motions of a security assessment is not enough. For example, the PDPC issued a warning to Metro Pte Ltd for not addressing SQL injection vulnerabilities that had been discovered in earlier IT security audits.[35] To effectively lower risk, an organization needs to remediate the issues found through security assessments and audits. To obtain an unbiased and candid opinion of its security measures, an organization should consider using a third-party vendor.

Organizations should consider, at a minimum, implementing or acquiring the following policies and procedures:

  • Incident response plan.
  • Mobile IT policy.
  • Record retention policy.
  • Password management policy.
  • User access and management policy.
  • IT vendor management process.
  2. Conduct an internal data inventory. Knowing the type of data collected and held allows an organization to review the sensitivity of the data and determine whether current security measures are appropriate and reasonable.

Organizations should consider the following when conducting a data inventory:

  • The types of data collected.
  • Where the data is physically housed (e.g., the building or location).
  • Where the data is logically housed (e.g., the electronic location within a server).
  • Whether encryption is applied to the data in transit (i.e., when it is moving). If it is, what encryption standard is being used?[36]
  • Whether encryption is applied to the data at rest (i.e., when it is being stored). If it is, what encryption standard is being used?[37]
  • The custodian of the data (i.e., who is responsible for it).
  • Who has access within the organization to the data.
  • Who has access outside of the organization to the data.
  • Whether the data crosses national boundaries.
  • The retention schedule (if any) applied to the data.[38]
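As an added example that is not part of the original article or any PDPC material, the following Python script reviews a constructed data inventory against the items listed above, flagging missing or inadequate encryption in transit and at rest (MD5 is treated as inadequate, following footnote 36), unassigned custodians, outside access, cross-border transfers and missing retention schedules. The record fields, severity labels and sample records are assumptions made for illustration.

```python
# Review a data inventory against the checklist above. Added example, not code
# from the original article or the PDPC; the record fields, severity labels and
# the sample inventory are constructed here for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Standards treated as inadequate when they are the only protection applied.
# "md5" is included because the article's footnote 36 notes the PDPC cautioned
# against relying solely on MD5 for passwords; the others are long deprecated.
WEAK_OR_MISSING = {"", "none", "md5", "sha1", "des", "rc4"}

# Data types that raise the severity of an encryption finding (constructed).
SENSITIVE_TYPES = {"nric", "password", "credit card", "bank account", "health"}

Finding = Tuple[str, str]  # (severity, description)


@dataclass
class DataAsset:
    """One inventory row, mirroring the checklist items in the text."""
    name: str
    data_types: List[str]            # the types of data collected
    physical_location: str           # building or site
    logical_location: str            # server, database, share, ...
    encryption_in_transit: str       # standard used, or "" if none
    encryption_at_rest: str          # standard used, or "" if none
    custodian: str                   # person responsible, or "" if unassigned
    internal_access: List[str] = field(default_factory=list)
    external_access: List[str] = field(default_factory=list)  # vendors etc.
    crosses_borders: bool = False
    retention_schedule: str = ""     # "" if no schedule applies


def is_sensitive(asset: DataAsset) -> bool:
    return any(t.strip().lower() in SENSITIVE_TYPES for t in asset.data_types)


def review_asset(asset: DataAsset) -> List[Finding]:
    """Return the findings for one asset; an empty list means nothing flagged."""
    findings: List[Finding] = []
    sensitive = is_sensitive(asset)
    # Encryption in transit and at rest are judged by the same rule.
    for stage, standard in (("in transit", asset.encryption_in_transit),
                            ("at rest", asset.encryption_at_rest)):
        if standard.strip().lower() in WEAK_OR_MISSING:
            shown = standard.strip() or "none"
            findings.append(("high" if sensitive else "medium",
                             f"encryption {stage} is inadequate ({shown})"))
    if not asset.custodian.strip():
        findings.append(("high", "no custodian assigned"))
    if asset.external_access:
        # Outside access is not a defect in itself, but each party should be
        # covered by a contract carrying data protection provisions.
        findings.append(("review", "external access by "
                         + ", ".join(asset.external_access)
                         + "; confirm contractual data protection provisions"))
    if asset.crosses_borders:
        findings.append(("review", "data crosses national boundaries; "
                                   "confirm the basis for the transfer"))
    if not asset.retention_schedule.strip():
        findings.append(("medium", "no retention schedule applied"))
    return findings


def review_inventory(assets: List[DataAsset]) -> Dict[str, List[Finding]]:
    """Review every asset; findings are keyed by asset name."""
    return {asset.name: review_asset(asset) for asset in assets}


def highest_severity(findings: List[Finding]) -> str:
    """Worst severity among the findings, so assets can be ranked for follow-up."""
    order = {"high": 3, "medium": 2, "review": 1}
    return max((s for s, _ in findings), key=lambda s: order[s], default="clear")


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    DataAsset(name="member-portal-db",
              data_types=["name", "email", "NRIC", "password"],
              physical_location="HQ server room", logical_location="db01/members",
              encryption_in_transit="TLS 1.2",
              encryption_at_rest="MD5",        # hash only; flagged as inadequate
              custodian="",                    # nobody assigned
              internal_access=["app-team", "dba"], external_access=["print-vendor"],
              crosses_borders=True),
    DataAsset(name="marketing-list", data_types=["email"],
              physical_location="cloud region", logical_location="crm/contacts",
              encryption_in_transit="TLS 1.2", encryption_at_rest="AES-256",
              custodian="Marketing lead",
              retention_schedule="24 months after last contact"),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {highest_severity(findings)}")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```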
  3. Review IT service provider contracts for adequate data protection provisions. The Toh-Shi enforcement actions suggest that one way an organization can protect itself against a possible enforcement action is to include adequate data protection measures in service provider contracts.

Consider adding the following provisions:

  • Limitations to the use of personal data.
  • Breach notification requirements.
  • Representations, warranties and covenants relating to data privacy and security.
  • Indemnification obligations.
  • Compliance with applicable data protection laws.
  • Data transfer limitations.
  • Audit or monitoring rights.
  • List of specific IT technical safeguards (e.g., encryption standard, access control).
  • Data maintenance/deletion obligations.
  4. Request that IT service providers complete a security questionnaire. Taking the proactive approach of requiring a service provider to complete a security questionnaire may spare an organization the headache of selecting a service provider that does not have adequate security procedures and hence lowers the risk of a potential data breach.

When drafting a security questionnaire, consider the following:

  • Designated employee responsible for overseeing security program.
  • Procedures for appropriately destroying documents with sensitive information.
  • Encryption standards for mobile devices.
  • Encryption standards for transmitting sensitive information.
  • Employee training.
  • Data breach incident response.
  • Vendor management process.
  • Process for provisioning user access.
  • Process for de-provisioning user access.
  • Disciplinary measures for security violations.
  5. Conduct data security and privacy training for employees. Conducting data security and privacy training for employees may prevent potential security incidents. This preventive measure allows employees to detect issues earlier and may prevent more serious security incidents in the future.

For good reason, Singapore is one of the most popular places for multinational companies to establish their APAC headquarters. With a strong rule of law, Singapore takes enforcement of its laws seriously, and the PDPA is no exception. The increase in the number of PDPC enforcement actions shows the country’s intention to enforce the PDPA. While the fines levied by the PDPC for non-compliance with the PDPA have been relatively modest, their size does not reflect the time and reputational costs associated with a PDPC investigation. Entities that operate in Singapore would be wise to bring themselves into compliance with the PDPA and to pay attention to the PDPC’s actions and public statements.

[1] PricewaterhouseCoopers, The Preferred Asian HQ Location (January 28, 2015), available at http://www.pwc.com/sg/en/singapore-budget-2015/budget-2015-01.html.

[2] Personal Data Protection Act of 2012, Sections 28-30, https://www.pdpc.gov.sg/legislation-and-guidelines/legislation; http://statutes.agc.gov.sg/aol/search/display/view.w3p;ident=566a39d6-31e9-44fa-8bb7-2d5bf3c8389a;page=0;query=DocId%3Aea8b8b45-51b8-48cf-83bf-81d01478e50b%20Depth%3A0%20Status%3Ainforce;rec=0#pr28-he-.

[3] Personal Data Protection Commission, Advisory Guidelines on Enforcement of the Data Protection Provisions, (April 21, 2016), https://www.pdpc.gov.sg/docs/default-source/advisory-guidelines-on-enforcement/advisory-guidelines-on-enforcement-of-dp-provisions-(210416).pdf?sfvrsn=2.

[4] Id. at Section 2.

[5] Id. at Sections 15.3 and 25.

[6] Government of Singapore, PDPC Takes Action Against 11 Organizations for Breaching Data Protection Obligations (April 21, 2016), https://www.pdpc.gov.sg/docs/default-source/media/media-release-for-dp-enforcement-action-(25-apr-2016)(clean).pdf?sfvrsn=0.

[7] Id.

[8] Id.

[9] Section 24 of the PDPA.

[10] Decision of the Personal Data Protection Commission, K Box Entertainment Group PTE. LTD., Finantech Holdings PTE. LTD., [2016] SGPDPC 1, Section 44 (April 20, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—k-box-entertainment-(210416).pdf?sfvrsn=4.

[11] Id. at Section 2.

[12] Id. at Section 3.

[13] Id. at Section 30.

[14] Id. at Sections 26 to 29.

[15] Id. at Section 5.

[16] Id. at Section 39.

[17] See Personal Data Protection Commission list of Data Protection Enforcement Cases at https://www.pdpc.gov.sg/commissions-decisions (last accessed November 18, 2016).

[18] Id.

[19] See Decision of the Personal Data Protection Commission, Aviva Ltd. and Toh-Shi Printing Singapore Pte. Ltd., [2016] SGPDPC 15, (September 21, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision-aviva-ltd-and-toh-shi-printing-singapore-(210916).pdf?sfvrsn=0; Decision of the Personal Data Protection Commission, Central Depository (PTE) Limited and Toh-Shi Printing Singapore Pte. Ltd., [2016] SGPDPC 11, (July 21, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—toh-shi-(210716).pdf?sfvrsn=4.

[20] [2016] SGPDPC 15 at Section 4; [2016] SGPDPC 11 at Section 3.

[21] [2016] SGPDPC 15 at Section 8; [2016] SGPDPC 11 at Section 7.

[22] [2016] SGPDPC 15 at Section 34.

[23] [2016] SGPDPC 15 at Section 28; [2016] SGPDPC 11 at Section 18.

[24] [2016] SGPDPC 1, at Section 39.

[25] See generally, [2016] SGPDPC 1.

[26] Id. at Sections 9 to 12.

[27] [2016] SGPDPC 15 at Section 4; [2016] SGPDPC 11 at Section 3.

[28] See [2016] SGPDPC 1 at Section 12; see also [2016] SGPDPC 15 at Section 27 and [2016] SGPDPC 11 at Section 17.

[29] [2016] SGPDPC 15 at Section 38.

[30] See the Singapore Government Directory for a list of Personal Data Protection Commission employees, https://www.gov.sg/sgdi/ministries/mci/statutory-boards/imda/departments/pdpc (last accessed November 18, 2016).

[31] Of the 18 individuals listed on the Singapore Government Directory, we found 13 of the individuals on LinkedIn. The information was based on a review of their LinkedIn profiles on November 18, 2016.

[32] See Personal Data Protection Commission list of Data Protection Enforcement Cases at https://www.pdpc.gov.sg/commissions-decisions (last accessed November 18, 2016).

[33] Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (July 15, 2016), https://www.pdpc.gov.sg/docs/default-source/advisory-guidelines/advisory-guidelines-on-key-concepts-in-the-pdpa-(15july16).pdf?sfvrsn=2.

[34] Id. at Section 17.

[35] Decision of the Personal Data Protection Commission, Metro Pte Ltd., [2016] SGPDPC 7, (April 20, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—metro-(210416).pdf?sfvrsn=2.

[36] In a recent enforcement action, the PDPC cautioned against relying solely on the common MD5 hash function to protect passwords; see Decision of the Personal Data Protection Commission, Fei Fah Medical Manufacturing Pte Ltd., [2016] SGPDPC 3, (April 20, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—fei-fah-medical-manufacturing-(210416).pdf?sfvrsn=2.

[37] Id.

[38] Zetoony, David, Data Privacy and Security: A Practical Guide for In-House Counsel, pp. 2-3 (May 2016).

Knowing Where You Are, When You Are: Creepy or competitive? The privacy and security issues involved with geo-location tracking

Smartphones, smartphone apps, websites, and other connected devices (e.g., “wearables”) increasingly request that consumers provide their geo-location information. Geo-location information can refer to general information about a consumer’s location, such as his or her city, state, zip code, or precise information that pinpoints the consumer’s location to within a few feet, such as his or her GPS coordinates. …

Incident Response Plans: A How-To Guide

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. Furthermore, many organizations are required to maintain one. For example, any organization that accepts payment cards is most likely contractually required to adopt an incident response plan. …

Video Viewing Information: A How-To Guide

The Video Privacy Protection Act (“VPPA”) was passed in 1988 in reaction to a fear that people other than a consumer and a video rental store could collect information on a consumer’s video rental history. This was not an academic concern at the time. Immediately prior to the passage of the VPPA, Judge Robert Bork, who had been nominated to the Supreme Court, had his video rental history published by a newspaper that was investigating whether he was fit to hold office. …

Practical Data Security Takeaways from Australia’s Recent Privacy Determination

The Privacy Act of 1988 (Privacy Act), which includes the 13 Australian Privacy Principles (APPs), is Australia’s federal law regulating the collection, use, and disclosure of personal information. Recently, the Office of the Australian Information Commissioner (OAIC) has stepped up its enforcement of the Privacy Act. This article reviews OAIC’s recent privacy determinations and discusses practical data security related takeaways that can help companies ensure compliance. …

Wire Transfer Fraud: A How-To Guide

Businesses are increasingly falling victim to wire fraud scams – sometimes referred to as “man-in-the-email” or “business email compromise” scams. Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company’s vendor, and monitoring email traffic about an upcoming transaction. When it comes time to submit an invoice or a payment, the attacker impersonates one of the parties and sends wire instructions asking that payment be sent to the attacker’s bank account. …

Online Behavioral Advertising: A How-To Guide

Behavioral advertising refers to the use of information to predict the types of products or services of greatest interest to a particular consumer. Online behavioral advertising takes two forms. “First party” behavioral advertising refers to situations in which a company’s website uses information that it obtains when interacting with a visitor. “Third party” behavioral advertising refers to situations in which a company permits others to place tracking cookies on the computers of people who visit the company’s website, so that those individuals can be monitored across a behavioral advertising network. …

FDIC Cybersecurity Examinations: A How-To Guide

FDIC bank examinations generally include a focus on the IT systems of banks with a particular focus on information security. The federal banking agencies issued Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (“FFIEC”) to conduct IT examinations of service providers. …

Social Media Privacy Concerns: A How-To Guide

The majority of organizations utilize social media to market their products and services, interact with consumers, and manage their brand identity. Many mobile applications and websites even permit users to sign in with their social media accounts to purchase items or use the applications’ services.

While using third party social media websites has significant advantages for businesses, it also raises distinct privacy concerns. Specifically, the terms of use that apply to social media platforms may give the platform the right to share, use, or collect information concerning your business or your customers. To the extent that the social media platform’s privacy practices are not consistent with the practices of your own organization, they may contradict or violate the privacy notice that you provide to the public. …

Ransomware: A How-To Guide

Some forms of cyber extortion are automated and not targeted at any specific victim. For example, “ransomware” refers to a type of malware that prevents users from accessing their systems unless, and until, a ransom is paid. Although variants of ransomware operate differently many encrypt the contents of a victim’s hard drive using asymmetric encryption in which the decryption key is stored on the attacker’s server and is available only after payment of the ransom. Victims typically discover the ransomware when they receive an on-screen message instructing them to transfer funds using an electronic currency, such as bitcoin, in order to receive the decryption key and access to their files. “CryptoLocker” is the most famous ransomware family and first appeared in 2013. …

Employee Monitoring: A How-To Guide

Federal laws prohibit the interception of another’s electronic communications, but these same laws have multiple exceptions that generally allow employers to monitor employees’ email and internet use on employer-owned equipment or networks. As a result, under federal law, when private-sector employees use an organization’s telephone or computer system, monitoring their communications is broadly permissible, though there may be exceptions once the personal nature of a communication is determined. For example, under the National Labor Relations Act, employers cannot electronically spy on certain types of concerted activity by employees about the terms and conditions of employment. …

Cyber-Extortion: A How-To Guide

Cyber extortion refers to a situation in which a third party threatens that if an organization does not pay money, or take a certain action, the third party will take an adverse action against the organization. Among other things, threats may include exploiting a security vulnerability identified by the extorter, reporting the organization’s security vulnerability to the press, or reporting the organization’s security vulnerability to regulators. …

Data Breach Notification in the EU: A Comparison of US and Soon-To-Be EU Law

In the United States, Congress has repeatedly attempted, but failed, to agree on federal data breach notification legislation. As a result, there is no single federal statute that imposes a breach notification obligation on most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Bounty or Bug Programs: A How-To Guide

Data security officers typically look for security risks by monitoring reports from automated security systems, listening to employees’ reports of security issues, and/or auditing IT systems. There is a great deal of debate, however, about the merits of listening to the security concerns of people outside of an organization. On one end of the spectrum, some organizations refuse to discuss any aspect of their security with the public. On the other end of the spectrum, organizations proactively encourage the public to report security vulnerabilities by paying well-meaning hackers (usually called “white hat hackers” or “independent researchers”) to report problems. …

Tax Filing Fraud

Tax returns and W-2s are information rich documents that contain the name and Social Security Number of an employee, as well as information concerning their salary and address, and personal behavior and characteristics (e.g., the charities that they support, their sources of income, their investments, and their relationships with financial institutions). Each year cyber-attackers target these documents. If successful, an attacker may attempt to sell sensitive information contained in the file. Other attackers may attempt to use tax-related documents (e.g., an employee’s W-2) to submit a fraudulent income tax return in the hope of obtaining any refund owed to an employee. …

Employer Privacy Policies: A How-To Guide

In 2005 Michigan became the first state to pass a statute requiring employers to create an internal privacy policy that governs their ability to disclose some forms of highly sensitive information about their employees. Michigan’s Social Security Number Privacy Act expressly requires employers to create policies concerning the confidentiality of employees’ social security numbers (“SSN”) and to disseminate those policies to employees. New York adopted a similar statute. Several other states – Connecticut, Massachusetts, and Texas – have statutes mandating the establishment of privacy policies that could also apply in the employer-employee context. …

Cyber Insurance: A How-To Guide

Most organizations know they need insurance to cover risks to the organization’s property like fire or theft, or their risk of liability if someone is injured in the workplace. But, a substantial portion of organizations don’t carry coverage for data breaches despite numerous high profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal. The following provides a snapshot of information concerning cyber insurance. …

Incident Response Plans: A Comparison of US Law, EU Law and Soon-To-Be EU Law

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. In the United States, incident response plans are commonplace. Since 2005, the federal banking agencies have interpreted the Gramm-Leach-Bliley Act as requiring financial institutions to create procedures for handling data security incidents.1 Although there is no federal statute that requires the majority of other types of organizations to create an incident response plan, state data safeguards and data breach notification statutes provide incentives for many other organizations to craft response plans. …

Privacy Certifications and Trustbrands: A How-To Guide

Privacy certifications, or “trustbrands,” are seals licensed by third parties for organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization which has displayed the seal has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. …

Document Retention Periods: A How-To Guide

Data minimization can be a powerful – and seemingly simple – data security measure. The term refers to retaining the least amount of personal information necessary in order for an organization to function. Less information means that there is less that the organization needs to protect, and less opportunity for information to be lost or stolen. …

Data Protection Officers: A Comparison of US Law, EU Law, and Soon-to-be-EU Law

Although organizations in the United States have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure and, in some cases, one, or more, dedicated employees. While in some organizations “data privacy” and “data security” falls within the ambit of the legal department, other organizations have created offices that are focused solely on privacy issues. There is little commonality in how these offices are staffed, funded, or organized. For example, while some organizations have “Chief Privacy Officers” or “Chief Information Technology Officers” that report directly to senior management, other organizations have privacy officers that report through a General Counsel or to a Chief Compliance Officer. …

Mobile App Privacy Policies: A How-To Guide

Many of the most popular mobile apps collect personally identifiable information. Although most app developers are not required to display a privacy policy under federal law, they are contractually required to do so pursuant to the terms and conditions of the websites that market most major mobile device applications (e.g., the Apple Store, or Google Play). In addition, the California Attorney General has taken the position that applications that collect personal information are required to post a privacy policy pursuant to the CalOPPA discussed in the previous section. …

What Will The Proposed New York Cybersecurity Requirements For Financial Institutions Really Make Companies Do?

In early September 2016, the New York Department of Financial Services (“DFS”) proposed a set of data security regulations (the “Proposal”) that would govern financial institutions, banks, and insurance companies subject to the jurisdiction of the agency (“covered entities”). After receiving public comments, DFS revised and resubmitted the Proposal on December 28, 2016. If the Proposal ultimately goes into effect it would require that covered entities have a written information security policy (“WISP”) and outline specific provisions (substantive and procedural) that must be contained in that document. While the Proposal has garnered a great deal of public attention, the majority of the provisions in the latest version are not unique. …

Collecting Information From Children in the EU: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States there are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information from children under the age of 13, that a website post a specific form of privacy policy that complies with the statute, that a company safeguard the information that is received from a child, and that a company give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as on-line games or sweepstakes.

Social Security Number Privacy Policies: A How-To Guide

Social Security Numbers (“SSN”) were originally established by the Social Security Administration to track earnings and eligibility for Social Security benefits. Because a SSN is a unique personal identifier that rarely changes, federal agencies use SSN for purposes other than Social Security eligibility (e.g., taxes, food stamps, etc.). In 1974, Congress passed legislation requiring federal agencies that collect SSN to provide individuals with notice regarding whether the collection was mandatory and how the agency intended to use the SSN.1 Congress later barred agencies from disclosing SSN to third parties. Federal law does not, however, regulate private-sector use of SSN. …

Privacy Certifications and Trustbrands in the EU: A Comparison of US Law, EU Law, and Soon-to-be EU Law

In the United States, privacy certifications, or “trustbrands,” are seals licensed by organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. Certifications or trustbrands, however, are voluntary in nature, and, for the most part are not offered by government agencies and companies are not required to obtain them. …

Guidelines for De-Identification, Anonymization, and Pseudonymization

De-identification of data refers to the process used to prevent personal identifiers from being connected with information. The FTC indicated in its 2012 report Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers that the FTC’s privacy framework only applies to data that is “reasonably linkable” to a consumer.1 The report explains that “data is not ‘reasonably linkable’ to the extent that a company: (1) takes reasonable measures to ensure that the data is de-identified; (2) publicly commits not to try to re-identify the data; and (3) contractually prohibits downstream recipients from trying to re-identify the data.” …

Seeing the Silver Lining: 4 Positive Aspects of GDPR for Businesses

Since the General Data Protection Regulation (GDPR) was proposed, IT professionals, lawyers, and consultants have been talking about the potentially game-changing effect that it may have on businesses around the world. Similar to how US citizens in the 1950s and 60s were trained to prepare for a nuclear war, the vast majority of articles and presentations on GDPR relate to how one should prepare for a potential doomsday scenario. The looming risks and challenges to GDPR are real and daunting. Among other things, the regulation has an over-reaching territorial scope, includes the potential requirement of a Data Protection Officer in company practices, and encourages the incorporation of Data Protection Impact Assessments into an amended privacy program. However, there is a silver lining for almost everything, and GDPR compliance is no exception. This article discusses four “silver lining” benefits of GDPR as compared to the current data protection scheme in Europe.

Harmonization of EU privacy laws

One of the biggest complaints from companies operating in Europe is that they have to monitor and comply with the laws of 28 different countries. Under the EU Directive 95/46/EC (“EU Directive”), data privacy laws are essentially addressed at the member state level. To put it another way, the EU Directive provides a framework for EU countries to develop and maintain their own privacy rules and regulations. The result is that current data privacy law is essentially a patchwork of different laws from various member states, which often leads to uncertainty for businesses and their EU-based clients, as well as substantial costs associated with compliance efforts.

Except for employment or national security-related privacy matters, GDPR will allow companies to focus on one all-encompassing, uniform set of data privacy regulations. This has the potential to help small- to mid-sized companies operating in or collecting information from EU residents. Rather than deciding between “full” compliance, which involves spending significant amounts on legal fees and relying on subjective analyses of various EU member state laws, or rolling the dice with non-compliance in certain EU countries, GDPR may permit companies to save costs and reduce risk by following a uniform set of rules that apply to the entire European Union.

Lead authority one-stop shop

Under the aforementioned EU Directive, there are over 20 different privacy regulations that a company operating in Europe must comply with. Although the EU Directive created a mechanism that was designed to facilitate communication between member state data protection authorities, investigations and enforcement actions are often done separately by various member states.

While companies would have preferred a system where one single privacy regulator has exclusive competence over regulation, GDPR allows companies to deal with one “lead authority” in the company’s place of main establishment. Various national data protection authorities will still have the ability to investigate and enforce data protection issues if a complaint is directed to them, but they must notify the lead authority of their intention to investigate or take action.

The lead authority will then have three weeks to determine whether it wishes to intervene and operate in a joint manner. While there are other nuances and exceptions, as a whole, GDPR’s designation of a lead authority has the potential to encourage the various national authorities to work together on enforcement and investigation matters in a predictable and efficient manner, allowing companies to focus time, energy, and resources on dealing with one regulator.

Data breach reporting

The United States does not have a general federal breach reporting statute. Instead, most US states have their own data breach reporting rules and regulations. The current EU Directive also does not contain a general data breach-reporting obligation. Rather, data breach reporting requirements are determined by each member country. Some member states, like Germany and the Netherlands, have implemented data breach reporting obligations, while other countries, such as the United Kingdom, Denmark, and Ireland, have not. GDPR introduces a general obligation to report data breaches. GDPR Article 33(1) states that the breached entity must, without undue delay, notify the supervisory authority within 72 hours of becoming aware of a personal data breach.

GDPR’s breach notification requirement may be advantageous to most companies. Similar to the burden of keeping track of changes in breach reporting statutes in the United States, the current EU Directive creates a burden upon companies to keep track of the breach reporting statutes of each member country. For in-house counsel, contract negotiation over data breach provisions can be shortened and streamlined when vendors include detailed data breach reporting provisions in their standard contracts as a component of GDPR compliance. Furthermore, the period following a data breach is often hectic. In addition to keeping up with breach reporting regulations, breached companies also have to deal with contractual liability, PCI-DSS issues, and internal business/PR issues. Having to report to only one supervisory authority rather than figuring out which member states to report to saves time and energy for in-house counsel, particularly for smaller in-house departments. GDPR allows companies to have one all-encompassing EU data breach response plan.

Competitive advantage for GDPR compliant US entities

Compliance with GDPR, in addition to the cost and time savings mentioned above, can also serve as a competitive advantage in the US marketplace. Although GDPR is not directly applicable to a US-based customer company in most cases, a vendor company has the optical advantage of being able to boast compliance with data privacy regulations that are more stringent than those required under US law. This engenders trust in the vendor, and provides the customer company with the tangible benefits of transparency, privacy, and security with respect to the vendor’s treatment of the customer’s data. Customer companies are increasingly seeking to rely upon their vendors’ regulatory compliance as part of their overall compliance policies, and vendors that comply with GDPR further those initiatives.

Data Maps and Data Inventories: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States companies are not required to inventory the type of data that they maintain, or map where that data flows in (and out) of their organization. That said, knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most mature data privacy and data security programs. For example, while the law does not require that companies inventory the data that they collect, federal and state law is being interpreted as requiring that companies use, at a minimum, reasonable and appropriate security to protect certain types of “sensitive” information such as Social Security Numbers. It is difficult for many companies to defend their security practices if they lack confidence as to whether they are collecting sensitive information and, if so, where it is being maintained. As a result, while it is not a legal requirement to conduct a data inventory it is, for many, a de facto step to comply with other legal requirements. …

Guidelines for Written Information Security Policies

Although federal law only requires that financial institutions and health care providers maintain a written information security policy or “WISP,” approximately thirty-four states have enacted legislation that requires organizations in other industries to take steps to keep certain forms of personal information safe. These statutes are broadly referred to as “safeguards” legislation. In some states safeguards legislation requires that organizations adopt certain security-oriented practices, such as encrypting highly sensitive personal information or irrevocably destroying sensitive documents. In other states safeguards legislation requires the adoption of a comprehensive written information security policy. …

EU Binding Corporate Rules For Transferring Data: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States companies are permitted to transfer personal information – including sensitive personal information – as needed between their offices, locations, and corporate affiliates. For example, there are no restrictions that prevent a company from sending personal information collected within the US to a company data center located outside of the US. In the European Union, the EU Data Protection Directive 95/46/EC (the “Directive”) creates a legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. …

Guidelines for Negotiating Payment Processing Agreements

Credit cards are the primary form of payment received by most retailers. In order to process a credit card a retailer must enter into an agreement with a bank and a payment processor. Payment processing agreements often have significant impacts on a retailer’s financial liability in the event of a data breach. In many cases, the contractual liabilities that flow from a payment processing agreement surpass all other financial liabilities that arise from a data breach including the cost to investigate an incident, defend litigation, and defend a regulatory investigation. The following provides a snapshot of information concerning payment processing agreements. …

Data Protection Officers: A Comparison of US Law, EU Law, and Soon-to-be-EU Law

Although organizations in the United States have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure and, in some cases, one or more dedicated employees. While in some organizations “data privacy” and “data security” fall within the ambit of the legal department, other organizations have created offices that are focused solely on privacy issues. There is little commonality in how these offices are staffed, funded, or organized. For example, while some organizations have “Chief Privacy Officers” or “Chief Information Technology Officers” that report directly to senior management, other organizations have privacy officers that report through a General Counsel or to a Chief Compliance Officer. …

Class Action Litigation Trends

There is a great deal of misunderstanding concerning data security breach-related class actions. In large part the media and the legal media have exaggerated the quantity (and success) of class action litigation. The following provides an overview of the risks associated with lawsuits following data security breaches. …

Guidelines for Radio Frequency Identification (“RFID”)

Radio Frequency Identification (“RFID”) technology uses electromagnetic fields to transfer data. RFID systems typically operate by attaching tags to objects, devices, or cards. Some tags can be powered by a local power source, such as a battery (“active RFID”). Their local power source permits them to transmit a signal that may be registered hundreds of meters from an RFID reader. Other tags do not have a local power source and are instead powered by electromagnetic induction from the magnetic fields that are produced by an RFID reading device in close proximity (“passive RFID”). …

Guidelines for Retaining a Forensic Investigator

Many competent IT departments lack the expertise, hardware, or software to preserve evidence in a forensically sound manner and to thoroughly investigate a security incident. In-house counsel needs to be able to recognize such a deficiency quickly – and before evidence is lost or inadvertently destroyed – and retain external resources to help collect and preserve electronic evidence and investigate the incident…

How to Prepare for an FDIC Cybersecurity Examination

FDIC bank examinations generally include a focus on the IT systems of banks with a particular focus on information security. The federal banking agencies issued Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (“FFIEC”) to conduct IT examinations of service providers. …

Guidelines for Facial Recognition Technology

Facial recognition technology uses algorithms that map facial features – such as the distance between a person’s eyes, or the width of a person’s nose – and compares those features to a database of known individuals. Organizations may use the technology for security (e.g., cameras that “ID” employees or criminals), marketing to consumers (e.g., cameras that “ID” particular customers), or designing products that quickly categorize digital media (e.g., photograph sorting). …

Data Breach Notification Laws: What to consider

Although Congress has attempted to agree on federal data breach notification legislation, there is no national data breach notification law that applies to most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving personal information. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Companies Perceived By FTC As Emerging Threats

As discussed in the previous section, the FTC collects complaints about organizations that allegedly violate the data privacy, data security, advertising, and marketing laws. Each month DPI creates a “Surge” report that identifies those organizations with the greatest increase in consumer complaint volume. For each organization listed the report indicates the quantity of complaints received in the past two months, the jurisdiction in which the organization is based, and a summary of the complaints filed. …

Data Breach Notification In the EU: A Comparison of US and Soon-To-Be EU Law

In the United States Congress has repeatedly attempted, but failed, to agree on federal data breach notification legislation. As a result, there is no single federal statute that imposes a breach notification obligation on most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Data Breach Decision Points: Part 8

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 8 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, and Part 7. …

New Insider Threat and Cybersecurity Requirements Pose Significant Costs for Smaller Government Contractors

In a recent article in the National Defense Magazine, Bryan Cave attorneys point out that recent changes to the National Industrial Security Program Operating Manual, or NISPOM, may make it more difficult for companies, particularly those that are unable to spread costs across multiple high-dollar contracts, to compete for government contracts requiring access to classified information. As a result, the efforts by the Department of Defense to increase competition and innovation by turning to smaller companies ultimately may be unsuccessful.
To read the full article, click here. 

Data Breach Decision Points: Part 7

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 7 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, Part 4, Part 5, and Part 6. …

Guidelines for Reputation Management

The reputational injury following a data breach can be severe. Indeed, reputational injury – including lost customers – often surpasses legal liability.

Effective management of the reputational impact of a data security incident requires a proactive and reactive strategy. The proactive strategy assumes that the organization will control when, and what, information will be conveyed to the public, media, and impacted consumers. For many organizations the proactive strategy that they choose is to wait until their investigation of an incident is complete so that they can provide the public with the most accurate and meaningful information. …

Data Breach Decision Points: Part 6

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 6 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, Part 4, and Part 5. …

Guidelines for Third-Party Vendor Management Programs

Third-party service providers present difficult and unique privacy and cybersecurity challenges. Vendor management is important throughout the life of your relationship with your vendors. Vendor diligence starts during the vendor selection process, continues through contract negotiation, and ends when the parties terminate their relationship. The goal is to effectively improve the service your vendors provide to your company and allow your customers to realize the benefits of the arrangement, while mitigating the risk inherent in the vendor relationship. …

Data Breach Decision Points: Part 5

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 5 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, and Part 4. …

Guidelines for Cloud Computing

Most companies now use some form of cloud computing whether through software as a service, platform as a service, or infrastructure as a service. Cloud computing’s cost-effective scalability can offer significant advantages to an organization, but it can also raise significant security concerns. Although many cloud providers offer assurances that their systems are secure, many are also unwilling to contractually guarantee the security of data placed in the cloud and are unwilling to fully indemnify a company in the event that the cloud storage is breached. …

How to Avoid Being the Next OCR Target for a HIPAA CMP

In 2016, the Office for Civil Rights (“OCR”) imposed civil monetary penalties (“CMPs”) of over $22.8 million on 12 entities, including a business associate. The most frequent violations of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act regulations (“HIPAA Laws”) are not hacking! …

Data Breach Decision Points: Part 4

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Guidelines for Collecting Information From Children: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States there are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information from children under the age of 13, that a website post a specific form of privacy policy that complies with the statute, that a company safeguard the information that is received from a child, and that a company give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as on-line games or sweepstakes. …

Guidelines for Privacy Certifications and Trustbrands

Privacy certifications, or “trustbrands,” are seals licensed by third parties for organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization which has displayed the seal has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. …

Data Breach Decision Points: Part 3

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

This is part 3 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Part 1 can be found here, and Part 2 can be found here. …

Should Hotels, Restaurants, Bars, and Shopping Centers Stop Offering Open WiFi Connections?

The answer in Germany is “yes.” To understand why, you have to understand the principle of “co-liability” or Störerhaftung. Under the principle of co-liability, operators of an open WiFi network can be held liable for the legal infringements of the users of their networks. This means that if someone uses your company’s free WiFi network to illegally download music, your company could be sent a warning (or could be subject to liability) for permitting the use.

The European Court of Justice recently addressed this issue in a case that dealt with the applicability of the E-Privacy Directive to private operators of internet connections. The case was presented to the European Court of Justice by the Regional Court of Munich, and involved a warning letter that had been sent by Sony Music Group to the operator of a business that offered free WiFi in its sales areas. According to Sony, a guest had allegedly used the free WiFi connection to illegally download music. …

Guidelines for Data Maps and Data Inventories

Knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a “data map” or a “data inventory.” Although the questions that a data map tries to solve are relatively straightforward, the process of conducting a data map can be daunting depending upon the size and structure of an organization. In addition, it is important to remember that data constantly changes within an organization. As a result, organizations must consider how often to invest the time to conduct a data map and, once invested, how long the information will be useful. …

Data Breach Decision Points: Part 2

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

This is part 2 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Part 1 can be found here. …

How to Avoid Risk When Renting, Selling or Streaming Video Content

The Video Privacy Protection Act (“VPPA”) was passed in 1988 in reaction to a fear that people other than a consumer and a video rental store could collect information on a consumer’s video rental history. This was not an academic concern at the time. Immediately prior to the passage of the VPPA, Judge Robert Bork, who had been nominated to the Supreme Court, had his video rental history published by a newspaper that was investigating whether he was fit to hold office. …

Companies Perceived By The FTC as Top Violators

As discussed in the previous section, the FTC collects complaints about organizations that allegedly violate the data privacy, data security, advertising, and marketing laws.

Each month the FTC’s Division of Planning and Information (“DPI”) creates a “Top Violators” report that ranks the fifty organizations with the greatest volume of consumer complaints in that month. The report indicates whether each organization listed was included in the previous month’s report, whether its rank has changed, and the number of complaints received by the FTC that month. For organizations that are new to the report, DPI reviews their complaints and summarizes the issue, or issues, that have been raised by consumers. …

Data Breach Decision Points: Part 1

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Guidelines for Written Information Security Policies

Although federal law only requires that financial institutions and health care providers maintain a written information security policy or “WISP,” approximately thirty-four states have enacted legislation that requires organizations in other industries to take steps to keep certain forms of personal information safe. These statutes are broadly referred to as “safeguards” legislation. In some states, safeguards legislation requires that organizations adopt specific security-oriented practices, such as encrypting highly sensitive personal information or irrevocably destroying sensitive documents. In other states, safeguards legislation requires the adoption of a comprehensive written information security policy. …

Guidelines for Email Marketing in Canada (CASL)

On July 1, 2014, the central provisions of the Canadian Anti-Spam Law (“CASL”) came into force. [1] These provisions generally prohibit the sending of a Commercial Electronic Message (“CEM”) without a recipient’s express consent, and unless the CEM contains certain prescribed sender identification information and an effective unsubscribe mechanism. CASL provides a number of nuanced exceptions to the express consent requirements of the law. The primary enforcement agency of CASL is the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC has several compliance tools to enforce CASL, including the issuance of Administrative Monetary Penalties (AMPs) against individuals and organizations that have violated CASL’s provisions. …

Healthcare Business Associates

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified the Health Insurance Portability and Accountability Act (“HIPAA”) by expanding the definition of Business Associates (“BA”) and their responsibilities and liabilities. …

Organizing Data Privacy Within A Company


Although organizations have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure, dedicated employees, and/or dedicated resources. While in some organizations “privacy” falls within the ambit of the legal department, other organizations have created offices that are focused solely on privacy issues and that report to a Chief Privacy Officer (“CPO”). There is little commonality in how these offices are staffed, funded, or organized. For example, while some CPOs report directly to senior management, others report through a General Counsel or a Chief Compliance Officer. …

Healthcare Data Breach Enforcements and Fines At A Glance


The Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) is responsible for enforcing the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Enforcement of the Privacy Rule began on April 14, 2003, while enforcement of the Security Rule began on April 20, 2005. Furthermore, covered entities and business associates were required to comply with the HIPAA Breach Notification Rule beginning on September 23, 2009. …

Guest Op-ed: What I’ve Learned from 5,000 Data Breaches

When clients ask me to describe the biggest risks surrounding a data breach I sometimes say: “(1) reputation, (2) reputation, and (3) litigation, regulatory, and contractual.” Our guest columnist this week talks about her own opinion of the role of reputation and the impact that customer service plays on that. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.

– David Zetoony


What I’ve Learned from 5,000 Data Breaches

By Jamie May, AllClear ID

  1. How has the breach response landscape changed over the last year?

Over the last year, the biggest shift we’ve seen in the industry relates to the activities that occur well before a data breach. We’ve all seen the devastating consequences a botched response can have on brand reputation, customer retention and the bottom line. Today, more and more businesses are engaging with partners like Bryan Cave early on, and taking proactive steps to be ready to address their customers quickly and with care when a data breach does occur.


  2. After a breach, losing customer trust is a big concern for brands. What can companies do before and after a breach to ensure customer trust remains intact?

Companies should place excellent customer service as their guiding principle during response planning and execution. Taking the time to plan for an incident with the customer in mind will go a long way in preserving customer trust when a breach occurs. All communications to customers need to be clear and helpful to minimize confusion and anger.  It is much easier to have clear communications when you think through the flow and complexities in advance of a real incident. Keep in mind, your customers’ first interaction with your brand after a breach may be with the identity protection services and support center, so getting that experience right is crucial to success. To make this easier, look for a partner who can help provide:

  • Identity protection services that are user-friendly and available to every affected customer
  • Guaranteed access to quality, scalable call center services
  • Call center agents who are trained in soft skills as well as identity theft protection best practices


  3. What is the single most important thing companies can do to ensure a breach response goes smoothly?

In my experience, companies across all industries that focus on their customers before, during and after a data breach fare far better than those that do not, both in terms of overall response and the speed at which they are able to return to normal business operations.  To do this well, securing the resources you need before an incident occurs is absolutely critical. Even the best planning is rendered useless if your customers experience hour-long hold times when they call in to the call center for help.  To avoid this negative customer experience, companies should partner with response providers who offer them a contractual guarantee that the resources they need will be available when they need them – this is the most critical component of true breach readiness.

  4. What trends are you currently seeing in the breach response space?

We’re working with more and more companies who are taking proactive steps to be ready to respond well before an incident event occurs. We help these companies build out the operational details of their customer-facing response plan. Part of this process involves testing that plan through a breach simulation. We create a mock breach scenario and use the response plan to actually walk through how the company would respond.  This exercise exposes any gaps in the response plan and allows the response team to practice in a controlled environment.

Another trend we’re seeing is that businesses want a guarantee that we will be available to help them respond to their customers should they ever need us. To address this need, we created our Reserved Response program, which allows companies to reserve guaranteed response manpower. They invest upfront, and we guarantee we will be available when they need us.  This takes a lot of the uncertainty out of breach response.


Jamie May is Vice President of Operations at AllClear ID. Since joining the company in 2007, she has managed the implementation and execution of over 5,000 data breaches, including 3 of the 4 largest and most complex breach responses in history. She advises Fortune 1000 companies, government agencies, and healthcare organizations on all aspects of breach readiness and response and is a sought-after industry expert.

How to Respond To Third Party (Non-Government) Civil Subpoenas And Document Requests That Ask For Personal Information

Litigants in a civil dispute often use subpoenas, subpoenas duces tecum, and discovery requests to obtain personal information about individuals who may not be present in the litigation. A request for documents and information that include personal information about third parties may conflict with legal obligations imposed upon an organization not to produce information. For example, if an organization promises within its privacy policy that it will never share personal information with a “third party,” and does not include an exception for requests made in civil litigation or through judicial process, a consumer could argue that by producing information pursuant to a subpoena or discovery request an organization has violated its privacy policy and committed an unfair or deceptive practice in violation of federal or state law. …

Causes of Healthcare Data Breaches


Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), covered entities (e.g. healthcare providers and health plans) must notify the Department of Health and Human Services (“HHS”) of breaches of unsecured protected health information (“PHI”).1 The information provided to HHS provides companies with a high level of insight concerning the types of breaches that occur in the healthcare industry.
The data collected by HHS concerning breaches affecting 500 or more individuals in 2015 shows that unauthorized access or disclosure, such as misdirected mailings, break-ins of physical premises, and employees accessing PHI that is not necessary for their duties, is the most common form of data breach in the health sector – surpassing theft of hardware, which was the leading cause for health data breach in 2014. …

Guest Op-ed: Frequently Asked Questions Regarding Cyber Insurance

Our clients have a lot of questions when it comes to cyber insurance. For this week’s op-ed, we asked Tim Burke, director of cyber risk at IMA, Inc., if he could discuss the two main questions that he receives from clients who are investigating cyber insurance as well as his typical response. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.

– David Zetoony


Frequently Asked Questions Regarding Cyber Insurance

By Tim Burke, IMA, Inc.

We have now reached a recognition by most commercial entities that cyber insurance is a “need to have” as opposed to a “nice to have.” Having been involved with cyber insurance dating to 1999, I have seen quite a bit of change in the marketing and scope of this coverage. Today, my job often involves presenting on this topic to a wide variety of audiences who pose engaging questions. Therefore, I have addressed within this post some of the most commonly received inquiries pertaining to cyber insurance.

Q: What is the biggest mistake you see in consideration of purchase of this coverage?

A: One consistent issue I see is companies viewing this issue as exclusively related to privacy breaches. If I do not maintain a significant amount of confidential information (ex. PII, PHI, PCI) then we have no relevant exposure. That logic may be accurate to an extent but the primary intent of the coverage is to address operational risks associated with failures of security and safeguarding confidential information. This can extend to internal operational errors as well as outsourced functions. The scope of coverage is broader than most realize and extends to first-party risks such as business interruption and costs to replace data. A recent example of this is the number of highly publicized ransomware attacks where there was significant operational disruption, including down time and loss of data. Since most traditional property and casualty policies do not address new and emerging perils (malware, denial of service, encryption), cyber insurance policies have been specifically designed to address those gaps in your insurance portfolio. I often pose this guiding question: what is the enterprise value of your intangible property vs. tangible property and how does your insurance program reflect that?

Q: What suggestions can you provide for an effective procurement of this coverage?

A: The first suggestion is to recognize this is an enterprise risk issue, not an “IT” issue. As part of that consideration, you need to break down the silos within the organization to foster dialogue and awareness. Bring together a cross spectrum of relevant stakeholders (CISO, CIO, Legal, Risk Management, Finance, Marketing) to identify and quantify unique operational risks. Examples of unique “blind spots” we come across are outsourcing, industry specific regulation, M&A and reputational impact. Build a consensus and then develop a list of coverage priorities. These priorities should then dictate your marketing goals. The cyber market is highly competitive (50 + carriers) with creative underwriters eager to write new business. You should also engage in direct dialogue with a prospective insurer as underwriters welcome the opportunity to learn more about your operations. It also provides an opportunity for you and your broker to pose questions of them. As part of that discussion, include a representative from the claims department to discuss experience handling your peers’ claims, industry trends and expectations in the event of a claim. Ultimately, a well-thought-out strategy results in you dictating the pace to the marketplace as opposed to vice versa and eliminates any questions you may have on the viability of your coverage.


Tim Burke is the Director of Cyber Risk at IMA, Inc. As the national practice leader, he is in charge of researching emerging issues and creating proprietary solutions. Areas of focus include creation of custom risk transfer programs based on industry segment, loss control solutions and fostering partnerships with service providers. Tim has over 15 years of experience underwriting and selling cyber insurance. He has assisted numerous clients in managing through high-profile data breaches. Those experiences allow him a unique perspective on both the design and claims protocol of cyber insurance. He specializes in working with companies in the energy, retail, hospitality, financial and healthcare industries. He is a frequent presenter at industry conferences and a recognized innovator in the rapidly evolving area of cyber risk. Tim can be reached by email at tim.burke@imacorp.com.

How to Respond to National Security Letters That Ask for Personal Information

National Security Letters (“NSLs”) refer to a collection of statutes that authorize certain government agencies to obtain information and simultaneously impose a secrecy obligation upon the recipient of the letter.

Four statutes permit government agencies to issue NSLs: (1) the Electronic Communication Privacy Act,1 (2) the Right to Financial Privacy Act,2 (3) the National Security Act,3 and the (4) Fair Credit Reporting Act.4 Although differences exist between the NSLs issued under each statute, in general, all of the NSLs permit a requesting agency to prevent an organization that receives the NSL from disclosing the fact that it received the request, or the type of information that was requested, if disclosure may result in a danger to national security, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of a person. If the recipient of a NSL wishes to challenge a non-disclosure request accompanying a NSL, the recipient may file a petition with a U.S. district court in the district where the person does business,5 or, the recipient may request that the requesting agency obtain judicial review of the nondisclosure request.6 In both instances, the requesting agency must file an application with the court setting forth the reasons for the nondisclosure request. …
Op-ed: Let’s Not Kid Ourselves – There Is No Insurance for the Big Data Risk

Cyber-insurance is on the minds of most Boards (and, therefore, most CEOs, CFOs, and GCs).  As a result, clients often ask us to benchmark their cyber-insurance policies, or to work with their brokers to make sure that the policies they purchase have real coverage.

The market for cyber-insurance is incredibly diverse, and there are a hundred traps for the unwary.  If you are interested in understanding the gaps to look for, the exclusions to avoid, and how to get a reality check on limits, we’ve published several guides on the topic and have recorded several presentations.[1]  Understanding the traps can help steer you from buying a “junk” policy that provides no real coverage.  But that’s not necessarily where the role of attorneys stops.

I always try to remind my clients to keep one thing in mind.  There is no insurance for the “big” data risk.  Why?  The “big” data risk is your company’s reputation.

There are few instances I can think of where the potential reputational impact from the mishandling of data did not outweigh (exponentially) the possible legal liability.  While some insurance policies provide access to public relations experts (at least in the case of a breach), and a few policies attempt to compute reputational damage by comparing earnings in the 12 months preceding a data event with earnings after a data event, no policy can make a company whole for the long term impact of losing the trust of customers and the public.

Managing the reputational risk is, unfortunately, a lot more complex than buying an insurance policy.  It means making strategic decisions about what you collect, how you use it, with whom you share it, and how you will respond to a crisis – like a data breach – when it occurs.  Those decisions require creativity, planning, and practice that can’t be purchased, but can turn out to be priceless.

[1]  See http://bryancavedatamatters.com/wp-content/uploads/2015/02/Cyber-Insurance_At-A-Glance.pdf; https://d11m3yrngt251b.cloudfront.net/images/content/8/1/v2/81918/Credit-Card-Data-Breaches-Protecting-Your-Company-from-the-Hid.pdf;

How to Respond to Government Subpoenas and Document Requests That Ask for Personal Information

Federal and state agencies traditionally obtain information for law enforcement purposes using a variety of methods including:

  • court issued subpoenas,
  • grand jury subpoenas,
  • search warrants,
  • litigation discovery requests, and
  • administrative subpoenas.1

A request by a government agency for personal information about one, or more, consumers may conflict with consumers’ expectations of privacy, and, in some instances, may arguably conflict with legal obligations imposed upon an organization not to produce information.  For example, if an organization promises within its privacy policy that it will never share the information that it collects with a “third party” and does not include an exception for requests from law enforcement, or government agencies, a consumer could argue that by producing information pursuant to a government request, an organization has violated its privacy policy and committed an unfair or deceptive practice in violation of federal or state law. …
Guest Op-ed: Addressing Cyber Risks Inherent in M&A Transactions

Data privacy and security law has impacted (or, depending on your perspective, infected) almost every area of traditional practice. As a result, lawyers in different practice areas are finding that they need a working knowledge of data issues, just like they need a working knowledge of torts, administrative law, labor and employment, insurance, etc. This is particularly true in the world of mergers and acquisitions. Every corporate seller is conveying, among other things, data and IT infrastructure; every corporate buyer is purchasing data and, potentially, a security vulnerability or unknown data breach.

Today’s guest writer discusses the need to mature data security due diligence so the parties have a better understanding of the data risks and assets in the transaction. Although many companies still rely primarily on contractual representations and warranties of sound security practices, lack of a thorough assessment on both sides can lead to litigation if the parties find out post-closing that the world was not as one, or both of them, believed. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.

– David Zetoony


Addressing Cyber Risks Inherent in M&A Transactions
By Shawn Henry, CrowdStrike Services, Inc.

The year 2015 marked the highest ever value of mergers & acquisitions with an astounding $4.6 trillion. If 2016 follows this trajectory, we’re looking at over 18,000 M&A events to occur this year, many of which may be “megadeals” exceeding $50B. With figures this staggering, you can’t afford to take on a partner organization without exploring ALL areas of risk – financial calculations can no longer be the only factor considered. Cybersecurity risks must be thoroughly explored since they will directly impact the value of the company to be acquired, as well as potentially lead to significant costs to remediate gaps or defend litigation post merger.

I equate it to buying a home, which is usually the biggest personal investment one makes. Your realtor is there to protect you and, with the inspector, asks the important questions that likely won’t come up during your house hunting. Are there structural problems with the house? What about termites? Is this home in a flood plain? What’s the condition of the electrical and plumbing systems? Similarly, a substantial business investment often occurs with an M&A event. You wouldn’t make that home purchase without the inspection; why, then, would you accept less vigilance when it comes to your business?

It is essential that the acquirer thoroughly explore the critical security questions for companies, and avoid introducing unnecessary risk to an organization prior to a merger. By performing a comprehensive assessment, the acquirer should identify the gaps in the partner organization’s security posture and develop ways to solidify it before integration with your brand occurs. In addition to a comprehensive technical evaluation, the assessment should encompass an examination of security documentation, a review of IT processes, and interviews of key staff to understand where on their list of priorities cybersecurity falls.

Some questions to explore include:

  • Are there vulnerabilities in the partner organization that could be exploited to access your systems?
  • How secure will the organizations’ data be during the integration process?
  • Has their network been compromised in advance of the merger?
  • What security risks are there in merging your environment with theirs?
  • Does their organization have the same level of security controls in place that meet the standards of yours, even if you’re not absorbing their technological resources?

I realize every organization, every M&A, and every security setup is unique; and therefore, assessment must be customized to meet specific needs. In order to provide the best protection for your most valuable assets, you should prioritize resources based on the actual risk, an implementation plan of effective detection measures, and a comprehensive security strategy to actually prevent damage.

Throughout my previous law enforcement career, I saw time and again that the nominal cost of being proactive and predictive about security saved significant time and money in the long run…underscoring, bolding and italicizing the word ‘significant’. It’s ALWAYS harder and more expensive to react to something than to prevent it from happening in the first place.


Shawn Henry is the President of CrowdStrike Services, Inc., a Google-backed cybersecurity company that provides pre- and post-breach services to mitigate the risks and damage associated with cyber compromises. Prior to joining CrowdStrike, Mr. Henry served as the executive assistant director of the FBI and is credited with boosting the FBI’s computer crime and cybersecurity investigative capabilities. He oversaw computer crime investigations spanning the globe, including denial-of-service attacks, bank and corporate breaches, and state-sponsored intrusions.

Op-ed: Don’t Blame Companies for Convoluted Privacy Policies

It’s a myth that consumers read privacy policies. They don’t. I know that because I like privacy policies more than almost anyone – I’ve written them, I’ve defended them, I’ve analyzed them – and yet I can’t remember the last time that I went to purchase something online for myself and read the company’s privacy policy. If privacy lawyers don’t pause to read them, I’m confident that average consumers do not.

It’s no surprise why consumers don’t read them. Assuming that a consumer cares about privacy and assuming that they think about reading a policy before submitting information online, privacy policies read like mini legal treatises. They refer to technology that may be hard to understand (e.g., what is a clear gif?), and subtle but significant differences that might not be obvious to some consumers (e.g., what does it mean to share data for “joint marketing with a third party,” but not for a third party to market themselves?).

About a year ago, I was asked to moderate a panel discussion on “best practices” when drafting privacy policies. We had a great panel of regulators, noted privacy officers, and general counsel, and I was excited to hear some new perspectives. I turned the discussion to a topic that has been on my mind for years – is it possible to draft a truly simple privacy policy that would be quick and easy for a consumer to read and understand? We talked about various companies that had attempted this by trying to use plain language, reducing word counts, or using matrices, graphics, tables, hyperlinks, roll overs, or cross-references. At the end of the day, despite some commendable efforts nobody could think of a truly successful attempt at making a privacy policy digestible.

There was some agreement as to the reason policies tend toward being long, convoluted, and legalistic. Privacy practices are complex and plaintiffs’ attorneys and regulators can be unforgiving. For example, a company that does not intend to sell, rent, or share information may want to simply say that to consumers using those eight words: “we do not sell, rent or share information.” The truth is, however, that there are no definitives when it comes to information. If the company has service providers (as most companies do), it inevitably shares information with consultants, lawyers, product fulfillment companies, etc. If a company receives a subpoena (which any company could), it may have to share information with the government. If the company is acquired (which many companies are), it will sell the information to the acquirer. If the company is sued, it may have to share the information with a plaintiff. The eight-word statement suddenly becomes a 100-word list of exceptions and exclusions to ensure that a company is not accused of deception by carrying out normal (and in most cases unavoidable) sharing practices.

The net result is that the precision that the plaintiff’s bar and some regulators have demanded forces companies away from brevity and toward legalese. The end result is a precise policy that no consumer has the time (or attention span) to read.

Guest Op-ed: Developing a Better Approach – The Benefits of Public–Private Collaborations

There is no shortage of data-privacy and security laws in the United States.  By our count, there are now about 300 state and federal statutes.  They include breach-notification laws, data-disposal laws, data-safeguard laws, payment card information-protection laws … the list goes on and on.  Quantity does not, unfortunately, always translate into quality.  Most legislators and regulators have displayed relatively little creative thinking and pass largely redundant statutes that often confuse the business community rather than facilitate better practices.  A distinct exception was a legislative proposal from the New York Attorney General’s Office last year that would have created a new framework for state data security regulation benefiting consumers, the business community, and regulators.  We asked Kathleen McGee, Chief of the Bureau of Internet and Technology within the Office of the Attorney General of the State of New York, and the architect of the proposal, to explain the process by which that proposal was created. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.

– David Zetoony


Developing a Better Approach – The Benefits of Public–Private Collaborations
By Kathleen McGee, New York State Attorney General’s Office

Public–private collaborations and regulation are not commonly perceived as the norm.  But, in the New York Attorney General’s approach to addressing the data breach crisis, public-private collaboration was considered crucial to successful regulation.

Under New York State General Business Law section 899-aa, anyone who maintains private information of New Yorkers and subsequently experiences a breach of that information is required to notify the Office of the New York Attorney General, as well as two other state agencies.  And in 2014, in the wake of some of the largest mega-breaches to date, NYAG undertook an analysis of all such data breach notifications to our office (the report may be found on our website at http://www.ag.ny.gov/pdfs/data_breach_report071414.pdf).

Our analysis yielded some interesting results.  While breaches due to third-party intrusions were on the rise, so too were breaches resulting from negligence or other internal failures within a company.  In other words, companies themselves were reporting that they were increasingly unable to protect the private information they maintained from their own internal failures.  Confronted with this information, we asked ourselves: what about the current state of data security was working, what was failing, and what could NYAG do to strengthen data security for New Yorkers and the companies who did business in New York?

We first turned to an analysis of our existing state law and other data breach security laws across the country.  We knew that many of the companies servicing New Yorkers operated nationally and therefore had to conform to the strictest laws of the land, even if those weren’t in New York.  New York’s law was clearly not the most demanding – that honor went to states like California and Massachusetts, who had set the highest standards for reporting and encryption, for example.  Nor was New York’s law prescriptive, like Oregon’s, which established reasonable guideposts any company could follow to better secure private information.  Yet, breaches of New Yorkers’ private information were on an upward trajectory.  Would a change in New York law have a positive impact on data security?

To find out, we turned to companies and consumer groups and, for six months, took our data and legal analysis on tour, so to speak.  We asked these groups about their biggest concerns and obstacles in data security and also what they thought worked well in the existing regulatory landscape.  The resulting conversations were forthright and candid, ranging from the principles to the practice of data security.  We observed that generally, companies were incentivized to not have a breach.  However, what incentivized companies – regulatory hammers, class actions, and bad press, to name a few – was not sufficiently laying the groundwork for meaningful data security.  Bluntly put, strict deterrence alone was not positively affecting companies’ security of private information.

Could positive incentives and guideposts towards a better data security program be the answer?  If so, how could New York craft legislation that reflected the real concerns of companies and consumers and yet be flexible enough to grow with the rapidly evolving data collection landscape and security concerns?  In answer, and in collaboration with the private sector, NYAG crafted a simple set of affirmative incentives – a safe harbor for top-shelf data security and a rebuttable presumption for achieving commendable data security benchmarks – that would encourage and reward best practices for companies and ensure reasonable data security for consumers.  And, we proposed a set of practical and reasonable data security guideposts companies could follow regardless of size or industry.  The result was the NYAG’s Data Security Act, a practical prescription to the real concerns faced by business and consumer alike.

The public-private collaboration was critical to the end product.  Taking the time to fully consider the applications of regulation to a company’s practice, appreciating how data is collected and utilized by companies, should be a hallmark of any data security legislation.  A version of the Act had bipartisan support but fell short of passage this year.  But we will continue to work with partners in industry to raise awareness of the issue next year, in hopes of passing the Data Security Act into law.  Smart business and smart government alike can benefit from working together towards a better regulatory solution to data security.


Kathleen McGee is Chief of the Bureau of Internet & Technology for the New York State Attorney General’s Office.  The Bureau of Internet & Technology is responsible for the enforcement of New York’s privacy and consumer protection laws in the online and technology environment, as well as enforcement of New York’s data breach notification laws.  The office investigates a wide range of issues affecting the internet and technology space, including spyware, spam, online privacy, child safety, gambling, free speech and fraud.  Recent investigations have included Daily Fantasy Sports, Broadband Internet Speeds, the online sale of tickets to events, and the teen chat websites.  Kathleen can be reached by email at Kathleen.McGee@ag.ny.gov.

The Dispute Resolution Mechanisms Under the Privacy Shield (Part 2 of 2)

What Happens if I Join Privacy Shield and an Employee Submits a Complaint? (Part 2 of 2)

The first installment in our month-long series dissecting the new “Privacy Shield” framework for transferring data from the EU to the United States discussed the history and implementation of the Privacy Shield. The second, third and fourth installments provided side-by-side comparisons of the Privacy Shield against the former EU-US Safe Harbor Framework, the current Controller-Processor Model Clauses and the current Controller-Controller Model Clauses (Set 2). The remainder of our series will focus on addressing the top questions we have received concerning how the Privacy Shield will function in practice.

One of the most common areas of confusion surrounding the Privacy Shield is the way in which people are permitted to raise complaints with participating companies concerning the collection and use of their personal data. It’s easy to understand the source of confusion. The Privacy Shield contains seven different ways to raise complaints, but not every method is open to every person (in EU parlance, every “data subject”) in every situation. For example, some methods are guaranteed only to employees in the context of HR data transfers (e.g., use of an informal panel of European Union Data Protection Authorities to adjudicate claims); other methods require that a data subject first exhaust other methods of resolution (e.g., binding arbitration before a Privacy Shield Panel to be established by the Department of Commerce and the European Commission). Depending on the personal data at issue, there are various mechanisms by which a participating organization may receive a complaint either from a consumer or an employee.

In our fifth installment, we provided a roadmap of the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved. In this sixth installment, we provide a similar roadmap for the ways in which an employee might file a complaint against an employer.

Click here to view a roadmap for the ways in which an employee might file a complaint against an employer.


Guest Op-ed: Cyber Insurance – Just as Much Benefit in Preparing for the Submission as There is in Procuring the Coverage

Most of our clients have to make decisions regarding cyber insurance every year – whether they are deciding to go to market for the first time, coming up for renewal, or considering switching providers. We asked a cyber insurance expert her opinion as to whether it’s worth testing the cyber insurance market even if you decide not to move forward on coverage. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.

– David Zetoony


Cyber Insurance – Just as Much Benefit in Preparing for the Submission as There is in Procuring the Coverage
By Florence Levy, JLT Specialty USA

The process of purchasing cyber insurance can be a daunting task. With the onslaught of cyber and privacy-related breaches in the news, including prevalent ransomware attacks and social engineering tactics that impersonate high-level executives to obtain improper funds transfers, the risks are high. The good news is that today’s more rigorous submission process can uncover a number of opportunities for companies to improve their cyber defenses.

Underwriters are becoming savvier with their due diligence in an effort to keep up with technology and associated exposures.  Some employ internal resources like risk engineers, or outsource the more technical aspects to network security professionals. The questions can be numerous, topics can be diverse, and it takes a multi-disciplined, enterprise-wide approach to answer them.

For example, in review of your contracts for limitations of liability as it relates to cyber exposures, you may discover that you do not have “standard” wording regarding cyber-related exposures for clients or vendors. This may encourage you to work with your legal and sales staff to revamp your contractual language and ensure the appropriate limitations of liability and hold harmless clauses are in place.

You may also discover that your company does little to no training for employees regarding cyber and privacy awareness. With a significant number of incidents stemming from internal employee error, negligence, or, frankly, rogue employees, it’s imperative to appropriately train your staff on security and privacy risks.  Consequently, you may work closely with your HR and legal departments to ensure that new employees are properly vetted and sign off on a cyber-risk training program that includes data retention, access and classification policies.

This process will assist you in quantifying and qualifying cyber risk, through taking inventory of information assets, reviewing and adopting any relevant or necessary compliance frameworks, identifying key vulnerabilities, and potentially creating internal positions that you may have never thought were important or relevant (the role of Chief Privacy Officer, for example, isn’t so out of the box anymore).

The process will also oblige you to identify owners of cyber risk management within your company, document processes and technology, and construct and test your incident response/crisis management plans.  While underwriters care about the technical aspects of your risk (To whom do you outsource various technology processes? Do you have firewall protection? Do you encrypt sensitive data at rest and in transit?), they care just as much about your corporate culture around cyber and data privacy risks. As a result, you’re compelled to proactively define your security posture, and tell your story around risk mitigation and breach preparedness.

This in-depth, intra-company process facilitates open communication across disciplines. The end result is a positive one – you’ve aligned your firm’s awareness and preparedness with unique risks and exposures, while potentially procuring a financial risk transfer solution that will perform in the event of a loss, protecting your company’s most precious assets.


Florence Levy, Esq. is the senior vice president of the Cyber / Errors & Omissions (E&O) Practice at JLT Specialty USA where she focuses on creating cyber and E&O risk management programs for companies in a wide array of industries. Her expertise lies in identifying exposures, program design, contract language, negotiation and claims advocacy to ensure her consultancy reflects her clients’ unique exposures. Florence has more than 15 years of experience in the insurance industry as a cyber and commercial E&O specialist. Prior to joining JLT, she was head of the U.S. Global Technology and Privacy Practice for Lockton Companies, as well as the national practice leader for Aon’s Professional Risk Solutions Group. Florence has spoken at many industrywide events and been quoted in a variety of trade publications. She was selected by Business Insurance among the 2015 Women to Watch. Florence can be reached by email at Florence.Levy@jltus.com or phone at 720-530-9934.

We Really Mean It This Time: Recently Enacted FOIA Improvement Act of 2016 Mandates

On June 13, Congress passed the FOIA Improvement Act of 2016, and President Obama signed the bill into law on June 30, nearly 50 years after the original Freedom of Information Act (“FOIA”) was first enacted. The new law was effective as of June 30.

On July 19, the U.S. Department of Justice Office of Information Policy (“OIP”) issued its first guidelines relating to the Act, prompting agencies to begin carrying out new FOIA mandates in the way they respond to and give notice regarding FOIA requests. OIP said it will continue to issue guidance on the Act “on a rolling basis.” …


Questions to Consider When Shopping for Cyber Insurance

Most organizations know they need insurance to cover risks to the organization’s property like fire or theft, or their risk of liability if someone is injured in the workplace. But a substantial portion of organizations do not carry coverage for data breaches despite numerous high-profile breaches.  While many insurance companies offer cyber insurance, not all policies are created equal. …


The Dispute Resolution Mechanisms Under the Privacy Shield (Part 1 of 2)

What Happens if I Join Privacy Shield and Someone Submits a Complaint? (Part 1 of 2)

The first installment in our month-long series dissecting the new “Privacy Shield” framework for transferring data from the EU to the United States discussed the history and implementation of the Privacy Shield. The second, third and fourth installments provided side-by-side comparisons of the Privacy Shield against the former EU-US Safe Harbor Framework, the current Controller-Processor Model Clauses and the current Controller-Controller Model Clauses (Set 2). The remainder of our series will focus on addressing the top questions that we have received concerning how the Privacy Shield will function in practice.

One of the most common areas of confusion surrounding the Privacy Shield is the way in which people are permitted to raise complaints with participating companies concerning the collection and use of their personal data. It’s easy to understand the source of confusion. The Privacy Shield contains seven different ways to raise complaints, but not every method is open to every person (in EU parlance, every “data subject”) in every situation. For example, some methods are guaranteed only to employees in the context of HR data transfers (e.g., use of an informal panel of European Union Data Protection Authorities to adjudicate claims); other methods require that a data subject first exhaust other methods of resolution (e.g., binding arbitration before a Privacy Shield Panel to be established by the Department of Commerce and the European Commission).

Depending on the personal data at issue, there are various mechanisms by which a participating organization may receive a complaint either from a consumer or an employee. In this fifth installment, we provide a roadmap for the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved. Our next installment will provide a similar roadmap for the ways in which an employee might file a complaint against an employer.

Click here to view a roadmap for the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved.

A Side-By-Side Comparison of “Privacy Shield” and the Controller-Controller Model Clauses

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and traditionally the EU does not consider the laws of the United States “adequate” unless a company (1) enters into EU Commission pre-approved model contractual clauses with the data recipient, (2) sends data to a corporate affiliate in the US that is under the scope of “Binding Corporate Rules,” or (3) has entered the EU-US Safe Harbor Framework.

Most data controllers that were based in the US complied with the Directive by entering the pre-approved controller-controller model clauses or the EU-US Safe Harbor Framework. In October of 2015, the EU-US Safe Harbor Framework was invalidated by the European Court of Justice. As a result, many of the companies that had relied upon the Safe Harbor switched to the controller-controller model clauses; the use of those clauses became far and away the most popular way to comply with the Directive if you were a data controller.

On July 12, 2016, the EU formally approved a new mechanism for transferring data to the United States called the “Privacy Shield.” Although you can find a full discussion of the history and implementation of Privacy Shield here, the best way for a company to understand Privacy Shield (and decide if it wants to use it going forward) is to do a side-by-side comparison of the Privacy Shield against the mechanism that it currently uses, used, or is considering. Our series of side-by-side comparisons has already included a Privacy Shield/Safe Harbor side-by-side comparison and a Privacy Shield/Controller-Processor Clauses side-by-side comparison.

Click here to view the side-by-side comparison of the Privacy Shield and the Controller-Controller Model Clauses.
