Data Security and Privacy Overview and Update Peter Moldave October 28, 2015


Page 1

Data Security and Privacy Overview and Update

Peter Moldave, October 28, 2015

Page 2

Topics to cover today:

Data Security
Data Privacy
Data Integrity
Specific Issues with Regulated Data

Page 3

Examples of situations that companies face

Storage of employee and customer personal data
Use of credit reports for employment decisions
Use of health data for marketing
Technological features required to comply with regulations

Page 4

Data security and data privacy are not the same thing

Data security is about protecting data from unauthorized access
Data privacy is about restrictions on collection or use of (personal) information
Data protection may be a combination of privacy and security

Page 5

Data integrity is separate from data security and data privacy

Ensuring data is available and useful
Data integrity issues are in some ways opposite to those of privacy and security

Page 6

Data Protection Regulation

US has no general (federal) data protection requirement
Specific US items may need more specific consideration, e.g. Gramm-Leach-Bliley, HIPAA, COPPA, Fair Credit Reporting, State Data Protection
European rules on data protection are more general
Safe Harbor update

Page 7

Examples where data security and data privacy issues come up

“Normal” companies (i.e. not “internet”)
  Employee records: State data security (SSN’s etc.)
  Hiring decisions: State data security & Fair Credit Reporting
  Customer relationships: Information about EU customers
  Services provided to healthcare companies: Are you a “business associate”?
  Use of on-line resources: Are your records appropriately protected?

Page 8

Examples (cont.)

“Internet” companies, i.e. product provided over the internet
  Obligations regarding customer data
  Obligations regarding the customer’s customers’ data
  Ability to use data to improve products, provide services to other than the immediate customer
  Obligations regarding method of storage/protection of data

Page 9

Some terminology to use

Personally Identifiable Information (“PII”)
  A data protection (US state law) concept
  Information associated with a particular individual
  Example definition under Massachusetts data protection law: Name + account number
Personal Health Information (“PHI”)
  A HIPAA concept
  Information relating to health care services provided to an individual
  Can include billing information

Page 10

Terminology (cont.)

HIPAA
  US federal law regulating health information
  Generally covers health care providers
  Can also extend to “business associates”
Gramm-Leach-Bliley
  US federal law regulating privacy of financial information
  Generally covers financial institutions

Page 11

Terminology (cont.)

Data subject/subject individual
  The individual the data is being gathered about
  Generic terminology/EU privacy terminology
Aggregated data
  Data which has been combined so that it does not reflect any particular individual

Page 12

Terminology (cont.)

Customer
  The organization utilizing the information supplied by the content company concerning the data subject
End User
  May be the same as the data subject, or may be a person at the Customer organization

Page 13

Terminology (cont.)

Encryption
  A method of transforming data so that it is not immediately readable by an unauthorized third party
Clear text
  The original unencrypted data

Page 14

Rights/Liability

Interests of the content company
  (Data Privacy) Use restriction obligation to data subject, source
  (Data Security) Security protection obligation to data subject
  (Data Integrity) Data integrity of concern to data recipient, not to subject

Page 15

Rights/Liability (cont.)

Interests of the data subject
  (Data Privacy) Use restriction obligation to data subject
  (Data Security) Security protection obligation to data subject
  (Data Integrity) Data integrity not relevant to subject

Page 16

Rights/Liability (cont.)

Customer
  (Data Privacy/IP) Use restriction obligation to data subject, source
  (Data Security) Security protection obligation to data subject
  (Data Integrity) Data integrity of concern to Customer

Page 17

Contractual protection of data is important

Problem areas/issues
  Overbroad clauses
  Indemnification
  Liability for events over which you have no control
  Confidentiality clauses; interaction with privacy policies
  Addressing multiple levels of source of data: End user -> provider -> customer -> third party resources

Page 18

HIPAA

What is covered: Protected health information maintained or transmitted electronically (“PHI”)
Who is covered:
  Covered Entity: includes health plans and health care providers who transmit any health information in electronic form
  Business Associate: includes non-health care organizations performing services for a Covered Entity involving access to PHI

Page 19

HIPAA (cont.)

What is required: adequate security; Business Associate Agreements (“BAA”) with Business Associates
What is restricted: Use of PHI other than for provision of health care
What is permitted: use for health care purposes, etc.
What is not covered: aggregated data, de-identified data

Page 20

Gramm-Leach-Bliley

What is covered: nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes; but not for business, commercial, or agricultural purposes.
Who is covered: Financial institutions

Page 21

GLB (cont.)

