May 2016 Issue
Data privacy is increasingly complex and subject to constant discourse and revision. Indeed, over the past 12 months, there has been a host of major regulatory and legislative developments in this area, including the Safe Harbour invalidation, the drafting of the EU-US Privacy Shield and the new EU General Data Protection Regulation. Moreover, in today’s high-stakes business environment, organisations that fail to evaluate data protection and privacy law trends are likely to find themselves facing a negative, long-term impact on their reputation, as well as their revenue.
Pfeifle: Could you provide an overview of how the data protection and privacy laws landscape has developed over the past 12 months? Have any particular trends and patterns caught your attention?
Arasaratnam: On the legislative front, Australia introduced controversial new data retention laws in October 2015 requiring telecommunications carriers, carriage service providers and internet service providers to retain certain datasets of information for law enforcement purposes. As a result of the new data retention regime, telcos have had to implement costly systems for data retention and responding to personal information access requests with respect to the retained data, which is deemed to be ‘personal information’ under the Privacy Act 1988 (Cth). On the business front, we continue to see a growing investment by clients in the revenue generating aspects to customer data, such as Big Data, data analytics and targeted advertising. These comparatively new forms of data use are poorly addressed by the Australian Privacy Principles in the Privacy Act.
Nisenbaum: Obviously, European Union data protection has been one of the most watched aspects of data privacy and security regulation. US companies that had relied on the invalidated US-EU Safe Harbour regime to transfer personal data from Europe scrambled to understand other available compliance mechanisms. This burden has renewed company focus on international compliance issues just as we approach the official countdown to the new EU General Data Protection Regulation, which should also stimulate company efforts to comply with their international data privacy and security obligations. More generally, big data analytics programmes continue to present compliance challenges. Companies that seek to combine data from multiple sources to improve the breadth and depth of their analytics will continue to face challenges relating to how that data can be used and shared. Evaluating laws and publicly facing privacy policies applicable to each source of data to discern allowable uses can be a complex process.
Sills: The most alarming trend has been a shift by attackers in targeting non-financial data. Looking at the largest breaches in 2015, the biggest headlines were for health insurance companies, the Office of Personnel Management, universities, and most recently, law firms. These organisations hold a wide range of personal and sensitive corporate data other than financial that will have long-term consequences on the privacy, security and future profits of individuals and organisations. Although they have been slow to respond, and to date have not tackled cyber security with the same resources as the financial services and defence industries, these organisations will need to catch up, improve their policies and capabilities, and begin protecting data more effectively. The Schrems decision and the invalidation of Safe Harbour was a significant change in the landscape that caught the attention of corporate America, and its recalibration will be something to watch in 2016.
Cohen: Over the last 12 months, we’ve seen an increased emphasis on accountability. We saw it with the invalidation of the Safe Harbour by the Court of Justice of the European Union in the Schrems decision, which was based in part on the lack of recourse against the US government for EU citizens who felt that their privacy rights had been violated. Under the Privacy Shield proposal that would replace the Safe Harbour, companies would be required to respond to complaints from EU citizens within 45 days and to provide free dispute resolution mechanisms to such citizens. The Privacy Shield would also require more transparency from the US government regarding its privacy practices. For example, the US Secretary of State would be required to appoint an ombudsperson who would be responsible for investigating complaints regarding the government’s use of EU personal data for national security purposes. These steps will make the US government and US businesses more accountable to residents of the EU.
Pfeifle: How would you characterise government enforcement of data protection regulations? Have you noticed a change?
Sills: Government agencies continue to show an increased interest in corporations’ cyber preparedness. The Federal Trade Commission continues to bring enforcement actions against companies that do not have adequate information security programmes and engage in deceptive advertising. Executive branch agencies are also increasingly interested in fostering conversations in the private sector regarding current challenges, from CEO roundtables to a seminar on ‘ransomware’ occurring later this year. Additionally, the Securities & Exchange Commission (SEC) has continued to identify cyber security as a priority, particularly for broker-dealers and investment advisers. Even state agencies, such as the New York Department of Financial Services, and the California Office of the Attorney General, have recently released guidelines intended to raise information security standards. Finally, the Department of Justice has brought multiple indictments against foreign criminals, with indications that the US government is going to take a more active role in going after cyber threats as well.
