1. ADVERTISING SECTION
P R I VA C Y: D ATA S E C U R I T Y B R E A C H E S • A roundtabl e DISCUSSION
DATA SECURITY:
Managing the risk
Photo By: Jason Doiy
ata security continues to be a hot topic for general counsel and privacy officers. Breaches have not
D abated; organized computer crime makes front-page news. The legal framework continues to grow,
both from state regulators, Attorneys General, the FTC and the EU. We’ve asked three top experts
in the field for their assistance in laying out what to do. They are Charlene Brownlee, a partner with
Davis Wright Tremaine in Seattle; Ruth Boardman, a partner with Bird & Bird in London; and Michelle
Dennedy, chief data strategy and privacy officer at Sun Microsystems in Mountain View. This is an
abridged transcript of a live event held Sept. 26, 2008, in San Francisco, moderated by freelance
legal affairs writer Susan Kostal, and reported for Jan Brown & Associates by Valerie E. Jensen.
MODERATOR: Charlene, I want to start with you this morning. negligence. Some 50 percent of data breaches are caused
Give us a sense of the continued importance of privacy and by employees leaving laptops at home or in their cars, and
data security. I have the distinct feeling, since we did our there’s a break-in. Only 4 percent of data breaches are
last panel, that there’s even more heat, light and focus on the caused by hackers, which tells us that, as counsel and as
issue. privacy officers and IT professionals, we can do more to
bring those numbers down.
BROWNLEE: I would agree 100 percent. In terms of
statistics, 2008 is half over, and we’re already had the MODERATOR: Let’s go into the growing legal framework that
same number of security breaches as for the entire year governs privacy.
2007. Why are we seeing higher statistics? More than
44 states require notification of data breaches resulting DENNEDY: The word “framework” is critical here. When you
in the disclosure of personally identifiable information approach this as a global entity—and we do business in
(such as Social Security numbers, drivers’ license numbers more than 140 countries around the world--there is no such
and financial information). The majority of information thing as localized data, if you’re using any sort of system
is digital, processed and stored electronically, and often that interfaces with the Web. As you review the framework,
on portable media. The No. 1 cause of data breaches is start by asking where the data is, from an IT perspective.
DATA SECURITY BREACHES 25
2. ADVERTISING SECTION
P R I VA C Y: D A TA S E C U R I T Y B R E A C H E S • A r oundtabl e DISCUSSION
Who is managing it, leading it, and paying for it? Then look
to the various jurisdictions that cover those interactions and
come up with a framework that includes laws like PIPEDA,
the EU Directive and all of its member states, what’s going
on in Asia, Korea, Argentina. Look at the map, and that’s
your framework. If it sounds overwhelming, it is. You can
get very geeky on this very quickly. But there is hope. A
risk-based approach, rather than a black-and-white, find-
the-answers approach, will cover you 80 percent of the
time.
BOARDMAN: The EU has had data privacy legislation
since before the 1995 Directive. But when we’re talking
about security breach notification, we’re playing catch-up.
Although we have general security principles in the EU, we
don’t yet have a breach notification law. But that is coming.
We have two main data privacy directives in the EU: one
general, and one specific to the communications sector.
The communications sector directive is being rewritten,
as we speak. One of the changes being made to it is to
introduce breach notification requirements. That will
Jason Doiy
then have to be transposed into the law of each member
state. In the UK, our regulator has been given increased
powers following an enormous data breach by Revenue and
Customs. Also recently, Nationwide Building Society lost a
laptop, and the society was fined 1 million pounds because “A risk-based approach, rather than a black-and-
it didn’t have appropriate procedures in place to know what
to do in such situations. They waited three weeks deciding
white, find-the-answers approach, will cover you
what to do. 80 percent of the time.”
