Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™
Receive our free weekly newsletter at www.financialpoise.com/subscribe
Practical and entertaining education for
attorneys, accountants, business owners
and executives, and investors.
DISCLAIMER
The material in this webinar is for informational purposes only. It should not be
considered legal, financial or other professional advice. You should consult with an
attorney or other appropriate professional to determine what may be best for your
individual needs. While Financial Poise™ takes reasonable steps to ensure the information
it publishes is accurate, Financial Poise™ makes no guaranty in this regard.
About this PowerPoint: if you are looking at this PowerPoint without the benefit of
listening to the conversation that surrounded it then you are doing yourself a disservice.
This PowerPoint was prepared in contemplation of being viewed in conjunction with
listening to a one-hour webinar on the topic.
MEET THE FACULTY
Moderator:
Kathryn Nadro – Sugar Felsenthal Grais & Helsinger LLP
Panelists:
Daniel Farris – K&L Gates LLP
Cassandra Porter – Cognizant Technology Solutions
Alexander Bilus – Saul Ewing Arnstein & Lehr, LLP
ABOUT THIS WEBINAR: Introduction to
US Privacy and Data Security: Regulations
and Requirements
There is no federal law governing privacy and data security applicable to all US citizens.
Rather, individual states and regulatory agencies have created a patchwork of protections
that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and
regulations which may impact your business, from the state law protecting personal
information to regulations covering the financial services industry to state breach
notification laws.
ABOUT THIS SERIES:
Cybersecurity & Data Privacy 2019
Data security, data privacy, and cybersecurity are critical issues for your company to
consider in today’s business landscape. Data breaches from high profile companies,
including law firms, generate worldwide headlines and can severely damage your
business’s reputation. In certain industries, a patchwork of state and federal laws and
regulations may cover your business, leading to compliance headaches.
This series explores the various laws and regulations which govern businesses both in the
US and abroad, as well as how to implement and enforce an information security policy to
protect your company and limit any damage from a data breach.
EPISODES IN THIS SERIES
9/24/19 Episode #1: Introduction to US Privacy and Data Security:
Regulations and Requirements
10/22/19 Episode #2: Introduction to EU General Data Protection
Regulation: Planning, Implementation, and Compliance
11/19/19 Episode #3: How to Build and Implement your Company's
Information Security Program
12/17/19 Episode #4: Data Breach Response: Before and After the Breach
Dates shown are premiere dates.
All webinars will be available
On Demand approximately 4 weeks
after they premiere.
Episode #1:
Introduction to US Privacy and Data
Security: Regulations and
Requirements
WHAT IS DATA SECURITY?
a. Confidentiality, availability, and integrity of data
b. All the practices and processes used to protect data from being used or
accessed by unauthorized individuals
c. How a company safeguards the data it collects and uses from threats
WHAT IS DATA PRIVACY?
a. The appropriate use of data, including the use of data according
to agreed purposes
b. How a company uses the data that it has collected
WHAT IS PERSONAL INFORMATION?
a. “personally identifiable information” sometimes called “PII”
i. Can be linked to a specific individual
ii. Name, email, full postal address, birth date, SSN, driver’s license
number, account numbers
b. “non-personally identifiable information”
i. Cannot by itself be used to identify a specific individual
ii. Aggregate data, zip code, area code, city, state, gender, age
WHAT IS PERSONAL INFORMATION?
(CON’T)
c. Gray area – “anonymized” data
i. Non-PII that, when linked with other data, can effectively identify a
person
ii. Geolocation data
iii. Site history and viewing patterns from IP address
iv. Note: recent rollback of privacy regulation with the FCC?
WHY DO WE NEED TO PROTECT IT?
a. Data is a corporate asset
b. Corporate data is at a higher risk of theft or misuse than ever before
c. Consumers now expect companies to take initiative to protect both
security and privacy
WHAT MUST COMPANIES DO TO
PROTECT IT?
a. Compliance with state, local, federal laws and regulations
i. Patchwork of laws developed by sector
ii. Contrast to Europe, which has a centralized, uniform law
iii. Makes it difficult to comply when multiple, possibly inconsistent laws
apply
b. Contracts with third parties
WHAT MUST COMPANIES DO TO
PROTECT IT? (CON’T)
c. Privacy policies for website users
i. Don’t need one if: website is static, is purely B2B, and collects no PII from
consumers
ii. Should cover:
1. Actual practices for PII and information that reasonably could be associated
with a person or device, regarding collection, storage, use, and sharing of
info
iii. Be aware of: financial information, medical information, children’s
information
d. Privacy audits:
i. Run them periodically to review and assess policies and practice for data
WHAT MUST COMPANIES DO TO
PROTECT IT? (CON’T)
a. Your company may have more PII than you are aware of
i. For example, if your company gives out commercial loans, it must
comply with GLB
ii. BUT: if you also take guarantees, then you have personal information
such as account information, possibly life insurance information,
mortgage information, etc. that must be secured
iii. Have to think more creatively about what types of information you
might be collecting
1. Credit card payments – have to secure that information
CALIFORNIA CONSUMER PRIVACY ACT
a. Effective January 1, 2020, companies will have to observe restrictions on
data monetization business models, accommodate rights to access, deletion,
and porting of personal data, and update privacy policies
b. “Consumers” (defined as natural persons who are California residents) have
the right to know what personal information a business has collected about
them and what it is used for, the right to opt out of allowing a business to
sell their personal information to third parties, the right to have a business
delete personal information, and the right to receive equal servicing and
pricing from a business even if they exercise their privacy rights under the
Act.
