Today’s firms are beginning to understand the critical differences and overlaps between cyber security and data privacy. While the attacks that get the most press involve compromised consumer data, those that steal confidential information or simply take down a system are equally important. It’s not a matter of ‘if’ a company will be the victim of a data breach – it’s a matter of ‘when’. As a result, companies across all industries need to improve the way they handle, use, transfer and destroy data.
Di Antonio: Could you outline the latest legal and regulatory developments affecting corporate handling and transfer of data in your region? Do you see a global pattern forming?
Raether: The main issue with data security law compliance remains the same: understanding which jurisdictions apply and determining whether those laws apply to the technology or market at issue. In the US, we have not seen and do not foresee any national legislation. Rather, the law has continued to develop at the state level and in very discrete and esoteric ways. For example, Minnesota recently passed a law limiting the use and distribution of driver licence information. As a result, care is still required in planning and implementation. We also expect further development of the standards through regulatory enforcement actions. While the state attorneys general remain prime actors, the Federal Trade Commission (FTC) will take on a greater role following the recent decision in the Wyndam matter affirming the sovereignty on matters relating to cyber security.
Treacy: There is a global trend towards more, rather than fewer, restrictions on cross-border data transfers, although there are encouraging signs that Europe and the APEC economies are seeking ways to ensure their respective transfer restrictions are interoperable. In Europe, the combined effect of the proposed General Data Protection Regulation – now expected in 2015 – and the public outcry following the Snowden disclosures of the NSA’s surveillance activities, have heightened public awareness about data protection, and signalled a more conservative approach to data protection regulation. As the Proposed EU Regulation moves forward, a key theme is the noticeable tightening up of requirements – for example, a move from general consent to explicit consent, and a greater focus on organisational accountability for personal data. In relation to data transfers specifically, many countries now restrict cross-border transfers of personal data, and some even require localised data storage. Enlightened companies are looking beyond mere legal compliance requirements and are seeking strategic solutions to these restrictions that not only address key regulatory concerns, but enable them to trade freely.
Bossardt: In 2007, Switzerland strengthened its data protection regulation by introducing a bylaw on the certification of data protection management systems, which has become a mandatory requirement for certain processes in the health insurance sector in 2012. In the banking sector, the Swiss Financial Market Authority (FINMA) revised Circular 2008/21 ‘Operational risks at banks’ by adding a new Appendix 3 which regulates the protection of clients’ data in electronic form. It has enumerated nine principles and given banks a number of guidelines on proper risk management related to the confidentiality of data on bank clients. The Circular comes into effect on 1 January 2015. A major challenge for regulators is to effectively tackle a complex global issue with local regulations. In general we see regulations getting more restrictive, particularly with regards to cross-border disclosure and the level of consent required from data subjects. The regulator must balance the protection of privacy of individuals with the innovation and improvements enabled by processing massive amounts of personal data on a global scale. Ideally, regulations would support individuals in getting transparency and an informed choice over the use of their data. Current regulation fails to adequately address this issue.
Gordon: State, federal and even municipal legislators and regulators in the US are imposing substantial restrictions on employers’ collection and use of criminal history, credit history and personal social media content. Thirteen states have enacted ‘social media password protection’ laws that restrict employers’ access to individuals’ personal social media content. Ten states now prohibit the use of credit information for employment decisions except for narrow categories of employees who might pose a risk to an employer’s assets or sensitive information. Four states and five cities have enacted ‘ban-the-box’ legislation that requires employers to wait until at least after the initial job application before inquiring about an applicant’s criminal history. Even if an employer lawfully obtains criminal history information, the federal Equal Employment Opportunity Commission (EEOC) has taken the position in administrative guidance that employers must conduct an individualised assessment before disqualifying an applicant from employment based on criminal history.
Freedman: I have seen an increased emphasis placed on the proper handling, use, transfer and destruction of data by companies in all industries. The obvious reasons are the changes and complexity of laws and regulations applicable to data, enforcement actions by governmental entities, class action litigation, and the devastating impact a data breach can have on a company’s brand. It is clear that we will continue to see increased enforcement activities over the proper handling of data from the FTC, state attorneys general and industry specific enforcement, such as health information. Protection of data is becoming a top priority for corporate executives and boards globally.
Levi: Although there is considerable discussion on a number fronts in the US, it seems unlikely that new privacy or cyber security legislation will be enacted at the federal level. Each of Congress and the general public are not sure what shape such legislation should take. However, we are seeing far more enforcement activity by the FTC and at the state level. I anticipate that trend will continue here in the US. The FTC, in particular, wants to signal to its data privacy counterparts in the EU that it takes this matter seriously and will be vigorous in enforcement. The challenge to many companies is that there is no definitive data security standard in the US, and the FTC is therefore relying on a more amorphous standard of ‘unfair competition’. Wyndam Hotels challenged the FTC’s enforcement authority in this area on precisely that issue; arguing, in effect, that the FTC cannot have authority on cyber security matters if it is petitioning Congress to expand its regulatory authority in this area. However, in an important decision, a federal court ruled in favour of the FTC. Many suspect, and I agree, that this will further embolden the FTC to act in this area.
Di Antonio: In what ways have global authorities increased their monitoring and enforcement activities with respect to data protection and privacy in recent years?
