Presentation Materials

How Safe Is Your Data?
Top Data Protection Issues Keeping Executives Awake at Night
Ann LaFrance (London)
Andy Kruppa (Miami)
Gary Timin (Miami)
39 Offices in 19 Countries
May 22, 2014
Agenda
• Overview
• US Cyber Risk Developments and Laws
• Florida Information Protection Act of 2014
• Data Protection Developments in the European Union
• Practical Compliance Tips and Best Practices for Data Breach Response
• Cyber Risk Insurance Issues
• Questions
• “[W]e don’t see any industries flying completely under the radar. And that’s the real takeaway here – everyone is vulnerable to some type of [data breach] event.” – [Verizon’s 2014 Data Breach Investigations Report]
• Examples: Adobe [153 million user accounts], Bell Canada, Gawker [1.3 million users], Snapchat [4.6 million users], Sony [multiple breaches], Vodafone, Yahoo, Target, etc.
• The top nine sources of data breaches are the following: POS intrusions, attacks on web applications, insider misuse, physical theft/loss, errors, crimeware, card skimmers, denial of service attacks, and cyber-espionage.
The Cost of Services to Respond to a Data Breach
• The cost of a data breach is on the rise
• Corporate Counsel reports the average two-year cost rose in the US by 8% to $5.85M in 2013
• The average cost per record was $201
• In Europe the reported average two-year cost was $3.5M ($145/record)
US Cyber Risk Developments and Laws
Federal Statutory Framework
• Gramm-Leach-Bliley Act
• Federal Trade Commission Act
• Fair Credit Reporting Act/FACTA
• SEC disclosure requirements
• Federal Sector Requirements (not going to be addressed here)
  ◦ Privacy Act
  ◦ Federal Information Security Management Act
  ◦ OMB’s Breach Notification Policy
  ◦ Veterans Affairs Information Security Act
• Children’s Online Privacy Protection Act
• HIPAA/HITECH
• Numerous pending federal bills (See, e.g., S.B. 1193)
Gramm-Leach-Bliley Act
[codified within 15 U.S.C. §§ 6701-81, 6801–27, 6901-10 and elsewhere]
• Applies to financial institutions and requires:
  ◦ Notice of their privacy policies
  ◦ Safeguarding customer information
  ◦ Protection against any threats to records
  ◦ Protection against unauthorized access/use
• “Financial institutions” are businesses engaged in certain financial activities, including banking, lending, insurance and other financial activities
• Prohibited from disclosing “nonpublic personal information” to third parties without (1) providing customers with a notice of privacy practices, and (2) an opportunity to opt out
Federal Trade Commission Act [15 U.S.C. §§ 41-58]
• Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.”
• The FTC has alleged that companies who fail to protect data after promising to do so have acted deceptively.
• The FTC has also prosecuted as unfair a company’s failure to employ reasonable security measures to protect consumers’ personal information. E.g., Wyndham case.
• The FTC has entered into a number of consent orders requiring the defendants to implement information security programs (e.g., B.J.’s Wholesale Club, DSW, Inc., and Card Systems).
• The largest civil money penalty ever assessed by the FTC was $10 million – arising from a data breach of personal financial records from a consumer reporting company that resulted in at least 800 cases of identity theft.
SEC Data Breach Disclosure Guidance
• SEC regulations may require public companies to disclose:
  ◦ Any material cyber-security risks
  ◦ Costs associated with preventing cyber risks
  ◦ Data breaches
  ◦ Legal proceedings pertaining to data breaches
  ◦ Disclosure controls and procedures designed to prevent cyber security risks
Division of Corporation Finance, Securities and Exchange Commission – “CF Disclosure Guidance: Topic No. 2, Cybersecurity”
Fair Credit Reporting Act, Fair and Accurate Transactions Act [15 U.S.C. § 1681 et seq.]
• The Act and its requirements only apply to entities that fall within the definition of a “consumer reporting agency,” and only to products that fall within the definition of a “consumer report.”
• Credit bureaus must ensure that: (1) a consumer’s information is used only for limited purposes; (2) “reasonable procedures” are employed to limit consumer reports to those with a permissible purpose; and (3) the accuracy of information in a consumer’s report.
