Data 101: The New World of Privacy & Security

Jun 14, 2015


Arizona Technology Council Presentation by Heather Buchta on October 15, 2014
Page 1: Data 101: The New World of Privacy & Security
Page 2: Data 101: The New World of Privacy & Security

Data 101: The New World of Privacy and Security
Heather L. Buchta
Quarles & Brady LLP
Arizona Tech Council, Council Connect
October 15, 2014

Chicago | Indianapolis | Madison | Milwaukee | Naples | Phoenix | Tampa | Tucson | Washington, D.C.

Page 3: It’s Monday Morning…

• You receive a new assignment…
• This “data thing” is your new priority.
• So, now what?

Page 4: Background

• Terminology
  – Data Privacy
  – Data Security
  – Cybersecurity
  – Big Data
• Legal Framework
  – Sectoral
  – Comprehensive

Page 5: A Bit of Historical Context…

• Not actually a new topic
  – Warren and Brandeis – 1890
  – Prosser – 1960
  – Fair Information Practices – 1973
  – Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data – 1980
  – Council of Europe 1981 and resulting EU Data Protection Directive in 1995
  – Privacy Framework – 2004
• But the speed of regulation has changed

Page 6: And Our Disclaimer…

• Very broad topic
  – Health Care
  – Financial
  – Employer/Employee
  – Trade Secrets
  – Internet of Things
  – BYOD

Page 7: So what do you do first?

Page 8: [Image: Edvard Munch, The Scream]

http://artchive.com/artchive/M/munch/scream.jpg.html

Page 9: Why do we care?

• Legal Risk
  – Regulators
  – Class Actions
• Valuation Impact
  – Reputation
  – $$$$

Page 10: Privacy Audit

• Privacy Assessment
• Components
  – Due Diligence
  – Ask Questions
  – Interview
  – Investigate

Page 11: What are you looking for?

• What data is collected?
  – Passively or actively?
  – Online or offline?
  – Mobile apps?
• Which business unit collects it?
• How is it collected?
  – Purchases
  – Sweepstakes
• Where does it sit: in-house or offsite?

Page 12: What are you looking for? (cont.)

• Third-party data host or company-leased co-location facility?
• How is the data used?
• Who is it shared with?
  – No one? Probably not
  – Affiliates?
  – Vendors?
  – Third parties?
  – Resellers?
  – Franchisors?

Page 13: Understand Geographic Source of Data

• United States
• Canada
• Europe
• Australia
• Other jurisdictions?

Page 14: Categorize Your Data

• Create data map
• Is it “sensitive”?
  – Personally identifiable (PII)
  – Kids
  – Financial (NPI)
  – Credit cards
  – Health (PHI)

Page 15: Regulatory Review (U.S.)

• What applies to you and what is your risk/exposure profile?
• Cannot outsource obligations
• Personally Identifiable?
  – Definition varies
    • By state
      – ZIP Code – Michaels decision
      – IP Address
    • By statute – COPPA

Page 16: Regulatory Review (U.S.)

• Use of Personal Information – Federal
  – FTC
    • Section 5 of the FTC Act
    • Red Flags Rule
    • Telemarketing Sales Rule
  – COPPA – enforced by FTC
  – CAN-SPAM – enforced by FTC
  – TCPA – enforced by FCC
  – FERPA – enforced by USDOE

Page 17: Regulatory Review (U.S.)

• New Bills
  – Location Privacy Protection Act of 2014
    • S.2171, Sen. Franken, March 27, 2014
  – Personal Data Privacy and Security Act of 2014
    • S.1897, Sen. Leahy, January 8, 2014
  – Data Security Act of 2014
    • S.1927, Sen. Carper, January 15, 2014
  – Commercial Privacy Bill of Rights of 2014
    • S.2378, Sen. Menendez, May 21, 2014
• Other Initiatives
  – Do Not Track movement – CalOPPA
  – Big Data: Seizing Opportunity, Preserving Value, May 2014, Executive Office of the President

Page 18: Regulatory Review (U.S.)

• State
  – Security breach notification statutes
  – Point-of-sale collection – Michaels case
  – Security obligations – MA 201 CMR 17.00
  – State consumer protection laws
  – FERPA-like
  – HIPAA-like
  – ECPA-like

Page 19: Regulatory Review (U.S.)

• California
  – CalOPPA, BPC 22575-22579
    • Now includes Do Not Track as of 1/1/14
  – Shine the Light, CA Civ Code 1798.83
  – CalCOPPA, S.B. 568
  – SB-1 – California’s GLB

Page 20: Regulatory Review (U.S.)

• Health Information
  – HIPAA/HITECH – enforced primarily by OCR of HHS
    • LabMD – overlapping with FTC
    • State Attorneys General
  – Health Breach Notification Rule – enforced by FTC
  – GINA – enforced by EEOC

Page 21: Regulatory Review (U.S.)

• Financial Information
  – GLB
    • Privacy Rule – FTC and CFPB
    • Safeguards Rule – FTC and CFPB
  – FCRA – FTC, CFPB and state attorneys general
  – FACTA – FTC, CFPB and banking regulators
    • Red Flags Rule – FTC

Page 22: Regulatory Review (Int’l)

• EU
  – Directives – Personal Information and Cookie
  – DPAs
  – Works Councils
• Canada
  – PIPEDA
  – CASL
• Australia – Privacy Amendment Act 2012

Page 23: Industry Review

• Credit Card Data
  – PCI DSS v.3
  – Nevada 603A.215
  – Minnesota 325E.64
• Online Tracking
  – Digital Advertising Alliance
  – OBA and retargeting
• NIST
  – Media Sanitization
  – Cybersecurity Framework
• NERC
• Contractual obligations and self-imposed obligations

Page 24: Security Audit

• “systematic, measurable technical assessment of how the organization's security policy is employed at a specific site” (Symantec 2003)
• “appropriate” and “reasonable”
• What is involved?
  – Personal interviews
  – Vulnerability scans (pen-testing)
  – Examinations of operating system settings
  – Analyses of network shares and other data
• Go to the experts
  – Find the right vendor
  – Set parameters

Page 25: When, Not If

• WISP
• Consider Insurance Options
• Identify Key Team Members
  – Key Executives
  – Compliance – CISO?
  – Legal
  – Marketing/HR
  – PR
  – IT/Forensics
  – Incident Response Vendor?
• Incident Response Plan
• Tabletop Exercises

Page 26: Next Steps

• Internal Privacy Program
  – Education
  – Sensitization
• Data Retention Schedule
• Regularly Review

Page 27: Heather L. Buchta

Heather L. Buchta
Quarles & Brady LLP
[email protected]
(602) 229-5228

©2014 Quarles & Brady LLP.  This document provides information of a general nature. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations or issues. Additional facts and information or future developments may affect the subjects addressed in this document. You should consult with a lawyer about your particular circumstances before acting on any of this information because it may not be applicable to you or your situation.