
Developments in US Data Security Law OFII General Counsel Conference

Developments in US Data Security Law, OFII General Counsel Conference. Edward McNicholas, October 16, 2009. Twin Cities Privacy Retreat, 15 January 2009, Travelers Headquarters, St. Paul. The Reality Facing Global Corporations.


Presentation Transcript


  1. Developments in US Data Security Law
  OFII General Counsel Conference
  Edward McNicholas
  October 16, 2009
  Twin Cities Privacy Retreat, 15 January 2009, Travelers Headquarters, St. Paul

  2. The Reality Facing Global Corporations
  • Broad complexity and wide variety of national (and sub-national) privacy and data security laws complicates compliance
  • Significant cultural – and legal – differences exist in the meaning and nuances of privacy and data protection
  • Achieving compliance with overlapping federal, state, national, sub-national and multilateral rules is costly and distracting
  • Enforcement has been sporadic, but it is increasing
  • Trend towards stricter, more prescriptive laws, with more complexity and greater enforcement, appears likely

  3. Federal Principles for Information Security
  • Programs must not be deceptive or unfair
  • Security programs must adapt to changing threats
  • Security programs must be appropriate under the circumstances
  • Breaches are not per se evidence of a violation
  • Absence of a breach is not per se evidence of adequacy

  4. Federal Innovations?
  • Consumer Financial Protection Agency (CFPA)
    • Administration has proposed the creation of a single primary federal consumer protection supervisor to protect consumers of credit, savings, payment, and other consumer financial products and services
    • Would transfer some rulemaking and enforcement powers from the FTC and banking agencies
    • FTC would still have “backup enforcement authority”
  • Comprehensive federal security legislation?
    • House Energy and Commerce Committee passed a data security bill that requires entities that hold personal information to adopt appropriate security measures and, if a breach occurs, to notify consumers

  5. FACTA Red Flags Rules
  • Almost all businesses must now have a Board-approved “red flags” policy to help combat identity theft by responding to a laundry list of “red flags”
  • The FTC and others promulgated these Identity Theft Red Flags Regulations pursuant to the Fair and Accurate Credit Transactions Act of 2003 (FACTA)
  • The final rule was effective January 1, 2008
  • The FTC extended its deadline for enforcement to November 1, 2009

  6. Data Breach Statute Developments
  • Data breach notification laws are becoming settled
    • 45 states plus DC have breach notification requirements
    • Some states also require reporting the data breach to certain state government agencies
    • New federal breach notice requirements under HITECH
  • Encryption remains a key issue
    • It creates a safe harbor from the state data breach notice laws
    • Nevada requires encryption for certain personal data in transit
  • Numerous state laws also impose:
    • Affirmative data security requirements
    • Data disposal restrictions
    • SSN protections and restrictions on use

  7. Other Implicated State Laws
  • California Constitution (and some others) provides a privacy right enforceable against private entities
  • Little FTC Acts (also known as UDAP statutes)
  • Privacy, Negligence, Defamation and Other Torts
    • State tort laws protect against privacy invasions, negligence, misappropriation, defamatory speech, trespass to chattel, stalking, etc.

  8. California Data Security Obligations
  • California requires businesses to:
    • “Implement and maintain reasonable security procedures and practices appropriate to the nature of the information”
    • “Protect the personal information from unauthorized access, destruction, use, modification, or disclosure”
  • Applies to computerized and non-computerized “personal information”
  • Reasonableness remains the norm, but new Massachusetts regulations are significantly more prescriptive

  9. Requirements Must Be Passed Through to Service Providers
  “A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

  10. Massachusetts Data Security Regulations
  • Requires anyone that owns, licenses, stores or maintains a resident’s personal information to develop and implement a written comprehensive information security program to safeguard personal information of residents
  • Requires specific controls, including encryption in transmission and on portable media
  • Personal information is defined as:
    • first name or initial and last name, plus SSN, driver’s license number or other state-issued identification number, or credit or debit card number or other financial account number (with or without any required PIN or access code)
  • Now effective March 1, 2010, but changes possible
  • Office of Consumer Affairs and Business Regulation, 201 CMR 17.00

