Privacy & Data Security
May 9, 2014
Presented at:
SWBA 39th Annual Conference
by:
Overview
Data Privacy Concerns: Unauthorized access, use, acquisition or disclosure of information
What information is at stake?
• Personally identifiable information (PII)
– Social Security numbers, driver's license numbers, financial account information, medical information
– Broader view: email addresses, phone numbers, dates of birth
– CA: Effective January 1, 2014, adds a user name or email address in combination with a password or security question and answer that would permit access to an online account
• Protected Health Information (PHI)
• Payment card data (PCI)
WHOSE INFO?
• Employees
• Clients and customers
• Vendors
• Insureds, claimants and beneficiaries
• Business partners
WHAT THREATS?
• Malicious actors
• Employees
• Business partners
Regulations & Statutes
• State notice and compliance regulations
• Federal statutes
• Proposed federal legislation
• PCI DSS (Data Security Standard)
• Cybersecurity Executive Order
State Regulations: Notice
• 46 states and 4 U.S. jurisdictions require notice to residents after unauthorized access to their PII
– Follow timing requirements for notifying resident consumers: "without unreasonable delay," and in some states no later than 45 days
– Notify State Attorneys General, law enforcement, consumer protection agencies and credit reporting agencies where required
– Follow timing requirements for notifying regulators and credit reporting agencies: 48 hours, fourteen days, or before notice to residents, depending on the state
– Some states require specific notice content
State Regulations: Examples
Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information
• Mandates procedures to reduce likelihood and impact of breaches
• Requires a “written information security program”
• Specific computer-system requirements covering user IDs and passwords, encryption of data in transit and of data stored on laptops and portable devices, firewalls and patching
• Applies to all businesses, wherever situated, that own or license PII of Massachusetts residents
State Regulations: Examples
California Confidentiality of Medical Information Act (CMIA): Cal. Civ. Code § 56 et seq.
• Companion statute, Cal. Health &amp; Safety Code § 1280.15, requires licensed clinics, health facilities, home health agencies and hospices to report unauthorized access to patient medical information to the California Department of Public Health and to notify affected patients within 5 business days
• State fines of up to $250,000 per violation
• Allows for a private right of action, including statutory nominal damages of $1,000 without proof of actual harm
Federal Laws
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Fair and Accurate Credit Transactions Act (FACTA)
• Gramm-Leach-Bliley Act (GLBA)
HIPAA
• HIPAA Privacy Rule: national standards for the protection of certain health information
• HIPAA Security Rule: national standards to protect electronic PHI (ePHI) that is created, received, used or maintained
– Both apply to "covered entities" and their "business associates"
– Breach Notification Rule: when an impermissible use or disclosure of PHI occurs, a "breach" is presumed unless a documented risk assessment shows a low probability that the PHI was compromised
HITECH Act
• 2009 expansion of the Health Insurance Portability and Accountability Act (HIPAA)
• Allows State AGs to bring civil actions in federal court
• Provides for mandatory audits by HHS
• Civil monetary penalties: $100 to $50,000 per violation, tiered by culpability, with annual caps of $25,000 to $1.5 million for identical violations in a calendar year
• Mandates physical and technical safeguards
• Omnibus Final Rule: compliance required by September 23, 2013
Gramm-Leach-Bliley Act
• Applies to the financial services industry
• Enacted in 1999 to reform the industry and address concerns relating to consumer financial privacy
• Includes insurance companies!
• GLBA Privacy Rule: privacy notices to customers and limits on sharing nonpublic personal information
• GLBA Safeguards Rule: written information security program
Sarbanes-Oxley
• Applies to publicly held companies and accounting firms
• Rigorous data protection requirements
– Affects storage, access and retrieval of customer records
• SEC cybersecurity disclosure guidance (2011) factors:
– Probability of a cyber incident
– Magnitude of the risk
Identity Theft Enforcement and Restitution Act (ITERA)
• Identity theft offenders must "pay an amount equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense." 18 U.S.C.A. § 3663(b)(6).
