2011 OFII General Counsel Conference, Washington, D.C.

Information Governance in an Era of Rapid Privacy and Data Security Change

Edward McNicholas, SIDLEY AUSTIN LLP


What Can Go Wrong

• ChoicePoint - FTC obtained record $10 million fine and $5 million restitution, plus substantial injunctive requirements; $500,000 settlement with 43 state AGs; $12 million spent on security upgrades since 2005

• TJX - computer intrusion and stolen customer transaction data leads to government investigations and scores of putative class actions around US and Canada (46 million customers)

• Monster.com - 1.6 million job searches compromised by Trojan horse and phishing attacks

• Telefonica Espana - fined €840,000 by the Spanish Data Protection Authority for sharing an individual’s data with one of its subsidiaries for marketing purposes

• Tyco Healthcare – fined €30,000 ($40,972) by the French Data Protection Authority (CNIL) for improper storage and cross-border transfer of employee data (April 2007)

• Lilly – FTC investigation started by single errant e-mail


The Cost of Getting Data Protection Wrong

• Breaches and data incidents can be extremely painful

• Hard costs:
– Cost of notifying affected individuals
– Credit monitoring
– Investigation and legal fees

• Potential costs:
– FTC, State AG, and regulatory investigations
– Class actions by data subjects
– Litigation with business partners over hard costs
– Legal defense fees

• Brand/Reputation harm:
– Charges of deceptive / unfair business practices
– Lost confidence / uncertainty in clients / employees
– Lost profits / business partners


SEC Cybersecurity Guidance

• SEC issued significant new guidance suggesting that public companies should evaluate disclosure of cybersecurity risks.

• Several existing regulations could require disclosure of actual cyber-attacks, and potential cyber-attacks should also be disclosed in some circumstances.


Advanced Persistent Threat

• Cyberattacks against Google were "wake-up call" about vulnerabilities that could cripple US economy (DNI)

• Cybersecurity legislation will seek to:
– Enhance coordination and prioritization of federal research and development
– Promote development of technical standards
– Improve the transfer of cybersecurity technologies to the marketplace

• Government contractors and companies involved in critical infrastructure should assess their technical and legal responses to cybersecurity risks
– DOD advanced notice of proposed rulemaking for defense contractors


The Reality Facing Global Corporations

• Broad complexity and wide variety of national (and sub-national) privacy and data security laws complicates compliance

• Significant cultural – and legal – differences exist in the meaning and nuances of privacy and data protection

• Achieving compliance with overlapping federal, state, national, sub-national and multilateral rules is complex and burdensome

• Trend towards stricter, more prescriptive laws, with more complexity and greater enforcement appears likely


U.S. Governmental Response

• States have responded with increased statutory protections for personal information

• Congress has passed sector-specific privacy and information security laws

• Omnibus privacy and information security legislation actively under debate in Congress


Overview of U.S. Privacy Law

• No comprehensive federal privacy statute

• In U.S., privacy is regulated via:
– Federal sector-specific and ad hoc statutes and regulations
– FTC regulation and enforcement
– State laws, AG enforcement actions and private litigation

• Industry self-regulation through company privacy policies, and association codes

• Changes likely in Washington


Federal Legislation and Regulation

• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Regulates privacy of personally identifiable, nonpublic financial information disclosed to non-affiliated third parties by financial institutions
– Requires administrative, technical, and physical safeguards

• Health Insurance Portability and Accountability Act of 1996 (HIPAA) / Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
– HIPAA rules protect confidentiality and security of medical information in hands of “covered entities” and “business associates” such as healthcare providers, hospitals, employer-sponsored health plans, etc.


Federal Trade Commission (FTC)

• FTC is de facto federal privacy enforcement authority; FTC Act § 5 (15 U.S.C. § 45)

• FTC charged with preventing "unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce"
– FTC enforces against companies that engage in the “deceptive” practice of failing to adhere to their own privacy and/or information security policies

• FTC enforces against companies that engage in the “unfair” practice of failing to provide adequate security for consumer data

• FTC enforces Gramm-Leach-Bliley Act; Fair Credit Reporting Act; Children's Online Privacy Protection Act


FTC Investigative Demand

– All policies adopted or statements made regarding the collection, disclosure, use and protection of personal information