CALIFORNIA CONSUMER PRIVACY
ACT (CON’T)
c. “personal information” is “any information that…relates to…a particular consumer
or household”
i. Information about a household may include information like utility bills or
pricing
d. Companies must comply if they receive personal data from California residents and
they or their parent company or a subsidiary (a) exceed annual gross revenues of
$25 million, (b) obtain personal information of 50,000 or more California
residents, households or devices annually, or (c) derive 50 percent or more of annual
revenue from selling California residents’ personal information.
CALIFORNIA CONSUMER PRIVACY
ACT (CON’T)
e. The Act provides a private right of action that allows consumers to seek,
either individually or as a class, statutory or actual damages and injunctive
relief, if their sensitive personal information is subject to unauthorized
access and exfiltration, theft or disclosure as a result of a business’s failure
to implement and maintain reasonable security measures
i. Statutory damages can be between $100 and $750 per California
resident per incident, or actual damages, whichever is greater
MASSACHUSETTS STANDARDS – 201
C.M.R. 17
a. 2010 law – most protective privacy law in the US at that time
b. Requires every business that licenses or owns personal information of
Massachusetts residents to comply with the minimum security standards set
forth in the regulation
c. Considered the gold standard
d. Requires, when technically feasible, the encryption of personal information
stored on portable devices and personal information transmitted across
public networks or wirelessly
MASSACHUSETTS STANDARDS – 201
C.M.R. 17 (CON’T)
e. Requires any natural person or entity that owns or licenses
information of a Massachusetts resident to implement a written information
security program (“WISP”) with appropriate administrative, technical,
and physical safeguards
i. Standards must be consistent with those set forth in state and
federal regulations to which a business is subject, including data
breach notification laws, HIPAA, and the Gramm-Leach-Bliley Act
MASSACHUSETTS STANDARDS – 201
C.M.R. 17 (CON’T)
f. “personal information” – “a Massachusetts resident’s first name and last name
or first initial and last name in combination with any one or more of the
following data elements that relate to such resident: (a) Social Security number;
(b) driver’s license number or state-issued identification card number; or (c)
financial account number, or credit or debit card number, with or without any
required security code, access code, personal identification number or
password, that would permit access to a resident’s financial account.”
GRAMM-LEACH-BLILEY
a. Overseen by the FTC
i. Requires financial institutions (companies that offer consumers financial
products or services like loans, financial or investment advice, or insurance)
to explain their information-sharing practices to their customers and to
safeguard sensitive data.
b. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide
notice of their privacy policies and practices to their customers, and prohibits
financial institutions from disclosing non-public personal information about a
consumer to non-affiliated third parties, unless the institutions provide certain
information to the consumer and the consumer has not elected to opt out.
GRAMM-LEACH-BLILEY (CON’T)
c. The GLBA also requires financial institutions to protect the security
and confidentiality of their customers’ non-public personal
information.
d. Regulators (e.g., the Securities and Exchange Commission, the Office
of the Comptroller of the Currency, the Federal Reserve and the
Commodity Futures Trading Commission) have promulgated rules
under the GLBA.
HIPAA
a. The Health Insurance Portability and Accountability Act (HIPAA) regulates
medical information.
b. HIPAA Privacy Rule:
i. Requires appropriate safeguards to protect the privacy of “protected
health information” (PHI).
ii. Sets limits and conditions on the uses and disclosures that may be made
of such information without patient authorization.
c. Gives patients rights over their health information, including rights to
examine and obtain a copy of their health records, and to request
corrections.
HIPAA (CON’T)
d. HIPAA Security Rule requires appropriate administrative, physical
and technical safeguards to ensure the confidentiality, integrity, and
security of “electronic protected health information” (ePHI).
e. Privacy Rule and Security Rule are primarily enforced by the U.S.
Department of Health & Human Services Office for Civil Rights.
COPPA
a. Children’s Online Privacy Protection Act (administered by the FTC)
i. Requires parental consent for the collection or use of any personal
data for a child under 13 years old
ii. Requires posting of a privacy policy on the website
iii. Site operators must permit parental review of any data stored on
their child
iv. Parents are permitted to delete, but not otherwise alter, their
child’s data
FTC ACT
a. Section 5(a) of the FTC Act prohibits “unfair methods of competition
in or affecting commerce, and unfair or deceptive acts or practices in
or affecting commerce.”
b. Under Section 5(n) of FTC Act, the Federal Trade Commission (FTC)
may prohibit an act or practice on the grounds that it is “unfair,” if it
causes (or is likely to cause) substantial injury to consumers that is:
i. Not reasonably avoidable by consumers themselves and
ii. Not outweighed by countervailing benefits to consumers or to
competition.
