Privacy, Data Protection, and Cybersecurity: Developments and Strategies
Edward McNicholas, SIDLEY AUSTIN LLP
Agenda
• The Imperative of Information Governance
• Cybersecurity
• The Evolution of US Privacy Law
• New EU Data Protection Regulation
• Privacy Litigation and Enforcement
• Cloud Computing
• Social Media
• Governance Strategies
Data Security: Atop the Corporate Radar • According to the FTI Consulting/Corporate Board Member Survey: • Data security is the top legal concern in 2012 for both Directors and General Counsel • The percentage of Directors and GCs concerned about data security has doubled since 2008 • The median annualized cost of cyber-crime per company was $5.9 million • Survey participants described cyber risks as invisible, ever-changing, pervasive, and costly • Only 42 percent of survey participants said their company had a data crisis management plan in place
Corporate Practices on Cybersecurity: Lack of Board Involvement Governance of Enterprise Security: CyLab 2012 Report • Boards of Energy/Utility Companies • 71% rarely or never review privacy and security budgets • 79% rarely or never review roles and responsibilities • 64% rarely or never review top-level policies • 57% rarely or never review security program assessments • Boards of Financial Sector Companies • 42% rarely or never review annual privacy/security budgets • 39% rarely or never review roles and responsibilities • 56% do not actively address computer/information security • 52% do not review cyber insurance
The Reality Facing Global Corporations
• The broad complexity and wide variety of national (and sub-national) privacy and data security laws complicates compliance
• Significant cultural and legal differences exist in the meaning and nuances of privacy and data protection
• Achieving compliance with overlapping federal, state, national, sub-national and multilateral rules is complex and burdensome
• A trend toward stricter, more prescriptive laws, with more complexity and greater enforcement, appears likely
• Cybersecurity threats have evolved from hackers and identity thieves to groups with the potential to inflict material harm
The Cost of Getting Governance Wrong
• Breaches and data incidents can be extremely painful
• Hard costs: notifying affected individuals, credit monitoring, investigation and legal fees
• Potential costs: FTC, State AG, and regulatory investigations; class actions by data subjects; litigation with business partners over hard costs; legal defense fees
• Enterprise value risk from cybersecurity exposures
• Brand/reputation harm: charges of deceptive or unfair business practices; lost confidence and uncertainty among clients and employees; lost profits or business partners
Cybersecurity • Cyber attacks against Google (which it attributed to China) were a "wake-up call" about vulnerabilities that could cripple the US economy (Dennis Blair, U.S. Director of National Intelligence) • Sophisticated foreign or competitive hacking, system penetration, network intrusion • “Advanced persistent threat” • Government contractors, regulated entities, etc., could have specific legal, regulatory or contractual requirements to safeguard and/or notify of intrusions • Employee training and awareness critical to prevent, detect and abate cyber-risks
Not Just National Security: Corporate Data at Risk • DHS announcement in May 2012 of ongoing, coordinated cyber attack on the control systems of U.S. gas pipelines • NCIX report in 2011 detailing economic cyber sabotage against U.S., originating in China or Russia • 2011 hack of top secure identity management firm RSA through phishing emails • Hack in 2011 of NASDAQ “Directors Desk” portal with confidential board materials for public companies • McAfee’s claim in 2011 that Chinese hackers responsible for cyber attacks on 72 international firms and the UN over a 4 year period • DoD revelation in 2010 of upload in 2008 of malicious code from flash drive onto networks containing classified information run by U.S. Central Command and government contractors • Spike in industrial espionage reported by NCIX to cost as much as $400 billion each year
Notable Victims of Hacking Attacks • Global Payments (March 2012) – 10 million records • Zappos (January 2012) – 24 million records • Sony (May 2011) – 25 million records • Sony (April 2011) – 77 million records • Heartland Payment Systems (2010) – over 100 million compromised credit cards ($100 million settlement fund established) • RockYou (Dec. 2009) – 32 million records • TJX (Jan. 2007) – 94 million records • CardSystems (June 2005) – 40 million records
What’s at Risk?
