How Safe Is Your Data? Top Data Protection Issues Keeping Executives Awake at Night Ann LaFrance (London) Andy Kruppa (Miami) Gary Timin (Miami) 39 Offices in 19 Countries May 22, 2014 Agenda • Overview • US Cyber Risk Developments and Laws • Florida Information Protection Act of 2014 • Data Protection Developments in the European Union • Practical Compliance Tips and Best Practices for Data Breach Response • Cyber Risk Insurance Issues • Questions 2 • “[W]e don’t see any industries flying completely under the radar. And that’s the real takeaway here – everyone is vulnerable to some type of [data breach] event.” – [Verizon’s 2014 Data Breach Investigations Report] • Examples: Adobe [153 million user accounts], Bell Canada, Gawker [1.3 million users], Snapchat [4.6 million users], Sony [multiple breaches], Vodafone, Yahoo, Target, etc. 3 • The top nine sources of data breaches are the following: POS intrusions, attacks on web applications, insider misuse, physical theft/loss, errors, crimeware, card skimmers, denial of service attacks, and cyber-espionage. The Cost of Services to Respond to a Data Breach • The cost of a data breach is on the rise • Corporate Counsel reports the average two year cost rose in the US by 8% to $5.85M in 2013 • The average cost per record was $201 • In Europe the reported average two year cost was $3.5M ($145/record) 4 US Cyber Risk Developments and Laws 39 Offices in 19 Countries Federal Statutory Framework • Gramm-Leach-Bliley Act • Federal Trade Commission Act • Fair Credit Reporting Act/FACTA • SEC disclosure requirements • Federal Sector Requirements (not going to be addressed here) Privacy Act Federal Information Security Management Act OMB’s Breach Notification Policy Veterans Affairs Information Security Act • Children’s Online Privacy Protection Act • HIPAA/HITECH • Numerous pending federal bills (See, e.g., S.B. 1193) 6 Gramm-Leach-Bliley Act [codified within 15 U.S.C. §§ 6701-81, 6801–27, 6901-10 and elsewhere] • For financial institutions and requires: Notice of their privacy policies Safeguarding customer information Protection against any threats to records Protection against unauthorized access/use • “Financial institutions” are businesses engaged in certain financial activities, including banking, lending, insurance and other financial activities • Prohibited from disclosing “nonpublic personal information” to third parties without (1) providing customers with a notice of privacy practices, and (2) an opportunity to opt-out 7 Federal Trade Commission Act [15 U.S.C. §§ 41-58] • Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” • The FTC has alleged that companies who fail to protect data after promising to do so have acted deceptively. • The FTC has also prosecuted as unfair a company’s failure to employ reasonable security measures to protect consumers’ personal information. E.g., Wyndham case. • The FTC has entered into a number of consent orders requiring the defendants to implement information security programs (e.g., B.J.’s Wholesale Club, DSW, Inc., and Card Systems). • The largest civil money penalty ever assessed by the FTC was $10 million – arising from a data breach of personal financial records from a consumer reporting company that resulted in at least 800 cases of identity theft. 8 SEC Data Breach Disclosure Guidance • SEC regulations may require public companies to disclose: Any material cyber-security risks Costs associated with preventing cyber risks Data breaches Legal proceedings pertaining to data breaches Disclosure control and procedures designed to prevent cyber security risks Division of Corporation Finance, Securities and Exchange Commission – “CF Disclosure Guidance: Topic No. 2, Cybersecurity” 9 Fair Credit Reporting Act, Fair and Accurate Transactions Act [15 U.S.C. § 1681 et seq.] • The Act and its requirements only apply to entities that fall within the definition of a “consumer reporting agency,” and only to products that fall within the definition of a “consumer report.” • Credit bureaus must ensure that: (1) a consumer’s information is used only for limited purposes; (2) “reasonable procedures” are employed to limit consumer reports to those with a permissible purpose; and (3) the accuracy of information in a consumer’s report. 10 • “Permissible purposes” include decisions involving credit, insurance, or employment as well as providing reports to persons having “a legitimate business need” for the information in connection with a consumer-oriented transaction. Fair and Accurate Transactions Act • The Fair and ACcurate Transactions Act (“FACT Act”) amended FCRA, to add requirements designed to prevent identity theft and assist identity theft victims. • The FTC enforces FCRA/FACT and a violation is deemed to be an unfair or deceptive act or practice in violation of section 5(a) of the FTC Act. • There are various penalties for violating the FCRA: actual damages sustained by a consumer, plus costs and attorneys fees; punitive damages for willful violations; fines; and injunctive penalties. • Carsten v. University of Miami, US Dist. Ct. for the Southern District of Florida, No. 14-cv-20497 (“UM Data Breach Lawsuit”) 11 State Data Breach Notification Laws 12 State Statutory Framework Generally • Personal Information: An individual's first name or first initial and last name plus one or more of the following data elements: (i) SSN, (ii) driver's license or state ID number, and (iii) account number, credit card number or debit card number combined with the PIN/access code. • Personal Information does not include information that is lawfully publicly available. • Breach of Security: The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information. 