Cohen: We have noticed an increase in the numbers of government agencies willing to step into the data protection enforcement arena. For a long time it was primarily the FTC that took responsibility for enforcement across a variety of industries, but given the heighted awareness of these issues, other agencies have begun stepping in to address data protection issues that are industry specific. For example, in March of this year the Consumer Financial Protection Bureau (CFPB), which seeks to ensure that financial institutions treat consumers fairly, concluded its first data protection enforcement under the Consumer Financial Protection Act of 2010 against Dwolla, Inc., in which it assessed a $100,000 fine against the payment processing company for misrepresenting its data security practices.
Arasaratnam: There has been a notable lack of significant enforcement action from the Australian Privacy Commissioner following the significant changes that were introduced into Australia’s key piece of privacy and data security legislation, the Privacy Act 1998 (Cth), in March 2014. These changes included a new set of Australian Privacy Principles (APPs), which Australian government entities and private sector organisations must comply with, as well as new powers for the Australian Privacy Commissioner to seek enforceable undertakings and apply for a court order requiring such entities to pay a penalty of up to $1.8m for serious or repeated breaches of the Privacy Act. At an industry level, this lack of enforcement action with respect to areas such as cyber security, direct marketing and credit reporting has led to a certain degree of complacency and uncertainty among companies with respect to measures required for privacy law compliance.
Nisenbaum: There are several relative newcomers to the alphabet soup of regulatory enforcement in the US, such as the Federal Communications Commission (FCC), which now has regulatory authority over broadband providers, the CFPB, which recently engaged in its first data security enforcement action against a payment processor and the SEC, which is showing increasing interest in data security issues. These regulatory agencies join agencies that have historically been the key drivers of US privacy regulatory enforcement, the FTC, US Department of Health and Human Services (HHS) and state attorneys general. Encroachment on this regulatory turf by the newcomers may spur action by the FTC, HHS and state attorneys general to maintain their leading enforcement roles. In the more long term, it will also be interesting to see whether the increased penalties under the GDPR will incentivise European data protection authorities to take more action.
“Companies that seek to combine data from multiple sources to improve the breadth and depth of their analytics will continue to face challenges relating to how that data can be used and shared.”
Pfeifle: With recent high-profile data breaches hitting the headlines, what lessons can we learn from how such cases were identified and managed?
Nisenbaum: The legal fallout from the Target breach offers some excellent lessons for maintaining attorney-client privilege and work product protection in US litigation following a data breach. In that case, Target maintained a dual track breach investigation, with one forensics team working for Target legal counsel for the purpose of enabling Target legal counsel to provide the company with legal advice and a separate forensics team investigating for the benefit of other interested parties such as payment card companies. The investigatory work of the forensics team working for Target legal counsel has generally been protected from discovery in subsequent litigation. While most breaches won’t justify the expense of a two track investigation, the case shows how important it can be for subsequent litigation to have legal counsel managing the data breach investigation.
Shepherd: Pretty much all of the recent high-profile data breaches have been as a result of inadequate or lax security arrangements. These breaches highlight the need for data controllers to ensure that their IT systems are secure, both in terms of physical and logical security, and also in relation to the access individuals are given to that data. The Mossack Fonseca/Panama Files case shows the vast quantity of a data a single data controller can hold and, once that data has been acquired by a third party, the relative ease in which it can be disseminated. It also highlights the huge amount of damage a single data breach can do.
Arasaratnam: Incidents such as the Target data breach have highlighted the importance for businesses of undertaking regular security risk assessments, taking out appropriate cyber insurance and implementing robust cyber security measures – including security policies and training, data breach response plans and compliance monitoring. At a board level, we are seeing company directors deal with the risk of data breach as an issue which they must address as part of their duties to the company.
Cohen: In the press surrounding both the Anthem and Ashley Madison breaches, the targeted companies emphasised to the public that full credit card information had not been compromised, as though this were good news – but the information that had been compromised was actually far more sensitive, including health information, social security numbers, home addresses and the fact that people were seeking extramarital affairs. In the prior high profile data breaches in which credit card information was compromised, like the Target and Home Depot breaches, while the public was inconvenienced, merchants and banks bore the brunt of the cost. In these more recent breaches, the stakes are higher, since the compromised data relates to deeply personal issues like health and relationships. In light of these recent breach incidents, companies that handle particularly sensitive consumer data should expect the public to become more focused on the companies’ data privacy practices and to question whether free credit monitoring is adequate compensation for these types of data security breaches.
