
MCCA 301: Data Privacy & The Ongoing Potential Litigation


Presentation Transcript


  1. MCCA 301: Data Privacy & The Ongoing Potential Litigation Wednesday, March 12, 2014

  2. Overview • Importance • Data Privacy and PII • The Many Laws • Privacy Programs • Litigation • FTC Actions • HHS Actions • Recent Case Law • Issues on the Horizon

  3. Privacy & Data Security Why Be Concerned? According to Identity Theft Resource Center 2013 Report : • 614 Breaches • Healthcare = 269 (43.8%) • Business = 211 (34.4%) • 91,979,574 Records Exposed • Healthcare= 8,811,051 • Business = 77,260,183 http://www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html

  4. The Cost of a Data Breach…. Average organizational cost of data incident = $5.4 million • Lost Business Costs = $3.03 million average • Detection and Escalation Costs = $400,000 average • Notification Costs = $560,000 average • After-the-Fact Costs = $1.4 million average 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2013, http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon-2013

  5. Mega Breaches Cost Much More … • Target = 70 million records, incident costs are estimated to reach $400 - $450 million • TJX Company = 90 million records, costs exceeded $250 million (Boston Globe, August 15, 2007) • Adobe = 38 million records, estimated cost $700 million+ • Schnucks = 2.4 million credit cards, estimated cost $444 million+

  6. Data Privacy & Potential Litigation Cyberspace has created a new front in the battle to maintain data privacy and prevent identity theft. • How has the use or misuse of customer information by businesses created opportunities and dangers? • What are emerging data issues for companies?

  7. What is Data Privacy About? The authorized “processing” of Personally Identifiable Information (PII) • Notice / Transparency • Consent / Choice • Accountability • Security Security ≠ Privacy The devil’s in the details.

  8. What is PII? • Formally: Any data that identifies an individual or from which identity or contact information of an individual can be derived • Practically: Includes otherwise non-personal information when associated or combined with personal information • Not dependent on medium (i.e. paper, web, telephony) • Some “sensitive” PI requires greater protection • Anonymous or aggregated data is not PI • Frighteningly: May include any information that can reasonably be linked to a person or a system

  9. What Law Governs…. Privacy Framework and Applicable Law

  10. Country Specific Laws (Sampling)

  11. Privacy Frameworks • Fair Information Practice Principles (FIPPS) • OECD Guidelines • Generally Accepted Privacy Principles (GAPP) • APEC Cross Border Privacy Rules • ISO 27002 • 1995 EU Data Protection Directive • U.S.-EU Safe Harbor Agreement

  12. Unlike EU, US Privacy Law Is Sectoral

  13. 2013 California Privacy Legislation
  • AB 370 - “Do-Not-Track” Amendment to California Online Privacy Protection Act: Requires commercial web site or online service operator to disclose in its privacy policy how it responds to a web browser Do Not Track signal or similar mechanism providing consumers with the ability to exercise choice about online tracking services. Requires the operator to disclose whether third parties are or may be conducting such tracking on the operator’s site or service. Business and Professions Code § 22575
  • SB 46 - Amendment to California’s Security Breach Notification Law: Amends the breach notice law to require notification of breaches of user ID and password permitting access to online accounts. Civil Code §§ 1798.29 & 1798.82
  • AB 658 - Amendment to California’s Confidentiality of Medical Information Act (CMIA): Applies the prohibitions of CMIA to any business that offers medical application software that is designed to allow individuals to manage their health information, as defined, or care. The Act’s requirements include keeping medical information confidential when creating, maintaining or disposing of it. Civil Code § 56.06
  • SB 568 - Digital Privacy Rights for Minors: As of January 1, 2015, this law adds two new sections to the California Business & Professions Code. The first prohibits websites, mobile applications, and other online services from marketing to minors certain enumerated products or services that minors cannot legally purchase or use, such as alcohol, firearms, and tobacco. The second creates a deletion right for minors who are registered users of a website, mobile application, or other online service, to request and obtain removal of information posted by the minor. This section also requires that online service providers notify minors of their deletion rights. Business and Professions Code §§ 22580-22582
  • AB 1149 - Data Breach Notification: Imposes the data breach notification law, including SB 46, on local government agencies. Civil Code § 1798.29
  • AB 1274 - Privacy of Customer Electrical and Natural Gas Usage Data: Extends many of the consumer privacy protections that apply to customer usage data maintained by electric and gas utilities to other third-party businesses that may handle the data. It prohibits such businesses from sharing, disclosing or otherwise making customer usage data accessible to any third party without the customer’s express consent. It requires conspicuous disclosure of with whom such data will be shared and how it will be used, and requires businesses to implement and maintain reasonable security to protect the data from unauthorized disclosure. It also prohibits a business from offering incentives or discounts for accessing the data and provides a private right of action for damages for willful violation. Civil Code §§ 1798.98-1798.99