Treacy: Data privacy is a global issue, but regulatory enforcement is local. Where data privacy issues affect individuals in multiple countries, there has been an increase in informal cooperation and information sharing between national data protection authorities. More formally, the Global Privacy Enforcement Network was formally launched in July 2010 specifically to share information about enforcement issues, trends and experiences, and facilitate training, cross-border privacy enforcement and complaint resolution. That network has no formal powers, but it led a project that saw regulators collaborate to examine data collection practices of a number of websites, globally. At a national level, regulators are gaining additional powers, usually to conduct audits and impose monetary penalties or fines. These trends of coordination and more meaningful sanctions are reflected in the Proposed EU General Data Protection Regulation, where fines of between 2-5 percent of global revenue are currently under discussion.
Bossardt: Besides a number of landmark court cases, data protection authorities in Europe are still taking more reactive than proactive measures. Usually, they take actions upon an individual’s complaint or on the occurrence of data breaches that attract great publicity. Enforcement authorities are typically constrained by the amount of resources and budget to take more proactive measures.
Gordon: Security breach notification laws have effectively forced US companies to ‘put a target on their back’ with respect to their information security practices. Enforcement of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) by the US Department of Health & Human Services (HHS) illustrates this tactic. HIPAA requires that covered entities report to HSS a security breach involving 500 or more individuals contemporaneously with providing notice to affected individuals. Since early 2011, shortly after this requirement went into effect, HHS has publicly announced 14 monetary settlements, averaging $1m each, and all but one resulted from self-reporting by a covered entity. The security breach notification laws in 10 states also require reporting of a security breach to the state’s attorney general. Many of the companies that have entered into monetary settlements over the past few years with these agencies self-reported a security breach.
Freedman: I have seen a dramatic increase in enforcement activities from state and federal regulators. Most notable is the FTC’s increased enforcement actives over all business sectors. If a US company suffers a data breach, it should brace itself for an FTC investigation and enforcement action. There are two cases I am closely watching from data breaches where companies are challenging the FTC’s jurisdiction over corporate data security practices. A recent ruling in one of the cases held that the FTC has broad powers over the enforcement of security breaches. This will pave the way for the FTC to flex its enforcement muscle and further expand its jurisdiction and power.
Raether: In view of the international security events we have seen in the past several years, from Snowden, to the ‘global ATM run’, to the Target breach, international enforcement and collaboration has improved. The aspirational nature of such joint monitoring and enforcement regimes is just that though. We are a long way from a universal standard and companies will still struggle to be compliant in numerous jurisdictions. We need look no further than the NSA revelations and the manner in which foreign governments responded to the US and its data practices. Thus, not surprisingly, US companies have seen more push back from foreign countries and businesses when it comes to handling personally identifiable information. But, again, this is nothing new as seen in the increased scrutiny over US companies that seek to self-certify to transfer information to and from the EU member states.
Di Antonio: In your experience, are boards sufficiently aware of how much personal information their company handles and how sensitive this data is for privacy law purposes? What can they do to build an accurate picture of their data assets?
Bossardt: Depending on the industry, the privacy awareness of boards varies considerably. In the banking and health insurance sector, which are heavily regulated, there is a relatively high awareness. Some of them consider privacy to be a differentiator in the market place. A number of companies in the technology sector, whose business models depend on processing customer data to extract valuable insights, have made privacy a strategic board topic. These companies are highly aware of the impact of bad privacy practices on customer trust, and their willingness to share valuable personal data with the company. Recent revelations about the processing of personal data by intelligence agencies have propelled the topic of privacy up the agenda of company boards.
Gordon: In my experience, the protection of employees’ personal data rarely comes to the attention of corporate boards. This lack of awareness is somewhat ironic given that employers customarily maintain information about their employees, including C-level executives, and sometimes even of board members, that is far more sensitive than the information maintained about the organisation’s customers. This ‘blind spot’ likely results from the protection of employee data being only an ancillary responsibility of the chief privacy officer, the chief information security officer and the head of HR. Assigning responsibility for overseeing the protection of employees’ data and requiring periodic reports to the board that address issues concerning that data likely would increase the board’s awareness of employee data assets.
Freedman: Corporate boards have been slow in prioritising corporate data protection. Recent high profile data breaches have caused name brand companies severe financial repercussions and negative brand reputation. Most board members are not information technology experts, let alone even computer literate. Boards are dependent on the company’s information technology team to keep management and the board apprised of privacy and security risks. Boards must receive regular and systematic reporting to assess data security risks. Reliance on internal IT personnel is insufficient. Boards should consider nominating and appointing board members with expertise in privacy and security so that the board can stay apprised of the companies’ data policies, and procedures and supervision over the vendors which have access to the data – a critical component of risk management.
Levi: I think the trend in this area has changed dramatically in recent months. Data privacy and cyber security were issues to which boards paid little attention. Boards are at least focused on this area and appreciate that it is a board-level risk issue. The next step will be for boards to take action in this area. As a result, boards are starting to ask for reports on data usage by the company, and how data and the company’s systems more generally are protected. In some cases this is handled by the risk committee, in other cases, a board member with relevant expertise is taking the labouring oar. A board that is unaware of these issues is becoming more the exception than the rule.
