Jun 14, 2015
Data 101: The New World of Privacy and Security
Heather L. Buchta
Quarles & Brady LLP
Arizona Tech Council
Council Connect
October 15, 2014
It’s Monday Morning…
• You receive a new assignment…
• This “data thing” is your new priority.
• So, now what?
Background
• Terminology
– Data Privacy
– Data Security
– Cybersecurity
– Big Data
• Legal Framework
– Sectoral
– Comprehensive
A Bit of Historical Context…
• Not actually a new topic
– Warren and Brandeis – 1890
– Prosser – 1960
– Fair Information Practices – 1973
– Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data – 1980
– Council of Europe 1981 and resulting EU Data Protection Directive in 1995
– Privacy Framework – 2004
• But the speed of regulation has changed
And Our Disclaimer…
• Very broad topic
– Health Care
– Financial
– Employer/Employee
– Trade Secrets
– Internet of Things
– BYOD
So what do you do first?
Why do we care?
• Legal Risk
– Regulators
– Class Actions
• Valuation Impact
– Reputation
– $$$$
Privacy Audit
• Privacy Assessment
• Components
– Due Diligence
– Ask Questions
– Interview
– Investigate
What are you looking for?
• What data is collected?
– Passively or actively?
– Online or offline?
– Mobile apps?
• Which business unit collects it?
• How is it collected?
– Purchases
– Sweepstakes
• Where does it sit: in-house or offsite?
What are you looking for? (cont.)
• Third party data host or company leased co-location facility?
• How is the data used?
• Who is it shared with?
– No one? Probably not
– Affiliates?
– Vendors?
– Third parties?
– Resellers?
– Franchisors?
Understand Geographic Source of Data
• United States
• Canada
• Europe
• Australia
• Other jurisdictions?
Categorize Your Data
• Create data map
• Is it “sensitive”?
– Personally identifiable (PII)
– Kids
– Financial (NPI)
– Credit cards
– Health (PHI)
Regulatory Review (U.S.)
• What applies to you and what is your risk/exposure profile?
• Cannot outsource obligations
• Personally Identifiable?
– Definition varies
• By state
– ZIP Code – Michael’s decision
– IP Address
• By statute – COPPA
Regulatory Review (U.S.)
• Use of Personal Information – Federal
– FTC
• Section 5 of the FTC Act
• Red Flags Rule
• Telemarketing Sales Rule
– COPPA – enforced by FTC
– CAN-SPAM – enforced by FTC
– TCPA – enforced by FCC
– FERPA – enforced by USDOE
Regulatory Review (U.S.)
• New Bills
– Location Privacy Protection Act of 2014
• S.2171, Sen. Franken, March 27, 2014
– Personal Data Privacy and Security Act of 2014
• S.1897, Sen. Leahy, January 8, 2014
– Data Security Act of 2014
• S.1927, Sen. Carper, January 15, 2014
– Commercial Privacy Bill of Rights of 2014
• S.2378, Sen. Menendez, May 21, 2014
• Other Initiatives
– Do Not Track movement – CalOPPA
– Big Data: Seizing Opportunity, Preserving Value, May 2014, Executive Office of the President
Regulatory Review (U.S.)
• State
– Security breach notification statutes
– Point of sale collection – Michael’s case
– Security Obligations – MA 201 CMR 17.00
– State consumer protection laws
– FERPA-like
– HIPAA-like
– ECPA-like
Regulatory Review (U.S.)
• California
– CalOPPA, BPC 22575-22579
• Now includes Do Not Track as of 1/1/14
– Shine the Light, CA Civ Code 1798.83
– CalCOPPA, S.B. 568
– SB-1 – California’s GLB
Regulatory Review (U.S.)
• Health Information
– HIPAA/HITECH – enforced primarily by OCR of HHS
• LabMD – overlapping with FTC
• State Attorneys General
– Health Breach Notification Rule – enforced by FTC
– GINA – enforced by EEOC
Regulatory Review (U.S.)
• Financial Information
– GLB
• Privacy Rule – FTC and CFPB
• Safeguards Rule – FTC and CFPB
– FCRA – FTC, CFPB and state attorneys general
– FACTA – FTC, CFPB and banking regulators
• Red Flags Rule – FTC
Regulatory Review (Int’l)
• EU
– Directives – Personal Information and Cookie
– DPAs
– Works Councils
• Canada
– PIPEDA
– CASL
• Australia – Privacy Amendment Act 2012
Industry Review
• Credit Card Data
– PCI DSS v3
– Nevada 603A.215
– Minnesota 325E.64
• Online Tracking
– Digital Advertising Alliance
– OBA and retargeting
• NIST
– Media Sanitization
– Cybersecurity Framework
• NERC
• Contractual obligations and self-imposed obligations
Security Audit
• “systematic, measurable technical assessment of how the organization's security policy is employed at a specific site” (Symantec 2003)
• “appropriate” and “reasonable”
• What is involved?
– Personal interviews
– Vulnerability scans (pen-testing)
– Examinations of operating system settings
– Analyses of network shares and other data
• Go to the experts
– Find the right vendor
– Set parameters
When, Not If
• WISP
• Consider Insurance Options
• Identify Key Team Members
– Key Executives
– Compliance – CISO?
– Legal
– Marketing/HR
– PR
– IT/Forensics
– Incident Response Vendor?
• Incident Response Plan
• Tabletop Exercises
Next Steps
• Internal Privacy Program
– Education
– Sensitization
• Data Retention Schedule
• Regularly Review

Heather L. Buchta
Quarles & Brady LLP
(602) 229-5228
©2014 Quarles & Brady LLP. This document provides information of a general nature. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations or issues. Additional facts and information or future developments may affect the subjects addressed in this document. You should consult with a lawyer about your particular circumstances before acting on any of this information because it may not be applicable to you or your situation.