610 likes | 1.05k Views
Data Privacy & Security Legal Requirements and Best Practices. Deborah Shinbein, Esq., CIPP Data Law Group, LLC. Agenda. Overview of selected privacy/security laws Recommended privacy/security policies Data breach planning and response Monitoring compliance of your service providers
E N D
Data Privacy & SecurityLegal Requirementsand Best Practices Deborah Shinbein, Esq., CIPP Data Law Group, LLC
Agenda Overview of selected privacy/security laws Recommended privacy/security policies Data breach planning and response Monitoring compliance of your service providers This presentation is just a brief overview of applicable laws, security precautions, and other considerations, there are many more!
Initial Assessment • There are numerous different state and federal laws and regulations governing the collection, use, and security of personally identifiable information (“PII”) • Perform an assessment to determine which are applicable to your entity: • What type of PII do you have • From where is the PII collected? • In what format(s) is the PII stored? • How is the PII used today? Future plans? • Is the PII shared with others (service providers, other parties) • From which states/countries is PII obtained?
State Information Security Laws • Many state laws applicable to PII, including security, destruction, use, transfer, and breach notification • Applicable based on either/both: • Location of the data subject (scholarship applicant, donor, etc.), or • Location of the entity • Various definitions of PII in different state laws • Typically SSN, drivers license, credit/debit or financial acct. w/ password • Sometimes other user ID # with password, biometric data, or other identifiers
State Information Security Laws • The most stringent state information security law: MA 201 CMR 17.00 • Requires implementation of a Written Information Security Plan (“WISP”) and specific security measures • Administrative, technical & physical measures • Reasonable collection, storage of PII • Encryption requirements for electronic records • Entities have a legal responsibility to “oversee” service providers: • Take reasonable steps to select and retain providers capable of maintaining appropriate security measures for PII • Contractually require service providers to implement and maintain appropriate security measures for PII
State Information Security Laws • CO 6-1-713. Disposal of personal identifying documents • Public and private entities in CO that use documents containing PII must develop a policy for the destruction or proper disposal of paper documents containing PII • PII means: social security #; personal identification #; password; driver's license or state ID; passport #; biometric data; employer, student, or military ID #; or a financial transaction device.
State Information Security Laws State Information Security Laws • CA requires businesses that own or license PII about residents of CA to: • Implement and maintain “reasonable” security procedures and practices to protect PII from unauthorized access, destruction, use, modification or disclosure, and • Contractually require nonaffiliated third parties that receive the PII to also maintain reasonable security procedures
Employee Privacy • Various state and federal requirements apply to how an entity handles the collection, use, disclosure, safeguarding and disposal of its employee information • Background Checks: The FCRA requires prior disclosure and written consent when an employer requests a consumer report about the individual from a consumer reporting agency • There are special considerations if an employer plans to use the information in the consumer report in connection with an “adverse action” such as not hiring, promoting, rescinding a job offer, etc. • Employee monitoring – various laws require entities to develop comprehensive communications policies that govern the use of employer’s laptops, mobile devices, etc. and to provide employees with clear notice of the entity’s communications monitoring practices.
FERPA – Federal Education Rights and Privacy Act • Applies to any entity with educational data which accepts any amount of funds from the federal government • Covered data: “Student education records” broadly defined: • records, files, or documents that contain information directly related to a student and that are maintained by or for an educational agency or institution • includes PII such as name, address, SSN, DOB, other PII • Requires reasonable security measures to prevent unauthorized access/disclosure of records
FERPA (cont.) • Limits disclosure of education records without written parent or eligible student consent • Consent requirements include: • Written consent including signature and date • Must identify • Specific records to be disclosed • Purpose of disclosure • To whom disclosure may be made (parties/classes of parties) • Certain exceptions to consent requirement • Access by “school officials” with legitimate educational interest • Anonymous or de-identified information • Information provided in connection with financial aid • Provided to schools to which the student seeks to enroll or has already enrolled
FERPA (cont.) • Recent guidance re: “school official” exception • May include third party providers if all requirements met: • Performs an institutional service or function for which the school/district would otherwise use its own employees • Must be under the “direct control” of the school/district regarding use/maintenance of records • Uses records only for authorized purposes (including purpose for which it was disclosed), and not re-disclose PII to other parties without authorization • School/district should enter into a contract restricting the vendor from using PII for unauthorized purposes and provide ability to direct the vendor to use, transfer, or delete records only at the instruction of the school/district • Online terms of services must comply w/ FERPA or the school/district can’t use the exception • Parents/eligible students must be granted access to the records
