
Magazine Feature

PRIVACY: DATA SECURITY BREACHES • A roundtable DISCUSSION

ADVERTISING SECTION

DATA SECURITY: Managing the risk

Data security continues to be a hot topic for general counsel and privacy officers. Breaches have not abated; organized computer crime makes front-page news. The legal framework continues to grow, both from state regulators, Attorneys General, the FTC and the EU. We’ve asked three top experts in the field for their assistance in laying out what to do. They are Charlene Brownlee, a partner with Davis Wright Tremaine in Seattle; Ruth Boardman, a partner with Bird & Bird in London; and Michelle Dennedy, chief data strategy and privacy officer at Sun Microsystems in Mountain View. This is an abridged transcript of a live event held Sept. 26, 2008, in San Francisco, moderated by freelance legal affairs writer Susan Kostal, and reported for Jan Brown & Associates by Valerie E. Jensen.

Photo by: Jason Doiy

MODERATOR: Charlene, I want to start with you this morning. Give us a sense of the continued importance of privacy and data security. I have the distinct feeling, since we did our last panel, that there’s even more heat, light and focus on the issue.

BROWNLEE: I would agree 100 percent. In terms of statistics, 2008 is half over, and we’ve already had the same number of security breaches as for the entire year 2007. Why are we seeing higher statistics? More than 44 states require notification of data breaches resulting in the disclosure of personally identifiable information (such as Social Security numbers, drivers’ license numbers and financial information). The majority of information is digital, processed and stored electronically, and often on portable media. The No. 1 cause of data breaches is negligence. Some 50 percent of data breaches are caused by employees leaving laptops at home or in their cars, and there’s a break-in. Only 4 percent of data breaches are caused by hackers, which tells us that, as counsel and as privacy officers and IT professionals, we can do more to bring those numbers down.

MODERATOR: Let’s go into the growing legal framework that governs privacy.

DENNEDY: The word “framework” is critical here. When you approach this as a global entity—and we do business in more than 140 countries around the world—there is no such thing as localized data, if you’re using any sort of system that interfaces with the Web. As you review the framework, start by asking where the data is, from an IT perspective. Who is managing it, leading it, and paying for it? Then look to the various jurisdictions that cover those interactions and come up with a framework that includes laws like PIPEDA, the EU Directive and all of its member states, what’s going on in Asia, Korea, Argentina. Look at the map, and that’s your framework. If it sounds overwhelming, it is. You can get very geeky on this very quickly. But there is hope. A risk-based approach, rather than a black-and-white, find-the-answers approach, will cover you 80 percent of the time.

BOARDMAN: The EU has had data privacy legislation since before the 1995 Directive. But when we’re talking about security breach notification, we’re playing catch-up. Although we have general security principles in the EU, we don’t yet have a breach notification law. But that is coming. We have two main data privacy directives in the EU: one general, and one specific to the communications sector. The communications sector directive is being rewritten, as we speak. One of the changes being made to it is to introduce breach notification requirements. That will then have to be transposed into the law of each member state. In the UK, our regulator has been given increased powers following an enormous data breach by Revenue and Customs. Also recently, Nationwide Building Society lost a laptop, and the society was fined 1 million pounds because it didn’t have appropriate procedures in place to know what to do in such situations. They waited three weeks deciding what to do.

BROWNLEE: In the absence of federal legislation, in the U.S. you must take a state-by-state approach. Are people familiar with the Nevada encryption legislation that went into effect Oct. 1?

DENNEDY: You’re about to be depressed.

BROWNLEE: In addition to the new Nevada law, which requires encryption during transmission, Massachusetts has just adopted regulations that require encryption before and after transmission. In addition to a state-by-state approach, you also need an industry/sector analysis. Health care information, for example, is covered under HIPAA. The financial sector is covered by Gramm-Leach-Bliley, and now, as of November, the red flag rules pursuant to FACTA. The only federal legislation that deals directly with the collection of information online is the Children’s Online Privacy Protection Act, COPPA. There’s no other generally applicable federal legislation for consumer transactions over the Internet. But the FTC has been increasingly aggressive about regulating companies that fail to live up to their posted privacy policies. In 2006, the FTC established a Division of Privacy and Identity Protection, which is specifically targeted to investigate data breaches. As of March 2008, the FTC had brought more than 20 cases against businesses for failure to maintain reasonable security measures. If you are subject to an investigation and settle, usually there will be a fine, and a requirement to conduct independent audits, sometimes for as long as 20 years. One of the biggest cases to date involved ChoicePoint. They were assessed $10 million in fines, had to allow $5 million for consumer redress, and agreed to be audited for 20 years.

