Data Security for Lawyers: What You Need to Know

Kelly Kay, VP, Business Operations, Lyft, Inc.
Dino Tsibouris, Attorney, Tsibouris & Associates, LLC

Overview
- Key privacy concerns for 2016
- Privacy and security preparation
- Vendor management
- When and how to engage outside counsel & advisors
- EU Privacy
- Sample enforcement

Key Privacy Concerns for 2016
- It is not just about how you use data any more
- More enforcement by federal and state regulators
- More than The Internet of Things
- State privacy laws
- Vendor management
- Class actions (plaintiff standing to sue)
- EU General Data Protection Regulation

AvMed Class Action Settlement
- $3M class action settlement
- Theft of two AvMed laptops containing 1.2M customer records in 2009
- Class action ensued, based upon negligence, breach of contract, implied contract, unjust enrichment
- Not HIPAA
- Case dismissed twice, but revived on appeal

AvMed Class Action Settlement (continued)
- Class 1: AvMed customers whose data was stolen
- Class 2: Same as Class 1, but also became victims of identity theft
- BONUS: Federal Court of Appeals also allowed claims for persons who were not victims of identity theft but paid higher premiums for AvMed to protect their data
- AvMed decides to settle this quickly

AvMed Class Action Settlement (continued)
- $3M health insurance class action settlement
- Awarded money to plaintiffs who suffered no monetary loss
- $10 refund to every customer per year, up to $30, for the additional per-customer cost of protecting their data
- AvMed reimbursed customers whose data was on a stolen laptop for any proven ID theft

AvMed Class Action Settlement (continued)
Promised to:
- Train all employees in security awareness
- Special laptop security training
- Upgrade laptop security, including GPS
- New passwords and full disk encryption at rest
- Physical security upgrades
- $750,000 to the lawyers

Springer v. Stanford Hospitals and Multi-Specialty Collection Services
- Stanford Hospital hired MSCS to perform a revenue cycle review
- Provided encrypted spreadsheet with patient data
- MSCS hired Corcino & Associates to convert data to graphics
- One Corcino employee posted the spreadsheet to the Student of Fortune website for freelance help and left it posted for a year
- Patient discovered it online

Springer v. Stanford Hospitals and Multi-Specialty Collection Services (continued)
- Stanford sent breach notification four days after discovery
- Terminated MSCS
- Offered identity theft protection
- $20M class action filed by patient a few days after they received notice
- Filed against all 3 companies

Springer v. Stanford Hospitals and Multi-Specialty Collection Services (continued)
- Basis: California Confidentiality of Medical Information Act
- Unlike HIPAA, provides private individuals with a right to sue
- 2 years of litigation
- $4.1M court-approved settlement
- MSCS and Corcino to pay $3.3M

"When your details and identity are stolen it's hard to put a true price on the damage it can cause you and your credit rating. But hackers don't have such trouble assigning a value to your personal property." (Daily Mail)

How much is your customers' data worth?
- Uber accounts sell for nearly $4 on the dark web, 18 times more than credit card info
- PayPal accounts with a $500 balance sell for just $6.43
- Facebook accounts for $3.02
- On the dark web, stolen credit and debit cards are listed for just 22 cents

Data Breaches Average $6.5M in Damage to US Companies
- Education can only do so much: 19% of breaches were caused by negligent employees
- Sometimes it's just bad luck: 32% of breaches involved system glitches and/or IT/business process failures
- Malicious attacks are the worst: 49% of breaches involved malicious or criminal attacks, with a cost that was much higher than other breaches
- Heavily regulated industries are big targets: healthcare, pharmaceutical, financial, energy, transportation, communications and education were found to have a per capita data breach cost substantially above the overall mean of $217 per lost record

Risk versus Cost

How to Prepare
Conduct a privacy audit:
- Identify the categories of data you collect
- Locate where it is collected and stored
- Identify who may access it
- Limit access

How to Prepare (continued)
- Perform intrusion testing
- Create a data incident response plan
- Develop customer communications
- Anticipate regulator notifications if required
- Select media response team

How to Prepare (continued)
- Draft internal privacy policy and external privacy notices
- Develop an information security policy
- Integrate with HR policies
- Data Security Team - Physical & System Security

Vendor Management
- Cloud Storage versus Data Center
- Protection through Contract
- Security Certification
- Encryption in transit, at rest, in backups

Contracting: Vulnerabilities
- Treat vulnerabilities like security breaches
- Demand: Notification, Action plan, Remediation, Mitigation

Contracting: Indemnification
- Intellectual property (trade secrets)
- Violation of laws
- Violation of agreement
- Gross negligence

Contracting: Liability
- Unlimited
- Capped

Security in Practice
- Major cloud providers implement reasonable or appropriate measures
- You are responsible for your configuration
- You get Service Levels, but no other warranties
- Liability is limited, typically to 12 months' fees

When to Engage External Advisors
- Data Breach

Outside Counsel's Breach Checklist
- Who owns the data? Are you the owner? Are you a processor?

Outside Counsel's Breach Checklist (continued)
Which laws apply to the breach?
- What industry are you in?
- Where is the affected data located?
- Where do the affected individuals live?

Outside Counsel's Breach Checklist (continued)
Identify which laws apply to the breach:
- How long do we have to investigate?
- Must I notify the individuals?
- What notice requirements apply?

Outside Counsel's Breach Checklist (continued)
Identify which laws apply to the breach:
- How soon must we notify customers or regulators?
- What is the form of notification? (paper, SMS)

Outside Counsel's Breach Checklist (continued)
- How soon must I notify the data owner if I am a service provider/data processor?
- Are other parties obligated to pay for this?
- What should we reserve for the contingency?

Outside Counsel's Breach Checklist (continued)
- What are my ongoing obligations after a breach? Providing for credit monitoring; paying for financial losses
- Can I get sued for a breach? Who can sue me? What are damages?

Outside Counsel's Breach Checklist (continued)
What regulators should we consider?
- FTC, DOJ, FCC, HHS OCR, CFPB, OCC, NCUA
- State attorney general
- State regulators
- Foreign governments

International Privacy Issues: Possible Alternatives
- Standard Contractual Clauses (Model Clauses)
- Binding Corporate Rules
- Derogations in Law: Necessary for performance of contract; Unambiguous, informed, freely given, specific consent
- January 31, 2016 deadline by European privacy regulators to create Safe Harbor 2.0

General Data Protection Regulation
- Final text adopted but not formally ratified by EC early 2016?
- 72-hour data breach notification obligation
- Fines as high as 2% of annual turnover

Zappos MA AG Enforcement
- Zappos agreed to pay $106K
- Unauthorized access to: names, addresses, phone numbers, last 4 digits of credit card numbers, and login credentials of customers

Zappos MA AG Enforcement (continued)
Settlement requires:
- Maintenance and compliance with information security policies
- Providing the AG with information
- Demonstrating compliance with PCI-DSS for two years
- Third party audit, providing copy to MA AG, and addressing deficiencies
- Annual training
Kelly Kay, (408) 391-1432, kk@lyft.com

Questions & Answers
Kelly Kay (408)
Dino Tsibouris (614)