Privacy Law Strategies for Handling Personal Data
1. Privacy Law Update: Strategies for Handling Personal Information
Sponsored by Financial Directions, Inc.
February 21, 2012
Randy Whitmeyer
Whitmeyer Tuffin PLLC
www.whit-law.com
2. The Backdrop: Mobile technology and the Internet
• Organizations store more and more information in electronic form and are increasingly reliant on the Internet for accessing data and systems
• Many employees have smartphones that are constantly connected to the Internet
• Information sharing through Facebook, Twitter, and other social networks is ubiquitous
• Active and growing “hacker” industry
3. The result: (1) Expanding laws and regulations relating to the use and handling of private information, and (2) increased government enforcement activities and class actions by plaintiffs’ attorneys
4. The challenge for businesses: Handle personal information in a way that is compliant with rules and regulations and limit your risk
5. Specific Topics
• Legal obligations on use of personal information
• NC statutes relating to treatment of personal information
• Massachusetts Information Security law and other state laws
• Federal privacy/security update, including HIPAA and HI-TECH (treatment of medical records)
• Employers’ use of and access to employees’ communications/computer systems, and social network use
• Elements of effective information security/privacy policies and social media policies
• Other proactive steps to manage information privacy and security risks: contracting and insurance
6. NC Identity Theft Protection Act of 2005
• Similar to the myriad of comparable acts in almost all states, beginning with California in 2003 (California law updated as of 1/1/2012 to require more specific disclosures relating to security breaches)
• Violations of the statute are generally considered an unfair or deceptive act or practice
7. Sect. 75-65: Protection from Security Breaches
• Security breaches affecting personal information of NC residents must be reported to affected individuals
• Security breach must involve either “illegal use” (or a reasonable likelihood thereof) or a material risk of harm
• If records are encrypted, notice is required only if the associated key or confidential process is also breached
• If the breach does not involve data which you own or license (i.e., you are a contractor), then you notify the owner or licensee, not the affected individual
8. Sect. 75-65: Protection from Security Breaches
• Notice must be made without unreasonable delay, taking into account law enforcement needs, verification of contact information and scope of breach, and need to restore security
• Notice must be clear and conspicuous, and provide a description of:
  • The incident
  • Type of personal information affected
  • Remedial actions of the business
  • Telephone number to get further information
  • Advice to monitor account statements and free credit reports
9. Sect. 75-65: Protection from Security Breaches
• Notice may be in writing or by e-mail (if consented)
• If the cost of notice is > $250,000, and in certain other situations, general notice may be given publicly
• If the case involves more than 1,000 persons, NC attorney general’s office must also be notified
10. Section 75-62: SSN Protection
• A business may not:
  • Intentionally communicate a person’s Social Security number to the public
  • Intentionally place an SSN on a card required to access products or services
  • Require an SSN to be transmitted over the Internet, unless encrypted
11. Section 75-62: SSN Protection
• A business may not:
  • Require an individual to use an SSN to access an internet web site, unless a password or PIN is also required
  • Print an individual’s SSN on any materials mailed to the individual, unless otherwise required by law
  • Sell or disclose an SSN to a third party if it is known or should be known that the third party lacks a legitimate purpose
12. Section 75-62: SSN Protection
• The Exceptions: restrictions do not apply to:
  • Redacted SSN
  • When required by law
  • To the government
  • To the opening of an account or payment for a product or services authorized by the individual
  • To the collection, use, or release of an SSN for internal verification or administrative purposes
13. Section 75-62: SSN Protection
• The Exceptions, continued:
  • When an SSN is included in an application or in documents related to an enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the SSN for the purpose of obtaining a credit report (with limits on mailing)
  • To investigate or prevent fraud, conduct background checks, conduct certain research, collect a debt, obtain a credit report, for a permissible Gramm-Leach-Bliley purpose, or locate a missing individual, lost relative, or one due a benefit
14. Section 75-63: Security Freeze
• The ITPA of 2005 adds a “consumer right” to put a security freeze on consumer credit reports
• The security freeze may be temporarily lifted by the consumer
• If a consumer security freeze is in place, the consumer reporting agency may not change the consumer’s name, date of birth, SSN, or address without sending a written confirmation within 30 days of the change
• Consumer reporting agencies are required to give NC residents specific notice of their rights under this provision
15. Section 75-64: Destruction of Personal Information Records
• NC businesses MUST:
  • Implement and monitor compliance with policies and procedures that require the destruction of papers that include personal information
  • Implement and monitor compliance with policies and procedures that require the destruction or erasure of electronic media that contain personal information
  • Describe procedures relating to the destruction of personal records as official policy in the writings of the business
16. Section 75-64: Destruction of Personal Information Records
• If a 3rd party records destruction company is used, one or more of these due diligence steps must be taken:
  • Review an independent audit
  • Obtain references from reliable sources and review certification from a reputable source
  • Review and evaluate the disposal business’ information security policies or procedures
• Disposal companies must take all reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with information security policies and procedures
• This section does not apply if the company is already covered by GLB, HIPAA, or the Fair Credit Reporting Act
17. Other State Law Developments
• At least 10 states have data security laws that generally require companies to use “reasonable security” to protect personal information
• Connecticut and Delaware require employers to provide notice to employees before monitoring email communications or internet access
• California and other states require prominent web site privacy policies
18. Massachusetts Data Security Act
• Implemented in 2010, requires organizations that handle information about Mass. residents to have a comprehensive written information security program
• Requires certain personal information to be encrypted
• Starting March 1, 2012, all contracts with vendors who handle information re: Mass. residents must require the vendors to also implement and maintain appropriate security measures
19. Federal Laws
• Generally “industry sector specific”: Gramm-Leach-Bliley (Financial); HIPAA (Healthcare); COPPA (Children’s information); FERPA (Education); Video Rentals Privacy Act
• Electronic Privacy and Communications Act of 1986: enacted before the Internet and widespread e-mail usage in the workplace
  • Limits access to stored and “in transit” electronic communications
  • Exceptions for access to employer-provided systems and when access is consented to
• National Labor Relations Board has investigated numerous cases involving firings based on posts on social media networks
  • Concern is that the right to engage in “concerted” employee activity may be infringed
20. Federal Trade Commission
• FTC has broad authority to monitor compliance with federal privacy laws, including breach of a published privacy policy. Authority is based on its mandate to regulate and prevent unfair and deceptive trade practices.
