Privacy and Security: Practical and Sensible Advice

Chuck Schwab, Special Counsel, Cooley LLP
and Karin Lindgren, General Counsel, Reed Group
© 2012 Cooley LLP, Five Palo Alto Square, 3000 El Camino Real, Palo Alto, CA 94306
The content of this packet is an introduction to Cooley LLP’s capabilities and is not intended, by itself, to provide legal advice or create an attorney-client relationship. Prior results do not guarantee future outcome.
Topics to Cover Today

Breach notification laws: planning for and responding to a security breach

Information security requirements for customer and employee data

Collection, use, and disclosure of information about customers and employees

International issues
2
www.cooley.com
Breach Notification Laws

Progenitor - California’s “SB 1386”

Identity theft is the driver

No federal “data breach law”, although several bills are still before Congress:

Personal Data Privacy and Security Act of 2011 (S. 1151) (Senators Leahy (D-VT), Schumer (D-NY) and Cardin (D-MD)) (last action: written report filed by Committee on Commerce, Science and Transportation, November 2011).

Data Security and Breach Notification Act of 2011, S. 1207 (Senators Pryor (D-AR) and Rockefeller (D-WV)) (last action: Committee on Commerce, Science and Transportation scheduled two mark-ups in fall 2011, which were both indefinitely postponed).

Data Breach Notification Act of 2011, S. 1408 (Senator Feinstein (D-CA)) (last action: Committee on Judiciary hearing in October 2011, from which no written report has resulted).
Breach Notification – Patchwork State Laws

Instead of one uniform federal law (like the FCRA), businesses must undertake the complex task of monitoring all state statutes:

Alaska: Alaska Stat. § 45.48.010 et seq.
Arizona: Ariz. Rev. Stat. § 44-7501
Arkansas: Ark. Code § 4-110-101 et seq.
California: Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
Colorado: Colo. Rev. Stat. § 6-1-716
Connecticut: Conn. Gen. Stat. § 36a-701b
Delaware: Del. Code tit. 6, § 12B-101 et seq.
Florida: Fla. Stat. § 817.5681
Georgia: Ga. Code §§ 10-1-910, -911
Hawaii: Haw. Rev. Stat. § 487N-2
Idaho: Idaho Stat. §§ 28-51-104 to 28-51-107
Illinois: 815 ILCS 530/1 et seq.
Indiana: Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq.
Iowa: Iowa Code § 715C.1
Kansas: Kan. Stat. §§ 50-7a01, 50-7a02
Louisiana: La. Rev. Stat. § 51:3071 et seq.
Maine: Me. Rev. Stat. tit. 10 §§ 1347 et seq.
Maryland: Md. Code, Com. Law § 14-3501 et seq.
Massachusetts: Mass. Gen. Laws § 93H-1 et seq.
Michigan: Mich. Comp. Laws § 445.72
Minnesota: Minn. Stat. §§ 325E.61, 325E.64
Mississippi: 2010 H.B. 583 (effective July 1, 2011)
Missouri: Mo. Rev. Stat. § 407.1500
Montana: Mont. Code §§ 30-14-1704, 2-6-504
Nebraska: Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada: Nev. Rev. Stat. §§ 603A.010 et seq., 242.183
New Hampshire: N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
New Jersey: N.J. Stat. § 56:8-163
New York: N.Y. Gen. Bus. Law § 899-aa
North Carolina: N.C. Gen. Stat. § 75-65
North Dakota: N.D. Cent. Code § 51-30-01 et seq.
Ohio: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma: Okla. Stat. § 74-3113.1 and §§ 24-161 to -166
Oregon: Or. Rev. Stat. § 646A.600 et seq.
Pennsylvania: 73 Pa. Stat. § 2303
Rhode Island: R.I. Gen. Laws § 11-49.2-1 et seq.
South Carolina: S.C. Code § 39-1-90
Tennessee: Tenn. Code § 47-18-2107, 2010 S.B. 2793
Texas: Tex. Bus. & Com. Code § 521.03, Tex. Ed. Code § 37.007(b)(5) (2011 H.B. 1224)
Utah: Utah Code §§ 13-44-101, -102, -201, -202, -310
Vermont: Vt. Stat. tit. 9 § 2430 et seq.
Virginia: Va. Code § 18.2-186.6, § 32.1-127.1:05 (effective January 1, 2011)
Washington: Wash. Rev. Code §§ 19.255.010, 42.56.590
West Virginia: W.V. Code §§ 46A-2A-101 et seq.
Wisconsin: Wis. Stat. § 134.98 et seq.
Wyoming: Wyo. Stat. §§ 40-12-501 to -502
District of Columbia: D.C. Code § 28-3851 et seq.
Puerto Rico: 10 Laws of Puerto Rico § 4051 et seq.
Virgin Islands: V.I. Code § 2208
Patchwork– Most States