FERPA (cont.) • Dept. of Education recent guidance re: best practices for contracting w/ online service providers • Establish policies and procedures to evaluate and approve vendors prior to implementation • Use a written contract when possible, to maintain required “direct control” over the use and maintenance of student data • Address data ownership, responsibilities in the event of breach, and minimum security controls • Specify information to be collected • Define purposes for which provider may use information, and limit to those uses • Specify whether school, parents, and students will be permitted to access the data, and describe the process to obtain access • Establish procedures for modifying and terminating the agreement, and how information will be disposed upon termination • Indemnification obligations and what the provider must do to remedy violation of laws/compensate the school for violation • Employ extra caution when using click-wrap terms • Be transparent w/ parents & students about how the school collects, shares, protects and uses student data (in addition to required notices under FERPA and PPRA) • Consider on a case-by-case basis whether obtaining parental consent may be appropriate (even if not required by FERPA)
Gramm Leach Bliley Act (GLBA) • Applies to any “Financial Institution” - defined as any U.S. Company that is “significantly engaged” in financial activities. It regulates management of “personally identifiable financial information” • provided to a financial institution by a consumer or • that results from a transaction or • service performed for the consumer or is otherwise obtained by the financial institution • Safeguards Rule requires companies to develop a WISP that describes their program to protect customer information. • Physical, technical, administrative safeguards • appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles • select service providers that can maintain appropriate safeguards, require this by contract, and oversee their handling of PII • numerous other requirements
Important Security Policies • Organizations with PII or other confidential information should implement certain important policies for data security • Several of the laws and regulatory requirements discussed earlier require a written information security plan (“WISP”), which is an overarching policy about all things data security within the organization • Best practices mandate additional policies and procedures to ensure employees are aware of requirements, to prepare for breaches, to address other matters not included in the WISP
Written Information Security Plan • WISP should contain the following basic terms, although requirements vary based on specific laws/regulations: 1. Definition of information covered (applicable laws) • State laws - personal information (typically SS#, drivers license, credit card, account information) • GLBA - consumer financial transaction data • HIPAA – protected health information • PCI - cardholder data
Written Information Security Plan (Cont.) 2. Designate a Data Security Coordinator • Required duties vary based on laws/regulations: • Implement and enforce the WISP • Train employees • Evaluate vendors for security compliance • Grant appropriate access • Test the WISP’s security measures • Evaluate and revise the WISP annually • Document potential and actual security breaches and measures taken
Written Information Security Plan (Cont.) 3. List organization’s internal risk mitigation procedures • Distribute WISP to all employees, get written acknowledgement of receipt • Limit access to customer and employee records (by person, location, remote) • Procedures to eliminate access for terminated employees • Password policies • Reporting obligations (suspicious access, requests, uses)
Written Information Security Plan (Cont.) (Internal risk mitigation, continued) • Clean desk policy • Security breach plan and procedures • Each department must implement its own rules re: safeguarding records within that department • Limit which employees have remote access to systems • Record retention and disposal policies • Physical access restrictions (visitors, badges, etc.)
Written Information Security Plan (Cont.) 4. List company’s external risk mitigation procedures • Network firewalls • Regular updates to system security software, malware protection, operating system patches, etc. • Procedures to monitor computers and network for unauthorized use of records • Strong authentication procedures • Encryption requirements for records (in transit, at rest, on all devices)
Written Information Security Plan (Cont.) WISP Worksheet (handout) • Complete what you can now • Take the worksheet back to your office to discuss with others and complete. You may need to meet with representatives from: • Scholarship administration • IT • HR • Accounting/finance • Marketing
Employee Device Policy (“BYOD”) • Security risks posed by allowing employees to use their own laptops, smartphones or tablets to perform work for the company • Major risks: • Loss of devices • Insecure devices/networks allowing remote access • Unauthorized parties accessing devices
BYOD Policies (Cont.) Consider requiring remote device management software: • Remote deletion capabilities • Lost/stolen • Designated # inaccurate password attempts • Security software to ensure storage and transmissions are in accordance with the firm’s security standards • Automatic remote backups of the device on a regular basis
BYOD Policies (Cont.) Terms to consider for BYOD policies (tailor for business needs and data): • Limit the type of information that may be accessed from personal devices • Require that certain information be encrypted • Employees must immediately report suspected loss or theft • Prohibit storing the company’s information in cloud storage services other than those provided or approved by the company • Employees must consent to the employer’s access to the device’s data if needed for legal reasons • Consider limiting type of devices employees may use for work