  14. Pending Legislation To Watch • EU General Data Protection Regulation (GDPR) • Personal Data Privacy and Security Act of 2014 • Would establish a national standard for data breach notification, and require businesses to safeguard personal information from cyber threats. • Data Security Act • Would require companies accepting credit cards to have information security plans aimed at protecting data and incident response plans. Also would require companies to notify affected customers and federal authorities of breach, and to provide credit monitoring services if over 5,000 customers are affected.

  15. Information Accountability and Governance Privacy & Security Compliance Program

  16. Accountability Ecosystem: Context, Processes, and Demonstration of Capacity (diagram) • Surrounding elements: Oversight; Integrated Governance; Identify Risks and Opportunities; Contextual Approach • Commitment: Solid policies aligned to external criteria; Management commitment; Full transparency • Implementation: Mechanisms to ensure policies and commitments are put into effect with employees • Validation: Monitoring and assurance programs that validate both coverage and effectiveness of implementation • Demonstration: Demonstrate capacity to internal stakeholders (Management, Internal Audit, Board); Demonstrate capacity to external stakeholders (Trust Agents, Regulators); Demonstrate capacity to individual data subjects

  17. RISKS POSED BY BUSINESSES’ USE OF PII

  18. Big Data Can Create Significant Value • Big data can make information more transparent and useable. • Big data can enable companies to boost performance by tracking input data closely and conducting experiments to inform decision making. • Companies can use big data to tailor goods and services to customers more precisely. • Businesses can subject big data to sophisticated analyses to improve decision-making. • Companies can use big data to enhance the development of future products and services.

  19. Storing and Using Large Volumes of PII Poses Risks • External hackers steal trade secrets and customer information. • Malware and denial of service attacks disrupt business. • Organized crime groups commit data extortion. • Activists attack information in protest. • Disgruntled employees sabotage or steal data. • Negligence leads to lost devices and the unintended release of information.

  20. In the Past, Thieves Focused on Particular Types of Businesses When asked why he robbed banks, Willie Sutton answered, “I rob banks because that’s where the money is.”

  21. What has changed… Banks still have money, but bank robberies have declined. • According to FBI statistics, the average bank robbery brought in approximately $7,600 in 2011. • In total, bank robberies of federally insured institutions totaled $38 million in 2011.

  22. Thieves Have Changed: Many Have Transitioned to Crimes Exploiting Stolen PII Rashia Wilson defrauded the IRS of more than $3 million using personally identifiable information.

  23. Most Data Breaches Are Motivated by Financial Gain • In 2012, 75% of data breaches were motivated by financial gain. (Verizon 2013 Data Breach Investigations Report.) • About 33% of consumers who received a data breach notification in 2013 became data theft victims. (Javelin Strategies & Associates 2014.) • Stolen identity refund fraud yielded nearly $3,500 in fraud per identity in 2011. • In total, stolen identity refund fraud exceeded $5 billion in 2011.