– All documents sufficient to identify and describe in detail all systems and/or databases that collect, maintain, store, transmit or otherwise handle personal information

– Any risk assessments conducted to identify risks to the security and confidentiality of personal information

– All documents that set forth, assess, evaluate, question, challenge, contest or recommend changes to the security procedures, practices, policies, and defenses with respect to personal information

– All service providers that receive, maintain, process or otherwise are permitted to access personal information

– All documents that reflect, concern or relate to incidents of possible unauthorized access to personal information

– EU Privacy safe harbor compliance documentation


Communications Privacy

Electronic Communications Privacy Act (ECPA)
• ECPA governs interception (“wiretap”), access to and disclosure – by government and/or private entities – of contents of communications, or transactional and routing information related to communications, by providers of communications services and remote computing services

Computer Fraud and Abuse Act (CFAA)
• Prohibits hacking or accessing computers in violation of, or in excess of, authorization

Telecommunications Act
• “Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers”


Data Breach Statutes

• Data breach notification laws are pervasive

– 46 states, DC, Puerto Rico, and the Virgin Islands have breach notification requirements

– Some states require reporting to government agencies

• Triggers vary
– Risk of harm
– Pure acquisition

• Encryption remains a key issue
– Creates safe harbor from state data breach notice laws
– Laptops, portable media (such as USB drives)
– Wireless transmission; transmission over public network


Massachusetts Data Security Standards

• Regulation 201 CMR 17.00 (effective March 1, 2010)

• Requires anyone that owns, licenses, stores or maintains resident’s personal information to develop and implement a comprehensive written information security program

• Requirements passed through to vendors

• Personal information is defined as:

– Name plus SSN, driver’s license number or other state-issued identification number, or credit or debit card number or other financial account number

– Applies to electronic or paper data


Massachusetts Data Security Regulations

• Collect only minimum personal information necessary
• Retain information only as long as necessary for purpose originally collected
• Limit access to those with need to know
• Promptly deactivate user name/password of terminated employee authorized to access personal information
• Encrypt personal information:
– in transmission over Internet
– on all wireless transmissions
– on portable storage media
• Develop policy to regulate when and how personal information may be transported, stored and accessed off-site
• Develop policies for telecommuting
• Passwords required
• Monitor access to personal information and review audit trails


Other State Issues To Watch

• Social Security Number Protection laws that require special limitations on the collection, use and display of SSNs
• State “Unfair and Deceptive Acts and Practices” (UDAP) Statutes
• Secure Disposal Laws that require businesses to dispose of personal data records securely
• Privacy Torts: Privacy invasions, negligence, misappropriation, defamatory speech, trespass to chattel, stalking, etc.
• RFID bills that prohibit the nonconsensual use or reading of RFID chips; Missouri criminal law against employers requiring implants
• Medical or Genetic Privacy – restrictions on the use of test results and the use, disclosure and protection of biometric data
• Employee Surveillance – DE and CT have notice rules
• Locational Privacy – restrictions on use of GPS-enabled devices
• Behavioral Tracking and Advertising


Privacy in Congress

• Cybersecurity
• ECPA & USA PATRIOT Act
• Senators Kerry and McCain have the lead on privacy bill
– fair information principles-based, omnibus privacy bill
– right for data subjects to receive a clear and concise notice of uses that they might not reasonably anticipate
– opt-out of unanticipated uses of PII; opt-in consent required for uses of sensitive PII or third party transfer
– mechanism for individuals to access and correct PII
– new Commerce Office of Commercial Privacy Policy
– enforcement by state Attorneys General and FTC


White House

• “2011 as Year of Privacy”?

– Chartering of inter-agency “Subcommittee on Privacy and Internet Policy” as part of National Science and Technology Council’s Committee on Technology

• Focus on commercial privacy policy issues

• Address global privacy policy challenges and pursue coordinated policy around the globe

• Promote favorable environment for cross-border information flows

• Coordinate Administration positions on privacy and Internet legislation

• No privacy “czar”; inter-agency committee

• White House Leadership


Federal Trade Commission: Preliminary Staff Report

“Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers”


FTC Vision of Privacy by Design

• Promote consumer privacy throughout the organizations and at every stage of the development of the products and services.

• Incorporate substantive privacy protections into practices, such as:
– data security,
– reasonable collection limits,
– sound retention practices, and
– data accuracy.

