Attorney Advertising. Prior results do not guarantee a similar outcome. Models used are not clients but may be representative of clients. 321 N. Clark Street, Suite 2800, Chicago, IL 60654. 312.832.4500

IMPROVING COMPLIANCE IN THE FACE OF COMPLEX PRIVACY AND SECURITY REGULATIONS

Peter McLaughlin, Senior Counsel, Foley & Lardner LLP
Patrick Manzo, Chief Privacy Officer, Monster Worldwide

[Cartoon by Peter Steiner, published July 5, 1993 in The New Yorker]
Agenda
- Outlining the issues
- Creating an effective privacy compliance program
- Building privacy and security into your products and services
- Complying with Massachusetts data security regulations
- Addressing the PR issues of a data incident

Outlining the Issues
Privacy Quotes

"We need to stop talking about privacy and start talking about control over data... Users may be overwhelmed when first setting up an account, but when they get more comfortable with an application, they will exert more control." Esther Dyson

"Privacy is not just a compliance issue for the legal department. It should be a priority for everyone. You have to translate privacy into a customer issue because this is really becoming the holy grail of doing business for everyone in an on-line world." Larry Ponemon

"Privacy is not something that I'm merely entitled to, it's an absolute prerequisite." Marlon Brando

And, in a nod to the Facebook generation:

"It is no use to keep private information which you can't show off." Mark Twain
Personal Data is Increasingly Migrating Online
New Collection and Analysis Techniques Make More and Better Data Available

Consumer Behavior Changes in Response to Security Issues

Data Security + Data Privacy = Trust

Privacy Compliance Program
Privacy Compliance Program

Key reasons for creating a privacy function
- Maintain data about employees and customers: What data is your company managing? Where does it reside? Who has access? How is it used?
- Need to participate in business decisions with a privacy lens
- Industry requirements may feed legal requirements (e.g., PCI)
- Changing legal and regulatory environment
- Changing business models: ecommerce, international, email marketing

Getting Started
Several key areas addressed in the first months of program development:
- Stakeholder engagement: create a Privacy Council, evaluate membership, and schedule quarterly meetings and deliverables; identify key business partners and clarify data privacy roles (Legal, IT Security, Corporate Security, Corporate Compliance)
- Data inventory: partner with Internal Audit; begin a PII inventory
- Data Incident Response Plan: a roadmap for investigating all suspected incidents of data loss; include stakeholders from all key groups; socialize the plan with stakeholders and gain approval of process/roles; include templates and processes for notification; create a log of all incidents investigated to identify trends to address through procedural change, policy and/or education
Key Program Deliverables

Incident Investigation (Legal, Corporate Security, IT, Communications, Business Owners)
- Investigate incidents using the Data Incident Response Plan (DIRP)
- Keep a log of all investigations and report up to the Council
- Update the DIRP as needed and review it completely annually, including reaching out to all stakeholders to ensure they are the appropriate contacts
- Run a test of the DIRP if no incident occurs within one year

Stakeholder Engagement (Business Owners)
- Continue quarterly Privacy Council meetings and ongoing evaluation/adjustment of members and agenda
- Semi-annual reports to the Corporate Compliance Committee on privacy work
- Issue-specific presentations to cross-functional groups or committees: identifying data incidents; FTC Red Flags requirements

Vendor Management (Legal, Procurement, IT, Internal Audit, Business Owners)
- Appropriate data security and privacy language in vendor contracts
- Awareness of privacy and data security as important criteria in the vendor selection process
- Inventory of all vendors managing PII

Business Process Issues (Corporate Security, IT, HR)
- Product design and review
- Laptops: reporting loss, replacement process, evaluating encryption
- Employment applications
- Retail PII issues: POS, training, secured storage, shredders
- Business issues involving PII, e.g., customer relationship binders, customer email

International Data Transfers
- Awareness of international initiatives
- Determination of the best method to address them, e.g., model contract, Safe Harbor
Security Tools

Risk, Risk Management & Responses
So far this year

Security Issues
- Online crime is organized (La Cosa Nostra)
- Increasing sophistication of tools and techniques
- Surprising value of simple bits of information (structure and content)
- Application of business principles to crime: specialization, barter, Software-as-a-Service
- Challenges applying effective security controls: the Convenience Store / Airport spectrum
Security Issues
- Prevalence of phishing
- Spread to retail, ecommerce and social networking
- Must assume compromise

FTC Reasonableness Standard
- Process-oriented approach that emphasizes identifying and mitigating risks
- There is no one-size-fits-all solution: take into account the size and complexity of the business operations and the sensitivity of the information at stake
Massachusetts regulations (201 CMR 17.00)

The Regulations impose two main requirements: (i) the duty to develop, implement and maintain a very comprehensive written information security program that meets very specific requirements; and (ii) the obligation to meet specific computer information security requirements.

Computer System Security Requirements

1. Secure Access Protocols (cont.)
- Control of data security passwords to ensure that passwords are kept in a location and/or format that does not compromise the security of the data they protect
- Restricting access to active users and active user accounts only
- Blocking access to records and files containing personal information to those who need such information to perform their job duties; and
- Assigning unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls
2. Encryption requirement in transmission: encryption of all transmitted records and files containing personal information on public networks, and encryption of all data to be transmitted wirelessly
3. Reasonable monitoring of systems: monitoring for unauthorized use of or access to personal information
4. Encryption requirement in stored information: encryption of all personal information stored on laptops or other portable devices
5. Firewall protection: for files containing personal information on a system that is connected to the Internet, the system must have reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information
6. Malware and virus protection: the system must have reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, and must be set to receive the most current security updates on a regular basis
7. Education and training: each covered entity must train employees on the proper use of the computer security system and the importance of personal information security.
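As an added illustration (not from the slides or from the regulation text), the following Python gap assessment runs a constructed asset inventory against computer-system requirements 2 through 6 above and reports which requirement each observed gap maps to. The inventory, the field names and the 90-day staleness threshold are assumptions; the regulation itself says only "reasonably up-to-date".

```python
from datetime import date
MAX_AGE_DAYS = 90  # assumed threshold for "reasonably up-to-date"; the regulation names no number

def asset(name, **overrides):
    """Build an inventory record; the defaults describe a fully controlled system."""
    rec = {"name": name, "holds_pi": True, "portable": False, "disk_encrypted": True,
           "sends_pi_public_net": False, "transit_encrypted": True,
           "sends_pi_wireless": False, "wireless_encrypted": True, "access_monitored": True,
           "internet_connected": True, "firewall": True, "os_patch_date": date(2009, 11, 1),
           "av_present": True, "av_defs_date": date(2009, 11, 20), "av_auto_update": True}
    rec.update(overrides)
    return rec

# Constructed inventory for illustration only, not a real environment.
INVENTORY = [
    asset("hr-laptop-01", portable=True, disk_encrypted=False,
          sends_pi_wireless=True, wireless_encrypted=False),
    asset("web-db-02", sends_pi_public_net=True, transit_encrypted=False,
          access_monitored=False, firewall=False, os_patch_date=date(2009, 3, 1),
          av_present=False, av_defs_date=None),
    asset("lobby-kiosk-03", holds_pi=False, firewall=False),  # holds no PI, so out of scope
]

def stale(d, today):
    # A missing date, or one older than the assumed threshold, counts as not up to date.
    return d is None or (today - d).days > MAX_AGE_DAYS

def assess(a, today):
    """Return the gaps on one asset, keyed to the requirement numbers used on the slide."""
    if not a["holds_pi"]:
        return []  # requirements 2 to 6 attach to systems holding personal information
    checks = [
        (a["sends_pi_public_net"] and not a["transit_encrypted"],
         "Req 2: personal information sent over a public network unencrypted"),
        (a["sends_pi_wireless"] and not a["wireless_encrypted"],
         "Req 2: wireless transmission of personal information not encrypted"),
        (not a["access_monitored"], "Req 3: no monitoring for unauthorized use or access"),
        (a["portable"] and not a["disk_encrypted"],
         "Req 4: personal information on a portable device not encrypted"),
        (a["internet_connected"] and not a["firewall"],
         "Req 5: Internet-connected system has no firewall"),
        (a["internet_connected"] and stale(a["os_patch_date"], today),
         "Req 5: operating system security patches not reasonably up to date"),
        (not a["av_present"] or stale(a["av_defs_date"], today) or not a["av_auto_update"],
         "Req 6: malware protection missing, stale, or not set to auto-update"),
    ]
    return [msg for failed, msg in checks if failed]

def assess_inventory(inventory, today=date(2009, 12, 1)):
    return {a["name"]: assess(a, today) for a in inventory}
```

Calling `assess_inventory(INVENTORY)` gives the laptop two gaps (Req 2 and Req 4), the database server five, and the kiosk none because it holds no personal information; requirement 1 (access protocols) and 7 (training) are process controls and are not modelled here.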
It Is Not About Strong Security Measures
- Strong security measures do not, per se, provide reasonable security
- Recent case involving laptop theft: full disk encryption, with the password taped to the laptop

Industry Practice?
- May represent minimum requirements: the company "must implement standard practices where such standards have gained sufficient industry acceptance and adoption such that adherence to the standards would not unreasonably place [company] at a competitive disadvantage." Ziff-Davis FTC Consent Decree
- But not necessarily a guarantee of compliance: "[An industry] never may set its own tests, however persuasive be its usages. Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission." T.J. Hooper case, 60 F.2d 737 (2d Cir. 1932)
Incident Response and Massachusetts Data Security Regulations
- Have a plan (DIRP)
- Know what data is (generally) where
- Consider engaging external forensic specialists
- Do not delay
- Be proactive in communicating
- Know the facts and discuss remediation

Product Development Considerations
Product Development Considerations
- Consider the nature of the data: data minimization; data elements (name, SSN, c/c number, diagnosis)
- Regulatory environment: applicable guidance and standards; CCHIT certifications for EHRs ("Your product is not HIPAA compliant"); NIST
- Mobility, wireless and Internet
- Encryption
- Software coding weaknesses (SQL attacks, an FTC favorite)
- Technical support and lease returns
- Privacy by Design

ISO/IEC 27002:2005
Contains best practices of control objectives and controls in the following areas of information security management:
- security policy
- organization of information security
- asset management
- human resources security
- physical and environmental security
- communications and operations management
- access control
- information systems acquisition, development and maintenance
- information security incident management
- business continuity management
- compliance
Looming challenges
- More outsourcing of non-core activities
- Cloud computing
- Expanded use of social networking sites for business purposes

Legacy Systems Not Built for Privacy
- Access controls are a significant issue
- Systems were built for information sharing, not privacy
- Systems were built for cross-sharing of information without provisions to capture client preferences (e.g., Do Not Solicit / Opt Out)
- Challenge: respecting clients' preferences and choices, then getting this integrated with front office systems (front line staff/marketing)
Security Challenges: Related Privacy Issues
- In order to ensure the continued availability of data with which to provide relevant products to consumers, business may need to go beyond regulatory minimums to meet the reasonable expectations of consumers.
- Sometimes, uninformed consumer expectations (or regulator expectations) may not be reasonable. Managing those expectations is critical.
- This data has significant value to businesses, to criminal organizations, to governments and, perhaps most importantly, to consumers.
It Is All In the Process
- Identify the assets to be protected, both under company control and outsourced
- Conduct a risk assessment: identify and evaluate threats, vulnerabilities, and damages; consider available options
- Identify and implement appropriate security controls that are responsive to the risk assessment and that address the required categories of controls
- Continually monitor, reassess, and adjust, to ensure that the program is effective and to address new threats, vulnerabilities, and business changes
- Address third parties

THANK YOU