46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

States with no security breach notification law: AL, KY, NM, and SD.

29 states (AK, AZ, AR, CA, CO, CT, GA, HI, IL, IN, KS, KY, MS, MS, MI, MO, MT, NV, NJ, NY, NC, OR, RI, SC, TX, UT, VT, WA, and WI) have laws requiring encryption and secure disposal of personal information held by businesses and/or government.

Every state has a law criminalizing identity theft.
Patchwork – Commonalities

What is Covered:

Personal Information requires last name and first initial plus at least one more data element that could lead to loss (e.g., social security number, driver’s license number, credit or debit card number, or bank account number and access code, etc.)

Includes employee and customer information.

Most states have an exemption for encrypted data:

Only IN, NYC, WY and DC lack an encryption safe harbor

MS, NH, OK, OR, and TX require notice if encrypted data is breached along with the encryption key

Several states require notice to the Attorney General even if data is encrypted
Breach Notice – Timing and Scope

Planning for a breach is essential – response time is mandated by law:

In all states except CA, GA, ID, and IL, discovery of a suspected breach triggers an immediate requirement to investigate, and notification is only triggered if the investigation determines that there is a reasonable risk of identity theft or loss

In CA, GA, ID, and IL, the notification requirement is triggered upon discovery

Once triggered, notification must be provided “As expediently as possible and without unreasonable delay unless disclosure impedes law enforcement investigation”

Several states require immediate disclosure to the Attorney General (within 24 hours of discovery)

Notice must typically be in writing and sent to each individual victim, but a small number of states may allow substitute notice in cases of a large breach
Breach Notice - Content

Content of Notice:

General description of the incident;

type of information breached;

toll-free numbers and addresses of the three NCRAs (nationwide consumer reporting agencies).
Breach Notice – Penalties and Costs


Penalties for Failure to Provide Breach Notification

Administrative fines can vary state-by-state, ranging up to $500,000 in certain states.

Actual damages to each affected victim.

Costs and Expenses Associated with a Breach

Costs of investigation.

Production and mailing costs for notification letters.

Costs of a period of credit monitoring service for affected victims (typically about $75-$125 per person).

Reputational costs.
Other Breach Notification Laws



FTC’s Red Flag Rule – requires financial institutions and “creditors” to have an identity theft prevention program; notification is an option

HIPAA – affects covered entities and business associates, requiring employers, for example, to:

Notify major media outlets and HHS if a breach involves 500 or more plan participants

Notify affected individuals within 60 days of becoming aware of the breach

GLBA – applies to financial institutions
Information Security – Why?

Confidential information is critical to the success of business

Protection of valuable intellectual property is essential to maintain legal rights (e.g., trade secret protection)

To further business, employees must have access to confidential information and must create IP

Employers have legal obligations to keep certain information confidential

Legal Requirements
Information Security Regulations

FTC Act

Fairness - Maintain Adequate and Appropriate Security Measures

Deceptiveness -- False or Misleading Statements; “100% Safe”

Original California SB 1386

State Data Security Law -- 10+ States

“Reasonable” safeguards

Sensitive Data

Social Security Number

Driver’s License Number

Financial Account Information

Credit Card Number
InfoSec Regulations – A Higher Bar

Massachusetts

Covers Sensitive Data

Mandates Security Program

Safeguards Require Encryption

Policies

Training

Monitoring

Some states require encryption for transmission (Nevada)