Raether: Most organisations manage data security improperly. At best, the chief information security officer and compliance is considered a cost centre. At worst, they are often seen as a hindrance to product development and revenue growth, excluded from meetings and characterised as a ‘no’ person. As a consequence, data security is most often not discussed at the board level unless an event has occurred. A paradigm shift in corporate culture is required. Some companies still consider information technology as infrastructure. In reality, IT is part of the business just like the factory that creates the widgets or the marketing department which generates advertising. IT needs to be part of the conversation around planning, performance, product development and the like. Information security is a key part of sound IT practices. Building security into the products when the code is written and the architecture is designed prevents the culture which has developed as to compliance. With this different outlook, the CISO can be part of the solution and long-term profits rather than excluded from the meeting.
Treacy: There is a relatively small number of enlightened companies that proactively manage their data assets. The majority seem not to focus on these issues until something goes wrong. It is not common for boards or senior management to be aware of the extent of their data assets, or to understand the nature of their data risk, beyond IT security risk issues. We are seeing some change – with non-traditional data companies realising how critical their data assets are to the business – but this change is slow. Within businesses, data is typically viewed as a security issue and understandably becomes the responsibility of the IT security team. Data privacy roles are not strategic in many companies and, aside from IT security issues, the role is often about legal compliance rather than managing risk and opportunity. Unfortunately, because data risk often does not have board level visibility, companies overlook opportunities to develop their data assets.
Di Antonio: Do you believe companies are now coming to fully understand their duties of confidentiality and data protection in the digital age and in light of evolving privacy laws?
Gordon: HR professionals have long operated under the general assumption that employee personnel files generally should be kept confidential. That said, I think many companies do not yet fully understand their specific legal compliance obligations with respect to employees’ personal data. The alphabet soup of US laws regulating that data – ADA, ECPA, FCRA, FMLA, GINA, HIPAA, and so on – and innumerable, ‘acronym-less’ state laws, as well as legal obligations arising from cross-border data transfers raise substantial obstacles to achieving a full understanding. However, the ongoing media attention to privacy and data protection has undoubtedly increased awareness of the need to address employee privacy issues in a more sophisticated and programmatic way.
Freedman: As a result of the recent high profile data breaches, I have definitely seen companies begin to place data privacy and security high on the list of priorities. It is important for companies to properly budget for the company’s privacy and security needs, develop and implement a Privacy and Security Plan, audit vendors that have access to data, ensure that vendors have appropriate security measures for handling the company’s data, and that proper contractual language is in place with vendors. Vendors are a high risk for companies and those relationships need to be managed carefully.
Levi: For some companies this was always front of mind, and they employed a ‘privacy by design’ approach in which data privacy issues were part of the lifeblood of the company and folded into strategic decisions. For many other companies, privacy was an afterthought and all too often they tried to backfill privacy protection into their products and services, and privacy policies into their corporate culture. However, the trend is clearly for companies to focus on these issues and I think within a year or so it will be difficult to find a company that has not at least considered the impact of this issue on their business.
Raether: Denial is a powerful non-motivator. Most companies still believe that cyber security is a luxury or even a nuisance. It is seen only as a cost centre and not a profit preservation tool. This is not to say that compliance costs should exceed the profits to protect. Sound cyber security is achieved with a balance of technology and financial issues. In technology, everything is possible with enough resources, time and money. Ultimately, cyber security is risk management. What data is critical? What data is at risk? What is the value of losing that data? For example, the costs of losing customer credit card numbers will be different from losing the file containing past product catalogues. Likewise, certain security tools can affect the performance of an application and the roll out of new functionality. For example, if an intrusion detection system has a white list of all permitted executable files, that list must be maintained and changed when new functionality is released.
Treacy: Recent data breaches – most notably some of the huge US breaches – are making companies take note of their data privacy responsibilities, but there is still a sense that breaches affect ‘other’ organisations. In Europe, most member states do not have broad mandatory breach notification obligations, and companies are less focused on these issues than they should be. Good data practices are about more than security breach, and need to be championed by senior management. Companies that fail to do this will remain vulnerable, and will miss out on valuable business opportunities.
Bossardt: Privacy regulation is complex to implement as it requires multidisciplinary expertise, often leaves much room for interpretation and lags behind the extremely fast developments in the corporate world fuelled by technology, digitalisation, data analytics and globalisation. As a consequence, companies often struggle to fully embrace the impact of the changing regulatory requirements.
Di Antonio: What insights can we draw from recent ‘cyber liability’ cases of note? What impact have these situations had on the data protection landscape?
Freedman: Companies need to understand that it’s not a matter of ‘if’ they will be the victim of cyber hacking or an unintentional data breach, it’s a matter of ‘when’. Companies need to be prepared for a data breach like it is going to happen tomorrow. They should have a crisis management firm available 24/7 in order to assist with and combat the media frenzy surrounding a data breach. Companies with big names are going to be targets of hacking, theft, negligence and resulting media coverage. Reacting to the media is not a strong position and having an experienced crisis management and PR team in place is crucial in controlling the corporate message and protecting your brand.
