Information Privacy, Security and Ethical Considerations MASLA Summer Conference July 2019 Douglas Gerhardt Partner


Page 1

Information Privacy, Security and Ethical Considerations

MASLA Summer Conference July 2019

Douglas Gerhardt

Partner

Page 2

© Harris Beach PLLC, 2019

Information Privacy, Use & Security: Solving the Compliance Puzzle

Page 3

Learning Objectives

Data Privacy Laws

Compliance Obligations

Security Safeguards

Case Study – Wire Transfer Fraud/Phishing

Page 4

The Carrot & The Stick

THE STICK

• Financial Risk – Penalties

• Reputational Harm

• Loss of Clients

THE CARROT

• Build Company Reputation

• More Secure Company

• Reduce Risk

• Attract New Clients

• Competitive Edge

Page 5

Information Classification

NOT ALL INFORMATION IS CREATED EQUAL

Confidential: Information relating to the representation of a client and proprietary Firm information.

Highly Sensitive: Information protected by laws, regulations, or contractual obligations:

• Biometric Record

• Drivers’ License Number

• Education Record

• Financial Account Information

• Healthcare Delivery

• Healthcare Payment

• Medical Record

• Social Security Number

• Student Identification Number

Page 6

The Legal Landscape

• FTC Act

• GLBA

• FERPA

• HIPAA

• GBL 899-AA

• 23 NYCRR 500

• Education Law

• GDPR (EU)

• PIPEDA (Canada)

• APPI (Japan)

• PCI-DSS

• ISO/IEC 27000

• NIST

• Contractual

• Professional Conduct – Rule 1.6(c)

Page 7

Federal Trade Commission Act (15 U.S.C. §§41-58)

What Is It? Federal consumer protection law that prohibits unfair or deceptive business practices

Who Must Comply? Persons, partnerships, or corporations in or affecting U.S. commerce

Information Protected? SSN, Credit Card or Financial, Other Sensitive Data (credit reports/employee background screens)

Breach Notification Required? None

Page 8

Gramm-Leach-Bliley Act (15 U.S.C. §§6801-6827)

What Is It? Federal law regulating the collection, use and disclosure of financial information

Who Must Comply? Financial Institutions that provide financial services and products (banks, securities firms, insurance companies)

Information Protected? PII provided, resulting from a transaction or otherwise obtained (§6809(4))

Breach Notification Required? Affected Customers and Law Enforcement/Credit Bureaus if applicable

Page 9

New York State General Business Law (§899-AA)

What Is It? State law requiring notification of unauthorized acquisition of private information

Who Must Comply? Businesses operating in New York state

Information Protected? SSN, Drivers’ License Number, Financial Account information

Breach Notification Required? Affected Persons, State Attorney General, Department of State, Division of State Police

Page 10

NYS DFS Cybersecurity (23 NYCRR 500)

What Is It? State law designed to promote the protection of customer information

Who Must Comply? Person operating under or required to operate under the Banking, Insurance or Financial Services law

Information Protected? SSN, Drivers’ License Number, Financial Account information, Security Code, Biometric, Health Information

Breach Notification Required? Superintendent of DFS

Page 11

General Data Protection Regulation (GDPR)

What Is It? International law regulating the processing of personal data of individuals in the EU

Who Must Comply? Organizations that process personal data of individuals in the EU (regardless of where the information is processed or whether or not the organization is established in the EU)

Information Protected? Identification Numbers, Financial Information, Healthcare/Physical Characteristics, Religion, Sexual Orientation, Criminal Offense (see protected information for full list)

Breach Notification Required? Data Subject, Supervisory Authority, Controller (processor role)

Page 12

Industry Standards

Payment Card Industry Data Security Standard (PCI-DSS)

ISO/IEC 27000 Family

National Institute of Standards and Technology (NIST)

Contractual Obligations (sometimes laws/regulations a client must comply with)

Page 13

New York Rule of Professional Conduct 1.6(c)

What Is It? An ethical requirement that requires attorneys to make “reasonable efforts” to prevent unauthorized use or disclosure of client confidential information

Who Must Comply? All attorneys who practice law in New York State

Information Protected? Any confidential information relating to an attorney’s representation of a client

Breach Notification? Attorneys have an ethical duty to communicate any circumstance that materially impacts the representation of a current client

Page 14

Protected Information – The Bottom Line

Protected Information: Biometric Record

Drivers’ License Number

Education Record

Financial Account Information

Healthcare Delivery Information

Healthcare Payment Information

Medical Record

Social Security Number

Student Identification Number

Protected Information (GDPR):

Contact Information

Identification Numbers

Dates

Biometric/Genetics

Education/Training

Religion

Philosophical Beliefs

Criminal/Legal Status

Data about Sex Life

Name/Role

Personal Characteristics

Financial Information

Healthcare/Physical Characteristics

Physical/Electronic Tracking

Customer Relationship Manager

Politics

Trade Union Membership

Sexual Orientation

Survey Responses

Page 15

Protected Information – Handling Guidelines

• Always secure paper documents containing protected information, including during disposal.

