
Privacy And Data Security Risk Management And Avoidance

Presented by Amy Rubin Fox Rothschild, LLP Peter J. Sheptak World Omni Financial Corp. Association of Corporate Counsel Conference September 22, 2011. Privacy And Data Security Risk Management And Avoidance. Topics For Discussion. What is a data security breach?


Presentation Transcript


  1. Privacy And Data Security Risk Management And Avoidance
     • Presented by Amy Rubin, Fox Rothschild, LLP, and Peter J. Sheptak, World Omni Financial Corp.
     • Association of Corporate Counsel Conference, September 22, 2011

  2. Topics For Discussion
     • What is a data security breach?
     • The need for an information security program/response plan
     • Creation of an information security program
     • Responding to a data security breach
     • State requirements
     • Regulatory enforcement
     • Litigation

  3. What Is A Data Security Breach?
     • A breach of the security of the system that involves personal information that has been, or is reasonably believed to have been, acquired by an unauthorized person.
     • Federal and State statutes and regulations require notification to affected individuals and, in certain instances, regulatory agencies and law enforcement.

  4. What Is Personal Information?
     • “Personal information”
       • First name or initial and last name with one or more of the following (when either name or data element is not encrypted):
         • Social security number;
         • Driver’s license number;
         • Credit card or debit card number; or
         • Financial account number with information such as PINs, passwords or authorization codes.

  5. What Is Personal Information?
     • Other Sensitive Information That May Give Rise to a Security Breach Liability
       • Credit history;
       • Medical and health insurance information and history;
       • Employee information.

  6. What Is A Data Security Breach?
     • “Breach of the security of the system”
     • Some states expressly require notice of unauthorized access to non-computerized data
       • New York: “lost or stolen computer or other device containing information” or “information has been downloaded or copied”
       • Hawaii and North Carolina: data includes “personal information in any form (whether computerized, paper, or otherwise)”

  7. What Is A Data Security Breach?
     • Generally, only need “reasonable” belief the information has been acquired by unauthorized person to trigger notification requirements
     • Certain states require risk or harm
       • Arkansas: no notice if “no reasonable likelihood of harm to customers”
       • Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft”

  8. What Is A Data Security Breach?
     • Distinguish between entity that “owns or licenses” data and entity that “maintains” data
       • Data owner has ultimate responsibility to notify consumers of a breach
       • Non-owners required to notify owners

  9. 2010 Statistics
     • Identity Theft Resource Center reports 662 breaches during 2010, exposing over 16,167,542 records
     • 498 breaches during 2009, exposing 222,477,043 records
     • 20% of reported breaches in 2010 were paper records
     • Malicious attacks account for more breaches than human error.

  10. Cost Of A Data Security Breach
     • Based on the results of a 2010 study, the average cost of a data security breach is $7.2m.
       • $214 per compromised record
       • Includes direct costs (communications, investigations, legal) and indirect costs (lost business, public relations)
     • Compare to costs of having preventative measures in place such as privacy and security policies, training and encrypting sensitive information

  11. Recent Data Breaches in Florida
     • Jackson Health System (2011)
       • 1,800 hospital patient records potentially exposed
       • Offered free credit card fraud protection for all patients impacted by the breach, which was discovered after an internal investigation
     • AvMed (2010)
       • Two laptops containing 1.2 million records were stolen (1.19 million of which are Florida residents).
     • University of North Florida (2010)
       • 106,884 people potentially affected by data breach

  12. Data Breaches: Employee Personal Information
     • Department of Veterans Affairs (May 2006)
       • Laptop computer and disk stolen from home of VA employee
       • Contained personal information of 26.5 million veterans who served in the military and have been discharged since 1976
       • Recovered by FBI with no evidence of unauthorized access
       • Under class action settlement, VA agreed to pay $20 million to defendants who were harmed by incident, either physical manifestations of emotional distress or cost of credit monitoring

  13. Data Breaches: Employee Personal Information
     • CVS Caremark Corporation (2007)
       • Discarded clearly readable materials containing personal information of consumers and employees in publicly accessible trash dumpsters
       • Prescription bottles, pharmacy labels, computer printouts, credit card receipts and employee records
       • Entered into consent order with the FTC
       • Paid $2.25 million to settle related HIPAA violations

  14. Information Security Program
     • Why is it Important to Have an Information Security Program?
       • Legal
       • Litigation
       • Customer Trust
       • Reputation