Levi: There is a critical difference and overlap between cyber security and privacy. The cyber attacks that get the most press are those involving consumer data. But equally important are those attacks that steal intellectual property, confidential information, or simply take down a system. Those attacks don’t implicate privacy concerns. On the other hand, there are many privacy issues that have little to do with cyber attacks, such as complying with trans-border data flow obligations. That said, there is no doubt that cyber attacks is the single greatest issue that has made companies focus more generally on data privacy matters.
Raether: In the past year, there has been an explosion in the interest in data security-related issues. From Edward Snowden, Target, Neiman Marcus and Michael’s, we are seeing data attacked, disclosed or taken at all levels within and from outside an organisation. Facing such a reality, companies seeking to be competitive and compliant must often feel that they are fighting a fire with a garden hose. Sometimes they may feel more at risk from internal ‘friendly fire’ than they are from outside threats. The reality is that information privacy and security risk management are ongoing requirements and never stagnant. And, even in the face of the best practices, breaches will still transpire. Company CEOs may like to have a silver bullet or all-in-one security solution to properly evaluate risk. However, there is no such thing.
Treacy: The term ‘cyber liability’ has become a somewhat generic term and without specifics, organisations can fail to focus on the key issues. Most commonly, ‘cyber liability’ refers to security breaches caused by external factors, usually deliberate. Certainly, IT security teams need to focus on managing those breaches, several of which have caused serious disruption for companies. But many breaches result from the actions of ‘insiders’ – disillusioned employees, contract staff or outsource service providers, or staff who simply make mistakes. In an outsourcing context, or where data are processed by third parties, data protection authorities will still look to the data controller – usually the data owner – to take responsibility for any breach incident. There have been numerous cases, some involving the financial services sector, where regulators have made this point forcefully.
Bossardt: In Switzerland, the case which has generated the greatest publicity was against Google Street View. The Swiss Federal Supreme Court endorsed the views of the Swiss Data Protection Authority set out in its earlier recommendation almost in their entirety. There are two important takeaways from this judgement. First, companies have to increase transparency in data processing and make the purpose of data processing known to data subjects. Second, companies must ensure strong anonymisation where there is an increased interest in the protection of privacy.
Gordon: Employers generally are not targets for the commonest type of ‘cyber liability’ case – class action litigation arising from a security breach – because breaches involving employee data tend not to involve the huge number of individuals that attracts plaintiffs’ class action counsel. Employers are starting to confront ‘cyber liability’ cases that attack employers’ access to information stored on employees’ personal mobile devices or in employees’ online accounts. For example, a federal district court recently refused to dismiss a case alleging that a manager had unlawfully accessed 48,000 personal emails over 18 months through a link to a personal email account that a former employee had left open when she returned her company-issued smart phone. These cases highlight the challenges for employers as personal and work life merge in a mobile device and the overwhelming need to adopt a corporate ‘bring your own device’ (BYOD) strategy and related policies.
Di Antonio: What trends are you seeing in litigation against companies and D&Os over data related disputes? What penalties may be issued if a company is found to have breached or violated data protection and privacy laws?
Levi: In the US, the key cases to data have been class actions brought against companies that are victims of cyber attacks. However, the key challenge these plaintiffs face is establishing ‘standing’ – in other words, do they have to establish they have actually been injured by the attack. US courts are a bit all over the map on this issue right now. The other interesting data point is that, to date, most of the settlements in this area are for relatively minimal amounts of money. If that trend continues, these cases may become less attractive to plaintiff class action lawyers.
Raether: There are two major trends here, one global and the other specific to financial services. Historically plaintiffs have had little success in litigation unless the defendant operated in a regulated space with a statute that provided for liquidated damages following a violation. For traditional tort claims, plaintiffs often lacked standing, could not prove damages or causation. As predicted, counsel for plaintiffs have learned to better plead their claims. Back in 2012, the 11th Circuit joined the majority of Circuits in finding that a plaintiff has Article III standing by alleging financial loss fairly traceable to a breach. Curry v. AvMed was remarkable, however, because the court went on to find causation could be established based on a logical relationship between the alleged harm and the breach and by allowing a claim of unjust enrichment based on a contractual promise to use sound security practices. Why is this important now? AvMed agreed to pay $3m to settle these claims.
Treacy: There has been an increase in litigation concerning data related disputes. In the US, the plaintiff bar is busy. In Europe, we have seen an increase in complaints to regulators and in litigation brought by privacy advocates. Unfair competition legislation has been used in Germany to found privacy-related claims, and we have seen privacy advocates initiate complaints to data protection authorities. While there remain significant legal hurdles to bringing successful claims for damages in this area, the number of complaints to data protection authorities appears to be growing. Data protection authorities’ enforcement powers are sometimes limited but they are responding with hefty fines, and ensuring that their investigations are well publicised. This is certainly an area to watch.
Bossardt: In Switzerland, the majority of cases investigated by the Financial Market Authority (FINMA) are related to data theft. The last case, which has been given greater publicity, related to an incident where a bank was sending account statements to the wrong recipients. In the EU, data protection litigation has been rising in two primary directions: first, as the result of a data breach arising from the unauthorised disclosure of personal data; and second, from the alleged invasion of an individual’s privacy as the result of the collection, use, and disclosure of personal data by companies with whom the affected individual has had contact. Even though the number of cases is rising in Europe, it is still not as popular to solve issues in the courts as it is in the US. The European system of data protection enforcement largely relies on the data protection authorities, which are considered to be the watchdogs for data protection.