DENNEDY: We are a big provider for companies in the financial services sector, so many of our customers are impacted by the November 1 FACTA deadline. That regulation points out the synergy between privacy rules and data transfer regulations, which until two years ago could be managed fairly well by notice and consent. That was really where the locus of control and focus and meeting most of these regulatory issues came in. What FACTA presents and what the financial services sector is going through right now, what HIPAA has foreshadowed, is that the growing framework, on both a federal level and internationally, is about to get much more specific about what companies, tactically, must do to get out of either a negligence theory or a statutory theory for data losses.

It’s also important to understand server-based computing. Today’s buzzword is “the cloud.” Everything is “in the cloud.” Nothing is in the cloud but rain, folks. It’s all on a server somewhere, and that server has jurisdiction stuck all over it. It is physically located somewhere. You have to be aware of where your data is and make sure that your clients know where their data is so that you can provide appropriate legal advice. You may be missing jurisdictions you haven’t even thought of. Who is the account customer base, the employees? Where are they coming from? Are they working from home? Where is the data going to and in what format? Is it encrypted? Has it been severed from any sort of personal information so it cannot be reconstituted? You must know the answers to these questions. Lawyers are being increasingly dragged into IT and HR, and other areas you may not have traditionally considered in your area of practice.

Be aware of the technological realities, the people, the processes and the technology synergy, so when you’re crafting your legal memoranda about all these new rules, regulations, cases and fines, you are giving people like me something I can consume.

BROWNLEE: The FTC’s position is clear: “Companies that collect sensitive consumer information have a responsibility to keep it secure.” And that responsibility to implement appropriate IT securities and safeguards is also a requirement of approximately half of the 44 state data breach notification laws. So, from a corporate perspective, it is not a gray area. It is clear that companies must deploy appropriate physical safeguards. A company would be well served by looking at the obligations that are imposed upon financial institutions and adopt a similar data breach notification strategy. When these breaches occur, you need a methodical plan, so you are not acting in crisis mode.

MODERATOR: It seems redundant at this point to use the word “global,” but tell us about the concerns inherent in data transfer and outsourcing.

BOARDMAN: Movements of data outside the EU are prohibited. So emailing and transferring data to a server outside the EU—even traveling with a laptop outside the EU—engages the prohibition. The only countries that you can transfer data to from the EU are ones that have been approved by the European Commission and, so far, that list is limited to Argentina, Switzerland, certain Canadian organizations covered by PIPEDA, the Isle of Man, Jersey, and Guernsey. So it’s a fairly small list.

There are four main methods to deal with this. If data is being transferred from the EU to an organization in the US that participates in the Safe Harbor scheme, that data transfer is fine. From an EU perspective, Safe Harbor is very easy for organizations to deal with. A second option is freely given consent. That sounds good, but it’s hard to do in practice, especially in the employment context. In many countries in the EU, you have to get a permit from the data protection authority to export the data, and you have to explain the basis on which you’re asking for the permit. In some countries, if you say, “This is employee data, but we’ve got consent,” as a matter of principle, the data protection authority will reject your application, because they’ve taken a paternalistic view toward employees.

The other alternative is to use European Commission-approved contract clauses. These are data export contracts that oblige the importing organization to offer EU protection for data. The idea is great, but they can be bureaucratic. The clauses require registration in about 18 out of the 27 member states, which is a time-consuming process. The other problem is that you have to complete an annex describing what you’re doing. And with my clients, I’ve found that you complete that and then a year or two years later, the client will do something different; they’ll want to implement a different HR system, and then you have to redo the clauses. The last alternative is to adopt “binding corporate rules.” The idea behind these is that you embed data privacy in the organization’s culture. So, for example, with employee data, you might develop a workforce data privacy policy. If you can show that that is binding and really enforceable within the organization, then you can take these rules and procedures to EU data protection authorities and get them approved, which then allows you to transfer data freely within the organization, without additional consent, or registering standard contract clauses. You have to keep the data protection authorities up to date if new members of the group come on board or if you change your processing significantly, but it should be a much-lighter-touch approach than the registration process.