• Valuable IP assets, proprietary information, business, transaction and negotiating records, financial data
• Account information and access to funds
• Disruption of business
• Debilitating impact on critical infrastructure and essential services: communications; supply chain management; SCADA (supervisory control and data acquisition) and other industrial control systems (ICS), i.e., computer systems that monitor and control industrial, infrastructure, or facility-based processes
• National security
Congress on Cybersecurity • Numerous bills proposed in the past year; none passed. • Minimal consensus: • Combating cyber-attacks is a national priority • Critical infrastructure must be protected (utilities, electrical grid, telecommunications, financial services, defense contractors) • Not enough is being done by the private sector to address risks • FISMA must be updated • House action on 3 bills put the onus on the Senate • Threat of presidential veto for the House CISPA bill • Executive Order likely • Effects on the private sector
SEC Cybersecurity Guidance • Corporation Finance guidance issued Oct. 13, 2011 • Cyber attacks: • Target theft of financial assets, intellectual property, other sensitive information • Customer or business partner data could be implicated • Objectives could include disrupting business operations • Disclosure if cyber-risks “are among the most significant factors that make an investment in the company speculative or risky” • Consider frequency of prior incidents and probability and potential harm of future incidents • “Specify how each risk affects the registrant” • Avoid generic language
International Attention to Cybersecurity • The fundamental difficulties of attribution • Budapest Convention on Cybercrime • Only international treaty addressing computer crimes • Drafted by Council of Europe; signed by 47 countries (ratified by 33) • Signed in 2001; in force since 2004; ratified by U.S. in 2006 • Attempt to harmonize national laws, improve investigative techniques, increase cooperation • Inadequate for scale of current threat • NATO: “Strategic Concept for the Defence and Security of The Members of the North Atlantic Treaty Organization” • Adopted at Lisbon summit in 2010 • Cooperative Cyber Defence Centre of Excellence (CCDCOE) • White House Report on “International Strategy for Cyberspace”
EU on Cybersecurity • European Union’s Council Framework Decision on attacks against information systems • Mirrors the Budapest Convention; binding on Member States • Digital Agenda for Europe • Improve the EU’s ability to prevent, detect and respond to network and information security incidents • European Network and Information Security Agency (ENISA) • To ensure a “high and effective level of network information security” in the EU; mandate extended through 2020; creation of an EU CERT • Establishment of the European Cybercrime Centre (EC3) at Europol • The Hague, Netherlands, January 2013 • Member State initiatives • France, Germany, Netherlands, UK, etc.
EU on Cybersecurity Cont’d • EU-US Cooperation on Cybersecurity • Challenge: fundamentally different views of privacy lead to different approaches to both data protection and cybersecurity • EU-US Working Group on Cyber-Security and Cyber-Crime • Established in November 2010 to work collaboratively on coordinated responses to: • Cyber incident management • Public-private partnerships • Awareness raising • Cybercrime • First joint EU-US cybersecurity exercises (defense stress tests) conducted in November 2011
China on Cybersecurity • U.S.-China Economic and Security Review Commission Report on Chinese Cyber Capabilities (March 2012) • Threats posed both by the Chinese military and by nongovernmental actors • Reports that the Chinese military relies on “civilian universities[,] private commercial IT firms … or hundreds of smaller niche firms” as collaborators • “Supply chain” threat: concern that some Chinese manufacturers selling equipment or parts to intelligence targets will place code within the devices, giving Chinese military or intelligence actors a means of intercepting communications traffic • May 2012: US and Chinese defense ministers Panetta and Liang agree to work together to strengthen cybersecurity in both countries
Privacy Paradigms and Problems • American data protection model versus European • US: Relatively flexible regulation combined with federal and state enforcement and private litigation • Rigorous state data breach and data security laws (e.g., MA, CA) • Corporate compliance infrastructure and accountability; outside scrutiny • EU: Prescriptive regulations with greater regulatory involvement • Trends and Issues: • Privacy surprises (WSJ “What They Know” series) • Data breach/ID theft; cyber-attacks • Online data collection, behavioral ads, tracking, location • Cookies, smart phones, mobile apps, social media, children • Cloud computing, conflict of laws, government access
Overview of U.S. Privacy Law • No comprehensive federal privacy statute • In U.S., privacy is regulated via: • Federal sector-specific and ad hoc statutes and regulations • FTC regulation and enforcement • State laws, AG enforcement actions and private litigation • Industry self-regulation through company privacy policies, and association codes • Changes likely in Washington, but no comprehensive statute on the horizon
Existing Privacy and Data Security Laws • FTC Act (“unfair or deceptive”); GLBA (financial); HIPAA (medical) • Do not support private rights of action • Lanham Act • Electronic Communications Privacy Act (ECPA) • Computer Fraud and Abuse Act (CFAA) • Privacy Act, Fair Credit Reporting, Video Privacy, Educational Records, Drivers Privacy, Court Filings, FISMA, etc. • State Unfair or Deceptive Acts and Practices Statutes (UDAP) • State Statutory (or Constitutional) Privacy Rights • State (and Federal) data security and data breach laws • Common Law Negligence • Common Law Privacy Torts
Federal Sectoral Legislation and Regulation • Gramm-Leach-Bliley Act of 1999 (GLBA) • Regulates privacy of personally identifiable, nonpublic financial information disclosed to non-affiliated third parties by financial institutions • Requires administrative, technical, and physical safeguards • Health Insurance Portability and Accountability Act of 1996 (HIPAA) / Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) • HIPAA rules protect confidentiality and security of medical information in the hands of “covered entities” and “business associates” such as healthcare providers, hospitals, employer-sponsored health plans, etc.
