Information Governance in an Era of Rapid Privacy and Data Security Change

1
Information Governance in an Era of Rapid Privacy
and Data Security Change
Edward McNicholasSIDLEY AUSTIN LLP
2
What Can Go Wrong

• ChoicePoint - FTC obtained record 10 million
  fine and 5 million restitution, plus substantial
  injunctive requirements 500,000 settlement with
  43 state AGs 12 million spent on security
  upgrades since 2005
• TJX - computer intrusion and stolen customer
  transaction data leads to government
  investigations and scores of putative class
  actions around US and Canada (46 million
  customers)
• Monster.com - 1.6 million job searches
  compromised by Trojan horse and phishing attacks
• Telefonica Espana - fined 840,000 by the Spanish
  Data Protection Authority for sharing an
  individuals data with one of its subsidiaries
  for marketing purposes
• Tyco Healthcare fined 30,000 (40,972) by the
  French Data Protection Authority (CNIL) for
  improper storage and cross-border transfer of
  employee data (April 2007)
• Lilly FTC investigation started by single
  errant e-mail

3
The Cost of Getting Data Protection Wrong

• Breaches and data incidents can be extremely
  painful
• Hard costs
• Cost of notifying affected individuals
• Credit monitoring
• Investigation and legal fees
• Potential costs
• FTC, State AG, and regulatory investigations
• Class actions by data subjects
• Litigation with business partners over hard costs
• Legal defense fees
• Brand/Reputation harm
• Charges of deceptive / unfair business practices
• Lost confidence / uncertainty in clients /
  employees
• Lost profits / business partners

4
SEC Cybersecurity Guidance

• SEC issued significant new guidance suggesting
  that public companies should evaluate disclosure
  of cybersecurity risks.
• Several existing regulations could require
  disclosure of actual cyber-attacks, but
  that potential cyber-attacks should also be
  disclosed in some circumstances. 

5
Advanced Persistent Threat

• Cyberattacks against Google were "wake-up call"
  about vulnerabilities that could cripple US
  economy (DNI)
• Cybersecurity legislation will seek to
• Enhance coordination and prioritization of
  federal research and development
• Promote development of technical standards
• Improve the transfer of cybersecurity
  technologies to the marketplace
• Government contractors and companies involved in
  critical infrastructure should assess their
  technical and legal responses to cybersecurity
  risks
• DOD advanced notice of proposed rulemaking for
  defense contractors

6
The Reality Facing Global Corporations

• Broad complexity and wide variety of national
  (and sub-national) privacy and data security laws
  complicates compliance
• Significant cultural and legal differences
  exist in the meaning and nuances of privacy and
  data protection
• Achieving compliance with overlapping federal,
  state, national, sub-national and multilateral
  rules is complex and burdensome
• Trend towards stricter, more prescriptive laws,
  with more complexity and greater enforcement
  appears likely

7
U.S. Governmental Response

• States have responded with increased statutory
  protections for personal information
• Congress has passed sector-specific privacy and
  information security laws
• Omnibus privacy and information security actively
  under debate in Congress

8
Overview of U.S. Privacy Law

• No comprehensive federal privacy statute
• In U.S., privacy is regulated via
• Federal sector-specific and ad hoc statutes and
  regulations
• FTC regulation and enforcement
• State laws, AG enforcement actions and private
  litigation
• Industry self-regulation through company privacy
  policies, and association codes
• Changes likely in Washington

9
Federal Legislation and Regulation

• Gramm-Leach-Bliley Act of 1999 (GLBA)
• Regulates privacy of personally identifiable,
  nonpublic financial information disclosed to
  non-affiliated third parties by financial
  institutions
• Requires administrative, technical, and physical
  safeguards
• Health Insurance Portability and Accountability
  Act of 1996 (HIPAA) / Health Information
  Technology for Economic and Clinical Health Act
  of 2009 (HITECH)
• HIPAA rules protect confidentiality and security
  of medical information in hands of covered
  entities and business associates such as
  healthcare poviders, hospitals,
  employer-sponsored health plans, etc.

