The State of US State Privacy Laws: An Update & Eye Opener
December 4, 2018
SPEAKERS
Robert Jett, Senior Privacy Consultant
Rebecca Perry, CIPP US/G, Director of Professional Services
Phil Yannella, Partner
Colorado’s Protections for Consumer Data Privacy Law
Top Things to know:
• Colorado Residents (Employees & Consumers)
• Reasonable Security Measures
• Routine Document Destruction
• Third-Party Service Provider Controls
• Data Breach Notification Policy
California’s Consumer Privacy Act
Top Things to know:
• Applicability
• California Residents (Employees & Consumers)
• Dramatically Expands Privacy Rights
• Fines for Violations
• Private Right of Action
• Data Retention & Disposal
• Accountable for Third Parties
• 12-Month Look Back
New York State’s DFS Cybersecurity Regulation (23 NYCRR 500)
Top Things to know:
• Formalize Cybersecurity Program
• Annual Board Certifications
• CISO Reporting to Board
• Data Retention & Disposal
• Cybersecurity Awareness Training
• Third-Party Due Diligence
South Carolina (First State to Adopt NAIC’s Model Data Security Law)
Top Things to know:
• Resembles NYS DFS 23 NYCRR 500
• 72 Hour Data Breach Notification
• Board Oversight
• Commissioner Certification
• Define Retention & Disposal Schedule
• Third-Party Due Diligence
Ohio’s Data Security Law
Top Things to know:
• Provides Liability Shield
• Recognized Cybersecurity Framework
Illinois Biometric Information Privacy Act (BIPA)
Top Things to know:
• Enacted in 2008
• Protects Individuals’ Biological Data (retina scan, fingerprint, voiceprint, handprint, face geometry, etc.)
• Retention & Destruction Guidelines
• Third-Party Oversight
• Recent Focus of Plaintiffs’ Bar
Is a US Federal law on the horizon?
The Plaintiffs’ Bar’s Campaign to Expand Data Privacy and Security Litigation
Pennsylvania Ruling May Open Floodgates for Plaintiffs’ Attorneys
The justices ruled that the University of Pittsburgh Medical Center's collection of sensitive personal information from workers in the course of their employment meant that it had a common law duty to exercise "reasonable care" to protect that information.
"It's likely that the plaintiffs bar will be all over this and we'll see a new rash of lawsuits," Jeskie said. "I suspect they'll be trying to use the opinion to expand the common-law duty beyond sensitive employee data as well."
"Certainly I think there's going to be an uptick in litigation because of this ruling," he told Law360. "This certainly is a groundbreaking decision in Pennsylvania, and it might be a decision that's utilized by lawyers in other states to try and extend precedents there," he said.
“What is reasonable will be further defined through the case law that evolves as a result of the enforcement of this law as well as other state laws with the same or similar standard.”
- Annie Skinner, Spokeswoman with CO Attorney General’s Office
Establish Routine Compliance Processes
• Program Stakeholders
• Up-To-Date Data Inventory
• Privacy by Design
• Vendor Risk Profiling
• Data Retention & Deletion
• Data Subject Access Requests
• Information Security Enhancements
Develop a Sustainable Data Inventory (example processing activity: HR Onboarding)
Applicability: All Processing Activities | All Media Types | All Locations | All Retention Requirements
Data Subjects: Current Employees | Past Employees | Job Candidates | Minors/Children | Beneficiaries
Personal Data: First/Last Name | Background Check | Immigration/VISA | Professional License | Date of Birth | National ID # | Marital Status | Trade Union Membership | Veteran Status
Collection: Web Form | Email | Paper Form
Applications: SAP | Office 365 | M-Files
Departments: HR - Benefits | Finance - Payroll | HR - Recruiting | Distribution Operations | Legal & Compliance
Locations: Shared Drives | Laptops | Email | File Cabinets | Third Parties
Retention (Payroll Records, Personnel Records, Recruiting Records): AUT 7 Years | BEL 5 Years | NLD 5 Years | ITA 5 Years | USA 7 Years
Vendor Risk Profile: Identify Regulatory Applicability & Risks
Vendor tiers: Priority/Regulated Vendors | High-Risk Vendors | Non-Regulated Vendors
1. Comprehensive Assessment (NIST CSF, NIST SP 800-171, COBIT or ISO 27000) for Priority/Regulated Vendors; Requisite Reporting for High-Risk Vendors
2. Utilize Other Approaches
Repeat
Third-Party Diligence: Top 10 List
• Onboarding diligence
• Categories of Data Touched & Access Granted
• Specific Data Processing Activities
• Information Security Policy & Program
• Disaster/Business Continuity Planning
• History of Enforcement or Breaches
• Breach Detection, Notification, Response
• Your Vendor’s Vendors (4th Party Risks)
• Cyber Insurance
• RECURRING DILIGENCE (repeat routinely)
A Clear Path to Data Minimization
Phases: Develop | Implement | Maintain
• Retention Schedules
• Scheduling Logic
• Policies
• Deletion Strategies
• Hold Process
• Program Training
• Attestation
• Email
• File Share
• Structured Data
• Paper Records
• Audit Trail
• Documentation
• Program Monitoring
• Program Updates
• Annual Review
• Data Inventory
• Retention Standards
• Deletion Strategies (Email | Electronic | Paper)
Bet-Your-Job Questions…
1. How did we develop (and how will we maintain) our data inventory?
2. Which of our third parties are subject to data privacy and cybersecurity regulations?
3. Do we retain any personal data longer than business or regulatory requirements?
4. Are your SEC disclosures aligned with SOX controls and cyber risk analysis?
QUESTIONS
Robert Jett, Senior Privacy Consultant
Rebecca Perry, CIPP US/G, Director of Professional Services, rperry@jordanlawrence.com
Phil Yannella, Partner, yannellap@ballardspahr.com