• “Permissible purposes” include decisions involving credit, insurance, or employment as well as providing reports to persons having “a legitimate business need” for the information in connection with a consumer-oriented transaction.
Fair and Accurate Transactions Act
• The Fair and Accurate Transactions Act (“FACT Act”) amended FCRA to add requirements designed to prevent identity theft and assist identity theft victims.
• The FTC enforces FCRA/FACT and a violation is deemed to be an unfair or deceptive act or practice in violation of section 5(a) of the FTC Act.
• There are various penalties for violating the FCRA: actual damages sustained by a consumer, plus costs and attorneys’ fees; punitive damages for willful violations; fines; and injunctive penalties.
• Carsten v. University of Miami, US Dist. Ct. for the Southern District of Florida, No. 14-cv-20497 (“UM Data Breach Lawsuit”)
State Data Breach Notification Laws
State Statutory Framework Generally
• Personal Information: An individual's first name or first initial and last name plus one or more of the following data elements: (i) SSN, (ii) driver's license or state ID number, and (iii) account number, credit card number or debit card number combined with the PIN/access code.
• Personal Information does not include information that is lawfully publicly available.
• Breach of Security: The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.
State Statutory Framework Generally
• Time-Sensitive Notification: States have differing requirements on when and how notifications must be sent out to individuals.
• Risk of Harm Analysis: Some states allow for exceptions to their notification requirements upon an assessment of the risk of harm to the affected individuals.
• Encryption Safe Harbor: States have different laws affecting the definition of a breach and the notification requirements based on whether the data was encrypted.
• Private Cause of Action: Some states explicitly allow for a private cause of action resulting from a data breach; others explicitly exclude such a cause of action from their statutes.
• Paper or Electronic: States also differ as to whether their laws affect only electronic materials, paper materials, or both.
Contractually Imposed Industry Self-Regulation
• The Payment Card Industry Data Security Standard (PCI DSS) is an industry regulation developed by bank card distributors.
• The PCI DSS requires organizations that handle bank cards to conform to certain security standards, such as maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, monitoring and testing networks, and maintaining an information security policy.
• Entities that fail to comply with PCI DSS face fines and increases in the rates that the credit card companies charge for transactions, and potentially can have their authorization to process payment cards revoked.
• Legislation has been passed in the Texas House mandating compliance with the PCI DSS standard.
Common Law Causes of Action
• Negligence – a number of courts in a number of states have acknowledged a legal duty to secure personal information.
• Negligent misrepresentation – cases have proceeded on the theory that defendants have impliedly represented that they will protect data.
• Contract law claims – where explicit commitments have been made about data security, plaintiffs have sued on those contractual duties.
• Breach of fiduciary duty claims require that plaintiffs show a relationship of trust, but have been used to sue when data breaches have occurred.
• Consumer law claims.
Emerging Enforcement and Litigation
• Target
• Wyndham
• University of Miami
Target Data Breach
• In December 2013, hackers gained access to 70,000,000 users’ credit/debit card information, as well as other PII.
• Data was lifted by uploading malware via Target’s POS devices.
• The data breach triggered so many lawsuits that an MDL was created. So far, 33 lawsuits, in 18 districts, and more than 50 actions and potential tag-along actions have been filed.
• Among other things, Target has been sued by both banks and customers for negligence, violating customers’ privacy rights, breaching fiduciary duties, and for failing to disclose the breach in a timely manner.
• The lawsuits also allege Target failed to meet the PCI Data Security Standard because the three-digit CVV codes were stored on Target’s system in violation of the standard.
• Shareholder derivative suit filed.
• CEO Greg Steinhafel asked to resign.
Wyndham Data Breaches
• From 2008 to 2010, Wyndham sustained three data breaches to more than 600,000 consumer credit/debit card numbers, with over $10 million in known resulting fraud losses.
• The FTC filed enforcement action against Wyndham alleging, among other things, that Wyndham’s failure to implement a reasonable security policy violated § 5(a) of the FTC Act and constituted an unfair trade practice.
