Data Privacy and Information Security Compliance Under Heightened Scrutiny: Responding to a Data Breach or Cyber Attack - Strafford ...
Presenting a live 90-minute webinar with interactive Q&A
Data Privacy and Information Security Compliance Under Heightened Scrutiny: Responding to a Data Breach or Cyber Attack
WEDNESDAY, MAY 29, 2019, 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
• Robert D. Brownstone, Technology & eDiscovery Counsel, Fenwick & West, Mountain View, Calif.
• Isis Miranda, Attorney, Freeman Mathis & Gary, Los Angeles, Calif.
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
Tips for Optimal Quality (FOR LIVE EVENT ONLY)
Sound Quality: If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-961-8499 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality: To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
Continuing Education Credits (FOR LIVE EVENT ONLY)
In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar. A link to the Attendance Affirmation/Evaluation will be in the thank-you email that you will receive immediately following the program. For additional information about continuing education, call us at 1-800-926-7926 ext. 2.
Program Materials (FOR LIVE EVENT ONLY)
If you have not printed the conference materials for this program, please complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
Data Privacy and Information Security Compliance Under Heightened Scrutiny
Robert Brownstone and Isis Miranda
May 29, 2019
© 2019 the presenters and their respective firms
THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES. THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE. THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.
Agenda
I. NEW PRIVACY LEGISLATION
• The data privacy phenomenon
• Complying with the CCPA
II. DATA BREACHES
• Proactively preventing data breaches
• Reactively responding to data breaches
III. CYBERSECURITY INSURANCE
• Coverage for data breaches and privacy violations
• Other risk transfer strategies
The Privacy Phenomenon (Global)
[Chart: share of countries by status of data-privacy legislation]
• Countries with legislation: 58%
• Countries with draft legislation: 10%
• Countries with no legislation: 21%
• Countries with no data: 12%
The Privacy Phenomenon (U.S.)
[Map: state privacy bills, keyed as “Law Passed” or “Legislation Pending”]
WA: SB5376; ND: HB14185; NY: S224 & SB S8641; MA: SD341/S120; RI: S0234; NV: Chapter 603A; CT: RB1108; CA: CCPA; IL: HB 3358; NV: SB220; NJ: S2834; MD: SB613; NM: SB176; HI: SB418; TX: HB4518 & HB4390
Federal privacy laws: HIPAA, GLBA, COPPA, ECPA, etc.
Key Influences (driving new legislation)
• Expanding digital footprint
• Rise of data brokers (e.g. Acxiom)
• Online behavioral advertising
• Edward Snowden
• Governmental surveillance (global)
• Massive data breaches
• Cambridge Analytica
Texas Public Radio: https://www.tpr.org/post/views-brews-whos-tracking-your-digital-footprint
Online Behavioral Advertising
The Future of Privacy Forum: https://fpf.org/2016/05/20/14382/
CCPA Overview
• The California Consumer Privacy Act (CCPA) provides California residents with:
1. Privacy Rights: certain rights to control personal information (broadly defined) pertaining to them; and
2. Private Right of Action: the right to sue for statutory damages whenever their personal information (narrowly defined) is breached and the breach is caused by the failure to maintain reasonable security measures.
• The CCPA was rushed through the legislative process to avoid a stricter privacy law being placed on the voter ballot.
• As a result, the law has many ambiguities and internal inconsistencies.
• Many amendments to revise and/or clarify the CCPA are pending.
• Nonetheless, the act takes effect on January 1, 2020.
• The attorney general (AG) may begin enforcement actions 6 months after publishing guidance or on July 1, 2020, whichever is earlier.
• Many states are following CA’s lead, and many more are expected.
DISCLAIMER
The CCPA has numerous ambiguities and internal inconsistencies on account of the record-breaking speed with which it was written and enacted. The materials provided herein, which do not constitute legal advice, are designed to aid in understanding the CCPA in spite of those factors.
CCPA Covered Entities
• The CCPA applies to for-profit entities doing business in California:
a) with at least $25 million in annual revenue;
b) that receive or share the personal information of 50,000 or more consumers, households, or devices annually; or
c) that derive 50% or more of revenues from the sale of consumers’ personal information.
• Consumer: A “natural person who is a California resident . . . however identified, including by any unique identifier.”
• Business: Determines the “purposes and means” of processing PI.
• Service Provider: Processes information on behalf of a business pursuant to a written contract that prohibits the service provider from using PI for any other purpose.
• Third Party: an entity that is not a Business or a Service Provider (with some caveats).
CCPA Consumer Rights
1. Right to know what personal information is being collected
2. Right to access & portability
3. Right to delete, unless information is needed:
• To complete transactions with the consumer or associated internal uses
• To detect security breaches
• To identify and repair errors that impair existing functionality
• To protect against or prosecute illegal activity
• To comply with a legal obligation
• Other exceptions also apply
4. Right to opt-out of the “sale” (or opt-in for minors)
5. Right not to be discriminated against for exercising their rights
CCPA Definition of PI
“Personal Information means information that identifies or could reasonably be linked to a particular consumer or household.”
Personal Information “Categories”:
(A) “Identifiers, such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, and other similar identifiers.”
(B) “Any categories of personal information described in [1798.90(e)].”
(C) “Characteristics of protected classifications under California or Federal law.”
(D) “Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consumer histories or tendencies.”
(E) “Biometric information.”
(F) “Internet or other electronic network activity, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”
(G) “Geolocation data.”
(H) “Audio, electronic, visual, thermal, olfactory, or similar information.”
(I) “Professional or employment-related information.”
(J) “Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act.”
(K) “Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
CCPA Rights and Obligations
Consumer’s Rights, with the corresponding Business Obligations (unless specified otherwise):
Right to access PI collected (§§ 1798.100; 1798.110)
• Inform consumers of the categories of PI to be collected and the purpose for which the information will be used.
• Upon request, disclose:
  • The categories of PI collected
  • Sources of information
  • Business or commercial purpose for collecting
  • Categories of third parties with whom PI is shared
  • The specific pieces of PI collected in prior 12 months
Right to delete PI collected (§ 1798.105)
• Inform consumers of their right to delete.
• Upon request, delete PI collected (stored by the Business or a Service Provider), unless an exception applies.
Right to know what PI is sold or disclosed (§ 1798.115)
• Upon request, disclose:
  • The categories of PI sold in prior 12 months and the categories of third parties to whom the PI was sold (matrix format).
  • The categories of PI disclosed for a business purpose and the categories of entities to whom the data was disclosed.
• Third Parties must provide consumers with explicit notice and opportunity to opt-out before re-selling PI they have purchased.
Right to opt-out from the sale of PI (§ 1798.120)
• Inform consumers that their PI may be sold and that they have the right to opt-out (or opt-in for minors).
• Upon request (or lack of consent for minors), refrain from selling PI.
CCPA Enforcement & Fines
• Privacy Violations:
  • The AG may bring actions if businesses fail to cure the violation within 30 days of receiving notice and may seek civil penalties of $2,500 per violation or $7,500 for each intentional violation.
• Data Breaches (Private Right of Action):
  • In addition to enforcement actions by the AG, consumers may bring suit, individually or as part of a class action, if businesses fail to cure the violation within 30 days of receiving notice, and may recover statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater.
  • Consumers can also sue for actual damages at any time.
CCPA Compliance – Data Map
• Prepare a data map indicating the location, age, and type of personal information:
1. Collected from consumers
2. Obtained from other entities
3. Shared with other entities, including:
a. Service providers for business purposes (not a “sale”)
b. Third parties to whom the consumer directs the disclosure of their information or with whom the consumer intentionally interacts (not a “sale” provided that the third party does not sell the information)
c. Third parties or other entities for monetary or other valuable consideration (constitutes a “sale”)
• Prioritize data security, including documenting the basis for decisions, focusing on highly sensitive information stored in the least protected manner.
CCPA Compliance – New Processes
• Develop processes (including system changes, training staff, etc.) to:
• Exclude consumers from the “sale” of information when they click the “Do Not Sell My Personal Information” button on your website, as well as the sale of information pertaining to minors (age 16 or younger) absent appropriate consent.
• Provide the consumer with the actual PI collected for the prior 12 months and/or delete all PI, upon a verifiable request.
  • Must be achievable within 45 days of receiving the request, but may be extended by up to an additional 45 (or 90?) days where reasonably necessary.
  • Includes information stored by Service Providers, but not Third Parties.
  • Must be delivered through the consumer’s account or by email, in a readily usable format, or by mail.
• Verify consumer requests, including determining whether they are made by or on behalf of a California resident.
CCPA Compliance – Website Updates
• Determine whether a separate website is needed for California consumers.
• Add a “Do Not Sell My Personal Information” button conspicuously displayed on the homepage or a California-specific website.
• Add a toll-free number consumers may call to submit requests.
• Add a website form for submitting requests.
• Update the privacy policy to include:
  • A description of consumers’ rights under the CCPA and a link to the webpage containing the “Do Not Sell My Personal Information” button.
  • Information collected: The categories of personal information collected, the categories of the sources of the information, and the commercial and business purposes for which the personal information is collected.
  • Information shared: The categories of personal information sold or disclosed, the categories of entities with whom the information is shared, and the business or commercial purpose for sharing the information.
  • Description of any financial incentives for providing data or not exercising rights.
  • Two or more designated methods for submitting requests, including a toll-free number and a website address (if applicable).
CCPA Compliance – Training
• A business must ensure that all individuals responsible for handling consumer inquiries about the business’ privacy practices, including how the business complies with the CCPA, are informed of all of the requirements in [the transparency and access provisions] and of how to direct consumers to exercise their rights under those sections.
CCPA Compliance – Contract Updates
• Update contracts with service providers to include a certification that the service provider understands and will comply with the restrictions set forth in the CCPA [See section 1798.20(v) and (w)].
• A business that discloses personal information to a service provider (pursuant to a written agreement containing a certification of compliance) shall not be liable if the service provider violates the CCPA, provided that, at the time the information was disclosed, the business does not have “actual knowledge, or reason to believe, that the service provider intends to commit such a violation.” [See section 1798.20(w)].
CCPA Data Security “Requirements”
• The CCPA has no express requirements pertaining to data security.
• There is a provision (Section 1798.150(a)(1)) that provides a remedy for the breach of a consumer’s personal information as a result of a business’s violation of its duty to maintain reasonable security measures, a duty that is not defined elsewhere in the CCPA.
• Nonetheless, notice must be provided to the business as to which provisions of the CCPA it has violated.
• Although the business has the opportunity to “cure” the breach within 30 days, it is unclear how that is possible in a data breach context.
• A business is required to attest that the violation has been cured AND that “no further violations shall occur.”
II. DATA BREACHES
II. A. Proactive Prevention of Data Breaches – Introduction
Divide the universe, e.g., into:
1. Policies/Practices Applicable to All Information, Including PII
2. Policies/Practices Applicable to Personal Information as to Non-Employee Individuals
3. Policies/Practices Applicable to PII Collected From Employees
4. Data-Storage Contracts with Third-Party Host-ers (Cloud, etc.)
II(A). Policies – Enforcement AND Training
Kompliance KUMBAYA?!
Clear, well-thought-out language regarding which multiple constituencies have weighed in . . .
Compliance’s “3 E’s” = Establish/Educate/Enforce (Nancy Flynn, ePolicy Institute, as discussed here)
II(A). Compliance’s Three E’s (c’t’d)
Train managers and staff re: access, nondisclosure and safeguarding
Review pertinent segments of certain Employee Handbook policies, e.g.:
• Code of Conduct; Confidentiality Policy
• Technology-Acceptable-Use-Policy (TAUP)/No-Employee-Expectation-of-Privacy Policy (NoEEP)
• Social-Media
• BYOD (Mobile Devices)
• Separating Employee Policy [& related checklist(s) from IT Dep’t, HR Dep’t, etc.]
II(A). Training (c’t’d)
[Spear-]Phishing
• Test users periodically
• Capture metrics
• Encourage vigilance
Ransomware
• Keep patches up to date
• Back-up regimen – rule of 3
• Bitcoin?
II(A). 1. Proactive Prevention (c’t’d)
Many tips/tools discussed in:
• Brownstone/Moore, Cyber Security Practitioner article (May ’17), downloadable here
• Koenig, et al., Equifax Breach: 3 Immediate Steps Leading Companies Are Taking To Respond, Fenwick & West Alert (9/22/17)
• Hobbs, et al., New Concerns for Employers and HR Departments post-Equifax Cyber Breach, Holland & Hart (9/18/17)
• Argento, et al., Vendor Breaches and Their Implications for Employers, Littler (9/15/17)
II(A). Prevention (c’t’d) – 2. Passwords; Access; & Central Storage
Passwords
• Lockout . . .
• No sharing . . .
• Password manager?
• 2-factor authentication
Traditionally, these have been considered best practices:
• minimum 8 (or 12) characters
• complex
• reuse restriction
• 90-day expiration
But see new NIST SP 800-63: Digital Identity Guidelines (6/22/17) and this Aug. ’17 NIST paper/bulletin
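To make the contrast on this slide concrete, here is an added example (not the presenters' code, not a NIST reference implementation) that evaluates the same password under the "traditional" rules and under an SP 800-63B style policy; the policies, the tiny blocklist and the sample passwords are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// LegacyPolicy: the "traditional" rules the slide lists (length floor, complexity, reuse, expiry).
type LegacyPolicy struct {
	MinLen  int
	MaxAge  int             // days before a forced change
	History map[string]bool // earlier passwords (plaintext here only for illustration)
}

// NISTPolicy: the SP 800-63B approach (length floor plus blocklist; no composition rules, no expiry).
type NISTPolicy struct {
	MinLen    int
	Blocklist map[string]bool // breached, common and dictionary passwords, lower-cased
}

// Constructed sample policies; the tiny blocklist stands in for a real breach corpus.
var (
	Legacy = LegacyPolicy{MinLen: 8, MaxAge: 90, History: map[string]bool{"Winter2018!": true}}
	NIST   = NISTPolicy{MinLen: 8, Blocklist: map[string]bool{"password": true, "p@ssw0rd": true, "123456": true}}
)

// hasAllClasses reports whether pw mixes upper, lower, digit and other characters.
func hasAllClasses(pw string) bool {
	var up, lo, dg, ot bool
	for _, r := range pw {
		up = up || unicode.IsUpper(r)
		lo = lo || unicode.IsLower(r)
		dg = dg || unicode.IsDigit(r)
		ot = ot || !(unicode.IsLetter(r) || unicode.IsDigit(r))
	}
	return up && lo && dg && ot
}

// CheckLegacy returns "" when pw passes the legacy rules, otherwise the failing rule.
func CheckLegacy(p LegacyPolicy, pw string, ageDays int) string {
	switch {
	case len([]rune(pw)) < p.MinLen:
		return "shorter than minimum length"
	case !hasAllClasses(pw):
		return "missing a required character class"
	case p.History[pw]:
		return "reuse of a previous password"
	case ageDays >= p.MaxAge:
		return "expired, rotation required"
	}
	return ""
}

// CheckNIST returns "" when pw passes the SP 800-63B style rules; context holds values
// that must not appear in the password (user name, service name, and the like).
func CheckNIST(p NISTPolicy, pw string, context ...string) string {
	lc := strings.ToLower(pw)
	switch {
	case len([]rune(pw)) < p.MinLen:
		return "shorter than minimum length"
	case p.Blocklist[lc]:
		return "found on the compromised/common password list"
	}
	for _, c := range context {
		if c != "" && strings.Contains(lc, strings.ToLower(c)) {
			return "contains a context-specific word"
		}
	}
	return ""
}

func main() {
	for _, pw := range []string{"P@ssw0rd", "correct horse battery staple", "Jdoe-2019!"} {
		fmt.Printf("%-32q legacy=%q nist=%q\n", pw, CheckLegacy(Legacy, pw, 10), CheckNIST(NIST, pw, "jdoe"))
	}
}
```

Note that "P@ssw0rd" satisfies every legacy rule yet is rejected by the blocklist, while a long passphrase fails the legacy complexity rule and passes the NIST check.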
II(A)(2). Access (c’t’d) – RBAC
“Least Privileged Access” approach [“role-based access control (RBAC)”]
• Data and physical
• Default is “deny all” – i.e., cannot gain access unless:
  • affirmative need shown; and
  • specifically authorized
For lawyers: “ 'Need to Know’ Security” (LTN 4/24/17) (LEXIS login needed)
Central vs. Local Storage
Digital Rights Management (DRM)?
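The two conditions on this slide (need shown, specifically authorized) and the default-deny rule can be encoded directly. The following is an added example, not the presenters' material or any product's access model; the roles, users, resources and grants are constructed.

```go
package main

import "fmt"

// Permission names one action on one resource; data and physical resources alike.
type Permission struct{ Resource, Action string }

// Grant is a role assignment plus the two things the slide requires before access
// exists: an affirmative need shown (Justification) and a specific authorization (ApprovedBy).
type Grant struct {
	Role, Justification, ApprovedBy string
}

// rolePerms: what each role may do (constructed sample, not a real scheme).
var rolePerms = map[string][]Permission{
	"hr-analyst": {{"employee-pii", "read"}},
	"infosec":    {{"employee-pii", "read"}, {"audit-log", "read"}, {"server-room", "enter"}},
}

// userGrants: role assignments per user (constructed sample).
var userGrants = map[string][]Grant{
	"alice": {{Role: "hr-analyst", Justification: "payroll reconciliation", ApprovedBy: "hr-director"}},
	"bob":   {{Role: "infosec", Justification: "incident response rota", ApprovedBy: "ciso"}},
	"carol": {{Role: "infosec", Justification: "curiosity"}}, // need stated, never approved
}

// Decision carries the outcome and a reason, which is what belongs in the audit log.
type Decision struct {
	Allowed bool
	Reason  string
}

// Authorize is default deny: the only path to Allowed=true is a grant that has both a
// justification and an approver, whose role lists the exact (resource, action) pair.
// Unknown users, unknown resources and unlisted actions all fall through to deny.
func Authorize(user, resource, action string) Decision {
	for _, g := range userGrants[user] {
		if g.Justification == "" || g.ApprovedBy == "" {
			continue // an assignment without need shown or without approval confers nothing
		}
		for _, p := range rolePerms[g.Role] {
			if p.Resource == resource && p.Action == action {
				return Decision{true, "role " + g.Role + " approved by " + g.ApprovedBy}
			}
		}
	}
	return Decision{false, "no explicit grant for " + user + " on " + resource + ":" + action}
}

func main() {
	checks := [][3]string{
		{"alice", "employee-pii", "read"},
		{"alice", "employee-pii", "write"},   // read was granted, write never was
		{"bob", "server-room", "enter"},      // physical access follows the same rule
		{"carol", "audit-log", "read"},       // role assigned but never approved
		{"mallory", "employee-pii", "read"},  // unknown user
	}
	for _, c := range checks {
		d := Authorize(c[0], c[1], c[2])
		fmt.Printf("%-8s %-13s %-6s allow=%-5v %s\n", c[0], c[1], c[2], d.Allowed, d.Reason)
	}
}
```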
II(A). Prevention (c’t’d) – 3. Encryption of ESI
Altruism and . . . . Selfishness
Especially PII & Mobile Data
At rest and in transit . . .
Best to avoid ROT-13 (“rotate by 13 places”): can be broken in seconds
Best to use the Advanced Encryption Standard (AES) cryptographic cipher: basically unbreakable
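To show why the slide draws the line where it does, here is an added example (not the presenters' code) using Go's standard library: ROT-13 needs no key at all to reverse, whereas AES-256-GCM needs the key and additionally detects any tampering with the ciphertext. The sample plaintext and the in-memory key are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Rot13 shifts ASCII letters by 13 places. It has no key: applying it twice
// restores the input, so whoever holds the "ciphertext" holds the plaintext.
func Rot13(s string) string {
	out := []byte(s)
	for i, c := range out {
		switch {
		case c >= 'a' && c <= 'z':
			out[i] = 'a' + (c-'a'+13)%26
		case c >= 'A' && c <= 'Z':
			out[i] = 'A' + (c-'A'+13)%26
		}
	}
	return string(out)
}

// Encrypt seals plaintext with AES-256-GCM (key must be 32 bytes). A fresh random
// 12-byte nonce is generated per message and prepended to the output; GCM also
// authenticates the ciphertext, so modification is detected at Decrypt time.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

// Decrypt reverses Encrypt; it fails on a wrong key, a truncated message or a
// tampered ciphertext instead of returning garbage.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

func main() {
	pii := "SSN 000-00-0000 (constructed sample)"
	fmt.Println(Rot13(pii), "->", Rot13(Rot13(pii))) // round trip with no key at all
	key := make([]byte, 32) // in practice from a KMS/HSM or a KDF, never hard-coded
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	ct, err := Encrypt(key, []byte(pii))
	if err != nil {
		panic(err)
	}
	pt, _ := Decrypt(key, ct)
	fmt.Printf("%x -> %s\n", ct, pt)
	ct[len(ct)-1] ^= 1 // flip one bit: GCM's tag check now fails
	_, err = Decrypt(key, ct)
	fmt.Println("tampered:", err)
}
```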
II(A)(3). Prevention – Encryption of ESI (c’t’d)
1. Website & Extranet Servers (> SSL)
2. Virtual Private Network (VPN) Software
3. Cloud: secure file transfer protocol (.ftp) sites (Citrix ShareFile; Filezilla; and OneHub, e.g.)
4. Email Messages and Attachments [Transport Layer Security (TLS)]
5. End-user devices
• Desktop PC’s, Laptops and Macs
• Tablets and Smartphones
• Mobile Devices and Portable Media
II(A). Prevention (c’t’d) – 4. Commuting/Travel
Use privacy screen/filter
Security When Traveling
• Avoid using shared computers in cyber cafes, public areas or hotel business centers
• If you must use public/hotel WiFi, use a VPN (VMware Horizon or Cisco AnyConnect, e.g.)
• Avoid public hotspots unless using, e.g., iPass
• Borrow/buy MiFi device?
• Do not use devices belonging to other travelers, colleagues or friends
II(A)(4). Commuting/Travel (c’t’d)
International Travel Tips:
• Recommended: change any and all passwords before leaving abroad and again when you return
• Do not take your regular laptop, tablet or phone to China
• Potentially the same re: EU travels
• Avoid sending sensitive emails
• U.S. Customs & Border Protection (CBP) has increased scrutiny of laptops, devices, etc.
II(A)(4). Commuting/Travel (c’t’d)
CBP (c’t’d)
• Upon citizens returning to the States, CBP asking for passwords, including social-media
• Adi Robertson, Former Mozilla CTO files complaint against border patrol over warrantless phone search, Verge (4/2/19)
• Darlene Storm, NASA scientist detained at U.S. border until handing over PIN to unlock his phone, Computerworld (2/13/17)
• Sen. Ron Wyden (OR), letter to then HHS Secretary Kelly (2/20/17)
• Assert attorney-client privilege (or another basis for confidentiality such as privacy?)
• But don’t go so far as to get detained ? !
II(A). Prevention (c’t’d) – 5. Metadata & Netiquette
Metadata and Redactions
Metadata – Goalkeeper Prompts in Workshare Protect, for example . . .
II(A)(5). Metadata and Netiquette (c’t’d)
Metadata and Redactions (c’t’d)
Ex: Manafort filing in Collusion Investigation
II(A)(5). Metadata and Netiquette (c’t’d)
Metadata and Redactions (c’t’d)
• Workshare settings (incl. re: .pdf’s)
Redactions
• DO USE Adobe Acrobat Pro
• Don’ts:
  • Word: borders/shading or highlighter
  • Acrobat: text box or shapes-drawing tool
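What a metadata "goalkeeper" actually looks at can be seen with Go's standard library alone: an Office file is a zip archive whose docProps/core.xml names the author, the last editor and the revision count. The block below is an added example (not Workshare's or the presenters' code) that reports and empties those properties in a constructed two-entry stand-in for a .docx; as the comments note, it leaves the document body alone, which is exactly why scrubbing metadata never substitutes for a proper redaction.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"regexp"
)

// Office files (.docx/.xlsx/.pptx) are zip archives; docProps/core.xml holds the properties.
const coreProps = "docProps/core.xml"

// OOXML core-property elements that Scrub empties.
var scrubTags = []string{"dc:creator", "cp:lastModifiedBy", "cp:revision", "dc:description"}

// sampleCore is a constructed core.xml, not one taken from a real document.
const sampleCore = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">
<dc:creator>J. Doe (Associate)</dc:creator><cp:lastModifiedBy>Partner X</cp:lastModifiedBy><cp:revision>17</cp:revision>
<dc:description>draft, do not send</dc:description></cp:coreProperties>`

// pack writes name -> body entries into an in-memory zip (writes to a bytes.Buffer cannot fail).
func pack(files map[string][]byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, body := range files {
		f, _ := w.Create(name)
		f.Write(body)
	}
	w.Close() // must complete before Bytes(): Close appends the central directory
	return buf.Bytes()
}

// SampleDoc builds a minimal two-entry stand-in for a .docx (constructed).
func SampleDoc() []byte {
	return pack(map[string][]byte{"word/document.xml": []byte("<w:document/>"), coreProps: []byte(sampleCore)})
}

// Scrub copies doc entry by entry, emptying the listed properties in core.xml and
// returning the values removed. The body is untouched: scrubbing metadata is not redaction.
func Scrub(doc []byte) ([]byte, map[string]string, error) {
	r, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, nil, err
	}
	removed, files := map[string]string{}, map[string][]byte{}
	for _, f := range r.File {
		rc, err := f.Open()
		if err == nil {
			files[f.Name], err = io.ReadAll(rc)
			rc.Close()
		}
		if err != nil {
			return nil, nil, err
		}
	}
	if core, ok := files[coreProps]; ok {
		for _, tag := range scrubTags {
			re := regexp.MustCompile("<" + regexp.QuoteMeta(tag) + ">([^<]*)</" + regexp.QuoteMeta(tag) + ">")
			if m := re.FindSubmatch(core); m != nil && len(m[1]) > 0 {
				removed[tag] = string(m[1])
			}
			core = re.ReplaceAll(core, []byte("<"+tag+"></"+tag+">"))
		}
		files[coreProps] = core
	}
	return pack(files), removed, nil
}

func main() {
	clean, removed, err := Scrub(SampleDoc())
	fmt.Println("removed:", removed, "clean bytes:", len(clean), "err:", err)
}
```

Running Scrub a second time over its own output is a cheap self-check: the returned map should then be empty.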
II(A)(5). Metadata and Netiquette (c’t’d)
Social Media
• Bcc’s
• Emails to “All” (companywide)
• Auto-complete
• Reply All
II(A). Prevention (c’t’d) – 6. Network Monitoring and Pen Tests
• Firewall
• Anti-Virus/Malware (incl. macros)/Spyware, enabling regular updates/patches
• Spam filtering plus phishing protection (ex: ProofPoint, including URL defense)
• Periodic vulnerability assessments and pen(etration) tests by an independent consultant
II. B. Reactively Responding – Incident-Response Top Ten
FOLLOW PROCESS (IF ANY!) . . .
10. Policy/Protocols/Checklists
• Internal team leaders and members ID’d, e.g. InfoSec, Legal & Public Relations
• Outside contacts listed, e.g., Information-Security consulting firm, Counsel, Law enforcement & Insurance carrier
II(B). Incident-Response (c’t’d) – Top Ten Tips
10. Big-Picture Process (c’t’d)
• Categories defined?
• Data- and machine-handling protocol
• Workflow/Communication chart re: Discover/Assess/Contain, Remediate/Close/Mitigate
II(B). TOP TEN TIPS (c’t’d)
FACT INTAKE . . . 4 W’s-plus
9. Who, what, where, when re: info.?
8. Encrypted?
7. If encrypted, key compromised?
II(B). TOP TEN TIPS (c’t’d)
GET YOUR BEARINGS . . .
6. If a contractual relationship:
• Look at the contract
• Decide if you will try to negotiate re: notice
5. If law enforcement is involved, open a dialogue . . .
4. See if, under the strictest statute, > 1 notice trigger has kicked in
II(B). TOP TEN TIPS (c’t’d)
TO GIVE NOTICE OR NOT TO GIVE NOTICE . . .
3. If you MUST give notice, tackle the required:
• Method and Contents – e.g., Cal. SB 24 (specifying some required contents of notice of breach of PII or PHI under Cal. Civ. Code)
• Recipients (might include an AG, e.g.)
• Timing (might be OK, under law, to delay)
2. If you COULD give notice, discuss customer relations with C level
1. If you WILL give notice, work with PR as to theme(s), timing & press release (if any)
III. CYBERSECURITY INSURANCE 51
III. Cyber Policies (c’t’d)
• Must understand data and scope of coverage to manage risk
• Comprehensive General Liability (CGL) policies not written to cover – and may expressly exclude – cyber risks
  • Often need cyber coverage on top of CGL
  • CGL does not consider data tangible property
• Sony PlayStation breach: Third-party hackers didn’t violate privacy clause in CGL policy/ies
• Private info. posted (e.g., PHI on dark web)
  • Insurer may have duty to defend if info. “published”
  • Grey area: Clauses limiting CGL policies for some cyber risk may still not get insurer off the hook when information gets published
III. Cyber Policies (c’t’d)
• Personal injury/ies based on advertising injury risk may be covered by CGL duty to defend, depending on how “publication” is defined
• See Travelers Indem. v. Portal Healthcare Solutions, 644 Fed. Appx. 245, 2016 WL 1399517 (4/11/16) (unpublished) (unintentional publication still a publication)
• See also Andrew G. Simpson, Fallout from Travelers CGL Cyber Ruling: Insurance Buyers and Sellers Beware, Ins. J. (4/25/16), cautioning against total reliance on Travelers
III. Cyber Policies (c’t’d)
• Cyber policies’ terms are still in flux
  • no form policies
  • lots of variation
• Increased uncertainty of scope of coverage
  • carriers sometimes more willing to negotiate
• Some concerns:
  • May need phishing rider to address biggest risk
  • Terrorism exclusion could apply if hackers are nation states, or could extend to all hackers
III. Cyber Policies (c’t’d)
• Insurer may be able to deny coverage if insured didn’t have reasonable security measures . . .
  • Opening phishing emails may be deemed non-reasonable
• Theft by social-engineering / tricking does not equal theft – need coverage specifically for that category of activity
Some Tips
• Don’t voluntarily admit fault
  • May negate coverage
• Duty to defend
  • Insurers have teams on standby to mitigate breach, etc.
  • Small businesses don’t have that critical capability
III. Cyber Policies (c’t’d)
Some Tips (c’t’d)
• “Industry standards language” not sensible; should be a red flag
• Seek coverage for litigation judgments, settlement payments and GDPR fines
• First party vs. third party insurance
  • First party: Direct costs to company such as credit monitoring, PR, forensics, ransom, business interruption
  • Third party: Failure to prevent cyber attacks on others or privacy of others . . . .
III. Cyber Policies (c’t’d)
Some Tips (c’t’d)
Third Party Coverage (c’t’d) – could include:
• Failure to disclose data breach
• Distributed Denial of Service (DDoS) attack
• Payment Card Industry Data Security Standard (PCI DSS) non-compliance
  • P.F. Chang's China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (Chubb) (D. Az. 5/31/16)