BROWNLEE: In the absence of federal legislation, in the
U.S. you must take a state-by-state approach. Are people — Michelle Dennedy
familiar with the Nevada encryption legislation that went
into effect Oct. 1? Sun Microsystems
DENNEDY: You’re about to be depressed. ChoicePoint. They were assessed $10 million in fines, had
to allow $5 million for consumer redress, and agreed to be
BROWNLEE: In addition to the new Nevada law, which audited for 20 years.
requires encryption during transmission, Massachusetts
has just adopted regulations that require encryption before DENNEDY: We are a big provider for companies in the
and after transmission. In addition to a state-by-state financial services sector, so many of our customers are
approach, you also need an industry/ sector analysis. Health
impacted by the November 1 FACTA deadline. That
care information, for example, is covered under HIPPA. The
regulation points out the synergy between privacy rules and
financial sector is covered by Gramm-Leach-Bliley, and
data transfer regulations, which until two years ago could be
now, as of November, the red flag rules pursuant to FACTA.
managed fairly well by notice and consent. That was really
The only federal legislation that deals directly with the
where the locus of control and focus and meeting most of
collection of information online is the Children’s Online
Privacy Protection Act, COPPA. There’s no other generally these regulatory issues came in. What FACTA presents and
applicable federal legislation for consumer transactions what the financial services sector is going through right
over the Internet. But the FTC has been increasingly now, what HIPPA has foreshadowed, is that the growing
aggressive about regulating companies that fail to live framework, on both a federal level and internationally, is
up to their posted privacy policies. In 2006, the FTC about to get much more specific about what companies,
established a Division of Privacy and Identity Protection, tactically, must do to get out of either a negligence theory
which is specifically targeted to investigate data breaches. or a statutory theory for data losses.
As of March 2008, the FTC had brought more than 20
cases against businesses for failure to maintain reasonable It’s also important to understand server-based computing.
security measures. If you are subject to an investigation Today’s buzzword is “the cloud.” Everything is “in the
and settle, usually there will be a fine, and a requirement cloud.” Nothing is in the cloud but rain, folks. It’s all on
to conduct independent audits, sometimes for as long a server somewhere, and that server has jurisdiction stuck
as 20 years. One of the biggest cases to date involved all over it. It is physically located somewhere. You have to
26 DATA SECURITY BREACHES
3. ADVERTISINGSECTION
ADVERTISING
SECTION
P R I VA C Y: D A TA S E C U R I T Y B R E A C H E S • A r oundtabl e DISCUSSION
crafting your legal memoranda about all these new rules,
regulations, cases and fines, you are giving people like me
something I can consume.
BROWNLEE: The FTC’s position is clear: “Companies
that collect sensitive consumer information have a
responsibility to keep it secure.” And that responsibility to
implement appropriate IT securities and safeguards is also
a requirement of approximately half of the 44 state data
breach notification laws. So, from a corporate perspective,
it is not a gray area. It is clear that companies must deploy
appropriate physical safeguards. A company would be
well served by looking at the obligations that are imposed
upon financial institutions and adopt a similar data breach
notification strategy. When these breaches occur, you need
a methodical plan, so you are not acting in crisis mode.
MODERATOR: It seems redundant at this point to use the word
“global,” but tell us about the concerns inherent in data
Jason Doiy transfer and outsourcing.
BOARDMAN: Movements of data outside the EU are
prohibited. So emailing and transferring data to a server
outside the EU--even traveling with a laptop outside the
EU--engages the prohibition. The only countries that you
“FTCʼs position is clear: 'Companies that can transfer data to from the EU are ones that have been
collect sensitive consumer information have approved by the European Commission and, so far, that
list is limited to Argentina, Switzerland, certain Canadian
a responsibility to keep it secure.' And that organizations covered by PIPEDA, the Isle of Man, Jersey,
and Guernsey. So it’s a fairly small list.
responsibility to implement appropriate IT
securities and safeguards is also a requirement There are four main methods to deal with this. If data is
being transferred from the EU to an organization in the
of approximately half of the 44 state data US that participates in the Safe Harbor scheme, that data
transfer is fine. From an EU perspective, Safe Harbor is
breach notification laws. So, from a corporate very easy for organizations to deal with. A second option is
perspective, it is not a gray area.” freely given consent. That sounds good, but it’s hard to do
in practice, especially in the employment context. In many
countries in the EU, you have to get a permit from the
— Charlene Brownlee data protection authority to export the data, and you have
to explain the basis on which you’re asking for the permit.
