Transcript of: Privacy Law Update: Strategies for Handling Personal Information

Page 1

Privacy Law Update: Strategies for Handling Personal Information

Sponsored by Financial Directions, Inc.

February 21, 2012

Randy Whitmeyer

Whitmeyer Tuffin PLLC

www.whit-law.com

Page 2

The Backdrop: Mobile Technology and the Internet

• Organizations store more and more information in electronic form and are increasingly reliant on the Internet for accessing data and systems

• Many employees have smartphones that are constantly connected to the Internet

• Information sharing through Facebook, Twitter, and other social networks is ubiquitous

• Active and growing “hacker” industry

Page 3

The result: (1) expanding laws and regulations relating to the use and handling of private information, and (2) increased government enforcement activities and class actions by plaintiffs’ attorneys

Page 4

The challenge for businesses: handle personal information in a way that is compliant with rules and regulations, and limit your risk

Page 5

Specific Topics

• Legal obligations on use of personal information

• NC statutes relating to treatment of personal information

• Massachusetts Information Security law and other state laws

• Federal privacy/security update, including HIPAA and HITECH (treatment of medical records)

• Employers’ use of and access to employees’ communications/computer systems, and social network use

• Elements of effective information security/privacy policies and social media policies

• Other proactive steps to manage information privacy and security risks – contracting and insurance

Page 6

NC Identity Theft Protection Act of 2005

• Similar to the acts adopted in almost all states, beginning with California in 2003 (California law updated as of 1/1/2012 to require more specific disclosures relating to security breaches)

• Violations of the statute are generally considered an unfair or deceptive act or practice

Page 7

Sect. 75-65: Protection from Security Breaches

• Security breaches affecting personal information of NC residents must be reported to affected individuals

• Security breach must involve either “illegal use” (or a reasonable likelihood thereof) or a material risk of harm

• If records are encrypted, notice is required only if the associated key or confidential process is also breached

• If the breach does not involve data which you own or license (i.e., you are a contractor), then you notify the owner or licensee, not the affected individual

Page 8

Sect. 75-65: Protection from Security Breaches

• Notice must be made without unreasonable delay, taking into account law enforcement needs, verification of contact information and scope of breach, and need to restore security

• Notice must be clear and conspicuous, and provide a description of:

  • The incident

  • Type of personal information affected

  • Remedial actions of the business

  • Telephone number to get further information

  • Advice to monitor account statements and free credit reports

Page 9

Sect. 75-65: Protection from Security Breaches

• Notice may be given in writing or by e-mail (if the individual has consented)

• If the cost of notice is > $250,000, and in certain other situations, general notice may be given publicly

• If the case involves more than 1,000 persons, NC attorney general’s office must also be notified

Page 10

Section 75-62: SSN Protection

• A business may not:

  • Intentionally communicate a person’s Social Security number to the public

  • Intentionally place an SSN on a card required to access products or services

  • Require an SSN to be transmitted over the Internet, unless encrypted

Page 11

Section 75-62: SSN Protection

• A business may not:

  • Require an individual to use an SSN to access an Internet web site, unless a password or PIN is also required

  • Print an individual’s SSN on any materials mailed to the individual, unless otherwise required by law

  • Sell or disclose an SSN to a third party if it is known or should be known that the third party lacks a legitimate purpose

Page 12

Section 75-62: SSN Protection

• The Exceptions – restrictions do not apply to:

  • Redacted SSN

  • When required by law

  • To the government

  • To the opening of an account or payment for a product or services authorized by the individual

  • To the collection, use, or release of an SSN for internal verification or administrative purposes

Page 13

Section 75-62: SSN Protection

• The Exceptions, continued:

  • When an SSN is included in an application or in documents related to an enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the SSN for the purpose of obtaining a credit report (with limits on mailing)

  • To investigate or prevent fraud, conduct background checks, conduct certain research, collect a debt, obtain a credit report, for a permissible Gramm-Leach-Bliley purpose, or locate a missing individual, lost relative, or one due a benefit

