IAPP Privacy Academy 2009 Into the Breach - HL


IAPP Privacy Academy 2009
Into the Breach: Dealing With the
Aftermath of a Data Breach
Christopher G. Cwalina
Vice President and Assistant General Counsel,
Intersections Inc.
Carol A. DiBattiste
Senior Vice President, Privacy/Security/Compliance/Government Affairs,
LexisNexis Group
Christopher Wolf
Partner and Co-Chair of Privacy and Data Security Practice Group,
Hogan & Hartson LLP
© 2009 Hogan & Hartson LLP. All rights reserved.
Our focus today
• Beyond the basics of the data breach laws – how does one translate the experience companies have had in handling a breach into practical tips to reduce or manage risk?
• The litigation and regulatory enforcement following breaches have lessons for future targets; what are they?
• We all have heard that a company must be prepared in advance to handle a data security breach, but what does that really mean, in practical terms?
What we plan to cover
• Briefly, what is the current legal landscape regarding data security breach notification?
• Also briefly, what are the prospects for legislative and/or regulatory developments in the coming months?
• What have we learned from the breach litigation so far, and what does this experience suggest about how to manage a breach in light of the claims that have been brought?
• Take-away strategies for preventing breaches and minimizing claims
The current legal landscape
• A major aspect of managing the aftermath of a data security breach is complying with all applicable statutes, so knowing the intricacies of the laws is important
• Alabama, Kentucky, Mississippi, New Mexico and South Dakota are the only remaining states without a data security breach notification law
  – For most companies, the absence of a state statute does not mean the affected residents of the state will not receive notice
• There are variations in the laws as to what triggers a notice
  – Approximately 35 states have some form of “risk of harm” standard before notice is required
• Some statutes cover both computerized and paper data (Alaska, Hawaii, Indiana, Massachusetts, North Carolina, Wisconsin and under the HITECH Act)
Current Legal Landscape: Timing of the Notice
• Most laws provide that notice must be made in the most expedient time possible and/or without unreasonable delay.
  – Some laws provide that this notification may need to be made after conducting an investigation or after notifying other bodies, such as the Attorney General or law enforcement authorities.
  – Florida, Ohio and Wisconsin require notification no later than 45 days following discovery of the breach (consistent with law enforcement needs or requests for delay and/or measures to determine the scope of the breach).
  – Maine law limits to seven days the time that breach notification may be delayed following a determination by law enforcement that providing notice will not compromise a criminal investigation.
  – The HITECH Act requires notification no later than 60 days following discovery of the breach (“discovered” is when it becomes known or should reasonably have been known).
Current Legal Landscape: Other Important Variations
• Non-owners (custodians) of data that has been breached must notify the owner or licensee of the data
  – Great variation among the laws as to when notification must be made to data owners
• In some states, and in some circumstances, notification must be provided to the Attorney General, State Police, “primary regulators” and/or consumer reporting agencies
• A dozen states and Puerto Rico detail the required contents of the notices: Massachusetts prohibits details; others require details of the incident, the type of personal information involved, direction to remain vigilant and other information (e.g., Maryland requires the phone number of the Maryland AG)
• Written notice required; telephone notice allowed in 16 states; e-mail allowed in certain circumstances (with advance consent pursuant to the ESIGN Act)
  – Various provisions for substitute notice
Legislative Developments
A busy Summer
• July 1: Alaska and South Carolina breach notification laws went into effect
• July 9: Missouri enacted a data breach notification law, the 45th state to do so
• July 22: Senator Leahy reintroduced federal data security bill
  – Would require notification of: major media within any state where more than 5,000 individuals are affected by a breach; consumer reporting agencies if more than 5,000 individuals are affected; and the Secret Service if more than 10,000 individuals are affected or if the breach involves a federal database, national security officials or a database containing information on more than one million people.
• July 27: North Carolina amended its breach notification law to require notification of the state attorney general, with content requirements
Three federal data security bills this year
• Senator Feinstein reintroduced one in January
• Senator Leahy introduced his in July
  – Businesses that collect, use or access the SPII of more than 10,000 individuals would be required to implement a comprehensive data security and privacy program
    • Exemption for financial institutions subject to the Gramm-Leach-Bliley Act (GLB) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA)
  – Notification provisions would not preempt existing state data breach notification laws with respect to solely in-state breaches, but would supersede provisions of federal law or of state law relating to notification by a business engaged in interstate commerce.
• And Congressman Bobby Rush introduced HR 2221 in April
  – Strongly supported by the FTC
Details of HR 2221 (for review at your leisure)
• H.R. 2221 (the Data Accountability and Trust Act), introduced by Congressman Rush in April
  – requires those possessing electronic data that contain personal information to take steps to ensure that the data is secure pursuant to regs to be promulgated by the FTC
  – establishes notification procedures when a data breach occurs.