Davis Wright Tremaine In some countries, if you say, “This is employee data,
but we’ve got consent,” as a matter of principle, the data
be aware of where your data is and make sure that your protection authority will reject your application, because
clients know where their data is so that you can provide they’ve taken a paternalistic view toward employees.
appropriate legal advice. You may be missing jurisdictions
The other alternative is to use European Commission-
you haven’t even thought of. Who is the account customer
approved contract clauses. These are data export contracts
base, the employees? Where are they coming from? Are
that oblige the importing organization to offer EU protection
they working from home? Where is the data going to and in
for data. The idea is great, but they can be bureaucratic.
what format? Is it encrypted? Has it been severed from any
The clauses require registration in about 18 out of the
sort of personal information so it cannot be reconstituted? 27 member states, which is a time-consuming process.
You must know the answers to these questions. Lawyers are The other problem is that you have to complete an annex
being increasingly dragged into IT and HR, and other areas describing what you’re doing. And with my clients, I’ve
you may not have traditionally considered in your area of found that you complete that and then a year or two
practice. years later, the client will do something different; they’ll
want to implement a different HR system, and then you
Be aware of the technological realities, the people, the have to redo the clauses. The last alternative is to adopt
processes and the technology synergy, so when you’re “binding corporate rules.” The idea behind these is that
DATA SECURITY BREACHES 27
4. ADVERTISING SECTION
P R I VA C Y: D A TA S E C U R I T Y B R E A C H E S • A r oundtabl e DISCUSSION
you embed data privacy in the organization’s culture. So,
for example, with employee data, you might develop a
workforce data privacy policy. If you can show that that
is binding and really enforceable within the organization,
then you can take these rules and procedures to EU data
protection authorities and get them approved, which then
allows you to transfer data freely within the organization,
without additional consent, or registering standard contract
clauses. You have to keep the data protection authorities
up to date if new members of the group come on board or
if you change your processing significantly, but it should
be a much-lighter-touch approach than the registration
process.
BROWNLEE: Binding corporate rules (BCRs) are a bit
controversial, because they’re very expensive to develop
and implement, and they only protect the flow of data
among those corporate entities. For example, BCRs do not
address the flow of information from an EU member state
to a country that is deemed to have inadequate safeguards.
Jason Doiy
So it’s not a one-stop-shopping solution; you still have to
layer BCRs with other privacy mechanisms, such as Safe
Harbor certification.
BOARDMAN: You make several good points. It is a pioneering
effort. It started in 2003, and by 2005, we only had one “The idea behind binding corporate rules is that
application that had been authorized. But there’s a real
sense that it’s starting to become more manageable. The
you embed data privacy in the organization's
reason for the initial cost is you need to go and negotiate culture. With employee data, for example, you
with the protection authorities, many of which have little
expertise or familiarity with how organizations work. But might develop a workforce data privacy policy. If
we’re starting to see a critical mass of applications come t
hrough.