10
Federal Trade Commission (FTC)

• FTC is de facto federal privacy enforcement
  authorityFTC Act 5 (15 U.S.C. 45)
• FTC charged with preventing "unfair methods of
  competition in or affecting commerce and unfair
  or deceptive acts or practices in or affecting
  commerce"
• FTC enforces against companies that engage in the
  deceptive practice of failing to adhere to
  their own privacy and/or information security
  policies
• FTC enforces against companies that engage in the
  unfair practice of failing to provide adequate
  security for consumer data
• FTC enforces Gramm-Leach-Bliley Act Fair Credit
  Reporting Act Children's Online Privacy
  Protection Act

11
FTC Investigative Demand

• All policies adopted or statements made regarding
  the collection, disclosure, use and protection of
  personal information
• All documents sufficient to identify and describe
  in detail all systems and/or databases that
  collect, maintain, store, transmit or otherwise
  handle personal information
• Any risk assessments conducted to identify risks
  to the security and confidentiality of personal
  information
• All documents that set forth, assess, evaluate,
  question, challenge, contest or recommend changes
  to the security procedures, practices, policies,
  and defenses with respect to personal information
• All service providers that receive, maintain,
  process or otherwise are permitted to access
  personal information
• All documents that reflect, concern or relate to
  incidents of possible unauthorized access to
  personal information
• EU Privacy safe harbor compliance documentation

12
Communications Privacy

• Electronic Communications Privacy Act (ECPA)
• ECPA governs interception (wiretap), access to
  and disclosure by government and/or private
  entities of contents of communications, or
  transactional and routing information related to
  communications, by providers of communications
  services and remote computing services
• Computer Fraud and Abuse Act (CFAA)
• Prohibits hacking or accessing computers in
  violation of, or in excess of, authorization
• Telecommunications Act
• Every telecommunications carrier has a duty to
  protect the confidentiality of proprietary
  information of, and relating to, other
  telecommunication carriers, equipment
  manufacturers, and customers

13
Data Breach Statutes

• Data breach notification laws are pervasive
• 46 states, DC, Puerto Rico, and the Virgin
  Islands have breach notification requirements
• Some states require reporting to government
  agencies
• Triggers Vary
• Risk of harm
• Pure acquisition
• Encryption remains a key issue
• Creates safe harbor from state data breach notice
  laws
• Laptops, portable media (such as USB drives)
• Wireless transmission transmission over public
  network

14
Massachusetts Data Security Standards

• Regulation 201 CMR 17.00 (effective March 1,
  2010)
• Requires anyone that owns, licenses, stores or
  maintains residents personal information to
  develop and implement a comprehensive written
  information security program
• Requirements passed through to vendors
• Personal information is defined as
• Name plus SSN, drivers license number or other
  state-issued identification number, or credit or
  debit card number or other financial account
  number
• Applies to electronic or paper data

15
Massachusetts Data Security Regulations

• Collect only minimum personal information
  necessary
• Retain information only as long as necessary for
  purpose originally collected
• Limit access to those with need to know
• Promptly deactivate user name/password of
  terminated employee authorized to access personal
  information
• Encrypt personal information
• in transmission over Internet
• on all wireless transmissions
• on portable storage media
• Develop policy to regulate when and how personal
  information may be transported, stored and
  accessed off-site
• Develop policies for telecommuting
• Passwords required
• Monitor access to personal information and review
  audit trails

16
Other State Issues To Watch

• Social Security Number Protection laws that
  require special limitations on the collection,
  use and display of SSNs
• State Unfair and Deceptive Acts and Practices
  (UDAP) Statutes
• Secure Disposal Laws that require businesses to
  dispose of personal data records securely
• Privacy Torts Privacy invasions, negligence,
  misappropriation, defamatory speech, trespass to
  chattel, stalking, etc.
• RFID bills that prohibit the nonconsensual use or
  reading of RFID chips Missouri criminal law
  against employers requiring implants
• Medical or Genetic Privacy restrictions on the
  use of test results and the use, disclosure and
  protection of biometric data
• Employee Surveillance DE and CT have notice
  rules
• Locational Privacy restrictions on use of
  GPS-enabled devices
• Behavioral Tracking and Advertising

17
Privacy in Congress

• Cybersecurity
• ECPA USA PATRIOT Act
• Senators Kerry and McCain have lead on privacy
  bill
• fair information principles-based, omnibus
  privacy bill
• right for data subjects to receive a clear and
  concise notice of uses that they might not
  reasonably anticipate
• opt-out of unanticipated uses of PII opt-in
  consent required for uses of sensitive PII or
  third party transfer
• mechanism for individuals to access and correct
  PII
• new Commerce Office of Commercial Privacy Policy
• enforcement by state Attorneys General and FTC