Gordon: While only an incipient trend, I expect litigation over unauthorised access to information stored on employees’ personal devices or in their personal accounts to gather significant force in the next few years. The widespread – and likely, eventual universal – adoption of BYOD opens the door for employers to employees’ personal lives, and the quantity of available, sensitive information will only increase with the increased use of health-related applications and personal accounts. At the same time, fundamental human attributes, such as suspicion of wrongdoing and the urge to snoop into others’ personal lives, will make crossing the line irresistible for some. To make the mix more potent, potentially applicable federal statutes, such as the federal Wiretap Act and Stored Communications Act, authorise awards of statutory damages of $10,000 and $1000, respectively, absent proof of actual harm, as well as fee shifting for a successful plaintiff, making lawsuits attractive for plaintiffs’ counsel.
Freedman: I can’t emphasise enough the importance of the written agreements in place between companies and their vendors with respect to data breaches and data related disputes. The provisions of the contract that control data retention, return and destruction, as well as indemnification in the event of a data breach where notification or litigation ensue, are critical. Many indemnification clauses only allow for third party claims, when in fact, significant costs associated with a data breach include the cost of the investigation, notification, credit monitoring, legal costs and potential fines and penalties. Poorly written indemnification clauses are worthless.
Di Antonio: In your opinion, what steps should companies take to prepare for a potential data security breach? Do most companies have an adequate response plan in place?
Raether: A recent Forrester report again stated that employees remain the greatest source of security breaches. In short, companies are not establishing policies and ensuring their employees understand and abide by them. A great indicator of this gap can be seen in the manner in which a company responds to breach, specifically its communications and notification process. Companies that rush to tell a poorly researched story in order to calm consumers and regulators are probably working ‘off script’. Worse, they have no script. Not only should companies have a written incident response plan, but they practice with those plans to assure it can be fulfilled when the time comes. It is critical that any response plan identify and empower an incident response team. The team should be comprised of senior managers, key operations staff, experienced communicators, and any compliance or risk officers. Because there may always be a risk of significant liability attached to any incident, legal counsel should be involved.
Treacy: Companies that claim not to have had a security breach are probably not looking in the right place. Those who have detected breaches need to learn from them. All companies should have a data security breach procedure in place, and a breach response team. This team needs to rehearse its response periodically, and know what it is doing. Increasingly, with so much at stake if a breach occurs, companies are appointing specialist security breach lawyers ahead of time, as part of their preparation, to make sure they have access to the best lawyers if a breach occurs. We are also working with companies to assist with rehearsals, in the same way that companies prepare for the possibility of dawn raids by other regulators. There is no time for rehearsal once a security breach occurs. Valuable time and opportunity to contain the breach can be lost trying to work out what to do.
Bossardt: Companies should maintain an inventory of their data assets. Data assets need to be classified to allow for risk based protection measures. Additionally legal requirements have to be considered as well – for example, the E-privacy Directive requires in certain circumstances notification of a data breach. A key challenge is to design adequate breach detection capabilities and incident response plans. Such plans should include a communication strategy with the relevant stakeholders, including customers, authorities, media and the public. Privacy officers should closely align their efforts with the company’s cyber security specialists, which have similar issues to solve. Currently, many companies lack adequate response plans.
Gordon: Number one on my list would be to encrypt any mobile device used to store information that could trigger a security breach notification obligation. My experience – consistent with most studies – is that the loss or theft of a mobile device is the most common cause of a security breach, and virtually all breach notice laws have an ‘encryption safe harbour’. Other important steps include creating a security incident responses team (SIRT) and plan; training employees on identifying and reporting a potential security breach; and establishing the operational steps to be followed between initial report and ‘lessons learned’. Security incident response plans have certainly become more common among larger businesses, particularly those whose products or services involve handling ‘trigger information’. Smaller and medium-sized businesses, especially those that have not previously experienced a security breach, tend not to have a comprehensive security incident response plan in place.
Freedman: All companies should have a security breach notification policy and procedure in place to prepare for a potential security breach. In my experience, many companies may have a plan in place, but have not adequately tested the plan to make sure that all members of the team are aware of their responsibility so the team can be assembled quickly and efficiently. It is critical that vendor contracts for crisis management, credit monitoring, call centre services and other services are negotiated in advance of a data breach. You don’t want to negotiate these contracts while trying to investigate a data breach.
Levi: The single most important step a company can take is to have a rapid response plan in place. In today’s environment, companies can easily lose control over the timing of when they make a breach public. As just one example, security bloggers often publicise a data breach they have learned about through back channels before the company is prepared to go public. A rapid response plan should, among other things: identify the key team members; include a list of the key action items to consider, such as whether notification to consumers is necessary, how to handle the press, whether regulatory disclosures are required, and so on; and who will make the key decisions. The company should also have a law firm and forensics firm as part of the team that is knowledgeable about the business and the plan, so the company is not scrambling when an incident occurs. Some companies even run drills using the plan. We are advising an increasing number of companies on creating and implementing such plans.
Di Antonio: One issue that presents a significant challenge is privacy arising from employment. How can companies manage internal risks, such as those connected to Bring Your Own Device (BYOD), employee monitoring and malicious employee actions?