• FTC seeks an order compelling Wyndham to improve security and remedy consumer harm caused.
• The New Jersey District Court refused to dismiss: “[T]his Court [refuses] to dismiss the FTC’s complaint on fair notice grounds [because of, among other things,] the FTC’s many public complaints and consent agreements, as well as its public statements and business guidance brochure . . .”.
• Wyndham has moved to certify an interlocutory appeal, with a number of parties filing amici briefs, and the FTC opposing.
Wyndham Data Breaches
• A shareholder derivative lawsuit has been filed against the company’s directors and officers for allowing three data breaches in under two years.
• Among other allegations, the Complaint alleges the company was damaged by Wyndham’s:
  ◦ Failing to have adequate information security policies
  ◦ Using system software that ceased having security updates three years before the first breach
  ◦ Having inappropriately configured software
  ◦ Failing to timely disclose the breaches in financial filings
  ◦ Failing to have internal controls to prevent and detect breaches
• The substantive claims are for breach of fiduciary duty, corporate waste, and unjust enrichment.
University of Miami
• Class action against the University of Miami
• Alleged failure to secure PII (names, DOB, SSN, health info)
• Breach occurred by unauthorized access, by a UM employee, to PII of “thousands of former patients” held in UM’s computer records at an offsite vendor
• The vendor was not sued (so far, no indemnity action by UM)
• UM allegedly failed to timely notify the affected parties of the breach, although it did offer free credit monitoring when the breach was reported
• Class representative suffered financial loss by identity theft (bank account withdrawals, unauthorized purchases, and false tax returns)
University of Miami
• Claims for Relief
  ◦ I. Negligence (breached by failing to safeguard PII and failing to timely notify of breach)
  ◦ II. Negligent Misrepresentation (misrepresented UM would keep PII private/secure)
  ◦ III/IV. FCRA (UM took credit info for establishing eligibility for credit for medical treatments; violated by not having reasonable procedures to safeguard and by allowing access to unauthorized third parties)
  ◦ V. FDUTPA (UM represented there was a secure online environment for PII, which was breached by UM’s failure to take reasonable steps to protect and by failing to timely notify affected patients)
  ◦ VI. Breach of Fiduciary Duty (fiduciary duty to safeguard PII breached by failure to safeguard and notify)
  ◦ VII. Breach of Contract (UM breached contractual duty to keep PII secure and notify of a breach within 60 days)
• UM filed a motion to dismiss the amended complaint, which is fully briefed and remains pending
Many Others
• Snapchat [FTC settlement re: truth of privacy claims]
• LabMD [FTC action over HIPAA covered entity security]
• University of Pittsburgh Medical Center
• Facebook
• Path
• LinkedIn
• eBay [May 21, 2014 – stolen employee login credentials]
• Neiman Marcus [1.1M cards exposed]
• Michaels Stores
Target, Wyndham, and UM – Takeaways
• Even some large businesses have failed to take security as seriously as they should
• Company directors and officers are at risk
• Breaches put the company at risk for reputational harm, FTC liability, damages, and remediation costs
• Data breaches can be massively expensive
• A proper, timely response is critical to the defense of potential enforcement actions or civil claims
• Data breach class actions and shareholder derivative suits are on the rise
Florida Information Protection Act of 2014
New Act Replaces Current Statute
• Current (since 2005): 817.5681, F.S.
  ◦ DLA may seek “administrative fines” up to $500K for failure to report breach promptly if and as required
  ◦ Reporting obligations & penalties are broadly similar to new Act, but with many technical differences
  ◦ No reported enforcement or cases
• New: 501.171(1)-(10), F.S. (SB 1524)
  ◦ Becomes effective 7/1/2014
  ◦ Awaiting Governor action
  ◦ Continues DLA enforcement but broadens duties and scope
• Companion Public Records Exemption: 501.171(11) (SB 1526)
  ◦ Exempts “all information” DLA receives pursuant to (a) required notice OR (b) DLA investigation while “active” – UNLESS DLA discloses.
  ◦ Personal info (defined), proprietary info (defined), “computer forensic report” and “weaknesses … in data security” are exempt indefinitely.