you can show that that is binding and enforceable
within the organization, you can have them
My clients have been able to leverage existing privacy
policies and procedures. And in some instances, once there approved by EU data protection authorities, which
is a UK authorization, other data protection authorities are
happy with that, and granted authorization on that basis
then allows you to transfer data freely within
alone. The advantage is once you have a BCR, there are the organization, without additional consent or
registering standard contract clauses. “
fewer bureaucratic restrictions to them. If you have data
that is going from the EU to a U.S. entity, which will then
be transferred to a third party in the U.S., you would need
separate contract terms to deal with that. But you would, in
any event, under EU commission clauses or Safe Harbor. — Ruth Boardman
MODERATOR: So how do companies best mitigate the risk? Bird & Bird
BROWNLEE: Let’s use, as an example, the lawsuit filed
against Accenture in 2007. The Connecticut Attorney
provide that the vendor retains ownership/control at all
General hired Accenture to transfer some taxpayer and
other personally identifiable information into a PeopleSoft times, does not subcontract without your permission, uses
database. A backup tape containing the information reasonable safeguards, and agrees to indemnify you in the
was stolen. The state had a contract with Accenture event of a data breach.
that included provisions requiring Accenture to employ
reasonable safeguards. Accenture was subject to a Your agreement should include a clause requiring your
negligence claim, and also breach of contract. The take-
vendor to allow you to have a third party come in and audit
away here is that you must have a written agreement
with all third parties transferring or processing your data, your service provider’s information systems and ensure that
whether an information destruction/storage vendor or your service provider notifies you within a very short period
an electronic discovery provider. The agreement should of time if there is any sort of breach or suspected breach.
28 DATA SECURITY BREACHES
5. ADVERTISING SECTION
ADVERTISING SECTION
P R I VA C Y: D ATA S E C U R I T Y B R E A C H E S • A r oundtabl e DISCUSSION
DENNEDY: My favorite phrase in contract negotiations is it. When you appoint a third party to hold the information
“from time to time.” Every now and again we get this or to do anything with the information on your behalf, then
clause in an outsourcing context or some context that you are responsible for what that third party does. So, if
is a data-intensive relationship. It will say, “reasonable there is a security breach, then you are still on the hook to
security as may change from time to time.” “Reasonable” individuals, even though it might be the third party who was
five years ago did not include comprehensive encryption. responsible. Again, there are a couple of nice examples of
“Reasonable” five years ago did not require background this in the UK involving lost laptops that weren’t encrypted.
checks for every single worker in every single facility. That In each case, it was the client organization that ended up
clause is going to screw you later. The most important on the receiving end of an enforcement notice from the
element of mitigating legal risk in the contracting context Information Commissioner, which required the client to roll
is to really understand the deal. You need to really out encryption and caused the organization and contractor
understand the scope and the shape and the possibility of to report back on a regular basis to the commissioner.
data transfer, either from individual contractors that come
in, or people who are able to somehow carry your data out. So I reinforce the point that having appropriate contract
Really do your homework. As a lawyer, you need to become terms is vital. You want to be checking your contract and
a much bigger player in the decision-making process. In looking at that indemnity.
the statement of work, you need to understand what kind
of information needs to be transferred from organization to
BROWNLEE: There are four practical ways to mitigate or
organization and to various downstream processing, and in
prevent data breaches. The first one is obvious: don’t
what context. You have to be very careful in the indemnity
collect what you don’t need. Secondly, destroy or redact
section. It plays both ways. Auditing is one of hottest
what you don’t need. Follow the federal laws, such as
negotiation topics right now because, inherently, by having
FACTA, on secure disposal of personally identifiable
a third-party auditor in my data center, I am compromising
the security of my other customers or I’m possibly exposing information. Thirdly, ensure that any laptops you recycle,
them to third-party distribution, under law, by allowing donate to charity or send back to a vendor are scrubbed.
them in. In laying out the deal, look at what people really Lastly, conduct a conduct a privacy impact assessment
need access to the data, not based on any hierarchy or prior to the launch of any new product or service. Encourage
organization chart, but by what role they really perform. your teams—marketing, IT, product development, legal—to
review what information can be collected from the product,
BOARDMAN: I would completely agree with everything that and what the legal ramifications are.
