Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy


description

Every week seems to bring another story of a data breach or significant privacy gaffe. Learn how to help keep your company out of the Privacy Hall of Shame. This interactive panel was the closing plenary session at LegalTech NY 2014. The panel was moderated by Dori Anne Kuchinsky, Assistant General Counsel Litigation and Global Privacy, W.R. Grace & Co. The chapter on Social Media Security Fails in 2013 was presented by Al Raymond, CIPP/US, CISSP, Head of US Privacy & Social Media Compliance, TD Bank. The chapter "Location, Location, Location: Why it REALLY matters" was presented by Kamal Patheja, Legal Director Global Software Licensing, DHL GBS (UK). The final chapter "Privacy Enforcement in the U.S." was presented by Monique Altheim, CIPP/US/E, Founder and Managing Partner of The Law Office of Monique Altheim. Many thanks to Patrick Oot, Senior Special Counsel for Electronic Discovery at the U.S. Securities and Exchange Commission, for providing the polling questions technology.

Transcript of Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy

Page 1: Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy

Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy

Monique Altheim, Principal, The Law Office Monique Altheim

Dori Anne Kuchinsky, Assistant General Counsel, Litigation & Global Privacy, W.R. Grace & Co.

Kamal Patheja, Legal Director Global Software Licensing, DHL

Albert M. Raymond, Head of U.S. Privacy & Social Media Compliance, TD Bank

FEBRUARY 4 – 6, 2014 / THE HILTON NEW YORK

Page 2

Target and Neimans and Snapchat, Oh My! The Year in Data Privacy

• Privacy Jeopardy: The Rules, The Categories, The Prizes

LEGALTECH NEW YORK / FEBRUARY 4 – 6, 2014

Page 3

EU-U.S. Safe Harbor and the “Snowden Effect”

Poll Question:

The FTC recently announced settlements with 12 U.S. companies for Safe Harbor violations. The violation charged was:

a) Allowing the NSA to access EU data transferred under Safe Harbor

b) Using Safe Harbor to justify transfers to inadequate countries

c) Falsely claiming they had current Safe Harbor certifications

d) None of the above

Page 4

Social Media Security Fails in 2013

Page 5

Associated Press Twitter Account Hack April 2013

• The Associated Press' Twitter account was hacked.

• Moments later, the Syrian Electronic Army claimed responsibility for the attack.


Page 6

• The message spread quickly, with Twitter users immediately wondering if the account had been hacked.

• The Associated Press clarified shortly thereafter that the tweet was fake.


Associated Press Twitter Account Hack

Page 7

The Syrian Electronic Army, an organization that supports Syrian President Bashar al-Assad, tweeted:


Associated Press Twitter Account Hack

Page 8

Associated Press Twitter Account Hack

Real Repercussions

Page 9

Poll Question:

Which of these ‘strong’ passwords should the Associated Press have used to protect its Twitter account?

a) Password

b) Qwerty

c) Abc123

d) Muj@hideen2#


Associated Press Twitter Account Hack

Page 10

Chrysler Social Media Faux Pas

Page 11

Chrysler Social Media Faux Pas

Page 12

Chrysler Social Media Faux Pas

Page 13

Chrysler Social Media Faux Pas

Poll Question:

If your vendor causes a security or privacy event for you, what could be your recourse?

a) Legal action

b) Nothing. Your vendor’s actions are your own

c) Depends on the contract

d) Run over someone with a Chrysler 300 Hemi

Page 14

Burger King’s Twitter Account Hijacked

Page 15

Burger King’s Twitter Account Hijacked


Page 16

• The account was hacked by an unknown group, which changed the company’s logo and profile name to McDonald’s. It then started tweeting offensive messages, along with a message the company was “bought out” by McDonald’s.

• After nearly an hour and a half of “tasteless” tweets filled with drug references and obscenities, Twitter finally suspended the account.

• Afterwards, Burger King actually gained almost 30,000 followers as a result of the incident!

• A 300% increase in conversations on the BK site (450,000 tweets!)


Burger King’s Twitter Account Hijacked

Page 17

Burger King’s Twitter Account Hijacked

Page 18

Burger King’s Twitter Account Hijacked

Page 19

Burger King’s Twitter Account Hijacked

Page 20

Burger King’s Twitter Account Hijacked

Page 21

Burger King’s Twitter Account Hijacked

Poll Question:

What do you suppose is the biggest risk from having your SM account hijacked?

a) Brand risk

b) Reputation risk

c) Both A & B

d) Loss of the formula for ‘secret sauce’

Page 22

Lessons Learned?

• Poor Pwd Management: The companies didn’t know who had access to the account or to the passwords. If the same password can be used across multiple accounts, that’s poor password management.

• Newsflash!: Passwords need to be changed on a periodic basis.

• Weakest Link: Any system can be compromised with enough time and effort. Many ways into the crown jewels exist, including phishing, smishing, social engineering, software, or applications.

• Inside Job: Malcontent employees (current or former) who have/had access to the passwords make it difficult to know if the account truly was hacked or if it was a rogue employee. Many social media accounts are not tied to Active Directory or LDAP systems.

• Vendor Management: If you lack the skills inside the organization to run your SM site, you may rely on an external firm. Burger King and Chrysler were both highly dependent on external agencies to manage and control their Twitter accounts. Improper governance and oversight led to epic Social Media Fails.
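The lessons above (shared passwords reused across accounts, no periodic rotation, accounts not tied to the corporate directory, agencies running accounts with nobody named as accountable) are the kind of thing a privacy or security team can check against an account register rather than discover after a hijack. The following is an added example, not material from the panel or from any of the companies discussed: it audits a constructed register of shared social-media accounts. The `SharedAccount` fields, the team names, handles and dates are all assumptions for the example; the credential fingerprint is assumed to be a hash exported by a password vault, so the audit never handles a plaintext password.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Constructed register of shared social-media accounts, as a privacy/security
# team might keep it. Sample data for this example only, not a real inventory.
# The vault exports only a fingerprint (hash) of each secret, so reuse can be
# spotted without the audit ever touching a plaintext password.
@dataclass
class SharedAccount:
    handle: str
    platform: str
    credential_fingerprint: str   # hash of the secret, as exported by the vault
    last_rotated: date
    managed_by: str               # internal team or external agency (assumed names)
    sso_linked: bool              # tied to the corporate directory (AD/LDAP/SSO)?
    authorized_users: list = field(default_factory=list)  # named people with access


INTERNAL_TEAMS = {"Corp Comms", "HR"}     # assumed internal owners
AUDIT_DATE = date(2014, 2, 4)            # day the audit is run (constructed)

INVENTORY = [
    SharedAccount("@acme_news", "twitter", "fp-a1", date(2013, 11, 1),
                  "Corp Comms", False, ["j.doe"]),
    SharedAccount("@acme_support", "twitter", "fp-a1", date(2014, 1, 20),
                  "Corp Comms", True, ["j.doe", "k.lee"]),
    SharedAccount("acme.official", "facebook", "fp-b2", date(2013, 6, 15),
                  "BrightSpark Agency", False, []),
    SharedAccount("@acme_careers", "twitter", "fp-c3", date(2014, 1, 28),
                  "HR", True, ["m.roy"]),
]


def reused_credentials(accounts):
    """Group handles that share a credential fingerprint, i.e. the same secret."""
    by_fp = defaultdict(list)
    for acct in accounts:
        by_fp[acct.credential_fingerprint].append(acct.handle)
    return {fp: handles for fp, handles in by_fp.items() if len(handles) > 1}


def stale_rotations(accounts, today, max_age_days=90):
    """Handles whose secret is older than the rotation window."""
    return [a.handle for a in accounts
            if (today - a.last_rotated).days > max_age_days]


def not_sso_linked(accounts):
    """Handles not tied to the corporate directory, so a leaver's access is
    not revoked automatically when their directory account is disabled."""
    return [a.handle for a in accounts if not a.sso_linked]


def agency_managed_without_owner(accounts, internal_teams):
    """Handles run by an outside agency with no named, accountable users."""
    return [a.handle for a in accounts
            if a.managed_by not in internal_teams and not a.authorized_users]


def audit(accounts, today, internal_teams, max_age_days=90):
    """Run every check; findings are keyed by the lesson they correspond to."""
    return {
        "password_reuse": reused_credentials(accounts),
        "stale_rotation": stale_rotations(accounts, today, max_age_days),
        "not_sso_linked": not_sso_linked(accounts),
        "agency_without_owner": agency_managed_without_owner(accounts, internal_teams),
    }


if __name__ == "__main__":
    for check, hits in audit(INVENTORY, AUDIT_DATE, INTERNAL_TEAMS).items():
        print(f"{check}: {hits}")
```

Run as a script it prints one line per check; on the sample register the two Twitter accounts sharing `fp-a1` show up as password reuse, the two accounts rotated more than 90 days before the audit date as stale, and the agency-run Facebook page both as unlinked from the directory and as having no named owner. The rotation window and the set of internal teams are parameters so the same checks can be pointed at a real register with the organisation's own policy values.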

Page 23

Location, Location, Location- Why it REALLY Matters

Page 24

Conflict with respect to Personal Data*

• EU: everything is prohibited unless expressly permitted by law

• US: everything is permitted unless expressly prohibited by law


US vs. EU

*Art. 2 Directive 95/46/EC: “Personal data” means any information relating to an identified or identifiable natural person (“data subject”).

An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Page 25

Incident #1- Dude - Where’s My Data?


Page 26

Incident #1

Poll Question:

Which of the following is Personal Data?

a) Car registration plate

b) Work email address

c) Employee number

d) Employee status on corporate live chat system

e) All of the above

Page 27

Incident #1

Poll Question:

Which of the following is NOT an adequate way of transferring Personal Data to a third party company outside of the EEA?

a) Model Clauses

b) Safe Harbor registration

c) White Listed Countries

d) Binding Corporate Rules

e) None of the above

Page 28

Incident #1 - Dude - Where’s My Data?

• DPDHL UK entity engaged with UK supplier to acquire a claims handling system

• The solution involved the hosting of claims related information of DPDHL employees

• Contract governed by English law

• Contract provides for DPDHL providing personal data to supplier in UK

• Contract completed ready for sign off

• DPDHL Legal enquire as to supplier’s server location

• “Oops, forgot to tell you”: Data to be hosted in US! By a third party!

• 3 months later we sign off the deal after arduous negotiations surrounding the data protection provisions – supplier did not see what the big deal was for DPDHL!

Page 29

Incident #2- Show Me the Data!


Page 30

Incident #2

Poll Question:

Which of the following is deemed valid consent for the purposes of transferring Personal Data?

a) Data subject’s waiver in the form of posting of same Personal Data to social media

b) A formal consent form signed by the company’s CEO authorizing the transfer of employee Personal Data

c) A formal consent form signed by an administrative assistant authorizing transfer of his/her personal data

d) An email by CEO authorizing transfer of his/her personal data

e) None of the above

Page 31

Incident #2

Poll Question:

Which of the following is true?

a) E-discovery rules override the EU Data Protection Directive

b) EU Data Protection Directive overrides E-discovery rules

c) The EU Data Protection Directive can be ignored by US Company only doing business in the US

d) Companies can select which privacy regime to follow based on country of registration

e) None of the above

Page 32

Incident #2 - Show Me the Data!

• US based employee seconded to Germany

• The new role never transpired

• Employee sought reinstatement to her original role in US

• Old role filled!!!

• Employee commenced proceedings in US against DPDHL alleging wrongful termination and harassment

• Plaintiff produced altered emails

• DHL had to collect emails from executives and non-executives in Germany to disprove the plaintiff’s allegations

• US litigators barred by EU Data Protection from collecting data

Page 33

Incident #2 - Show Me the Data!

• DPDHL had to implement adequate measures which included:

  • Giving German employees an opportunity to consult with DPDHL Data Protection Officers

  • DPDHL Officers consulting with German Worker’s Council

  • US lawyers to disclose data needed, where it would be sent to and how it would be used

  • US lawyers had to obtain consent from each custodian, subject to refusal or withdrawal

  • EU employees to self-collect

  • Data subject to protective order

• Then and only then data could be used in litigation

Page 34

Lessons Learned?

• From the outset ask suppliers about server locations and DR sites

• Quiz your business folk on the type of data to be processed/hosted/stored

• In any litigation matter be mindful of any European aspects to the case

• Seek local legal advice on national law issues

• The EU Directive has been implemented by all EU members in their local legislation with varying degrees of formality, e.g. Germany compared to UK

Page 35

Privacy Enforcement in the U.S.

Page 36

Oregon Woman Awarded $18.6 MILLION Over Equifax Credit Report Mix-Up, July 2013 (Reduced to $1.62 Million on Appeal on January 29, 2014)

Page 37

FTC Collects $3.5 Million From TeleCheck For Failing To Investigate Disputes Or Correct Errors, January 16, 2014

Page 38

FTC Expands FCRA Coverage to Mobile Industry – Criminal Records Search Apps

January 10, 2013

Page 39

FCRA

Poll Question:

A consumer reporting agency falls under the FCRA if it sells consumer reports to:

a) Banks, Insurance Companies, Employers and Consumers

b) Banks, Insurance Companies, Employers and for Other Business Purposes

c) Banks, Insurance Companies, Employers, Marketers, and Dating Sites

d) All of the above

Page 40

FTC Announces First Settlement Involving Privacy and the "Internet of Things" – The TRENDnet Case, September 2013

Page 41

Section 5 (a) of the FTC Act

Poll Question:

A company has an obligation under section 5 (a) of the FTC Act to provide reasonable security for its PII:

a) Always

b) Only if there is risk of substantial damage

c) Only if it promises to do so

d) Never

Page 42

WellPoint Pays HHS $1.7 Million for Leaving Information Accessible Over Internet, July 2013

Page 43

Poll Question:

The following entities must comply with HIPAA Privacy and Security Rules:

a) Law firms that handle PHI from insurance companies, hospitals or health care providers

b) Webmd.com and Patientslikeme.com

c) H.R. departments

d) All of the above

HIPAA

Page 44

Lessons Learned?

• Data Brokers and App Developers: If you quack like a duck… you are a duck. Regardless of your ToS, if you act as a consumer reporting agency, you need to be compliant with the FCRA requirements to avoid steep fines from the FTC and lawsuits from wronged consumers.

• Companies under jurisdiction of FTC: Say what you mean and mean what you say in your privacy policies. Don’t make promises you will not keep, lest the FTC accuse you of deceptive practices under Section 5(a) FTCA. If you handle sensitive data, the breach of which may result in substantial damage, you must have a data security program in place, lest the FTC accuse you of unfair practices under Section 5(a) FTCA.

• All companies processing PHI from HIPAA “covered entities”: As “business associates” you must comply with HIPAA Privacy and Security Rules as well. HHS/FTC are after you!

Page 45

Questions?