  11. Massachusetts Data Security Regulations
  • Secure user authentication protocols
  • Secure access control measures
  • Encrypt personal information:
    • in transmission over the Internet
    • on all wireless transmissions
    • on portable storage media
  • Reasonable monitoring of systems for unauthorized use of or access to personal information
  • Reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information
  • Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions
  • Education and training of employees on the proper use of the computer security system and the importance of personal information security

  12. Nevada Information Security Law
  • Previously required encryption for transmission of specified personal information
  • Nevada has amended its encryption law to include mobile storage devices holding personal information that move outside of the secured physical and logical boundaries of the covered entity
  • Nevada also requires businesses that accept credit or debit cards to meet Payment Card Industry Data Security Standards
    • Payment Card Industry norm now part of state law

  13. Top Ten Types of State Laws To Watch
  • Data breach notification measures that require notice of a data breach
  • Credit freeze provisions that allow consumers to curtail access to credit histories
  • Social Security Number protection laws that require special limitations on the collection, use and display of federal SSNs
  • Secure Disposal Laws that require businesses disposing of records containing personal information to make the personal information indecipherable
  • Information Security Laws with varying protections
  • Identity Theft criminalization and deterrence measures; these either enhance prison sentences or assist identity theft victims
  • RFID bills that prohibit the nonconsensual use or reading of RFID chips; Missouri criminal law against employers requiring implants
  • Genetic privacy – restrictions on the use of test results and the use, disclosure and protection of biometric data
  • Employee Surveillance – two states (DE and CT) have notice rules
  • Locational Privacy – new restrictions on use of GPS-enabled devices

  14. US Privacy Litigation Comes of Age
  • In the absence of actual identity theft or quantifiable harms, the majority of courts reject emotional and dignitary injury and require evidence of concrete, economic harms from privacy violations to support standing and damages claims
  • Courts continue to reject risk-of-harm claims from loss of personal data, but some are finding standing
  • Quantifying the value of privacy continues to be an obstacle for plaintiffs, but three important trends make privacy litigation increasingly risky for corporations:
    • Standing
    • Competitor privacy litigation
    • Collateral data breach litigation

  15. TJX Data Breach Litigation
  • Disclosed in 2007 that in 2005 and 2006 unauthorized intruders accessed computer systems that process cardholder data
  • Settlement reached with 41 state AGs
  • TJX agreed to pay $9.75 million and to implement a comprehensive information security program:
    • Designate an employee to be accountable for the program
    • Replace or upgrade all wired and wireless systems in retail stores to a specified level of security
    • Segment the portions of its computer system that process personal information, including credit card information, from the other parts of its system
    • 120 days to certify compliance
    • Agrees to participate in industry pilot programs to test new security for payment cards

  16. Standing Changes
  • Pisciotta v. Old National Bancorp – 7th Cir., 2007
    • Bank web site breached and customer information lost
    • Plaintiffs claimed potential economic damages and emotional distress, but conceded no direct financial loss or actual identity theft
    • On appeal, the Seventh Circuit disagreed with several district courts and deemed mere fear of future identity theft sufficient to establish standing
  • Ruiz v. Gap, Inc. – N.D. Cal., 2008
    • Laptops containing unencrypted personal information of 800,000 job applicants stolen from clothing retailer
    • Plaintiffs alleged increased risk of future identity theft only
    • District court held plaintiffs had preliminary standing to pursue claim that retailer negligently failed to protect applicants’ personal data

  17. Litigating Competitors’ Privacy Practices
  • Companies can use privacy offensively to stop competitors that neglect privacy concerns
    • In CollegeNET, Inc. v. XAP Corp., 2008 WL 1805539, No. 03-CV-1229-BR (D. Or. Apr. 17, 2008), a company used the Lanham Act to enjoin an online software competitor from engaging in misleading privacy practices
  • Privacy can also be used offensively to hamstring aggressive discovery efforts
  • Certain statutes provide remedies to companies who are harmed by violations of the statute’s requirements. Example: Computer Fraud and Abuse Act, 18 U.S.C. § 1030