Three Basic Duties
• Protect electronic “personal information”
  ◦ Vaguely worded
• Promptly give notices of “breaches”
  ◦ ‘Recipe’ with many specifics (later slides)
• Dispose of unneeded “customer records”
  ◦ Vague
Key Defined Terms
• Personal Information
• Data in Electronic Form
• Breach of Security
• Customer Records
• Covered Entity
• Governmental Entity
• Third-Party Agent
“Personal Information”
• User name OR email, PLUS password OR security Q&A that “permit[s] access to an online account” [undefined phrase]
OR
• First name or initial AND “last name” AND any of:
  ◦ SSN
  ◦ Gov’t ID number (driver license, passport, military, etc.)
  ◦ Financial account # OR credit or debit card # PLUS password or access or security code
  ◦ ANY medical information
  ◦ Health policy or subscriber # AND “unique identifier used by a health insurer” [undefined]
Two Exclusions from “Personal Info”
• “Information about an individual . . . made publicly available” [undefined] by any [U.S.?] “governmental entity.” (but from context, not “gov’tal entity” as defined)
• Any information “encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.” [no terms defined]
“Covered” & “Governmental” Entities
• “Covered Entity” – Any “commercial entity” that “acquires, maintains, stores, or uses personal information.”
  ◦ May exclude political, charity & some non-profit organizations
  ◦ For breach notice requirements only, also includes “governmental entities”.
  ◦ NOT limited based on location(s) of business or of information storage or use, or on whether the entity transacts business in Florida
• “Governmental Entity” – Any Florida department, division, agency, board, district, etc., or “other instrumentality” of Florida that acquires, maintains, stores or uses electronic personal info.
  ◦ Cities? Counties? Does “division” include “subdivision”?
Two Other Definitions
• “Breach” = “Unauthorized access of data in electronic form containing personal info;” but not “good faith access” by employee or agent if info is not used for “unrelated” purpose and not “subject to further unauthorized use.”
• “Customer Records” = “Any material, regardless of form, on which personal info is recorded or preserved by any means” [for ex., paper], “provided by an individual in this state” [so, not just residents] to purchase, lease or obtain anything.
First Duty: Protect Personal E-Data
• “Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal info.”
• No definition, criteria, examples, or safe harbor for “reasonable measures”
• Effects of changing technologies and mischief
• “Secure” broader or stronger than “protect”?
Second Duty: Give Notices of Breaches
• Subject to limited exceptions, “covered entities” must give “expeditious” notice of all breaches:
  ◦ To Department of Legal Affairs (DLA), if breach “affect[s]” at least 500 individuals in Florida
  ◦ To all affected individuals in Florida, regardless of number – technically, to those “whose personal info was, or the covered entity reasonably believes to have been, accessed”
  ◦ To consumer reporting agencies, if more than 1,000 notified
  ◦ Breach incurred by third-party agent (as defined) treated as breach by its principal
Notice Required to DLA
• “As expeditiously as practicable” within 30 days after “determination of the breach or reason to believe a breach occurred.”
• Up to 15 more days “if good cause for delay” shown
• Substance of notice to DLA –
  ◦ “Synopsis of the events surrounding the breach”
  ◦ Number of individuals in Florida “potentially affected”
  ◦ Free services offered to those affected
  ◦ Copy of notice to affected individuals in Florida
  ◦ DLA can require more info (including “policies in place regarding breaches” and steps taken to rectify)
Notice to Affected Individuals
• To all individuals in Florida whose personal info was, or entity “reasonably believes to have been,” accessed by breach.
• “As expeditiously as possible and without unreasonable delay” in the circumstances, and within 30 days of determination or reasonable belief of breach.
• Must delay per request of a law enforcement agency if agency considers notice interferes with a criminal investigation.
• Exception (“waiver”): Notice not required if entity “reasonably determines” in writing, after an “appropriate investigation” and consulting with law enforcement agencies, that “breach has not and will not likely result in identity theft or other financial harm to” affected individuals. Must furnish such written determination to DLA.
