The Matrix Reloaded: Cybersecurity and Data Protection for Employers
Jodi D. Taylor

Why Talk About This Now?
• Landscape is changing
• Enforcement by federal and state governments on the rise
• Legislation on the rise
• Costing businesses more money than ever
• Confusion in marketplace – who’s responsible?

www.bakerdonelson.com © 2015 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC

Proposed Consumer Privacy Bill of Rights Act
− Provide reasonable notice to individuals about a covered entity’s privacy and security practices
− Provide individuals with reasonable means to control the processing of personal data about them
− Enforcement by the Federal Trade Commission, State Attorneys General
− Civil penalties up to $35,000 per day or $5,000 per affected consumer, with a maximum penalty of $25 million
  ▫ No private right of action
− Safe harbor – Enforceable Codes of Conduct
− Stuck in committee

Cyber Intelligence Sharing and Protection Act
− Would provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities
  ▫ Ex. If the government detects a cyber attack that might take down Facebook or Google, for example, it could notify those companies. At the same time, Facebook or Google could inform the feds if they notice unusual activity on their networks that might suggest a cyber attack.
− Problem: opponents said that it would allow companies to easily hand over users’ private information to the government thanks to a liability clause.
− Approved by House; moved to Senate; White House has threatened to veto

Executive Order Promoting Private Sector Cybersecurity Information Sharing
− Encourage the development of Information Sharing Organizations
− Develop a common set of voluntary standards for information sharing organizations
  ▫ Will include privacy and civil liberty protections
− Streamline private sector companies’ ability to access classified cybersecurity threat information
− Provide legal safe harbor for companies that share cyber threat information with the government or each other through a special Department of Homeland Security portal

Executive Order (cont.): Authorizing Sanctions Against Persons Engaged In Significant Malicious, Cyber-Related Activities
− Significant threats to the national security, foreign policy or economic health or financial stability of the United States
− Includes persons who aid and abet such activities
− Identified individuals or entities will be added to the list of Specially Designated Nationals and Blocked Persons (SDN List)
  ▫ U.S. assets are frozen
  ▫ Prohibited from doing business with U.S. persons/entities
  ▫ Cannot engage in dollar-denominated transactions (effectively cut off from the U.S. banking system)

Proposed Data Security and Breach Notification Act
− Companies must implement and maintain reasonable security measures and practices to protect and secure personal information
− Broader definition of “personal information” than most state data breach laws
− Only required to provide notice if there is a reasonable risk of identity theft, economic loss, economic harm, or financial harm
− Must provide notice to affected individuals within 30 days after discovery of a breach
− Preempts all state data breach notification laws
− Enforcement by the FTC or State Attorneys General (no private right of action)
− Stuck in committee

State Legislation
• Companies must comply with laws and regulations of all states in which they do business or have employees

Georgia’s Personal Identity Protection Act (GPIPA)
− Security Breach Definition - Unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information (PI) maintained by an information broker or data collector
− Application:
  ▫ Data Collector - Any state or local agency or any of its subdivisions that maintains computerized PI
  ▫ Information Broker - Any person or entity who, for money, engages in, in whole or in part, the business of transferring computerized PI to a nonaffiliated third party

GPIPA (cont.)
− Personal Information Definition - An individual’s first name or first initial and last name, in combination with any one or more of the following data elements, when either the name or the data elements are NOT encrypted or redacted:
  ▫ Social Security number
  ▫ Driver’s license number or state identification card number
  ▫ Account number, credit or debit card number, if such number could be used without any additional identifying information, access codes or passwords
  ▫ Account passwords or personal identification numbers or other access codes; or
  ▫ Any of the above when, not in connection with a person’s first name or first initial and last name, it would be sufficient to perform or attempt identity theft
− PI does NOT include publicly available information that is lawfully made available to the general public from federal, state or local government records

GPIPA - Notice
− Individual - Must disclose that PI was, or is reasonably believed to have been, acquired by an unauthorized person
− Consumer Reporting Agencies - If required to notify more than 10,000 residents at one time, must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution and content of the notices
− Third-Party Data - Any person or business that maintains computerized PI on behalf of an information broker or data collector must notify them of any breach of security within 24 hours of discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person
− Notice must be made in the most expedient time possible