What is required: develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards to insure the security and confidentiality of customer information. 16 CFR 314.3

Page 22

Fair Credit Reporting Act

What is covered: a “consumer report”: any communication of information by a consumer reporting agency bearing on a consumer’s credit worthiness, . . . character, general reputation, personal characteristics, or mode of living. 15 U.S.C. § 1681a(d)

Page 23

FCRA (cont.)

Who is covered: Consumer reporting agencies
What is required: In many cases, consent from data subject; notice upon adverse actions; correction of erroneous information

Page 24

FCRA (cont.)

What is restricted: Use of/access to credit information for unauthorized reason (i.e. not in connection with credit etc. transaction); maintenance of certain stale or prohibited information. 15 U.S.C. § 1681c
What is permitted: Use for eligibility for credit, insurance or employment purposes with consent of data subject. 15 U.S.C. § 1681b

Page 25

EU

Expansive view of what is covered
Requirement re destruction/review by data subject
Restrictions on cross-border usage
Impact of recent “Safe Harbor” decision

Page 26

State Data Protection Laws: Overview

What is covered: Personally identifiable information (“PII”), usually a name or email address plus SSN or financial account number, in general only in electronic form
Who is covered: In general, citizens of the applicable state
What is required: Encryption of electronic PII
What is restricted: In general, unauthorized disclosure of PII

Page 27

Massachusetts example

What is covered
What is required
What is not covered
Actions to take on data breach

Page 28

Data Security

Page 29

Considerations

What is the data being utilized?
Plan ahead for type/form of data collection
Define access control
Understand location of content and encryption strategy
Understand backup and archiving
Contingency plan for data breach

Page 30

What is content used for - internally

Consistency with internal privacy policy
Consistency with regulatory requirements
Consistency with IP rights granted in end user agreements

Page 31

What is content used for - provider

Consistency with internal and provider privacy policy
Consistency with regulatory requirements
Consistency with IP rights granted in end user agreements
Is aggregate/anonymous use permitted?

Page 32

What is content used for – provider (cont.)

Performance of service
Monitoring of service
Other uses
  Creating new products
  Selling of aggregate data

Page 33

Planning ahead for data collection and storage

Where is data stored?
Is data for separate projects/separate clients stored in separate “containers”?
How is access controlled (2 factor authentication?)
In what form is it stored (encrypted or unencrypted)?
Where are encryption keys stored?
How is it protected from external access (firewalls etc.)?

Page 34

Access to Content - Generally

Purpose of access
Security of information flow
Agreements with third parties
Conformance of theory with reality

Page 35

Access to Content – Generally (cont.)

Consider regulatory requirements for protection of data
Consider regulatory requirements for agreements (BAA’s etc.)
Consider impact of mobile usage

Page 36

Access to Content – Generally (cont.)

Employees
  Implement appropriate internal security policy
  Consider whether employee use of own devices is problematic
Access by third parties
  Implement appropriate non-disclosure agreements
  Make sure access is consistent with agreements and privacy policy

Page 37

Subcontractors

Consent over use of subcontractors
Vetting of subcontractors
Ensuring contractual provisions flow through properly
May require use of BAAs for HIPAA data
Dealing with changes to provisions

Page 38

Backups and archives

How is it archived?
Where is it archived? Is the location acceptable based on general data protection principles?
Frequency
Security – encrypted vs. non-encrypted
Retention period
When can/must it be destroyed?
Stop-destruction in case of litigation

Page 39

Backups and archives (cont.)

Make sure document retention policy and archive process are consistent
Make sure litigation hold can be implemented
Clarify location of data
Consider ability to delete backups/archives on a client by client/project by project basis

Page 40

Data Breach

Exposure to liability
  Financial – identity theft monitoring
  HIPAA – regulatory actions

Page 41

Contingency planning for data breach

Understanding regulatory requirements and time frames
Determining types of data being stored
Encryption

Page 42

Arrange insurance for data breach

Usually E&O
May be sublimits on notification
Primary insurance coverage under own policy
Also coverage under supplier policy
  Name as additional insured
  Concern about coverage amount

Page 43

Questions?

Peter Moldave, Gesmer Updegrove, [email protected]