• Maintain comprehensive data management procedures throughout the life cycle of products and services.


Doubly Broad Applicability

“All commercial entities that collect consumer data in both offline and online contexts, regardless of whether such entities interact directly with consumers”

For any data that can be “reasonably linked to a specific consumer, computer, or other device”


Three Key Principles

“Privacy by Design”
– Internal safeguards by commercial entities
– Comprehensive business privacy programs

“Simplified Choice”
– “Just in time” notice and consumer choice
– Standardized exceptions to the notice and choice
– Do Not Track (national analog to Do Not Call)

“Greater Transparency”
– Consumer access to, and ability to correct, personal data
– Prominent notification and express affirmative consent required from consumers before a company uses consumer data in a materially different manner than notified at collection


Department of Commerce Green Paper

“Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework”

Draft “White Paper” (December ?)


Fair Information Practice Principles (FIPPs)

• Transparency
• Individual Participation
• Purpose Specification
• Data Minimization
• Use Limitation
• Data Quality and Integrity
• Security
• Accountability and Auditing


Privacy Impact Assessments (PIAs)

• PIAs would “require organizations to identify and evaluate privacy risks arising from the use of personal information in new technologies or information practices”

• The report contemplates that such PIAs would be “prepared in sufficient detail and made public”

• Purposes
– “create consumer awareness of privacy risks in a new technological context”
– “help organizations to decide whether it is appropriate to engage in the particular activity at all, and to identify alternative approaches that would help to reduce relevant privacy risks”


Commercial Privacy Policy Office


EU Impacts

• EU Data Protection Directive (1995)
– Limits on collection, processing, transfer, and export
– EU member states prohibit or restrict transfers of personal information to the United States unless certain compliance mechanisms are in place
– EU standards (derived originally from U.S. and OECD fair information principles) require:
• Notice of collection and use of personal information
• Choice (consent) to uses of information
• Access to information to review, correct or expunge
• Integrity/security of data
• Enforcement/redress of privacy rights

– Member states differ significantly in approach


EU International Data Transfer Restrictions

• Articles 25 and 26 of the Data Protection Directive prohibit transfer of personal data to countries outside EEA that do not ensure an adequate level of protection

• Possible means for dealing with data transfers outside the EU include:
– Consent – but consent must be informed and freely given
– Model Contracts
– US Safe Harbor
– Binding Corporate Rules
– Article 26(1)(d) – transfer necessary or legally required on important public interest grounds or for establishment, exercise or defence of legal claims

• Hague Convention – compliance with request under Hague Convention provides formal basis for transfer of personal data but some EU Member States have not signed Convention or have signed with reservations regarding civil discovery


International Privacy

[Chart: countries plotted by whether they have implemented a comprehensive data privacy law or have no local privacy law, on an axis running from no enforcement capability to more enforcement capability; the placement of individual countries is not recoverable from the extracted text]


Uncertainty in the Clouds

• Not specifically regulated but a plethora of divergent laws and enforcement approaches apply around the world
• Many laws relating to data privacy are outdated and it is unclear how they will be applied in Cloud circumstances
• Laws of multiple jurisdictions may apply to transactions involving a single data set
• Transferring data to a Cloud provider may lead to ambiguity regarding data protections
• Liability for, and uncertainty about duties for responding to, data breaches, unauthorized access, loss of data, demands for access to data


Top Cloud Issues to Consider

1. Where Are the Data? Territorial jurisdiction continues
2. Privacy/Security Requirements
3. Incident Response and Control
4. Outages / Disaster Recovery
5. Service Levels / Speed
6. Termination / Migration to a Different Provider
7. Insurance / Indemnification / Risk Shifting
8. Government and Litigant Access to Information


Threat of Cloud Balkanization: Complying with EU Privacy Law?

• Leading EU Parliamentarians are concerned about the US government’s ability to seek and obtain information without notice to data subjects in the name of national security
– “Does the Commission consider that the U.S. PATRIOT Act thus effectively overrules the E.U. Directive on Data Protection? What will the Commission do to remedy this situation, and ensure that E.U. data protection rules can be effectively enforced and that third country legislation does not take precedence over E.U. legislation?”

“Essentially what is at stake is whether Europe can enforce its own laws in its own territory, or if the laws of a third country prevail.”


Beginning of a Digital Trade War?