BROWNLEE: Binding corporate rules (BCRs) are a bit controversial, because they’re very expensive to develop and implement, and they only protect the flow of data among those corporate entities. For example, BCRs do not address the flow of information from an EU member state to a country that is deemed to have inadequate safeguards. So it’s not a one-stop-shopping solution; you still have to layer BCRs with other privacy mechanisms, such as Safe Harbor certification.

BOARDMAN: You make several good points. It is a pioneering effort. It started in 2003, and by 2005, we only had one application that had been authorized. But there’s a real sense that it’s starting to become more manageable. The reason for the initial cost is you need to go and negotiate with the protection authorities, many of which have little expertise or familiarity with how organizations work. But we’re starting to see a critical mass of applications come through.

My clients have been able to leverage existing privacy policies and procedures. And in some instances, once there is a UK authorization, other data protection authorities are happy with that, and granted authorization on that basis alone. The advantage is once you have a BCR, there are fewer bureaucratic restrictions to them. If you have data that is going from the EU to a U.S. entity, which will then be transferred to a third party in the U.S., you would need separate contract terms to deal with that. But you would, in any event, under EU commission clauses or Safe Harbor.

MODERATOR: So how do companies best mitigate the risk?

BROWNLEE: Let’s use, as an example, the lawsuit filed against Accenture in 2007. The Connecticut Attorney General hired Accenture to transfer some taxpayer and other personally identifiable information into a PeopleSoft database. A backup tape containing the information was stolen. The state had a contract with Accenture that included provisions requiring Accenture to employ reasonable safeguards. Accenture was subject to a negligence claim, and also breach of contract. The takeaway here is that you must have a written agreement with all third parties transferring or processing your data, whether an information destruction/storage vendor or an electronic discovery provider. The agreement should provide that the vendor retains ownership/control at all times, does not subcontract without your permission, uses reasonable safeguards, and agrees to indemnify you in the event of a data breach.

Your agreement should include a clause requiring your vendor to allow you to have a third party come in and audit your service provider’s information systems and ensure that your service provider notifies you within a very short period of time if there is any sort of breach or suspected breach.

DENNEDY: My favorite phrase in contract negotiations is “from time to time.” Every now and again we get this clause in an outsourcing context or some context that is a data-intensive relationship. It will say, “reasonable security as may change from time to time.” “Reasonable” five years ago did not include comprehensive encryption. “Reasonable” five years ago did not require background checks for every single worker in every single facility. That clause is going to screw you later. The most important element of mitigating legal risk in the contracting context is to really understand the deal. You need to really understand the scope and the shape and the possibility of data transfer, either from individual contractors that come in, or people who are able to somehow carry your data out. Really do your homework. As a lawyer, you need to become a much bigger player in the decision-making process. In the statement of work, you need to understand what kind of information needs to be transferred from organization to organization and to various downstream processing, and in what context. You have to be very careful in the indemnity section. It plays both ways. Auditing is one of the hottest negotiation topics right now because, inherently, by having a third-party auditor in my data center, I am compromising the security of my other customers or I’m possibly exposing them to third-party distribution, under law, by allowing them in. In laying out the deal, look at what people really need access to the data, not based on any hierarchy or organization chart, but by what role they really perform.

BOARDMAN: I would completely agree with everything that Michelle and Charlene have said about risk, and would add two additional points. One is there are specific obligations in the EU when you appoint the kind of third party that Charlene mentioned; in EU terms, this agent is called a processor. But if you do due diligence and take the approach that’s been described, then you will do what is required in the EU. The other point to note is that in the EU, under the Data Protection Directive, if you are the organization that controls the data, you’re responsible for it. When you appoint a third party to hold the information or to do anything with the information on your behalf, then you are responsible for what that third party does. So, if there is a security breach, then you are still on the hook to individuals, even though it might be the third party who was responsible. Again, there are a couple of nice examples of this in the UK involving lost laptops that weren’t encrypted. In each case, it was the client organization that ended up on the receiving end of an enforcement notice from the Information Commissioner, which required the client to roll out encryption and caused the organization and contractor to report back on a regular basis to the commissioner. So I reinforce the point that having appropriate contract terms is vital. You want to be checking your contract and looking at that indemnity.