FTC ACT (CON’T)
c. “unfair” if: a practice causes or is likely to cause substantial injury to consumers,
cannot be reasonably avoided by consumers, and it is not outweighed by
countervailing benefits to consumers or to competition
d. “deceptive” if: practice misleads, or is likely to mislead, consumers, consumers’
interpretation of it is reasonable under circumstances, and it is material
i. Examples of deceptive: violating published privacy policies, downloading
spyware or adware onto unsuspecting users’ computers, failing to verify
identity of persons to whom confidential consumer information was disclosed
ii. Examples of unfair: failing to implement reasonable safeguards to protect
privacy of consumer information
FTC ACT (CON’T)
e. FTC is the main federal regulator in charge of policing privacy and
cybersecurity practices among U.S. companies generally.
f. FTC pursues cases against companies for “unfair” or “deceptive”
practices, where the company allegedly had inadequate cybersecurity
practices, or overstated how comprehensive their privacy and
cybersecurity practices were.
g. Consent decrees and settlements often result in monetary damages,
and requirements that companies establish rigorous privacy and data
security practices (which would be overseen by the FTC).
CAN-SPAM ACT
a. The Controlling the Assault of Non-Solicited Pornography and
Marketing Act (CAN-SPAM Act) regulates emails that companies send
for primarily commercial purposes (e.g., advertisements).
b. Bans false or misleading header information and prohibits deceptive
subject lines.
c. Requires that unsolicited commercial email be identified as
advertising and allow recipients to opt out of receiving future emails.
d. FTC enforces the CAN-SPAM Act.
THE TELEPHONE CONSUMER
PROTECTION ACT (TCPA)
a. Restricts the making of telemarketing calls and the use of automatic
telephone dialing systems and artificial or pre-recorded voice
messages.
b. TCPA creates a private right of action for consumers, and has been a
source of significant class action activity.
c. Federal Communications Commission (FCC) and state attorneys
general enforce the TCPA.
THE FAIR CREDIT REPORTING ACT (AS
AMENDED BY THE FAIR AND ACCURATE
CREDIT TRANSACTIONS ACT) APPLIES
TO:
a. Consumer reporting agencies (e.g., Equifax, Experian and
TransUnion);
b. Companies that use consumer reports (e.g., lenders); and
c. Companies that provide consumer reporting information (e.g., credit
card companies).
STATE LEVEL DATA BREACH LAWS
a. All 50 states, the District of Columbia, and some U.S. territories have
their own data breach notification laws
b. These laws generally require notification of affected individuals and
regulators when a company suffers a breach of the security of an
individual’s personally identifiable information (PII).
c. If a company suffers a data breach involving the PII of customers or
employees who are resident in multiple states, it will need to comply
with each applicable state’s laws.
WHAT IS A DATA BREACH? (THAT MAY
TRIGGER STATE NOTIFICATION LAWS)
a. Unauthorized acquisition of PII that compromises the security,
confidentiality or integrity of PII…
i. That results or could result in identity theft or fraud (OH)
ii. Unless PII is not used or subject to further unauthorized
disclosure (NE)
iii. Unless no misuse of PII has occurred or is not reasonably likely to
occur (NJ)
iv. Unless no reasonable likelihood of harm to consumer whose PII
was acquired has resulted or will result (CT)
WHAT IS A DATA BREACH? (THAT MAY
TRIGGER STATE NOTIFICATION LAWS)
(CON’T)
b. Unauthorized acquisition of PII that compromises the security,
confidentiality or integrity of PII…
i. That has caused or is likely to cause loss or injury to resident (MI)
ii. That causes or is reasonably likely to cause substantial economic
loss to the individual (AZ)
iii. Unless no reasonable likelihood of financial harm to consumer
whose PII was acquired has resulted or will result (IA)
WHY WE SHOULD BE CAREFUL WITH
THE WORD “BREACH”
a. Using “breach” to describe a data-privacy related incident assumes the
incident meets the definition of a security breach which triggers
various notification requirements
b. An “incident” does not always rise to the level of “breach” (i.e.,
encryption safe harbor)
c. “Incident” is better received by the public than “breach”
BREACH NOTIFICATION LAWS
a. State laws differ with respect to:
i. Deadline for notifying (14, 30, 45 days; reasonable time)
ii. Notification to Attorney General
iii. Notification to other State agencies
iv. Including Attorney General contact information
v. Substitute notice (email, website, media)
vi. Specific facts of incident and type of PII compromised
vii. Maintaining records of incident (for 3-5 years)
viii. Countries also differ with notice requirements
ABOUT THE FACULTY
Kathryn Nadro – knadro@sfgh.com
Kathryn (“Katie”) Nadro advises clients on a diverse array of business matters, including
commercial and business disputes, employment issues, and data security and privacy compliance.
Katie works with individuals and businesses of all sizes to craft successful resolutions tailored to
each individual matter.
Katie has broad experience representing companies and individuals in contract, non-compete,
discrimination, harassment, fiduciary duty, and trade secret litigation in state and federal court.
With a background as both in-house and outside counsel, Katie understands that business
objectives, time, and resources play an important role in reaching a favorable outcome for each
client. Katie assists clients in navigating employment issues ranging from employee handbooks and
FMLA policies to litigating discrimination and harassment claims, all while ensuring business needs
and objectives are met. She also counsels clients on data security and privacy issues, including
policy drafting and compliance with state, federal, and international law.
