© 2014 Fisher & Phillips LLP
▪ The Data Breach Epidemic in the News
▪ Why Is Data Privacy Important?
▪ Notice requirements and potential liability in the event of a data breach
▪ Best practices for safeguarding sensitive data / preventing data breach
▪ Drafting a policy to comprehensively address BYOD and use of company devices
Target’s Black Friday Theft
40 million customers victimized
$61 million in 4Q expenses
CIO resigned
38% increase in incidents of loss, theft and exposure of personally identifiable information over the past year
Source: IBM Analytics
55% of C-Suite Executives Surveyed Believe Malicious or Negligent Insider/Employees Are The Primary Cause of Data Breach
Source: IBM Analytics
Data breach notification is a significant compliance risk for most businesses.
A data security breach can disrupt business operations, damage brand reputation and customer relationships, and attract government investigations.
Not to mention class action lawsuits! Employee data can also be a trade secret, valuable in the hands of competitors.
Major data breaches by hackers
RSA Security (March 2011)
▪ Attackers compromised data relating to RSA's SecurID two-factor authentication tokens; RSA subsequently offered to replace roughly 40 million tokens
Even a small breach of employee data can affect a business
Departing employee takes personnel info and uses it to recruit top talent to work for competitor
Cannot “unring” the bell once certain private info is leaked (e.g., medical conditions)
46 states have enacted data privacy laws requiring businesses to safeguard certain types of employee and consumer information and to notify affected individuals in case of a data security breach.
Federal laws and regulatory schemes in the healthcare and financial industries also impose data privacy protections.
Contractual obligations.
▪ Current disgruntled employees
▪ Employees about to compete with you or go to work for competitors
▪ Competitors
▪ Vendors/suppliers
▪ Government agencies
▪ Criminal gangs / cartels
▪ Identity theft rings
▪ Medical fraud rings
Losses from intellectual property theft are up to $150 billion a year
The average employee embezzlement costs about $25,000 per incident
Average computer-assisted employee embezzlement runs $430,000 per incident
According to ASIS, more than 3 of every 4 thieves are employees or contractors
Another 6% or more are domestic competitors
Only 7% steal secrets on behalf of foreign companies or governments
▪ File Cabinets
▪ Rolodexes
▪ Personnel Files
▪ Computer Workstations
▪ Internet
▪ E-Mail
▪ High-Tech Surveillance Equipment
▪ Off-Site Login
▪ Cell Phones
▪ Fax Machines
▪ Garbage
Personally Identifiable Information (“PII”) is information which can be used to distinguish or trace an individual’s identity (such as their name, social security number, demographic records), alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (such as date and place of birth, mother’s maiden name, etc.).
Protected Health Information ("PHI") is health information that identifies, or for which there is a reasonable basis to believe it can be used to identify, the individual.
Health information includes any information relating to the physical or mental health or condition of an individual, the health care provided to an individual, or payment for health care provided to an individual. PHI does not include employment records held by the employer in its role as employer.
NOT TO MENTION TRADE SECRETS (e.g., customer lists / info; pricing and cost; financial data; R&D work; M&A plans; non-public product specs / prototypes)
INVESTIGATE AND SECURE YOUR DATA
When there is a suspected breach, you must investigate and lock down data. Lock-down steps should preserve evidence (logs, disk images, device contents) rather than overwrite it, since the same material will be needed to decide whether notice is required and may be needed in litigation. The company might be required to demonstrate reasonable efforts to secure its confidential information, judged by:
▪ How a reasonable third person would evaluate those efforts
▪ Their effectiveness
▪ Identify applicable state and federal laws
▪ Determine if a "breach" has occurred as defined by applicable laws
▪ Determine if notification is required under applicable laws
  - Who should be notified?
  - When to notify?
  - Contents of notice
▪ Follow-up risk mitigation steps
State laws vary in 6 areas:
1. Scope of Covered PII
2. Trigger for Notification Obligation
3. Recipients of Notice
4. Content of Notice
5. Timing of Notice
6. Enforcement
▪ HIPAA, as amended by the HITECH Act, and regulations adopted by the US Dept. of HHS
  - Covered entities are healthcare-related entities and their "business associates"
  - Contractual obligations to comply with HIPAA
▪ Gramm-Leach-Bliley Act ("GLBA") and banking industry regulations
▪ Federal Trade Commission
▪ Securities & Exchange Commission
Under HIPAA, a breach is the unauthorized acquisition, access, use or disclosure of PHI, in a manner not permitted by the Privacy Rule, that compromises the security or privacy of the PHI.
Since the 2013 HIPAA Omnibus Rule, such an impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised, based on a documented risk assessment of (1) the nature and extent of the PHI involved, (2) who received or used it, (3) whether it was actually acquired or viewed, and (4) the extent to which the risk has been mitigated. The earlier "significant risk of financial, reputational, or other harm" test no longer applies.
Breach triggers notice obligation: must notify affected individuals, the Dept. of Health & Human Services, and prominent media outlets (if more than 500 residents of a state or jurisdiction are affected).
But there is a Safe Harbor!
Under HIPAA, notice is NOT required for PHI that was "secured", i.e., encrypted or destroyed in accordance with HHS guidance so that it is unusable, unreadable or indecipherable to unauthorized persons, nor where the documented risk assessment shows a low probability that the PHI was compromised. Laws in some states likewise excuse notice where the company investigates and determines that the risk of harm has been mitigated, for example:
▪ Where data was returned or wiped
▪ Where the person who acquired the data is incapable of decrypting or "re-identifying" it
Encryption earns the safe harbor only if the key was not exposed along with the data; a laptop with the key cached beside the encrypted file is not "secured".
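As an added illustration of the encryption safe harbor above (example code written for this page, not material from the original presentation), the Go program below encrypts a constructed employee record with AES-256-GCM. The record, the file layout (nonce followed by ciphertext) and the function names are assumptions for the example. The point it demonstrates: the holder of the file alone gets nothing, because decryption with any key other than the real one, or of a modified file, fails authentication instead of yielding plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// A constructed sample employee record for the example; not real data.
const sampleRecord = `{"name":"J. Doe","ssn":"000-00-0000","condition":"asthma"}`

// newKey returns a fresh 256-bit key. In a real deployment the key lives in a
// key-management service or HSM, never in the same store as the ciphertext.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealRecord encrypts plaintext with AES-256-GCM under key. A random 12-byte
// nonce is prepended to the ciphertext so the key holder can decrypt later;
// the authentication tag GCM appends detects any tampering.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord. It returns an error if the key is wrong or
// the stored bytes were modified, so a stolen file yields nothing without the key.
func openRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, _ := newKey()
	sealed, _ := sealRecord(key, []byte(sampleRecord))
	fmt.Printf("stored on disk: %x...\n", sealed[:16])

	// The thief has the file but not the key.
	wrongKey, _ := newKey()
	if _, err := openRecord(wrongKey, sealed); err != nil {
		fmt.Println("without the key:", err)
	}
	// The authorized system holds the key.
	pt, _ := openRecord(key, sealed)
	fmt.Println("with the key:", string(pt))
}
```

The design choice worth noting for the notification analysis: an authenticated mode such as GCM lets the company show not only that the data was unreadable, but that it could not have been silently altered; both facts feed the risk assessment, and neither holds if the key was stored with the data.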
Content of notice:
Description of breach incident
Types of PHI involved
Steps individual should take to protect from harm
Steps taken to investigate breach, mitigate losses, and protect against further breaches
Contact procedures for affected individuals, including toll-free number
Implement security procedures tailored to your business needs:
▪ Personnel
▪ Documentation
▪ IT Infrastructure
▪ Communication
▪ Response / Investigation
Documentation:
▪ Workplace Policies
▪ Restrictive Covenants Agreements
▪ Job Descriptions
Documentation: Workplace Policies:
▪ Computer Systems Use
▪ Authorized Electronically Stored Information Usage
▪ VOIP Usage
▪ Confidentiality and Non-Disclosure
▪ Ethical Conduct Policy
▪ Return of Corporate Property
▪ Bring Your Own Devices?
Documentation: Restrictive Covenants Agreements:
▪ Confidentiality and Non-Disclosure
▪ Non-Solicitation of Customers, Clients and Patients
▪ Non-Recruitment of Personnel
▪ Non-Competition
Most states allow you to protect customer information; trade secrets; confidential business information; existing customer relationships.
Documentation: Leverage the obligation to protect. Where your business requires the protection of customer or third-party information, make sure documentation reflects that this is a business interest that must be protected.
Mark protected documents, computer programs, file cabinets and restricted areas using designation such as “Confidential – Property of (Your Company)”
Limit access to protected material based on “need to know”
Utilize physical controls – restrict areas by locking offices and file cabinets
Control third-party access – vendors, customers, independent contractors, plant and facility tours, etc.
Limit copying and removal of sensitive information
Shred confidential discarded documents, erase tapes thoroughly
▪ Set up firewalls
▪ Data encryption
▪ Regular back-ups
▪ Utilize network, not local hard drive, space, so that work product is backed up, access-controlled and logged centrally rather than sitting on an individual machine
▪ Require strong, unique passwords (long passphrases rather than short mixes of numbers and letters) and multi-factor authentication where the system supports it
▪ Change access codes and shared credentials promptly when personnel leave or change roles
▪ Record or log who had access to computers and subfiles and when, and keep those logs where the people being audited cannot alter them
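The "need to know" rule and the access log above are only useful together if someone actually compares them. As an added example (written for this page, not part of the original presentation), the Go program below reads a constructed file-access log, checks each event against an assumed need-to-know list, and answers the two questions an investigation asks first: who touched a protected file outside their authorization, and who touched a given file and when. The log format, account names, file paths and function names are all assumptions for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample audit log for the example, one event per line:
// timestamp, account, file, action. These are not real log lines.
const sampleLog = `2014-03-03T08:12:05Z hr.jones /hr/personnel/2014_reviews.xlsx READ
2014-03-03T08:40:11Z sales.smith /hr/personnel/2014_reviews.xlsx READ
2014-03-03T09:02:47Z hr.jones /hr/personnel/salaries.xlsx WRITE
2014-03-03T17:55:30Z sales.smith /hr/personnel/salaries.xlsx COPY
2014-03-04T07:01:09Z it.admin /hr/personnel/salaries.xlsx READ`

// needToKnow is an assumed access list: which accounts may touch each
// protected file. Any other account appearing in the log is a finding.
var needToKnow = map[string][]string{
	"/hr/personnel/2014_reviews.xlsx": {"hr.jones"},
	"/hr/personnel/salaries.xlsx":     {"hr.jones", "it.admin"},
}

// Event is one parsed log line.
type Event struct {
	When, User, File, Action string
}

// parseLog turns the raw log text into events, skipping blank or malformed lines.
func parseLog(raw string) []Event {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 4 {
			continue
		}
		events = append(events, Event{fields[0], fields[1], fields[2], fields[3]})
	}
	return events
}

// allowed reports whether user is on the need-to-know list for file.
// Files absent from the list are treated as unprotected.
func allowed(user, file string) bool {
	users, protected := needToKnow[file]
	if !protected {
		return true
	}
	for _, u := range users {
		if u == user {
			return true
		}
	}
	return false
}

// findViolations returns every event in which an account outside the
// need-to-know list accessed a protected file.
func findViolations(events []Event) []Event {
	var out []Event
	for _, e := range events {
		if !allowed(e.User, e.File) {
			out = append(out, e)
		}
	}
	return out
}

// accessHistory answers "who touched this file, and when" for one file.
func accessHistory(events []Event, file string) []Event {
	var out []Event
	for _, e := range events {
		if e.File == file {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	events := parseLog(sampleLog)
	for _, v := range findViolations(events) {
		fmt.Printf("VIOLATION %s %s %s %s\n", v.When, v.User, v.Action, v.File)
	}
	for _, e := range accessHistory(events, "/hr/personnel/salaries.xlsx") {
		fmt.Printf("HISTORY   %s %s %s\n", e.When, e.User, e.Action)
	}
}
```

On the sample data the review flags both of sales.smith's events; the after-hours COPY of the salary file is exactly the departing-employee pattern the earlier slides describe, and it is visible only because the log recorded the action, not just the login.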
Safe data destruction practices
▪ Some laws require that when data is destroyed it be destroyed in a particular manner
▪ Utilize and vet vendors properly
  - Due diligence (industry certification)
▪ Ensure forensically sound "wiping" of electronic devices (when there is no duty to preserve)
“Bring Your Own Device” is the practice of allowing employees to bring their own mobile devices to work for use with company systems, software, networks, or information.
BYOD can provide key benefits, such as increased productivity, reduced IT costs, and better mobility for employees.
BYOD, however, increases risk of data breaches and liability from such breaches.
BYOD also increases risk of spoliation of evidence and makes preservation more difficult to manage and enforce.
Employee-owned devices may be lost or stolen, putting company data and networks at risk.
In 2012, the US federal government issued a BYOD toolkit for federal agencies, which noted the risk that a device's operating system may be compromised by malware or device misuse.
IBM adopted a BYOD policy in 2010. In 2012, IBM banned employees from using certain apps, including Dropbox and Siri, because of a "tremendous lack of awareness" about security risk and the company's inability to control these apps.
In e-discovery, data has to be available if requested, and it is more complicated to preserve, locate and retrieve data when it is stored on employee-owned devices.
BYOD policy should make clear that, in the event of a legal or regulatory investigation, the password will be required and that any personal data that is on the device will be searched, along with anything that is relevant to the company.
A strong BYOD policy is the first step towards managing the increased risk of data breach.
BYOD policy should address:
the goals of the BYOD program
which employees can bring their own devices
which devices will be supported
access levels that employees are granted when using personal devices
Once a BYOD policy is adopted, maintaining BYOD security depends on how well employees are trained on BYOD best practices, implementation of effective device management and support, and enforcement of the BYOD policy.
▪ Use password-protected access controls
▪ Control wireless network and service connectivity
▪ Control application access and permissions
▪ Keep operating system, firmware, software, and applications up-to-date
▪ Back up device data
▪ Enroll in "Find my Device" and remote wipe services
▪ Never store personal financial data on a device
▪ Beware of free apps
▪ Run mobile antivirus software or scanning tools
▪ Use Mobile Device Management (MDM) software as recommended by IT
Usama Kahf, Esq. [email protected]
(949) 798-2118