Protecting Company Confidential or Proprietary Information in the Electronic Age
Sandra A. Jeskie, Partner, Duane Morris LLP
Pamela Lehrer, Vice President and General Counsel, Berwind Group
www.duanemorris.com
©2010 Duane Morris LLP. All Rights Reserved. Duane Morris is a registered service mark of Duane Morris LLP. Duane Morris – Firm and Affiliate Offices | New York | London | Singapore | Los Angeles | Chicago | Houston | Hanoi | Philadelphia | San Diego | San Francisco | Baltimore | Boston | Washington, D.C.
Las Vegas | Atlanta | Miami | Pittsburgh | Newark | Boca Raton | Wilmington | Cherry Hill | Princeton | Lake Tahoe | Ho Chi Minh City | Duane Morris LLP – A Delaware limited liability partnership
Protected Information
• Trade Secrets
• Personally Identifiable Information
– Consumers
– Employees
• Company Proprietary Information
Laws Relating to Personally Identifiable Information (“PII”)
• Financial Services
• Health Care
• Education
• Telecommunications
• Children
• Miscellaneous (drivers license, video rental, etc.)
Sarbanes Oxley Act of 2002 “SOX”
• Section 404
– Establish and maintain adequate “internal controls” for financial reporting, and
– Assess annually the effectiveness of these controls.
SOX
• Section 404 and its implementing Rules do not expressly require IT security
BUT, as a practical matter, compliance necessitates adequate IT security
– requires disclosure of “material weaknesses”
Gramm Leach Bliley (“GLB”)
• Establishes obligations for “financial institutions”
– Banks and lenders,
– check-cashing businesses,
– professional tax preparers,
– mortgage brokers,
– credit counselors,
– real estate settlement companies, and
– retailers that issue credit cards to consumers, etc.
GLB – Safeguards Rule
• Must implement a written information security program
1. Identify and assess the risks to customer information and evaluate effectiveness of current safeguards
2. Design and implement a safeguards program and establish regular monitoring and testing
GLB - Safeguards Rule
3. Select appropriate service providers and contract with them to implement safeguards
4. Evaluate and adjust the program in light of relevant circumstances including: changes in business or the results of testing and monitoring
GLB
When a security breach occurs:
• Implement an incident response plan with the following procedures (at a minimum):
– assess the nature and scope of the incident
– appropriate notification
– steps to contain and control the incident
HIPAA
• Impacts all organizations within the healthcare industry, and those which process or use healthcare information, such as:
– private health plans,
– healthcare providers, and
– healthcare clearinghouses
HIPAA
• “PHI” is information that relates to the individual's past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual.
45 C.F.R. 160.103.
HIPAA – Security Rule
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
ITAR
• International Traffic in Arms Regulation
– Regulates the export and import of defense-related articles and services
– Prohibits disclosure of certain information to non-US citizens, including employees and non-US companies
– Requires segregation and regulation of information
Privacy Laws
• No privacy authority whose sole job is enforcement of privacy laws
Federal Trade Commission (“FTC”)
• Enforces laws that prohibit business practices that are anti-competitive, deceptive, or unfair to consumers
• Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce are declared unlawful.”
15 U.S.C. Sec 45 (a)(1)
Recent Developments
Red Flag Rules effective Dec. 31, 2010
• Applies to “financial institutions” and “creditors” who have “covered accounts”
– “creditor” defined broadly and includes businesses/organizations that regularly defer payment for goods or services or provide goods or services and bill customers later
– “covered accounts” include: consumer accounts or any account with a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft
• If applicable, required to have a written identity-theft prevention program
State Laws
• 46 states have enacted breach notification laws
• Most are different!
• 29 states have data disposal laws relating to PII
• Nevada requirements for encryption effective Jan. 1, 2010
• Massachusetts Data Security Regulations effective March 1, 2010
Nevada Amended Encryption Statute
• Encryption requirement
– must encrypt personal information transmitted electronically outside the “data collector’s” secure system
– must encrypt personal information stored on any device or medium that is moved “beyond the logical and physical controls” of the data collector or its data storage vendor
• Codifies the Payment Card Industry Data Security Standard (PCI DSS)
Massachusetts Data Security Regulations
• “every person that owns, licenses, stores or maintains personal information” about a Massachusetts resident must have a comprehensive written information security program
• Encryption requirement
– Transmission of personal information
– Portable devices (laptop, smart phones, flash drives etc.)
Massachusetts Data Security Program
Develop a security program
• Assess reasonably foreseeable internal and external risks (including paper or other records)
– employee training and compliance
• Oversee service providers
– Careful selection of providers
– Contractual limitations re: security measures for personal information
• Restrictions upon physical access to records
• Document breaches and investigations
Data Breaches Get The Headlines
Data Breaches
• The number of breaches continues to rise
• Federal enforcement of breaches escalates
• States take the lead in new laws
• Victims of data breaches continue to face an uphill battle for legal redress
• The cost of a data breach is rising
Cost of a Breach
• $204 per compromised customer record in 2009
• Average total per-incident costs in 2009 were $6.75 million
» Data from Ponemon Institute 2010 report
Security Statistics
• Over 70 million security breaches
– 4% - Lost backup tapes
– 7% - Unauthorized access to documents
– 19% - Human Error
– 25% - Hacking
– 45% - Stolen/lost computer or portable devices
Privacy Rights Clearinghouse
High Profile Thefts of Trade Secrets
• Coca-Cola
• Morgan Stanley
• Boeing
• Duracell
The Threat Within
• Inadvertent disclosures
• Use of unapproved devices
• Carelessness
• Lack of training
• Theft
Disposal of Information
Acquisition Related Issues
• Sale of Division, product line or subsidiary
– Clearly delineate information
– Protections in acquisition agreement
– Address possible inadvertent disclosures
  » Employees
  » Systems
Technology Risks to Business
• New storage media
– Cyberbling
– MP3
– Mobile phones
– Wireless/Bluetooth connectivity
• More tech savvy employees
Laptops
Flash/Thumb/USB Keychain Drives
iPhone/ iPod/ MP3
PDAs
Cameras
• Camera phones
• Pen Cameras
• Wristwatch cameras
Instant Messaging
E-Mail and File Storage
• E-mail sent to personal accounts or put on personal laptops
• Work files stored on personal devices or web backups
• Inadvertent disclosures by e-mail – the Eli Lilly example
Cloud Computing
• Definition:
– Narrow: updated version of utility computing: basically virtual servers available over the Internet.