Daniel Farris – Daniel.Farris@KLGates.com
Daniel is Chair of the firm’s Technology Group, and focuses his practice on technology, privacy, data security, and
infrastructure matters. Daniel understands how technology enables a company’s operations and creates competitive
advantage, and he appreciates the central role data plays in driving strategic decision-making. His practice is founded
upon understanding how technology can strengthen and expand upon the core missions of his clients’ businesses.
Daniel is a trusted adviser to technology and telecommunication companies, healthcare providers, financial
institutions, national retail and apparel companies, and manufacturing clients, as well as startup, embryonic and
emerging growth companies. As a former software engineer and network administrator, Daniel brings real-world
experience to bear in counseling on a wide range of issues, including fiber optic networking, cloud computing, mobile
app development, information management, privacy, and data security. He also regularly advises and represents
clients on “traditional” intellectual property matters, including patent protection and enforcement, inbound/outbound
licensing, trademark prosecution, brand extension, digital rights management, and large transactions, such as mergers
and acquisitions. Daniel has experience in four primary areas: Technology Transactions, Privacy & Data Security, Data
Center & Infrastructure, and Intellectual Property and Corporate. Before joining Fox Rothschild, Daniel was a
shareholder at an Am Law 100 firm, where he co-chaired the Data Center & Infrastructure and Data Privacy & Security
teams and served on the Startup Ventures team. Daniel previously worked as an associate in the Chicago offices of two
international law firms. Daniel is a former software engineer and network administrator in telecommunications.
Cassandra Porter – Cassandra.Porter@cognizant.com
Cassandra M. Porter is the Americas/APAC data privacy lead attorney for a Fortune 100 Tech company working to
transform clients’ businesses, operations and technology models for the digital era. She counsels internal clients on
privacy-related matters such as data collection practices, online advertising, mobile commerce, along with the
development and acquisition of new technology, data incidents and management. Cassandra is a member of the
inaugural class of Privacy Law Specialists, a new specialty recognized by the American Bar Association, and a Fellow of
Information Privacy by the International Association of Privacy Professionals (IAPP). Her IAPP credentials as a
Certified Information Privacy Professional and Certified Information Privacy Manager designate her as a thought leader
in the field. She is a former co-chair of the IAPP’s New Jersey Chapter and member of the Bankruptcy Lawyers
Advisory Committee for the District of New Jersey. As a member of the United States Trustee’s Consumer Privacy
Ombudsman (CPO) panel, she served as the CPO in the Golfsmith International chapter 11 cases. Previously she was
counsel at Lowenstein Sandler LLP where, in addition to assisting clients with data privacy-related issues, she also
regularly represented debtors in possession and creditors in chapter 11 matters along with indigents in chapter 7
proceedings in association with the Volunteer Lawyers for Justice. Prior to joining Lowenstein, she clerked for the
Honorable Cecelia Morris, United States Bankruptcy Judge for the Southern District of New York and was the
Assistant Managing Attorney at Kaye Scholer LLP. Before practicing law, she built a foundation for her career in data
privacy as a senior reference librarian and acquired a master’s degree from Pratt Institute. Cassandra obtained her law
degree from Brooklyn Law School and a certificate in Pharmaceutical & Medical Device Law from Seton Hall
University Law School.
To read more, go to https://www.financialpoise.com/financialpoisewebinars/faculty/cassandra-m-porter/
Alexander Bilus – alexander.bilus@saul.com
Alexander (Sandy) R. Bilus assists clients who are facing complex commercial litigation or who need legal advice on
issues involving cybersecurity and data privacy, particularly in the higher education and financial services industries.
Sandy’s litigation experience includes arguing cases before the U.S. Court of Appeals for the Third Circuit and assisting
with cases before the U.S. Supreme Court and the Supreme Court of Pennsylvania. His cybersecurity and data privacy
experience includes responding to potential data breaches and providing advice on compliance with the European
Union’s General Data Protection Regulation (GDPR). The International Association of Privacy Professionals recognizes
Sandy as a Certified Information Privacy Professional (CIPP/US). Sandy’s work for institutions of higher education
includes providing advice and conducting internal investigations connected to their compliance concerns, as well as
responding to private lawsuits and government enforcement activity. He also counsels colleges and universities on
cybersecurity and data privacy matters. Because of the depth of his experience representing higher education
institutions, he understands the unique challenges that this industry faces, from planning for cyber-attacks and data
breaches, to managing these crises, to proceeding after one or both occur. Sandy also advises clients on First
Amendment and defamation matters. Through his work with the American Civil Liberties Union of Pennsylvania,
Sandy has represented clients bringing First Amendment and other constitutional claims. He also represented on a pro
bono basis a group of same-sex couples who brought a constitutional challenge to Pennsylvania’s ban on same-sex
marriage. Before joining Saul Ewing Arnstein & Lehr, he practiced for six years at an international law firm in
Philadelphia and worked as a law clerk for two federal judges.
QUESTIONS OR COMMENTS?
If you have any questions about this webinar that you did not get to ask during
the live premiere, or if you are watching this webinar On Demand, please do
not hesitate to email us at info@financialpoise.com with any questions or
comments you may have. Please include the name of the webinar in your email
and we will do our best to provide a timely response.
IMPORTANT NOTE: The material in this presentation is for general educational purposes only. It has been prepared primarily
for attorneys and accountants for use in the pursuit of their continuing legal education and continuing professional education.
