Mastering Data Privacy, Protection, & Forensics Law



April 15, 2015

Data Breach Notification and Cybersecurity Developments in 2015

Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy Professional/US

Mastering Data Privacy, Protection, & Forensics Law

This presentation was created by Dorsey & Whitney LLP, 50 South Sixth Street, Suite 1500, Minneapolis, MN 55402. This presentation is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. An attorney-client relationship is not created or continued by sending and/or receiving this presentation. Members of Dorsey & Whitney will be pleased to provide further information regarding the matters discussed in this presentation.


2015 state data breach notification requirements

• 18 state laws, plus Puerto Rico law, also require notification of a breach to a state attorney general or regulator in addition to the affected individuals

– Effective October 1, 2015: 19 state laws with the addition of Montana

• California and Florida laws define personal information as covering online account information

– Effective July 1, 2015: 3 state laws with the addition of Wyoming


Cybersecurity laws and guidance and provisions in contracts and policies

• Issued in January 2015:

– Federal: Federal Trade Commission Staff Report on Internet of Things


Resources (continued)

Cybersecurity (continued)

• Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

http://www.dorsey.com/files/upload/Krasnow-MA-Data-Security-Regulation-mar-2015.pdf

• Guidance for Managing Cybersecurity Risks

http://www.irmi.com/expert/articles/2014/krasnow05-cyber-privacy-risk-insurance.aspx

• National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

• Cybersecurity in the Golden State

https://oag.ca.gov/cybersecurity


Resources (continued)

Boards of Directors and Corporate Governance

• Board Oversight of Cyberrisks: Directors and Officers Litigation

http://www.irmi.com/expert/articles/2015/krasnow02-cyber-privacy-risk-insurance.aspx

• Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus

http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.VDvmOa1OXct

• National Association of Corporate Directors 2014 Cyber-Risk Oversight Handbook


Questions & Answers

Melissa J. Krasnow (612) 492-6106


October 22, 2014

Data Breach Notification and Cybersecurity Developments in 2014

Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy Professional/US

Mastering Data Privacy, Social Media, & Cyber Law

This presentation was created by Dorsey & Whitney LLP, 50 South Sixth Street, Suite 1500, Minneapolis, MN 55402. This presentation is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. An attorney-client relationship is not created or continued by sending and/or receiving this presentation. Members of Dorsey & Whitney will be pleased to provide further information regarding the matters discussed in this presentation.


State breach notification laws

• 47 states, plus the District of Columbia, Guam, Puerto Rico and Virgin Islands, have breach notification laws (Alabama, New Mexico, and South Dakota do not have these laws)

• These laws require notification of a breach to affected individuals

• These laws cover breaches involving personal information in electronic format


2014 state breach notification law developments

• 18 state laws, plus Puerto Rico law, also require notification of a breach to a state attorney general or regulator in addition to the affected individuals

• 7 state laws cover breaches involving personal information in both electronic and paper formats

• California and Florida laws define personal information as covering online account information

• New Kentucky breach notification law


California breach notification law amendment effective January 1, 2015

Where a person or business was the source of a breach, the person or business providing breach notification must offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost to an affected individual for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed his or her first name or first initial and last name, together with any of the following data elements, where the name or the data elements are not encrypted:

• SSN


Breach notification in federal and foreign laws and provisions in contracts and policies

• Federal HIPAA / HITECH Act breach notification for covered entities and business associates regarding protected health information

• Laws in other countries (e.g., Canada)

• Provisions in contracts and policies


Cybersecurity laws and guidance and provisions in contracts and policies

• State security procedures laws: Massachusetts and certain other states (e.g., California)

• Issued in February 2014:

– Federal: National Institute of Standards and Technology critical infrastructure cybersecurity framework

– California cybersecurity guidance


Cyber liability insurance

Main coverages in a traditional cyber liability insurance policy include:

• Security and privacy liability insurance that responds to third party liability

• Event management insurance that responds by paying costs for breach notification, public relations and other services to assist in managing a covered privacy or network security incident

• Cyber extortion insurance that pays to settle network security-related extortion demands made against the insured

• Network business interruption insurance that responds to an insured’s loss of income and operating expenses when business operations are interrupted or suspended due to a failure of network security


Enforcement, litigation and other consequences

• Federal Trade Commission

• Department of Health and Human Services

• State attorneys general (e.g., California and Massachusetts)

• Foreign regulators

• Litigation


Some steps companies are taking to prepare

• Preparing, revising and testing incident response plans

Tabletop Exercise (TTX)

A TTX is intended to generate discussion of various issues regarding a hypothetical, simulated emergency. TTXs can be used to enhance general awareness, validate plans and procedures, rehearse concepts, and/or assess the types of systems needed to guide the prevention of, protection from, mitigation of, response to, and recovery from a defined incident. Generally, TTXs are aimed at facilitating conceptual understanding, identifying strengths and areas for improvement, and/or achieving changes in perceptions.

Source: Homeland Security Exercise and Evaluation Program (HSEEP) (April 2013)


Some steps companies are taking to prepare (continued)

• Preparing and revising company policies and programs, including training

• Procuring security and data breach services


Resources

Data breach

• California Privacy Laws Change: Identity Theft Prevention and Mitigation Services

http://www.irmi.com/expert/articles/2014/krasnow10-cyber-privacy-risk-insurance.aspx

• Changes in State Breach Notification Laws

http://www.irmi.com/expert/articles/2014/krasnow08-cyber-privacy-risk-insurance.aspx

• California’s Breach Notification Law Expands to Include Online Account Information

http://www.dorsey.com/psm_ca_breach_online_account_info/

• Verizon 2014 Data Breach Investigations Report

http://www.verizonenterprise.com/DBIR/2014/

Cybersecurity

• Cybersecurity White Paper

http://www.dorsey.com/files/Upload/Cybersecurity-White-Paper.pdf


Resources (continued)

Cybersecurity (continued)

• Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

http://www.dorsey.com/files/Upload/Written%20Information%20Security%20Programs%20Compliance%20with%20the%20Massachusetts%20%287-523-1520%29.pdf

• Guidance for Managing Cybersecurity Risks

http://www.irmi.com/expert/articles/2014/krasnow05-cyber-privacy-risk-insurance.aspx

• National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

• Cybersecurity in the Golden State

https://oag.ca.gov/cybersecurity

• Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus


Melissa J. Krasnow 612-492-6106


Questions & Answers
