Q2 2008 Marketing Objectives


Recent Legal Trends in Data Protection
Nick Akerman
Dorsey & Whitney LLP
http://www.computerfraud.us

Pervasiveness of computer data
• Marketing plans and strategies
• Financial information
• Customer information
• Employee HR records
• Acquisition strategies
• Product plans
• Manufacturing processes
• Email

Legal Implications
• Law Protects
  - Personal Information
  - Sensitive company information
• State Laws
• Federal Laws
• Regulatory Framework
• Legal Remedies

Notification: California Database Security Breach Act
• Effective July 1, 2003
• Companies must notify individuals of security breach that could lead to identity theft
• Security breach is “unauthorized access”
• Does not apply to public information
• Applies to all companies doing business in California regardless of where data is kept
• Authorizes private actions and does not bar class actions
• 46 states have enacted similar laws

States That Have Enacted Breach Notification Laws
[Map of states; legend: Enacted Laws, Pending Legislation]

Personal Information As Defined By California
• Social security number
• Driver’s license number or California Identification Card number
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account

Provisions of the Statutes
• Notification requirement to consumers varies among states
• Third party vendors
• Different remedies
• Certain states exempt encrypted and/or redacted data from the notification process
• Timing standard varies
• Law Enforcement Exception
• Key issue is the ambiguous situation
• Investigation requirement

HITECH Act – 2009 Stimulus Package
• Amends HIPAA to include notification, September 2009
• Breach of protected information
• Breach as of date discovered or should be known
• Name alone is breach
• Electronic and paper records
• Encryption has to meet certain standards
• Notice to media in certain circumstances

TJX Multi-State Settlement June 24, 2009
• 2007 data breach to cardholder data and other personal data
• Investigation and action by 41 States
• TJX agreed to implement and maintain a comprehensive data security program
• Must report regularly to the State Attorneys General on the efficacy of the security program
• $9.75 million paid to the States

State Data Compliance Statutes
• Nevada – personal information must be encrypted when it is transferred – effective October 1, 2008
• Connecticut – businesses must “safeguard the data, computer files and documents containing the information from misuse by third parties.” – effective October 1, 2008
• Massachusetts Data Compliance rules effective March 1, 2010
  - Applies to a business located anywhere that stores or maintains personal information about a Massachusetts resident
  - Mandates a compliance program consistent with the Federal Sentencing Guidelines
• Washington State – personal information encrypted effective July 1, 2010

Massachusetts – Administrative, Technical and Physical Safeguards
• Develop Security Policies that are enforced through encryption
• Appoint Security Coordinator
• Minimize risks from third parties by terminating access for former employees and ensuring compliance by vendors
• Train the workforce on importance of personal information security
• Conduct regular audits at least annually
• Enforce the policies through disciplinary measures and document responsive actions
• Respond to incidents, encouraging employees to report violations

Federal Trade Commission Enforcement
• Failure to secure personal data is an unfair trade practice – Title 15 U.S.C. Section 45(a)
• June 2005 BJ Wholesale Club
  - 150 warehouses and 78 gas stations
  - BJ’s uses a computer network to obtain bank authorizations for credit and debit card purchases
  - BJ’s collects name, card number, expiration date from card magnetic strips for purchases

The FTC Charge Against BJ’s
• Failed to encrypt data when it transmitted or stored data
• Created unnecessary risks by storing it for 30 days, in violation of bank security rules, even when it was no longer needed
• Stored data in files that could be accessed with commonly known user IDs and passwords
• Failed to use readily available security measures to prevent unauthorized wireless connections to its networks
• Failed to use measures to detect unauthorized access to the networks or conduct security investigations
• Consent agreement to implement an information security program with annual audits for 20 years

FTC Enforcement
• June 2006 ChoicePoint
  - 163,000 consumer records compromised
  - Consent decree requiring ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent 3rd party security professional for 20 years
  - $10 million penalties and $5 million in consumer redress

FTC Requirements for Businesses
• Claims about data security should be accurate
• Protect against common technology threats
• Know the identity of third parties with whom sharing customers’ sensitive information
• Do not retain unneeded sensitive consumer information
• Dispose of sensitive consumer information properly

General Guidance
• Know your data and map the flows
• Institute Information Risk Management Program
• Must protect information with adequate security measures
• Be prepared to conduct an immediate investigation when a breach is suspected
• Protocols and agreements with vendors who maintain data
• Notify law enforcement
• Maintain accurate and complete documentation

Working with Vendors
• Warranty and representation on compliance
• Indemnification
• Certification of compliance with EU Safe Harbor Framework
• Adequate insurance coverage
• General due diligence

Competitively Sensitive Information
Trade Secrets
Any information
• That derives economic value
• From not being known to others
• And is subject to reasonable efforts to preserve secrecy

