Privacy And Data Security Risk Management And Avoidance - PowerPoint PPT Presentation
Presented by Amy C. Purcell, Esq. and Scott L. Vernick, Esq., DELVACCA Labor & Employment Committee (PowerPoint PPT presentation)
Privacy And Data Security Risk Management And Avoidance
  • Presented by
  • Amy C. Purcell, Esq.
  • Scott L. Vernick, Esq.
  • DELVACCA Labor & Employment Committee
  • March 4, 2010

Topics For Discussion
  • Why do you need a response plan?
  • What is a data security breach?
  • Responding to a data security breach
  • State requirements and legislative update
  • Regulatory enforcement and litigation

2009 Statistics
  • Identity Theft Resource Center reports 498
    breaches during 2009, exposing over 222,000,000
  • 656 breaches during 2008, exposing 35,000,000
  • 26% of reported breaches were paper records
  • Of the 498 breaches, only 6 reported that the
    data was encrypted or protected by some other
    security feature
  • Malicious attacks have surpassed human error

Cost Of A Data Security Breach
  • Based on the results of a 2009 study, the average
    cost of a data security breach is $6.75m.
  • $204 per record
  • Includes direct costs (communications,
    investigations, legal) and indirect costs (lost
    business, public relations)
  • Compare to costs of having preventative measures
    in place such as privacy and security policies,
    training and encrypting sensitive information

Data Breaches Employee Personal Information
  • CVS Caremark Corporation (2007)
  • Discarded clearly readable materials containing
    personal information of consumers and employees
    in publicly accessible trash dumpsters
  • Prescription bottles, pharmacy labels, computer
    printouts, credit card receipts and employee
  • Entered into consent order with the FTC
  • Paid $2.25 million to settle related HIPAA

Data Breaches Employee Personal Information
  • Aetna Inc. (May 2009)
  • Exposed 450,000 current, former and prospective
    employees' personal information by allowing
    hackers to gain access to a job application
  • Discovered breach because individuals received
    spam e-mails that appeared to come from Aetna and
    purported to be a response to a job inquiry
  • Notified 65,000 current, former and potential
  • Class action lawsuit pending in District Court
    for the Eastern District of Pennsylvania

Data Breaches Employee Personal Information
  • Federal Trade Commission (Feb. 2010)
  • Notified almost 100 organizations that personal
    information about their customers, students or
    employees had been shared from their computer
    networks on peer-to-peer file sharing sites
  • Urged organizations to review their internal
    security procedures, as well as the procedures of
    their third-party service providers
  • Recommended that companies identify affected
    individuals and consider whether to notify them
    of potential risks

Data Breaches Employee Personal Information
  • Department of Veterans Affairs (May 2006)
  • Laptop computer and disk stolen from home of VA
  • Contained personal information of 26.5 million
    veterans who served in the military and have been
    discharged since 1976
  • Recovered by FBI with no evidence of unauthorized
  • Under class action settlement, VA agreed to pay
    $20 million to defendants who were harmed by
    incident, either physical manifestations of
    emotional distress or cost of credit monitoring

What Is The Objective? Fill In The Gap
  • Protection
  • Compliance
  • Audits
  • Criminal prosecution
  • Civil prosecution

How To Manage The Data Security Breach
Why Do You Need A Response Plan?
  • Thoughtful and prepared reaction
  • Better decision making
  • Minimized risk and loss
What Is A Data Security Breach?
  • A breach of the security of the system that
    involves unencrypted computerized personal
    information that has been, or is reasonably
    believed to have been, acquired by an
    unauthorized person.
  • State statutes require notification to affected
    individuals and, in certain instances, regulatory
    agencies and law enforcement.