• In 2011, FTC entered into enforcement proceedings against the major social networks (Twitter, Google, and Facebook).
  • These have focused on the need for consent prior to changing a privacy policy
• Concerns have expanded from the use and sale of personal information to the use of IP addresses, device identifiers, and other information not normally considered personally identifiable.
21. Federal Legislative Proposals
• Momentum is growing for a federal cybersecurity bill
• Latest bi-partisan bill was introduced last week. The bill:
  • Establishes liability protections for sharing of information relating to information security threats
  • Clarifies that info system owners may undertake countermeasures to combat cybersecurity threats
  • Allows government to establish cybersecurity performance standards for certain critical infrastructure (finance, utilities, etc.)
• Other federal proposals seek to establish a national data breach reporting standard
22. HIPAA Privacy and Security Rule
• Privacy Rule generally effective April 2003; Security Rule generally effective April 2005. HIPAA rules are dense and lengthy.
• Enforcement of Privacy Rule generally friendly, but over 200 referrals to Department of Justice for criminal investigation. Audits of several hundred entities announced in late 2011
• Covered Entities (directly affected):
  • Health care providers who engage in electronic Standard Transactions
  • Health Plans
  • Data Clearinghouses
• HI-TECH Act (2009) added direct obligations on service providers (“Business Associates”) who deal with protected health information
23. HIPAA Privacy Rule
• Protected Health Information Definition:
  • all Individually Identifiable Health Information that is transmitted or maintained by a covered entity in any form, including paper and oral records and communications
• PHI can be disclosed only if:
  • Purpose is treatment, payment or business operations
  • With Authorization (needed for, e.g., Disclosures to employers; fundraising; marketing)
    • special authorization needed for psychotherapy notes
  • Other Specified Purposes
• Written authorization cannot be a condition for treatment or payment
24. HIPAA Privacy Rule
• PHI can be disclosed if:
  • Emergency or public health need
  • Judicial and administrative proceedings
  • To law enforcement in certain circumstances
  • For research purposes, if written IRB or Privacy Board approval
  • Where required by law
25. HIPAA Privacy Rule
• Minimum Amount Necessary rule: CEs must make reasonable efforts to limit scope of disclosures or requests to only what is needed. With exceptions for these Disclosures/Requests:
  • To/By the Individual
  • To/By Another Provider for Treatment
  • Under an Authorization
  • To DHHS for HIPAA Compliance
  • To comply with Transaction Standards
  • Otherwise required by law
• De-identification Rule
  • Long list of De-ID requirements
  • Also “no reason to believe” that recipient can combine the information with other information to identify the individual
26. HIPAA Privacy Rule
• Right to Receive Notice of Privacy Practices
• Right to Access PHI
• Right to Request Corrections in PHI
• Right to Receive Disclosure Information
• Right to Request Additional Restrictions
27. HIPAA Privacy Rule
• Business Associate must have written contract with the following provisions:
  • Must follow Privacy Regulations
  • Use appropriate safeguards to prevent unauthorized disclosure
  • Report any unauthorized disclosure
  • Make PHI available in accordance with patient access rights
  • Make books and records available to HHS
  • Incorporate PHI updates received from patients
  • Flow contract obligations to subcontractors
28. HIPAA Security Rule
• Security Rule requires covered entities to adopt (for some requirements) and consider adoption of (for other requirements) a laundry list of administrative, technical, and physical safeguards for protecting patient information.
• The rule generally adopts a technologically neutral and flexible approach.
• CEs are required to adopt various security policies.