13 State Statutory Framework Generally • Time-Sensitive Notification: States have differing requirements on when and how notifications must be sent out to individuals. • Risk of Harm Analysis: Some states allow for exceptions to their notification requirements upon an assessment of the risk of harm to the affected individuals. • Encryption Safe Harbor: States have different laws affecting the definition of a breach and the notification requirements based on whether the data was encrypted. • Private Cause of Action: Some states explicitly allow for a private cause of action resulting from a data breach; others explicitly exclude such a cause of action from their statutes. • Paper or Electronic: States also differ as to whether their laws affect only electronic materials, paper materials, or both. 14 Contractually Imposed Industry Self-Regulation • The Payment Card Industry Data Security Standard (PCI DSS) is an industry regulation developed by bank card distributors. • The PCI DSS requires organizations that handle bank cards to conform to certain security standards, such as maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, monitoring and testing networks, and maintaining an information security policy. • Entities that fail to comply with PCI DSS face fines and increases in the rates that the credit card companies charge for transactions, and potentially can have their authorization to process payment cards revoked. • Legislation has been passed in the Texas House mandating compliance with the PCI DSS standard. 15 Common Law Causes of Action • Negligence – a number of courts in a number of states have acknowledged a legal duty to secure personal information. • Negligent misrepresentation – cases have proceeded on the theory that defendants have impliedly represented that they will protect data. • Contract law claims – where explicit commitments have been made about data security, plaintiffs have sued on those contractual duties. • Breach of fiduciary duty claims require that Plaintiffs show a relationship of trust, but have been used to sue when data breaches have occurred. • Consumer law claims. 16 Emerging Enforcement and Litigation • Target • Wyndham • University of Miami 17 Target Data Breach • In December 2013, hackers gained access to 70,000,000 users’ credit/debit card information, as well as other PII. • Data was lifted by uploading malware via Target’s POS devices. • The data breach triggered so many lawsuits that an MDL was created. So far, 33 lawsuits, in 18 districts, and more than 50 actions and potential tag-along actions have been filed. • Among other things, Target has been sued by both banks and customers for negligence, violating customer’s privacy rights, breaching fiduciary duties, and for failing to disclose the breach in a timely manner. • The lawsuits also allege Target failed to meet the PCI Data Security Standard because the three-digit CVV codes were stored on Target’s system in violation of the standard. • Shareholder derivative suit filed. • CEO Greg Steinhafel asked to resign. 18 Wyndham Data Breaches • From 2008 to 2010, Wyndham sustained three data breaches to more than 600,000 consumer credit/debit card numbers, with over $10 million in known resulting fraud losses. • The FTC filed enforcement action against Wyndham alleging, among other things, that Wyndham’s failure to implement a reasonable security policy violated § 5(a) of FTC Act and constituted an unfair trade practice. • FTC seeks an order compelling Wyndham to improve security and remedy consumer harm caused. • The New Jersey District Court refused to dismiss: “[T]his Court [refuses] to dismiss the FTC’s complaint on fair notice grounds [because of, among other things,] the FTC’s many public complaints and consent agreements, as well as its public statements and business guidance brochure . . .”. • Wyndham has moved to certify an interlocutory appeal, with a number of parties filing amici briefs, and the FTC opposing. 19 Wyndham Data Breaches • A shareholder derivative lawsuit has been filed against the company’s directors and officers for allowing three data breaches in under two years. • Among other allegations, the Complaint alleges the company was damaged by Wyndham’s: Failing to have adequate information security policies Using system software that ceased having security updates three years before the first breach Having inappropriately configured software Failing to timely disclose the breaches in financial filings Failing to have internal controls to prevent and detect breaches • The substantive claims are for breach of fiduciary duty, corporate waste, and unjust enrichment. 