PRIVACY POLICIES: THE LAW “UNDER THE HOOD” (October 2015) – Kelly McCanlies, CIPP/US, CIPM, CIPT, Director, Privacy Programs, Information Assurance Department, Hawaiian Electric Company

Upload: stewart-lee-burke

Post on 17-Jan-2016

TRANSCRIPT

Page 1

PRIVACY POLICIES: THE LAW “UNDER THE HOOD”

October 2015

Kelly McCanlies, CIPP/US, CIPM, CIPT
Director, Privacy Programs
Information Assurance Department
Hawaiian Electric Company

Page 2

PRIVACY POLICIES: AGENDA

• Definitions

• The Laws
  o FTC – Federal Trade Commission
  o COPPA – Children’s Online Privacy Protection Act
  o HIPAA – Health Insurance Portability and Accountability Act
  o SEC – Securities and Exchange Commission
  o State laws
  o Other legal considerations

Confidential – property of Hawaiian Electric Co.

Page 3

PRIVACY POLICIES: DEFINITIONS - PRIVACY & SECURITY

Security is about
• protecting assets,
• creating barriers,
• both physical and technology.

Privacy is about
• compliance (legislative, regulatory, contractual),
• data in any form
  o at rest, in transit, in display
  o hard or softcopy
• access to personal information.

Page 4

PRIVACY POLICIES: DEFINITIONS - PII

Personally Identifiable Information (PII)

In general terms – any information that relates to or identifies a person

Differs from law to law


Page 6

PRIVACY POLICIES: FTC (FEDERAL TRADE COMMISSION)

• 207 enforcement actions involving privacy or security since 1997

• In addition to the FTC Act, FTC cases cover
  • CAN-SPAM
  • COPPA
  • FCRA
  • FDCPA
  • GLBA
  • TILA

Page 7

PRIVACY POLICIES: WYNDHAM HOTELS

What happened at Wyndham Hotels?
• 3 breaches 2008 – 2010
• 619,000 credit card numbers exposed
• Data exfiltrated to a server in Russia
• $10.6M in credit card losses

Same attack methods used in all three breaches

No technical remediation made by Wyndham after 1st and 2nd breaches

Page 8

PRIVACY POLICIES: WYNDHAM HOTELS

Privacy Policy (before the FTC suit)

“We safeguard our Customers' personally identifiable information by using industry standard practices. Although "guaranteed security" does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations.”

Page 9

PRIVACY POLICIES: FTC V. WYNDHAM HOTELS

FTC: Defendants failed to provide reasonable and appropriate security for the personal information…

• failure to use readily available security measures, such as firewalls;
• storage of credit card information in clear text;
• failure to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks;
• failure to address known security vulnerabilities on servers;
• use of default user names and passwords for access to servers;
• failure to require employees to use complex user IDs and passwords to access company servers;
• failure to inventory computers to appropriately manage the network;
• failure to maintain reasonable security measures to monitor unauthorized computer access;
• failure to conduct security investigations; and
• failure to reasonably limit third-party access to company networks and computers.

Page 10

PRIVACY POLICIES: WYNDHAM HOTELS

The court case:

2012 – FTC files suit in District Court alleging “deceptive and unfair business practices” (US District Court of New Jersey)

2014 – District court rules against Wyndham’s motion to dismiss, upholding FTC authority to regulate cybersecurity

Aug 2015 – Appeals court upholds FTC authority (U.S. Court of Appeals for the Third Circuit)

Page 11

PRIVACY POLICIES: WYNDHAM HOTELS

Privacy Policy (current policy)

“Security of Your Information: We will take reasonable steps to protect the information you provide us from loss, misuse and unauthorized access, disclosure, alteration and destruction. We have implemented appropriate physical, electronic and managerial procedures to help safeguard and secure your information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Unfortunately, no security system is 100% secure, thus we cannot ensure the security of information that you provide to us via the Services.”


Page 13

PRIVACY POLICIES: COPPA (CHILDREN’S ONLINE PRIVACY PROTECTION ACT)

Applies to:

• operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children

• operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13

Page 14

PRIVACY POLICIES: COPPA - DEFINITION OF PERSONAL INFORMATION

• First and last name
• Physical address (street name and city name)
• Online contact information
• Screen or user name
• Telephone number
• Social Security Number
• A persistent identifier that can be used to recognize a user over time and across different websites or online services
• Photograph, video, or audio files, where such file contains a child’s image or voice
• Geolocation information (sufficient to identify street name and city name)

Page 15

PRIVACY POLICIES: COPPA

Privacy Policy (example from Target)

“We recognize the particular importance of protecting privacy where children are involved. We do not knowingly collect personally identifiable information online from children under the age of 13. If a child under the age of 13 has provided us with personally identifiable information online, we ask that a parent or guardian contact us or call 800-440-0680.”


Page 17

PRIVACY POLICIES: HIPAA

• HIPAA does not preempt
  In 2014, in Byrne v. Avery Ctr. for Obstetrics & Gynecology, the Connecticut Supreme Court ruled that HIPAA does not preempt common-law claims for negligence and negligent infliction of emotional distress against a health care provider.

• The Case
  o Avery Center’s privacy policy assured patients that their protected health information would not be disclosed without their authorization.
  o Avery Center was subpoenaed and supplied Byrne’s medical records.
  o As a result, Byrne allegedly suffered harassment and extortion threats after the estranged father of her child viewed the medical records.

Page 18

PRIVACY POLICIES: HIPAA

Avery Center’s current Privacy Policy:

“We will disclose protected health information about you when required to do so by federal, state or local law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. We will make a reasonable effort to inform you of the request.”


Page 20

PRIVACY POLICIES: AGENDA

• Definitions

• The Laws
  o FTC – Federal Trade Commission
  o COPPA – Children’s Online Privacy Protection Act
  o HIPAA – Health Insurance Portability and Accountability Act
  o SEC – Securities and Exchange Commission
  o State laws
  o Other legal considerations

• Why privacy policies are important

Page 21

PRIVACY POLICIES: SEC

SEC Disclosures

• For all publicly traded companies

• First guidance on cyber-incident reporting issued in Oct. 2011 by the Division of Corporation Finance

• Disclosure of “material” cyber-incidents

Page 22

PRIVACY POLICIES: SEC

SEC Disclosures

• A cyber-incident:
  o Deliberate or unintentional event
  o Unauthorized access to digital systems: misappropriating information, corrupting data or operational disruption

• Material information: information that a "reasonable investor would consider important to an investment decision”
  o SEC: “A cyber-attack could be material if it causes a company to significantly increase what it spends to defend its systems”
  o SEC Commissioner urged more public reporting of cyberattacks. Firms “should go beyond the impact on the company” and weigh the effect on others, including customers.

Page 23

PRIVACY POLICIES: SEC

SEC Disclosures

• Report in
  o 10Q – quarterly report (less detailed)
  o 10K – annual report (more detailed)
  o 8K – special form to report to investors an unscheduled material event

• Differentiate risks from incidents
• Needs to match public statements

Target was subject to SEC investigation due to the data breach.

Page 24

PRIVACY POLICIES: SEC

SEC Disclosures

Good examples of 10K filings:
  o Citigroup (March 1, 2013) or Bank of America (Feb 28, 2013)
  o Coca-Cola (Feb 27, 2013) discloses Chinese hacking

Filings available through the SEC search tool EDGAR

Page 25

PRIVACY POLICIES: SEC - HARTFORD

SEC Disclosures

• Hartford Insurance
  o Hartford mentioned a reliance on online technology in their SEC 10K filing.
  o April 2012: the SEC sent a letter asking for more info.
  o Hartford responded: we have not experienced a material incident.
  o SEC followed up with questions on “have you ever been under attack?”

Page 26

PRIVACY POLICIES: SEC - HARTFORD

Hartford added language to their 10K:

“If we are unable to maintain the availability of our systems and safeguard the security of our data due to the occurrence of disasters or a cyber or other information security incident, our ability to conduct business may be compromised, we may incur substantial costs and suffer other negative consequences, all of which may have a material adverse effect on our business, financial condition, results of operations and liquidity.”

Page 27

PRIVACY POLICIES: SEC - HARTFORD

Privacy Policy

OUR SECURITY PROCEDURES
“We take reasonable precautions to safeguard the personal information transmitted between visitors and the Site and the personal information stored on our servers. Unfortunately, no method of transmitting or storing data can be guaranteed to be 100% secure. As a result, although we strive to protect your personal information, we cannot ensure the security of any information you transmit to us…”

WHERE THE HARTFORD STORES AND MAINTAINS INFORMATION
“This Online Privacy Policy applies to our United States operations. We maintain the Site in the United States and the Site is not intended to subject The Hartford or any affiliated entity to the laws or jurisdiction of any state, country or territory other than that of the United States. The Hartford does not represent or warrant that the Site, or any part thereof, is appropriate or available for use in any particular jurisdiction…”


Page 29

PRIVACY POLICIES: STATE PRIVACY LAWS

State Attorneys General

Security Breach Notification
47 states, DC, Guam, Puerto Rico, US Virgin Islands
Dependent on where the customer lives, NOT where the business is located.

Other state privacy laws include data collection, social media in hiring, Social Security Number protection, student data protection, etc.

Page 30

PRIVACY POLICIES: STATE PRIVACY LAWS

State Attorneys General

• In 2013, the Hawaii AG received $106,179 for one privacy fine from Google Street View

• 3 Hawaii Privacy Laws
  o Social Security Number Protection (HRS 487-J)
  o Security Breach of Personal Information (HRS 487-N)
  o Destruction Of Personal Information (HRS 487-R)

Page 31

PRIVACY POLICIES: DEFINITIONS - HRS 487-N

"Security breach" means an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.

Page 32

PRIVACY POLICIES: DEFINITIONS - HRS 487-N

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
  (1) Social security number;
  (2) Driver's license number or Hawaii identification card number; or
  (3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.
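One way an incident responder can apply the two HRS 487-N definitions above when scoping which exposed records feed a breach-notification population. This is an added example, not material from the presentation or from Hawaiian Electric; the Record type, the field names and the sample records are constructed assumptions. It follows the quoted wording literally: a record stays in scope unless both the name and the data element are encrypted, and a redacted element does not count.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Data elements which, in combination with a name, make a record
# "personal information" under HRS 487-N items (1)-(3).
# The dictionary keys are constructed field names, not statutory terms.
TRIGGER_ELEMENTS = {
    "ssn": "(1) Social security number",
    "drivers_license": "(2) Driver's license or Hawaii ID card number",
    "account_number": "(3) financial account number",
    "card_number": "(3) credit or debit card number",
    "access_code": "(3) access code or password for a financial account",
}


@dataclass
class Field:
    value: Optional[str]         # None means the field is absent from the record
    encrypted: bool = False      # exposed only in encrypted form
    redacted: bool = False       # exposed only in masked/truncated form


@dataclass
class Record:
    record_id: str
    first: Field                 # full first name or first initial
    last: Field
    elements: Dict[str, Field] = field(default_factory=dict)


def _present(f: Optional[Field]) -> bool:
    return f is not None and bool(f.value)


def triggering_elements(rec: Record) -> List[str]:
    """Unredacted data elements from the statutory list that the record carries."""
    return [k for k, f in rec.elements.items()
            if k in TRIGGER_ELEMENTS and _present(f) and not f.redacted]


def is_personal_information(rec: Record) -> bool:
    """Literal reading of the quoted definition: a name (first name or first
    initial plus last name) in combination with at least one listed data
    element, where the name or that element is not encrypted.  Encrypting
    only one side therefore does not take the record out of scope."""
    if not (_present(rec.first) and _present(rec.last)):
        return False
    name_encrypted = rec.first.encrypted or rec.last.encrypted
    for key in triggering_elements(rec):
        if not name_encrypted or not rec.elements[key].encrypted:
            return True
    return False


def scope_breach(records: List[Record]) -> List[str]:
    """IDs of exposed records that meet the 487-N definition and so belong
    in the notification population (the 'unencrypted or unredacted records'
    part of the 'security breach' definition)."""
    return [r.record_id for r in records if is_personal_information(r)]


# Constructed sample of exposed records (not real data).
SAMPLE_RECORDS = [
    Record("r1", Field("Jane"), Field("Doe"),
           {"ssn": Field("000-00-0001")}),                      # clear name + clear SSN
    Record("r2", Field("J"), Field("Smith"),                    # first initial suffices
           {"card_number": Field("4111000000000002", encrypted=True)}),  # name in clear
    Record("r3", Field("Ken", encrypted=True), Field("Lee", encrypted=True),
           {"ssn": Field("000-00-0003", encrypted=True)}),      # both sides encrypted
    Record("r4", Field("Ann"), Field("Wong"),
           {"email": Field("ann@example.com")}),                # email is not a listed element
    Record("r5", Field("Bob"), Field("Ito"),
           {"ssn": Field("***-**-0005", redacted=True)}),       # element redacted
    Record("r6", Field("Mia"), Field(None),
           {"drivers_license": Field("H0000006")}),             # no last name
]

if __name__ == "__main__":
    print(scope_breach(SAMPLE_RECORDS))   # r1 and r2 are in scope
```

Record r2 is the one worth noticing: its card number was encrypted, but because the name was exposed in clear the literal wording keeps it in scope, which is why encrypting only the sensitive column is not enough to narrow a notification population under this definition.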


Page 34

PRIVACY POLICIES: OTHER LEGAL CONSIDERATIONS

Class action lawsuits (Target Corp.)

• Over 140 lawsuits filed in 21 states plus DC.

• Most are consumer class-action suits, but financial institutions and investors have also filed.

• Some lawsuits include Target’s security auditor Trustwave.

• One lawsuit filed under the Minnesota Plastic Card Security Act (PCI).

Page 35

PRIVACY POLICIES: OTHER LEGAL CONSIDERATIONS

Conflicts within a Privacy Policy

• True Beginnings and Plenty Of Fish
  o True Beginnings filed for Chapter 11 bankruptcy protection in 2012
  o Plenty of Fish contracted to buy the 34 million subscribers’ data for $700,000
  o Texas Attorney General filed objections to the transfer of assets based on True Beginnings’ "ambiguous online published privacy policy" and its failure to provide members with prior notice regarding the sale of their personal information.

Page 36

PRIVACY POLICIES: OTHER LEGAL CONSIDERATIONS

True Beginnings’ Privacy Policy:

• "True does not sell, trade, or otherwise disclose customer lists names, addresses, birth dates, email address or other individually identifiable information to unaffiliated third parties without your permission”

• “In the event that True should be acquired or substantially all of its assets transferred, Personal Information would be considered a transferable asset.”

Page 37

PRIVACY POLICIES

Questions & Answers

Kelly McCanlies, CIPP/US, CIPM, CIPT
Director, Privacy Programs
Information Assurance Department
Hawaiian Electric Company

[email protected]