• Bloomberg (9/13/11): “Deutsche Telekom Wants ‘German Cloud’ to Shield Data From U.S.”

– Deutsche Telekom AG's T-Systems information technology unit is pushing regulators to introduce a certificate for German or European cloud operators to help companies guard data from the U.S. government.

– “The Americans say that no matter what happens I'll release the data to the government if I'm forced to do so, from anywhere in the world,” Clemens said. “Certain German companies don't want others to access their systems. That's why we're well-positioned if we can say we're a European provider in a European legal sphere and no American can get to them.”

– Clemens said: “A German cloud” would be a “safe cloud”.


CNIL (French DPA)

• CNIL has facilitated the use of outsourcing services performed in France on behalf of non-European companies (15 March 2011)

– Exempts required notification to CNIL for processing performed in the field of human resources and clients and prospects management by French service providers acting on behalf of companies established outside the European Union.

– CNIL wants to be realistic and pragmatic in applying the French law to such situations: ensure a high level of protection of personal data while, at the same time, generating practical solutions so as not to hamper the development of service offerings by French companies.

– CNIL decided to exempt from declaration the processing of human resources, client management and prospects files. This exemption relates to the processing performed by French service providers on behalf of data controllers established outside the EU.

– CNIL wishes to encourage a reflection on how to improve and make more effective the rules relating to the national applicable law. The revision of the EU Directive, currently in progress, certainly provides a unique opportunity to embark on this path.


Google: All Governments Seek Data

• Google statistics on the number of requests it receives for the personal data of its users from governments around the world:

– Governments of France, Germany, Italy, Spain, the United Kingdom, and the Netherlands all submitted significant numbers of requests for user data

– Other government requests do not seem disproportionately more circumspect or privacy protective than the number of requests received from the U.S. government

• Accordingly, it is not useful or accurate to single the United States out as significantly more intrusive on the Internet than other governments


Government Access: National Security

US and European governments have similar approaches to the balance between privacy and national security:

• USA PATRIOT Act provides the FBI access to any business record with a court order, and expands the government’s ability to obtain records pursuant to a National Security Letter; “probable cause” warrant or equivalent typically required for acquisition of communications or sensitive information
• EU Data Protection Directive – Article 13 specifically exempts “national security” from otherwise applicable privacy protections
• EU Treaty of Lisbon, which ensured personal data protection in the EU, expressly allows member countries to impose derogations on personal privacy where necessary for national security purposes
• Specific European countries, such as the Netherlands and Spain, have created carve-outs in personal data privacy protections for activities conducted under the rubric of national security or certain law enforcement activities.

Some Europeans have exaggerated the differences between US and EU law regarding governmental access to personal data for national security purposes


Corporate Cloud Strategies

• Recognize that Cloud legal issues concern B2B as well as consumer (privacy) issues

• Take stock of where in the world your data are (conduct data inventory and track flows of): personal information, IP and trade secrets, HR data, other valuable information assets

• Engage in careful contracting: preserve control, reduce risk of disclosure, assign security obligations and enforcement costs

– Affirmatively deny consent to interception or disclosure of data conveyed by/through Cloud provider to governments or litigants

– Require notification of breach/disclosures/requests for data
– Deny access unless specifically authorized in advance or compelled by law (in which case notification is requested)
– Require maximum possible resistance to disclosure
– Determine access controls and encryption protocols


Privacy Challenges in Social Media

Internal Challenges

• Mosaic leakage
• Whistle-blowers
• Employee leakage

External challenges

• Customers
• Hacktivists
• Hackers
• Journalists
• Regulators



German Ban on “Like” Button

• From a German law perspective, any company operating a Facebook fanpage and using Facebook Insight as a service may well be considered to have a data processing relationship with Facebook

• Schleswig-Holstein DPA Thilo Weichert ordered businesses to remove the Facebook “like” button from their websites and shut down so-called “fan” pages

• Weichert emphasized that the wording in the conditions of use and privacy statements of Facebook do not meet the legal requirements for compliance of legal notice, privacy consent, and general terms of use


Privacy in Social Media: Google Buzz

• FTC charged that Google used deceptive tactics and violated its own privacy promises to consumers when it launched a social network by pulling information from Gmail accounts

• Buzz settlement is the first to require implementation of a comprehensive “Privacy by Design” program to protect the privacy of consumers’ information, including

– Risk assessment to identify reasonably-foreseeable risks and assess the sufficiency of safeguards

– Regularly test or monitor the effectiveness of the program’s key privacy controls and procedures

• Settlement mandates a compliance and reporting program, including biennial assessments and reports from a qualified, independent third-party


NLRA Claims

• NLRA claims challenge employer decisions and policies that interfere with employees’ right to engage in concerted activity.