Treacy: Frequently, employees are a key cause of data security breach, yet often their actions are inadvertent. Too often, data privacy training is irrelevant, infrequent, or simply boring. Companies that are leading the market in their approach to managing data privacy risk have relevant, well-structured training programs, founded on a strong policy framework. The training is delivered on an ‘as needed’ basis, so that employees learn relevant information, delivered appropriately for their role and seniority. ‘One size’ data protection training rarely fits all. From a corporate perspective, the need to safeguard data assets frequently involves the monitoring of employees. The practicalities of conducting monitoring are challenging, from an employment law perspective and a EU fundamental rights perspective.
Bossardt: Rogue employees or suppliers – depending on the amount of criminal energy – will find a way around any privacy measures. Companies can, however, manage this risk and should also consider Cressey’s fraud triangle to get guidance on their protection strategy against rogue employees. The triangle names the following three factors that must be present for an ordinary person to commit fraud: pressure, opportunity and rationalisation. It is critical to create a culture of privacy awareness in the company and carefully select employees with access to sensitive data. Access to data should be granted and monitored on a strict ‘need-to-know’ basis only. While monitoring does not prevent breaches from happening, employees may be deterred as the risk of getting caught is high. In addition, technical solutions such as data leakage prevention (DLP) and digital rights management (DRM) are additional key measures to reduce the risk of privacy breaches by rogue employees and in BYOD environments.
Gordon: Employers need to take a programmatic and cross-functional approach to BYOD and employee monitoring. The team should include representatives from HR, Legal and IT. The team should identify the specific objectives of the program, the technology that will best achieve those objectives, and the policies and procedures that will mitigate legal and employee relations risks. In the case of BYOD, for example, the team must find the right balance between safeguarding, and obtaining access when needed, to corporate information on employees’ personal devices; and employees’ legal right to, and strong personal interest in, the privacy of non-business information stored on their personal devices. As another example, location tracking can substantially enhance productivity, especially for businesses with many field employees. However, if not implemented in a transparent way that takes into account corporate culture and legal risk, location tracking can be divisive and counterproductive.
Freedman: Most companies now implement BYOD programs and allow employees to utilise social media, both of which are high risk but unavoidable. Having a BYOD program and a social media policy in place is important to try to keep control over the risks associated with this activity. Understand that you will not have control over malicious employees’ actions, but be prepared for them as it frequently occurs. Preparedness and employee training are key. Employee training should be live and engaging – web-based training is pretty ineffective in engaging employees in ensuring compliance.
Levi: For all the sophistication of cyber attacks, all security experts will tell you that the human element is critical and often overlooked. In some cases this is an inadvertent disclosure of a password by an employee not being careful, but in other cases it is a rogue employee. Companies need to be vigilant in this area starting at the hiring process. Companies should also have regular training sessions to create a culture of vigilance; careful monitoring of employee activity; and strong responses when a breach occurs. In addition, companies should have robust policies and procedures in place to limit employee access to areas required for their performance.
Raether: Many data breaches start with some form of human error. The top attack vectors remain non-technical, such as abuse of system access or privileges; use of stolen credentials; social engineering; bribery; or embezzlement and skimming. One common example makes this point. Spear phishing has long been a favourite of hackers. You have been a target – that email that says you won a prize, have a security issue that needs to be resolved or are the subject of a better business bureau complaint and need to respond. Once you click on the link, malware is loaded to your computer and the hacker now has access to whatever the user can access. Companies should limit personnel access to information based on the employee or contractor’s ‘need to know’. A secretary or customer service associate often does not need the same information access as a CEO or IT Manager might need. Therefore, access credentials for system networks and databases should likewise be segregated and aggregated on this need-to-know basis. Information technology ‘doors’ should be locked and monitored the same way as those to any office suite.
Di Antonio: In your experience, are more companies proactively implementing appropriate controls and processes to deal with data protection and privacy? How important is it for a company to develop a culture of data protection based on strong values?
Bossardt: Companies are increasingly aware as to what extent they depend on personal data to generate their revenues. At the same time, prominent privacy breaches illustrate the fragility of the protection of these data assets in the context of global supply chains, outsourcing and cyber threats such as espionage by corporates and governments. Some companies feel that if they are not able to adequately protect personal data they will lose customer trust and their business case will fail. As a consequence, we even observe an interest in self-regulation. A strong culture of data protection is a critical element in a comprehensive framework of organisation and technical controls.
Gordon: Ironically, I am seeing more employers addressing protection of their US employees’ data because of their non-US operations. More and more US businesses — even relatively small ones — are multinational. These businesses want to leverage cost-saving cloud solutions that centralise HR data, usually in the US. At the same time, they are wary of violating unfamiliar privacy laws, not just in the EU. Focusing on compliance with these laws raises the question whether it makes sense to provide less protection for the personal data of US employees. Very often the answer to that question is “no”, and the employer implements a single, overarching set of policies and procedures for all employee data with supplemental policies and procedures to address outlier requirements.
Freedman: I recently conducted enterprise-wide privacy and security training for a company with offices throughout the US. The company’s privacy and security plan was outlined and live training was required of every employee. The importance of data protection was emphasised and the transformation of the culture of the company around data protection ramped up significantly. Employees began to think about what they were doing with data on a day-to-day basis and entire offices collaborated and changed their practices around data protection. It boosted morale to engage the employees in this important work and made them feel like an integral part of risk management. Suggestions keep pouring in and the process has been extremely beneficial to the company.