18
White House

• 2011 as Year of Privacy?
• Chartering of inter-agency Subcommittee on
  Privacy and Internet Policy as part of National
  Science and Technology Councils Committee on
  Technology
• Focus on commercial privacy policy issues
• Address global privacy policy challenges and
  pursue coordinated policy around the globe
• Promote favorable environment for cross-border
  information flows
• Coordinate Administration positions on privacy
  and Internet legislation
• No privacy czar inter-agency committee
• White House Leadership

19
Federal Trade Commission Preliminary Staff
Report

• Protecting Consumer Privacy in an Era of Rapid
  Change A Proposed Framework for Businesses and
  Policymakers

20
FTC Vision of Privacy by Design

• Promote consumer privacy throughout the
  organizations and at every stage of the
  development of the products and services.
• Incorporate substantive privacy protections into
  practices, such as
• data security,
• reasonable collection limits,
• sound retention practices, and
• data accuracy.
• Maintain comprehensive data management procedures
  throughout the life cycle of products and
  services.

21
Doubly Broad Applicability

• All commercial entities that collect consumer
  data in both offline and online contexts,
  regardless of whether such entities interact
  directly with consumers
• For any data that can be reasonably linked to a
  specific consumer, computer, or other device

22
Three Key Principles

• Privacy by Design
• Internal safeguards by commercial entities
• Comprehensive business privacy programs
• Simplified Choice
• Just in time notice and consumer choice
• Standardized exceptions to the notice and
  choice
• Do Not Track (national analog to Do Not Call)
• Greater Transparency
• Consumer access to, and ability to correct,
  personal data
• Prominent notification and express affirmative
  consent required from consumers before a company
  uses consumer data in a materially different
  manner than notified at collection

23
Department of Commerce Green Paper

• Commercial Data Privacy and Innovation in the
  Internet Economy A Dynamic Policy Framework
• Draft White Paper (December ?)

24
Fair Information Practice Principles (FIPPs)

• Transparency
• Individual Participation
• Purpose Specification
• Data Minimization
• Use Limitation
• Data Quality and Integrity
• Security
• Accountability and Auditing

25
Privacy Impact Assessments (PIAs)

• PIAs would require organizations to identify and
  evaluate privacy risks arising from the use of
  personal information in new technologies or
  information practices
• The report contemplates that such PIAs would be
  prepared in sufficient detail and made public
• Purposes
• create consumer awareness of privacy risks in a
  new technological context
• help organizations to decide whether it is
  appropriate to engage in the particular activity
  at all, and to identify alternative approaches
  that would help to reduce relevant privacy risks

26
Commercial Privacy Policy Office
27
EU Impacts

• EU Data Protection Directive (1995)
• Limits on collection, processing, transfer, and
  export
• EU member states prohibit or restrict transfers
  of personal information to the United States
  unless certain compliance mechanisms are in place
• EU standards (derived originally from U.S. and
  OECD fair information principles) require
• Notice of collection and use of personal
  information
• Choice (consent) to uses of information
• Access to information to review, correct or
  expunge
• Integrity/security of data
• Enforcement/redress of privacy rights
• Member states differ significantly in approach

28
EU International Data Transfer Restrictions

• Articles 25 and 26 of the Data Protection
  Directive prohibit transfer of personal data to
  countries outside EEA that do not ensure an
  adequate level of protection
• Possible means for dealing with data transfers
  outside the EU include
• Consent but consent must be informed and freely
  given
• Model Contracts
• US Safe Harbor
• Binding Corporate Rules
• Article 26(1)(d) transfer necessary or legally
  required on important public interest grounds or
  for establishment, exercise or defence of legal
  claims
• Hague Convention compliance with request under
  Hague Convention provides formal basis for
  transfer of personal data but some EU Member
  States have not signed Convention or have signed
  with reservations regarding civil discovery