  24. Thieves Have Found Countless Ways to Profit from PII • Tax Fraud • Bank Fraud • Wire Fraud • Health Care Fraud • Unemployment Compensation Fraud • Government Benefits Fraud • Credit Card Fraud

  25. Government Enforcement Actions: Federal Trade Commission • FTC refers to itself as the “top cop on the consumer data security and privacy beat.” • FTC has pursued numerous privacy enforcement actions against companies. • See, e.g., Complaint, Twitter, Inc., FTC File No. 092 3093 (June 24, 2010) (alleged failure to safeguard user information); Complaint, Facebook, Inc., FTC File No. 092 3184 (Nov. 29, 2011) (alleged disclosure of PII to third parties). • Many companies settle, but Wyndham Hotels is currently litigating whether FTC has the authority under section 5 to regulate data security. Motion to Dismiss, FTC v. Wyndham Worldwide Corp., No. 13-cv-1887 (D.N.J. Filed Apr. 26, 2013).

  26. Costs Arising from Government Enforcement Actions: Health and Human Services Office for Civil Rights • Cignet Health (Maryland) • In March 2011, HHS OCR imposed first-ever civil monetary penalty for HIPAA violation since the rule took effect in 2003. • $4.3 million • Affinity Health Plan (New York) • Failed to erase photocopier properly and impermissibly disclosed the electronically protected health information of 344,579 individuals • $1.2 million • Wellpoint (Indiana) • Failed to implement policies for accessing electronic protected health information and impermissibly disclosed names, dates of birth, and social security numbers of 621,000 individuals • $1.7 million

  27. Plaintiffs’ Lawyers Inevitably Will Come • Privacy is more than just a hot topic in the news; the plaintiffs’ bar has seen an opportunity in “big data.” • Explosion of privacy class actions beginning in 2010 – in large part due to increased attention by FTC to data privacy and voluntary disclosure of PII. • Enforcement actions got the ball rolling on consumer internet privacy issues. E.g., In re Sears Holdings Mgmt. Corp., FTC File No. 082 3099 (Aug. 31, 2009) (consent order). • Government investigates, affected company discloses the issue, and privacy class action lawyers pounce.

  28. Pre-Internet Federal Statutes Rammed Into A Web 2.0 World • There is no federal online privacy legislation. Instead, plaintiffs’ lawyers invoke laws written long ago. • Computer Fraud and Abuse Act (1986) • Electronic Communications Privacy Act (1986) • Title I (Wiretap Act) • Title II (Stored Communications Act) • Video Privacy Protection Act (1988) • Fair Debt Collections Practices Act (1977)

  29. Pre-Internet Federal Statutes Rammed Into A Web 2.0 World • Plaintiffs’ lawyers find these statutes attractive for several reasons. • Federal laws apply nationwide, increasing the possibility of representing a nationwide class. • In some jurisdictions, they can avoid Article III standing problems by alleging technical statutory violations in the absence of actual injury. • These statutes also provide for statutory damages or attorneys’ fees (or both), further encouraging plaintiffs’ lawyers to file lawsuits despite the fact that actual damages are typically nonexistent.

  30. Current State of Online Privacy Litigation • Data Breach cases have been and will remain popular. • See, e.g., In re Sony Gaming Networks & Customer Data Security Breach Litig., --- F. Supp. 2d ----, 2014 WL 223677 (S.D. Cal. Jan. 21, 2014). Other targets of pending lawsuits include Neiman Marcus, Target, Wyndham Hotels. • Despite a lack of relevant statutes, plaintiffs see large targets and easy complaints to file on the back of FTC investigations, congressional hearings, news reports, and company disclosures. • Companies with large volumes of user data also attract class action attention. • See, e.g., In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089 (N.D. Cal. 2013).