  15. Information Security Program
     • Purpose of an Information Security Program
       • Ensure security and confidentiality of sensitive personal information
       • Protect against anticipated threats or hazards to the integrity of sensitive personal information
       • Protect against unauthorized access to or use of sensitive personal information that could result in harm or inconvenience to any impacted person

  16. Information Security Program: Elements
     • Designate a Privacy Officer to Oversee the Program
     • Conduct an Information Security Risk Assessment
       • Identify reasonably foreseeable internal and external threats that could result in data breach or misuse/destruction of info
       • Determine the likelihood and potential damage of various threats
       • Determine the sufficiency of current policies, procedures, controls and systems

  17. Information Security Program: Elements
     • Design and implement an Information Security Program
       • Based on results of Risk Assessment
       • Comprehensive company information security and privacy policy
       • Proper access controls
       • Employee background checks
       • Employee training and awareness program
       • Oversight program for service providers
       • Regular auditing and re-evaluations of the program
       • Data Breach Response Plan

  18. What Is The Objective? Fill In The Gap
     • Information Security Program
     • Criminal prosecution
     • Civil prosecution
     How to Manage the Data Security Breach

  19. Why Do You Need A Response Plan?
     • Thoughtful and Prepared Reaction
     • Better Decision Making
     • Minimized Risk and Loss

  20. Response Plan: Create A First Response Team
     • Information technology (computer & technology resources)
     • Information security (physical security & access)
     • Human resources (private employee information – health & medical, payroll, tax, retirement)
     • Legal counsel (in-house and/or outside counsel)
     • Compliance
     • Business heads (consumer information)
     • Public relations/investor relations

  21. Assign Tasks To Members Of The First Response Team
     • Establish a point person
     • Identify key personnel for each task
     • Prioritize and assign tasks
     • Calculate timelines and set deadlines
     • Communicate with management
     • Establish attorney-client privilege for investigation and communications
     Project Management Is Critical

  22. Determine The Nature And Scope Of The Breach
     • Investigate facts
     • Interview witnesses
     • Determine type of information that may have been compromised
     • Identify and assess potential kinds of liability
     • Identify individuals potentially at risk and determine state or country of residence
     Preserve Company’s Assets, Reputation and Integrity

  23. Understand Data Breach Notice Laws
     • State laws:
       • What constitutes personal information
       • When is a notice required
       • Who must be notified
       • Timing
       • What information must be included in the notice
       • Method of delivering notice
       • Other state specific requirements
     • Applicable industry-specific laws
     • Applicable international laws

  24. Determine Appropriate Notices
     • Consumers
     • Employees
     • Law enforcement (Federal/State)
     • Federal regulatory agencies
     • State agencies
     • Consumer reporting agencies
     • Third-party vendors
     • Insurers
     • Media

  25. Prepare State Law Notices
     • General description of the incident
     • Type of information that may have been compromised
     • Steps to protect information from further unauthorized access
     • Contact information (e.g., email address; 1-800 number)
     • Advice to affected individuals (e.g., credit reporting, review account activity)

  26. Prepare State Law Notices
     • Delivery method (e.g., certified letters, e-mail, website)
     • Timing of notices
     • Tailor notices based on recipient
     • Use single fact description for all notices

  27. State Laws - Florida
     • “Personal Information”
       • “[A]n individual’s first name, first initial and last name, or any middle name and last name,” in combination with one or more of the following data elements (when the data elements are not encrypted):
         • (a) Social security number.
         • (b) Driver’s license number or Florida Identification Card number.
         • (c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account

  28. State Laws - Florida
     • Notice requirement applies to “[a]ny person who conducts business in this state and maintains computerized data in a system that includes personal information”
     • Requires notification to any Florida resident “whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person”
     Fla. Stat. § 817.5681 (1)(a) (2010).

  29. State Laws - Florida
     • Notification must “be made without unreasonable delay,” and “no later than 45 days following the determination of the breach unless otherwise provided in this section.”
     • “Any person required to make notification under paragraph (a) who fails to do so within 45 days following the determination of a breach . . . is liable for an administrative fine not to exceed $500,000 . . . .”
     Fla. Stat. § 817.5681 (1)(b) (2010).