29
International Privacy
Argentina Cyprus Lithuania Lithuania Netherlands Netherlands Netherlands Italy Italy Spain Spain Spain
Tunisia Malta Estonia Estonia Austria Austria Austria Denmark Denmark France France France
Slovakia Czech Republic Czech Republic Czech Republic Czech Republic Ireland Ireland Ireland Finland Finland Germany Germany Germany
Iceland Greece Greece Slovenia Slovenia Slovenia Suisse Suisse Poland Poland Poland
Latvia Liechtenstein Liechtenstein Liechtenstein Liechtenstein Sweden Sweden Sweden Japan Japan Portugal Portugal Portugal
Luxembourg Belgium Belgium Belgium
Singapore Mexico Mexico Israel Israel Israel Israel Romania Romania Romania
Dubai Dubai Hungary Hungary Hungary
Chile South Africa Norway
Paraguay Hong Kong Canada Canada Canada
Russia Australia Australia Australia United Kingdom United Kingdom United Kingdom United Kingdom
Korea Korea New Zealand New Zealand New Zealand New Zealand New Zealand New Zealand
Taiwan United States United States United States United States
Bulgaria
Malaysia Serbia
Bosnia China China China China
Africa Many Latin American countries Many Latin American countries Many Latin American countries Many Latin American countries
Most Asian countries Most Asian countries Most Asian countries


30
Uncertainty in the Clouds

• Not specifically regulated but a plethora of
  divergent laws and enforcement approaches apply
  around the world
• Many laws relating to data privacy are outdated
  and it is unclear how they will be applied in
  Cloud circumstances
• Laws of multiple jurisdictions may apply to
  transactions involving a single data set
• Transferring data to a Cloud provider may lead to
  ambiguity regarding data protections
• Liability for, and uncertainty about duties for
  responding to, data breaches, unauthorized
  access, loss of data, demands for access to data

31
Top Cloud Issues to Consider

• Where Are the Data? Territorial jurisdiction
  continues
• Privacy/Security Requirements
• Incident Response and Control
• Outages / Disaster Recovery
• Service Levels / Speed
• Termination / Migration to a Different Provider
• Insurance / Indemnification / Risk Shifting
• Government and Litigant Access to Information

32
Threat of Cloud Balkanization Complying with EU
Privacy Law?

• Leading EU Parliamentarians are concerned about
  the US governments ability to seek and obtain
  information without notice to data subjects in
  the name of national security
• Does the Commission consider that the U.S.
  PATRIOT Act thus effectively overrules the E.U.
  Directive on Data Protection? What will the
  Commission do to remedy this situation, and
  ensure that E.U. data protection rules can be
  effectively enforced and that third country
  legislation does not take precedence over E.U.
  legislation?Essentially what is at stake is
  whether Europe can enforce its own laws in its
  own territory, or if the laws of a third country
  prevail.

33
Beginning of a Digital Trade War?

• Bloomberg (9/13/11) Deutsche Telekom Wants
  German Cloud to Shield Data From U.S.
• Deutsche Telekom AG's T-Systems information
  technology unit is pushing regulators to
  introduce a certificate for German or European
  cloud operators to help companies guard data from
  the U.S. government.
• The Americans say that no matter what happens
  I'll release the data to the government if I'm
  forced to do so, from anywhere in the world,'
  Clemens said. Certain German companies don't
  want others to access their systems. That's why
  we're well-positioned if we can say we're a
  European provider in a European legal sphere and
  no American can get to them.
• Clemens said A German cloud would be a safe
  cloud.

34
CNIL (French DPA)

• CNIL has facilitated the use of outsourcing
  services performed in France on behalf of
  non-European companies (15 March 2011)
• Exempts required notification to CNIL for
  processing performed in the field of human
  resources and clients and prospects management by
  French service providers acting on behalf of
  companies established outside the European Union.
  
• CNIL wants to be realistic and pragmatic in
  applying the French law to such situations
  ensure a high level of protection of personal
  data while, at the same time, generating
  practical solutions in order not to hamper the
  development of service provisions propositions by
  French companies.
• CNIL decided to exempt from declaration the
  processing of human resources, client management
  and prospects files. This exemption relates to
  the processing performed by French service
  providers on behalf of data controllers
  established outside the EU.
• CNIL wishes to encourage a reflection on how to
  improve and make more effective the rules
  relating to the national applicable law. The
  revision of the EU Directive, currently in
  progress, certainly provides a unique opportunity
  to embark on this path.

