Every week seems to bring another story of a data breach or significant privacy gaffe. Learn how to help keep your company out of the Privacy Hall of Shame.
This interactive panel was the closing plenary session at LegalTech NY 2014.
This panel was moderated by Dori Anne Kuchinsky, Assistant General Counsel Litigation and Global Privacy, W.R. Grace & Co.
The chapter on Social Media Security Fails in 2013 was presented by Al Raymond, CIPP/US, CISSP, Head of US Privacy & Social Media Compliance, TD Bank. The chapter "Location, Location, Location: Why it REALLY matters" was presented by Kamal Patheja, Legal Director Global Software Licensing DHL GBS (UK).
The final chapter "Privacy Enforcement in the U.S." was presented by Monique Altheim, CIPP/US/E, Founder and Managing Partner of The Law Office of Monique Altheim.
Many thanks to Patrick Oot, Senior Special Counsel for Electronic Discovery at U.S. Securities and Exchange Commission, for providing the polling questions technology.
Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy
1. FEBRUARY 4 – 6, 2014 / THE HILTON NEW YORK
Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy
Monique Altheim
Principal, The Law Office Monique Altheim
Dori Anne Kuchinsky
Assistant General Counsel, Litigation & Global Privacy
W.R. Grace & Co.
Kamal Patheja
Legal Director Global Software Licensing
DHL
Albert M. Raymond
Head of U.S. Privacy & Social Media Compliance
TD Bank
2. Target and Neimans and Snapchat, Oh My! The Year in Data Privacy
• Privacy Jeopardy:
The Rules
The Categories
The Prizes
LEGALTECH NEW YORK / FEBRUARY 4 – 6, 2014
3. EU-U.S. Safe Harbor and the “Snowden Effect”
Poll Question:
The FTC recently announced settlements with 12 U.S. companies for Safe Harbor violations. The violation charged was:
a) Allowing the NSA to access EU data transferred under Safe Harbor
b) Using Safe Harbor to justify transfers to inadequate countries
c) Falsely claiming they had current Safe Harbor certifications
d) None of the above
5. Associated Press Twitter Account Hack
April 2013
• The Associated Press' Twitter account was hacked.
• Moments later, the Syrian Electronic Army claimed responsibility for the attack.
6. Associated Press Twitter Account Hack
• The message spread quickly, with Twitter users immediately wondering if the account had been hacked.
• The Associated Press clarified shortly thereafter that the tweet was a fake.
7. Associated Press Twitter Account Hack
The Syrian Electronic Army, an organization that supports Syrian President Bashar al-Assad, tweeted:
8. Associated Press Twitter Account Hack
Real Repercussions
9. Associated Press Twitter Account Hack
Poll Question:
Which of these ‘strong’ passwords should the Associated Press have used to protect its Twitter account?
a) Password
b) Qwerty
c) Abc123
d) Muj@hideen2#
13. Chrysler Social Media Faux Pas
Poll Question:
If your vendor causes a security or privacy event for you, what could be your recourse?
a) Legal action
b) Nothing. Your vendor’s actions are your own
c) Depends on the contract
d) Run over someone with a Chrysler 300 Hemi
16. Burger King’s Twitter Account Hijacked
• The account was hacked by an unknown group, which changed the company’s logo and profile name to McDonald’s. It then started tweeting offensive messages, along with a message that the company had been “bought out” by McDonald’s.
• After nearly an hour and a half of “tasteless” tweets filled with drug references and obscenities, Twitter finally suspended the account.
• Burger King actually gained almost 30,000 followers as a result of the incident!
• A 300% increase in conversations on the BK site (450,000 tweets!)
21. Burger King’s Twitter Account Hijacked
Poll Question:
What do you suppose is the biggest risk from having your SM account hijacked?
a) Brand risk
b) Reputation risk
c) Both A & B
d) Loss of the formula for ‘secret sauce’
22. Lessons Learned?
Poor Pwd Management: The companies didn’t know who had access to the account or to the passwords. If the same password can be used across multiple accounts, that’s poor password management.
Newsflash!: Passwords need to be changed on a periodic basis.
Weakest Link: Any system can be compromised with enough time and effort. Many ways into the crown jewels exist, including phishing, smishing, social engineering, software, or applications.
Inside Job: Malcontent employees (current or former) who have/had access to the passwords make it difficult to know if the account truly was hacked or if it was a rogue employee. Many social media accounts are not tied to Active Directory or LDAP systems.
Vendor Management: If you lack the skills inside the organization to run your SM site, you may rely on an external firm. Burger King and Chrysler were both highly dependent on external agencies to manage and control their Twitter accounts.
Improper governance and oversight led to epic Social Media Fails.
24. US vs. EU
Conflict with respect to Personal Data*
• EU: everything is prohibited unless expressly permitted by law
• US: everything is permitted unless expressly prohibited by law
*Art. 2 Directive 95/46/EC:
“Personal data" means any information relating to an identified or identifiable natural person ("data subject").