  18. Litigating to Recoup Costs of Data Breaches
  • Banks increasingly seek to recoup costs (est. $50-60 per customer) of cancelling and reissuing cards after data breaches. Courts are shifting in banks’ favor.
  • In Sovereign Bank v. B.J. Wholesale Club & Fifth Third Bank, No. 06-3392 (3rd Cir. July 13, 2008), card-issuing banks sued BJW and its merchant bank to recover the cost of issuing new cards after a data breach, claiming breach of contract under a third-party beneficiary theory
    • Third Circuit reversed dismissal of banks’ complaint, holding that banks stated a claim as incidental third-party beneficiaries to the merchant bank’s agreement with VISA
  • Decision may open a route for issuing banks indirectly to recoup costs from merchants
  • May spawn collateral indemnification actions by merchant banks against merchants

  19. Litigation When Services Outsourced
  • In Quon v. Arch Wireless, No. 07-55282 (9th Cir. 2008), the Ninth Circuit held that a public employer violated privacy rights of an employee under the California Constitution by reading text messages sent over an employer-provided pager
    • Pager provided through a third-party telecommunications vendor
    • Formal employer policy provided that employee had no expectation of privacy in pager system
    • But informal employer policy permitted employer to audit employee messages unless employee reimbursed employer for “overage” charges
  • Ninth Circuit held that the informal policy trumped the formal policy and created an expectation of privacy in employees

  20. USA PATRIOT Act Renewal
  • Three key USA PATRIOT Act provisions are set to expire Dec. 31, 2009:
    • Section 215, which allows the FBI to seek an order from the Foreign Intelligence Surveillance Court (FISC) to force a business to turn over customer records for a terrorism investigation
    • the "lone wolf" authority to go after individual terrorist suspects who may not readily be associated with a foreign power
    • roving wiretaps
  • Senate Judiciary Committee approved renewal on October 8, 2009

  21. National Security Letters (NSLs)
  • Allow the FBI to obtain records without any court approval, including from telephone and internet service providers and financial institutions
  • The Second Circuit held that the telecommunications NSL provision, § 2709(c), is unconstitutional to the extent it imposes a nondisclosure requirement on NSL recipients; existing NSLs are still valid
  • No court has ruled on the Fourth Amendment issues regarding the hundreds of thousands of NSLs
  • Judiciary USA PATRIOT Act renewal bill creates a new four-year sunset for currently nonexpiring NSL provisions
    • Effect of sunset would be to put the NSL provisions back to their pre-9/11 status

  22. Governmental Surveillance and Privacy
  • Border Searches: Ninth Circuit expansions of the Border Search Doctrine inhibit international travelers carrying sensitive information
    • Executives traveling from foreign countries often carry clean computers across borders
  • Litigation over alleged corporate involvement in governmental surveillance continues – SWIFT case, NSA Telecommunications Records litigation

  23. Deep Packet Inspection
  • New security technologies, such as deep packet inspection:
    • Create possibilities for analyzing and targeting traffic
    • Effective for recognizing harmful content
    • Require Wiretap Act analysis
  • Behavioral advertising controversy under consideration by Congress and FTC
  • FTC guidance:
    • Transparency and Consumer Control
    • Reasonable Security and Limited Retention
    • Affirmative Express Consent for Material Changes to Promises
    • Affirmative Express Consent for Use of Sensitive Data

  24. Information Governance Will Dominate
  • Paradigm shift in which privacy becomes merely a part of information governance
  • Duties of privacy officers will expand or become subsumed:
    • Information Security
    • Privacy
    • Marketing
    • Customer Sales
    • Records Management
    • eDiscovery

  25. Global Changes Will Impact Business
  • Outsourcing and international IT systems will make the need for international cooperation a necessity
    • OECD, EU DPAs, UN, ITU, ISO, HLCG, APEC
  • What does it all mean?
    • Possibly more “safe harbor” structures?
    • Enhanced enforcement to prove strength of regulation?
    • Uncertainty in international business
    • Privacy Commissioners to consider choice of law issue

  26. Questions?
  Edward McNicholas
  Sidley Austin LLP
  1501 K Street, NW, Washington, DC 20005
  emcnicholas@sidley.com
  (202) 736-8010
  www.sidley.com/InfoLaw

  This presentation has been prepared by Sidley Austin LLP as of October 16, 2009, for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers. Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, London, Hong Kong, and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.