How to Notify Individuals
• By snail mail or email to address in records
• “Substitute notice” OK if over 500K affected individuals OR cost of direct notice over $250K
  ◦ “Conspicuous notice” on website AND published in “major” print and broadcast media in area
• Minimum notice contents –
  ◦ Known or estimated date(s) of breach(es)
  ◦ Description of accessed personal information
  ◦ Contact information for more specifics
Other Notices
• If more than 1,000 individuals “at a single time,” notify consumer credit reporting agencies with nationwide consumer files.
• “Third-party agent” = entity “contracted to maintain, store or process [any] personal info” for a covered or governmental entity.
  ◦ Agent must notify principal of breach within 10 days
  ◦ Principal then proceeds per statute to give notices
  ◦ Violation of Act by agent attributed to principal
Third Duty: Dispose of Old Customer Records
• Each covered entity and third-party agent must “take all reasonable measures to dispose . . . of customer records containing personal information within its custody or control when the records are no longer to be retained.”
• Retention time based on other law or policy?
• Dispose by shredding, erasing “or otherwise modifying” personal info so it is “unreadable or undecipherable through any means.”
• No definitions, criteria, examples, or safe harbor.
Enforcement by DLA
• New 501.171 is not part of FDUTPA, but in an action DLA brings under 501.207, any violation of the Act is “an unfair or deceptive trade practice”.
• Per 501.207, DLA may bring actions –
  ◦ For declaration that any act or practice is a violation
  ◦ To enjoin anyone committing past or present violation or who “is otherwise likely to violate” in the future
  ◦ On behalf of consumers or government for their “actual damages” caused by a violation [no punitive damages]
More on DLA Enforcement
• If violator shows violation “resulted from bona fide error” despite reasonable procedures to avoid error, liable only for “unjust enrichment”.
• DLA or “any interested party” may move for other equitable remedies, including inter alia:
  ◦ appointment of magistrate or receiver
  ◦ sequestration or freezing of assets
  ◦ reimburse damaged consumers
  ◦ adhere to consumers’ “reasonable expectations”
  ◦ strike or limit “unconscionable” provisions
  ◦ divest interest in enterprise
Further on Enforcement
• Failure to notify DLA or public as required: DLA recovers “civil penalty” up to $500K depending on duration of violation
• “Per breach and not per individual affected”
• Can DLA recover its legal fees and costs under 501.2075 if it recovers a civil penalty? Unclear
• No private cause of action under 501.171
• BUT, does the Act create standards of care on which private plaintiffs can base tort actions?
Data Risk Developments in the European Union
1) EU Data Protection Fundamentals
2) Draft EU Data Protection Regulation
3) Safe Harbor Controversy
4) European Court of Justice Judgment on Google Search
1) EU Data Protection Fundamentals
• Data Protection Directive 1995
  ◦ Establishes the baseline rules on how data is processed (including how it is obtained, retrieved, recorded, used, disclosed, stored and erased).
  ◦ Applies to all types of personal data: employee, customer, supplier.
  ◦ Applies directly to European subsidiaries of US companies in their domestic processing of personal data.
  ◦ Each EU Member State has implemented the Directive with a national flavor, and there are some significant substantive and procedural differences among Member States within the EU.
  ◦ The European Commission (“Commission”) has proposed sweeping changes to this Directive through the introduction of a Data Protection Regulation that will be directly applicable in each Member State (see Section C).
1) EU Data Protection Fundamentals (cont’d)
EU Data Protection Principles
There are 8 core data protection principles that must be respected by all companies processing EU personal data:
1. Personal data must be processed fairly and lawfully
2. Personal data shall be obtained and used for one or more specified purposes that have been notified to individuals (e.g. in a privacy policy)
3. Personal data shall be adequate, relevant and not excessive
4. Personal data shall be accurate, and where necessary, kept up-to-date
5. Personal data shall not be kept for longer than is necessary
6. Personal data shall be processed in accordance with the rights of data subjects (e.g. data subjects have the right to access and require rectification or deletion of their personal data)
7. Technical and organisational measures must be taken to prevent misuse, loss, damage or unlawful processing of personal data (higher security is required for sensitive data)
8. No transfer of personal data outside of the EEA (subject to exceptions)
1) EU Data Protection Fundamentals (cont’d)
Comparison to US approach
• In contrast to US practice, protection of personal data is considered a fundamental human right in the EU.
