A Desk Guide to Data Protection and Breach Response - Part 1
The news has been filled with stories of high-profile data breaches, exposing breached companies to intense and negative scrutiny from lawmakers, regulators, media, customers, and plaintiffs’ attorneys. Other companies that handle personal information have been asking us how they can avoid a similar fate. In the coming weeks, we will be exploring that issue through our special series, "A Desk Guide to Data Protection and Breach Response."
The Best Defense is a Good Game Plan: A Proactive Approach to Data Protection and Compliance
In our experience, the best defense against potential data breaches, investigations by privacy regulators, customer privacy complaints, and mishandling of sensitive data by vendors is a well-constructed and well-monitored privacy compliance and data protection plan. In this first installment of our series, we will discuss the initial steps companies should take to create an effective privacy compliance and data protection plan.
Assess Your Data Retention
Before beginning to design a data protection plan, your company should identify the types of information it collects and processes. Under current laws and regulations, the following types of commonly collected information require special handling and protection:
- Personal Information (“Personally Identifiable Information” or “PII”) – State data breach laws define personal information generally to include an individual’s first name or first initial and last name in combination with any one, or more, of the following identifiers: social security number; drivers’ license number or state identification card number; account number, credit card number, or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account. Many states add additional elements to this definition, including medical data, passport numbers, or tax identification numbers. Some states, including California, also include personal email addresses in the definition, when accompanied by a password or security question and answer.
- Cardholder Data – The Payment Card Industry Data Security Standard (“PCI DSS”) defines cardholder data as: “account number, cardholder name, expiration date, and service code.” The term also includes more sensitive data used for authentication of transactions (PIN, security code).
- Personal Health Information (“PHI”) – Generally speaking, the federal Health Insurance Portability and Accountability Act (“HIPAA”) defines protected health information to include data about health status or health care linked with certain personal identifiers. These identifiers include, among other things, name, geographic location (more specific than state-level), dates, phone/fax numbers, email addresses, and social security numbers.
Additionally, apart from information linked to an individual, companies often store business and technical information that they consider confidential or secret, and would prefer to keep from competitors and the public.
Survey the Legal Environment
Once you know how, what, when, where and why your company collects personal data, you will be able to assess the applicability of various statutes, regulations, and industry standards. Survey the surrounding privacy landscape to ensure that your company knows the applicable laws and regulations, recognizes how to achieve compliance, and understands how to implement effective precautions against data breaches. International corporations that receive data from foreign subsidiaries or affiliates must also be mindful of foreign laws that protect privacy, such as the European Union’s Data Protection Directive or French Law No. 78-17 (informatique et libertés).
A survey of the privacy landscape may be simple or complex, depending on the size of your company and the type of data it handles. Smaller-sized surveys might consist of a simple collection of documents reflecting each federal and state law, each regulation, and each contractual requirement applicable to the data stored or processed by your company. Surveys performed by larger companies would include a more detailed and complex collection of documents, often managed electronically, and might include documents related to compliance with international data protection regimes, industry standards, audit protocols, and internally developed policies related to vendor contracting. Your company’s survey should consider all applicable laws, regulations, and industry standards, including the following:
- Payment Card Standards – The PCI DSS outlines best practices for securing payment card data that may be contractually enforceable against companies that accept payment cards.
- Financial Data Regulations – Financial institutions are subject to a range of federal regulations, and must monitor compliance closely. The Fair Credit Reporting Act (as amended by Fair and Accurate Credit Transactions Act) applies specifically to credit reporting agencies, creditors, and insurers. The Gramm-Leach-Bliley Act contains data privacy and safeguard requirements that apply to all financial institutions.
- Health Data Regulations –The HIPAA privacy and security rules apply to health care providers, health insurers, and their vendors. The HIPAA rules (as amended by the HITECH Act) are the most comprehensive federal rules related to the protection of personal data. Some state laws also impact the management of health-related data.
- State Breach Notification Laws – Although state data breach notification laws are not identical, all of them require companies to disclose breaches of personal information to affected individuals in a timely manner. These laws will be discussed in more detail in future installments of this series.
- Marketing Regulations – Certain federal regulations apply to telephone, fax, text, and e-mail marketing to consumers. Other federal rules dictate how telecommunications companies can use personal information gathered from their customers.