ABOUT FINANCIAL POISE
DailyDAC LLC, d/b/a Financial Poise™ provides
continuing education to attorneys, accountants,
business owners and executives, and investors. Its
websites, webinars, and books provide Plain
English, entertaining explanations about legal,
financial, and other subjects of interest to these
audiences.
Visit us at www.financialpoise.com.
Our free weekly newsletter, Financial Poise
Weekly, educates readers about business,
business law, finance, and investing. To receive
it simply add yourself by going to:
https://www.financialpoise.com/newsletter/
Email addresses are never sold to or shared
with third parties.

Introduction to US Privacy and Data Security: Regulations and Requirements (Series: Cybersecurity & Data Privacy)

  • 1. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe 1
  • 2. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe Practical and entertaining education for attorneys, accountants, business owners and executives, and investors. 2
  • 3. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe DISCLAIMER The material in this webinar is for informational purposes only. It should not be considered legal, financial or other professional advice. You should consult with an attorney or other appropriate professional to determine what may be best for your individual needs. While Financial Poise™ takes reasonable steps to ensure the information it publishes is accurate, Financial Poise™ makes no guaranty in this regard. About this PowerPoint: if you are looking at this PowerPoint without the benefit of listening to the conversation that surrounded it then you are doing yourself a disservice. This PowerPoint was prepared in contemplation of being viewed in conjunction with listening to a one hour webinar on the topic 3
  • 4. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe MEET THE FACULTY Moderator: Kathryn Nadro – Sugar Felsenthal Grais & Helsinger LLP Panelists: Daniel Farris – K&L Gates LLP Cassandra Porter – Cognizant Technology Solutions Alexander Bilus – Saul Ewing Arnstein & Lehr, LLP 4
  • 5. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe ABOUT THIS WEBINAR: Introduction to US Privacy and Data Security: Regulations and Requirements There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries. This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws. 5
  • 6. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe ABOUT THIS SERIES: Cybersecurity & Data Privacy 2019 Data security, data privacy, and cybersecurity are critical issues for your company to consider in today’s business landscape. Data breaches from high profile companies, including law firms, generate worldwide headlines and can severely damage your business’s reputation. In certain industries, a patchwork of state and federal laws and regulations may cover your business, leading to compliance headaches. This series explores the various laws and regulations which govern businesses both in the US and abroad, as well as how to implement and enforce an information security policy to protect your company and limit any damage from a data breach. 6
  • 7. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe EPISODES IN THIS SERIES 9/24/19 Episode #1: Introduction to US Privacy and Data Security: Regulations and Requirements 10/22/19 Episode #2: Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance 11/19/19 Episode #3: How to Build and Implement your Company's Information Security Program 12/17/19 Episode #4: Data Breach Response: Before and After the Breach 7 Dates shown are premiere dates. All webinars will be available On Demand approximately 4 weeks after they premiere.
  • 8. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe Episode #1: Introduction to US Privacy and Data Security: Regulations and Requirements 8
  • 9. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe WHAT IS DATA SECURITY? a. Confidentiality, availability, and integrity of data b. All the practices and processes used to protect data from being used or accessed by unauthorized individuals c. How a company safeguards the data it collects and uses from threats 9
  • 10. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe WHAT IS DATA PRIVACY? a. The appropriate use of data, including the use of data according to agreed purposes b. How a company uses the data that it has collected 10
  • 11. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe WHAT IS PERSONAL INFORMATION? a. “personally identifiable information” sometimes called “PII” i. Can be linked to a specific individual ii. Name, email, full postal address, birth date, SSN, driver’s license number, account numbers b. “non-personally identifiable information” i. Cannot by itself be used to identify a specific individual ii. Aggregate data, zip code, area code, city, state, gender, age 11
  • 12. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe WHAT IS PERSONAL INFORMATION? (CON’T) c. Gray area – “anonymized” data i. Non-PII that, when linked with other data, can effectively identify a person ii. Geolocation data iii. Site history and viewing patterns from IP address iv. Note: recent rollback of privacy regulation with the FCC? 12
  • 13. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe WHY DO WE NEED TO PROTECT IT? a. Data is a corporate asset b. Corporate data is at a higher risk of theft or misuse than ever before c. Consumers now expect companies to take initiative to protect both security and privacy 13
  • 14. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe WHAT MUST COMPANIES DO TO PROTECT IT? a. Compliance with state, local, federal laws and regulations i. Patchwork of laws developed by sector ii. Contrast to Europe, which has a centralized, uniform law iii. Makes it difficult to comply when multiple, possibly inconsistent laws apply b. Contracts with third parties 14
  • 15. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe WHAT MUST COMPANIES DO TO PROTECT IT? (CON’T) c. Privacy policies for website users i. Don’t need one if: website is static, is purely B2B, and collects no PII from consumers ii. Should cover: 1. Actual practices for PII and information that reasonably could be associated with a person or device, regarding collection, storage, use, and sharing of info iii. Be aware of: financial information, medical information, children’s information d. Privacy audits: i. Run them periodically to review and assess policies and practice for data 15
