Data Security for Lawyers: What You Need to Know

Kelly Kay, VP, Business Operations, Lyft, Inc.
Dino Tsibouris, Attorney, Tsibouris & Associates, LLC

Overview
- Key privacy concerns for 2016
- Privacy and security preparation
- Vendor management
- When and how to engage outside counsel & advisors
- EU Privacy
- Sample enforcement

Key Privacy Concerns for 2016
- It is not just about how you use data any more
- More enforcement by federal and state regulators
- More than the Internet of Things
- State privacy laws
- Vendor management
- Class actions (plaintiff standing to sue)
- EU General Data Protection Regulation

AvMed Class Action Settlement
- $3M class action settlement
- Theft of two AvMed laptops containing 1.2M customer records in 2009
- Class action ensued, based upon negligence, breach of contract, implied contract, unjust enrichment
- Not HIPAA
- Case dismissed twice, but revived on appeal

AvMed Class Action Settlement
- Class 1: AvMed customers whose data was stolen
- Class 2: Same as Class 1, but also became victims of identity theft
- BONUS: Federal Court of Appeals also allowed claims for persons who were not victims of identity theft but paid higher premiums for AvMed to protect their data
- AvMed decides to settle this quickly

AvMed Class Action Settlement
- $3M health insurance class action settlement
- Awarded money to plaintiffs who suffered no monetary loss
- $10 refund to every customer per year, up to $30, for the additional per-customer cost of protecting their data
- AvMed reimbursed customers whose data was on a stolen laptop for any proven ID theft

AvMed Class Action Settlement
- Promised to:
  - Train all employees in security awareness
  - Special laptop security training
  - Upgrade laptop security, including GPS
  - New passwords and full disk encryption at rest
  - Physical security upgrades
- $750,000 to the lawyers

Springer v. Stanford Hospitals and Multi-Specialty Collection Services
- Stanford Hospital hired MSCS to perform a revenue cycle review
- Provided encrypted spreadsheet with patient data
- MSCS hired Corcino & Associates to convert data to graphics
- One Corcino employee posted the spreadsheet to the Student of Fortune website for freelance help and left it posted for a year
- Patient discovered it online

Springer v. Stanford Hospitals and Multi-Specialty Collection Services
- Stanford sent breach notification four days after discovery
- Terminated MSCS
- Offered identity theft protection
- $20M class action filed by patient a few days after they received notice
- Filed against all 3 companies

Springer v. Stanford Hospitals and Multi-Specialty Collection Services
- Basis: California Confidentiality of Medical Information Act
- Unlike HIPAA, provides private individuals with a right to sue
- 2 years of litigation
- $4.1M court-approved settlement
- MSCS and Corcino to pay $3.3M

"When your details and identity are stolen it's hard to put a true price on the damage it can cause you and your credit rating. But hackers don't have such trouble assigning a value to your personal property." (DailyMail)

How much is your customers' data worth?
- Uber accounts sell for nearly $4 on the dark web, 18 times more than credit card info
- PayPal accounts with a $500 balance sell for just $6.43
- Facebook accounts for $3.02
- On the dark web, stolen credit and debit cards are listed for just 22 cents

Data Breaches Average $6.5M in Damage to US Companies
- Education can only do so much: 19% of breaches were caused by negligent employees
- Sometimes it's just bad luck: 32% of breaches involved system glitches and/or IT/business process failures
- Malicious attacks are the worst: 49% of breaches involved malicious or criminal attacks, with a cost that was much higher than other breaches
- Heavily regulated industries are big targets: healthcare, pharmaceutical, financial, energy, transportation, communications and education were found to have a per capita data breach cost substantially above the overall mean of $217 per lost record

Risk versus Cost

How to Prepare
- Conduct a privacy audit
  - Identify the categories of data you collect
  - Locate where it is collected and stored
  - Identify who may access it
  - Limit access

How to Prepare
- Perform intrusion testing
- Create a data incident response plan
  - Develop customer communications
  - Anticipate regulator notifications if required
  - Select media response team

How to Prepare
- Draft internal privacy policy and external privacy notices
- Develop an information security policy
- Integrate with HR policies
- Data Security Team - Physical & System Security

Vendor management
- Cloud Storage versus Data Center
- Protection through Contract
- Security Certification
- Encryption in transit, at rest, in backups

Contracting
- Vulnerabilities
  - Treat vulnerabilities like security breaches
  - Demand: Notification, Action plan, Remediation, Mitigation

Contracting
- Indemnification
  - Intellectual property (trade secrets)
  - Violation of laws
  - Violation of agreement
  - Gross negligence

Contracting
- Liability
  - Unlimited
  - Capped

Security in Practice
- Major cloud providers implement reasonable or appropriate measures
- You are responsible for your configuration
- You get Service Levels, but no other warranties
- Liability is limited, typically to 12 months' fees

When to Engage External Advisors
- Data Breach

Outside Counsel's Breach Checklist
- Who owns the data?
  - Are you the owner?
  - Are you a processor?

Outside Counsel's Breach Checklist
- Which laws apply to the breach?
  - What industry are you in?
  - Where is the affected data located?
  - Where do the affected individuals live?

Outside Counsel's Breach Checklist
- Identify which laws apply to the breach
  - How long do we have to investigate?
  - Must I notify the individuals?
  - What notice requirements apply?

Outside Counsel's Breach Checklist
- Identify which laws apply to the breach
  - How soon must we notify customers or regulators?
  - What is the form of notification? (paper, , SMS)

Outside Counsel's Breach Checklist
- How soon must I notify the data owner if I am a service provider/data processor?
- Are other parties obligated to pay for this?
- What should we reserve for the contingency?

Outside Counsel's Breach Checklist
- What are my ongoing obligations after a breach?
  - Providing for credit monitoring
  - Paying for financial losses
- Can I get sued for a breach?
  - Who can sue me?
  - What are damages?

Outside Counsel's Breach Checklist
- What regulators should we consider?
  - FTC, DOJ, FCC, HHS OCR, CFPB, OCC, NCUA
  - State attorney general
  - State regulators
  - Foreign governments

International Privacy Issues
- Possible Alternatives
  - Standard Contractual Clauses (Model Clauses)
  - Binding Corporate Rules
  - Derogations in law
    - Necessary for performance of contract
    - Unambiguous, informed, freely given, specific consent
- January 31, 2016 deadline by European privacy regulators to create Safe Harbor 2.0

General Data Protection Regulation
- Final text adopted but not formally ratified by EC (early 2016?)
- 72-hour data breach notification obligation
- Fines as high as 2% of annual turnover

Zappos MA AG Enforcement
- Zappos agreed to pay $106K
- Unauthorized access to:
  - Names, addresses, phone numbers
  - Last 4 digits of credit card numbers
  - Login credentials of customers

Zappos MA AG Enforcement
- Settlement requires:
  - Maintenance and compliance with information security policies
  - Providing the AG with information
  - Demonstrating compliance with PCI-DSS for two years
  - Third-party audit, providing a copy to MA AG, and addressing deficiencies
  - Annual training

Questions & Answers
Kelly Kay (408) 391-1432
Dino Tsibouris (614)