20 University of Miami • Class action against the University of Miami • Alleged failure to secure PII (names, DOB, SSN, health info) • Breach occurred by unauthorized access to PII of “thousands of former patients” by a UM employee of UM’s computer records at an offsite vendor • The vendor was not sued (so far, no indemnity action by UM) • UM allegedly failed to timely notify the affected parties of the breach, although it did offer free credit monitoring when the breach was reported • Class representative suffered financial loss by identify theft (bank account withdrawals, unauthorized purchases, and false tax returns) 21 University of Miami • Claims for Relief I. Negligence (breached by failing to safeguard PII and failing to timely notify of breach) II. Negligent Misrepresentation (misrepresented UM would keep PII private/secure) III/IV. FCRA (UM took credit info for establishing eligibility for credit for medical treatments; violated by not having reasonable procedures to safeguard and by allowing access to unauthorized third-parties) V. FDUTPA (UM represented there was a secure online environment for PII, which was breached by UM’s failure to take reasonable steps to protect and by failing to timely notify affected patients) VI. Breach of Fiduciary Duty (fiduciary duty to safeguard PII breached by failure to safeguard and notify) VII. Breach of Contract (UM breached contractual duty to keep PII secure and notify of a breach within 60-days) • UM filed a motion to dismiss the amended complaint, which is fully brief and remains pending 22 Many Others • Snapchat [FTC settlement re: truth of privacy claims] • LabMD [FTC action over HIPAA covered entity security] • University of Pittsburgh Medical Center • Facebook • Path • LinkedIn • Ebay [May 21, 2014 – stolen employee login credentials] • Nieman Marcus [1.1 M cards exposed] • Michaels Stores 23 Target, Wyndham, and UM – Take Aways • Even some large business have failed to take security as seriously as they should • Company directors and officers are at risk • Put the company at risk for reputational harm, FTC liability, damages, remediation costs • Data breaches can be massively expensive • A proper timely response is critical to defense of potential enforcement actions or civil claims • Data breach class actions and shareholder derivative suits are on the rise 24 Florida Information Protection Act of 2014 39 Offices in 19 Countries New Act Replaces Current Statute • Current (since 2005): 817.5681, F.S. DLA may seek “administrative fines” up to $500K for failure to report breach promptly if and as required Reporting obligations & penalties are broadly similar to new Act, but with many technical differences No reported enforcement or cases • New: 501.171(1)-(10), F.S. (SB 1524) Becomes effective 7/1/2014 Awaiting Governor action Continues DLA enforcement but broadens duties and scope • Companion Public Records Exemption: 501.171(11) (SB 1526) Exempts “all information” DLA receives pursuant to (a) required notice OR (b) DLA investigation while “active” – UNLESS DLA discloses. Personal info (defined), proprietary info (defined), “computer forensic report” and “weaknesses … in data security” are exempt indefinitely. 26 Three Basic Duties • Protect electronic “personal information” Vaguely worded • Promptly give notices of “breaches” ‘Recipe’ with many specifics (later slides) • Dispose of unneeded “customer records” Vague 27 Key Defined Terms • Personal Information • Data in Electronic Form • Breach of Security • Customer Records • Covered Entity • Governmental Entity • Third-Party Agent 28 “Personal Information” • User name OR email, PLUS password OR security Q&A that “permit[s] access to an online account” [undefined phrase] OR • First name or initial AND “last name” AND any of: SSN Gov’t ID number (driver license, passport, military, etc) Financial account # OR credit or debit card # PLUS password or access or security code ANY medical information Health policy or subscriber # AND “unique identifier used by a health insurer” [undefined] 29 Two Exclusions from “Personal Info” • “Information about an individual . . . made publicly available” [undefined] by any [U.S.?] “governmental entity.” (but from context, not “gov’tal entity” as defined) • Any information “encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.” [no terms defined] 30 “Covered” & “Governmental” Entities • “Covered Entity” – Any “commercial entity” that “acquires, maintains, stores, or uses personal information.” May exclude political, charity & some non-profit organizations For breach notice requirements only, also includes “governmental entities”. NOT limited based on location(s) of business or of information storage or use or whether transaction business in Florida • “Governmental Entity” – Any Florida department, division, agency, board, district, etc, or “other instrumentality” of Florida that acquires, maintains, stores or uses electronic personal info. Cities? Counties? Does “division” include “subdivision”? 31 Two Other Definitions • “Breach” = “Unauthorized access of data in electronic form containing personal info;” but not “good faith access” by employee or agent if info is not used for “unrelated” purpose and not “subject to further unauthorized use.” • “Customer Records” = “Any material, regardless of form, on which personal info is recorded or preserved by any means” [for ex., paper], “provided by an individual in this state” [so, not just residents] to purchase, lease or obtain anything. 