DATA PRIVACY & SECURITY
LEGAL REQUIREMENTS AND BEST PRACTICES
Deborah Shinbein, Esq., CIPP, Data Law Group, LLC
AGENDA
Overview of selected privacy/security laws
Recommended privacy/security policies
Data breach planning and response
Monitoring compliance of your service providers
This presentation is just a brief overview of applicable laws, security precautions, and other considerations; there are many more!
INITIAL ASSESSMENT
There are numerous different state and federal laws and regulations governing the collection, use, and security of personally identifiable information (“PII”).
Perform an assessment to determine which are applicable to your entity:
What type of PII do you have?
From where is the PII collected?
In what format(s) is the PII stored?
How is the PII used today? Future plans?
Is the PII shared with others (service providers, other parties)?
From which states/countries is PII obtained?
STATE INFORMATION SECURITY LAWS
Many state laws are applicable to PII, including security, destruction, use, transfer, and breach notification. Applicable based on either/both:
Location of the data subject (scholarship applicant, donor, etc.), or
Location of the entity
Various definitions of PII in different state laws:
Typically SSN, driver's license, credit/debit or financial account number with password
Sometimes other user ID number with password, biometric data, or other identifiers
STATE INFORMATION SECURITY LAWS
The most stringent state information security law: MA 201 CMR 17.00
Requires implementation of a Written Information Security Plan (“WISP”) and specific security measures:
Administrative, technical & physical measures
Reasonable collection, storage of PII
Encryption requirements for electronic records
Entities have a legal responsibility to “oversee” service providers:
Take reasonable steps to select and retain providers capable of maintaining appropriate security measures for PII
Contractually require service providers to implement and maintain appropriate security measures for PII
STATE INFORMATION SECURITY LAWS
CO 6-1-713. Disposal of personal identifying documents
Public and private entities in CO that use documents containing PII must develop a policy for the destruction or proper disposal of paper documents containing PII.
PII means: social security #; personal identification #; password; driver's license or state ID; passport #; biometric data; employer, student, or military ID #; or a financial transaction device.
STATE INFORMATION SECURITY LAWS
CA requires businesses that own or license PII about residents of CA to:
Implement and maintain “reasonable” security procedures and practices to protect PII from unauthorized access, destruction, use, modification or disclosure, and
Contractually require nonaffiliated third parties that receive the PII to also maintain reasonable security procedures
EMPLOYEE PRIVACY
Various state and federal requirements apply to how an entity handles the collection, use, disclosure, safeguarding and disposal of its employee information.
Background checks: The FCRA requires prior disclosure and written consent when an employer requests a consumer report about the individual from a consumer reporting agency. There are special considerations if an employer plans to use the information in the consumer report in connection with an “adverse action” such as not hiring or promoting, rescinding a job offer, etc.
Employee monitoring: various laws require entities to develop comprehensive communications policies that govern the use of the employer’s laptops, mobile devices, etc. and to provide employees with clear notice of the entity’s communications monitoring practices.
FERPA – FEDERAL EDUCATION RIGHTS AND PRIVACY ACT
Applies to any entity with educational data which accepts any amount of funds from the federal government
Covered data: “Student education records,” broadly defined: records, files, or documents that contain information directly related to a student and that are maintained by or for an educational agency or institution
Includes PII such as name, address, SSN, DOB, other PII
Requires reasonable security measures to prevent unauthorized access/disclosure of records
FERPA (CONT.)
Limits disclosure of education records without written parent or eligible student consent. Consent requirements include:
Written consent including signature and date
Must identify:
Specific records to be disclosed
Purpose of disclosure
To whom disclosure may be made (parties/classes of parties)
Certain exceptions to consent requirement:
Access by “school officials” with legitimate educational interest
Anonymous or de-identified information
Information provided in connection with financial aid
Provided to schools to which the student seeks to enroll or has already enrolled
FERPA (CONT.)
Recent guidance re: “school official” exception
May include third party providers if all requirements are met:
Performs an institutional service or function for which the school/district would otherwise use its own employees
Must be under the “direct control” of the school/district regarding use/maintenance of records
Uses records only for authorized purposes (including the purpose for which it was disclosed), and does not re-disclose PII to other parties without authorization
School/district should enter into a contract restricting the vendor from using PII for unauthorized purposes and providing the ability to direct the vendor to use, transfer, or delete records only at the instruction of the school/district
Online terms of service must comply with FERPA or the school/district can’t use the exception
Parents/eligible students must be granted access to the records
FERPA (CONT.)
Dept. of Education recent guidance re: best practices for contracting with online service providers:
Establish policies and procedures to evaluate and approve vendors prior to implementation
Use a written contract when possible, to maintain required “direct control” over the use and maintenance of student data
Address data ownership, responsibilities in the event of breach, and minimum security controls
Specify information to be collected
Define purposes for which provider may use information, and limit to those uses
Specify whether school, parents, and students will be permitted to access the data, and describe the process to obtain access
Establish procedures for modifying and terminating the agreement, and how information will be disposed upon termination
Indemnification obligations and what the provider must do to remedy violation of laws/compensate the school for violation
Employ extra caution when using click-wrap terms
Be transparent w/ parents & students about how the school collects, shares, protects and uses student data (in addition to required notices under FERPA and PPRA)
Consider on a case-by-case basis whether obtaining parental consent may be appropriate (even if not required by FERPA)
GRAMM LEACH BLILEY ACT (GLBA)
Applies to any “Financial Institution,” defined as any U.S. company that is “significantly engaged” in financial activities. It regulates management of “personally identifiable financial information” provided to a financial institution by a consumer, or that results from a transaction or service performed for the consumer, or is otherwise obtained by the financial institution.
Safeguards Rule requires companies to develop a WISP that describes their program to protect customer information:
Physical, technical, administrative safeguards appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles
Select service providers that can maintain appropriate safeguards, require this by contract, and oversee their handling of PII
Numerous other requirements
IMPORTANT SECURITY POLICIES
Organizations with PII or other confidential information should implement certain important policies for data security.
Several of the laws and regulatory requirements discussed earlier require a written information security plan (“WISP”), which is an overarching policy about all things data security within the organization.
Best practices mandate additional policies and procedures to ensure employees are aware of requirements, to prepare for breaches, and to address other matters not included in the WISP.
WRITTEN INFORMATION SECURITY PLAN
WISP should contain the following basic terms, although requirements vary based on specific laws/regulations:
1. Definition of information covered (applicable laws)
State laws - personal information (typically SS#, driver's license, credit card, account information)
GLBA - consumer financial transaction data
HIPAA – protected health information
PCI - cardholder data
WRITTEN INFORMATION SECURITY PLAN (CONT.)
2. Designate a Data Security Coordinator. Required duties vary based on laws/regulations:
Implement and enforce the WISP
Train employees
Evaluate vendors for security compliance
Grant appropriate access
Test the WISP’s security measures
Evaluate and revise the WISP annually
Document potential and actual security breaches and measures taken
3. List organization’s internal risk mitigation procedures:
Distribute WISP to all employees, get written acknowledgement of receipt
Limit access to customer and employee records (by person, location, remote)
Procedures to eliminate access for terminated employees
Password policies
Reporting obligations (suspicious access, requests, uses)
WRITTEN INFORMATION SECURITY PLAN (CONT.)
(Internal risk mitigation, continued)
Clean desk policy
Security breach plan and procedures
Each department must implement its own rules re: safeguarding records within that department
Limit which employees have remote access to systems
Record retention and disposal policies
Physical access restrictions (visitors, badges, etc.)
WRITTEN INFORMATION SECURITY PLAN (CONT.)
4. List company’s external risk mitigation procedures:
Network firewalls
Regular updates to system security software, malware protection, operating system patches, etc.
Procedures to monitor computers and network for unauthorized use of records
Strong authentication procedures
Encryption requirements for records (in transit, at rest, on all devices)
WRITTEN INFORMATION SECURITY PLAN (CONT.)
WISP Worksheet (handout)
Complete what you can now. Take the worksheet back to your office to discuss with others and complete. You may need to meet with representatives from:
Scholarship administration
IT
HR
Accounting/finance
Marketing
EMPLOYEE DEVICE POLICY (“BYOD”)
Security risks are posed by allowing employees to use their own laptops, smartphones or tablets to perform work for the company.
Major risks:
Loss of devices
Insecure devices/networks allowing remote access
Unauthorized parties accessing devices
BYOD POLICIES (CONT.)
Consider requiring remote device management software:
Remote deletion capabilities (lost/stolen device, or after a designated number of incorrect password attempts)
Security software to ensure storage and transmissions are in accordance with the firm’s security standards
Automatic remote backups of the device on a regular basis
BYOD POLICIES (CONT.)
Terms to consider for BYOD policies (tailor for business needs and data):
Limit the type of information that may be accessed from personal devices
Require that certain information be encrypted
Employees must immediately report suspected loss or theft
Prohibit storing the company’s information in cloud storage services other than those provided or approved by the company
Employees must consent to the employer’s access to the device’s data if needed for legal reasons
Consider limiting type of devices employees may use for work
BYOD POLICIES (CONT.)
Potential terms, continued:
Consent to employer monitoring of the device if appropriate
Procedures regarding the employee’s termination
Limitations for using devices on unsecured public wi-fi networks
Prohibit using personal email accounts for work
Requirements regarding the device’s internal security settings and which alterations, if any, may be made
Strong passwords (company policy)
Two factor authentication for company accounts
BYOD POLICIES (CONT.)
Potential terms, continued:
Require implementation of all system updates
If automatic backup is not possible, establish manual backup procedures and frequency
Restrict use of the device by friends and family (or establish a separate walled user log-in for company information)
Other terms as applicable depending on the nature of the data and your company’s needs
Require employees to sign the BYOD policy
Some provide firm-owned devices to employees, giving the company greater control and rights
BYOD POLICIES (CONT.)
BYOD Worksheet (handout)
Complete what you can now. Take the worksheet back to your office to discuss with others and complete. You may need to meet with representatives from:
IT
HR
EMAIL/NETWORK USE POLICY
Limit use of company email to company functions
No emailing confidential data, applications containing PII, etc. unless encrypted
If you receive confidential information via email, delete the message, notify the sender of the company’s policy and require encryption next time
Do not have email forwarded to a non-company account
Require archiving and deletion of email according to company schedule
Company may monitor email and network use at any time and without notice
EMAIL/NETWORK USE POLICY (CONT.)
No use of network to transmit unauthorized files/information
No downloading software unless approved by IT dept.
Outside devices may not connect to company network; recommend a separate guest network
Cloud storage only as approved by IT dept.
Remote connection to network through VPN whenever possible
Other requirements based on the nature of the company and data
EMAIL/NETWORK USE POLICY (CONT.)
Email/Network Use Worksheet (handout)
Complete what you can now. Take the worksheet back to your office to discuss with others and complete. You may need to meet with representatives from:
IT
HR
Administration
Others? (understand unique departmental needs)
PASSWORD POLICY
Require strong passwords on all computers/devices used by employees (company owned or employee owned)
Require new passwords at least every 90 days
Use a company database/system to track changes and require new passwords each time (no repeats)
Complexity requirements – contain at least 4 of the following:
Upper case letters
Lower case letters
Numbers
“Special” characters (e.g. @#$%&)
Punctuation marks
At least 10 (TBD) alphanumeric characters
PASSWORD POLICY (CONT.)
Do NOT use passwords with the following characteristics:
A word found in a dictionary (English or foreign)
Name of family, pets, friends, co-workers, fantasy characters, etc.
The company’s name, a nearby city name or derivation
Computer terms and names, commands, sites, companies, hardware, software
Birthdays and other personal information such as addresses and phone numbers
Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321
Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Any of the above spelled backwards
PASSWORD POLICY (CONT.)
Additional password recommendations:
Always decline the use of the "Remember Password" feature of applications
Use different passwords for company accounts from other non-company access
Use different passwords for various company access needs whenever possible
Do not share company passwords with anyone, including administrative assistants
Passwords should never be written down or stored on-line without encryption
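As an added example (not code from the presentation), the following Python checker enforces the password rules from the three slides above: the 10-character minimum, four of the five character classes, the blocklist of dictionary/name/company words including their digit-affixed and reversed forms, the aaabbb/qwerty/zyxwvuts/123321 patterns, and no repeats against the password history. The blocklist words, the reading of “@#$%&” as the “special” class, and the 24-entry history depth are this example's own assumptions.

```python
import re
import string
from typing import Iterable, List, Optional

MIN_LENGTH = 10      # "At least 10 (TBD) alphanumeric characters"
MIN_CLASSES = 4      # "contain at least 4 of the following" five classes
HISTORY_DEPTH = 24   # assumption: how many previous passwords "no repeats" covers

# Constructed blocklist standing in for a dictionary plus the company-specific
# words the policy names (company name, nearby city, family/pet names, computer
# terms). A real deployment would load full word lists here.
BLOCKLIST = {"secret", "password", "welcome", "denver", "boulder", "acmeco",
             "fluffy", "gandalf", "admin", "oracle", "windows", "january"}
SPECIAL = "@#$%&"                          # the policy's "special" examples
OTHER_PUNCT = "".join(c for c in string.punctuation if c not in SPECIAL)
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             string.ascii_lowercase, string.digits)


def character_classes(pw: str) -> int:
    """Count the policy's five classes present in pw. Treating '@#$%&' as the
    'special' class and all other punctuation as 'punctuation marks' is an
    assumption of this example."""
    return sum((
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIAL for c in pw),
        any(c in OTHER_PUNCT for c in pw),
    ))


def has_pattern(pw: str) -> bool:
    """Keyboard, alphabet or digit runs in either direction (qwerty, zyxwvuts),
    repeated characters (aaabbb) and mirrored digit runs (123321)."""
    low = pw.lower()
    for i in range(len(low) - 3):
        chunk = low[i:i + 4]                       # any 4-character window
        if any(chunk in s or chunk in s[::-1] for s in SEQUENCES):
            return True
    if re.search(r"(.)\1\1", low):                 # three of the same in a row
        return True
    return any(m.group() == m.group()[::-1]        # 123321-style mirror
               for m in re.finditer(r"\d{6,}", low))


def is_blocked_word(pw: str) -> bool:
    """A blocklisted word on its own, with digits or punctuation before/after
    it (secret1, 1secret, Secret123!), or spelled backwards."""
    core = pw.lower().strip(string.digits + string.punctuation + " ")
    return core in BLOCKLIST or core[::-1] in BLOCKLIST


def check_password(pw: str, history: Optional[Iterable[str]] = None) -> List[str]:
    """Return the list of policy violations; an empty list means pw passes.
    history holds the user's previous passwords from the company's tracking
    system (a deployed checker would compare salted hashes, not plaintext)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if is_blocked_word(pw):
        problems.append("based on a dictionary, name or company word")
    if has_pattern(pw):
        problems.append("contains a keyboard, alphabet or number pattern")
    if history is not None and pw in list(history)[-HISTORY_DEPTH:]:
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    for candidate in ("Secret1", "Qwerty123!@#", "Denver2019!!", "Correct#Horse9Battery"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Current NIST guidance (SP 800-63B) recommends blocklist screening but advises against forced periodic rotation and composition rules; the checker keeps the slides' rules so each one can be seen enforced.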
WEBSITE/MOBILE APP PRIVACY POLICY
Essential terms to include:
Data collected (how/when collected)
How the data is used
Under what circumstances data is shared (and with whom)
Avoid over-promising (“we will never share your data”)
Ability for users to modify/delete their PII
Ability to opt out of sharing with third parties, use for marketing, etc.
Notice of material changes
No use inconsistent with original policy unless notice and choice
Disclosures if using cookies/similar tracking technologies
CA required disclosures:
How site responds to browser do-not-track signals
Use of cookies to track users across sites
EU: must disclose use of cookies and obtain consent
Consent to transfer to U.S. if applicable
Effective date (governs all data collected under that policy)
Contact information
WEBSITE/MOBILE APP PRIVACY (CONT.)
FTC enforcement actions – must follow your own privacy policy; no deceptive or unfair practices
Not having reasonable data security has been deemed unfair/deceptive
Enforcement re: failures leading to security breaches
OTHER POLICIES TO CONSIDER
Data Retention Policy
Data Destruction Policy
Remote Access Policy
Backup Policy
Social Media Policy
Many others…
BEFORE A BREACH OCCURS
Limit the type and amount of personal data collected:
Don’t use SSN as identifier
Is DOB really necessary?
Evaluate other identifiers
Employee measures:
Restrict who has access to personal data
Train staff re: how to spot a breach, what to do if a breach is suspected
Monitor data access and use on an ongoing basis. Use software to notify of:
Outside access requests (potential hackers)
Suspicious patterns of use
Unusually large access requests/downloads
Access by unauthorized departments
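The monitoring software described above, as an added example in Python (not from the presentation): it parses constructed access-log lines and raises the four notifications the slide lists. The internal address ranges, the dataset-to-department allowlist, the 500-record download threshold and the 5-requests-in-10-minutes burst rule are assumptions to be tuned to your own environment.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumptions for this example: the company's internal address ranges, which
# departments may read which datasets, and what counts as an unusually large
# download or a burst of requests. Tune all of these to your own environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
AUTHORIZED_DEPTS: Dict[str, set] = {
    "scholarship_applicants": {"scholarship", "finance"},
    "donors": {"development", "finance"},
    "employee_records": {"hr"},
}
LARGE_DOWNLOAD = 500                       # records returned by one request
BURST_LIMIT, BURST_WINDOW = 5, timedelta(minutes=10)

# Constructed sample log (not real data): one data-access event per line.
SAMPLE_LOG = """\
2016-03-14T09:12:44 user=jsmith dept=hr src=10.1.4.22 dataset=employee_records records=12 status=ok
2016-03-14T09:15:02 user=agarcia dept=marketing src=10.1.7.9 dataset=donors records=40 status=ok
2016-03-14T09:20:17 user=svc-report dept=finance src=10.0.0.5 dataset=scholarship_applicants records=20000 status=ok
2016-03-14T02:41:55 user=jsmith dept=hr src=203.0.113.77 dataset=employee_records records=3 status=ok
""" + "".join(
    f"2016-03-14T11:0{i}:00 user=tlee dept=scholarship src=10.1.9.3 "
    f"dataset=scholarship_applicants records=30 status=ok\n" for i in range(6))

Alert = Tuple[str, str, object]            # (alert type, user, detail)


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP key=value ...' into a dict with typed time and count."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    rec["records"] = int(rec["records"])
    return rec


def is_internal(ip: str) -> bool:
    """True when the source address falls inside a company network range."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def detect(log_text: str) -> List[Alert]:
    """Run the four checks from the slide over every event, in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["time"])
    recent: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Alert] = []
    for r in events:
        if not is_internal(r["src"]):              # outside access request
            alerts.append(("outside_access", r["user"], r["src"]))
        if r["records"] >= LARGE_DOWNLOAD:         # unusually large download
            alerts.append(("large_download", r["user"], r["records"]))
        if r["dept"] not in AUTHORIZED_DEPTS.get(r["dataset"], set()):
            alerts.append(("unauthorized_department", r["user"], r["dept"]))
        # suspicious pattern: many requests by one user inside a short window
        window = [t for t in recent[r["user"]] if r["time"] - t <= BURST_WINDOW]
        window.append(r["time"])
        recent[r["user"]] = window
        if len(window) == BURST_LIMIT:             # fire once per burst
            alerts.append(("burst", r["user"], len(window)))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(SAMPLE_LOG):
        print(f"NOTIFY {kind:<24} user={user} detail={detail}")
```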
BEFORE A BREACH OCCURS (CONT.)
Segregate data to limit risks: use separate networks, firewalls, access controls
Encrypt data (eliminates many notification requirements)
Data destruction:
Schedule for destruction; all types of data/formats
Compliance with state laws (shred, erase, make unreadable)
Evaluate cyber liability insurance. Be sure to read exclusions carefully!
CREATE A BREACH PLAN
Draft a Breach Plan including the following:
Company contacts:
Designate an incident response team and the team lead
Other individuals (management, board, IT dept., etc.)
Include all means of contact for all individuals to be notified: cell/home/work phone, multiple email addresses, to be used 24x7
External parties to be notified:
Third parties for whom you process data
Third parties storing/processing your data
Law enforcement if applicable
Criteria to assess which notification laws are triggered
Data forensics specialist to contact for investigation (evaluate several options and enter a contract in advance)
Attorney to assist if a breach occurs
PR firm to manage media coverage if applicable
List of states from which the entity has personal information triggering notification requirements (update frequently)
CREATE A BREACH PLAN (CONT.)
List steps to take immediately:
Document the date and time the breach was discovered
Document everything known about the breach (who discovered/reported, who is aware of it, how it was discovered, any evidence, etc.)
Secure the premises or take other measures to preserve evidence
Assess what data may have been accessed
Analyze backups or reconstructed data sources
Ascertain the number of people who may be impacted and type of information accessed
Take steps to identify specific individuals’ data potentially compromised
Contact data forensics expert
Contact outside breach counsel
Contact PR representative (if media coverage is likely)
BREACHES – IMMEDIATE ACTIONS (CONT.)
Remediation:
If lost device – implement remote deletion (after consultation with data forensics)
If network breach – contain the breach as feasible:
Terminate outside access to the network
Review log files for suspected intrusions/IP addresses
If an identifiable system has been compromised, collect evidence before shutting down the system (pursuant to instructions of data forensics specialist):
Make a list of processes running on the system
Check status of network interface
List all listening ports and active network connections
Make exact copies of compromised system’s hard drive
BREACHES – NOTIFICATION
Legal notification requirements:
State requirements: based on location of the data subject, not the company
Additional requirements for other laws
Tricky issues:
Various definitions of what triggers notification
Carve-outs for encryption in some states
PII triggers vary in different states
Timing: some states require notification within X days; most merely require notice as soon as possible; notification may be delayed if it may interfere with investigation
Additional third party notifications required (vary among states: state attorney general, credit bureaus, etc.)
Content of notification varies among states: some require specific elements, others prohibit certain details
BREACHES – NOTIFICATION (CONT.)
Alternate notice in some cases:
Mail/printed notices typically required
Electronic (email) often allowed if that is the primary means of communication (laws vary)
Publication in media in some states, if substantial number of consumers and unable to reach many via mail or email
If a substantial number, evaluate whether a call center’s services would be helpful
Evaluate whether to obtain credit monitoring or other services for impacted consumers:
If you may want this, negotiate pre-breach for better rates
Most consumers don’t take advantage of this even if offered
YOU CAN’T OUTSOURCE COMPLIANCE
When companies use third party vendors to collect, process, or provide other data management services, the company is responsible for ensuring the vendors maintain security practices in accordance with applicable laws and regulations governing the company’s PII.
Take adequate internal precautions to prevent unauthorized access to data and networks by your vendors.
Before engaging a vendor, be sure it can comply on your behalf.
According to a study published by PwC in Nov. 2013: “Although 71% of companies expressed confidence that their security activities are effective, only 32% require third-parties to comply with their policies.”
SELECTING A PROVIDER – DUE DILIGENCE
When choosing third party service providers who will have access to PII, ask for the following (as applicable):
Require them to complete a vendor compliance questionnaire
Legal compliance documentation
Data security measures (copy of their WISP if possible): network, firewalls, encryption standards, backups, etc. - may potentially include dozens of questions as needed (or more)
Third party audits and certifications
Employee training, background checks, confidentiality policies
Cyber insurance
Location of data centers
Visit their facilities, meet the team
Obtain and check customer references
NEGOTIATING VENDOR CONTRACTS
Key considerations:
Contractually shift responsibility when you trust an outside entity with data
Evaluate whether to include specific/detailed requirements or merely require compliance with “applicable laws and regulations”
NEGOTIATING VENDOR CONTRACTS
Restrictions on vendor access and use of PII:
Specify use parameters - only in the performance of this agreement
List permitted means of access
How data will be transferred to/from vendor, etc.
Timing limitations
NEGOTIATING VENDOR CONTRACTS
Information Security Requirements
Specific IT measures to comply with acceptable industry practices:
Encryption of data (in transit, at rest, web-facing applications)
Firewalls
Network security
Mobile security
Access controls/authentication
Segregation of vendor’s data/systems
Vendor application of latest security patches
Employee background checks/training
Limit physical access to facilities
Other requirements based on applicable laws
Data centers: location requirements needed if processing PII or ePHI to comply with data import/export regulations and local laws
NEGOTIATING VENDOR CONTRACTS
Security Breach Notification and Disclosures
Immediately notify customer of all suspected breaches (specify details)
Procedures vendor must follow in the event of a breach
Investigation details (timing, approved by customer, vendor pays)
What vendor has done/will do to mitigate potential damage, prevent future breaches
Notification to consumer:
Require compliance with various state/industry breach notification laws
Customer approves (or controls) all public communications
Vendor pays costs for notification program, credit monitoring, etc.
NEGOTIATING VENDOR CONTRACTS
Compliance With Laws
Require the vendor to comply with all applicable information security and privacy laws and regulations
Include an additional list if vendor may not be aware of some for your industry
Confidentiality Obligations
Data, results of processing, other relevant business information
Require notification to customer of any subpoenas/other requests by government or third parties for data
Access limitations: “legitimate business need to know”
Survival of obligation of confidentiality post termination
Require the vendor to return, or destroy, all data in the vendor’s possession or control
Compliance with applicable data destruction laws
NEGOTIATING VENDOR CONTRACTS
Service Level Agreements
Uptime guarantees
Error response and remediation timing
Notification before suspension of services
Maintenance windows – late night/early morning
Penalties for noncompliance – credits, termination rights
Reporting – re: SLA compliance
Emergency resource allocation: preferential treatment
NEGOTIATING VENDOR CONTRACTS
Risk Allocation Provisions
Limitation of liability
Indemnification by vendor re: security breach claims/costs
Insurance Requirements
Cyber insurance covering both data loss and data breach response
General commercial liability, other as applicable
Additional insured
NEGOTIATING VENDOR CONTRACTS
Audit and Monitoring Rights
Third party audit of vendor’s IT security practices, inspection of data centers – confirm vendor's infrastructure and security practices via an onsite inspection; customer selects the auditor
Note: be sure you want this; if no corrective actions are taken, you may be deemed negligent
Audit data collected/accessed, other aspects of contract performance
Consider monitoring software
NEGOTIATING VENDOR CONTRACTS
Termination Issues
Include threshold for SLA violations or certain breaches for which no cure is allowed
Post termination obligations: transition assistance; data transfer (customer designates format)
Personnel and Subcontractors
Right to approve key people on the project
Right to prohibit/approve use of any subcontractors
Background check, training, monitoring, other restrictions
Contractual requirements for subcontractors
THANK YOU!
Feel free to contact me with any questions:
Deborah Shinbein, Esq., CIPP/[email protected]
303-997-1325