– Broad: anything outside the firewall is in the cloud, including conventional outsourcing.
Cloud Computing Security Risks
• Most established service providers (Amazon and Google) contract on a take it or leave it basis
• Servers may not be in the US
• Smaller service providers may not survive
• What happens to the data at termination?
P2P software
• P2P Software is installed at least once in 77% of companies
FTC Warnings
Fortune 500 Companies and Social Media
• 22% have blogs (Fortune 500)
– 31% enhance blogs with video
(45% of Inc. 500 - fastest growing private companies - have blogs!)
• 35% have a corporate program for tweeting
• 19% host podcasts
Social Networking Sites – LinkedIn, Facebook, My Space
Blogging
Wikipedia
Issues with Social Media
• Leaks of trade secrets and confidential information
• Security breaches
• Financial
• Corporate Reputation
• Regulatory Issues
• Discovery time bombs
Wireless Security
Outsourcing
• “A company that is subject to U.S. laws is responsible for the use and maintenance of consumer information in accordance with those laws. . . . Simply because a company chooses to outsource some of its data processing to a domestic or off-shore provider does not allow that company to escape liability for any failure to safeguard information adequately.”
Timothy J. Muris, Former Chairman, FTC
Outsourcing and International Risks
• Proving ownership of intangible trade secrets is difficult
• Foreign countries do not always recognize or offer protection for trade secrets in a similar manner
• Foreign countries may not enforce laws
Best Practices in Outsourcing
• Due diligence in outsourcing firms
– Background checks
– Review company’s history
• Contractual obligations
• Monitoring
• Train partners
• At termination, remove data
The Threat Outside – Competitive Intelligence and Business Espionage
• Business or Economic Espionage
• Industrial or Commercial Spying
Economic Espionage
• The U.S. Attorney General defined economic espionage as:
“the unlawful or clandestine targeting or acquisition of sensitive financial, trade, or economic policy information, proprietary economic information, or critical technologies.”
Economic Espionage and Industrial Spying 2005
Competitive Intelligence
• Competitive Intelligence is defined as:
“a systematic and ethical program for gathering, analyzing and managing information that can affect a corporation’s plans, decisions and operations.”
Nasheri, Economic Espionage and Industrial Spying
Examples of Business Espionage
• Maytag “Front Loader”
• Ringling Brothers
• Oracle
• SAP
• HP
Competitive Intelligence
• 90% of large companies have CI staff and many large U.S. businesses spend more than $1 million annually on CI.
Economic Espionage and Industrial Spying 2005 (citing Business Week 2002)
Legal Collection of Competitive Intelligence
• Public records (on-line databases, industry periodicals, competitors’ promotional documents or a review of annual reports, patent filings)
• Trade shows
• Attendance at conferences and seminars
• Analysis of competitor’s products
• Customer surveys
• Visual observation of a competitor’s site
• Dumpster diving?
Best Practices - Planning
• Identify trade secrets, proprietary information and personally identifiable information
• Conduct a risk assessment
• Draft Policies
Best Practices – Policy Development
• Workplace E-Policies and Social Media Policies
• Establish ownership and user guidelines for computer and internet use
• Dispel expectations of privacy
• Obtain employee consent
Best Practices - Policy Development
• Develop a Compliance Plan and Guidelines
– put employees/contractors on notice
– include confidentiality provision in contracts and other documents
– require non-disclosure agreements
– protect trade secrets and personally identifiable information with passwords, encryption, visitation procedures, locks on file cabinets etc.
– identify and protect information in any form
– limit access on a need to know basis
![Page 60: Protecting Company Confidential or Proprietary Information in the ... · Data Breaches • The number of breaches continues to rise • Federal enforcement of breaches escalatesFederal](https://reader034.vdocuments.mx/reader034/viewer/2022052101/603b47245e243d08e920b19f/html5/thumbnails/60.jpg)
Best Practices – Policy Development
• Develop a Data Security Plan - Why? It's required!
– Comprehensive approach for your most valuable assets
– Protection from significant financial loss and damage
– Protection of customer information
– Contain intrusions, restore systems and provide assistance to customers (if necessary)
Best Practices – Policy Development
• Develop an Incident Response Plan
– breach containment
– activation of the core team to handle a breach
– outline for internal investigation and analysis
– identification of security breach notification laws
– notification of relevant authorities and credit bureaus
– guidelines for internal and external communications
– media statements
– approach the plan from “when”, not “if”
Best Practices – Policy Development
• Develop a Document Retention Policy
– Good litigation preparedness tool – e-discovery!
– Ensures that documents are properly destroyed when no longer needed
– Addresses documents in all forms
Best Practices – continued
• Apply all policies and procedures to outside consultants, as well as employees
• Train employees
• Conduct regular audits
Questions?