32 First Duty: Protect Personal E-Data • “Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal info.” • No definition, criteria, examples, or safe harbor for “reasonable measures” • Effects of changing technologies and mischief • “Secure” broader or stronger than “protect”? 33 Second Duty: Give Notices of Breaches • Subject to limited exceptions, “covered entities” must give “expeditious” notice of all breaches: To Department of Legal Affairs (DLA), if breach “affect[s]” at least 500 individuals in Florida To all affected individuals in Florida, regardless of number – technically, to those “whose personal info was, or the covered entity reasonably believes to have been, accessed” To consumer reporting agencies, if more than 1,000 notified Breach incurred by third-party agent (as defined) treated as breach by its principal 34 Notice Required to DLA • “As expeditiously as practicable” within 30 days after “determination of the breach or reason to believe a breach occurred.” • Up to 15 more days “if good cause for delay” shown • Substance of notice to DLA – “Synopsis of the events surrounding the breach” Number of individuals in Florida “potentially affected” Free services offered to those affected Copy of notice to affected individuals in Florida DLA can require more info (inclg “policies in place regarding breaches” and steps taken to rectify) 35 Notice to Affected Individuals • To all individuals in Florida whose personal info was, or entity “reasonably believes to have been,” accessed by breach. • “As expeditiously as possible and without unreasonable delay” in the circumstances, and within 30 days of determination or reasonable belief of breach. • Must delay per request of a law enforcement agency if agency considers notice interferes with a criminal investigation. • Exception (“waiver”): Notice not required if entity “reasonably determines” in writing, after an “appropriate investigation” and consulting with law enforcement agencies, that “breach has not and will not likely result in identity theft or other financial harm to” affected individuals. Must furnish such written determination to DLA. 36 How to Notify Individuals • By snail mail or email to address in records • “Substitute notice” OK if over 500K affected individuals OR cost of direct notice over $250K “Conspicuous notice” on website AND published in “major” print and broadcast media in area • Minimum notice contents – Known or estimated date(s) of breach(es) Description of accessed personal information Contact information for more specifics 37 Other Notices • If more than 1,000 individuals “at a single time,” notify consumer credit reporting agencies with nationwide consumer files. • “Third-party agent” = entity “contracted to maintain, store or process [any] personal info” for a covered or governmental entity. Agent must notify principal of breach w/n 10 days Principal then proceeds per statute to give notices Violation of Act by agent attributed to principal 38 Third Duty: Dispose of Old Customer Records • Each covered entity and third-party agent must “take all reasonable measures to dispose . . . of customer records containing personal information within its custody or control when the records are no longer to be retained.” • Retention time based on other law or policy? • Dispose by shredding, erasing “or otherwise modifying” personal info so it is “unreadable or undecipherable through any means.” • No definitions, criteria, examples, or safe harbor. 39 Enforcement by DLA • New 501.171 is not part of FDUTPA, but in an action DLA brings under 501.207, any violation of Act is “an unfair or deceptive trade practice”. • Per 501.207, DLA may bring actions – For declaration that any act or practice is a violation To enjoin anyone committing past or present violation or who “is otherwise likely to violate” in the future On behalf of consumers or government for their “actual damages” caused by a violation [no punitive damages] 40 More on DLA Enforcement • If violator shows violation “resulted from bona fide error” despite reasonable procedures to avoid error, liable only for “unjust enrichment”. • DLA or “any interested party” may move for other equitable remedies, including inter alia: appointment of magistrate or receiver sequestration or freezing of assets reimburse damaged consumers adhere to consumers’ “reasonable expectations” strike or limit “unconscionable” provisions divest interest in enterprise 41 Further on Enforcement • Failure to notify DLA or public as required: DLA recovers “civil penalty” up to $500K depending on duration of violation • “Per breach and not per individual affected” • Can DLA recover its legal fees and costs under 501.2075 if it recovers a civil penalty? Unclear • No private cause of action under 501.171 • BUT, does Act create standards of care on which private plaintiffs can base tort actions? 