BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG LONDON LOS ANGELES NEW YORK SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.

Twin Cities Privacy Retreat
15 January 2009 * Travelers Headquarters, St. Paul

Developments in US Data Security Law
OFII General Counsel Conference

Edward McNicholas

October 16, 2009

The Reality Facing Global Corporations

• Broad complexity and wide variety of national (and sub-national) privacy and data security laws complicate compliance

• Significant cultural – and legal – differences exist in the meaning and nuances of privacy and data protection

• Achieving compliance with overlapping federal, state, national, sub-national and multilateral rules is costly and distracting

• Enforcement has been sporadic, but it is increasing

• Trend towards stricter, more prescriptive laws, with more complexity and greater enforcement, appears likely

Federal Principles for Information Security

• Programs must not be deceptive or unfair

• Security programs must adapt to changing threats

• Security programs must be appropriate under the circumstances

• Breaches are not per se evidence of a violation

• Absence of a breach is not per se evidence of adequacy

Federal Innovations?

• Consumer Financial Protection Agency (CFPA)

– Administration has proposed the creation of a single primary federal consumer protection supervisor to protect consumers of credit, savings, payment, and other consumer financial products and services

– Would transfer some rulemaking and enforcement powers from the FTC and banking agencies

– FTC would still have “backup enforcement authority”

• Comprehensive federal security legislation?

– House Energy and Commerce Committee passed a data security bill that requires entities that hold personal information to adopt appropriate security measures and, if a breach occurs, to notify consumers.

FACTA Red Flags Rules

• Almost all businesses must now have a Board-approved “red flags” policy to help combat identity theft by responding to a laundry list of “red flags”

• The FTC and others promulgated these Identity Theft Red Flags Regulations pursuant to the Fair and Accurate Credit Transactions Act of 2003 (FACTA)

• The final rule was effective January 1, 2008.

• The FTC extended its deadline for enforcement to November 1, 2009.

Data Breach Statute Developments

• Data breach notification laws are becoming settled

– 45 states plus DC have breach notification requirements

– Some states also require reporting the data breach to certain state government agencies

– New federal breach notice requirements under HITECH

• Encryption remains a key issue

– It creates a safe harbor from the state data breach notice laws

– Nevada requires encryption for certain personal data in transit

• Numerous state laws also impose

– Affirmative data security requirements

– Data disposal restrictions

– SSN protections and restrictions on use

Other Implicated State Laws

• California Constitution (and some others) provides privacy right enforceable against private entities

• Little FTC Acts (also known as UDAP statutes)

• Privacy, Negligence, Defamation and Other Torts

– State tort laws protect against privacy invasions, negligence, misappropriation, defamatory speech, trespass to chattel, stalking, etc.

California Data Security Obligations

• California requires businesses to:

– “Implement and maintain reasonable security procedures and practices appropriate to the nature of the information”

– “Protect the personal information from unauthorized access, destruction, use, modification, or disclosure”

• Applies to computerized and non-computerized “personal information”

• Reasonableness remains the norm, but new Massachusetts regulations are significantly more prescriptive

Requirements Must Be Passed Through to Service Providers

“A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

Massachusetts Data Security Regulations

• Requires anyone that owns, licenses, stores or maintains a resident’s personal information to develop and implement a written comprehensive information security program to safeguard personal information of residents

– Requires specific controls including encryption in transmission and on portable media

• Personal information is defined as:

– first name or initial and last name, plus SSN, driver’s license number or other state-issued identification number, or credit or debit card number or other financial account number (with or without any required PIN or access code)

• Now effective March 1, 2010, but changes possible

• Office of Consumer Affairs and Business Regulation 201 CMR 17.00

Massachusetts Data Security Regulations

• Secure user authentication protocols

• Secure access control measures

• Encrypt personal information:

– in transmission over the Internet

– on all wireless transmissions

– on portable storage media

• Reasonable monitoring of systems, for unauthorized use of or access to personal information

• Reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information

• Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions

• Education and training of employees on the proper use of the computer security system and the importance of personal information security

Nevada Information Security Law

• Previously required encryption for transmission of specified personal information

• Nevada has amended its encryption law to include mobile storage devices holding personal information that move outside of the secured physical and logical boundaries of the covered entity

• Nevada also requires businesses that accept credit or debit cards to meet Payment Card Industry Data Security Standards

– Payment Card Industry norm now part of state law

Top Ten Types of State Laws To Watch

• Data breach notification measures that require notice of a data breach.