Michelle and Charlene have said about risk, and would add
two additional points. One is there are specific obligations DENNEDY: There are technical solutions out there. I won’t
in the EU when you appoint the kind of third party that make a company pitch. I agree with Ruth and Charlene,
Charlene mentioned; in EU terms, this agent is called though—don’t collect more than you need, and don’t travel
a processor. But if you do due diligence and take the with more than you need. There are various strategies
approach that’s been described, then you will do what is where you can take advantage of server-based computing
required in the EU. The other point to note is that in the to keep your crown jewels in a place where IT professionals
EU, under the Data Protection Directive, if you are the are surrounding them with, truly, not just “the reasonable
organization that controls the data, you’re responsible for security from time to time” but actual security.
DATA SECURITY BREACHES 29
6. ADVERTISING SECTION
P R I VA C Y: D A TA S E C U R I T Y B R E A C H E S • A r oundtabl e DISCUSSION
CHARLENE A. BROWNLEE is a partner with the law firm Davis Wright Tremaine LLP. She
advises clients on global privacy and data security matters, development of records
management programs, e-discovery best practices and technology transactions. She
co-authored the legal treatise Privacy Law (Law Journal Press). Charlene has lectured and
published widely on privacy, records management and e-discovery. She is a US delegate for
the APEC Privacy Data Security Working Group and serves on the University of Washington's
Advisory Board for its EDiscovery Certification Program launching in 2009.
DAVIS WRIGHT TREMAINE LLP The regulation of privacy and data security continues to
expand at both a state and federal level. We can assist your organization in determining
what policies, procedures and technology are required to comply and
ensure proactive information governance. From developing record
retention schedules and litigation hold policies, to advising on responding to a data breach, we
have the experience and business oriented perspective that clients value.
RUTH BOARDMAN is a partner in the London office of Bird & Bird. Ruth advises on all
aspects of European information law, including data protection, freedom of information,
database rights and confidentiality, with a specific emphasis on IT, e-commerce and
public procurement. She is the co-author of Data Protection Strategy, published by Sweet
& Maxwell. She also edits the Encyclopedia of Data Protection, from the same publisher,
and is on the editorial board of Data Protection Law & Policy.
BIRD & BIRD is a leading European and Asian law firm, with offices in Belgium, Czech
Republic, Finland, France, Germany, Hungary, Italy, Poland, PRC, Slovakia, Spain,
Sweden, The Netherlands and The UK.
We are ranked as a leading firm for data privacy advice, where we advise a wide range of
international companies as well as companies for whom personal data is a key asset.
We provide a full range of legal services: commercial, corporate, corporate restructuring & insolvency, dispute
resolution, employment, EU & competition law, finance, intellectual property,
outsourcing, public procurement, real estate and regulatory & administrative tax.
MICHELLE DENNEDY is Chief Privacy Officer for SUN MICROSYSTEMS, INC. Michelle is
responsible for the continued development and implementation of Sun’s data privacy
policies and practices, working across Sun’s business groups to drive the company’s
continued data privacy excellence. Data privacy is a cornerstone of Sun’s approach to
compliance with complex, demanding regulations including Sarbanes-Oxley, the EU
Directive, California State Senate Bills, as well as escalating policy and process-oriented
requirements being imposed globally. Michelle also works with Sun’s product development
teams and partners to deliver best-practice privacy enabling products and services. She
is the co-founder of Sun’s internal Privacy Council, an organization that includes and
engages with stakeholders from across the company and is dedicated to promoting and
promulgating a cohesive practice throughout the organization to protect Sun’s relationships
with its customers.
JAN BROWN & ASSOCIATES is a worldwide deposition reporting and legal video company. We offer the latest
in technical expertise and the highest quality in the rendition of these services. Our services include realtime
depositions, video conferencing, full service legal videography, document scanning, on-line repository, DVD or
CD-ROM, case management services for large complex cases. We are Certified Livenote Providers and offer
conference rooms. Our services are utilized by the top firms in the country and we are the court reporters and
videographers of choice. www.janbrownassociates.com 800.522.7096
30 DATA SECURITY BREACHES