42 Data Risk Developments in the European Union 1) EU Data Protection Fundamentals 2) Draft EU Data Protection Regulation 3) Safe Harbor Controversy 4) European Court of Justice Judgment on Google Search 39 Offices in 19 Countries 1) EU Data Protection Fundamentals 39 Offices in 19 Countries 1) EU Data Protection Fundamentals • Data Protection Directive 1995 Establishes the baseline rules on how data is processed (including how it is obtained, retrieved, recorded, used, disclosed, stored and erased). Applies to all types of personal data: employee, customer, supplier. Applies directly to European subsidiaries of US companies in their domestic processing of personal data. Each EU Member State has implemented the Directive with a national flavor, and there are some significant substantive and procedural differences among Member States within the EU. The European Commission (“Commission”) has proposed sweeping changes to this Directive through the introduction of a Data Protection Regulation that will be directly applicable in each Member State (see Section C). 45 1) EU Data Protection Fundamentals (cont’d) EU Data Protection Principles There are 8 core data protection principles that must be respected by all companies processing EU personal data: 1. Personal data must be processed fairly and lawfully 2. Personal data shall be obtained and used for one or more specified purposes that have been notified to individuals (e.g. in a privacy policy) 3. Personal data shall be adequate, relevant and not excessive 4. Personal data shall be accurate, and where necessary, kept up-to-date 5. Personal data shall not be kept for longer than is necessary 6. Personal data shall be processed in accordance with the rights of data subjects (e.g. data subjects have the right to access and require rectification or deletion of their personal data) 7. Technical and organisational measures must be taken to prevent, misuse, loss, damage or unlawful processing of personal data (higher security is required for sensitive data) 8. No transfer of personal data outside of the EEA (subject to exceptions) 46 1) EU Data Protection Fundamentals (cont’d) Comparison to US approach • In contrast to US practice, protection of personal data is considered a fundamental human right in the EU. In the EU, there is a horizontal approach to regulation covering all industries and the rules are prescriptive – requiring compliance by EU companies to various procedural and substantive rules. • The EU prohibits the transfer of EU personal data to points outside the EU (and this includes remote access to EU personal data from points outside the EU), unless specified conditions are met. • The transfer of personal data within a corporate group or partnership is also caught by the prohibition/required conditions. • US-EU Safe Harbor, EU Model Clauses and Binding Corporate Rules 47 2) Draft EU Data Protection Regulation 39 Offices in 19 Countries 2) Draft Data Protection Regulation • A new and highly controversial Regulation on data protection is currently being debated by the EU institutions and, if adopted, will become directly enforceable law in all EU Member States. Highlights • Scope/Jurisdiction: The Regulation will apply to businesses with no physical presence in the EU if they process personal data in connection with the provision of services to or the monitoring of individuals in the EU. The Regulation will apply even if the processing takes place outside the EU and even if no payment by the data subject is required. Requirement for data subjects to be resident in the EU removed – Could apply where data subjects are temporarily travelling in the EU • Sanctions: Maximum fines of up to EUR 100 Million or 5% of global turnover (whichever is higher) for serious breaches. Private right of action for victims - non-pecuniary damage is covered. 49 2) Draft Data Protection Regulation (cont’d) International Data Transfers: • If a non-EU government/court (e.g. under the Patriot Act) requests a company to disclose EU personal data, then, unless international treaties allow for such disclosure, the data controller or processor must: notify the data protection authority without undue delay; obtain prior authorization for the disclosure/transfer (based on public interest or in respect of legal claims); and inform the relevant data subject(s). • As a result, companies operating outside the EU but storing/processing EU data will face a conflict of laws when deciding how to respond to nonEU regulatory requests. For example, a company in the US could face contempt of court and criminal sanctions for failing to respond to US requests, or large fines from the EU if they do comply. • There is also a proposal to “sunset” the existing authorisation procedures (Safe Harbor adequacy decisions and standard clauses) after 5 years: This raises issues about impact on long-term cloud and other outsourcing agreements involving international transfers from the EU. 50 2) Draft Data Protection Regulation (cont’d) European Data Protection Seal (EDPS): 51 • The EDPS is a new concept and is essentially a certification programme allowing data controllers/processors to have their activities audited and certified by DPAs or accredited third parties. • Companies can rely on the EDPS as an adequate basis for transfers of data outside of the EEA to recipients that also hold an EDPS. • The EDPS provides an exemption from fines for non-compliance with the Regulation in the absence of intentional or negligent conduct. • The EDPS will be valid for up to 5 years. 