29. International Privacy Landscape
• Many countries have much broader protections for individual privacy
• EU Data Protection Directive provides comprehensive regulation for use of personal information. In January 2012, detailed revisions were proposed to make the law more uniform across the EU and to increase protections and possible penalties
• US companies seeking to transfer personal information from the EU to the US must follow a safe harbor certification/filing approach or other rules to comply with EU regulations
• EU also has a Privacy and Electronic Communications Directive that regulates the use of cookies
• Note: under French and German data privacy laws, personal social networks cannot be searched for employment decisions
30. What can organizations do now to manage privacy/security risk?
• Implement and maintain an Information Security program
• Perform a security audit
• Perform due diligence and add privacy/security contract provisions for key vendors and other business partners
• Consider cyber insurance
31. Information Security Program
• Required by:
  • Records Disposal portion of North Carolina’s ITPA
  • HIPAA Security Rule
  • Massachusetts and other state laws
• Extremely helpful for:
  • Handling security breach and SSN portions of ITPA
  • Dealing with FTC-style enforcements
  • Assuring compliance with required privacy notices (e.g., California requirement)
  • Protecting intellectual property
  • Satisfying officer and director fiduciary obligations
  • Complying with contracts
  • Increasing value of company to buyers
  • Dealing with subpoenas and related requests for electronic information in discovery
32. Process for implementing an Info Security Program
• Not just an IT issue; needs input from management, legal, and risk advisors. Rapidly becoming a corporate governance issue.
• Laws and regulations focus more on the process rather than specific results
• Don’t just use a form policy from the internet, but tailor it to the specific issues and risks faced by the organization
• Perform an initial security review and gap analysis
• Update on a regular basis, at least annually
33. Information Security Program
• Written Policy
• Purpose of Policy
• Types/Levels of Confidential Information
• Training
• Sanctions
• Privacy/Security Officer
• Notification of no expectation of privacy in use of company assets
• Publicity; Dealing with News Media
• Incident Response Procedures
• Physical Security Measures
34. Information Security Program
• ID’s and Passwords
• Password Guidelines - Strong vs. Weak Passwords
• Mandatory Password Changes
• Access Controls and Network Resources
• Firewalls
• Authentication
• Use of Networks
• Wireless Network Usage
• Remote Access Policy
• Use of Encryption
• Electronic Communications
• Destruction of Computing Resources and Information
• Virus Prevention and Detection
35. Information Security Program
• Social Media Policy
• Software Use and Licensing Policy
• Mobile Computing Policy (laptops, PDAs, keydisks, etc.)
• System Modification Procedures
• Record Retention Schedules
• Litigation and Subpoena Issues
• Disaster Recovery
36. Summary of Key Security Measures
• Adopt Defense in Depth: keep externally facing computers in a “DMZ”
• Manage passwords aggressively
• Implement all operating system and security software patches
• Train against social engineering
• Audit controls, especially remote access points
37. Types of Contracts to Consider for Privacy Issues
• Software and IT service vendors, including cloud computing
  • Software as a Service (Salesforce)
  • Infrastructure as a Service (Amazon EC2)
• Marketing and distribution partners
  • Side note: Who owns the data?
• Order fulfillment vendors
• Records disposal vendor contracts
• Any other contract where the other party will have rights to access, use or store your personally identifiable data
• Consider a standalone information security agreement
  • Rather than trying to figure out how to amend the other party’s form of service contract
38. Security and Privacy Contract Terms
• Confidentiality
• Obligation to maintain reasonable and effective physical, technical and administrative security measures
• Compliance with all applicable data privacy and security laws
• Third-Party security audits
• Right to review detailed security/disaster recovery policies
39. Security and Privacy Contract Terms
• Right to audit and test security
• Notification in the case of breach
• Indemnification for breaches/payment of costs of required notices to customers
• Encryption
• Restrictions on use of subcontractors and downstream sharing of information
• Restrictions on where data can be stored
40. CyberInsurance
• Review existing insurance for coverage of data breaches and electronic privacy issues, and consider adding cyberinsurance policies
• Sony, for example, is in litigation with Zurich American Insurance re: coverage for recent security breaches
• SEC has issued guidance requiring disclosure of material cyber attacks including a description of relevant insurance coverage
• Look for (or add) coverage for lost business, notification costs, legal and investigation costs, and credit monitoring services
44. Cloud Computing Services
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
45. Cloud Computing Contract Structures
• Typically service-based, not licensed
• OPEX, not CAPEX
• Often offered via “click and accept” agreements
• Sometimes incorporate by reference other terms of use and policies
• Sometimes purport to be changeable without notice by the vendor
46. Cloud Computing and Security
Advantages:
• Data Dispersal
• Data Fragmentation
• “Tier 1” Data Centers
• Easier Patching and Updates
Disadvantages:
• Lack of Transparency
• Lack of Responsiveness
• “Trading Market” of Subcontractors
• Multiple Customer Demands
• Vendor Lock-In
• Lack of Security Details
47. Key Takeaways
• Increased regulatory and legal scrutiny of personal information handling is unavoidable
• Companies (especially IT vendors and outsourcers) should review the laws applicable to their situation, and update security practices, policies and procedures as needed
• When dealing with cloud computing vendors and other business partners, perform appropriate due diligence and consider contract negotiations
• Review insurance policies and the possibility for additional insurance
48. Any questions?
Randy Whitmeyer
Whitmeyer Tuffin PLLC
randy@whit-law.com
919-880-6880