  ◦ In the EU, there is a horizontal approach to regulation covering all industries and the rules are prescriptive – requiring compliance by EU companies with various procedural and substantive rules.
• The EU prohibits the transfer of EU personal data to points outside the EU (and this includes remote access to EU personal data from points outside the EU), unless specified conditions are met.
• The transfer of personal data within a corporate group or partnership is also caught by the prohibition/required conditions.
• US-EU Safe Harbor, EU Model Clauses and Binding Corporate Rules
2) Draft Data Protection Regulation
• A new and highly controversial Regulation on data protection is currently being debated by the EU institutions and, if adopted, will become directly enforceable law in all EU Member States.
Highlights
• Scope/Jurisdiction:
  ◦ The Regulation will apply to businesses with no physical presence in the EU if they process personal data in connection with the provision of services to or the monitoring of individuals in the EU.
  ◦ The Regulation will apply even if the processing takes place outside the EU and even if no payment by the data subject is required.
  ◦ Requirement for data subjects to be resident in the EU removed
    – Could apply where data subjects are temporarily travelling in the EU
• Sanctions:
  ◦ Maximum fines of up to EUR 100 Million or 5% of global turnover (whichever is higher) for serious breaches.
  ◦ Private right of action for victims – non-pecuniary damage is covered.
2) Draft Data Protection Regulation (cont’d)
International Data Transfers:
• If a non-EU government/court (e.g. under the Patriot Act) requests a company to disclose EU personal data, then, unless international treaties allow for such disclosure, the data controller or processor must:
  ◦ notify the data protection authority without undue delay;
  ◦ obtain prior authorization for the disclosure/transfer (based on public interest or in respect of legal claims); and
  ◦ inform the relevant data subject(s).
• As a result, companies operating outside the EU but storing/processing EU data will face a conflict of laws when deciding how to respond to non-EU regulatory requests.
  ◦ For example, a company in the US could face contempt of court and criminal sanctions for failing to respond to US requests, or large fines from the EU if they do comply.
• There is also a proposal to “sunset” the existing authorisation procedures (Safe Harbor adequacy decisions and standard clauses) after 5 years:
  ◦ This raises issues about impact on long-term cloud and other outsourcing agreements involving international transfers from the EU.
2) Draft Data Protection Regulation (cont’d)
European Data Protection Seal (EDPS):
• The EDPS is a new concept and is essentially a certification programme allowing data controllers/processors to have their activities audited and certified by DPAs or accredited third parties.
• Companies can rely on the EDPS as an adequate basis for transfers of data outside of the EEA to recipients that also hold an EDPS.
• The EDPS provides an exemption from fines for non-compliance with the Regulation in the absence of intentional or negligent conduct.
• The EDPS will be valid for up to 5 years.
2) Draft Data Protection Regulation (cont’d)
• Privacy by Design/Default:
  ◦ Data controllers and processors will be required to embed “appropriate and proportionate technical and organisational measures and procedures” having “particular regard to the entire lifecycle management of personal data from collection to processing to deletion”.
  ◦ Such measures may include default settings, checklists, signoffs and certifications.
• Data Portability:
  ◦ Data controllers will be required to provide electronically processed data to individuals or to another controller on request “in an electronic and interoperable format” to facilitate moving data between service providers.
  ◦ Right to data portability would be merged with the right of data subjects to access their personal data.
2) Draft Data Protection Regulation (cont’d)
• Data Protection Officers (DPOs) / Privacy Impact Assessments (PIAs):
  ◦ The appointment of a DPO and the carrying out of a PIA is required where:
    – data is processed in respect of more than 5000 data subjects in the EU during any consecutive 12 month period; or
    – the core processing of the business relates to sensitive data, location data, or data relating to children or employees in large filing systems.
  ◦ DPOs must be appointed for at least 4 years (for employees) or 2 years (where the role is outsourced to a contractor).
