Transcript of Privacy Law

Page 1: Privacy Law

1 Financial Advisor Webinar Series 2009

Privacy Law & Financial Advisors

Brendon M. Tavelli, Associate, Privacy & Data Security Practice Group

November 20, 2009

Page 2: Privacy Law

Agenda

• The inter-relationship between privacy and data security → can’t have privacy without security

• Brief overview of the potentially applicable legal regimes at the federal and state level

• Exposure points for financial advisors

• Recommendations to minimize privacy risks

Page 3: Privacy Law

Privacy Law v. Data Security Law

• Privacy is the appropriate use of personal information or PII

• Privacy is impossible without security

• All the privacy promises in the world are worthless if appropriate data security measures are not in place

• Shift in legal focus from privacy disclosures (e.g., privacy policies and breach notification) to affirmative security obligations

Page 4: Privacy Law

Domestic Privacy Law Is Sectoral

• No omnibus, across-the-board privacy law in the United States
   – Compare: the EU and Canada take a holistic approach to protecting the privacy of personal information

• Privacy law in the United States is a patchwork of federal, state, and other laws, regulations and standards of conduct

• Financial services industry is no stranger to privacy regulation

Page 5: Privacy Law

Major Financial Privacy Laws

• Fair Credit Reporting Act (FCRA)

• Fair and Accurate Credit Transactions Act (FACTA)

• Gramm-Leach-Bliley Act (GLBA)
   – Privacy Rule imposes information-sharing restrictions and notice obligations on financial institutions
   – Safeguards Rule requires institutions to have a security plan to protect the confidentiality and integrity of personal consumer information

Page 6: Privacy Law

Federal Data Security Enforcement

• FTC is authorized to regulate unfair or deceptive acts or practices in or affecting commerce

• FTC exercises this power with respect to data security in 2 ways:
   – Unfair → inadequate data privacy and security
   – Deceptive → misrepresentations with respect to these practices

• FTC cannot impose civil penalties for a violation of the FTC Act itself (penalties attach only to violations of an existing consent order or of a specific rule), but can (and does) impose rigorous data security requirements

Page 7: Privacy Law

Exemplary Federal Enforcement Actions

• BJ’s Wholesale Club, Inc.
   – hackers exploited network security weakness to steal credit card data
   – BJ’s must implement a comprehensive information security program with administrative, technical, and physical safeguards
   – Must obtain independent program audit every other year for 20 years

• Eli Lilly
   – e-mail addresses of Prozac users inadvertently sent in “To” line
   – settled FTC investigation by agreeing to implement 4-stage program designed to protect sensitive personal information
   – paid fine to state AGs and agreed to improve data security standards

Page 8: Privacy Law

Exemplary Federal Enforcement Actions (cont’d)

• CVS Caremark Corp.
   – sensitive information found in insecure trash containers outside stores
   – FTC and HHS each entered into separate agreements to resolve issues related to violations of FTC Act and HIPAA
   – must implement detailed data security program + standard audits
   – $2.25M penalty paid to HHS

• ChoicePoint
   – personal information sold to alleged crime ring w/o proper authorization
   – FTC alleged violations of Fair Credit Reporting Act
   – must implement detailed data security program + standard audits
   – Paid $10M civil penalty to FTC + $5M consumer redress

Page 9: Privacy Law

Other Potentially Applicable Legal Regimes

• California Online Privacy Protection Act

• State security breach notification obligations

• State data security regulations
   – Massachusetts
   – Nevada
   – Other

• Federal and state e-mail & telephone marketing regulations

Page 10: Privacy Law

California Online Privacy Protection Act

• Cal. Bus. & Prof. Code § 22575

• Any person that collects “personally identifiable information” from California residents online must post an online privacy policy
   – NOT dependent upon the location of the person collecting PII

• Policy must disclose what types of PII are collected online and how PII may be disclosed

• Must be posted “conspicuously”

Page 11: Privacy Law

What is “personal information?”

• Most legal regimes in the United States apply to certain forms of “personal information” or “personally identifiable information”

• Definition of PII often varies depending on the objective of the statute and the jurisdiction

• One common definition encompasses first name or first initial and last name in combination with one or more of the following:
   – a Social Security number
   – driver’s license number or government-issued ID number
   – account number, and/or credit or debit card information including numbers and passwords, PINs and access codes

Page 12: Privacy Law

State Security Breach Notice Requirements

• 45 states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands require that you provide notice to individuals when the security of their unencrypted PII is compromised

• Some states include broader definitions of PII

• Notice requirements vary by jurisdiction
   – Heightened thresholds to trigger notice obligation
   – Content of notices
   – Notice to state regulatory bodies
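The two slides above give a rule that can be applied mechanically: a record is “personal information” when it pairs a first name (or first initial) and last name with one of the listed data elements, and a breach notice is triggered only when that PII was unencrypted. The following is an added example (not from the webinar) that runs that rule over a set of records. The record layout (first_name / last_name / ssn / card_number fields, a set of field names stored encrypted, a free-text notes field) and the sample records are constructed for the example and are assumptions, not anything the slides describe.

```python
"""Added example: apply the slides' "common definition" of personal
information to records and flag the ones whose exposure would require a
breach notice.  Field names, the Record layout and the sample data are
assumptions made for this example, not taken from the webinar."""
import re
from dataclasses import dataclass, field

# Data elements that, combined with a name, make a record "personal
# information" under the common definition on the slide.
SENSITIVE_ELEMENTS = {
    "ssn", "drivers_license", "government_id",
    "account_number", "card_number", "password", "pin", "access_code",
}

# Loose pattern for an SSN that has leaked into free text (assumption:
# CRM "notes" fields often end up holding such values).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
FREE_TEXT_FIELDS = {"notes"}


@dataclass
class Record:
    fields: dict                                  # field name -> value
    encrypted: set = field(default_factory=set)   # fields stored encrypted


def has_name(fields):
    """'First name or first initial and last name': a one-character first
    name counts, but either part missing means the record is not PI."""
    first = (fields.get("first_name") or "").strip()
    last = (fields.get("last_name") or "").strip()
    return bool(first) and bool(last)


def exposed_elements(rec):
    """Sensitive elements present in plaintext.  Encrypted fields are
    skipped, matching the 'unencrypted PII' trigger on the breach-notice
    slide; SSN-looking strings inside free-text fields are reported too."""
    found = []
    for name, value in rec.fields.items():
        if not value or name in rec.encrypted:
            continue
        if name in SENSITIVE_ELEMENTS:
            found.append(name)
        elif name in FREE_TEXT_FIELDS and SSN_RE.search(str(value)):
            found.append(f"ssn@{name}")
    return sorted(found)


def triggers_notice(rec):
    """Name plus at least one unencrypted sensitive element."""
    return has_name(rec.fields) and bool(exposed_elements(rec))


def triage(records):
    """Indexes of the records that would need a breach notice."""
    return [i for i, rec in enumerate(records) if triggers_notice(rec)]


def sample_records():
    """Constructed test data, not taken from any real system."""
    return [
        Record({"first_name": "Jane", "last_name": "Doe",
                "ssn": "123-45-6789"}),                      # name + plaintext SSN
        Record({"first_name": "Jane", "last_name": "Doe",
                "ssn": "<ciphertext>"}, encrypted={"ssn"}),  # SSN stored encrypted
        Record({"ssn": "123-45-6789"}),                      # no name at all
        Record({"first_name": "J", "last_name": "Doe",
                "card_number": "4111111111111111"}),         # initial + last name
        Record({"first_name": "Jane", "last_name": "Doe",
                "email": "jane@example.com"}),               # name only
        Record({"first_name": "Jane", "last_name": "Doe",
                "notes": "client SSN 987-65-4321 on file"}), # leak in free text
    ]


if __name__ == "__main__":
    recs = sample_records()
    for i in triage(recs):
        print(f"record {i}: notice required, exposed {exposed_elements(recs[i])}")
```

Two of the sample records show why the rule has to be checked rather than assumed: the encrypted SSN (record 1) drops out of the notice obligation, and the SSN typed into a notes field (record 5) pulls an otherwise harmless record back in. Whether a particular state also counts a bare SSN with no name (record 2) is exactly the “broader definitions of PII” variation the slide warns about.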

Page 13: Privacy Law

Anatomy Lesson: What Does a Breach Look Like?

• Network Hacking

• Lost or Stolen Laptops

• Spyware, Phishing and Pretexting

• Insecure Media Disposal

• Hacked Card Swiping Devices

• Security Vulnerabilities On Mobile Devices

• Misdirected Mail and Faxes

• Insecure wireless networks

• Peer-to-peer software

• Breaches in Physical Security

• Botched Software Updates/Upgrades

• Human Error

• Rogue or Disgruntled Employees

• Lost or Stolen Media

• And more . . .

Page 14: Privacy Law

State Data Security Regulations

• Some states require businesses to use “reasonable procedures and practices” to protect PII

• Some states impose obligations to properly dispose of records containing PII
   – Required or recommended disposal methods include shredding, erasing, or otherwise rendering unreadable
   – Businesses may “outsource” disposal, but generally must monitor for compliance

• Massachusetts and Nevada are leading the charge by requiring businesses to take specific, affirmative steps to protect PII

Page 15: Privacy Law

Massachusetts Data Security Regulations

• 201 C.M.R. § 17.00 enacted in September 2008

• Regulations harshly criticized by the business community and others as unworkable and unduly burdensome

• Revised twice and compliance deadlines extended

• Any person that owns or licenses personal information about a Massachusetts resident must comply by March 1, 2010

Page 16: Privacy Law

Massachusetts Data Security Regulations

• Must develop, implement and maintain a comprehensive, written information security program that includes administrative, technical, and physical safeguards

• Flexible → program may be tailored to the organization
   – Size, scope and type of business
   – Available resources
   – Amount of stored data
   – Security / confidentiality needs for consumer and employee data

Page 17: Privacy Law

201 C.M.R. § 17.00: Specific Requirements

• Massachusetts data security regulations are flexible, but written information security programs must include certain components:
   – Designating one or more “responsible” employees
   – Identifying and assessing reasonably foreseeable risks
   – Security policies for employees regarding handling PII
   – Disciplinary measures for program violations
   – Access restrictions
   – Service-provider oversight
   – Program monitoring and updating to ensure continued effectiveness
   – Documenting breach response

Page 18: Privacy Law

201 C.M.R. § 17.00: Specific Requirements (cont’d)

• Massachusetts regulations require persons that own or license PII to implement computer system security measures:
   – Secure user authentication protocols
   – Access restrictions (e.g., need-to-know access)
   – Encryption (in transit and stored on portable devices)
   – “Reasonable” monitoring of systems for unauthorized access
   – Up-to-date firewalls, patches, antivirus software
   – Employee training on proper use of systems and importance of PII security

• CAVEAT: computer system security measures must be implemented “to the extent technically feasible”

Page 19: Privacy Law

201 C.M.R. § 17.04: Encryption

• “Encrypted” means “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key”
   – OCABR dropped the earlier requirement for a specific encryption technology; the definition is now technology-neutral

• Records and files that contain PII which are transmitted wirelessly and/or across public networks must be encrypted

• PII stored on laptops or other portable devices must be encrypted

Page 20: Privacy Law

Nev. Rev. Stat. § 603A: Encryption

• Nev. Rev. Stat. § 597.970 prohibits electronic transmission of PII outside secure system (other than a fax) unless encrypted

• S.B. 227 amends § 597.970 to require encryption of all PII leaving the “logical or physical controls of the data collector,” including electronic data on a “data storage device”
   – Data storage device = computers, cell phones, magnetic tape, computer drives, and the medium itself

• S.B. 227 requires use of encryption technology that has been adopted by an established standards setting body and proper management and safeguards of cryptographic keys

Page 21: Privacy Law

Nev. Rev. Stat. § 603A: Encryption (cont’d)

• Safe harbor → data collector not liable for a breach if compliant with encryption law and no gross negligence or intentional misconduct

• Some questions remain
   – Who can enforce?
   – Is there a private right of action?
   – What does it mean to be “doing business in this State”?

Page 22: Privacy Law

Federal and State Marketing Regulations

• CAN-SPAM Act
   – E-mail communications

• Telemarketing regulations
   – Telephone solicitations

• Behavioral Targeting Guidelines

Page 23: Privacy Law

Advisor Exposure Points

• Customer Relationship Management (“CRM”) databases
   – Strong access restrictions
   – Minimize collection and storage of sensitive PII
   – Train employees on proper access and use

• Portable electronic devices
   – Encrypt devices that store PII
   – Implement physical security policies

• Hard copy documents
   – Some breach notification laws apply
   – Disposal rules may apply

Page 24: Privacy Law

Advisor Exposure Points (cont’d)

• Client communications
   – What types of PII should be included in transmissions (e.g., redact PII in performance reports)
   – Compliance with federal and state marketing restrictions

• Externally-facing policies on privacy and data security
   – Do you have a policy?
   – Do you know what it says?
   – Does your policy accurately reflect your practices?

Page 25: Privacy Law

Recommendations: 6 Simple Steps

• Step 1: Take ownership → avoid a tragedy of the commons

• Step 2: Identify what you have → ask the questions!

• Step 3: Identify the appropriate level(s) of security

• Step 4: Document your program

• Step 5: Communicate your program to affected individuals

• Step 6: Manage your program → provide oversight, update

Page 26: Privacy Law

Thank You!

http://privacylaw.proskauer.com/

Brendon M. Tavelli

[email protected]