  • 16. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe WHAT MUST COMPANIES DO TO PROTECT IT? (CON’T) a. Your company may have more PII than you are aware of i. For example, if your company gives out commercial loans, it must comply with GLB ii. BUT: if you also take guarantees, then you have personal information such as account information, possibly life insurance information, mortgage information, etc. that must be secured iii. Have to think more creatively about what types of information you might be collecting 1. Credit card payments – have to secure that information 16
  • 17. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe CALIFORNIA CONSUMER PRIVACY ACT a. Effective January 1, 2020, companies will have to observe restrictions on data monetization business models, accommodate rights to access, deletion, and porting of personal data, and update privacy policies b. “Consumers” (defined as natural persons who are California residents) have the right to know what personal information a business has collected about them and what it is used for, the right to opt out of allowing a business to sell their personal information to third parties, the right to have a business delete personal information, and the right to receive equal servicing and pricing from a business even if they exercise their privacy rights under the Act. 17
  • 18. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe CALIFORNIA CONSUMER PRIVACY ACT (CON’T) c. “personal information” is “any information that…relates to…a particular consumer or household” i. Information about a household may include information like utility bills or pricing d. Companies must comply if they receive personal data from California residents and they or their parent company or a subsidiary exceed (a) annual gross revenues of $25 million, (b) obtains personal information of 50,000 or more California residents, households or devices annually, or (c) 50 percent or more annual revenue from selling California residents’ personal information. 18
  • 19. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe CALIFORNIA CONSUMER PRIVACY ACT (CON’T) e. The Act provides a private right of action that allows consumers to seek, either individually or as a class, statutory or actual damages and injunctive relief, if their sensitive personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s failure to implement and maintain reasonable security measures i. Statutory damages can be between $100 and $750 per California resident per incident, or actual damages, whichever is greater 19
  • 20. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe MASSACHUSETTS STANDARDS – 201 C.M.R. 17 a. 2010 law – most protective privacy law in the US at that time b. Requires every business that licenses or owns personal information of Massachusetts residents to comply with the minimum security standards set forth in the regulation c. Considered the gold standard d. Require, when technically feasible, the encryption of personal information stored on portable devices and personal information transmitted across public networks or wirelessly 20
  • 21. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe MASSACHUSETTS STANDARDS – 201 C.M.R. 17 (CON’T) e. Requires any natural person or entity that owns or licenses information of a Mass. Resident to implement a written information security program (“WISP”) with appropriate administrative, technical, and physical safeguards i. Standards must be consistent with those set forth in state and federal regulations to which a business is subject, including data breach notification laws, HIPAA, and the Gramm-Leach-Bliley Act 21
  • 22. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe MASSACHUSETTS STANDARDS – 201 C.M.R. 17 (CON’T) f. “personal information” – “a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.” 22
  • 23. Copyright © 2019 by DailyDAC, LLC d/b/a Financial Poise Webinars™ Receive our free weekly newsletter at www.financialpoise.com/subscribe GRAMM-LEACH-BLILEY a. Overseen by the FTC i. Requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) – to explain their information-sharing practices to their customers and to safeguard sensitive data. b. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide notice of their privacy policies and practices to their customers, and prohibits financial institutions from disclosing non-public personal information about a consumer to non-affiliated third parties, unless the institutions provide certain information to the consumer and the consumer has not elected to opt out. 23
  • 24. GRAMM-LEACH-BLILEY (CON’T) c. The GLBA also requires financial institutions to protect the security and confidentiality of their customers’ non-public personal information. d. Regulators (e.g., the Securities and Exchange Commission, the Office of the Comptroller of the Currency, the Federal Reserve and the Commodity Futures Trading Commission) have promulgated rules under the GLBA.
  • 25. HIPAA a. The Health Insurance Portability and Accountability Act (HIPAA) regulates medical information. b. HIPAA Privacy Rule: i. Requires appropriate safeguards to protect the privacy of “protected health information” (PHI). ii. Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. c. Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
  • 26. HIPAA (CON’T) d. HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of “electronic protected health information” (ePHI). e. Privacy Rule and Security Rule are primarily enforced by the U.S. Department of Health & Human Services Office for Civil Rights.
  • 27. COPPA a. Children’s Online Privacy Protection Act (administered by the FTC) i. Requires parental consent for the collection or use of any personal data for a child under 13 years old ii. Requires posting of a privacy policy on the website iii. Site operators must permit parental review of any data stored on their child iv. Parents are permitted to delete, but not otherwise alter, their child’s data
  • 28. FTC ACT a. Section 5(a) of the FTC Act prohibits “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” b. Under Section 5(n) of FTC Act, the Federal Trade Commission (FTC) may prohibit an act or practice on the grounds that it is “unfair,” if it causes (or is likely to cause) substantial injury to consumers that is: i. Not reasonably avoidable by consumers themselves and ii. Not outweighed by countervailing benefits to consumers or to competition.