2) Draft Data Protection Regulation (cont’d) • Privacy by Design/Default: Data controllers and processors will be required to embed “appropriate and proportionate technical and organisational measures and procedures” having “particular regard to the entire lifecycle management of personal data from collection to processing to deletion”. Such measures may include default settings, checklists, signoffs and certifications. • Data Portability: Data controllers will be required to provide electronically processed data to individuals or to another controller on request “in an electronic and interoperable format” to facilitate moving data between service providers. Right to data portability would be merged with the right of data subjects to access their personal data. 52 2) Draft Data Protection Regulation (cont’d) • Data Protection Officers (DPOs) / Privacy Impact Assessments (PIAs): The appointment of a DPO and the carrying out of a PIA is required where: – data is processed in respect of more than 5000 data subjects in the EU during any consecutive 12 month period; or – where the core processing of the business relates to sensitive data, location data, or data relating to children or employees in large filing systems. DPOs must be appointed for at least 4 years (for employees) or 2 years (where the role is outsourced to a contractor). • Data Breach Notification: The Regulation provides for mandatory data breach notification to local DPAs and victims “without undue delay” (note that there is a separate regime for telecoms companies which must report breaches within 24 hours of detection). 53 2) Draft Data Protection Regulation (cont’d) • Profiling/Big Data: Notices about profiling must be highly visible and individuals must have the opportunity to object. Where profiling significantly affects an individual's rights, it will only be allowed: (1) where the individual's explicit consent is obtained; (2) where provided for by law (EU or MS); or (3) where necessary to conclude or perform a contract (provided there are suitable safeguards). Profiling based solely on sensitive data or which has the effect of discriminating against individuals (such as that based on race or political opinions) is prohibited. Profiling based on pseudonymous data is acceptable provided the data cannot be linked to a specific individual. Guidelines to be issued by the European Data Protection Board 54 2) Draft Data Protection Regulation (cont’d) • Right to Erasure: If an individual requests that their personal data is erased, if it is no longer necessary for the purposes for which it was collected nor if there is no legal ground for processing remaining the data controller must, without delay: 1. erase all personal data relating to that individual and prevent further dissemination; and 2. forward the request to other third-party providers (e.g. cloud providers) who maintain the same data on the individual and request that all links to and copies of such data be erased. Processing should be restricted where the particular type of storage technology does not allow for erasure and has been installed prior to entry into force of the Regulation. • Explicit Consent: Consent of data subjects must be explicit and withdrawing consent must be as easy as giving it. 55 2) Draft Data Protection Regulation (cont’d) Timing/Prognosis • Draft regulation was first proposed by the EU Commission in January 2012. • In March 2014, the European Parliament adopted the current draft of the Regulation. The Parliament’s position is now set in stone (regardless of the new composition of the Parliament following EU elections in May). • To become law, the Draft Regulation must now be adopted by the Council of Ministers who do still need to agree their position. • The target adoption date for the new Regulation is the end of 2014 (with a two year implementation period before it becomes enforceable), but this is highly ambitious and will depend on outcome of upcoming EU elections. • Some EU Member States are trying to block the Regulation and are instead pushing for a watered-down Directive that each Member State would need to transpose into their own law (UK, Sweden, Czech Republic and Hungary). 56 3) Safe Harbor Controversy 39 Offices in 19 Countries 3) Safe Harbor Controversy • In November 2013, the European Commission made 13 recommendations to the US-EU Safe Harbor framework to restore the trust in data flows between the US and the EU, including: Making Safe Harbor more transparent (e.g. by requiring self-certified companies to publically disclose their privacy policies); Ensuring that all Safe Harbor self-certified companies offer an Alternative Dispute Resolution mechanism in their privacy policy; Actively enforcing and auditing compliance with the Safe Harbor scheme; Clarifying the circumstances under which US authorities may access EU personal data processed by a Safe Harbor self-certified company. 