PRIVACY POLICIES: THE LAW “UNDER THE HOOD”
October 2015
Kelly McCanlies, CIPP/US, CIPM, CIPT
Director, Privacy Programs
Information Assurance Department
Hawaiian Electric Company
PRIVACY POLICIES: AGENDA
• Definitions
• The Laws
  o FTC – Federal Trade Commission
  o COPPA – Children’s Online Privacy Protection Act
  o HIPAA – Health Insurance Portability and Accountability Act
  o SEC – Securities and Exchange Commission
  o State laws
  o Other legal considerations
• Why privacy policies are important
Confidential – property of Hawaiian Electric Co.
PRIVACY POLICIES: DEFINITIONS - PRIVACY & SECURITY
Security is about
• protecting assets,
• creating barriers,
• both physical and technology.
Privacy is about
• compliance (legislative, regulatory, contractual),
• data in any form
  o at rest, in transit, in display
  o hard or softcopy
• access to personal information.
PRIVACY POLICIES: DEFINITIONS - PII
Personally Identifiable Information (PII)
In general terms – any information that relates to or identifies a person
Differs from law to law
PRIVACY POLICIES: FTC (FEDERAL TRADE COMMISSION)
• 207 enforcement actions involving privacy or security since 1997
• In addition to the FTC Act, FTC cases cover
  o CAN-SPAM
  o COPPA
  o FCRA
  o FDCPA
  o GLBA
  o TILA
PRIVACY POLICIES: WYNDHAM HOTELS
What happened at Wyndham Hotels?
• 3 breaches 2008 – 2010
• 619,000 credit card numbers exposed
• Data exfiltrated to a server in Russia
• $10.6M in credit card losses
• Same attack methods used in all three breaches
• No technical remediation made by Wyndham after the 1st and 2nd breaches
PRIVACY POLICIES: WYNDHAM HOTELS
Privacy Policy (before the FTC suit)
“We safeguard our Customers' personally identifiable information by using industry standard practices. Although "guaranteed security" does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations.”
PRIVACY POLICIES: FTC V. WYNDHAM HOTELS
FTC: Defendants failed to provide reasonable and appropriate security for the personal information…
• failure to use readily available security measures, such as firewalls;
• storage of credit card information in clear text;
• failure to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks;
• failure to address known security vulnerabilities on servers;
• use of default user names and passwords for access to servers;
• failure to require employees to use complex user IDs and passwords to access company servers;
• failure to inventory computers to appropriately manage the network;
• failure to maintain reasonable security measures to monitor unauthorized computer access;
• failure to conduct security investigations; and
• failure to reasonably limit third-party access to company networks and computers.
PRIVACY POLICIES: WYNDHAM HOTELS
The court case:
2012 FTC files suit in District Court alleging “deceptive and unfair business practices” (US District Court of New Jersey)
2014 District court rules against Wyndham’s motion to dismiss, upholding FTC authority to regulate cybersecurity
Aug 2015 Appeal court upholds FTC authority (U.S. Court of Appeals for the Third Circuit)
PRIVACY POLICIES: WYNDHAM HOTELS
Privacy Policy (current policy)
“Security of Your Information: We will take reasonable steps to protect the information you provide us from loss, misuse and unauthorized access, disclosure, alteration and destruction. We have implemented appropriate physical, electronic and managerial procedures to help safeguard and secure your information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Unfortunately, no security system is 100% secure, thus we cannot ensure the security of information that you provide to us via the Services.”
PRIVACY POLICIES: COPPA (CHILDREN’S ONLINE PRIVACY PROTECTION ACT)
COPPA applies to:
• operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children
• operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13
PRIVACY POLICIES: COPPA - DEFINITION OF PERSONAL INFORMATION
• First and last name
• Physical address (street name and city name)
• Online contact information
• Screen or user name
• Telephone number
• Social Security Number
• A persistent identifier that can be used to recognize a user over time and across different websites or online services
• Photograph, video, or audio files, where such file contains a child’s image or voice
• Geolocation information (sufficient to identify street name and city name)
PRIVACY POLICIES: COPPA
Privacy Policy (example from Target)
“We recognize the particular importance of protecting privacy where children are involved. We do not knowingly collect personally identifiable information online from children under the age of 13. If a child under the age of 13 has provided us with personally identifiable information online, we ask that a parent or guardian contact us or call 800-440-0680.”
PRIVACY POLICIES: HIPAA
• HIPAA does not preempt
In 2014, in Byrne v. Avery Ctr. for Obstetrics & Gynecology, the Connecticut Supreme Court ruled that HIPAA does not preempt common-law claims for negligence and negligent infliction of emotional distress against a health care provider.
• The Case
  o Avery Center’s privacy policy assured patients that their protected health information would not be disclosed without their authorization.
  o Avery Center was subpoenaed and supplied Byrne’s medical records.
  o As a result, Byrne allegedly suffered harassment and extortion threats after the estranged father of her child viewed the medical records.
PRIVACY POLICIES: HIPAA
Avery Center’s current Privacy Policy:
“We will disclose protected health information about you when required to do so by federal, state or local law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. We will make a reasonable effort to inform you of the request.”