• Credit freeze provisions that allow consumers to curtail access to credit histories.

• Social Security Number protection laws that require special limitations on the collection, use and display of federal SSNs.

• Secure Disposal Laws that require businesses disposing of records containing personal information to make the personal information indecipherable.

• Information Security Laws with varying protections.

• Identity Theft criminalization and deterrence measures that either enhance prison sentences or assist identity theft victims.

• RFID bills that prohibit the nonconsensual use or reading of RFID chips. Missouri criminal law against employers requiring implants.

• Genetic privacy – restrictions on the use of test results and the use, disclosure and protection of biometric data.

• Employee Surveillance – two states (DE and CT) have notice rules

• Locational Privacy – new restrictions on use of GPS-enabled devices

US Privacy Litigation Comes of Age

• In the absence of actual identity theft or quantifiable harms, the majority of courts reject emotional and dignitary injury and require evidence of concrete, economic harms from privacy violations to support standing and damages claims

– Courts continue to reject risk-of-harm claims from loss of personal data, but some are finding standing

• Quantifying the value of privacy continues to be an obstacle for plaintiffs, but three important trends make privacy litigation increasingly risky for corporations:

– Standing

– Competitor privacy litigation

– Collateral data breach litigation

TJX Data Breach Litigation

• Disclosed in 2007 that in 2005 and 2006 unauthorized intruders accessed computer systems that process cardholder data

• Settlement reached with 41 state AGs

• TJX agreed to pay $9.75 million and to implement a comprehensive information security program:

– Designate an employee to be accountable for the program

– Replace or upgrade all wired and wireless systems in retail stores to a specified level of security

– Segment the portions of its computer system that process personal information, including credit card information, from the other parts of its system

– 120 days to certify compliance

– Agrees to participate in industry pilot programs to test new security for payment cards

Standing Changes

• Pisciotta v. Old National Bancorp – 7th Cir., 2007

– Bank web site breached and customer information lost

– Plaintiffs claimed potential economic damages and emotional distress, but conceded no direct financial loss or actual identity theft

– On appeal, Seventh Circuit disagreed with several district courts and deemed mere fear of future identity theft sufficient to establish standing

• Ruiz v. Gap, Inc. – N.D. Cal., 2008

– Laptops containing unencrypted personal information of 800,000 job applicants stolen from clothing retailer

– Plaintiffs alleged increased risk of future identity theft only

– District court held plaintiffs had preliminary standing to pursue claim that retailer negligently failed to protect applicants’ personal data

Litigating Competitors’ Privacy Practices

• Companies can use privacy offensively to stop competitors that neglect privacy concerns

• In CollegeNET, Inc. v. XAP Corp., 2008 WL 1805539, No. 03-CV-1229-BR (D. Or. Apr. 17, 2008), a company used the Lanham Act to enjoin an online software competitor from engaging in misleading privacy practices

• Privacy can also be used offensively to hamstring aggressive discovery efforts

• Certain statutes provide remedies to companies who are harmed by violations of the statute’s requirements. Example: Computer Fraud and Abuse Act, 18 U.S.C. § 1030

Litigating to Recoup Costs of Data Breaches

• Banks increasingly seek to recoup costs (est. $50-60 per customer) of cancelling and reissuing cards after data breaches. Courts are shifting in banks’ favor.