What Is A Data Security Breach?
  • Personal information
  • First name or initial and last name with one or
    more of the following (when either name or data
    element is not encrypted)
  • Social security number
  • Driver's license number
  • Credit card or debit card number or
  • Financial account number with information such as
    PINs, passwords or authorization codes.
  • Some states have expanded the definition to
    include medical information or health insurance

What Is A Data Security Breach?
  • Breach of the security of the system
  • Some states expressly require notice of
    unauthorized access to non-computerized data
  • New York: lost or stolen computer or other
    device containing information, or information
    has been downloaded or copied
  • Hawaii and North Carolina: data includes
    personal information in any form (whether
    computerized, paper, or otherwise)

What Is A Data Security Breach?
  • Generally, only need reasonable belief the
    information has been acquired by unauthorized
    person to trigger notification requirements
  • Certain states require risk of harm
  • Arkansas: no notice if no reasonable likelihood
    of harm to customers
  • Michigan: no notice if not likely to cause
    substantial loss or injury to, or result in,
    identity theft

What Is A Data Security Breach?
  • Distinguish between entity that owns or
    licenses data and entity that maintains data
  • Data owner has ultimate responsibility to notify
    consumers of a breach
  • Non-owners required to notify owners

Collect Relevant Documents and Information
  • Data location lists
  • Confidentiality agreements
  • Customer contracts
  • Third-party vendor contracts
  • Privacy policy
  • Information security policy
  • Ethics policy
  • Litigation hold template
  • Contact list

Create A First Response Team
  • Information technology (computer technology)
  • Information security (physical security access)
  • Human resources (private employee information:
    health/medical, payroll, tax, retirement)
  • Legal counsel (in-house and/or outside counsel)
  • Compliance
  • Business heads (consumer information)
  • Public relations/investor relations

Assign Tasks To Members Of The First Response Team
  • Establish a point person
  • Identify key personnel for each task
  • Prioritize and assign tasks
  • Calculate timelines and set deadlines
  • Communicate with management
  • Establish attorney-client privilege for
    investigation and communications

Project Management Is Critical
Determine The Nature And Scope Of The Breach
  • Investigate facts
  • Interview witnesses
  • Determine type of information that may have been
  • Identify and assess potential kinds of liability
  • Identify individuals potentially at risk and
    determine state or country of residence

Preserve Company's Assets, Reputation and
Understand Data Breach Notice Laws
  • State laws
  • What constitutes personal information?
  • When is a notice required?
  • Who must be notified?
  • Timing?
  • What information must be included in the notice?
  • Method of delivering notice?
  • Other state specific requirements?
  • Applicable industry-specific laws
  • Applicable international laws

Determine Appropriate Notices
  • Consumers
  • Employees
  • Law enforcement (Federal/State)
  • Federal regulatory agencies
  • State agencies
  • Consumer reporting agencies
  • Third-party vendors
  • Insurers
  • Media

Prepare State Law Notices
  • General description of the incident
  • Type of information that may have been
  • Steps to protect information from further
    unauthorized access
  • Contact information (e.g., email address 1-800
  • Advice to affected individuals (e.g., credit
    reporting, review account activity)

Prepare State Law Notices
  • Delivery method (e.g., certified letters, e-mail,
  • Timing of notices
  • Tailor notices based on recipient
  • Use single fact description for all notices

State Laws - California
  • State involvement began in California, after
    series of breaches received national attention
  • Passed in 2002, went into effect in mid-2003
  • Served as a model for later state statutes
  • Today, 45 states, the District of Columbia,
    Puerto Rico and the US Virgin Islands now have
    breach notification laws

State Laws - California
  • Applies to any business that owns or licenses
    or maintains computerized data that includes
    personal information
  • Requires notices to California resident if
    unencrypted personal information was, or is
    reasonably believed to have been, acquired by an
    unauthorized person

State Laws - California
  • Personal information includes
  • Medical information: an individual's medical
    history, mental or physical condition, or medical
    treatment or diagnosis by a health care
  • Health insurance information: an individual's
    health insurance policy number or subscriber
    identification number, any unique identifier used
    by a health insurer to identify the individual,
    or any information in an individuals application
    and claims history, including any appeal records

State Laws - Massachusetts
  • Applies to information regardless of physical
    form (includes paper)
  • Unencrypted data, or encrypted electronic data
    together with the confidential process or key
  • Data encrypted at 128-bit or higher algorithmic
    process is not a security breach, unless the
    encryption key is also lost