BROWNLEE: There are four practical ways to mitigate or prevent data breaches. The first one is obvious: don’t collect what you don’t need. Secondly, destroy or redact what you don’t need. Follow the federal laws, such as FACTA, on secure disposal of personally identifiable information. Thirdly, ensure that any laptops you recycle, donate to charity or send back to a vendor are scrubbed. Lastly, conduct a privacy impact assessment prior to the launch of any new product or service. Encourage your teams—marketing, IT, product development, legal—to review what information can be collected from the product, and what the legal ramifications are.

DENNEDY: There are technical solutions out there. I won’t make a company pitch. I agree with Ruth and Charlene, though—don’t collect more than you need, and don’t travel with more than you need. There are various strategies where you can take advantage of server-based computing to keep your crown jewels in a place where IT professionals are surrounding them with, truly, not just “the reasonable security from time to time” but actual security.

CHARLENE A. BROWNLEE is a partner with the law firm Davis Wright Tremaine LLP. She advises clients on global privacy and data security matters, development of records management programs, e-discovery best practices and technology transactions. She co-authored the legal treatise Privacy Law (Law Journal Press). Charlene has lectured and published widely on privacy, records management and e-discovery. She is a US delegate for the APEC Privacy Data Security Working Group and serves on the University of Washington's Advisory Board for its EDiscovery Certification Program launching in 2009.

DAVIS WRIGHT TREMAINE LLP: The regulation of privacy and data security continues to expand at both a state and federal level. We can assist your organization in determining what policies, procedures and technology are required to comply and ensure proactive information governance. From developing record retention schedules and litigation hold policies, to advising on responding to a data breach, we have the experience and business-oriented perspective that clients value.

RUTH BOARDMAN is a partner in the London office of Bird & Bird. Ruth advises on all aspects of European information law, including data protection, freedom of information, database rights and confidentiality, with a specific emphasis on IT, e-commerce and public procurement. She is the co-author of Data Protection Strategy, published by Sweet & Maxwell. She also edits the Encyclopedia of Data Protection, from the same publisher, and is on the editorial board of Data Protection Law & Policy.

BIRD & BIRD is a leading European and Asian law firm, with offices in Belgium, Czech Republic, Finland, France, Germany, Hungary, Italy, Poland, PRC, Slovakia, Spain, Sweden, The Netherlands and The UK. We are ranked as a leading firm for data privacy advice, where we advise a wide range of international companies as well as companies for whom personal data is a key asset. We provide a full range of legal services: commercial, corporate, corporate restructuring & insolvency, dispute resolution, employment, EU & competition law, finance, intellectual property, outsourcing, public procurement, real estate and regulatory & administrative tax.

MICHELLE DENNEDY is Chief Privacy Officer for SUN MICROSYSTEMS, INC. Michelle is responsible for the continued development and implementation of Sun’s data privacy policies and practices, working across Sun’s business groups to drive the company’s continued data privacy excellence. Data privacy is a cornerstone of Sun’s approach to compliance with complex, demanding regulations including Sarbanes-Oxley, the EU Directive, California State Senate Bills, as well as escalating policy and process-oriented requirements being imposed globally. Michelle also works with Sun’s product development teams and partners to deliver best-practice privacy enabling products and services. She is the co-founder of Sun’s internal Privacy Council, an organization that includes and engages with stakeholders from across the company and is dedicated to promoting and promulgating a cohesive practice throughout the organization to protect Sun’s relationships with its customers.


JAN BROWN & ASSOCIATES is a worldwide deposition reporting and legal video company. We offer the latest in technical expertise and the highest quality in the rendition of these services. Our services include realtime depositions, video conferencing, full service legal videography, document scanning, on-line repository, DVD or CD-ROM, case management services for large complex cases. We are Certified Livenote Providers and offer conference rooms. Our services are utilized by the top firms in the country and we are the court reporters and videographers of choice. www.janbrownassociates.com 800.522.7096