![Page 1: Workplace Data Breach Challenges: Navigating Notification ...media.straffordpub.com/products/workplace-data-breach-challenges-navigating...Jul 30, 2014 · - HIPAA - FCRA - GLBA -](https://reader033.vdocuments.us/reader033/viewer/2022042323/5f0e031f7e708231d43d2f03/html5/thumbnails/1.jpg)
Workplace Data Breach Challenges:
Navigating Notification Requirements,
Employee Monitoring and BYOD Programs
Structuring Policies to Prevent and Respond to Leaks of Sensitive, Regulated or Proprietary Data
WEDNESDAY, JULY 30, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Presenting a live 90-minute webinar with interactive Q&A

Today’s faculty features:
V. John Ella, Shareholder, Jackson Lewis, Minneapolis
Brent E. Kidwell, Partner, Jenner & Block, Chicago
Joseph J. Lazzarotti, Shareholder, Jackson Lewis, Morristown, N.J.
Disclaimer
This presentation provides general information regarding its subject and
explicitly may not be construed as providing any individualized advice
concerning particular circumstances. Persons needing advice concerning
particular circumstances must consult counsel concerning those
circumstances.
Workplace Data Breach Challenges
• Employee Monitoring, BYOD programs, and
Navigating Notification Requirements.
― Employee Monitoring
V. John Ella
― BYOD Programs
Brent E. Kidwell
― Navigating Notification Requirements
Joseph J. Lazzarotti
Protecting Data
• Trade Secrets
• Personally identifiable information (PII)
• Personal health information (PHI)
• Financial information
• Business plans
• Customer and client data
• Employee data
Steps to Control Access to Employee and Customer/Client Data
• Confidentiality/non-disclosure agreements
• Passwords, encryption, firewalls
• Policies and procedures
• Limited access
• Training
• Monitoring
ALLOWABLE EMPLOYEE MONITORING
Employee Monitoring
• Reasons to monitor
• Avoid harassment claims
• Protect trade secrets
• Detect and dissuade improper behavior
• Ensure productivity
• Not a reason to monitor
• Prurient curiosity
Employee Monitoring
• Requirements to Monitor
• FTC guidance regarding endorsements
• FINRA requirements
• Child pornography reporting requirements
• Electronic discovery
Employee Monitoring
• Types of Monitoring
• Internet use
• Keystroke/keylogging
• Cached files
• Saved passwords on computers
• Video
• Audio
• GPS
• RFID
• Social media
• Physical searches
THINGS TO CONSIDER
“A growing number of companies are under pressure to
protect sensitive data — and not just from hackers lurking
outside the digital walls. They're also looking to protect it
from insiders — employees who may want to swipe
information such as customer bank account numbers or
electronic medical records.”
Source: Shahani, “Software That Sees Employees, Not Outsiders, As The Real Threat,” NPR, All Tech Considered, July 23, 2014
New Monitoring Software
“The content could be personal notes about one's family.
Or it could be company secrets. If the employee copies it
to a USB stick, the software sets off a red alert, grabs
that same file and displays its contents in real-time.”
Source: Shahani, “Software That Sees Employees, Not Outsiders, As The Real Threat,” NPR, All Tech Considered, July 23, 2014
New Monitoring Software
“Managers can't predict when an alleged violation might
happen. SureView lets them rewind to the minutes or
hour before the red alert, and watch like a slow-motion
film. Crouse says the software records four frames per
second and it's very compressed video, but it's very
readable by an investigator.”
Source: Shahani, “Software That Sees Employees, Not Outsiders, As The Real Threat,” NPR, All Tech Considered, July 23, 2014
New Monitoring Software
“Companies currently use software to block an employee
from copying or emailing an unauthorized document. But
according to a study by the research group Gartner, only 5
percent of that software traces every move, looking for
bad actors. By 2018, the study projects, it'll be 80
percent.”
Source: Shahani, “Software That Sees Employees, Not Outsiders, As The Real Threat,” NPR, All Tech Considered, July 23, 2014
Bad Consequences?
“Shannon heads an institute at Carnegie Mellon that
specializes in insider threat technologies. He says failures
in these technologies can create a really toxic workplace.
Say I'm poking around a bunch of files, doing research
above and beyond the call of duty. In the old days, no one
would know, or I'd be called proactive.”
Source: Shahani, “Software That Sees Employees, Not Outsiders, As The Real Threat,” NPR, All Tech Considered, July 23, 2014
Restrictions on Monitoring
• Electronic Communications Privacy Act (ECPA)
• Stored Communications Act (SCA)
• Common law intrusion upon seclusion
• State wiretap acts
• Notice requirements in CT, DE
• Restrictions on disclosure of social media passwords
in 13+ states
Overview of Privacy Law
• Not explicitly in the U.S. Constitution (the Fourth Amendment reaches only searches by the government)
• Almost all states have a common law tort for “invasion of privacy”
• Some states (e.g., California and Montana) have an explicit state constitutional right to privacy
Overview of Privacy Law
• Federal statutes are often industry-
specific (financial, medical, etc.)
• State legislatures are very busy passing
new privacy statutes
• International law differs
• Technology is challenging all of these
established legal structures
Common Law Privacy
The Restatement, Second, of Torts, Section 652A sets
forth four types of common law invasion of privacy:
• Unreasonable intrusion upon the
seclusion of another;
• Appropriation of the other’s name or
likeness;
• Publication of private facts; and
• Publicity that unreasonably places the
other in a false light before the public.
Electronic Monitoring
• Monitoring work email = usually o.k.
• Using work computer to obtain employee’s
password to personal, cloud-based email account =
usually not o.k.
Employee Monitoring Cases
• Rene v. G.F. Fishers, Inc., 817 F.Supp.2d 1090 (S.D. Ind. 2011)
• Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010)
• Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 759 F.Supp.2d 417 (S.D.N.Y. 2010)
Monitoring – Preventive Steps
• Develop a specific, written policy:
• Establish information systems are the
property of the employer
• Reserve the right to monitor
• Prohibit inappropriate use
• Include penalties for policy violations
Monitoring – Preventive Steps
• Train/educate employees and others
• Keep the monitoring work-related
• Permit reasonable personal use
• Consider additional steps – desktop
statement, posting in common area,
written consent/acknowledgement
Employee Monitoring Issues
Courts will be more inclined to
rule in favor of the employer if:
• Employer owns the “system”
(computer, e-mail, etc.)
• Employee voluntarily uses an
employer’s network
• Employee has consented to be
monitored (usually based in
written personnel policy)
Vendor Agreements
• More than trade secrets and confidential business
information
• Similar to business associate agreement under
HIPAA
• Protects company in case of data breach
Workplace Information Risk (diagram: four functional quadrants around a central list of risk areas)

Legal / Compliance
- HIPAA
- FCRA
- GLBA
- State law
- Litigation
- International

H.R.
- Information about employees
  * Hiring
  * Testing
  * Monitoring
  * Record retention
- Ensuring compliance by employees

I.T.
- Passwords
- Data security
- Firewalls
- Technology

Central list of risk areas
- Smart phones
- Social media
- Monitoring
- BYOD
- E-commerce
- Vendors
- Customers
- COPPA
- Data breach
- Confidentiality
- Trade secrets
- Policies
- Agreements
Policies
• Electronic communications
• Nondisclosure/confidentiality
• Privacy/Monitoring (notice)
• Sexual harassment
• Social media
• Bring your own device
• Drug testing
• Written information security policy
• Data destruction
• Business associate agreements
• Vendor agreements
BYOD PROGRAMS
Personal Business
“The practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes.”
80% of employees use personal devices for business, but only 53% of organizations officially support BYOD.
Scope of BYOD Expanding
Smartphones
Tablets
Laptops
Why BYOD – Perceived Benefits
Individuals
• Choice of devices - flexibility
• Single device for business and personal use
• Modern and “hip” to select own device (particularly important to millennial workforce)
• Enables “cutting-edge” technology
Business
• Reduced hardware and support costs
• Increased employee satisfaction
• Increased productivity
• Increased innovation
• Shifting management and responsibility to employees
Key Legal/Risk Management Issues
• Data Loss, Security and Incident
Response
• Legal/E-discovery
• Internal Investigations
Data Security/Incident Response
• Securing devices (encryption, passwords, etc.)
• Mobile Device Management solutions (MDM)
• Procedures for addressing lost or stolen devices
• Procedures for responding to data loss or breach
• Defining scope of data to be stored on devices, e.g.:
• Allowed to store PHI on device?
• Allowed to store PCI data on device?
• Sandboxing data
• Virtualization
• E.g., Good Technology MDM
iOS 8
Internal Investigations
• Business access to data, even if “personal”
• Where to draw the line
• E.g., personal vs. business phone calls and voicemail
• Monitor user activity on devices
• Location or travel monitoring
• Web browsing activities
• Text messages (which don’t pass through corporate
network)
• Define “personal” vs. “business” use
• Define permissible use by policy
City of Ontario, California v. Quon
• Police officer using a department-supplied pager allegedly sends inappropriate messages to another officer
• Department reviews messages on pager
• City had a general "Computer Usage, Internet and E-mail Policy" that stated that "[t]he City of Ontario reserves the right to monitor and log all network activity including e-mail and Internet use, with or without notice," and that "[u]sers should have no expectation of privacy or confidentiality when using these resources."
• Supreme Court held that the City’s search of the pager was reasonable, and assumed, but did not decide, that the employee had a reasonable expectation of privacy in personal messages
• Fourth Amendment search and seizure case (government employer), but still instructive regarding workplace privacy issues
• United States Supreme Court, 560 U.S. 746 (2010)
Legal/E-discovery
• Data preservation process (a/k/a legal hold)
• Data collection
• Segregation of personal vs. business data
• Preservation of data – new device or termination
• Requires ACCESS and CONTROL of devices (policy is key)
• Requires procedures and tools to preserve, collect and access
data
Source: http://www.mobileiron.com/en/infographic/trustgap
Risk Management Strategies
• Ignore the risk
• Limit BYOD by data type, device, employee, etc. to contain risk
• Implement technology security controls (e.g., MDM)
• Prohibit BYOD
Possible Elements of a BYOD Policy
• Define who may participate
• Delineate economic issues (reimbursement, etc.)
• Specify device options and minimum requirements
• Allocate responsibility for loss or theft
• Allocate rights and data permissions
• Specify location where data is stored (e.g., local, cloud, etc.)
• Define acceptable use
• List permissible applications
• Allocate responsibility for support
• Specify company ability to monitor activities – expectation of privacy
• Handling data preservation
• Handling employee terminations – remote wiping
Other Potentially Relevant Enterprise Policies
• Acceptable Use Policies
• Employee Conduct
• Remote Access/Remote Working
• Privacy Policy
• Special Data Policies (HIPAA, etc.)
• General Security Policies
• Incident Response
Key BYOD Risk Management Tips
• Develop and implement a BYOD policy
• Enforce and audit compliance with your
BYOD policy
• Know WHAT data resides on BYOD devices
• Know WHERE data resides on BYOD devices (or
related locations)
• Implement technology to assist in device (and
people!) management
Key Drivers of Breach Notification Laws Continue
• Huge Breaches – Target, eBay, Dept. of Energy, the ones not
reported
• Identity Theft Tops 2013 FTC Consumer Complaint List
• 14th Year in a row
• Consumers lost $1.6 billion to fraud in 2013
• Most complaints: Age 20-29
• Most familiar with technology and most at risk
• Technology Outpacing Law
NAVIGATING NOTIFICATION REQUIREMENTS
What Data Privacy and Security Laws Affect Your Company
• There is currently no broadly applicable federal law in the U.S.; the approach is piecemeal:
• HIPAA, GLBA, FCRA, ECPA, SCA, CFAA, ADA/GINA/FMLA, FISMA, COPPA, FERPA…
• States generally have one or more of the following:
• Affirmative obligations to safeguard (e.g., CA, CT, IL (biometric information), MA, MI, TX, others)
• Data breach notification (47 states plus some cities)
• Various Social Security number protections
• Data destruction requirements
What Is a Data Breach?
• Unauthorized use of, or access to, records or data containing personal information
― Personal Information (PI) typically includes first name (or first initial) and last name in combination with one or more of:
― Social Security number
― Driver’s license or state identification number
― Account number or credit or debit card number, in combination with any required access or security code
― Biometric information (e.g., NC, NE, IA, WI)
― Medical information (e.g., HIPAA, AR, CA, DE, MO, TX, VA)
― Username or e-mail address with a password, or security question and answer, that permits access to an online account (CA and FL)
― Broader view taken by FTC – email address, phone numbers, etc.
― PI typically maintained about? Employees…Customers…Vendors
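As an added example (not part of the original slides), the following Python sketch encodes the combinatorial PI definition above as a breach-scoping check: given the data elements exposed in an incident and the states of the affected residents, it reports which element combinations meet the slide's working definition in each state. The state lists are transcribed from the slide as written in 2014 and are illustrative only, not a survey of current law. My assumptions, beyond the slide text: the CA/FL online-credential category is treated as standing on its own without a name element, `pin` is included among account secrets, and the column names and the lost-laptop scenario are constructed.

```python
"""Breach-scoping check for the "personal information" (PI) definition
summarized on the slide above.

Added example, not from the original deck. Element lists are transcribed
from the slide (2014) and are illustrative only; verify every state mapping
against the current statute before relying on it.
"""
from dataclasses import dataclass

# Elements that are PI only when paired with first name/initial + last name.
GOVERNMENT_IDS = {"ssn", "drivers_license", "state_id"}

# Account or card numbers count only together with a code permitting use.
ACCOUNT_NUMBERS = {"account_number", "credit_card_number", "debit_card_number"}
ACCOUNT_SECRETS = {"access_code", "security_code", "pin"}  # "pin" is an assumption

# State-specific additions, as listed on the slide (illustrative, 2014).
BIOMETRIC_STATES = {"NC", "NE", "IA", "WI"}
MEDICAL_STATES = {"AR", "CA", "DE", "MO", "TX", "VA"}
# Assumption: username/e-mail + password (or security Q&A) is PI on its own
# in CA and FL, with no name element required.
CREDENTIAL_STATES = {"CA", "FL"}


@dataclass(frozen=True)
class Assessment:
    state: str
    triggered: bool
    reasons: tuple


def has_name(elements):
    """Slide rule: first name (or first initial) AND last name."""
    return "last_name" in elements and bool({"first_name", "first_initial"} & elements)


def pi_triggers(exposed, state):
    """Evaluate one state's PI definition against the exposed element set."""
    exposed = {e.lower() for e in exposed}
    state = state.upper()
    reasons = []
    if has_name(exposed):
        if GOVERNMENT_IDS & exposed:
            reasons.append("name + government identifier")
        # A bare card number without its access/security code does not count.
        if ACCOUNT_NUMBERS & exposed and ACCOUNT_SECRETS & exposed:
            reasons.append("name + account/card number + access code")
        if "biometric" in exposed and state in BIOMETRIC_STATES:
            reasons.append("name + biometric information")
        if "medical" in exposed and state in MEDICAL_STATES:
            reasons.append("name + medical information")
    if (state in CREDENTIAL_STATES
            and {"username", "email"} & exposed
            and {"password", "security_qa"} & exposed):
        reasons.append("online credentials (no name element required)")
    return Assessment(state, bool(reasons), tuple(reasons))


def assess_incident(exposed, states):
    """Run the check once per state that has affected residents."""
    return {s.upper(): pi_triggers(exposed, s) for s in states}


def sample_incident():
    """Constructed scenario (not a real incident): a lost laptop held a
    patient-portal export with these columns, covering residents of CA, MI and FL."""
    columns = ["first_name", "last_name", "email", "password", "medical"]
    return assess_incident(columns, ["CA", "MI", "FL"])


if __name__ == "__main__":
    for state, a in sample_incident().items():
        status = "matches PI definition" if a.triggered else "no match on slide definition"
        print(f"{state}: {status} {list(a.reasons)}")
```

In the constructed scenario the same record set matches in California on two independent grounds (medical information, online credentials), in Florida on credentials alone, and not at all in Michigan under the elements the slide lists. A "no match" result only means the transcribed element list did not fire for that state; it is the starting point for the statute review and risk-of-harm analysis the later slides describe, not a conclusion that no notice duty exists.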
Handling Data Breaches
• How does a “Data Breach” occur?
• The lost laptop/bag
• Inadvertent access
• Data inadvertently put in the “garbage”
• Theft/intentional acts, hacking, phishing attacks, other intrusions
• Inadvertent email attachment(s)
• Stressed software applications
• Rogue employees
• Remote access
• Wireless networks
• Peer to peer networks
• Vendors
Handling Data Breaches
• 3 Critical Phases
• Discovery
• Notification and response process (if needed)
• Review and evaluate to avoid future incidents
54
![Page 55: Workplace Data Breach Challenges: Navigating Notification ...media.straffordpub.com/products/workplace-data-breach-challenges-navigating...Jul 30, 2014 · - HIPAA - FCRA - GLBA -](https://reader033.vdocuments.us/reader033/viewer/2022042323/5f0e031f7e708231d43d2f03/html5/thumbnails/55.jpg)
Handling Data Breaches
• Discovery: stop the bleeding…first steps
• Dust off your breach response plan – hopefully you have one
• Immediately alert data breach response team, counsel, and
insurance carrier, if applicable
• Take steps to secure information systems, including any and all files
containing customer, employee and other individuals' personal
information that may be at risk
• Coordinate with law enforcement, as needed
• Identify key person to monitor and drive team progress
• Involve top management, public relations
• Make preliminary assessments and consider preliminary actions,
notices
• Consider implementing litigation hold
55
![Page 56: Workplace Data Breach Challenges: Navigating Notification ...media.straffordpub.com/products/workplace-data-breach-challenges-navigating...Jul 30, 2014 · - HIPAA - FCRA - GLBA -](https://reader033.vdocuments.us/reader033/viewer/2022042323/5f0e031f7e708231d43d2f03/html5/thumbnails/56.jpg)
Handling Data Breaches
• Discovery: did a breach occur?
• Review applicable federal, state and local laws
• FTC/HIPAA/SEC considerations
• Risk of harm trigger…e.g., in Michigan – no notification if “the security
breach has not or is not likely to cause substantial loss or injury to, or
result in identity theft with respect to, 1 or more residents of this state”
• Police investigation/consultation
• Consider whether immediate federal and/or state notification
required/recommended
• Conservative vs. aggressive approach
• Breach involves “risk of harm” states and “non-risk of harm” states
• Notify individuals, but not state agencies
56
![Page 57: Workplace Data Breach Challenges: Navigating Notification ...media.straffordpub.com/products/workplace-data-breach-challenges-navigating...Jul 30, 2014 · - HIPAA - FCRA - GLBA -](https://reader033.vdocuments.us/reader033/viewer/2022042323/5f0e031f7e708231d43d2f03/html5/thumbnails/57.jpg)
Handling Data Breaches
• Notification and response
• Who must be notified?
• Individuals, children
• Government agency notifications (State Police, AG, HHS, etc.)
• Owners
• Credit reporting agencies
• State-wide media
• What should notice say/who approves?
• Some states require information such as – (i) description of breach in
general terms, (ii) types of personal information involved, (iii) what is
being done to protect data from further security breaches, (iv)
telephone number for notice recipient to obtain assistance, information,
and (v) reminder of the need to remain vigilant for incidents of fraud
and identity theft.
57
![Page 58: Workplace Data Breach Challenges: Navigating Notification ...media.straffordpub.com/products/workplace-data-breach-challenges-navigating...Jul 30, 2014 · - HIPAA - FCRA - GLBA -](https://reader033.vdocuments.us/reader033/viewer/2022042323/5f0e031f7e708231d43d2f03/html5/thumbnails/58.jpg)
Handling Data Breaches
• Notification and response
• When to deliver
• Without unreasonable delay
• Some states permit delay (i) for a law enforcement investigation,
and (ii) as necessary to determine the scope of the security
breach and restore the reasonable integrity of the database.
• How to deliver
• Writing
• Electronic
• Telephone
• Credit monitoring services
• Optional, consider when appropriate
• Describe in initial letter
58
![Page 59: Workplace Data Breach Challenges: Navigating Notification ...media.straffordpub.com/products/workplace-data-breach-challenges-navigating...Jul 30, 2014 · - HIPAA - FCRA - GLBA -](https://reader033.vdocuments.us/reader033/viewer/2022042323/5f0e031f7e708231d43d2f03/html5/thumbnails/59.jpg)
Handling Data Breaches
• Notification and response
• Call center/script
• Internal/external
• Escalation process
• Returned mail
• Substitute notice provisions
• Coordinate with vendors
• Review service agreements carefully
• Services agreement should include data security provisions
• Responding to inquiries
• Affected individuals
• Governmental agencies
• Media
• Document, document, document
59
![Page 60: Workplace Data Breach Challenges: Navigating Notification ...media.straffordpub.com/products/workplace-data-breach-challenges-navigating...Jul 30, 2014 · - HIPAA - FCRA - GLBA -](https://reader033.vdocuments.us/reader033/viewer/2022042323/5f0e031f7e708231d43d2f03/html5/thumbnails/60.jpg)
Handling Data Breaches
• Review and assess
• Why did the breach occur?
• Amend and implement updated policies and
procedures as appropriate, such as training
• Document post-breach considerations and remedial
steps taken, if any.
• Document why a breach was not reported (see, e.g., FL,
HIPAA)
60
![Page 61: Workplace Data Breach Challenges: Navigating Notification ...media.straffordpub.com/products/workplace-data-breach-challenges-navigating...Jul 30, 2014 · - HIPAA - FCRA - GLBA -](https://reader033.vdocuments.us/reader033/viewer/2022042323/5f0e031f7e708231d43d2f03/html5/thumbnails/61.jpg)
Other Key Features
• Private Cause of Action
― Some states permit – AK, CA, LA, MD, MN, NH, NC, SC, TN, VA, WA
• Some states publish notices
― Maryland - http://www.oag.state.md.us/idtheft/breacheNotices.htm
― New Hampshire - http://www.doj.nh.gov/consumer/security-breaches/index.htm
• Risk of Harm Trigger
― Examples: AK, AZ, AR, CO, CT, DE, FL, HI, ID, IN, IA, KS, KY, LA, MD, MI, MS, MO, MT, NH, NJ, NC, OH, OK, OR, PA, PR, RI, SC, UT, VA, WV, WI.
61
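The "name in combination with" rule on slide 52 and the state lists on this slide are easy to misread when triaging an incident (e.g., a biometric element only counts in the listed states, and an account number without its access code does not count at all). The following Python helper, an added example and not part of the webinar materials, encodes those rules as a first-pass classifier: given the field names exposed in a record set and the states of residence of the affected people, it reports whether the deck's PI definition is met, which elements qualify in which states, and which of the affected states this deck lists as risk-of-harm or private-cause-of-action states. The field names (`ssn`, `biometric`, `security_code`, `email`, and so on) are assumptions made for the example, and the element scopes and state lists are transcribed from slides 52 and 61 as of July 2014 for illustration only; they are not a statement of any state's current law.

```python
"""Breach triage helper built from the PI definition on slide 52 and the
state lists on slide 61 of the July 2014 deck.

Added example; not part of the webinar materials.  Element scopes and state
lists are transcribed from the slides for illustration and are not a
statement of current law.  Field names are assumed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Data elements the deck treats as PI when combined with a name (slide 52).
# Value: the states in which the element counts, or None for every state.
PI_ELEMENTS: Dict[str, Optional[Set[str]]] = {
    "ssn": None,
    "drivers_license": None,
    "state_id": None,
    "account_number": None,  # counts only together with an access/security code
    "biometric": {"NC", "NE", "IA", "WI"},
    "medical": {"AR", "CA", "DE", "MO", "TX", "VA"},
    "online_credentials": {"CA", "FL"},  # username/e-mail + password or security Q&A
}

# States the deck lists as having a risk-of-harm trigger (slide 61).
RISK_OF_HARM_STATES = {
    "AK", "AZ", "AR", "CO", "CT", "DE", "FL", "HI", "ID", "IN", "IA", "KS",
    "KY", "LA", "MD", "MI", "MS", "MO", "MT", "NH", "NJ", "NC", "OH", "OK",
    "OR", "PA", "PR", "RI", "SC", "UT", "VA", "WV", "WI",
}

# States the deck lists as permitting a private cause of action (slide 61).
PRIVATE_ACTION_STATES = {
    "AK", "CA", "LA", "MD", "MN", "NH", "NC", "SC", "TN", "VA", "WA",
}


@dataclass
class Triage:
    is_pi: bool
    qualifying: Dict[str, Set[str]] = field(default_factory=dict)  # element -> states
    pi_states: Set[str] = field(default_factory=set)
    risk_of_harm_states: Set[str] = field(default_factory=set)
    non_risk_of_harm_states: Set[str] = field(default_factory=set)
    private_action_states: Set[str] = field(default_factory=set)
    ftc_broad_view: bool = False  # bare contact data the FTC may still treat as PI


def has_name(fields: Set[str]) -> bool:
    """Slide 52: first name (or first initial) together with last name."""
    return "last_name" in fields and bool({"first_name", "first_initial"} & fields)


def triage(fields: Set[str], resident_states: Set[str]) -> Triage:
    """Classify an exposed record set against the slide-52 PI definition.

    fields: names of the data fields exposed for every affected record
    resident_states: states of residence of the affected individuals
    """
    result = Triage(is_pi=False)
    # The FTC takes a broader view than the state statutes (slide 52):
    # flag exposed e-mail addresses / phone numbers separately.
    result.ftc_broad_view = bool({"email", "phone"} & fields)
    if not has_name(fields):
        return result  # no name combination, so no PI under the deck's definition
    for element, scope in PI_ELEMENTS.items():
        if element not in fields:
            continue
        if element == "account_number" and "security_code" not in fields:
            continue  # account number without access/security code does not qualify
        states = resident_states if scope is None else resident_states & scope
        if states:
            result.qualifying[element] = states
            result.pi_states |= states
    result.is_pi = bool(result.qualifying)
    result.risk_of_harm_states = result.pi_states & RISK_OF_HARM_STATES
    result.non_risk_of_harm_states = result.pi_states - RISK_OF_HARM_STATES
    result.private_action_states = result.pi_states & PRIVATE_ACTION_STATES
    return result


if __name__ == "__main__":
    # Constructed scenario: an HR export with names and SSNs for MN and MI residents.
    print(triage({"first_name", "last_name", "ssn"}, {"MN", "MI"}))
```

In the constructed scenario the SSN element qualifies in both states, MI shows up as a risk-of-harm state (so the Michigan "substantial loss or injury" analysis on slide 56 applies there) while MN does not, and MN is flagged for a private cause of action. The helper is a triage aid only; the conservative-versus-aggressive decision on slide 56 still belongs to counsel.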
![Page 62: Workplace Data Breach Challenges: Navigating Notification ...media.straffordpub.com/products/workplace-data-breach-challenges-navigating...Jul 30, 2014 · - HIPAA - FCRA - GLBA -](https://reader033.vdocuments.us/reader033/viewer/2022042323/5f0e031f7e708231d43d2f03/html5/thumbnails/62.jpg)
Take-aways!
• Take reasonable steps to prevent breaches
– develop and implement a written
information security program
• Have a data breach response plan
• Educate employees about the plan,
practice the plan, follow the plan
• Be transparent, credible, responsive
62
![Page 63: Workplace Data Breach Challenges: Navigating Notification ...media.straffordpub.com/products/workplace-data-breach-challenges-navigating...Jul 30, 2014 · - HIPAA - FCRA - GLBA -](https://reader033.vdocuments.us/reader033/viewer/2022042323/5f0e031f7e708231d43d2f03/html5/thumbnails/63.jpg)
• V. John Ella, Jackson Lewis, [email protected]
• Brent E. Kidwell, Jenner & Block, [email protected]
• Joseph J. Lazzarotti, Jackson Lewis, [email protected]
63