Sills: Organisations prepare for a variety of cyber attacks beyond breaches of personally-identifiable information (PII) before they take place. As ransomware and purely destructive attacks increase, the ability to protect crown jewels and backup data effectively becomes paramount. Additionally, as hard-hit industries such as retailers, banks, and defence contractors have improved their cyber security capabilities, lesser targeted companies must also improve their cyber security postures. “We are too small” and “We don’t hold valuable data” are insufficient responses in today’s environment. This highlights the importance of building cyber security resilience for all organisations, and not only investing in technologies, but building a culture of cyber security that takes a whole-of-enterprise approach, including everyone from the board of directors to entry-level positions. After Congress finally passed an information sharing law, organisations within an industry and between industries should share threat information when possible, allowing others in their supply chain, third parties and other trusted partners to benefit from increased visibility.
Pfeifle: In your opinion, do companies now have a greater level of understanding of their data protection duties?
Cohen: A greater level of understanding is certainly true of large companies, especially those in regulated industries, which increasingly have in-house counsel devoted to data protection issues. Data protection is a focus in virtually every transaction, whether it be an outsourcing transaction where the parties specify the data protection standards to which they will each adhere, or an M&A transaction where the buyer wants to receive appropriate representations regarding the seller’s data protection practices. That said, there is still room for improvement among some smaller and mid-size companies, which often lack the resources to address to this issue fully.
Sills: The conversation is changing for corporate executives and boards of directors. Companies have a greater appreciation for existing threats and are treating cyber security more seriously because their customers, vendors and regulators are increasing their scrutiny. However, companies are still struggling to turn awareness of the risk into effective oversight and risk management. Although cyber security has been identified as a top risk for many organisations, it is not receiving the budgetary and personnel resources commensurate with such a ranking. Further, spending indiscriminately on cyber security technologies may be ineffective if those technologies are not integrated effectively. While cyber security has made its way into the c-suite and boardroom, combining an understanding of the threat with how particular incidents could manifest themselves inside the organisation remains a challenge.
Nisenbaum: There is definitely a much greater awareness that data protection is a business issue that needs to be addressed and companies are more aware of certain data protection issues. For example, thanks to the highly publicised invalidation of Safe Harbour, US companies better understand the legal requirements to transfer personal data from Europe. However, whether a company truly understands how to apply existing regulations to their business isn’t something that can easily be generalised. Companies that have grappled with data privacy and security regulations and attempted to apply them to their own businesses certainly have a greater understanding of what their obligations are – and organisations are increasingly doing so. However, all too often, many organisations ignore compliance issues or establish data privacy and security policies as a check-the-box exercise without taking the time to understand how they apply to the nuances of their businesses.
Shepherd: Companies appear to have a far greater understanding of their data protection duties than was once the case. In Asia, the introduction of new laws in some jurisdictions, and the enhancements to existing laws in others, has significantly raised data protection on the corporate agenda and that inevitably led to a great understanding of duties. However, I suspect that a combination of individuals having a better understanding of their rights and exercising those rights, and publicity surrounding data breaches, have been the key catalysts to raising companies’ awareness.
Arasaratnam: I can understand why companies are struggling to come to terms with their obligations under the revised Privacy Act 1988 (Cth). The Australian Privacy Commissioner has released a number of guideline documents in the past two years, including the APP Guidelines, the Guide to Undertaking Privacy Impact Assessments, the Guide to Securing Personal Information and the Data Breach Notification Guide with respect to best practice on privacy compliance. These guideline documents have greatly assisted companies in understanding the extent of their obligations under the Privacy Act 1988 (Cth). However, there remains a great gulf between what the Commissioner’s guideline documents recommend as best practice and what companies understand to be standard market practice in their industry with respect to privacy compliance.
“Companies that handle particularly sensitive consumer data should expect the public to become more focused on the companies’ data privacy practices and to question whether free credit monitoring is adequate compensation for these types of data security breaches.”
Pfeifle: In your opinion, what should companies be doing to prepare for the General Data Protection Regulation? What do you feel its impact will be worldwide?
Shepherd: Companies should be examining their data usage and processes in order to determine what differences the regulation will make to their business and they should be actively developing plans to put their business in compliance. Companies outside the EU which are currently handling EU data should already be aware of the existing regime and should be handling personal data accordingly; of course, that may or may not be the case in practice. Such companies, particularly those in jurisdictions which do not currently have a privacy regime, will need to ensure their staff are thoroughly trained on both the basics of EU privacy law and also on the impact of the regulation on their existing processes and practices. They will also need to examine their data usage and processes to ensure they are compliant with the new regime.
