Slide 1

Technology Law: Regulations on the Internet and Emerging Technologies Heather L. Buchta Quarles & Brady LLP September 4, 2014

Slide 2

Agenda
- Regulatory Environment
- Contractual Issues

Slide 3

Regulatory Environment – Speed of Regulation
Comparison over the last 10 years

Slide 4

State in 2003
- E-contracting
- Cybercrime/hacking

Slide 5

Current State
Personal Information
- Federal: FTC Act, COPPA, CAN-SPAM, TCPA, FERPA
- State: Breach Notification, Point of Sale Collection, State Consumer Protection, Security Obligations
Health Information
- Federal: HIPAA, HITECH, Health Breach Notification Rule, GINA
- State: HIPAA-like statutes
Financial Information
- Federal: GLB, FCRA, FACTA
- State: GLB-like statutes
Employee Information
- Federal: ERISA, FMLA, Whistleblower Protection Act
- State: Contract law

Slide 6

Regulatory Environment – Background
Terminology: Data Privacy, Data Security, Cybersecurity, Co-Lo, Cloud
Legal Framework: Sectoral vs. Comprehensive

Slide 7

A Bit of Historical Context… Not actually a new topic
- Warren and Brandeis, "The Right to Privacy" – 1890
- Prosser – 1960
- Fair Information Practices – 1973
- OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data – 1980
- Council of Europe Convention 108 – 1981
- EU Data Protection Directive – 1995
- APEC Privacy Framework – 2004

Slide 8

Regulatory Environment – Disclaimer
Data Privacy and Protection:
- Health Care
- Financial
- Labor & Employment
- Trade Secrets
- Internet of Things
- BYOD
Other Regulations:
- Online contracting
- All other offline business regulations – FCC, FTC, etc.

Slide 9

Regulatory Environment – Understand Applicable Obligations
- Geographic source of the data
- What kind of data – defined by states and/or statutes:
  - Personally Identifiable Information (PII)
  - Nonpublic Personal Information (NPI)
  - Protected Health Information (PHI)
- Types of obligations: Privacy, Security

Slide 10

Regulatory Environment – Understand Applicable Obligations: Personal Information (Federal)
- FTC: Section 5 of the FTC Act, Telemarketing Sales Rule, COPPA, CAN-SPAM
- FCC: Telephone Consumer Protection Act
- USDOE: FERPA
- Electronic Communications Privacy Act

Slide 11

Regulatory Environment – New Bills
- Location Privacy Protection Act of 2014, S.2171, Sen. Franken, March 27, 2014
- Personal Data Privacy and Security Act of 2014, S.1897, Sen. Leahy, January 8, 2014
- Data Security Act of 2014, S.1927, Sen. Carper, January 15, 2014
- Commercial Privacy Bill of Rights of 2014, S.2378, Sen. Menendez, May 21, 2014
Other Initiatives
- Do Not Track movement
- Big Data: Seizing Opportunity, Preserving Value, May 2014, Executive Office of the President

Slide 12

Regulatory Environment – Understand Applicable Obligations: Personal Information (State)
- Security Breach Notification Statutes
- Point of Sale Collection
- Security Obligations – MA 201 CMR 17.00, Nev. NRS 603A.215
- State Consumer Protection Laws
- FERPA-like statutes
- ECPA-like statutes
- California: CalOPPA, Bus. & Prof. Code 22575-22579; Shine the Light, Cal. Civ. Code 1798.83; CALCOPPA, S.B. 568

Slide 13

Regulatory Environment – Understand Applicable Obligations: Health Information
- HIPAA/HITECH – OCR of HHS
  - LabMD – overlapping jurisdiction with the FTC
  - State Attorneys General
- Health Breach Notification Rule – FTC
- GINA – EEOC
- States also have similar legislation

Slide 14

Regulatory Environment – Understand Applicable Obligations: Financial Information
- GLB
  - Privacy Rule – FTC and CFPB
  - Safeguards Rule – FTC and CFPB
  - Banking Regulators
- FCRA – FTC, CFPB and State Attorneys General
- FACTA – FTC, CFPB and State Attorneys General
  - Red Flags Rule
- Some states have similar legislation

Slide 15

Regulatory Environment – Understand Applicable Obligations: Employee Information
- ADA
- HIPAA
- State-specific rules – social media
- Employee Handbooks
- Union Agreements/Collective Bargaining Agreements

Slide 16

Regulatory Environment – Understand Applicable Obligations: International
- EU Directives – Personal Information and Cookie
  - DPAs
  - Works Councils
- Canada: PIPEDA, CASL
- Australia: Privacy Amendment Act 2012