Page 14

Section 75-63: Security Freeze

• The ITPA of 2005 adds a “consumer right” to put a security freeze on consumer credit reports

• The security freeze may be temporarily lifted by the consumer

• If a consumer security freeze is in place, the consumer reporting agency may not change the consumer’s name, date of birth, SSN, or address without sending a written confirmation within 30 days of the change

• Consumer reporting agencies are required to give NC residents specific notice of their rights under this provision

Page 15

Section 75-64: Destruction of Personal Information Records

• NC businesses MUST:

  • Implement and monitor compliance with policies and procedures that require the destruction of papers that include personal information

  • Implement and monitor compliance with policies and procedures that require the destruction or erasure of electronic media that contain personal information

  • Describe procedures relating to the destruction of personal records as official policy in the writings of the business

Page 16

Section 75-64: Destruction of Personal Information Records

• If a third-party records destruction company is used, one or more of these due diligence steps must be taken:

  • Review an independent audit

  • Obtain references from reliable sources and review certification from a reputable source

  • Review and evaluate the disposal business’ information security policies or procedures

• Disposal companies must take all reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with information security policies and procedures

• This section does not apply if the company is already covered by GLB, HIPAA, or the Fair Credit Reporting Act

Page 17

Other State Law Developments

• At least 10 states have data security laws that generally require companies to use “reasonable security” to protect personal information

• Connecticut and Delaware require employers to provide notice to employees before monitoring email communications or Internet access

• California and other states require prominent web site privacy policies

Page 18

Massachusetts Data Security Act

• Implemented in 2010, requires organizations that handle information about Mass. residents to have a comprehensive written information security program

• Requires certain personal information to be encrypted

• Starting March 1, 2012, all contracts with vendors who handle information re: Mass. residents must require the vendors to also implement and maintain appropriate security measures

Page 19

Federal Laws

• Generally “industry sector specific” – Gramm-Leach-Bliley (Financial); HIPAA (Healthcare); COPPA (Children’s information); FERPA (Education); Video Privacy Protection Act (video rentals)

• Electronic Communications Privacy Act of 1986 – predates the Internet and widespread e-mail usage in the workplace

  • Limits access to stored and “in transit” electronic communications

  • Exceptions for access to employer-provided systems and when access is consented to

• National Labor Relations Board has investigated numerous cases involving firings based on posts on social media networks

  • Concern is that the right to engage in “concerted” employee activity may be infringed

Page 20

Federal Trade Commission

• FTC has broad authority to monitor compliance with federal privacy laws, including breach of a published privacy policy. Authority is based on its mandate to regulate and prevent unfair and deceptive trade practices.

• In 2011, FTC entered into enforcement proceedings against the major social networks (Twitter, Google, and Facebook).

  • These proceedings have focused on the need for consent prior to changing a privacy policy

• Concerns have expanded from the use and sale of personal information to the use of IP addresses, device identifiers, and other information not normally considered personally identifiable.

Page 21

Federal Legislative Proposals

• Momentum is growing for a federal cybersecurity bill

• Latest bi-partisan bill was introduced last week. The bill:

  • Establishes liability protections for sharing of information relating to information security threats

  • Clarifies that info system owners may undertake countermeasures to combat cybersecurity threats

  • Allows government to establish cybersecurity performance standards for certain critical infrastructure (finance, utilities, etc.)

• Other federal proposals seek to establish a national data breach reporting standard

Page 22

HIPAA Privacy and Security Rule

• Privacy Rule generally effective April 2003; Security Rule generally effective April 2005. HIPAA rules are dense and lengthy.

• Enforcement of Privacy Rule generally friendly, but over 200 referrals to Department of Justice for criminal investigation. Audits for several hundred entities announced in late 2011.