Communications Privacy Electronic Communications Privacy Act (ECPA) • ECPA governs interception (“wiretap”), access to and disclosure – by government and/or private entities – of contents of communications, or transactional and routing information related to communications, by providers of communications services and remote computing services Computer Fraud and Abuse Act (CFAA) • Prohibits hacking or accessing computers in violation of, or in excess of, authorization Telecommunications Act • “Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers”
Data Breach Statutes • Data breach notification laws are pervasive • 46 states, DC, Puerto Rico, the Virgin Islands, and Guam have breach notification requirements • Some states require reporting to government agencies • Triggers Vary • Risk of harm • Pure acquisition • Encryption remains a key issue • Creates safe harbor from many state data breach notice laws • Laptops, portable media (such as USB drives) • Wireless transmission; transmission over public network
Data Breach Legislation Developments • Federal • Data Security and Breach Notification Act • Introduced by 5 Republican Senators on June 21 • State • Vermont, effective July 1 • Must notify AG in 14 business days if “reasonable belief” of breach • But may notify AG if prior, written attestation that incident response policies and procedures are consistent with Vermont law • Factors for identifying acquisition • Connecticut, effective October 1 • Notify AG no later than the time notice is provided to residents
State Data Security Standards • Massachusetts: • Regulation 201 CMR 17.00 • Requires anyone that owns, licenses, stores or maintains resident’s personal information to develop and implement a written comprehensive information security program • Requirements passed through to vendors • Nevada: • PCI-DSS standards codified into law
State Issues To Watch • Social Security Number Protection laws that require special limitations on the collection, use and display of SSNs • State “Unfair and Deceptive Acts and Practices” (UDAP) Statutes • Secure Disposal Laws requiring secure disposal of personal data records • Privacy Torts: privacy invasions, negligence, misappropriation, defamatory speech, trespass to chattels, stalking, etc. • RFID bills that prohibit the nonconsensual use or reading of RFID chips • Medical or Genetic Privacy: restrictions on the use of test results and the use, disclosure and protection of biometric data • Employee Surveillance: DE and CT have notice rules • Locational Privacy: restrictions on use of GPS-enabled devices • Behavioral Tracking and Advertising
Privacy in Congress • Cybersecurity Legislation • ECPA & USA PATRIOT Act Revisions • Sen. Kerry and McCain effort to pass omnibus privacy legislation • Fair information principles-based, omnibus privacy bill • Right for data subjects to receive a clear and concise notice of uses that they might not reasonably anticipate • Opt out of unanticipated uses of PII; opt in consent required for uses of sensitive PII or third party transfer • Mechanism for individuals to access and correct PII • New Commerce Office of Commercial Privacy Policy • Enforcement by state Attorneys General and FTC
Administration and Agency Initiatives • Inter-agency “Subcommittee on Privacy and Internet Policy” as part of National Science and Technology Council’s Committee on Technology • Focusing on commercial privacy policy issues • Addressing global privacy policy challenges and pursuing interoperable international policies • Coordinating Administration positions on privacy and Internet legislation • Department of Commerce Green Paper • FTC Staff Report
White House Plan: A Consumer Bill of Rights Based on Fair Information Practice Principles (FIPPs) • Individual Control, Transparency • Respect for Context • Security, Access and Accuracy • Focused Collection, Accountability BUT: • Does not really depend on Congressional action • Relies on FTC for enforcement • Does not include “Privacy by Design” • Promotes industry self-regulation • Tasks NTIA (Commerce): “to convene stakeholders, including our international partners, to develop enforceable codes of conduct that build on the Consumer Privacy Bill of Rights.”