Raether: Most companies do not dedicate sufficient resources to data security, both in manpower and in security tools. For some, including start-ups, security is an issue to address only if the business becomes successful. For these companies, it may be too late or certainly much more expensive to develop sound security after the fact. For other companies, security is seen as a cost centre and insufficient resources are applied. Companies in highly regulated industries, such as the financial sector, have learned to apply the proper resources and build security into the early design of products. Avoiding an event and building the proper security has become part of the culture of these businesses to maintain company goodwill. Other companies should strive to do likewise. In sum, companies should prepare a risk analysis, understanding the data they control, likely modes of attack and appropriate measures to mitigate the risk. There must be an incentive to promote information security during the budgeting process and in operations.
Treacy: As companies realise the value of their data, they are seeking to implement appropriate controls and processes to better manage their data assets. Too often, however, a proactive approach is only triggered by a security breach, or by discovering that data use is restricted by failings in existing processes. We have worked with companies that have been unable to utilise data assets because of flaws in collection processes, or because proposed uses have never been notified to individuals. Companies need a strong culture of privacy awareness and compliance not merely to manage the risk of breach, but to enable them to make better use of their data assets.
Di Antonio: To what extent should insurance coverage be a key component of a company’s risk management strategy on data security?
Gordon: Employers need to conduct a careful cost-benefit analysis before investing in cyber insurance coverage for employee data. For employers with a smaller workforce and less risk arising from a security breach, the cost may be prohibitive. However, where insuring against risk associated with customer data is cost effective, the employer may be able to ‘wrap’ coverage for employee data into the coverage for risk associated with customer data at limited additional cost.
Freedman: Cyber liability insurance coverage is essential for all companies that collect, maintain, use and disclose employee and customer data. Companies should engage a broker who has specific experience with cyber liability products as the application process is detailed and lengthy. The company’s security risk assessment is a key component of the application and product choice. Appropriate coverage is essential, including coverage for costs associated with notification, fines and penalties.
Levi: Cyber insurance needs to be part of the discussion today. Not surprisingly, insurance brokers are pushing these policies given how high profile this issue has become. However, companies should work with their insurance advisers to see if cyber insurance provides meaningful additional coverage to the polices they already have. In some cases they will, but in other cases a company may conclude it is adequately protected. We also won’t know how strong cyber insurance policies really are until a number of companies have made claims against them and been successful, or not. This has not yet happened.
Raether: The cyber insurance market is relatively new and as a result coverage varies among the offerings. Generally, coverage addresses two areas: first-party coverage which includes direct expenses, and third-party coverage payments to cover costs of customers, consumers and others. Companies should look at the first-party coverage to determine whether it includes notification expenses to alert stakeholders of a breach and provide them, when necessary, with credit monitoring services. Other first-party expenses might include repairing reputation harmed by a breach, including public relations costs; restoring systems and data; repaying funds stolen through fraud or extortion; and covering revenue losses associated with computer system disruptions. Third-party coverage might include court-imposed damages, regulatory penalties and defence costs associated with lawsuits alleging the disclosure of customers’ personally identifiable information or harm to business partners’ systems. Some firms are offering risk management advice from its panel experts in addition to just loss coverage. In sum, the details are important, so make sure whoever provides advice in the space is knowledgeable.
Treacy: Insurance is a key part of the risk management strategy for data security, but it is only part of the solution. Insurers expect companies to understand their data assets, and their data risks. There is a variety of security breach and cyber risk insurance products, some of which are standalone, and others are added as endorsements to existing policies. Careful thought needs to be given to buying the right cover. There are some good products and knowledgeable brokers and underwriters in the market, particularly those with US experience. But insurance can never be a substitute for risk management.
Bossardt: Insurance should be considered to dampen the financial aspects of a data security breach. Companies should keep in mind that the impact of privacy breaches on reputation, and subsequent loss of customer trust and loyalty, may cause much more pain than the immediate financial consequences. Also insurance does not cover negligence and therefore will not release companies from taking adequate measures to mitigate the privacy risks.
Di Antonio: What final advice can you offer to companies on managing data risk, establishing internal controls and maintaining compliance with data privacy laws?
Raether: Historically, there has been on overreliance on just keeping the bad guys out. Build better firewalls, properly credential users, encourage strong passwords, and the like. These components of a sound security program are important. They also are incomplete. With the ever expanding list of access points our walled fortress of firewalls and the like now has hundreds and thousands of doors. These doors are guarded by sentinels that allow any variable packet – think an employee badge without a picture – to pass through that wall. Thus, our rogue employee, trusted outside vendor, or employee on vacation logging in through the hotels wireless, could be the Trojan horse that allows a hacker to easily pass through the firewall and gain access to the keys of the kingdom.
Treacy: Increasingly, personal data is a business’ most valuable asset, yet in too many companies data privacy strategy is only about security. Of course, security is crucial, but in a world of big data analytics, the cloud, and the internet of things, the businesses that flourish will be those that use their data assets strategically. To do that, companies need to start with the basics and know what data they hold, how it was collected, from whom, and on what basis. They need to think strategically about the creation and collection of data, what they would like to use the data for, and what expectations individuals might have about data use. They need to be transparent and build consumer trust in their use of data. Crucially, they need to be able to demonstrate compliance with privacy laws, utilising policies, procedures such as Privacy Impact Assessments, and people, including data protection officers. These are strategic objectives that need to be brought to life within the culture of an organisation.