• Data Breach Notification:
  ◦ The Regulation provides for mandatory data breach notification to local DPAs and victims “without undue delay” (note that there is a separate regime for telecoms companies which must report breaches within 24 hours of detection).
2) Draft Data Protection Regulation (cont’d)
• Profiling/Big Data:
  ◦ Notices about profiling must be highly visible and individuals must have the opportunity to object.
  ◦ Where profiling significantly affects an individual's rights, it will only be allowed: (1) where the individual's explicit consent is obtained; (2) where provided for by law (EU or MS); or (3) where necessary to conclude or perform a contract (provided there are suitable safeguards).
  ◦ Profiling based solely on sensitive data or which has the effect of discriminating against individuals (such as that based on race or political opinions) is prohibited.
  ◦ Profiling based on pseudonymous data is acceptable provided the data cannot be linked to a specific individual.
  ◦ Guidelines to be issued by the European Data Protection Board
2) Draft Data Protection Regulation (cont’d)
• Right to Erasure:
  ◦ If an individual requests that their personal data be erased, and the data is no longer necessary for the purposes for which it was collected or there is no remaining legal ground for processing it, the data controller must, without delay:
    1. erase all personal data relating to that individual and prevent further dissemination; and
    2. forward the request to other third-party providers (e.g. cloud providers) who maintain the same data on the individual and request that all links to and copies of such data be erased.
  ◦ Processing should be restricted where the particular type of storage technology does not allow for erasure and has been installed prior to entry into force of the Regulation.
• Explicit Consent:
  ◦ Consent of data subjects must be explicit and withdrawing consent must be as easy as giving it.
2) Draft Data Protection Regulation (cont’d)
Timing/Prognosis
• Draft regulation was first proposed by the EU Commission in January 2012.
• In March 2014, the European Parliament adopted the current draft of the Regulation. The Parliament’s position is now set in stone (regardless of the new composition of the Parliament following EU elections in May).
• To become law, the Draft Regulation must now be adopted by the Council of Ministers, who do still need to agree their position.
• The target adoption date for the new Regulation is the end of 2014 (with a two year implementation period before it becomes enforceable), but this is highly ambitious and will depend on the outcome of upcoming EU elections.
• Some EU Member States are trying to block the Regulation and are instead pushing for a watered-down Directive that each Member State would need to transpose into their own law (UK, Sweden, Czech Republic and Hungary).
3) Safe Harbor Controversy
• In November 2013, the European Commission made 13 recommendations to the US-EU Safe Harbor framework to restore the trust in data flows between the US and the EU, including:
  ◦ Making Safe Harbor more transparent (e.g. by requiring self-certified companies to publicly disclose their privacy policies);
  ◦ Ensuring that all Safe Harbor self-certified companies offer an Alternative Dispute Resolution mechanism in their privacy policy;
  ◦ Actively enforcing and auditing compliance with the Safe Harbor scheme;
  ◦ Clarifying the circumstances under which US authorities may access EU personal data processed by a Safe Harbor self-certified company.
3) Safe Harbor Controversy (cont’d)
• The European Commission expects its
Recommendations to be implemented by the
summer of 2014.
◦ The Commission will then decide whether to maintain,
modify, suspend or revoke the Safe Harbor framework.
• On 12 March 2014, the European Parliament
passed a resolution calling for the immediate
suspension of the Safe Harbor mechanism.
◦ However, the underlying agreements were entered into
by the Commission; only the Commission has the
power to decide the future of the Safe Harbor
framework.
• The Council of Ministers is discussing "alternative" models
for safeguarding international data transfers:
◦ A mix of self-certification systems and government-led
approvals.
4) European Court of Justice Judgment on
Google Search
• Complaint filed in a Spanish court by a lawyer whose
past debt problems had long since been resolved.
• The question of EU data protection law was referred by
the Spanish court to the European Court of Justice
(ECJ).
• The ECJ ruled on 13 May 2014 that individuals have a
right to ask search engines to remove links
containing personal data about them if the
information about the individual is "inadequate,
irrelevant or no longer relevant, or excessive",
unless there is an overriding public interest in
maintaining access to the data.