BYOD Policies (Cont.) Potential terms, continued: • Consent to employer monitoring of the device if appropriate • Procedures regarding the employee’s termination • Limitations for using devices on unsecured public wi-fi networks • Prohibit using personal email accounts for work • Requirements regarding the device’s internal security settings and which alterations, if any, may be made • Strong passwords (company policy) • Two factor authentication for company accounts
BYOD Policies (Cont.) Potential terms, continued: • Require implementation of all system updates • If automatic backup is not possible, establish manual backup procedures and frequency • Restrict use of the device by friends and family (or establish a separate walled user log-in for company information) • Other terms as applicable depending on the nature of the data and your company’s needs • Require employees to sign the BYOD policy • Some provide firm-owned devices to employees, giving the company greater control and rights
BYOD Policies (Cont.) BYOD Worksheet (handout) • Complete what you can now • Take the worksheet back to your office to discuss with others and complete. You may need to meet with representatives from: • IT • HR
Email/Network Use Policy • Limit use of company email for company functions • No emailing confidential data, applications containing PII, etc. unless encrypted • If you receive confidential information via email, delete the message, notify the sender of the company’s policy and require encryption next time • Do not have email forwarded to a non-company account • Require archiving and deletion of email according to company schedule • Company may monitor email and network use at any time and without notice
Email/Network Use Policy (cont.) • No use of network to transmit unauthorized files/information • No downloading software unless approved by IT dept. • Outside devices may not connect to company network • Recommend a separate guest network • Cloud storage only as approved by IT dept. • Remote connection to network through VPN whenever possible • Other requirements based on the nature of the company and data
Email/Network Use Policy (cont.) Email/Network Use Worksheet (handout) • Complete what you can now • Take the worksheet back to your office to discuss with others and complete. You may need to meet with representatives from: • IT • HR • Administration • Others? (understand unique departmental needs)
Password Policy Require strong passwords on all computers/devices used by employees (company owned or employee owned) • Require new passwords at least every 90 days • Use a company database/system to track changes and require new passwords each time (no repeats) • Complexity requirements – contain at least 4 of the following: • Upper case letters • Lower case letters • Numbers • “Special” characters (e.g. @#$%&) • Punctuation marks • At least 10 (TBD) alphanumeric characters
Password Policy (cont.) Do NOT use passwords with the following characteristics: • A word found in a dictionary (English or foreign) • Name of family, pets, friends, co-workers, fantasy characters, etc. • The company’s name, a nearby city name or derivation • Computer terms and names, commands, sites, companies, hardware, software • Birthdays and other personal information such as addresses and phone numbers • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321 • Any of the above preceded or followed by a digit (e.g., secret1, 1secret) • Any of the above spelled backwards
Password Policy (cont.) Additional password recommendations: • Always decline the use of the "Remember Password" feature of applications • Use different passwords for company accounts from other non-company access • Use different passwords for various company access needs whenever possible • Do not share company passwords with anyone, including administrative assistants • Passwords should never be written down or stored on-line without encryption
Website/Mobile App Privacy Policy • Essential terms to include • Data collected (how/when collected) • How the data is used • Under what circumstances is data shared (and with whom) • Avoid over-promising “we will never share your data” • Ability for users to modify/delete their PII • Ability to opt-out of sharing with third parties, use for marketing, etc. • Notice of material changes • No use inconsistent with original policy unless notice and choice • Disclosures if using cookies/similar tracking technologies • CA required disclosures: • How site responds to browser do not track signals • Use of cookies to track users across sites • EU: must disclose use of cookies and obtain consent • Consent to transfer to U.S. if applicable • Effective date (governs all data collected under that policy) • Contact information
Website/Mobile App Privacy (cont.) • FTC enforcement actions – must follow your own privacy policy, no deceptive or unfair practices • Not having reasonable data security has been deemed unfair/deceptive • Enforcement re: failures leading to security breaches
Other Policies to Consider • Data Retention Policy • Data Destruction Policy • Remote Access Policy • Backup Policy • Social Media Policy • Many others…
Before a Breach Occurs • Limit the type and amount of personal data collected • Don’t use SSN as identifier • Is DOB really necessary? • Evaluate other identifiers • Employee measures • Restrict who has access to personal data • Train staff re: how to spot a breach, what to do if a breach is suspected • Monitor data access and use on ongoing basis • Use software to notify of: • Outside access requests (potential hackers) • Suspicious patterns of use • Unusually large access requests/downloads • Access by unauthorized departments
Before a Breach Occurs (cont.) • Segregate data to limit risks • Use separate networks, firewalls, access controls • Encrypt data (eliminates many notification requirements) • Data destruction • Schedule for destruction; all types of data/formats • Compliance with state laws (shred, erase, make unreadable) • Evaluate cyber liability insurance • Be sure to read exclusions carefully!
