Legal Perspective on Data Security for 2016

Mehmet Munur, Attorney
Tsibouris & Associates, LLC

Dino Tsibouris, Attorney
Tsibouris & Associates, LLC
Overview
1. Looking back at 2015
2. More capable and technical regulators
3. Expanding enforcement by Federal regulators
4. State guidelines on security
5. How to prepare
6. International privacy issues
Looking back at 2015
Expanding Enforcement
Typical FTC §5 Enforcement Action
• Designate employee responsible for privacy or security program
• Conduct risk assessment and employee training
• Test and monitor risks identified
• Implement and maintain protections
• Evaluate and adjust program
• Biennial third-party assessments
• In effect for 20 years
ASUS FTC Enforcement
• “your secure space”
• “private personal cloud for selective file sharing”
• “indefinite storage and increased privacy”
• “the most complete, accessible, and secure cloud platform”
ASUS FTC Enforcement
• Authentication bypass vulnerability
• Password disclosure vulnerability
• Cross-site request forgery vulnerabilities
• FTP server, if enabled, open to all by default
• Notified of vulnerabilities in June 2013
• Issued firmware in February 2014
ASUS FTC Enforcement
• Risk assessment must include risks relating to:
– Employee training and management, including secure engineering and defensive programming;
– Product design, development, and research;
– Secure software design, development, and testing, including for Default Settings;
– Review, assessment, and response to third-party security vulnerability reports; and
– Prevention, detection, and response to attacks, intrusions, or systems failures.
ASUS FTC Enforcement
• Design and implementation of reasonable safeguards must include:
– Vulnerability and penetration testing;
– Security architecture reviews;
– Code reviews; and
– Other reasonable and appropriate assessments, audits, reviews, or tests to identify potential security failures and verify that access to Covered Devices and Covered Information is restricted consistent with a user’s security settings.
CFPB Dwolla Enforcement
• Data security practices “exceed industry standards” and “surpass industry security standards”
• “sets a new precedent for the industry for safety and security”
• Dwolla stores consumer information “in a bank-level hosting and security environment”
CFPB Dwolla Enforcement
• Falsely claimed its data security practices exceeded or surpassed industry security standards
• Failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access
• Falsely claimed that its information is securely encrypted and stored
• Did not encrypt some sensitive consumer personal information and released applications to the public before testing whether they were secure
CFPB Dwolla Enforcement
• Consent order requires Dwolla to:
– Stop misrepresenting its data security practices;
– Train employees; and
– Pay a $100,000 civil money penalty.
• There was no data breach.
HIPAA Enforcement
• Feinstein Institute for Medical Research: $3.9 million settlement; its security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities
• North Memorial Health Care of Minnesota: $1.55 million settlement for failing to enter into a business associate agreement
CA AG Data Breach Report
• Recommendations:
– For reasonable security, points to the 20 controls from the Center for Internet Security’s Critical Security Controls
– Implement multi-factor authentication
– Use strong encryption with portable and desktop devices, especially in the healthcare sector
How to Prepare
• Conduct a privacy audit
• Identify the categories of data you collect
• Locate where it is collected and stored
• Identify who may access it
• Limit access
How to Prepare
• Perform intrusion testing
• Create a data incident response plan
• Develop customer communications
• Anticipate regulator notifications if required
• Select media response team
How to Prepare
• Draft internal privacy policy and external privacy notices
• Develop an information security policy
• Integrate with HR policies
• Data security team: physical and system security
• Vendor management
International Privacy Issues
EU-US Privacy Shield
Possible Alternatives
• Standard Contractual Clauses (Model Clauses)
• Binding Corporate Rules
• Derogations in law
– Necessary for performance of contract
– Unambiguous, informed, freely given, specific consent
• European Commission working on details of the EU-US Privacy Shield
General Data Protection Regulation
• Final text negotiated but not formally published; effective in approximately 2.5 years
• 72-hour data breach notification obligation
• Fines as high as 4% of annual turnover
What should you do?
• Implement security and privacy by design
• Understand data collection, transfer, and use
• Conduct risk assessments
• Address risk assessment results
• Prepare for data breaches
• Ready response teams, including legal, communications, forensic, and business
• Obtain cyber liability insurance
• Repeat annually
Questions & Answers

Dino Tsibouris
(614) 360-3133
Dino@Tsibouris.com

Mehmet Munur
(614) 859-6962
Mehmet.Munur@Tsibouris.com