PCI DSS
• Payment Card Industry Security Standards Council
– American Express, Discover, JCB International, MasterCard, Visa
• Created in 2006 to establish and maintain industry standards, including the Data Security Standard (DSS)
• Requires merchants and service providers to abide by certain protocols to protect cardholder data
PCI DSS (cont.)
• Imposes "fines" and "penalties" on offending merchants and service providers
• Violations of PCI DSS have multiple consequences
– Significant financial penalties
– Impact on standard of care: industry investigations, outside lawsuits
• A small minority of states have incorporated PCI DSS requirements into data protection laws
Cyber-security Executive Order
• Goal: safeguarding the nation's critical infrastructure against cyber-attacks by developing and implementing baseline cybersecurity standards
• NIST required to develop a "Cybersecurity Framework" (a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks) by February 2014; version 1.0 was published February 12, 2014
• DHS to encourage designated owners and operators of critical infrastructure to adopt the voluntary cybersecurity program
International Laws
• The EU and more than 45 other countries have data protection or privacy laws, with more coming
• U.S. companies with control of PII for international customers must consider the notification requirements of foreign jurisdictions
International Laws (cont.)
Canada – National Law
• PIPEDA (Personal Information Protection and Electronic Documents Act) applies to private-sector organizations that collect, use or disclose personal information in the course of commercial activity
• Some provinces (e.g., Alberta, Ontario) have passed their own breach notification requirements
Response
• Discovery of data event: the clock starts
• Incident Response Plan
• Facts
• Law
• Vendors
Case Studies
Online retailer sees customers blogging about credit card fraud; finds it was the victim of a SQL injection attack through its website storefront, exposing 50,000 individuals' credit cards
- Forensics and PFI (PCI Forensic Investigator) engagement
- Public relations
- Substitute notice, notice to regulators
- PCI fines
Case Studies
State College shares database with State University system; University student accesses 120,000 College alumni/student Social Security numbers
- Forensics coordinated with University and with law enforcement
- Notification timing and messaging coordinated with University (which had over 450,000 affected)
Case Studies
Hospital employee steals information from medical records to obtain credit fraudulently.
- Complicated forensics to distinguish authorized employee activity from criminal activity (otherwise notice to the 11 individuals actually affected would have become notice to the over 70,000 whose records the employee could have accessed!)
- Law enforcement subpoena of the employee's computer further complicated forensics
Case Studies
Business Associate document conversion company loses a volume of non-electronic hospital records.
- Under HIPAA the notice obligation falls on the hospital (the covered entity), but the hospital will seek recovery of all costs from the Business Associate
- Exposed documents that were recovered had to be analyzed manually to identify the affected population and details of exposure: $500K in investigation costs alone
Case Studies
Municipality posts employee benefits information online, exposing individuals' Social Security numbers and dates of birth.
- Unique public relations issues: during an election cycle, a challenger uses the incident for political gain
- Entire response handled, including web site notice, individual notice, credit monitoring, assistance with responses to inquiries and notice to state regulators
Case Studies
Bank website collecting loan application information is hacked, exposing hundreds (maybe thousands) of applicants' sensitive information.
- Public relations messaging must ensure account holders who were not affected are distinguished from applicants
- Although small numbers were affected at the client, the attack was part of a larger operation under investigation by the FBI and Secret Service, involving the "Syrian Electronic Army" and "Anonymous"
Response Counsel
Data Breach Coach: expert outside counsel
• Manage investigation
• Legal compliance
• Litigation: position client to avoid or defend class, regulatory, and/or individual action
– Document preservation
• Best practices: analysis of system security and company procedures
Response Counsel (cont.)
Vendors
• Forensic IT investigators / PFI
• Public relations
• Document review (e-discovery)
• Printing, mailing, call-center and substitute notice services
Evaluation of Breach
• What systems/networks/records were accessed?
– computerized vs. paper
• What is the nature of the breach? Is it over? What kind of data was accessed/copied/stolen/viewed?
– access vs. acquisition
• Individuals affected?
– individual vs. business
• Are duties triggered?