Privacy Impact Assessments (PIAs) • PIAs would “require organizations to identify and evaluate privacy risks arising from the use of personal information in new technologies or information practices” • The Department of Commerce Green Paper contemplates that such PIAs would be “prepared in sufficient detail and made public” • Purpose for PIAs • To “create consumer awareness of privacy risks in a new technological context” • To “help organizations to decide whether it is appropriate to engage in the particular activity at all, and to identify alternative approaches that would help to reduce relevant privacy risks”
Federal Trade Commission (FTC) • FTC is de facto federal privacy enforcement authority under FTC Act Section 5 (15 U.S.C. § 45) • FTC charged with preventing "unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce" • FTC enforces against companies that engage in the “deceptive” practice of failing to adhere to their own privacy and/or information security policies • FTC enforces against companies that engage in the “unfair” practice of failing to provide adequate security for consumer data • FTC enforces Gramm-Leach-Bliley Act; Fair Credit Reporting Act; Children's Online Privacy Protection Act
FTC Vision of Privacy By Design • Promote consumer privacy throughout the organizations and at every stage of the development of the products and services • Incorporate substantive privacy protections into practices, such as: • data security • reasonable collection limits • sound retention practices, and • data accuracy • Maintain comprehensive data management procedures throughout the life cycle of products and services
Three Key Principles from the FTC
• “Privacy by Design”
  • Internal safeguards by commercial entities
  • Comprehensive business privacy programs
• “Simplified Choice”
  • “Just in time” notice and consumer choice
  • Standardized exceptions to notice and choice
  • Do Not Track (national analog to Do Not Call)
• “Greater Transparency”
  • Consumer access to, and ability to correct, personal data
  • Prominent notification and express affirmative consent required from consumers before a company uses consumer data in a materially different manner than notified at collection
Current Status in the European Union • EU Data Protection Directive (1995) • Limits on collection, processing, transfer, and export • EU member states prohibit or restrict transfers of personal information to the United States unless certain compliance mechanisms are in place • EU standards (derived originally from U.S. and OECD fair information principles) require: • Notice of collection and use of personal information • Choice (consent) to uses of information • Access to information to review, correct or expunge • Integrity/security of data • Enforcement/redress of privacy rights • Member states differ significantly in approach • Other Directives: e-Privacy; Data Retention • Member State implementation
EU Proposed Data Protection Regulation
• Proposed EU Data Protection Regulation released on January 25, 2012
• Aims to increase harmonisation throughout the EU and reduce burdens and costs
• Regulation will replace the existing EU Data Protection Directive
• May be adopted around 2014 following consultation with the Council of Ministers and European Parliament
• Will apply to non-EU-based businesses selling to, or monitoring the online behaviour of, EU residents
Proposed EU Data Protection Regulation • Greater Enforcement • Fines up to 2% of annual worldwide turnover • Class Actions • Consumer organisations may bring class actions (“collective redress”), even without individuals’ consent • Data Breach Notification • Possible 24-hour deadline (notice to DPAs; individuals) • Consent • Data controller has burden to demonstrate consent (which may be withdrawn at any time) • Validity of consent undermined where there is a significant imbalance of power • Right to be Forgotten • Right of Data Portability
Proposed EU Data Protection Regulation • Accountability and Privacy by Default/Design • Process only as necessary for specified/disclosed purposes • Retain data for the minimum time necessary • Restrict access to those with a legitimate need to know • Data Protection Notifications Streamlined • DPAs no longer must be notified of data processing activities; but prior consultation required for data protection impact assessments • Data Protection Impact Assessments • Conduct impact assessments where processing poses specific risks (e.g., health data)
EU Developments • Article 29 Working Party guidance to encourage use of cloud services. • Requires data controllers to conduct a comprehensive risk analysis of cloud providers • Cloud providers must ensure adequacy of organizational and technical measures • International transfers must be legitimated • Transparency required in subcontracting • Article 29 Working Party issued working document on Binding Corporate Rules for data processors, WP 195 • Previously, BCRs only for data controllers; now, more streamlined method for global companies who act as service providers to process data for EU clients • Article 29 Working Party issued opinion analyzing cookie exemption in e-Privacy Directive • Directive requires prior opt-in consent for cookies. Exemption applies if (1) user requests service with cookies or if cookies are necessary to provide service; and (2) cookies expire when no longer needed • Opinion lists specific cookies that are exempted