35
Google All Governments Seek Data

• Google statistics on the number of requests it
  receives for the personal data of its users from
  governments around the world
• Governments of France, Germany, Italy, Spain, the
  United Kingdom, and the Netherlands all submitted
  significant numbers of requests for user data
• Other government requests do not seem
  disproportionately more circumspect or privacy
  protective than the number of requests received
  from the U.S. government
• Accordingly, it not useful or accurate to single
  the United States out as significantly more
  intrusive on the Internet than other governments

36
Government Access National Security

• US and European governments have similar
  approaches to the balance between privacy and
  national security
• USA PATRIOT Act provides the FBI access to any
  business record with a court order, and expands
  the governments ability to obtain records
  pursuant to a National Security letter probable
  cause warrant or equivalent typically required
  for acquisition of communications or sensitive
  information
• EU Data Protection Directive Article 13
  specifically exempts national security from
  otherwise applicable privacy protections
• EU Treaty of Lisbon, which ensured personal data
  protection in the EU, expressly allows member
  countries to impose derogations on personal
  privacy where necessary for national security
  purposes
• Specific European countries, such as the
  Netherlands and Spain, have created carve-outs in
  personal data privacy protections for activities
  conducted under the rubric of national security
  or certain law enforcement activities.
• Some Europeans have exaggerated the differences
  between US and EU law regarding governmental
  access to personal data for national security
  purposes

37
Corporate Cloud Strategies

• Recognize that Cloud legal issues concern B2B as
  well as consumer (privacy) issues
• Take stock of where in the world your data are
  (conduct data inventory and track flows of)
  personal information, IP and trade secrets, HR
  data, other valuable information assets
• Engage in careful contracting preserve control,
  reduce risk of disclosure, assign security
  obligations and enforcement costs
• Affirmatively deny consent to interception or
  disclosure of data conveyed by/through Cloud
  provider to governments or litigants
• Require notification of breach/disclosures/request
  s for data
• Deny access unless specifically authorized in
  advance or compelled by law (in which case
  notification is requested)
• Require maximum possible resistance to disclosure
• Determine access controls and encryption protocols

38
Privacy Challenges in Social Media

• Internal Challenges
• Mosaic leakage
• Whistle-blowers
• Employee leakage

• External challenges
• Customers
• Hacktivists
• Hackers
• Journalists
• Regulators

39
German Ban on Like Button

• From a German law perspective, any company
  operating a Facebook fanpage and using Facebook
  Insight as a service may well be considered to
  have a data processing relationship with Facebook
• Schleswig-Holstein DPA Thilo Weichert ordered
  businesses to remove the Facebook  like button
  from their websites and shut down so-called fan
  pages
• Weichert emphasized that the wording in the
  conditions of use and privacy statements of 
  Facebook  do not meet the legal requirements for
  compliance of legal notice, privacy consent, and
  general terms of use

40
Privacy in Social Media Google Buzz

• FTC charged that Google used deceptive tactics
  and violated its own privacy promises to
  consumers when it launched a social network by
  pulling information from Gmail accounts
• Buzz settlement is the first to require
  implementation of a comprehensive Privacy by
  Design program to protect the privacy of
  consumers information, including
• Risk assessment to identify reasonably-foreseeable
  risks and assess the sufficiency of safeguards
• Regularly test or monitor the effectiveness of
  the programs key privacy controls and procedures
• Settlement mandates a compliance and reporting
  program, including biennial assessments and
  reports from a qualified, independent third-party
  

41
NLRA Claims
Whether it takes place on Facebook or at the
water cooler, it was employees talking jointly
about working conditions . . . and they have a
right to do that. -- Lafe Solomon, GC of the
NLRB, on the Facebook firing case

• NLRA claims challenge employer decisions and
  policies that interfere with employees right to
  engage in concerted activity.
• NLRA protects all employees regardless of union
  status.
• Recently, NLRB has issued complaints against
  employers in the context of social networking.
• The NLRB has also issued advice memoranda
  addressing social networking issues.