• The ECJ held that Google is subject to EU data
protection law because its Spanish subsidiary
promotes and sells advertising space on the
search engine, and personal data is processed and
controlled in the context of that activity.
• This highly controversial landmark decision must now
be applied by the Spanish court.
• Implementation questions abound!
Practical Compliance Tips and Best
Practices for Data Breach Response
Data Breach Preparedness and Response
• Prepare
◦ Compliance "Health Check"
◦ Enact/Revise/Update Internal Policies and Processes
◦ Conduct Risk Assessments
– Analyze internal security strength, audits and policies
– Assess the strength of vendors, suppliers and partners, and evaluate
contracts
◦ Formulate a Data Breach Response Plan
– Crisis Response Team (internal and external)
– Conduct breach response drills annually
◦ Insure
– Consider a cyber risk policy to augment existing coverages
• Prevent
◦ Physical/Technical/Organizational Security Measures
◦ Develop Privacy/Cyber Strategies and Address BYOD
Data Breach Preparedness and Response
• Detect and Respond
◦ Assign Incident Manager (privacy or operations officer)
◦ Assemble Incident Response Team
◦ Notify Insurers
◦ Validate the Breach & Establish Severity of Incident
◦ Identify and Implement Initial Mitigation Measures
◦ Identify and Preserve Evidence & Conduct Internal
Investigation
◦ Analyze whether to involve potentially responsible partners,
vendors, or other third parties [cloud providers, web hosts,
software providers, etc.]
Data Breach Preparedness and Response
◦ Breach Notification Assessment – review applicable state and
federal laws and industry standards
– State analysis – does the incident fit within state law requirements?
– If it does, assess who must be notified (individuals, partners,
investors, law enforcement, attorney general, agencies)
– If notification is not mandatory, is it otherwise advisable?
– Consider the means of notification (e-mail, mail, advertisement,
media)
◦ Prepare notification
– Sample letter to each recipient (individuals, government, etc.)
– Be inclusive and avoid piecemeal notifications where possible
◦ Media/PR Strategy
• Recover and Fortify [root cause analysis, fix issues,
update policies]
• Consider Legal Privilege [structure communications and
activities to maximize the applicability of privilege]
“Cyberliability” Insurance in a Very
Small Nutshell
Main Loss Exposures to Claimants
• To Private Claimants
◦ Invasion of Privacy / Identity Theft & Losses
◦ Negligence, Recklessness, Emotional Distress
◦ Lost / Damaged Data (stored or processed for others)
◦ Damage to or infringement of others' software,
proprietary information, trade secrets, or other IP
◦ D&O and other personal liability
◦ Reimbursement of businesses serving customers, e.g. banks
• To Government Authorities
◦ Required Reporting to Multiple Jurisdictions
◦ Investigations, Enforcement Actions, Fines
Internal Costs and Losses
• Investigating Breach & Circumstances: Reports
• Forensics & Consultants
• Remedial Measures & Enhancements
• Damage to Systems & Hardware
• Notices to & communications with customers
• ‘Free’ services e.g. credit monitoring
• Crisis management and media relations
• Business interruption and lost revenues
• Long term restoration of goodwill & reputation
Policies with Potential Coverage
• Commercial General Liability (CGL)
• Commercial Property / Business Interruption
• Errors & Omissions (E&O)
• ‘Professional’ Services Liability
• Directors & Officers (D&O)
• Fiduciary or Crime
• Specialized “Cyber” Policies -- New
Are My Cyber Risks Covered by Other Insurances?
[Chart: coverage matrix for the policies listed above; legend: No Cover Provided / Possible Cover Provided / Cover Provided]
Questions
Ann J. LaFrance
Partner, Squire Sanders
T +44 20 7655 1752
ann.lafrance@squiresanders.com
Andrew R. Kruppa
Partner, Squire Sanders
T +1 305 577 7712
andrew.kruppa@squiresanders.com
Gary P. Timin
Partner, Squire Sanders
T +1 305 577 2860
gary.timin@squiresanders.com