  • 29. FTC ACT (CON’T) c. “unfair” if: a practice causes or is likely to cause substantial injury to consumers, cannot be reasonably avoided by consumers, and it is not outweighed by countervailing benefits to consumers or to competition d. “deceptive” if: practice misleads, or is likely to mislead, consumers, consumers’ interpretation of it is reasonable under circumstances, and it is material i. Examples of deceptive: violating published privacy policies, downloading spyware or adware onto unsuspecting users’ computers, failing to verify identity of persons to whom confidential consumer information was disclosed ii. Examples of unfair: failing to implement reasonable safeguards to protect privacy of consumer information
  • 30. FTC ACT (CON’T) e. FTC is the main federal regulator in charge of policing privacy and cybersecurity practices among U.S. companies generally. f. FTC pursues cases against companies for “unfair” or “deceptive” practices, where the company allegedly had inadequate cybersecurity practices, or overstated how comprehensive their privacy and cybersecurity practices were. g. Consent decrees and settlements often result in monetary damages, and requirements that companies establish rigorous privacy and data security practices (which would be overseen by the FTC).
  • 31. CAN-SPAM ACT a. The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) regulates emails that companies send for primarily commercial purposes (e.g., advertisements). b. Bans false or misleading header information and prohibits deceptive subject lines. c. Requires that unsolicited commercial email be identified as advertising and allow recipients to opt out of receiving future emails. d. FTC enforces the CAN-SPAM Act.
  • 32. THE TELEPHONE CONSUMER PROTECTION ACT (TCPA) a. Restricts the making of telemarketing calls and the use of automatic telephone dialing systems and artificial or pre-recorded voice messages. b. TCPA creates a private right of action for consumers, and has been a source of significant class action activity. c. Federal Communications Commission (FCC) and state attorneys general enforce the TCPA.
  • 33. THE FAIR CREDIT REPORTING ACT (AS AMENDED BY THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT) APPLIES TO: a. Consumer reporting agencies (e.g., Equifax, Experian and TransUnion); b. Companies that use consumer reports (e.g., lenders); and c. Companies that provide consumer reporting information (e.g., credit card companies).
  • 34. STATE LEVEL DATA BREACH LAWS a. All 50 states, the District of Columbia, and some U.S. territories have their own data breach notification laws. b. These laws generally require notification of affected individuals and regulators when a company suffers a breach of the security of an individual’s personally identifiable information (PII). c. If a company suffers a data breach involving the PII of customers or employees who are resident in multiple states, it will need to comply with each applicable state’s laws.
  • 35. WHAT IS A DATA BREACH? (THAT MAY TRIGGER STATE NOTIFICATION LAWS) a. Unauthorized acquisition of PII that compromises the security, confidentiality or integrity of PII… i. That results or could result in identity theft or fraud (OH) ii. Unless PII is not used or subject to further unauthorized disclosure (NE) iii. Unless no misuse of PII has occurred or is not reasonably likely to occur (NJ) iv. Unless no reasonable likelihood of harm to consumer whose PII was acquired has resulted or will result (CT)
  • 36. WHAT IS A DATA BREACH? (THAT MAY TRIGGER STATE NOTIFICATION LAWS) (CON’T) b. Unauthorized acquisition of PII that compromises the security, confidentiality or integrity of PII… i. That has caused or is likely to cause loss or injury to resident (MI) ii. That causes or is reasonably likely to cause substantial economic loss to the individual (AZ) iii. Unless no reasonable likelihood of financial harm to consumer whose PII was acquired has resulted or will result (IA)
  • 37. WHY WE SHOULD BE CAREFUL WITH THE WORD “BREACH” a. Using “breach” to describe a data-privacy related incident assumes the incident meets the definition of a security breach which triggers various notification requirements b. An “incident” does not always rise to the level of “breach” (i.e., encryption safe harbor) c. “Incident” is better received by the public than “breach”
  • 38. BREACH NOTIFICATION LAWS a. State laws differ with respect to: i. Deadline for notifying (14, 30, 45 days; reasonable time) ii. Notification to Attorney General iii. Notification to other State agencies iv. Including Attorney General contact information v. Substitute notice (email, website, media) vi. Specific facts of incident and type of PII compromised vii. Maintaining records of incident (for 3-5 years) viii. Countries also differ with notice requirements
  • 39. ABOUT THE FACULTY
  • 40. Kathryn Nadro – knadro@sfgh.com Kathryn (“Katie”) Nadro advises clients on a diverse array of business matters, including commercial and business disputes, employment issues, and data security and privacy compliance. Katie works with individuals and businesses of all sizes to craft successful resolutions tailored to each individual matter. Katie has broad experience representing companies and individuals in contract, non-compete, discrimination, harassment, fiduciary duty, and trade secret litigation in state and federal court. With a background as both in-house and outside counsel, Katie understands that business objectives, time, and resources play an important role in reaching a favorable outcome for each client. Katie assists clients in navigating employment issues ranging from employee handbooks and FMLA policies to litigating discrimination and harassment claims, all while ensuring business needs and objectives are met. She also counsels clients on data security and privacy issues, including policy drafting and compliance with state, federal, and international law.