GPIPA - Substitute Notice
− Available when the cost of providing notice would exceed $50,000, or the affected class exceeds 100,000, or if the information broker or data collector does not have sufficient contact information
− Substitute notice must consist of ALL of the following:
  ▫ Email notice when the email address is known;
  ▫ Conspicuous posting of the notice on the information broker’s or data collector’s website page if they maintain one; and
  ▫ Notification to major statewide media.
− Exception - An information broker or data collector may follow the procedures of its own notification policy if it is consistent with the timing requirements of the statute

Massachusetts Data Security Regulation (Mass. Regs. Code tit. 201 § 17.00)
• Stringent and detailed data security requirements
• Applies to any person (legal entity or natural person), wherever located, that owns or licenses personal information about a MA resident
• Includes any organization that receives, stores, maintains, processes or otherwise has access to personal information either for the provision of goods or services or employment
• Must develop, implement and maintain a comprehensive written information security program (“WISP”) that contains administrative, technical and physical safeguards that are appropriate to the size, scope and type of the person’s business, the person’s available resources, the amount of stored data, and the need for security and confidentiality of both consumer and employee information
• Massachusetts AG recently targeted a Rhode Island hospital for failing to encrypt consumer information – resulted in a $150,000 settlement

Recent Cases / Breach Notifications
• Target Corp.
  − One of the largest breaches of payment-card security in U.S. retail history
  − Hackers, through HVAC contractor systems, stole debit-card info of about 110 million customers
  − Class action suit raised 7 different claims including violation of data breach notification statutes
  − Court discusses the enforceability of data-breach notice statutes:
    ▫ Attorney General/Government enforcement only: Ex. Arkansas, Connecticut, Idaho [no private right of action, plaintiff’s claim is barred]
    ▫ Ambiguous or explicitly non-exclusive: Ex. Colorado [permissive language of “may” allows plaintiff’s claim to survive dismissal]
    ▫ No enforcement provision: Ex. Georgia §10-1-912 is silent as to enforcement [plaintiff’s claim survives dismissal]

Recent Cases / Breach Notifications
• Maloney Properties, Inc.
  − Loss of one laptop with unencrypted personal information of approximately 621 residents
  − No evidence that personal information was accessed or used by an unauthorized person or for an unauthorized purpose
  − Resulted in $15,000 settlement along with other required action by MPI:
    ▫ Ensuring that personal information is not unnecessarily stored on portable devices
    ▫ Ensuring that stored personal information is encrypted on portable devices
    ▫ Ensuring that portable devices with personal information are stored in a secure location
    ▫ Effectively training employees on the policies and procedures with respect to maintaining the security of personal information

Recent Cases / Breach Notifications
• Tierney et al. v. Advocate Health and Hospitals Corp. (Seventh Circuit, Case No. 14-3168)
  − Proposed class action claiming FCRA violations by failing to safeguard health data stolen from its offices
  − District Court threw out the FCRA claims, ruling that the hospital can’t be considered a “credit reporting agency” under the FCRA
  − Plaintiffs appealed to the 7th Circuit – UPDATE released August 12, 2015: affirmed the lower Court
  − Why extend the FCRA? Penalties range from $100 to $1,000 per willful violation

Insider Threat Detection
• Using big data analytics and software to identify potential insider threats in the workplace
• High risk, high reward
• Rewards
  − Preventing fraud, intellectual property theft and workplace violence
• Risks
  − Data is discoverable in litigation
  − Discrimination claims against employer
• Best Practices
  − Transparency
  − Clearly stated policies that are consistently enforced

Insider Threat Detection
• Best Practices (cont.)
  − Systematic logging, monitoring and auditing of employee network activity
  − Blocking unauthorized emailing or uploading of company data outside the company network
  − Comprehensive employee termination procedures

Top 10 for Employers
1. Policies/Protocols
2. Training
3. Data Access Points
4. BYOD
5. Telecommuting
6. Passwords
7. Discipline Policies
8. Data Retention
9. Impartial Use of Data
10. Data Mining/Analytics

Questions?
Jodi D. Taylor
jtaylor@bakerdonelson.com
404.589.3413