Data Privacy & Security:
Essential Questions
Every Business Must Ask
Presented by:
Riddell Williams P.S.
May 6, 2015 (#4841-4703-9779)
Innocent?
Overview
3 basic questions every business should ask
Are you ready to respond to a hack or data loss?
Do you have appropriate insurance?
Why Make Privacy and Data Security a Priority?
Data Security Risk Is Real and Imminent
19% chance of a data breach involving at least 10,000 records in the next 24 months
(2014 Ponemon Institute Research Report)
“60% of small businesses that are hacked go out of business within six months.”
(Ted Devine, CEO of Insureon, a small business insurer)
Consequences Are Serious and Long-Lasting
Reputational damage
Business interruption
Response costs
Liability to partners and vendors
Regulatory action
3 Questions Everyone Should Ask
1. What are you collecting?
2. How are you using it?
3. How are you protecting it?
Question 1: What Data Are You Collecting (and Why)?
Personal Information, Generally
Information that, separately or in combination, reveals a person’s identity
Washington = first name or initial and last name plus one of:
SSN
Driver’s license or state ID number
Financial account or card number together with the required security or access code
4/23/15 amendment:
Notification turns on whether the personal information was “secured” (encrypted in a manner that meets or exceeds the NIST standard, or otherwise rendered unreadable or undecipherable)
Encryption does not help if the intruder also obtained the encryption key or the ability to decipher the data
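To make the “secured” test concrete, here is an added Go example (not part of the presentation, and not code from Riddell Williams or from the statute) of what it means operationally. The record fields, sample values, and the function names Seal, Open and Exposed are assumptions chosen for illustration; the person is constructed. Records are encrypted with AES-256-GCM, the key is kept out of the stored blob, and Exposed models the post-breach question: can the intruder, with the key material they are known to hold, actually decipher anything they copied?

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed sample of the "name plus" data elements the
// Washington statute treats as personal information. Not a real person.
type Record struct {
	Name           string `json:"name"`
	SSN            string `json:"ssn"`
	DriversLicense string `json:"drivers_license"`
}

// Seal encrypts a record with AES-256-GCM. Output layout: nonce || ciphertext || tag.
// The key is deliberately not part of the output; it must live elsewhere
// (KMS, HSM, separate secrets store) so that a copy of the database alone is "secured".
func Seal(key []byte, r Record) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	plaintext, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong key or any tampering fails GCM authentication.
func Open(key []byte, blob []byte) (Record, error) {
	var r Record
	block, err := aes.NewCipher(key)
	if err != nil {
		return r, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return r, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return r, errors.New("blob too short")
	}
	plaintext, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return r, err
	}
	err = json.Unmarshal(plaintext, &r)
	return r, err
}

// Exposed answers the question the amendment asks after a breach: given the blobs
// the intruder copied and every key the intruder is known (or must be assumed) to
// hold, can any record be deciphered? No usable key means the copy stayed "secured";
// if any blob opens, the personal information is exposed and notification analysis follows.
func Exposed(stolenBlobs [][]byte, intruderKeys [][]byte) bool {
	for _, blob := range stolenBlobs {
		for _, k := range intruderKeys {
			if _, err := Open(k, blob); err == nil {
				return true
			}
		}
	}
	return false
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := Seal(key, Record{Name: "Sample Customer", SSN: "000-00-0000", DriversLicense: "WDL0000000"})
	if err != nil {
		panic(err)
	}
	// Scenario A: database file stolen, key held in a separate KMS: still secured.
	fmt.Println("ciphertext only exposed?", Exposed([][]byte{blob}, nil))
	// Scenario B: the intruder also read the key (e.g. from a config file beside the data).
	fmt.Println("ciphertext plus key exposed?", Exposed([][]byte{blob}, [][]byte{key}))
}
```

The practical point is the second scenario: a key stored in the same place as the data (a config file on the breached host, a column in the same database) converts an encrypted-but-secured loss into a reportable one, which is why key custody, not just the cipher choice, decides the answer to this slide’s question.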
Other Personal Information
Health information
Employee information
E-mail address
Utility and service use
Zip code
Why Are You Collecting That Information?
Don’t have it = can’t get in trouble for it
How does the consumer benefit from data collection?
Are you collecting the least you need?
Do You Disclose Data Collection?
Does your website need a privacy statement?
YES, unless you are sure you do not collect personal information.
Privacy Statement – Tips
Talk to an expert
Keep it current
Key elements:
What you collect
How you collect it
What you do with it
What you share with third parties
Additional issues:
Opt-out
Changes to the statement
Question 2: How Are You Using It?
What Are You Doing With It?
Existing legitimate business purpose versus possible future use
Using only for the purposes you disclosed to consumers
Disclosing it to third parties?
Laws May Limit Collection and Use
HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH)
Gramm-Leach-Bliley Act (GLBA)
FTC Act and other consumer protection laws
CAN-SPAM Act
Telephone Consumer Protection Act (TCPA)
Children’s Online Privacy Protection Act (COPPA)
State laws, e.g., California’s “Eraser Button” law
Data Retention
Are you retaining personal information for longer than necessary?
Does your company’s data retention policy:
Require destruction of records when they no longer serve a business purpose?
Question 3: How Are You Protecting the Information You Collect?
When and How Much Protection Do You Need?
Protection should be proportionate to the sensitivity of the information
Protect at all stages:
Collection
Storage
Handling
Transit
Disposal
Five Simple Steps (WSJ April 19, 2015)
1. Accelerate software patch timelines
2. Limit online “doors” (many devices don’t need to be online)
3. Encrypt your data
4. Eliminate or supplement passwords
Four Administrative Measures
1. Implement a cybersecurity framework or information security program (NIST, etc.)
2. Institute an employee training program
3. Develop and practice an incident response plan
4. Evaluate available insurance (every year)
Risks Posed By Vendors
Any party who shares customer or employee information with a vendor is at risk
Claims based on vendor selection (FTC, private lawsuits)
Vendor Due Diligence
Web sites and sales materials
Gartner and other third parties
Create a checklist/application
Financial condition and insurance
Information security controls
Employee training and awareness
Provisions to Consider in Vendor Contracts
Confidentiality
Ownership and use of data
Use of subcontractors
Requirement to notify and to disclose breach
Information security provisions
Indemnity
Are You Ready to Respond to a Hack or Data Loss?
Response Readiness Checklist
Do you have a disaster recovery plan?
Internal incident response team identified and trained
Finders, fixers, communicators, regulators
Responding well
Assess
Mitigate and preserve
Privilege
Do You Have Appropriate Insurance?
Which Coverages Align With Your Risks?
Regulatory response
Notification costs
Crisis management
Credit monitoring
Media liability
Theft and fraud
Forensic investigation
Business interruption
Computer data loss and restoration
Extortion
Do You Have Appropriate Coverage?
1. Understand the coverage you have
2. Investigate additional coverage options and costs
Legal Challenges from the Internet of Things
Internet of Things
What is it? Not computers, phones, tablets
Any product or sensor that connects to the Internet: car, home, or wearables
The Mission and The Team
The Mission
To provide “reasonable security”
The Team
Who is in charge of privacy and security issues?
Single Individual or a Team?
Employee training?
Emerging Risks and Issues with Big Data
General Principles
What characterizes it?
Large amounts of data (duh)
Often originally collected for other purposes
Use of advanced analytics
Machine learning
What laws apply?
No special laws (yet)
Should we have a right to have certain things forgotten?
Emerging Issues With Big Data
Adequate Disclosure
Does disclosure clearly cover all uses?
Unexpected correlations
Analytics and machine learning anticipate consumer decisions and behavior
Sensitive/personal situations can be revealed, especially through combined data sets
Public Relations Risk
Questions?
Please contact us any time with additional questions.
Gavin Skok, Riddell Williams P.S., 206.389.1731, [email protected]
Bruce Goto, Riddell Williams P.S., 206.389.1567, [email protected]
Shata Stucky, Riddell Williams P.S., 206.389.1786, [email protected]