Data destruction

23+ states, FCRA

“Reasonable steps” to destroy sensitive data (or all data for CA, CT, KY)
Other InfoSec Regulations

HIPAA Security Rule

Information Security Program

Administrative

Technical

Physical Safeguards

Data Breach Notification

GLBA Safeguards Rule – Information Security Program

Administrative, Technical, Physical Safeguards

Size and Complexity of Organization

Sensitivity of Customer Information

Designate Employees to Coordinate

ID Risks & Sufficiency of Safeguards
Red Flags Rule - Implement a program to detect, prevent, and mitigate identity theft
InfoSec Policies

Diamonds vs. Toothbrushes

Written InfoSec Policy

Identify Security Risks and Identity Theft Risks

Reasonable approach to security risk vectors

Graduated treatment of data types

Establish a “Privacy/InfoSec Officer”

Establish technical controls on data – access, transmission

Maintain technical vigilance – apply security patches within a reasonable time

Annual policy/risk review

Train at least key people
Consumer Privacy - Federal

Customer vs. Consumer

FTC Act – unfair or deceptive practices

notice – disclosures of what, who x2, how x2

choice – secondary uses, disclosures, opt-out or opt-in

access – access to data, correction

Behavioral Tracking

TCPA

Junk Fax, Do Not Call, SMS

CAN-SPAM

Disclosures for Promotional Emails

Opt-Out
Consumer Privacy - California

California Online Privacy Protection Act

Post a policy

Identify:

Information collected

Third parties with whom you share the information

California – Shine the Light

Disclosures about sharing with third parties for their marketing purposes

Consumer right to opt-out or receive information about third parties

California – Song-Beverly Act

Prohibits collection of PII that is not on the credit card, including zip code

Applies to online transactions?

Spyware Laws – track data
Employee Privacy

FCRA


Applies to reports prepared by a third party that regularly assembles or evaluates credit or other information on a consumer (“consumer reporting agency”)

Covers any inquiry for employment purposes bearing on an individual’s “credit, general reputation, personal characteristics, or mode of living”

Criminal history checks, credit checks, sex offender registry, motor vehicle record checks, employment and education verification

Requires permissible purpose to access

State “mini-FCRAs”

Credit check laws

Anti-discrimination laws

Genetic Information Non-Discrimination Act of 2008 (GINA)
FCRA Process

Provide notice and obtain authorization before procuring a background check report

Before taking adverse action or a risk-based pricing decision, provide notice, including a copy of the report and the FTC summary of rights

Wait 5 days before taking final action

Deliver final adverse action or risk-based pricing notice
Social Network Checks

Establish policies on when social media checks will be conducted, by whom, at which sites, for what information, and how that information will be evaluated

Include social checks by third-party vendors in your FCRA compliance program

Social checks by the employer’s own staff are not subject to FCRA

Be careful about: asking/coercing an employee or applicant to provide social media password(s), or fraudulently/coercively gaining access to a network

Be careful of taking adverse action against an employee for comments on social media (could be protected by state law or NLRB rules)
Employees – Practical Pointers
Contracts

Require employees to sign proprietary information agreements; define “confidential information”

Require job applicants to sign non-disclosure agreements

Handbooks/Policies – Privacy expectation is key

Adopt electronic data and computer use policies

Employer-allowed use of email and computers

Employer ownership of all data on work computers

Limit personal use

Employee consent to monitoring and inspection

Restrictions on social media use?
International

EU spam laws

Opt-in, with some EBR exceptions

Canadian spam law

Expecting regulations

All electronic messages (not just email)

Explicit or implied (including EBR) consent

Heavy fines (C$220/message, D&O exposure)

Cookie directive

The Sound and the Fury

Waiting for industry solutions
International (2)

EU Directive

Expectation of compliance is growing

Model Contracts

Processor

Controller

Safe Harbor

7 Principles – Notice, Choice, Onward Transfer, Access, Security, Data Integrity, Enforcement

Two Toughies: Onward Transfer, Enforcement

BCRs

EU Regulation on the horizon

you don’t even want to know

~2 years away
Questions?
For more information contact:
Chuck Schwab, schwabca@cooley.com
Sign up for Alerts at www.cooley.com.