• Never leave protected information on voicemail.

• Always use a secure method when transmitting protected information ([SEND SECURE], ShareFile).

• Always secure documents containing protected information in NetDocs to those individuals that require access.

• Never save protected information on removable media unless absolutely necessary and only if it is encrypted.

Page 16

Future Trends

PERSONAL INFORMATION IS THE CURRENCY OF THE 21st CENTURY

LAWS WITHOUT BORDERS

TRANSFER OF POWER

STATES TAKE ACTION

Page 17

Laws Without Borders

NYS SHIELD ACT APPLIES TO ANY PERSON OR BUSINESS –

Section 2: which [conducts business in New York state, and which] owns or licenses computerized data which includes the private information of any resident of New York state.

Section 3: which maintains computerized data (of any resident of New York state) which includes private information which such person or business does not own.

NEW APPROACH – FOCUSED ON THE JURISDICTION OF THE DATA SUBJECT INSTEAD OF THE ORGANIZATION

Page 18

Transfer of Power

RIGHTS OF THE DATA SUBJECT (GDPR, CA Privacy Act)

• RIGHT TO BE INFORMED

• RIGHT OF ACCESS

• RIGHT TO RECTIFICATION

• RIGHT TO ERASURE

• RIGHT TO RESTRICTION OF PROCESSING

• RIGHT TO DATA PORTABILITY

• RIGHT TO OBJECT

• RIGHTS REGARDING AUTOMATED DECISION MAKING

Page 19

States Take Action

As of March 2018, all 50 states have enacted some form of data privacy laws…

Consumer Privacy Act of 2018: Effective 1/1/2020

SHIELD Act: Introduced 11/2017

Page 20

States Take Action

NYS SHIELD ACT

• Private Information Extended

• Breach Notification Standard

• Jurisdiction Extended

• Increased Fines

• Data Security Protections

Page 21

Security Safeguards

INFORMATION

TECHNICAL

PHYSICAL

ADMINISTRATIVE

Page 22

Security Safeguards – ADMINISTRATIVE

Focus on policies and procedures and the administrative actions that support them.

Page 23

Security Safeguards – PHYSICAL

Focus on physical measures, policies, and procedures that protect information, systems, equipment, and facilities from natural disasters, environmental hazards, and unauthorized intrusion.

Page 24

Security Safeguards – TECHNICAL

Designed to protect electronic information from unauthorized access and to control access to it.

Page 25

WORKSPACE VIOLATION

Sixty Second Timer: The clock has started.

Can you identify the seven workplace security violations in less than a minute?

Page 26

WORKSPACE VIOLATION

Page 27

WORKSPACE VIOLATION

WINDOWS KEY + L

Page 28

WORKSPACE VIOLATION

Page 29

WORKSPACE VIOLATION

Page 30

WORKSPACE VIOLATION

Page 31

WORKSPACE VIOLATION

Page 32

WORKSPACE VIOLATION

Page 33

External Information Transfer

[Send Secure]

Page 34

A Case Study – O’Neill, Bragg & Staffin v Bank of America

WIRE TRANSFER FRAUD

Page 35

The Scam

Gary Bragg · Alvin Staffin

OH NO! OH NO! OH NO! It was too late!

Page 36

Level of Sophistication

Emails sent from a known account

Content implies knowledge of the matter

The account numbers were correct

Attack timed to coincide with travel and plausible request

Attention to detail – Hi Mel

Page 37

Fraud Prevention

Always verify wire transfer instructions by calling a known phone number of an individual on the other side of the transaction

Do not initiate a wire transfer based solely on instructions received via email

Always follow the Harris Beach Wire Transfer Policy and Procedure

AVOID FRAUD

Page 38

Court Ruling

Federal judge dismissed the lawsuit

The firm failed to show that the Bank of America breached any agreement, violated federal regulations or breached the Pennsylvania Commercial Code

O’Neill, Bragg & Staffin lost more than a half million dollars

Page 39

Court Ruling

“What is alleged to have happened to the law firm here is indeed unfortunate. The computer hacker, of course, is the real culprit but is not a party to this lawsuit…. [A]s between the law firm and the bank, the law firm must bear the loss.”

Page 40

Thank you!

Douglas Gerhardt

(518) 701-2738