• Covered Entities – directly affected:

  • Health care providers who engage in electronic Standard Transactions

  • Health Plans

  • Data Clearinghouses

• HITECH Act (2009) added direct obligations on service providers (“Business Associates”) who deal with protected health information

Page 23

HIPAA Privacy Rule

• Protected Health Information definition: all Individually Identifiable Health Information that is transmitted or maintained by a covered entity in any form, including paper and oral records and communications

• PHI can be disclosed only if:

  • Purpose is treatment, payment or business operations

  • With Authorization (needed for, e.g., disclosures to employers; fundraising; marketing)

    • Special authorization needed for psychotherapy notes

  • Other specified purposes

• Written authorization cannot be a condition for treatment or payment

Page 24

HIPAA Privacy Rule

• PHI can be disclosed if:

  • Emergency or public health need

  • Judicial and administrative proceedings

  • To law enforcement in certain circumstances

  • For research purposes, if written IRB or Privacy Board approval

  • Where required by law

Page 25

HIPAA Privacy Rule

• Minimum Amount Necessary rule: CEs must make reasonable efforts to limit the scope of disclosures or requests to only what is needed. Exceptions for these disclosures/requests:

  • To/by the Individual

  • To/by another provider for treatment

  • Under an Authorization

  • To DHHS for HIPAA compliance

  • To comply with Transaction Standards

  • Otherwise required by law

• De-identification Rule:

  • Long list of de-identification requirements

  • Also “no reason to believe” that the recipient can combine the information with other information to identify the individual

Page 26

HIPAA Privacy Rule

• Right to Receive Notice of Privacy Practices

• Right to Access PHI

• Right to Request Corrections in PHI

• Right to Receive Disclosure Information

• Right to Request Additional Restrictions

Page 27

HIPAA Privacy Rule

• Business Associate must have a written contract with the following provisions:

  • Must follow Privacy Regulations

  • Use appropriate safeguards to prevent unauthorized disclosure

  • Report any unauthorized disclosure

  • Make PHI available in accordance with patient access rights

  • Make books and records available to HHS

  • Incorporate PHI updates received from patients

  • Flow contract obligations down to subcontractors

Page 28

HIPAA Security Rule

• Security Rule requires covered entities to adopt (for some requirements) and consider adoption of (for other requirements) a laundry list of administrative, technical, and physical safeguards for protecting patient information.

• The rule generally adopts a technologically neutral and flexible approach.

• CEs are required to adopt various security policies.

Page 29

International Privacy Landscape

• Many countries have much broader protections for individual privacy

• EU Data Protection Directive provides comprehensive regulation for use of personal information. In January 2012, detailed revisions were proposed to make the law more uniform across the EU and to increase protections and possible penalties.

• US companies seeking to transfer personal information from the EU to the US must follow a safe harbor certification/filing approach or other rules to comply with EU regulations

• EU also has a Privacy and Electronic Communications Directive that regulates the use of cookies

• Note: under French and German data privacy laws, personal social networks cannot be searched for employment decisions

Page 30

What can organizations do now to manage privacy/security risk?

• Implement and maintain an Information Security program

• Perform a security audit

• Perform due diligence and add privacy/security contract provisions for key vendors and other business partners

• Consider cyber insurance

Page 31

Information Security Program

• Required by:

  • Records Disposal portion of North Carolina’s ITPA

  • HIPAA Security Rule

  • Massachusetts and other state laws

• Extremely helpful for:

  • Handling security breach and SSN portions of ITPA

  • Dealing with FTC-style enforcements

  • Assuring compliance with required privacy notices (e.g. California requirement)

  • Protecting intellectual property

  • Satisfying officer and director fiduciary obligations

  • Complying with contracts

  • Increasing value of company to buyers

  • Dealing with subpoenas and related requests for electronic information in discovery

Page 32

Process for Implementing an Info Security Program

• Not just an IT issue; needs input from management, legal, and risk advisors. Rapidly becoming a corporate governance issue.