EU International Transfer Rules • Transfers permitted only to countries with “adequate” level of protection (unless mechanism below in force) • The decline of consent • US-EU Safe Harbor • Mounting EU skepticism • Model Contracts • Binding Corporate Rules (BCRs) • The Rise of Binding Corporate Rules • Effectively exports EU law to the entire organization
EU Member State Developments • France: • Data breach notification guidance for electronic communication providers • Describes specific circumstances when CNIL notification is required • Procedures for notifying CNIL • Cloud computing guidance also issued • Generally consistent with Working Party guidance • UK • ICO’s largest data breach penalty ever • Imposed on Brighton and Sussex University Hospitals NHS Trust • Breach of health data on hard drives sold at auction in 2010 • Draft “Anonymisation Code of Practice” • How to structure the anonymisation process • How to avoid re-identifying an individual • Renewed investigation of Google Street View
Recent Non-EU Developments • Australia: • New data protection legislation pending (Privacy Amendment) • Data breach notification guidance issued • Notification of individuals and Office of the Australian Information Commissioner is “highly recommended” for breach • Breach trigger: “real risk of serious harm” • 4 steps for incident response • China • Amendments to Internet and Mobile Devices regulations • Philippines • New Data Privacy Act modeled on EU/APEC
Examples of Litigation Exposure • Customer whose bank funds were stolen by hackers alleged that the bank did not do enough to prevent the hack • Patco Construction Co. v. People’s United Bank (D. Me.) (summary judgment granted to def., 2011) • Anderson v. Hannaford Bros.: hack of credit card magnetic stripe data; merchants have an implied contractual duty to safeguard customer financial data • Bank sued to avoid refunding customer funds taken from their account by Romanian hackers using valid credentials • PlainsCapital Bank v. Hillary Machinery, Inc. (E.D. Tex.) (settled, 2010) • Data breach litigation following cyber attacks • E.g., class actions filed against Sony after the PlayStation hack • Failure to safeguard could expose boards to shareholder suits alleging negligence or breach of fiduciary duty • Delaware Caremark decision: duty of care to safeguard digital assets?
Privacy at the U.S. Supreme Court in 2012 • First American Financial Corp. v. Edwards • Supreme Court dismissed its writ, leaving Ninth Circuit ruling in place • The Ninth Circuit panel held, in effect, that an alleged technical violation of RESPA could create Article III standing; that is, the case could proceed regardless of whether a particular plaintiff was actually harmed • U.S. v. Jones • Raised property theory of Fourth Amendment protections • Several Justices openly questioned prevailing analysis • FAA v. Cooper • “Actual damages” does not include non-pecuniary losses like emotional distress or humiliation • No waiver of sovereign immunity, notwithstanding minimum statutory damages of $1,000
Difficulty for Plaintiffs: Showing Harm or Damages • Federal and State courts have shown: • Standing/cause of action is difficult to establish where no statutory violation or concrete harm is alleged • Standing/cause of action is easier for statutory violations, or where there are concrete allegations of tangible harm • But Plaintiffs still face an uphill battle to show that they are entitled to relief
Privacy and Data Breach Awards
• $100 million settlement fund established by Heartland Payment Systems for Visa and MasterCard customers (over 100 million compromised credit cards) (2010)
• $10 million settlement between ChoicePoint and shareholders (inadequate security; compromise of over 13,000 consumer records) (2010)
• $9 million settlement between Netflix and customers (release of video records and payment information) (2012)
• $8.5 million settlement between Google and customers (privacy violations concerning Google Buzz) (2011)
• $5 million settlement between BMW and customers (recording customer calls without consent) (2012)
• $2 million settlement between Adaptive Inc. and NY Attorney General (improper collection of credit card information from third-party retailers) (2012)
FTC Recoveries
• $30 million court order against “Cash Grant Institute” (2.7 million robocalls to parties on the Do Not Call registry) (2012)
• $15 million settlement with ChoicePoint (improper provision of PII and consumer reports to non-legitimate users) ($10 million civil penalty plus $5 million consumer redress) (2006)
• $11 million settlement with LifeLock (misrepresenting identity theft safeguards) (2010)
• $2.9 million settlement with ValueClick Inc. and Hi-Speed Media (CAN-SPAM Act allegations) (2008)
• COPPA penalties: Playdom, Inc. ($3 million, 2011), RockYou ($250,000, 2012)