Create a Breach Plan Draft a Breach Plan including the following: • Company contacts: • Designate an incident response team and the team lead • Other individuals (management, board, IT dept., etc.) • Include all means of contact for all individuals to be notified: cell/home/work phone, multiple email addresses, to be used 24x7 • External parties to be notified • Third parties for whom you process data • Third parties storing/processing your data • Law enforcement if applicable • Criteria to assess which notification laws are triggered • Data forensics specialist to contact for investigation • Evaluate several options and enter a contract in advance • Attorney to assist if a breach occurs • PR firm to manage media coverage if applicable • List of states from which the entity has personal information triggering notification requirements (update frequently)
Create a Breach Plan (cont.) • List steps to take immediately: • Document the date and time the breach was discovered • Document everything known about the breach (who discovered/reported, who is aware of it, how it was discovered, any evidence, etc.) • Secure the premises or take other measures to preserve evidence • Assess what data may have been accessed • Analyze backups or reconstructed data sources • Ascertain the number of people who may be impacted and type of information accessed • Take steps to identify specific individuals’ data potentially compromised • Contact data forensics expert • Contact outside breach counsel • Contact PR representative (if media coverage is likely)
Breaches – Immediate Actions (cont.) • Remediation: • If lost device – implement remote deletion (after consultation with data forensics) • If network breach – contain the breach as feasible • Terminate outside access to the network • Review log files for suspected intrusions/IP addresses • If an identifiable system has been compromised: • Before shutting down system, collect evidence (pursuant to instructions of data forensics specialist): • Make a list of processes running on the system • Check status of network interface • List all listening ports and active network connections • Make exact copies of compromised system’s hard drive
Breaches - Notification • Legal notification requirements • State requirements • Based on location of the data subject, not the company • Additional requirements for other laws • Tricky issues: • Various definitions of what triggers notification • Carve-outs for encryption in some states • PII triggers vary in different states • Timing • Some states require notification within X days • Most merely require notice as soon as possible • Notification may be delayed if it may interfere with investigation • Additional third party notifications required • Vary among states • State attorney general, credit bureaus, etc.) • Content of notification varies among states • Some require specific elements, others prohibit certain details
Breaches – Notification (cont.) • Alternate notice in some cases • Mail/printed notices typically required • Electronic (email) often allowed if that is the primary means of communication (laws vary) • Publication in media in some states, if substantial number of consumers and unable to reach many via mail or email • If a substantial number, evaluate whether a call center’s services would be helpful • Evaluate whether to obtain credit monitoring or other services for impacted consumers • If you may want this, negotiate pre-breach for better rates • Most consumers don’t take advantage of this even if offered
You Can’t Outsource Compliance • When companies use third party vendors to collect, process, or provide other data management services, the company is responsible to ensure the vendors maintain security practices in accordance with applicable laws and regulations governing the company’s PII • Take adequate internal precautions to prevent unauthorized access to data and networks by your vendors • Before engaging a vendor, be sure it can comply on your behalf • According to a study published by PwC in Nov. 2013: “Although 71% of companies expressed confidence that their security activities are effective, only 32% require third-parties to comply with their policies.”
Selecting a Provider – Due Diligence • When choosing third party service providers who will have access to PII, ask for the following (as applicable): • Require them to complete a vendor compliance questionnaire • Legal compliance documentation • Data security measures (copy of their WISP if possible) • Network, firewalls, encryption standards, backups, etc. - may potentially include dozens of questions as needed (or more) • Third party audits and certifications • Employee training, background checks, confidentiality policies • Cyber insurance • Location of data centers • Visit their facilities, meet the team • Obtain and check customer references
Negotiating Vendor Contracts • Key considerations: • Contractually shift responsibility when you trust an outside entity with data • Evaluate whether to include specific/detailed requirements or merely require compliance with “applicable laws and regulations”
Negotiating Vendor Contracts Restrictions on vendor access and use of PII • Specify use parameters - only in the performance of this agreement • List permitted means of access • How data will be transferred to/from vendor, etc. • Timing limitations
Negotiating Vendor Contracts Information Security Requirements • Specific IT measures to comply with acceptable industry practices: • encryption of data (in transit, at rest, web-facing applications) • firewalls • network security • mobile security • access controls/authentication • segregation of vendor’s data/systems • vendor application of latest security patches • Employee background checks/training • Limit physical access to facilities • Other requirements based on applicable laws • Data centers: location requirements needed if processing PII or ePHI to comply with data import/export regulations and local laws