State Laws - Massachusetts
  • Requires notice as soon as practicable and
    without unreasonable delay
  • Requires business that owns or licenses data to:
  • Attorney general
  • Director of consumer affairs and business
  • Director shall identify and report to any
    relevant consumer reporting agencies and state
  • Affected Massachusetts resident

State Laws - Massachusetts
  • State statute also requires the department of
    consumer affairs to adopt data security
    regulations Standards for the Protection of
    Personal Information of Residents of the
    Commonwealth of Massachusetts
  • Regulations went into effect on March 1, 2010

State Regulations - Massachusetts
  • Applies to entities that own or license personal
    information of a Massachusetts resident
  • Explicitly includes personal information in
    connection with employment
  • Requires entities to develop, implement and
    maintain a written data security program
  • Must take into account an entity's size, nature
    of its business, type of records it maintains and
    risk of identity theft posed by entity's
  • Must include certain administrative, technical
    and physical safeguards

State Regulations - Massachusetts
  • Requires entities to take steps to select and
    retain third-party service providers that are
    capable of appropriately safeguarding personal
  • Requires entities to impose contractual
    obligations on their third-party service
    providers to safeguard personal information

State Laws - Pennsylvania
  • Applies to an entity that maintains, stores or
    manages computerized data
  • Requires notice to any resident whose
    unencrypted and unredacted personal information
    was or is reasonably believed to have been
    accessed and acquired by an unauthorized person
  • Definition of personal information has not been
    expanded to include medical or health insurance
  • Notice shall be made "without reasonable delay"
  • Requires notice to all consumer reporting
    agencies that compile and maintain files on
    consumers on a nationwide basis if the entity
    provides notification, under the statute, to more
    than 1,000 persons at one time

State Laws - New Jersey Proposed Rules
  • Requires businesses to implement a comprehensive
    written information security program
  • If disclosure required under state statute, in
    advance of disclosure to affected individuals,
    business shall notify the Division of State
    Police of the Department of Law and Public Safety
  • Disclosure to affected individuals and/or the
    State Police is not required if misuse of the
    personal information accessed is not reasonably
  • Requires destruction of documents that contain
    personal information if a business is not
    required to retain such documents under its
    record retention policy

Prepare Answers To Inquiries
  • Draft FAQs with responses
  • Establish hotline
  • Assign group of contact employees
  • Train employees to respond to inquiries
  • Develop clear escalation path for difficult
  • Track questions and answers

Prepare Press Release
  • Include the following information
  • Facts surrounding the incident
  • Actions to prevent further unauthorized access
  • Steps to prevent future data security breaches
  • Contact Information for questions
  • Review by legal counsel

Consider Offering Assistance To Affected
  • Free credit reporting
  • Free credit monitoring with alerts
  • ID theft insurance
  • Access to fraud resolution specialists
  • Toll-free hotline

Enforcement Actions
  • Federal Trade Commission: Section 5 of FTC Act
  • Enforce privacy policies and challenge data
    security practices that cause substantial
    consumer injury
  • State Attorney General: State Notification
  • Connecticut: "Failure to comply . . . shall
    constitute an unfair trade practice . . ."
  • Virginia: "The Attorney General may bring an
    action to address violations. Moreover,
    nothing in this section shall limit an
    individual from recovering direct economic
  • Litigation in federal or state courts

FTC Actions: CVS Caremark Corporation
  • In June 2009, the FTC filed a complaint against
    CVS Caremark Corporation for violations of the
    Federal Trade Commission Act
  • FTC investigated in response to reports from
    television stations and other media outlets that
    reported finding personal information of
    consumers and employees in dumpsters used by CVS
    pharmacies in at least 15 cities throughout the
    United States
  • In its complaint, the FTC stated that CVS
    routinely obtains information from or about its
    customers and also collects sensitive
    information from or about its employees,
    including, but not limited to, Social Security