  31. Current State of Online Privacy Litigation • Plaintiffs’ bar panning for gold in attacking companies’ collection and sharing of PII. • Seventh Circuit’s denial of Rule 23(f) relief in massive comScore privacy class action (10 million+ potential class members) will further encourage class actions under federal statutes providing for statutory damages. See Harris v. comScore, Inc., 292 F.R.D. 579 (N.D. Ill. Apr. 2, 2013). • Social media providers currently ripe targets. • See, e.g., Fraley v. Facebook, Inc., 830 F. Supp. 2d 785 (N.D. Cal. 2011); Low v. LinkedIn, 900 F. Supp. 2d 1010 (N.D. Cal. 2012); Lane v. Facebook, 696 F.3d 811 (9th Cir. 2012), cert. denied sub nom. Marek v. Lane, 134 S. Ct. 8 (2013) (but will cy pres settlements last?).

  32. VPPA – Plaintiffs Going After Corporations for Social Media Integration • But plaintiffs’ lawyers are always looking for new targets. . . . • Hulu Litigation one to watch. • Hulu sued in 2011 for allegedly doing two things: (1) sending viewing histories and user ID numbers to metrics firms like comScore and Nielsen (without ever matching the two) and (2) integrating Facebook into its website and allowing Facebook users to publish their viewing information to their Facebook pages. • In rare victories, plaintiffs, despite no showing of actual injury, survived motion to dismiss and summary judgment. 2013 WL 6773794 (N.D. Cal. Dec. 20, 2013). • Statute applies to “video cassette tapes or other similar audio visual materials.” 18 U.S.C. § 2710. The court stretched the statute to cover streaming online videos. • Statute also provides for $2500 in damages per violation. There’s no way that Congress intended for such damage awards to be multiplied by millions of class members.

  33. VPPA – Examples of Plaintiffs Going After Corporations for Social Media Integration • States also add fuel to the fire by expanding these federal statutes still further. • Michigan’s version of the federal VPPA also covers audio cassettes and provides for $5,000 in damages. • Naturally, then, a plaintiff brought a putative class action against Pandora under the state statute for allegedly disclosing users’ listening histories and related data through Facebook-integrated profiles. • The court didn’t buy it, this time. See Deacon v. Pandora Media, Inc., 2012 WL 4497796 (N.D. Cal. Sept. 28, 2012) (dismissing claims with leave to amend, but remarking that “it is questionable whether Plaintiff will be able to allege the requisite facts to establish a claim”).

  34. FDCPA – The Plaintiffs’ Bar Will Be Watching The CFPB • Plaintiffs may be able to atomize their lawsuits into numerous smaller class actions in order to avoid the statutory cap on damages. • See LaRocque v. TRS Recovery Servs. Inc., 2013 WL 30055 (D. Me. Jan. 2, 2013). • Plaintiffs’ bar likely to see an opportunity in CFPB rulemaking and increased enforcement. • Even without private right of action under Dodd-Frank, will look to use FDCPA or “borrow” violations of CFPB’s interpretation of Dodd-Frank and recast them as violations of state consumer protection laws (e.g., California’s UCL).

  35. Unresolved Issues In Online Privacy And Social Media Litigation • Because the sheer size of most of these class actions forces defendants to settle even meritless cases once a class is certified, many questions remain: • Is good faith or reasonable care a defense in data breach cases? • Does users’ assent to a privacy policy that permits sharing of PII bar their claims? • Can statutory minimum damages really be multiplied across millions of internet users? • Will courts consider those damages mandatory? • Will it take a bankrupting damages award (comScore, Hulu) to force Congress’s hand?

  36. What Does The Future Hold? • Data breach, behavioral advertising, and other online privacy litigation not going away. • Plaintiffs will continue to look to extend pre-Internet statutes to companies’ use of new technologies and social media. • Expect the Plaintiffs’ bar to follow the government’s lead. • Will Congress step in with updated privacy legislation for a digital age?

  37. In the Meantime, Prevention Is Key Data breach and litigation costs related thereto can be decreased by planning…. • knowing the applicable law • a strong security posture • a tested incident response plan • appointment of Chief Information Security Officers • consulting support

  38. Contact