• In Sovereign Bank v. B.J. Wholesale Club & Fifth Third Bank, No. 06-3392 (3rd Cir. July 13, 2008), card-issuing banks sued BJW and its merchant bank to recover the cost of issuing new cards after a data breach, claiming breach of contract under a third-party beneficiary theory.

– Third Circuit reversed dismissal of banks’ complaint, holding that banks stated a claim as incidental third-party beneficiaries to merchant bank’s agreement with VISA.

– Decision may open route for issuing banks indirectly to recoup costs from merchants

– May spawn collateral indemnification actions by merchant banks against merchants

Litigation When Services Outsourced

• In Quon v. Arch Wireless, No. 07-55282 (9th Cir. 2008), the Ninth Circuit held that a public employer violated privacy rights of an employee under the California Constitution by reading text messages sent over an employer-provided pager

– Pager provided through a third-party telecommunications vendor

– Formal employer policy provided that employee had no expectation of privacy in pager system

– But informal employer policy permitted employer to audit employee messages unless employee reimbursed employer for “overage” charges

– Ninth Circuit held that informal policy trumped formal policy and created an expectation of privacy in employees

USA PATRIOT Act Renewal

• Three key USA PATRIOT Act provisions are set to expire Dec. 31, 2009:

– Section 215, which allows the FBI to seek an order from the Foreign Intelligence Surveillance Court (FISC) to force a business to turn over customer records for a terrorism investigation

– the "lone wolf" authority to go after individual terrorist suspects who may not readily be associated with a foreign power

– roving wiretaps

• Senate Judiciary Committee approved renewal on October 8, 2009

National Security Letters (NSLs)

• Allow the FBI to obtain records without any court approval, including from telephone and internet service providers and financial institutions

• The Second Circuit held that the telecommunications NSL provision, § 2709(c), is unconstitutional to the extent it imposes a nondisclosure requirement on NSL recipients; existing NSLs are still valid

• No court has ruled on the Fourth Amendment issues regarding the hundreds of thousands of NSLs

• Judiciary USA PATRIOT Act renewal bill creates a new four-year sunset for currently nonexpiring NSL provisions

• Effect of sunset would be to put the NSL provisions back to their pre-9/11 status

Governmental Surveillance and Privacy

• Border Searches: Ninth Circuit expansions of Border Search Doctrine inhibit international travelers carrying sensitive information

– Executives traveling from foreign countries often carry clean computers across borders

• Litigation over alleged corporate involvement in governmental surveillance continues

– SWIFT case, NSA Telecommunications Records litigation

Deep Packet Inspection

• New security technologies, such as deep packet inspection

– Create possibilities for analyzing and targeting traffic

– Effective for recognizing harmful content

– Require Wiretap Act analysis

• Behavioral advertising controversy under consideration by Congress and FTC

• FTC guidance:

– Transparency and Consumer Control

– Reasonable Security and Limited Retention

– Affirmative Express Consent for Material Changes to Promises

– Affirmative Express Consent for Use of Sensitive Data

Information Governance Will Dominate

• Paradigm shift in which privacy becomes merely a part of information governance

• Duties of privacy officers will expand or become subsumed

– Information Security

– Privacy

– Marketing

– Customer Sales

– Records Management

– eDiscovery

Global Changes Will Impact Business

• Outsourcing and international IT systems will make international cooperation a necessity

• OECD, EU DPAs, UN, ITU, ISO, HLCG, APEC

• What does it all mean?

– Possibly more “safe harbor” structures?

– Enhanced enforcement to prove strength of regulation?

– Uncertainty in international business.

• Privacy Commissioners to consider choice of law issue

Edward McNicholas
Sidley Austin LLP
1501 K Street, NW
Washington, DC 20005
[email protected]
(202) 736-8010
www.sidley.com/InfoLaw

Questions?

This presentation has been prepared by Sidley Austin LLP as of October 16, 2009, for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers.

Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, London, Hong Kong, and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.