FTC Actions: CVS Caremark Corporation
  • FTC complaint alleged that CVS failed to provide
    reasonable and appropriate security for personal
    information because it did not
  • Implement policies and procedures to dispose
    securely of personal information (including
    making the information unreadable at the time
    of disposal)
  • Train employees to dispose securely of personal
  • Use reasonable measures to assess compliance
    with its established procedures for disposal of
    personal information
  • Employ a reasonable process for discovering and
    remedying risks to personal information

FTC Actions: CVS Caremark Corporation
  • Consent order (dated June 2009)
  • Expressly stated that definition of personal
    information shall include an employee, and an
    individual seeking to become an employee
  • Required CVS to:
  • Establish, implement and maintain a written
    comprehensive information security program
    reasonably designed to protect the security,
    confidentiality, and integrity of personal
  • Obtain initial and biennial assessments and
    reports from a qualified, objective, independent
    third-party professional, who uses procedures and
    standards generally accepted in the profession
    for 20 years
  • Make available to the FTC (upon request) for
    inspection and copying documents relating to
  • File with FTC a report setting forth in detail
    the manner and form in which it has complied
    with consent order

Other FTC Actions
  • Other FTC settlements
  • ValueClick (civil penalties $2,900,000)
  • Goal Financial
  • Life Is Good
  • Premiere Capital Lending, Inc.
  • Reed Elsevier Inc.

CT Attorney General Action: Blue Cross and Blue Shield
  • Data contained on stolen laptop included names,
    addresses, taxpayer identification numbers and
    social security numbers of approximately 19,000
    health care providers in CT
  • CT statute requires notice without reasonable
  • In November 2009, the CT Attorney General
    instituted an investigation regarding whether
    waiting 2 months to notify affected individuals
    violated the CT statute
  • CT Attorney General stated that failure to comply
    with the state statute constituted an unfair
    trade practice and may subject BCBS to fines of
    up to $5,000 for each affected resident and
    require BCBS to provide restitution to these

NY Attorney General Action: CS Stars LLC
  • Theft of computer containing personal information
    of approximately 540,000 workers compensation
    recipients discovered on May 9, 2006
  • CS Stars LLC maintained personal information
  • CS Stars notified data owner of potential
    breach on June 29, 2006
  • Data owner notified appropriate entities and
    consumers immediately
  • FBI recovered computer
  • No unauthorized use of personal information

NY Attorney General Action: CS Stars LLC
  • Attorney General criticized delay between
    discovery of missing computer and CS Stars'
    notification to data owner
  • Settlement (April 2007) required CS Stars to:
  • Implement precautionary measures to safeguard
  • Comply with New York data breach notification
    statute in the event of any future breach
  • Pay $60,000 to cover costs related to

CT Dept. of Consumer Protection Action: Bank of New York Mellon
  • Lost backup tape containing personal information
    of more than 600,000 Connecticut residents
  • Governor of Connecticut directed Commissioner of
    the Department of Consumer Protection to pursue
    all remedies available to affected Connecticut
  • BNY Mellon notified each affected consumer and
    provided 24 months of credit protection
  • To date, BNY has spent over $3.48 million to
    provide credit protection

CT Dept. of Consumer Protection Action: Bank of New York Mellon
  • Settlement required BNY Mellon to:
  • Reimburse consumers for any funds stolen as a
    direct result of breach
  • Pay $150,000 to the State of Connecticut

Litigation: Typical Claims By Plaintiffs
  • Plaintiffs (consumers or employees) typically
    allege the following causes of action
  • Common law claims of negligence, breach of
    contract, breach of implied covenant or breach of
    fiduciary duty
  • Claims for violations of state consumer
    protection statutes (deceptive/unfair trade
    practices acts)

Litigation: Plaintiffs Lack Standing
  • Certain courts have dismissed data breach cases
    on ground of standing.
  • Hinton v. Heartland Payment Sys., Inc., Civ. A.
    No. 09-594, 2009 U.S. Dist. LEXIS 20675 (D.N.J.
    March 16, 2009)
  • "Increased risk of fraud and identity theft do not
    constitute actual or imminent injury in fact
    and amount to nothing more than mere
  • Amburgy v. Express Scripts, Inc., Civ. A. No.
    09-705, 2009 U.S. Dist. LEXIS 109100 (E.D. Miss.
    Nov. 23, 2009)
  • "Plaintiff does not claim that his personal
    information has in fact been stolen and/or his
    identity compromised."
  • For plaintiff to suffer the injury and harm he
    alleges here, many ifs would have to come to