- Laws Related to the Internet – The federal Children’s Online Privacy Protection Act controls the collection and use of personal information from children under 13 over the Internet or via mobile apps. California’s Online Privacy Protection Act requires every website and mobile app operator that gathers personal information from California consumers to conspicuously post an enforceable privacy policy.
- Public Disclosure Obligations – Guidance from the United States Securities and Exchange Commission explains that public companies should consider data security matters when preparing their financial disclosures, disclosure of risk factors, and conclusions regarding the adequacy of their disclosure controls and procedures. In the event of a breach, companies may also be required to disclose resulting material litigation. The disclosures should be reasonably detailed, but need not include information that would reveal a company’s vulnerabilities or compromise its cybersecurity. Companies should proactively review their existing public disclosures in light of the SEC guidance, prior data security incidents or known risks, and the potential impact of a data security incident.
- Other Laws and Regulations – The United States Federal Trade Commission (“FTC”) actively pursues companies that engage in “deceptive” or “unfair” privacy and data protection practices under Section 5 of the FTC Act. The FTC can punish violators with fines and require implementation of specific privacy programs (including lengthy monitoring and reporting periods). A number of other agencies and organizations are involved in privacy enforcement at the federal, state, and international levels.
Knowledgeable legal counsel can help companies survey the privacy landscape quickly and efficiently.
Compile Internal Compliance Information
Compile information related to your (including your contractors’) compliance with each of the requirements identified in your survey. Gather and examine each internal policy, procedure, and training program related to each identified requirement with an eye to demonstrating compliance. Specifically, gather your data retention and data destruction policies, written privacy policies, data security procedures, data breach notice plans, new hire and other employee training material, computer-use agreements, and any internal auditing and monitoring processes. (We will discuss how to design effective policies in the next installment of this series.) The collection of relevant internal policies and procedures will help to avoid scrambling in response to data breach events, lawsuits, regulatory complaints, and audit requests. Regularly evaluate your organization’s compliance with those policies and procedures once they are collected and regularly re-evaluate the substance of these policies and procedures in light of evolving technology, new legislation, litigation trends, and case law.
Evaluate Your Risks
There are myriad risks associated with noncompliance with privacy laws, mishandling of personal data, and data breaches. Common risks include loss of customers, loss of business, investigative costs, regulatory actions, fines, litigation, disclosure obligations, and unfavorable publicity. An internal brainstorming session may be helpful to identify all potential risks. Each company will evaluate its risks differently. Triage each risk based on the number of relevant threats, the vulnerability of your company, and the expected loss associated with a breach. Experienced legal counsel can help your company through this process. Starting with the highest value risk, identify one or more methods for mitigating each risk. Revisit the risk assessment frequently to re-rank the risks as your company’s systems for measuring and improving organizational privacy and data protection compliance improve.
Think “Privacy by Design”
Take a “privacy by design” approach to addressing privacy and data security risks. “Privacy by design” means customer privacy, legal compliance, and data protection are considered throughout the data lifecycle (collection, processing, storage, and destruction). Each high value risk identified by your company during a risk assessment represents an opportunity to design a new tool or solution to reduce that risk.
Design and Implement Your Solutions
Privacy solutions vary in complexity. The exact type and nature of the solutions will vary from company to company and depend upon the types of data collected. The most successful solutions address the privacy or data security risk without becoming overly burdensome on the resources of the company. Many solutions are mandated by statute, industry standards (such as the PCI DSS), or guidance from regulators (such as the FTC). Other potential solutions include revising internal policies, incident response plans, and vendor contracting requirements. More technically sophisticated risk mitigation tools might include software and firewalls designed to prevent and detect network intrusion. Before implementing more complex solutions, test them in a beta or pilot phase to identify shortcomings and avoid unforeseen disruptions to important business processes. Legal counsel and other outside consultants can help companies find solutions that may not have been known or considered internally.
Monitor and Evaluate Your Solutions
Once your company implements appropriate privacy solutions, measure the effectiveness of the solutions regularly. Among other things, test to ensure that employees are properly and consistently implementing the solutions.
Future installments in this series will discuss data security plans; investigations; litigation; and insurance coverage for cyber events. For additional information on any of these subjects, please contact a member of the Haynes and Boone, LLP Privacy and Data Breach Group.
Link to article