    • companies do not have to initiate such notices if they determine that "there is no reasonable risk of identity theft, fraud or other unlawful conduct."
    • timing: “as promptly as possible” “without unreasonable delay”
      – “and consistent with any measures necessary to determine the scope of the breach, prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system” – no express “law enforcement request exemption”
    • notice can be through written notification or e-mail if the primary method of communication with the individual is by email or the individual has consented to receive such notification and notice is consistent with E-Sign with respect to consumer notices
      – provision for substitute notice in certain circumstances
    • Content requirements:
      – a description of the personal information that was acquired by an unauthorized person;
      – telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the breach of security or the information maintained about that individual;
      – notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, and instructions to the individual on requesting such reports from the person;
      – toll-free contact telephone numbers and addresses for the major credit reporting agencies; and
      – a toll-free telephone number and Internet website address for the FTC whereby the individual may obtain information regarding identity theft.
    • Encryption exception and provision for FTC to specify other exempting technologies
More on HR 2221 (more for review at your leisure)
• Grants FTC power to impose civil penalties for violations and authorizes State Attorneys General to enforce. No private cause of action.
• Requires information brokers to submit their security policies to the FTC in conjunction with a security breach notification, or on FTC’s request.
  – Directs the FTC to require information brokers to establish measures which facilitate the auditing or retracing of access to, or transmissions of, electronic data containing personal information.
  – Requires information brokers to: (1) establish procedures to verify the accuracy of information that identifies individuals; (2) provide individuals whose personal information it maintains a means to review it; (3) place notice on the Internet instructing individuals how to request access to such information; and (4) correct inaccurate information.
• Prohibits information brokers from obtaining or disclosing personal information by false pretenses (a/k/a pretexting).
• Preempts state information security laws.
• Status: On June 3, the Subcommittee on Commerce, Trade and Consumer Protection sent the bill to the full House Energy and Commerce Committee.
Litigation and Regulatory Precedents So Far
• Breach notifications often trigger investigations by state attorneys general and by the FTC
  – HITECH Act creates new vehicles for breach investigations
• Civil actions face hurdles where there is no damage proximately caused by the breach
  – But creative plaintiffs are working hard to chip away at the precedents
  – Cost of litigation is high regardless of eventual dismissal, as cases often are proceeding past the motion to dismiss stage to allow development of the record to explore the damage issue
• B2B lawsuits on the rise, pursuant to state statute, contract and common law
  – Note recently filed lawsuit against CardSystems’ auditor, Savvis Inc.
Litigation and Regulatory Precedents So Far
• Case study: TJX – breach announced in January 2007 involving as many as 94 million credit and debit card numbers
• In June of this year, TJX agreed to pay $9.75 million to settle investigations by 41 state attorneys general
• Under the agreement, TJX will pay $5.5 million in settlement fees, plus $1.75 million to cover the cost of the states' investigations.
• In addition, the company will provide $2.5 million to establish a new Data Security Fund that states will use for data security initiatives
  – Research will be funded on the benefits of technology, developing best practices or model laws, and establishing consumer outreach programs
• In 2007, TJX settled consumer and bank lawsuits
• TJX also has settled with VISA and MasterCard
• In August 2008, 11 people were charged with federal crimes in connection with the breach (accomplished by exploiting vulnerable wireless networks)
• In January 2009, one of the defendants, Maksym Yastremskiy, 25, of Ukraine, was sentenced to 30 years in prison for spearheading the sale of stolen TJX data.
Lessons from the Litigation
• What have we learned from the breach litigation so far and what does this experience suggest on how to manage a breach in light of the claims that have been brought?
  – Important to have an effective public communications strategy
  – As to business partners and customers, early notice pays off
  – With respect to federal and state regulators, keep them informed
  – Cooperate with regulators
  – Insurance coverage may help
  – And, fundamentally, minimizing the risk of a breach and having a plan if one occurs is the best way to deal with possible litigation
What can be done before a breach occurs to minimize the risk of a breach?
• Causes of a breach: lost or stolen media, insider wrongdoing, customer fraud, malicious code, inadvertent disclosure
• Issues: data storage, network security, third-party interactions, human error
• Focus of attention:
  – Data minimization
  – Knowing what PII and SPII you have
  – Physical, technological and administrative safeguards
  – Portable data issues
  – Third party issues
  – Data destruction issues
  – Awareness and auditing
What does it really mean to “be ready” for a breach?
• The need for a written plan
• Having a team in place to respond
• The importance of training
• Understanding with third parties
• Having law enforcement contacts
• Consent for e-mail notification
• Plan to document breach response
• Review and update of plan
Into the Breach: Lessons Learned
• Notice issues – contents, timing, recipients, means of delivery
• Law enforcement issues
• Credit reporting agency issues
• Insurance issues
Questions and Answers
www.hhlaw.com
Christopher Wolf
202-637-8834