42
Employment Privacy Issues

• Duty to investigate sites where it knows of facts
  or has reliable objective evidence that would
  lead a reasonably prudent person to investigate a
  prospective or current employee
• Past history or recent threats of violence
• Complaints of harassment, sexual or otherwise
• Knowledge of other conduct such as involvement
  in racist or hate groups that could create
  liability for the company
• Employer responsible for employee posts on
  his/her blog during non-work hours on non-work
  equipment? It depends . . .
• The nature of the post
• Whether the employee clearly identified himself
  or herself as an individual (as opposed to an
  employee of the company)
• Whether the individual truly acts as an
  individual, with no apparent nexus to the
  company

43
Employment Privacy Issues To Monitor or Not To
Monitor

• Steps Forward

• Steps to Avoid

• Use to screen in and screen out applicants
• Bona fide qualifications
• Honesty in resume
• Get FCRA Consent
• Obey terms of use
• Use consistent approach
• Use non-decision maker
• Investigate when prudent

• Private sites
• Protected groups
• Protected activities (wages, hours, safety)
• Consumption Statutes
• Lifestyle Discrimination
• California prohibits discrimination for any
  off-dutyconduct

44
Corporate Strategies Assessment

• Factual assessment
• Map how personal data is collected, stored and
  transferred
• Cultural assessment
• Assess privacy training and employee awareness
• How does privacy fit within the goals of the
  organization?
• Legal assessment
• Analyze existing policies and procedures
• Review vendor contractual provisions
• Find a transborder data flow solution
• Review website policies
• Labor Unions / Workers councils
• Registrations with DPAs
• Security assessment
• Document information security vulnerabilities and
  protections
• Third party service providers and their policies

45
Mind the Common Compliance Gaps

• The ability to deliver on privacy and security
  compliance obligations is often outpaced by
  market, technological, and organizational
  changes
• Vendors, Vendors, Vendors
• New Technologies
• Analog Problems in a Digital World
• People, People, People
• Wireless and Slippery Devices
• Organizational Commitment

46
Shift to Information Governance

• Paradigm shift in which privacy becomes merely a
  part of information governance
• Duties of privacy officers expanding or being
  subsumed
• Information Security
• Privacy
• Marketing
• Customer Sales
• Records Management
• eDiscovery

47
Key Insights

• The issue is information governance collection,
  use, sharing, security, eDiscovery, retention and
  disposal
• Focus on data security, particularly due
  diligence over Internet systems and service
  providers
• Clear legal obligations will generally lag
  industry standards, reasonable practices, and new
  technologies
• Include privacy in the design of new projects
• Ensure board and senior management involvement

48
Ten Items to Worry About

• Locational privacy geo-located ubiquitous mobile
  web devices
• Security Will cybersecurity overwhelm privacy?
• Children Protecting digital natives, without
  breaking the web
• Smart grid Will appliances become surveillance
  machines?
• Face recognition Will useful apps enable mass
  surveillance?
• Privacy Notices Are privacy policies useful?
  What is next?
• Anonymization Is everything on a spectrum of
  identifiability?
• Analyzing social media Birds of a feather.
• Droit a l'Oubli Is forgetting censorship?
• Conflicts in the cloud Is the global web
  balkanizing?

49

• Edward McNicholas
• Partner
• Sidley Austin LLP
• 1501 K Street, NW
• Washington, DC 20005
• (202) 736-8010
• www.sidley.com/infolaw

This presentation has been prepared by Sidley
Austin LLP as of November 14, 2011, for
educational and informational purposes only. It
does not constitute legal advice. This
information is not intended to create, and
receipt of it does not constitute, a
lawyer-client relationship. Readers should not
act upon this without seeking personalized advice
from professional advisers. Sidley Austin LLP, a
Delaware limited liability partnership which
operates at the firms offices other than
Chicago, London, Hong Kong, Singapore and Sydney,
is affiliated with other partnerships, including
Sidley Austin LLP, an Illinois limited liability
partnership (Chicago) Sidley Austin LLP, a
separate Delaware limited liability partnership
(London) Sidley Austin LLP, a separate Delaware
limited liability partnership (Singapore) Sidley
Austin, a New York general partnership (Hong
Kong) Sidley Austin, a Delaware general
partnership of registered foreign lawyers
restricted to practicing foreign law (Sydney)
and Sidley Austin Nishikawa Foreign Law Joint
Enterprise (Tokyo). The affiliated partnerships
are referred to herein collectively as Sidley
Austin, Sidley, or the firm.