PRIVACY POLICIES: SEC
SEC Disclosures
• For all publicly traded companies
• First guidance on cyber-incident reporting issued in Oct. 2011 by the Division of Corporation Finance
• Disclosure of “material” cyber-incidents
PRIVACY POLICIES: SEC
SEC Disclosures
• A Cyber-incident:
  o Deliberate or unintentional event
  o Unauthorized access to digital systems: misappropriating information, corrupting data or operational disruption
• Information that a "reasonable investor would consider important to an investment decision”
  o SEC: “A cyber-attack could be material if it causes a company to significantly increase what it spends to defend its systems”
  o SEC Commissioner urged more public reporting of cyberattacks. Firms “should go beyond the impact on the company” and weigh the effect on others, including customers.
PRIVACY POLICIES: SEC
SEC Disclosures
• Report in
  o 10Q – quarterly report (less detailed)
  o 10K – annual report (more detailed)
  o 8K – special form to report to investors an unscheduled material event
• Differentiate risks from incidents
• Needs to match public statements
Target was subject to SEC investigation due to the data breach.
PRIVACY POLICIES: SEC
SEC Disclosures
Good examples of 10K filings:
  o Citigroup (March 1, 2013) or Bank of America (Feb 28, 2013)
  o Coca-Cola (Feb 27, 2013) discloses Chinese hacking
Filings available through the SEC search tool EDGAR
PRIVACY POLICIES: SEC - HARTFORD
SEC Disclosures
• Hartford Insurance
  o Hartford mentioned a reliance on online technology in their SEC 10K filing.
  o April 2012: the SEC sent a letter asking for more info.
  o Hartford responded: we have not experienced a material incident.
  o SEC followed up with questions on “have you ever been under attack?”
PRIVACY POLICIES: SEC - HARTFORD
Hartford added language to their 10K:
“If we are unable to maintain the availability of our systems and safeguard the security of our data due to the occurrence of disasters or a cyber or other information security incident, our ability to conduct business may be compromised, we may incur substantial costs and suffer other negative consequences, all of which may have a material adverse effect on our business, financial condition, results of operations and liquidity.”
PRIVACY POLICIES: SEC - HARTFORD
Privacy Policy
OUR SECURITY PROCEDURES
“We take reasonable precautions to safeguard the personal information transmitted between visitors and the Site and the personal information stored on our servers. Unfortunately, no method of transmitting or storing data can be guaranteed to be 100% secure. As a result, although we strive to protect your personal information, we cannot ensure the security of any information you transmit to us…”
WHERE THE HARTFORD STORES AND MAINTAINS INFORMATION
“This Online Privacy Policy applies to our United States operations. We maintain the Site in the United States and the Site is not intended to subject The Hartford or any affiliated entity to the laws or jurisdiction of any state, country or territory other than that of the United States. The Hartford does not represent or warrant that the Site, or any part thereof, is appropriate or available for use in any particular jurisdiction…”
PRIVACY POLICIES: STATE PRIVACY LAWS
State Attorneys General
Security Breach Notification
• 47 states, DC, Guam, Puerto Rico, US Virgin Islands
• Dependent on where the customer lives, NOT where the business is located.
Other state privacy laws include data collection, social media in hiring, Social Security Number protection, student data protection, etc.
PRIVACY POLICIES: STATE PRIVACY LAWS
State Attorneys General
• In 2013, the Hawaii AG received $106,179 for one privacy fine from Google Street View
• 3 Hawaii Privacy Laws
  o Social Security Number Protection (HRS 487-J)
  o Security Breach of Personal Information (HRS 487-N)
  o Destruction Of Personal Information (HRS 487-R)
PRIVACY POLICIES: DEFINITIONS - HRS 487-N
"Security breach" means an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.
PRIVACY POLICIES: DEFINITIONS - HRS 487-N
"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number; (2) Driver's license number or Hawaii identification card number; or (3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.
PRIVACY POLICIES: OTHER LEGAL CONSIDERATIONS
Class action lawsuits (Target Corp.)
• Over 140 lawsuits filed in 21 states plus DC.
• Most are consumer class-action suits, but financial institutions and investors have also filed.
• Some lawsuits include Target’s security auditor Trustwave
• One lawsuit filed under Minnesota Plastic Card Security Act (PCI)
PRIVACY POLICIES: OTHER LEGAL CONSIDERATIONS
Conflicts within a Privacy Policy
• True Beginnings and Plenty Of Fish
  o True Beginnings filed for Chapter 11 bankruptcy protection in 2012
  o Plenty of Fish contracted to buy the 34 million subscribers’ data for $700,000
  o The Texas Attorney General filed objections to the transfer of assets based on True Beginnings’ "ambiguous online published privacy policy" and its failure to provide members with prior notice regarding the sale of their personal information.
PRIVACY POLICIES: OTHER LEGAL CONSIDERATIONS
True Beginnings’ Privacy Policy:
• "True does not sell, trade, or otherwise disclose customer lists names, addresses, birth dates, email address or other individually identifiable information to unaffiliated third parties without your permission”
• “In the event that True should be acquired or substantially all of its assets transferred, Personal Information would be considered a transferable asset.”
PRIVACY POLICIES: QUESTIONS & ANSWERS
Kelly McCanlies, CIPP/US, CIPM, CIPT
Director, Privacy Programs
Information Assurance Department
Hawaiian Electric Company