  • 41. Daniel Farris – Daniel.Farris@KLGates.com Daniel is Chair of the firm’s Technology Group, and focuses his practice on technology, privacy, data security, and infrastructure matters. Daniel understands how technology enables a company’s operations and creates competitive advantage, and he appreciates the central role data plays in driving strategic decision-making. His practice is founded upon understanding how technology can strengthen and expand upon the core missions of his clients’ businesses. Daniel is a trusted adviser to technology and telecommunication companies, healthcare providers, financial institutions, national retail and apparel companies, and manufacturing clients, as well as startup, embryonic and emerging growth companies. As a former software engineer and network administrator, Daniel brings real-world experience to bear in counseling on a wide range of issues, including fiber optic networking, cloud computing, mobile app development, information management, privacy, and data security. He also regularly advises and represents clients on “traditional” intellectual property matters, including patent protection and enforcement, inbound/outbound licensing, trademark prosecution, brand extension, digital rights management, and large transactions, such as mergers and acquisitions. Daniel has experience in four primary areas: Technology Transactions, Privacy & Data Security, Data Center & Infrastructure, and Intellectual Property and Corporate. Before joining Fox Rothschild, Daniel was a shareholder at an Am Law 100 firm, where he co-chaired the Data Center & Infrastructure and Data Privacy & Security teams and served on the Startup Ventures team. Daniel previously worked as an associate in the Chicago offices of two international law firms.
Daniel is a former software engineer and network administrator in telecommunications.
  • 42. Cassandra Porter – Cassandra.Porter@cognizant.com Cassandra M. Porter is the Americas/APAC data privacy lead attorney for a Fortune 100 Tech company working to transform clients’ businesses, operations and technology models for the digital era. She counsels internal clients on privacy-related matters such as data collection practices, online advertising, mobile commerce, along with the development and acquisition of new technology, data incidents and management. Cassandra is a member of the inaugural class of Privacy Law Specialists, a new specialty recognized by the American Bar Association, and a Fellow of Information Privacy by the International Association of Privacy Professionals (IAPP). Her IAPP credentials as a Certified Information Privacy Professional and Certified Information Privacy Manager designate her as a thought leader in the field. She is a former co-chair of the IAPP’s New Jersey Chapter and member of the Bankruptcy Lawyers Advisory Committee for the District of New Jersey. As a member of the United States Trustee’s Consumer Privacy Ombudsman (CPO) panel, she served as the CPO in the Golfsmith International chapter 11 cases. Previously she was counsel at Lowenstein Sandler LLP where, in addition to assisting clients with data privacy-related issues, she also regularly represented debtors in possession and creditors in chapter 11 matters along with indigents in chapter 7 proceedings in association with the Volunteer Lawyers for Justice. Prior to joining Lowenstein, she clerked for the Honorable Cecelia Morris, United States Bankruptcy Judge for the Southern District of New York and was the Assistant Managing Attorney at Kaye Scholer LLP. Before practicing law, she built a foundation for her career in data privacy as a senior reference librarian and acquired a master’s degree from Pratt Institute.
Cassandra obtained her law degree from Brooklyn Law School and a certificate in Pharmaceutical & Medical Device Law from Seton Hall University Law School. To read more, go to https://www.financialpoise.com/financialpoisewebinars/faculty/cassandra-m-porter/
  • 43. Alexander Bilus – alexander.bilus@saul.com Alexander (Sandy) R. Bilus assists clients who are facing complex commercial litigation or who need legal advice on issues involving cybersecurity and data privacy, particularly in the higher education and financial services industries. Sandy’s litigation experience includes arguing cases before the U.S. Court of Appeals for the Third Circuit and assisting with cases before the U.S. Supreme Court and the Supreme Court of Pennsylvania. His cybersecurity and data privacy experience includes responding to potential data breaches and providing advice on compliance with the European Union’s General Data Protection Regulation (GDPR). The International Association of Privacy Professionals recognizes Sandy as a Certified Information Privacy Professional (CIPP/US). Sandy’s work for institutions of higher education includes providing advice and conducting internal investigations connected to their compliance concerns, as well as responding to private lawsuits and government enforcement activity. He also counsels colleges and universities on cybersecurity and data privacy matters. Because of the depth of his experience representing higher education institutions, he understands the unique challenges that this industry faces, from planning for cyber-attacks and data breaches, to managing these crises, to proceeding after one or both occur. Sandy also advises clients on First Amendment and defamation matters. Through his work with the American Civil Liberties Union of Pennsylvania, Sandy has represented clients bringing First Amendment and other constitutional claims. He also represented on a pro bono basis a group of same-sex couples who brought a constitutional challenge to Pennsylvania’s ban on same-sex marriage.
Before joining Saul Ewing Arnstein & Lehr, he practiced for six years at an international law firm in Philadelphia and worked as a law clerk for two federal judges.
  • 44. QUESTIONS OR COMMENTS? If you have any questions about this webinar that you did not get to ask during the live premiere, or if you are watching this webinar On Demand, please do not hesitate to email us at info@financialpoise.com with any questions or comments you may have. Please include the name of the webinar in your email and we will do our best to provide a timely response. IMPORTANT NOTE: The material in this presentation is for general educational purposes only. It has been prepared primarily for attorneys and accountants for use in the pursuit of their continuing legal education and continuing professional education.
  • 45. ABOUT FINANCIAL POISE DailyDAC LLC, d/b/a Financial Poise™ provides continuing education to attorneys, accountants, business owners and executives, and investors. Its websites, webinars, and books provide plain-English, entertaining explanations about legal, financial, and other subjects of interest to these audiences. Visit us at www.financialpoise.com. Our free weekly newsletter, Financial Poise Weekly, educates readers about business, business law, finance, and investing. To receive it simply add yourself by going to: https://www.financialpoise.com/newsletter/ Email addresses are never sold to or shared with third parties.