Workplace Data Breach Challenges: Navigating Notification Requirements, Employee Monitoring and BYOD Programs
Source: media.straffordpub.com/products/workplace-data-breach-challenges-navigating... (Strafford live webinar, Jul 30, 2014)

Page 1

Workplace Data Breach Challenges: Navigating Notification Requirements, Employee Monitoring and BYOD Programs

Structuring Policies to Prevent and Respond to Leaks of Sensitive, Regulated or Proprietary Data

Presenting a live 90-minute webinar with interactive Q&A

WEDNESDAY, JULY 30, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today's faculty features:

V. John Ella, Shareholder, Jackson Lewis, Minneapolis
Brent E. Kidwell, Partner, Jenner & Block, Chicago
Joseph J. Lazzarotti, Shareholder, Jackson Lewis, Morristown, N.J.

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Page 2

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-258-2056 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Page 3

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of attendees at your location
• Click the SEND button beside the box

If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form).

You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner.

If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

Page 4

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

Page 5

WORKPLACE DATA BREACH CHALLENGES: NAVIGATING NOTIFICATION REQUIREMENTS, EMPLOYEE MONITORING, AND BYOD PROGRAMS

Page 6

Disclaimer

This presentation provides general information regarding its subject and explicitly may not be construed as providing any individualized advice concerning particular circumstances. Persons needing advice concerning particular circumstances must consult counsel concerning those circumstances.

Page 7

Workplace Data Breach Challenges

• Employee Monitoring, BYOD programs, and Navigating Notification Requirements.
  ― Employee Monitoring: V. John Ella
  ― BYOD Programs: Brent E. Kidwell
  ― Navigating Notification Requirements: Joseph J. Lazzarotti

Page 8

Protecting Data

• Trade secrets
• Personally identifiable information (PII)
• Protected health information (PHI)
• Financial information
• Business plans
• Customer and client data
• Employee data

Page 9

Steps to Control Access to Employee and Customer/Client Data

• Confidentiality/non-disclosure agreements
• Passwords, encryption, firewalls
• Policies and procedures
• Limited access
• Training
• Monitoring

Page 10

ALLOWABLE EMPLOYEE MONITORING

Page 11

Page 12

Employee Monitoring

• Reasons to monitor
  • Avoid harassment claims
  • Protect trade secrets
  • Detect and dissuade improper behavior
  • Ensure productivity
• Not a reason to monitor
  • Prurient curiosity

Page 13

Employee Monitoring

• Requirements to Monitor
  • FTC guidance regarding endorsements
  • FINRA requirements
  • Child pornography reporting requirements
  • Electronic discovery

Page 14

Employee Monitoring

• Types of Monitoring
  • Email
  • Internet use
  • Keystroke/keylogging
  • Cached files
  • Saved passwords on computers
  • Video
  • Audio
  • GPS
  • RFID
  • Social media
  • Physical searches

Page 15

THINGS TO CONSIDER

“A growing number of companies are under pressure to protect sensitive data — and not just from hackers lurking outside the digital walls. They're also looking to protect it from insiders — employees who may want to swipe information such as customer bank account numbers or electronic medical records.”

Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, all tech considered, July 23, 2014

Page 16

New Monitoring Software

“The content could be personal notes about one's family. Or it could be company secrets. If the employee copies it to a USB stick, the software sets off a red alert, grabs that same file and displays its contents in real-time.”

Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, all tech considered, July 23, 2014

Page 17

New Monitoring Software

“Managers can't predict when an alleged violation might happen. SureView lets them rewind to the minutes or hour before the red alert, and watch like a slow-motion film. Crouse says the software records four frames per second and it's very compressed video, but it's very readable by an investigator.”

Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, all tech considered, July 23, 2014

Page 18

New Monitoring Software

“Companies currently use software to block an employee from copying or emailing an unauthorized document. But according to a study by the research group Gartner, only 5 percent of that software traces every move, looking for bad actors. By 2018, the study projects, it'll be 80 percent.”

Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, all tech considered, July 23, 2014

Page 19

Bad Consequences?

“Shannon heads an institute at Carnegie Mellon that specializes in insider threat technologies. He says failures in these technologies can create a really toxic workplace. Say I'm poking around a bunch of files, doing research above and beyond the call of duty. In the old days, no one would know, or I'd be called proactive.”

Software That Sees Employees, Not Outsiders, As The Real Threat, Shahani, NPR, all tech considered, July 23, 2014

Page 20

Restrictions on Monitoring

• Electronic Communications Privacy Act (ECPA)
• Stored Communications Act (SCA)
• Common law intrusion upon seclusion
• State wiretap acts
• Notice requirements in CT, DE
• Restrictions on requesting employees' social media passwords in 13+ states

Page 21

Overview of Privacy Law

• Not explicitly in U.S. Constitution (except searches by the government)
• Almost all states have a common law tort for “invasion of privacy”
• Several states (e.g., California and Montana) have an explicit state constitutional right to privacy

Page 22

Overview of Privacy Law

• Federal statutes are often industry-specific (financial, medical, etc.)
• State legislatures are very busy passing new privacy statutes
• International law differs
• Technology is challenging all of these established legal structures

Page 23

Common Law Privacy

The Restatement, Second, of Torts, Section 652A sets forth four types of common law invasion of privacy:

• Unreasonable intrusion upon the seclusion of another;
• Appropriation of the other's name or likeness;
• Publication of private facts; and
• Publicity that unreasonably places the other in a false light before the public.

Page 24

Electronic Monitoring

• Monitoring work email = usually o.k.
• Using work computer to obtain employee's password to personal, cloud-based email account = usually not o.k.

Page 25

Employee Monitoring Cases

• Rene v. G.F. Fishers, Inc., 817 F. Supp. 2d 1090 (S.D. Ind. 2011)
• Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010)
• Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 759 F. Supp. 2d 417 (S.D.N.Y.)

Page 26

Monitoring – Preventive Steps

• Develop a specific, written policy:
  • Establish that information systems are the property of the employer
  • Reserve the right to monitor
  • Prohibit inappropriate use
  • Include penalties for policy violations

Page 27

Monitoring – Preventive Steps

• Train/educate employees and others
• Keep the monitoring work-related
• Permit reasonable personal use
• Consider additional steps – desktop statement, posting in common area, written consent/acknowledgement

Page 28

Employee Monitoring Issues

Courts will be more inclined to rule in favor of the employer if:

• Employer owns the “system” (computer, e-mail, etc.)
• Employee voluntarily uses an employer's network
• Employee has consented to be monitored (usually based in written personnel policy)

Page 29

Vendor Agreements

• More than trade secrets and confidential business information
• Similar to business associate agreement under HIPAA
• Protects company in case of data breach

Page 30

Workplace Information Risk (diagram: functional areas and the issues each owns)

Legal / Compliance
- HIPAA
- FCRA
- GLBA
- State law
- Litigation
- International

H.R.
- Information about employees
  * Hiring
  * Testing
  * Monitoring
  * Record retention
- Ensuring compliance by employees

Workplace Information Risk
- Smart phones
- Social media
- Email
- Monitoring
- BYOD

(Group whose label was not recovered from the slide)
- E-commerce
- Vendors
- Customers
- COPPA
- Data breach
- Confidentiality
- Trade secrets
- Policies
- Agreements

I.T.
- Passwords
- Data security
- Firewalls
- Technology

Page 31

Policies

Electronic communications
Nondisclosure/confidentiality
Privacy/Monitoring (notice)
Sexual harassment
Social media
Bring your own device
Drug testing
Written information security policy
Data destruction
Business associate agreements
Vendor agreements

Page 32

BYOD PROGRAMS

Page 33

Personal Business

“The practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes.”

Page 34

80% of employees use personal devices for business

But only 53% of organizations officially support BYOD

Page 35

Page 36

Scope of BYOD Expanding

Smartphones
Tablets
Laptops

Page 37

Why BYOD – Perceived Benefits

Individuals
• Choice of devices - flexibility
• Single device for business and personal use
• Modern and “hip” to select own device (particularly important to millennial workforce)
• Enables “cutting-edge” technology

Business
• Reduced hardware and support costs
• Increase employee satisfaction
• Increased productivity
• Increased innovation
• Shifting management and responsibility to employees

Page 38

Key Legal/Risk Management Issues

• Data Loss, Security and Incident Response
• Legal/E-discovery
• Internal Investigations

Page 39

Data Security/Incident Response

• Securing devices (encryption, passwords, etc.)
• Mobile Device Management solutions (MDM)
• Procedures for addressing lost or stolen devices
• Procedures for responding to data loss or breach
• Defining scope of data to be stored on devices, e.g.:
  • Allowed to store PHI on device?
  • Allowed to store PCI data on device?
• Sandboxing data
• Virtualization
  • E.g., Good Technology MDM

Page 40

iOS 8 (image slide)

Page 41

Internal Investigations

• Business access to data, even if “personal”
• Where to draw the line
  • E.g., personal vs. business phone calls and voicemail
• Monitor user activity on devices
  • Location or travel monitoring
  • Web browsing activities
  • Text messages (which don't pass through corporate network)
• Define “personal” vs. “business” use
• Define permissible use by policy

Page 42

City of Ontario, California v. Quon

• Police officer using department-supplied pager allegedly sends inappropriate messages to other officer
• Department reviews messages on pager
• City had a general "Computer Usage, Internet and E-mail Policy" that stated that "[t]he City of Ontario reserves the right to monitor and log all network activity including e-mail and Internet use, with or without notice," and that "[u]sers should have no expectation of privacy or confidentiality when using these resources."
• Supreme Court held that City's search of pager was permissible and assumed, but did not decide, that the employee had a right of privacy in personal messages
• Fourth Amendment search and seizure case but still interesting regarding privacy issues
• United States Supreme Court, 560 U.S. 746 (2010)

Page 43

Legal/E-discovery

• Data preservation process (a/k/a legal hold)
• Data collection
• Segregation of personal vs. business data
• Preservation of data – new device or termination
• Requires ACCESS and CONTROL of devices (policy is key)
• Requires procedures and tools to preserve, collect and access data

Page 44

Source: http://www.mobileiron.com/en/infographic/trustgap

Page 45

Risk Management Strategies

Ignore the risk
Limit BYOD by data type, device, employee, etc. to contain risk
Implement technology security controls (e.g., MDM)
Prohibit BYOD

Page 46

Possible Elements of a BYOD Policy

Define who may participate
Delineate economic issues (reimbursement, etc.)
Specify device options and minimum requirements
Allocate responsibility for loss or theft
Allocate rights and data permissions
Specify location where data is stored (e.g., local, cloud, etc.)
Define acceptable use
List permissible applications
Allocate responsibility for support
Specify company ability to monitor activities – expectation of privacy
Handling data preservation
Handling employee terminations – remote wiping

Page 47

Other Potentially Relevant Enterprise Policies

• Acceptable Use Policies
• Employee Conduct
• Remote Access/Remote Working
• Privacy Policy
• Special Data Policies (HIPAA, etc.)
• General Security Policies
• Incident Response

Page 48

Key BYOD Risk Management Tips

• Develop and implement a BYOD policy
• Enforce and audit compliance with your BYOD policy
• Know WHAT data resides on BYOD devices
• Know WHERE data resides on BYOD devices (or related locations)
• Implement technology to assist in device (and people!) management

Page 49

Key Drivers of Breach Notification Laws Continue

• Huge Breaches – Target, eBay, Dept. of Energy, the ones not reported
• Identity Theft Tops 2013 FTC Consumer Complaint List
  • 14th year in a row
  • Consumers lost $1.6 billion to fraud in 2013
  • Most complaints: age 20-29
  • Most familiar with technology and most at risk
• Technology Outpacing Law

Page 50

NAVIGATING NOTIFICATION REQUIREMENTS

Page 51

What Data Privacy and Security Laws Affect Your Company

• There is currently no broadly applicable federal law in the U.S. - we follow a piecemeal approach:
  • HIPAA, GLBA, FCRA, ECPA, SCA, CFAA, ADA/GINA/FMLA, FISMA, COPPA, FERPA…
• States generally have one or more of the following:
  • Affirmative obligations to safeguard (e.g., CA, CT, IL (biometric information), MA, MI, TX, others)
  • Data breach notification (47 states, plus the District of Columbia and several U.S. territories)
  • Various Social Security number protections
  • Data destruction requirements

Page 52

What Is a Data Breach?

• Unauthorized use of, or access to, records or data containing personal information
  ― Personal Information (PI) typically includes first name (or first initial) and last name in combination with:
    ― Social Security Number
    ― Driver's license or state identification number
    ― Account number or credit or debit card number in combination with access or security code
    ― Biometric information (e.g. NC, NE, IA, WI)
    ― Medical information (e.g. HIPAA, AR, CA, DE, MO, TX, VA)
  ― Username or e-mail address with a password/security question and answer that permits access to an online account (CA and FL)
  ― Broader view taken by FTC – email address, phone numbers, etc.
  ― PI typically maintained about? Employees…Customers…Vendors
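The slide's definition turns on combinations of elements, not on any single value: an SSN sitting alone in an invoice field is not statutory "personal information", the same SSN beside a name is. That is exactly the rule a scanner has to reproduce when scoping what was on a lost laptop or a BYOD phone. The Python below is an added illustration written for this page, not code from the slides or their authors. It detects the elements listed above in a handful of constructed records and applies the name-plus-identifier rule (plus the CA/FL e-mail-plus-password rule). The regular expressions, the sample lines and the simplified rule are this example's own assumptions; driver's-license formats (which vary by state) and medical information are left out, and deciding whether a given state's statute is triggered remains counsel's job.

```python
"""Flag records containing the elements state breach-notification statutes
typically define as "personal information" (PI).

Added example for this page, not from the Strafford slides or their authors.
The patterns, sample records and combination rule are simplifications chosen
here; real scoping needs each state's statutory text.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed sample: lines such as might sit in a spreadsheet on a lost laptop.
SAMPLE_RECORDS = [
    "Jane Q. Public, SSN 123-45-6789, hired 2011",                                    # name + SSN
    "ticket 4421: cardholder paid with 4111 1111 1111 1111 exp 12/19 CVV 123",        # card + code, no name
    "invoice ref 555-12-9876 due 2014-08-01, paid by check",                          # SSN-shaped, no name
    "user jdoe@example.com password: Summer2014!",                                    # online credential
    "quarterly sales meeting moved to room 204; placeholder 000-12-3456 in fixture",  # invalid SSN area
    "Bob Smith card 5555 5555 5555 4444 exp 03/17",                                   # name + card + code
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits with optional spaces or dashes; Luhn-checked below to cut false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Heuristic "First [M.] Last"; it will also match "Acme Corp", so treat as a hint, not proof.
NAME_RE = re.compile(r"\b[A-Z][a-z]+(?: [A-Z]\.)? [A-Z][a-z]+\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+")
# Tokens indicating a security/access code accompanies a card number.
CARD_CODE_RE = re.compile(r"(?i)\b(?:cvv2?|cvc|cid|security code|pin|exp(?:iry|iration|ires)?)\b")

# Identifiers that, combined with a name, make a record PI under the slide's definition.
IDENTIFIERS = {"ssn", "card_with_code"}


@dataclass(frozen=True)
class Finding:
    record: str
    elements: FrozenSet[str]
    is_pi: bool


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues: area 000/666/9xx, zero group or serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def extract_elements(record: str) -> FrozenSet[str]:
    """Return the set of PI elements detected in one record."""
    found = set()
    if NAME_RE.search(record):
        found.add("name")
    if any(ssn_plausible(*m.groups()) for m in SSN_RE.finditer(record)):
        found.add("ssn")
    for m in CARD_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.add("card_number")
            if CARD_CODE_RE.search(record):
                found.add("card_with_code")
    if EMAIL_RE.search(record):
        found.add("email")
    if PASSWORD_RE.search(record):
        found.add("password")
    return frozenset(found)


def is_personal_information(elements: FrozenSet[str]) -> bool:
    """Apply the combination rule: name + identifier, or online account + password."""
    if "name" in elements and elements & IDENTIFIERS:
        return True
    return {"email", "password"} <= set(elements)


def classify(record: str) -> Finding:
    elements = extract_elements(record)
    return Finding(record, elements, is_personal_information(elements))


def scan(records: List[str]) -> List[Finding]:
    return [classify(r) for r in records]


def summarize(findings: List[Finding]) -> dict:
    """Counts a response team can put in its preliminary assessment."""
    return {
        "records": len(findings),
        "pi_records": sum(f.is_pi for f in findings),
        "elements_seen": sorted(set().union(*(f.elements for f in findings))),
    }


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{'PI ' if f.is_pi else '-- '} {sorted(f.elements)}  <- {f.record}")
    print(summarize(scan(SAMPLE_RECORDS)))
```

Run against the sample, three of the six records meet the combination rule: the name-plus-SSN line, the credential line and the name-plus-card line. The card number with its CVV but no name, and the structurally valid SSN on the invoice line, are flagged as elements but not as PI, which is the distinction the notification analysis on the following slides depends on; the 000-area number is dropped as not an SSN at all. A real scan would run this over exported files, mail stores and device backups rather than an in-memory list, and would keep per-record findings for the "document, document, document" step.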

Page 53

Handling Data Breaches

• How does a “Data Breach” occur?
  • The lost laptop/bag
  • Inadvertent access
  • Data inadvertently put in the “garbage”
  • Theft/intentional acts, hacking, phishing attacks, other intrusions
  • Inadvertent email attachment(s)
  • Stressed software applications
  • Rogue employees
  • Remote access
  • Wireless networks
  • Peer to peer networks
  • Vendors

Page 54

Handling Data Breaches

• 3 Critical Phases
  • Discovery
  • Notification and response process (if needed)
  • Review and evaluate to avoid future incidents

Page 55

Handling Data Breaches

• Discovery: stop the bleeding…first steps
  • Dust off your breach response plan – hopefully you have one
  • Immediately alert data breach response team, counsel, and insurance carrier, if applicable
  • Take steps to secure information systems, including any and all files containing customer, employee and other individuals' personal information that may be at risk
  • Coordinate with law enforcement, as needed
  • Identify key person to monitor and drive team progress
  • Involve top management, public relations
  • Make preliminary assessments and consider preliminary actions, notices
  • Consider implementing litigation hold

Page 56

Handling Data Breaches

• Discovery: did a breach occur?
  • Review applicable federal, state and local laws
  • FTC/HIPAA/SEC considerations
  • Risk of harm trigger…e.g., in Michigan – no notification if “the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state”
  • Police investigation/consultation
  • Consider whether immediate federal and/or state notification required/recommended
  • Conservative vs. aggressive approach
    • Breach involves “risk of harm” states and “non-risk of harm” states
    • Notify individuals, but not state agencies

Page 57

Handling Data Breaches

• Notification and response
  • Who must be notified?
    • Individuals, children
    • Government agency notifications (State Police, AG, HHS, etc.)
    • Owners
    • Credit reporting agencies
    • State-wide media
  • What should notice say/who approves?
    • Some states require information such as – (i) description of breach in general terms, (ii) types of personal information involved, (iii) what is being done to protect data from further security breaches, (iv) telephone number for notice recipient to obtain assistance, information, and (v) reminder of the need to remain vigilant for incidents of fraud and identity theft.

Page 58

Handling Data Breaches

• Notification and response
  • When to deliver
    • Without unreasonable delay
    • Some states permit delay (i) for a law enforcement investigation, and (ii) as necessary to determine the scope of the security breach and restore the reasonable integrity of the database.
  • How to deliver
    • Writing
    • Electronic
    • Telephone
  • Credit monitoring services
    • Optional, consider when appropriate
    • Describe in initial letter

Page 59

Handling Data Breaches

• Notification and response
  • Call center/script
    • Internal/external
    • Escalation process
  • Returned mail
    • Substitute notice provisions
  • Coordinate with vendors
    • Review service agreements carefully
    • Services agreement should include data security provisions
  • Responding to inquiries
    • Affected individuals
    • Governmental agencies
    • Media
  • Document, document, document

Page 60

Handling Data Breaches

• Review and assess
  • Why did the breach occur?
  • Amend and implement updated policies and procedures as appropriate, such as training
  • Document post-breach considerations and remedial steps taken, if any.
  • Document why breach not reported (see, e.g., FL, HIPAA)

Page 61

Other Key Features

• Private Cause of Action
  ― Some states permit – AK, CA, LA, MD, MN, NH, NC, SC, TN, VA, WA
• Some states publish notices
  ― Maryland - http://www.oag.state.md.us/idtheft/breacheNotices.htm
  ― New Hampshire - http://www.doj.nh.gov/consumer/security-breaches/index.htm
• Risk of Harm Trigger
  ― Examples: AK, AZ, AR, CO, CT, DE, FL, HI, ID, IN, IA, KS, KY, LA, MD, MI, MS, MO, MT, NH, NJ, NC, OH, OK, OR, PA, PR, RI, SC, UT, VA, WV, WI.

Page 62

Take-aways!

• Take reasonable steps to prevent breaches – develop and implement a written information security program
• Have a data breach response plan
• Educate employees about the plan, practice the plan, follow the plan
• Be transparent, credible, responsive

Page 63

• V. John Ella, Jackson Lewis, [email protected]
• Brent E. Kidwell, Jenner & Block, [email protected]
• Joseph J. Lazzarotti, Jackson Lewis, [email protected]