Computer Fraud and Abuse Act Provides Proactive Tool to Protect Data
• Title 18 U.S.C. § 1030 – Enacted in 1984
• Criminal statute
• Civil remedy in 1994 amendment
• Computers used in interstate commerce
• Amended in 2001 and 2008
• Provides for damages and injunction

Various Causes of Action
• Stealing valuable computer data
• Schemes to defraud
• Trafficking in a computer password or similar information with intent to defraud
• Damaging computer data
• Hacking
• Extortion
• Sending computer viruses

Legal Requirements
• Protected computer
• Lack of authorization or exceeding authorization to access computer
• Theft of information or anything of value
• Damage to data permanent
• $5,000 loss
• Limited to economic damages
• Compensatory damages
• Two-year statute of limitations

The $5,000 Jurisdictional Limit
• Loss during any 1 year period aggregating at least $5,000
• Loss defined by statute as cost of responding to offense, restoring data or system or costs from interruption of service
• Must relate to computer
• Forensic review counts

Key Issue: Unauthorized Access
Section 1030(a)(4): Whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value…

International Airport Centers LLC v. Citrin
• Employee destroyed data on company computer
• Authorization based on law of agency
• Authorization terminates with disloyal act
• Judge Posner found that authorization terminated when employee “resolved to destroy files that incriminated himself and other files that were also the property of his employer.”

EF Cultural Travel v. Explorica
• Ex-employees set up competing student travel company
• Information was accessed through public website
• Robot created with confidential information
• Used robot to download pricing data
• First Circuit upheld injunction based on confidentiality agreement
• Authorization established by contract
• Pricing data was valuable

Authorization Established by Company
• First Circuit: the CFAA “is primarily a statute imposing limits on access and enhancing control by information providers.”
• Companies can set predicate for CFAA violation
• Rules on authorized access
• Agreements can set limits
• Similar to criminal trespass

Terms of Use
• Require users to provide accurate registration information
• Limit use of account to registered user at one computer at a time
• Prohibit use of web crawlers, robots and similar devices
• Post acceptable use guidelines that prohibit abuse, harassment and similar conduct
• Specify limitations on use of materials obtained (e.g., no commercial use)

Ways to Establish Lack of Authorization
• Hacking by outsider who breaks into computer
• Exceeds expected norms of intended use
• Terminates Agency relationship with employer by disloyal conduct
• Violates company policies and rules
• Breaches contractual obligation

Tort of Conversion
• Tangible v. Intangible property
• Thyroff v. Nationwide Mutual Insurance Company, 8 N.Y.3d 283 (2007)
• Computer data included in conversion based on changing societal values
• Similar remedies to the CFAA
• May have advantages over the CFAA

Digital Millennium Copyright Act
• Enacted in October 1998
• Implemented “safe harbor” (17 U.S.C. § 512) for online service providers
• Service providers may be shielded from liability if they remove materials upon receiving notification of claimed infringement
• Does not apply to trademark infringement, but service providers often also take down materials based on claimed trademark infringement
• Applies only to service providers in U.S.

Companies can mitigate their “risk” by re-evaluating 7 areas of their business
• Hiring Practices
• Company Rules
• Appropriate Agreements
• Use of Technology
• Termination Practices
• Protocols for Response
• Company Compliance Program

The Hiring Process
• Honor Prior Employment Agreements
• Explain Company Obligations
  - Company Policy
  - Employment Agreements
• Criminal Exposure for the Company

Company Rules
• Employee Handbook
• Compliance Code of Conduct
• Terms of Use on company Web site
• Training
• International rules

Agreements
• Officers/Employees/Third Parties
• Among related companies
• Confidentiality/Non-Disclosure
• Post employment restrictive covenants
• Anti-Raiding Covenants
• Agreement to search personal computers
• Permissions re use of the computers
• Customer agreements
• Data vendor agreements

Use of Technology
• Password protection is simplest
• Access based on need to know
• Risks re transportable media
• Encryption
• Audit trail
• Coordinating with document retention and e-discovery

The Termination Process
• Employees must return all company property
• Standard Exit Interview Form
• Explain post employment obligations
• Retain evidence

Protocols for Response
• Speed is of the essence
• Designate a coordinator
• Be investigative ready
• Prepare standard court papers with company policies and agreements
• Select an affiant

Compliance
• New York Stock Exchange listed company compliance program must protect confidential information that “might be of use to competitors, or harmful to the company or its customers, if disclosed.”
• Effective as of October 31, 2004
• Part of Compliance standards and procedures
• Annual CEO certification
• Massachusetts
• FTC’s Red Flags Rule
• Cover competitively sensitive data and personal data

Nick Akerman
Dorsey & Whitney LLP
212-415-9217
http://www.computerfraud.us