58 3) Safe Harbor Controversy (cont’d) • The European Commission expects its Recommendations to be implemented by the summer of 2014. Commission will then decide whether to maintain, modify, suspend or revoke the Safe Harbor framework. • On 12 March 2014, the European Parliament passed a resolution calling for the immediate suspension of the Safe Harbor mechanism. However, the underlying agreements were entered into by the Commission – only the Commission has the power to decide the future of the Safe Harbor framework. • Council of Ministers discussing “alternative” models for safeguarding international data transfers A mix of self-certification systems and government led approvals 59 4) European Court of Justice Judgment on Google Search 39 Offices in 19 Countries 4) European Court of Justice Judgment on Google Search • Complaint filed in Spanish court by lawyer with past debt problems long since resolved. • Issue of EU data protection law was referred by the Spanish court to the European Court of Justice (ECJ). • ECJ ruled on 13 May 2014 that individuals have a right to ask search engines to remove links containing personal data about them, if the information about the individual is “inadequate, irrelevant or no longer relevant or excessive” unless there is an overriding public interest reason to maintain accessibility to the data. • The ECJ held that Google is subject to EU data protection laws because its Spanish subsidiary promotes and sells advertising space on the search engine, and processes and controls personal data. • Highly controversial landmark decision must now be applied by the Spanish court. • Implementation questions abound! 61 Practical Compliance Tips and Best Practices for Data Breach Response 39 Offices in 19 Countries Data Breach Preparedness and Response • Prepare Compliance “Health Check” Enact/Revise/Update Internal Policies and Processes Conduct Risk Assessments – Analyze internal security strength, audit, and policies – Assess strength of vendors, suppliers and partners and evaluate contracts Formulate a Data Breach Response Plan – Crisis Response Team (internal and external) – Conduct breach response drills annually Insure – Consider cyber risk policy to augment existing coverages • Prevent Physical/Technical/Organizational Security Measures Develop Privacy/Cyber Strategies and Address BYOD 63 Data Breach Preparedness and Response • Detect and Respond Assign Incident Manager (privacy or operations officer) Assemble Incident Response Team Notify Insurers Validate the Breach & Establish Severity of Incident Identify and Implement Initial Mitigation Measures Identify and Preserve Evidence & Conduct Internal Investigation Analyze whether to involve potentially responsible partners, vendors, or other third-parties [cloud providers, web hosts, software providers, etc.] 64 Data Breach Preparedness and Response Breach Notification Assessment – review applicable state and federal laws and industry standards – State analysis – does incident fit within state law requirements – If it does, assess who must be notified (individuals, partners, investors, law enforcement, attorney general, agencies) – If notification not mandatory, is it otherwise advisable – Consider means of notification (e-mail, mail, advertisement, media) Prepare notification – Sample letter to each recipient (individuals, government, etc.) – Be inclusive and avoid piecemeal notifications where possible Media/PR Strategy • Recover and Fortify [root cause analysis, fix issues, update policies] • Consider Legal Privilege [structure communications and activities to maximize applicability of privilege] 65 “Cyberliability” Insurance in a Very Small Nutshell 39 Offices in 19 Countries Main Loss Exposures to Claimants • To Private Claimants Invasion of Privacy / Identity Theft & Losses Negligence, Recklessness, Emotional Distress Lost / Damaged Data (stored or processed for others) Damage to or infringement of others’ software, proprietary information, trade secrets, or other IP D&O and other personal liability Reimburse businesses serving customers, e.g. banks • To Government Authorities Required Reporting to Multiple Jurisdictions Investigations, Enforcement Actions, Fines 67 Internal Costs and Losses • Investigating Breach & Circumstances: Reports • Forensics & Consultants • Remedial Measures & Enhancements • Damage to Systems & Hardware • Notices to & communications with customers • ‘Free’ services e.g. credit monitoring • Crisis management and media relations • Business interruption and lost revenues • Long term restoration of goodwill & reputation 68 Policies with Potential Coverage • Commercial General Liability (CGL) • Commercial Property / Business Interruption • Errors & Omissions (E&O) • ‘Professional’ Services Liability • Directors & Officers (D&O) • Fiduciary or Crime • Specialized “Cyber” Policies -- New 69 Are My Cyber Risks Covered by Other Insurances? No Cover Provided Possible Cover Provided Cover Provided 70 Questions 39 Offices in 19 Countries Ann J. LaFrance Partner, Squire Sanders T +44 20 7655 1752 ann.lafrance@squiresanders.com Andrew R. Kruppa Partner, Squire Sanders T +1 305 577 7712 andrew.kruppa@squiresanders.com Gary P. Timin Partner, Squire Sanders T +1 305 577 2860 gary.timin@squiresanders.com 72