  30. Prepare Press Release
     • Include the following information:
       • Facts surrounding the incident
       • Actions to prevent further unauthorized access
       • Steps to prevent future data security breaches
       • Contact Information for questions
     • Review by legal counsel

  31. Prepare Answers To Inquiries
     • Draft FAQs with responses
     • Establish hotline
     • Assign group of contact employees
     • Train employees to respond to inquiries
     • Develop clear escalation path for difficult questions
     • Track questions and answers

  32. Consider Offering Assistance To Affected Individuals
     • Free credit reporting
     • Free credit monitoring with alerts
     • ID theft insurance
     • Access to fraud resolution specialists
     • Toll-free hotline

  33. Enforcement Actions
     • Federal Trade Commission – Section 5 of FTC Act
       • Enforce privacy policies and challenge data security practices that cause substantial consumer injury
     • State Attorney General – State Notification Statutes
       • Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
       • Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages”.
     • Litigation in federal or state courts

  34. FTC Actions: CVS Caremark Corporation
     • In June 2009, the FTC filed a complaint against CVS Caremark Corporation for violations of the Federal Trade Commission Act
     • FTC investigated in response to reports from television stations and other media outlets that reported finding personal information of consumers and employees in dumpsters used by CVS pharmacies in at least 15 cities throughout the United States
     • In its complaint, the FTC stated that CVS “routinely obtains information from or about its customers” and also “collects sensitive information from or about its employees, including, but not limited to, Social Security number.”

  35. FTC Actions: CVS Caremark Corporation
     • FTC complaint alleged that CVS “failed to provide reasonable and appropriate security for personal information” because it did not:
       • Implement policies and procedures to dispose securely of personal information (including making the information “unreadable” at the time of disposal)
       • Train employees to dispose securely of personal information
       • Use “reasonable measures” to assess compliance with its established procedures for disposal of personal information
       • Employ a “reasonable process” for discovering and remedying risks to personal information

  36. FTC Actions: CVS Caremark Corporation
     • Consent order (dated June 2009):
       • Expressly stated that definition of “personal information” shall include “an employee, and an individual seeking to become an employee”
       • Required CVS to:
         • Establish, implement and maintain a written comprehensive information security program “reasonably designed to protect the security, confidentiality, and integrity of personal information”
         • Obtain initial and biennial assessments and reports from a “qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession” for 20 years
         • Make available to the FTC (upon request) for inspection and copying documents relating to compliance
         • File with FTC a report setting forth “in detail the manner and form” in which it has complied with consent order

  37. Other FTC Actions
     • Other FTC settlements:
       • SettlementOne Credit Corp.
       • ValueClick (civil penalties = $2,900,000)
       • Goal Financial
       • Life Is Good
       • Premiere Capital Lending, Inc.
       • Reed Elsevier Inc.

  38. CT Attorney General Action: Blue Cross and Blue Shield
     • Data contained on stolen laptop included names, addresses, taxpayer identification numbers and social security numbers of approximately 19,000 health care providers in CT
     • CT statute requires notice “without reasonable delay”
     • In November 2009, the CT Attorney General instituted an investigation regarding whether waiting 2 months to notify affected individuals violated the CT statute
     • CT Attorney General stated that failure to comply with the state statute constituted an “unfair trade practice” and may subject BCBS to fines of up to $5,000 for each affected resident and require BCBS to provide restitution to these residents

  39. NY Attorney General Action: CS Stars LLC
     • Theft of computer containing personal information of approximately 540,000 worker’s compensation recipients discovered on May 9, 2006
     • CS Stars LLC “maintained” personal information
     • CS Stars notified data “owner” of potential breach on June 29, 2006
     • Data owner notified appropriate entities and consumers immediately
     • FBI recovered computer
     • No unauthorized use of personal information

  40. NY Attorney General Action: CS Stars LLC
     • Attorney General criticized delay between discovery of missing computer and CS Stars’ notification to data owner
     • Settlement (April 2007) required CS Stars to:
       • Implement precautionary measures to safeguard information
       • Comply with New York data breach notification statute in the event of any future breach
       • Pay $60,000 to cover costs related to investigation

  41. CT Dept. of Consumer Protection Action: Bank of New York Mellon
     • Lost backup tape containing personal information of more than 600,000 Connecticut residents
     • Governor of Connecticut directed Commissioner of the Department of Consumer Protection to pursue all remedies available to affected Connecticut residents
     • BNY Mellon notified each affected consumer and provided 24 months of credit protection
     • To date, BNY has spent over $3.48 million to provide credit protection