Slide 17

Regulatory Environment – Other Sources of Obligation
- Credit Card Data: PCI DSS v3; Nevada NRS 603A.215; Minnesota 325E.64
- Online Tracking: Digital Advertising Alliance; OBA and retargeting
- NIST: Media Sanitization; Cybersecurity Framework
- NERC
- Contractual obligations and self-imposed obligations

Slide 18

Regulatory Environment – Security Audit
"systematic, measurable technical assessment of how the organization's security policy is employed at a specific site" (Symantec 2003)
The legal standard is typically "appropriate" and "reasonable" security.
What is involved?
- Personal interviews
- Vulnerability scans and penetration testing (a scan enumerates known weaknesses; a pen-test attempts to exploit them, so the two are not the same deliverable)
- Examination of operating system settings
- Analysis of network shares and other data
Go to the experts: find the right vendor and set the parameters (scope, systems in play, rules of engagement) up front.

Slide 19

Regulatory Environment – WISP (Written Information Security Program)
- Consider insurance options
- Identify key team members: Key Executives; Compliance – CISO?; Legal; Marketing/HR; PR; IT/Forensics; Incident Response Vendor?
- Incident Response Plan
- Tabletop Exercises

Slide 20

Regulatory Environment – Internal Privacy Program
- Data Retention Schedule
- Regularly Review

Slide 21

Why Do We Care – The Regulators are Coming…
- FTC
- State Attorneys General
And they are bringing bad press, fines and enforcement orders.

Slide 22

Why Do We Care – Corporate Governance Issues
- SEC Investigations
- Officer Liability
- Have to Stay Informed
  - NACD White Paper – Cybersecurity: Boardroom Implications (2014)
  - SEC Cybersecurity Roundtable Transcript, 3/28/14, available at www.sec.gov

Slide 23

Why Do We Care – Valuation
- Reputational Value
- Corporate Deals – M&A
  - High-profile deals: WhatsApp, Moves, Nest
- Impacting the Bottom Line
- Restricting Ability to Transfer

Slide 24

Why Do We Care – Vendor Relationships
- Implicates both privacy and security
- Outsourcing does not mean relinquishing obligations or liability
- Must do due diligence
- Appropriate contractual provisions
- Maintain a level of control and knowledge of the vendor's activities

Slide 25

Why Do We Care – Where It Shows Up
- Mobile App Development: Privacy by Design
- Hosting Facilities: Security Requirements; Breach Notifications
- SaaS: Data Ownership/Access/Return; Data Usage
- Marketing: Retargeting; OBA

Slide 26

Why Do We Care – Ask Questions
Then ask more questions, which will lead to more questions.
Must understand the data flows, retention, sharing and usage.

Slide 27

Why Do We Care – Key Provisions to Consider
- Audit Rights
- Security Audit Reports – SSAE16/ISAE3402
- Disaster Recovery/Business Continuity
- Compliance with Laws
- Ownership/Usage/Destruction
- Indemnities
- Warranties
- Exclusions to Limitations of Liability
- Insurance

Slide 28

Why Do We Care
- Responsibility for a breach of security is a function of who controls the data.
- Liability for a breach of security is a function of the contract.
- Compliance with laws may be a domestic and/or foreign matter.

Slide 29

Other Considerations
- IP law trailing the technology evolution of the Cloud
- Trade Secrets and the Cloud may be incompatible
- Potential third-party disclosures: US PATRIOT Act
- Evolving licensing models
- Potential data location issues
- Legacy software and systems issues

Slide 30

Other Considerations – Ownership of Data
- Preservation of Data
  - Preservation may be easier on the cloud… or not
  - Courts may not distinguish servers in the cloud
  - Physical location of data may be unknown
- Compliance with e-discovery and litigation holds
  - Spoliation
- Data Integrity: must be free from corruption

Slide 31

Other Considerations – Determine Accountability for Data Preservation
- Who is liable for stolen data?
- What does indemnification cover?
- What happens in bankruptcy?
- What notice is provided for a security breach?
- What happens if you lose the co-lo contract or lose the lease?

Slide 32

Other Considerations – Intellectual Property
- Whose software?
- Whose network?
- Ownership: customizations or configurations; works made for hire
- The same contractual provisions come into play – now from an IP perspective

Slide 33

Other Considerations
- Service Levels
- Online contracting – Enforceability
  - Notice: conspicuous
  - Choice: meaningful
  - Contract of Adhesion

Slide 34

Questions??? Thank you for your partnership!