• Laws and regulations focus more on the process rather than specific results

• Don’t just use a form policy from the Internet, but tailor it to the specific issues and risks faced by the organization

• Perform an initial security review and gap analysis

• Update on a regular basis, at least annually

Page 33

Information Security Program

• Written Policy

• Purpose of Policy

• Types/Levels of Confidential Information

• Training

• Sanctions

• Privacy/Security Officer

• Notification of no expectation of privacy in use of company assets

• Publicity; Dealing with News Media

• Incident Response Procedures

• Physical Security Measures

Page 34

Information Security Program

• IDs and Passwords

  • Password Guidelines – Strong vs. Weak Passwords

  • Mandatory Password Changes

• Access Controls and Network Resources

  • Firewalls

  • Authentication

  • Use of Networks

  • Wireless Network Usage

  • Remote Access Policy

• Use of Encryption

• Electronic Communications

• Destruction of Computing Resources and Information

• Virus Prevention and Detection

Page 35

Information Security Program

• Social Media Policy

• Software Use and Licensing Policy

• Mobile Computing Policy (laptops, PDAs, key disks, etc.)

• System Modification Procedures

• Record Retention Schedules

• Litigation and Subpoena Issues

• Disaster Recovery

Page 36

Summary of Key Security Measures

• Adopt Defense in Depth – keep externally facing computers in a “DMZ”

• Manage passwords aggressively

• Implement all operating system and security software patches

• Train against social engineering

• Audit controls, especially remote access points

Page 37

Types of Contracts to Consider for Privacy Issues

• Software and IT service vendors, including cloud computing

  • Software as a Service (Salesforce)

  • Infrastructure as a Service (Amazon EC2)

• Marketing and distribution partners

  • Side note: Who owns the data?

• Order fulfillment vendors

• Records disposal vendor contracts

• Any other contract where the other party will have rights to access, use or store your personally identifiable data

• Consider a standalone information security agreement

  • Rather than trying to figure out how to amend the other party’s form of service contract

Page 38

Security and Privacy Contract Terms

• Confidentiality

• Obligation to maintain reasonable and effective physical, technical and administrative security measures

• Compliance with all applicable data privacy and security laws

• Third-party security audits

• Right to review detailed security/disaster recovery policies

Page 39

Security and Privacy Contract Terms

• Right to audit and test security

• Notification in the case of breach

• Indemnification for breaches/payment of costs of required notices to customers

• Encryption

• Restrictions on use of subcontractors and downstream sharing of information

• Restrictions on where data can be stored

Page 40

Cyber Insurance

• Review existing insurance for coverage of data breaches and electronic privacy issues, and consider adding cyber insurance policies

• Sony, for example, is in litigation with Zurich American Insurance re: coverage for recent security breaches

• SEC has issued guidance requiring disclosure of material cyber attacks, including a description of relevant insurance coverage

• Look for (or add) coverage for lost business, notification costs, legal and investigation costs, and credit monitoring services

Page 41

Cloud Computing v. Traditional I.T. Structures

Page 42

[Graphic: cloud computing v. traditional I.T. structures – courtesy of Hosted Solutions]

Page 43

[Graphic: cloud computing v. traditional I.T. structures – courtesy of Hosted Solutions]

Page 44

Cloud Computing Services

• Software as a Service (SaaS)

• Platform as a Service (PaaS)

• Infrastructure as a Service (IaaS)

Page 45

Cloud Computing Contract Structures

• Typically service-based, not licensed

• OPEX, not CAPEX

• Often offered via “click and accept” agreements

• Sometimes incorporate by reference other terms of use and policies

• Sometimes purport to be changeable without notice by the vendor

Page 46

Cloud Computing and Security

Disadvantages

• Lack of Transparency

• Lack of Responsiveness

• “Trading Market” of Subcontractors

• Vendor Lock-In

• Lack of Security Details

Advantages

• Data Dispersal

• Data Fragmentation

• “Tier 1” Data Centers

• Multiple Customer Demands

• Easier Patching and Updates

Page 47

Key Takeaways

• Increased regulatory and legal scrutiny of personal information handling is unavoidable

• Companies (especially IT vendors and outsourcers) should review the laws applicable to their situation, and update security practices, policies and procedures as needed

• When dealing with cloud computing vendors and other business partners, perform appropriate due diligence and consider contract negotiations

• Review insurance policies and the possibility of additional insurance

Page 48

Randy Whitmeyer

Whitmeyer Tuffin PLLC

[email protected]

919-880-6880

Any questions?