Notification
• Must comply even where there is no theft or damage
• Effects of poor breach response:
– Reputational harm
– Higher out-of-pocket expenses
– Target on back
Notification Checklist
• Electronic data or paper documents?
• What type of data elements are at stake?
• Has the personal information been misused? Is it likely to be misused?
• What type of entity suffered the breach?
• How many individuals affected?
Notification Checklist (cont.)
• What laws apply?
– Does a federal statute apply? If so, is the state statute preempted?
• Is there a preexisting security protocol in place?
• Should fraud protection and credit monitoring services be offered preemptively?
• Notify state authorities?
Overreact or underreact?
Quick responders spend 54% more per compromised record than slow responders.
Source: Ponemon Institute, 2011 Cost of Data Breach Study
BUT…
Response can factor into lawsuits and reputational harm!
Lawsuits/Actions
• Single Plaintiff
• Class Action
• Government Action
• Banks
• PCI
• Subrogation/ Indemnity
Defending the Lawsuit/Action
Specialized considerations when defending a data breach class action
• Multi-District Litigation
• Class certification discovery
• Joinder of all necessary and appropriate parties
• E-Discovery
• Experts
Defending the Lawsuit
• Stollenwerk v. Tri-West Health Care Alliance (9th Cir.): plaintiffs must assert actual identity theft to recover damages
• Krottner v. Starbucks Corp. (9th Cir.): increased risk of identity theft constitutes an injury-in-fact for standing
• Anderson v. Hannaford Bros. Co. (1st Cir.): alleged actual fraud and money reasonably spent in mitigation efforts defeat dismissal
• Resnick v. AvMed, Inc. (11th Cir.): similar to Anderson; also held unjust enrichment claims viable for failure to keep the promise to protect information
• In re Heartland Payment Systems (5th Cir.): issuer banks and credit unions not barred by the economic loss doctrine from recouping card reissuance costs
Preparation
• 96% of breaches were avoidable through simple or intermediate controls
Source: Verizon 2011 Data Breach Investigations Report
• The cost of a data breach has fallen, suggesting that companies are investing more resources in prevention and detection, such as improving their data protection practices and implementing incident response plans
Evaluate the Risks
• Has the insured ever experienced a data event?
• Does the insured collect, store, or transact any personal, financial or health data?
• Does the insured outsource any computer network operations, data storage or network management?
• Does the insured share data with business partners or vendors?
Evaluate the Risks (cont.)
• Does the posted Privacy Policy actually align with internal data management practices?
• Has the insured had a recent cyber risk assessment?
• How long does the insured maintain records?
• Are the insured's electronic devices encrypted?
• Is the insured's intrusion detection
Safeguard Controls
• People: proper security budget, supervision, training and vigilance during and after employment
• Processes/policies: ISO 27002, HITECH-ready employee education and training, change management processes, incident response plan
• Technology: proven IDS/IPS capabilities, hardened and patched servers (tested), full encryption of PII
Managing the Risks
• Education: learn about the various types of privacy violations that can occur
• Handheld devices
• Manage BYOD
• Limit data maintained or made available
• Encrypting laptops, smartphones, etc.
Managing the Risks (cont.)
• Mock breaches, aka "tabletop exercises"
• Limit online access to data storage servers
• Policies alone are not enough
• Destruction of hard drives to remove all PII
Managing the Risks (cont.)
Incident Response Plans (IRPs)
– Various laws and regulations require IRPs
• Financial institutions, Oregon entities
– Many laws imply that IRPs must be developed
• Gramm-Leach-Bliley, Sarbanes-Oxley, HIPAA, Massachusetts 201 CMR 17.00, FACTA
– Existence of an IRP is best practice
• Reduces the chance of a breach and mitigates damages when a breach does occur
Emerging Issues
• Cloud Computing
• Pre-breach Security Standards
• Subrogation
• Social Media
• Geo-location Tracking
• Collection and Use
Cloud Computing
"A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
Source: U.S. Department of Commerce, National Institute of Standards and Technology, Special Publication 800-145