• NLRA protects all employees regardless of union status.

• Recently, NLRB has issued complaints against employers in the context of social networking.

• The NLRB has also issued advice memoranda addressing social networking issues.

“[W]hether it takes place on Facebook or at the water cooler, it was employees talking jointly about working conditions . . . and they have a right to do that.”

-- Lafe Solomon, GC of the NLRB, on the “Facebook firing” case

Page 42

Employment Privacy Issues

• Duty to investigate sites where the employer knows of facts or has reliable objective evidence that would lead a reasonably prudent person to investigate a prospective or current employee:

– Past history or recent threats of violence

– Complaints of harassment, sexual or otherwise

– Knowledge of other conduct – such as involvement in racist or hate groups – that could create liability for the company

• Is the employer responsible for employee posts on his/her blog during non-work hours on non-work equipment? It depends . . .

– The nature of the post

– Whether the employee clearly identified himself or herself as an individual (as opposed to an employee of the company)

– Whether the individual truly acts as an individual, with no apparent nexus to the company

Page 43

Employment Privacy Issues: To Monitor or Not To Monitor

Steps Forward

• Use to screen in and screen out applicants

– Bona fide qualifications

– Honesty in resume

• Get FCRA consent

• Obey terms of use

• Use consistent approach

• Use non-decision maker

• Investigate when prudent

Steps to Avoid

• Private sites

• Protected groups

• Protected activities (wages, hours, safety)

• Consumption statutes

• Lifestyle discrimination

– California prohibits discrimination for any off-duty conduct

Page 44

Corporate Strategies: Assessment

• Factual assessment

– Map how personal data is collected, stored and transferred

• Cultural assessment

– Assess privacy training and employee awareness

– How does privacy fit within the goals of the organization?

• Legal assessment

– Analyze existing policies and procedures

– Review vendor contractual provisions

– Find a transborder data flow solution

– Review website policies

– Labor unions / workers’ councils

– Registrations with DPAs

• Security assessment

– Document information security vulnerabilities and protections

• Third party service providers and their policies

Page 45

Mind the Common Compliance Gaps

The ability to deliver on privacy and security compliance obligations is often outpaced by market, technological, and organizational changes

• Vendors, Vendors, Vendors

• New Technologies

• Analog Problems in a Digital World

• People, People, People

• Wireless and Slippery Devices

• Organizational Commitment

Page 46

Shift to Information Governance

• Paradigm shift in which privacy becomes merely a part of information governance

• Duties of privacy officers expanding or being subsumed

– Information Security

– Privacy

– Marketing

– Customer Sales

– Records Management

– eDiscovery

Page 47

Key Insights

• The issue is information governance – collection, use, sharing, security, eDiscovery, retention and disposal

• Focus on data security, particularly due diligence over Internet systems and service providers

• Clear legal obligations will generally lag industry standards, reasonable practices, and new technologies

• Include privacy in the design of new projects

• Ensure board and senior management involvement

Page 48

Ten Items to Worry About

1. Locational privacy: geo-located ubiquitous mobile web devices

2. Security: Will cybersecurity overwhelm privacy?

3. Children: Protecting digital natives, without breaking the web

4. Smart grid: Will appliances become surveillance machines?

5. Face recognition: Will useful apps enable mass surveillance?

6. Privacy Notices: Are privacy policies useful? What is next?

7. Anonymization: Is everything on a spectrum of identifiability?

8. Analyzing social media: Birds of a feather.

9. Droit a l'Oubli: Is forgetting censorship?

10. Conflicts in the cloud: Is the global web balkanizing?

Page 49

Edward McNicholas
Partner

Sidley Austin LLP
1501 K Street, NW
Washington, DC 20005
(202) 736-8010

www.sidley.com/infolaw

This presentation has been prepared by Sidley Austin LLP as of November 14, 2011, for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers.

Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, London, Hong Kong, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.