  42. CT Dept. of Consumer Protection Action: Bank of New York Mellon
     • Settlement required BNY Mellon to:
       • Reimburse consumers for any funds stolen as a direct result of breach
       • Pay $150,000 to the State of Connecticut

  43. Litigation: Typical Claims By Plaintiffs
     • Plaintiffs (consumers or employees) typically allege the following causes of action:
       • Common law claims of negligence, breach of contract, breach of implied covenant or breach of fiduciary duty
       • Claims for violations of state consumer protection statutes – deceptive/unfair trade practices acts

  44. Litigation: Plaintiffs Lack Standing
     • Certain courts have dismissed data breach cases on ground of standing.
     • Hinton v. Heartland Payment Sys., Inc., Civ. A. No. 09-594, 2009 U.S. Dist. LEXIS 20675 (D.N.J. March 16, 2009):
       • Increased risk of fraud and identity theft do not constitute “actual or imminent injury in fact” and “amount to nothing more than mere speculation.”
     • Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046 (E.D. Mo. 2009):
       • “Plaintiff does not claim that his personal information has in fact been stolen and/or his identity compromised.”
       • “For plaintiff to suffer the injury and harm he alleges here, many ‘ifs’ would have to come to pass.”

  45. Litigation: Plaintiffs Have Standing
     • However, “[t]he recent trend in ‘lost data cases,’ . . . seems to be in favor of finding subject matter jurisdiction.” (i.e., standing). McLoughlin v. People’s United Bank, Inc., Civ. A. No. 08-944, 2009 U.S. Dist. LEXIS 78065, at *12 (D. Conn. Aug. 31, 2009).
     • Pisciotta v. Old Nat’l. Bancorp., 499 F.3d 629 (7th Cir. 2007) (injury in fact satisfied by “threat of future harm” or “increasing the risk of future harm”);
     • Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009) (increased risk of identity theft constituted sufficient “injury in fact” for purposes of standing);
     • Caudle v. Towers, Perrin, Forster & Crosby, 580 F. Supp. 2d 273 (S.D.N.Y. 2008).

  46. Litigation: Plaintiffs Cannot Prove Damages
     • Pisciotta v. Old Nat’l. Bancorp.: customers sought compensation for past and future credit monitoring services, after hacker obtained access to their personal information through bank website
       • Seventh Circuit affirmed district decision granting defendant bank’s motion for judgment on the pleadings and dismissed claims for negligence and breach of contract
       • Exposure to identity theft or increased risk of identity theft, without more, does not constitute “compensable injury” or “a harm that the law is prepared to remedy”
       • Credit monitoring costs do not constitute “compensable damages”

  47. Litigation: Plaintiffs Cannot Prove Damages
     • Ruiz v. Gap, Inc.: laptop computer stolen, which contained approximately 750,000 Gap job applications (including name and social security no.)
       • Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of contract
       • “At a minimum, Ruiz would be required to present evidence establishing a significant exposure of his personal information”
       • “Because Ruiz has not been a victim of identity theft, he can present no evidence of appreciable and actual damage as a result of the theft”
       • “Ruiz cannot show he was actually damaged by pointing to his fear of future identity theft”

  48. Litigation: Unusual Court Rulings
     • Caudle v. Towers, Perrin, Forster & Crosby: laptop computer stolen from employer’s pension consultant, which contained personal information (including name and social security no. of employees)
       • Employee named employer’s pension consultant as a defendant, but did not include employer
       • Court granted defendant’s motion for summary judgment and dismissed claims for negligence and breach of fiduciary duty
       • Court denied motion with respect to claim that plaintiff was third-party beneficiary between defendant and plaintiff’s employer

  49. Litigation: Unusual Court Rulings
     • Rowe v. UniCare Life & Health Ins. Co., Civ. A. No. 09-2286, 2010 U.S. Dist. LEXIS 1576 (N.D. Ill. Jan. 5, 2010): personal information of plaintiff was temporarily accessible to the public on defendants’ Internet Website
       • In deciding motion to dismiss, Court found that plaintiff satisfied minimal pleading standard and allowed claims to proceed
       • But the Court stated that claims may ultimately be dismissed if plaintiff cannot show a basis for damages other than alleged increased risk of future harm such as identity theft
       • Plaintiff may prevail “only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.”

  50. Contact Information
     • Amy Rubin, Esquire, 561.804.4433, ARubin@foxrothschild.com
     • Peter J. Sheptak, VP, General Counsel, 954.429.2174, Peter.Sheptak@jmfamily.com