Litigation: Plaintiffs Have Standing
  • However, "the recent trend in lost data
    cases, . . . seems to be in favor of finding
    subject matter jurisdiction" (i.e., standing).
    McLoughlin v. People's United Bank, Inc., Civ. A.
    No. 08-944, 2009 U.S. Dist. LEXIS 78065, at *12
    (D. Conn. Aug. 31, 2009).
  • Pisciotta v. Old Nat'l Bancorp., 499 F.3d 629
    (7th Cir. 2007) (injury in fact satisfied by
    threat of future harm or increasing the risk
    of future harm)
  • Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal.
    2009) (increased risk of identity theft
    constituted sufficient injury in fact for
    purposes of standing)
  • Caudle v. Towers, Perrin, Forster & Crosby, 580
    F. Supp. 2d 273 (S.D.N.Y. 2008).

Litigation: Plaintiffs Cannot Prove Damages
  • Pisciotta v. Old Nat'l Bancorp.: customers
    sought compensation for past and future credit
    monitoring services, after hacker obtained access
    to their personal information through bank
  • Seventh Circuit affirmed district court decision
    granting defendant bank's motion for judgment on
    the pleadings and dismissed claims for negligence
    and breach of contract
  • Exposure to identity theft or increased risk of
    identity theft, without more, does not constitute
    compensable injury or a harm that the law is
    prepared to remedy
  • Credit monitoring costs do not constitute
    compensable damages

Litigation: Plaintiffs Cannot Prove Damages
  • Ruiz v. Gap, Inc.: laptop computer stolen, which
    contained approximately 750,000 Gap job
    applications (including name and social security
  • Court granted defendant's motion for summary
    judgment and dismissed claims for negligence and
    breach of contract
  • At a minimum, Ruiz would be required to present
    evidence establishing a significant exposure of
    his personal information
  • Because Ruiz has not been a victim of identity
    theft, he can present no evidence of appreciable
    and actual damage as a result of the theft
  • Ruiz cannot show he was actually damaged by
    pointing to his fear of future identity theft

Litigation: Unusual Court Rulings
  • Caudle v. Towers, Perrin, Forster & Crosby:
    laptop computer stolen from employer's pension
    consultant, which contained personal information
    (including name and social security no. of
  • Employee named employer's pension consultant as a
    defendant, but did not include employer
  • Court granted defendant's motion for summary
    judgment and dismissed claims for negligence and
    breach of fiduciary duty
  • Court denied motion with respect to claim that
    plaintiff was third-party beneficiary of contract
    between defendant and plaintiff's employer

Litigation: Unusual Court Rulings
  • Rowe v. UniCare Life & Health Ins. Co., Civ. A.
    No. 09-2286, 2010 U.S. Dist. LEXIS 1579 (N.D.
    Ill. Jan. 5, 2010): personal information of
    plaintiff was temporarily accessible to the
    public on defendant's Internet website
  • In deciding motion to dismiss, Court found that
    plaintiff satisfied minimal pleading standard and
    allowed claims to proceed
  • But, the Court stated that claims may ultimately
    be dismissed if plaintiff cannot show a basis for
    damages other than alleged increased risk of
    future harm such as identity theft
  • "Plaintiff may prevail only if he can show that
    he suffered from some present injury beyond the
    mere exposure of his information to the public."

Avoid Future Data Security Breaches
  • Limit access to personally identifiable
  • Encryption
  • Establish privacy compliance program
  • Train and test employees
  • Periodic audits
  • Update and revise procedures
  • Enhance technology to strengthen security and
    reduce risk
  • Credential third party vendors

Contact Information
  • Amy C. Purcell, Esquire
  • 215.299.2798
  • Scott L. Vernick, Esquire
  • 215.299.2860