An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
25. Incident #1- Dude - Where’s My Data?
26. Incident #1
Poll Question:
Which of the following is Personal Data?
a) Car registration plate
b) Work email address
c) Employee number
d) Employee status on corporate live chat system
e) All of the above
27. Incident #1
Poll Question:
Which of the following is NOT an adequate way of transferring Personal Data to a third party company outside of the EEA?
a) Model Clauses
b) Safe Harbor registration
c) White Listed Countries
d) Binding Corporate Rules
e) None of the above
28. Incident #1- Dude - Where’s My Data?
• DPDHL UK entity engaged with UK supplier to acquire a claims handling system
• The solution involved the hosting of claims related information of DPDHL employees
• Contract governed by English law
• Contract provides for DPDHL providing personal data to supplier in UK
• Contract completed ready for sign off
• DPDHL Legal enquire as to supplier’s server location
• “Oops, forgot to tell you”: Data to be hosted in US! By a third party!
• 3 months later we sign off the deal after arduous negotiations surrounding the data protection provisions – supplier did not see what the big deal was for DPDHL!
29. Incident #2- Show Me the Data!
30. Incident #2
Poll Question:
Which of the following is deemed valid consent for the purposes of transferring Personal Data?
a) Data subject’s waiver in the form of posting of same Personal Data to social media
b) A formal consent form signed by the company’s CEO authorizing the transfer of employee Personal Data
c) A formal consent form signed by an administrative assistant authorizing transfer of his/her personal data
d) An email by CEO authorizing transfer of his/her personal data
e) None of the above
31. Incident #2
Poll Question:
Which of the following is true?
a) E-discovery rules override the EU Data Protection Directive
b) EU Data Protection Directive overrides E-discovery rules
c) The EU Data Protection Directive can be ignored by US Company only doing business in the US
d) Companies can select which privacy regime to follow based on country of registration
e) None of the above
32. Incident #2- Show Me the Data!
• US based employee seconded to Germany
• The new role never transpired
• Employee sought reinstatement to her original role in US
• Old role filled!!!
• Employee commenced proceedings in US against DPDHL alleging wrongful termination and harassment
• Plaintiff produced altered emails
• DHL had to collect emails from executives and non-executives in Germany to disprove P’s allegations
• US litigators barred by EU Data Protection from collecting data
33. Incident #2- Show Me the Data!
• DPDHL had to implement adequate measures which included:
Giving German employees an opportunity to consult with DPDHL Data Protection Officers
DPDHL Officers consulting with German Worker’s Council
US lawyers to disclose data needed, where it would be sent to and how it would be used
US lawyers had to obtain consent from each custodian, subject to refusal or withdrawal
EU employees to self-collect
Data subject to protective order
Then and only then data could be used in litigation
34. Lessons Learned?
• From the outset ask suppliers about server locations and DR sites
• Quiz your business folk on the type of data to be processed/hosted/stored
• In any litigation matter be mindful of any European aspects to the case
• Seek local legal advice on national law issues
• The EU Directive has been implemented by all EU members in their local legislation with varying degrees of formality e.g. Germany compared to UK
36. Oregon Woman Awarded $18.6 MILLION Over Equifax Credit Report Mix-Up
July 2013
(Reduced to $1.62 Million on Appeal on January 29, 2014)
37. FTC Collects $3.5 Million From TeleCheck For Failing To Investigate Disputes Or Correct Errors
January 16, 2014
38. FTC Expands FCRA Coverage to Mobile Industry – Criminal Records Search Apps
January 10, 2013
39. FCRA
Poll Question:
A consumer reporting agency falls under the FCR Act, if it sells consumer reports to:
a) Banks, Insurance Companies, Employers and Consumers
b) Banks, Insurance Companies, Employers and for Other Business Purposes
c) Banks, Insurance Companies, Employers, Marketers, and Dating Sites
d) All of the above
40. FTC Announces First Settlement Involving Privacy and the "Internet of Things" – The TRENDnet Case
September 2013
41. Section 5 (a) of the FTC Act
Poll Question:
A company has an obligation under section 5 (a) of the FTC Act to provide reasonable security for its PII:
a) Always
b) Only if there is risk of substantial damage
c) Only if it promises to do so
d) Never
42. WellPoint Pays HHS $1.7 Million for Leaving Information Accessible Over Internet
July 2013
43. HIPAA
Poll Question:
The following entities must comply with HIPAA Privacy and Security Rules:
a) Law firms that handle PHI from insurance companies, hospitals or health care providers
b) Webmd.com and Patientslikeme.com
c) H.R. departments
d) All of the above
44. Lessons Learned?
• Data Brokers and App Developers: If you quack like a duck…you are a duck. Regardless of your ToS, if you act as a consumer reporting agency, you need to be compliant with the FCRA requirements to avoid steep fines from the FTC and lawsuits from wronged consumers.
• Companies under jurisdiction of FTC: Say what you mean and mean what you say in your privacy policies. Don’t make promises you will not keep, lest the FTC accuse you of deceptive practices under Section 5(a) FTCA. If you handle sensitive data, the breach of which may result in substantial damage, you must have a data security program in place, lest the FTC accuse you of unfair practices under Section 5(a) FTCA.
• All companies processing PHI from HIPAA “covered entities”: As “business associates” you must comply with HIPAA Privacy and Security Rules as well. HHS/FTC are after you!