Bossardt: Driven by advances in technology, digitalisation and data analytics, data has become a revenue driver and mission critical business asset. In addition to legal consequences, data breaches – in particular when personal data is affected – may lead to loss of customers and corresponding revenues. Companies should therefore treat and protect personal data as a strategic asset. This includes making data protection and security a board level topic, and assigning responsibility accordingly. Protecting data is a complex multidisciplinary issue. Often, responsible officers understand either the legal or information security aspects of privacy but not both. To implement and operate an effective, sustainable privacy protection framework, the responsible officer must be able to cover and align both aspects. Furthermore, it is critical that privacy and security requirements are taken into account at the design phase of business operating models, and information system architectures implemented to improve the robustness of the protection, and avoid high implementation and change costs later on.
Gordon: There are several particularly high-risk areas involving employee data: criminal and credit history checks, handling of employees’ social security numbers and health information, and employees’ use of personal devices to conduct the organisation’s business. Legal compliance in these areas requires very specific policies and procedures. Rather than simply inserting the phrase “and employee data” into policies and procedures applicable to customer data, employers should supplement generally applicable data protection policies and procedures with policies and procedures specifically designed to address the risks uniquely associated with employee data.
Freedman: It is essential for companies to perform a security risk assessment by an outside firm. The outside firm and internal IT personnel can then fill the security gaps to minimise risks and implement appropriate controls around the access, use and disclosure of data. Appropriate budgeting is essential. Simultaneously, legal counsel should be consulted to ensure that the policies and procedures comply with all laws applicable to the company. Finally, it is imperative that you bring your employees into the risk management process as employee error can and should be eliminated from the potential risks associated with a data breach. Eliminating that large risk is key to a successful risk management program.
Levi: There was a time when C-suite executives and the board could just have a general understanding of data privacy and cyber security issues. A response that “cyber security is a complex issue, but we have the best IT staff to handle that and we trust them” was commonplace. Nowadays, executives and the board cannot take such a ‘hands off’ approach. It is essential for them to understand, evaluate and act on the risks that every company faces. Internal controls and management are critical, both to minimise risk from an operational level, but also to mitigate the company’s risk profile if an attack occurs. A company that is attacked and did not have such controls and oversight in place is likely to have a much tougher time with plaintiff class action lawyers and regulators.
Rita Di Antonio serves as the managing director of IAPP Europe. She is based in Italy and leads IAPP Europe’s efforts to develop programmes and services for its European members. Ms Di Antonio has a deep understanding of EU law, and has worked closely with key data protection industry players and regulators in Europe. Prior to joining the IAPP, she was the Editor of DataGuidance, a leading data protection global online resource.
Ron Raether is a partner at Faruki Ireland & Cox P.L.L. Mr Raether not only works as a data breach coach and defending companies in class actions and before regulators, but also advises companies in proactively developing data security practices and policies.
Bridget Treacy leads Hunton & Williams’ UK Privacy and Cybersecurity team. For over 14 years her practice has focused on all aspects of privacy and information governance for multinational companies including big data analytics and the Internet of Things, behavioural targeting, cloud computing, cross- border data transfers and BCRs, and data breach. Ms Treacy is top ranked in Chambers which describes her as “one of the leading thinkers on data protection, providing practical solutions to thorny legal issues”.
Matthias Bossardt is a partner and head of information risk consulting at KPMG AG. He supports global corporations in Europe, the Middle East and the Americas in implementing effective data protection and improving their cyber security resilience. Mr Bossardt was the first lead auditor accredited to certify data protection management systems according to Swiss law. He holds a PhD in Information Technology from the Swiss Federal Institute of Technology.
Philip Gordon chairs the Privacy and Background Check Practice Group at Littler Mendelson, P.C. He counsels employers on workplace privacy and information security issues, including background checks, employee monitoring, regulating social media, HIPAA compliance, cross-border data transfers, and security incident preparedness and response. Mr Gordon serves on the Advisory Board of BNA’s Privacy & Security Law Report. He taught data protection law as an adjunct professor at the University of Colorado School of Law.
Linn Freedman practices in data privacy and security law, and complex litigation. She is leader of the firm’s Privacy & Data Protection group and chair of the firm’s HIPAA Compliance Team. She focuses on compliance with all state and federal privacy and security laws, and regulations, as well as emergency data breach response and mitigation. She advises clients on state and federal data privacy and security investigations, and helps companies and organisations adopt their risk management approach.
Stuart D. Levi is co-head of Skadden’s Intellectual Property and Technology Group, and coordinates the firm’s outsourcing and privacy practices. He has a broad and diverse practice that includes outsourcing transactions, technology and intellectual property licensing, privacy and cyber security advice, branding and distribution agreements, cloud computing agreements, technology transfers, strategic alliances and joint ventures. Mr Levi also counsels clients on a variety of issues, including website and technology policies, intellectual property matters and legislative compliance.
© Financier Worldwide