Sills: Companies should increasingly be thinking about how their use of data, encryption and information security practices will be viewed globally. While the disagreement between Apple and the FBI raged and will resurface in the US, the conversation ignores that any agreement about the use of encryption would have little effect globally. Depending on the content, it may make consumers abroad less safe by setting a dangerous precedent for government access. Companies are becoming increasingly adept at meeting the regulatory, vendor and third-party requirements placed on them by others but risk losing sight of making their own risk tolerance decisions and deciding what is best globally for their customers and clients.
Cohen: All companies should ask themselves whether they will be subject to the GDPR given that it has a much broader reach than the 1995 EU Data Protection Directive that it will replace. Any company, even one with operations located entirely outside the EU, that offers goods or services to EU data subjects, regardless of whether a payment is required, is subject to the GDPR. This means that companies that had previously not had to concern themselves with the 1995 Directive will need to determine whether they must comply with the GDPR. Second, companies that will be subject to the GDPR should examine their use of personal data collected through their products and services to determine whether they require EU data subjects to give affirmative consent to the use of such data for any purposes other than those required for the data subject to receive the product or service, as required under the GDPR. For companies based in the US, we would expect that answer to be ‘no’, since most US companies tend to rely on ‘silence, pre-ticked boxes or inactivity’ to indicate consent, which the GDPR has deemed inadequate.
Nisenbaum: Companies that will be subject to the GDPR will need to review their personal data collection practices, assess where they may need consent from customers, workers and business partners and make sure they are obtaining that consent in a way that is in compliance with the heightened requirements under the GDPR. Companies should also review their contracts with third party vendors with whom personal data from European citizens will be shared to ensure their supply chain practices meet GDPR requirements. Companies also need to evaluate their breach management practices to ensure they are ready to comply with the compressed 72 hour timeframe for notice to data protection authorities under the GDPR. We are likely to see significant efforts to comply globally as companies seek to ensure they will not be subject to the significant fines that may be levied under the GDPR.
Pfeifle: What steps should companies take to ensure their boards are aware of the sensitive data in their possession, as well as the potential liabilities if that data is lost or stolen?
Nisenbaum: US regulatory authorities and case law has firmly established that data protection is a business issue that requires the attention of the boards of US companies. Some important steps that can help ensure board access to appropriate information are regularly devoting time to review cyber security issues, appointing a chief information security or similar executive officer to have accountability to and report to the board on cyber security issues, and tasking a board committee with responsibility for cyber security issues and requiring the committee to regularly report to the board. These steps can help arm the board with the information they require to assess, and make appropriate decisions to mitigate, cyber risk.
Sills: Management should identify, by itself or with the aid of an outside review by an independent expert, the company’s sensitive data, worst case scenario risks and risk tolerance. This information should be briefed to the board and followed up iteratively through the use of dashboards or other method that is customary in the organisation. Additionally, boards should be briefed on three key components of the organisation’s cyber security programme – progress on key initiatives, metrics that give the board insight into the company’s information security capabilities, and incidents. Companies should also discuss incident response with their boards. Internally, executives should report on the lessons learned from tabletop exercises. As incident response plans are developed, the company should identify a board member who will receive updates during significant incidents where the board will want frequent updates but should not be interfering in the organisation’s response. Finally, executives and boards should review public cyber incidents of other companies and learn from cyber attacker’s tactics and companies’ responses.
Cohen: It is important that risks associated with cyber security are treated by the company and its board like any other enterprise risk. A company should make sure that its board receives regular reports regarding the risks associated with the company’s collection and use of personal data, including the legal, monetary, operational and reputational risks. Some companies find it useful to bring in outside experts to explain key issues to the board. The board discussion should also address the steps the company has taken to mitigate those risks, including the adequacy of the resources and budget allocated to data security risk mitigation, the personnel responsible for data security issues and the way in which those issues are escalated at the company, whether the company has a data breach response plan, and the extent to which any of the risk has been transferred through cyber liability insurance.
Shepherd: Companies which hold sensitive personal data should already be aware of sensitive data which they hold – both ‘sensitive personal data’ under the current Directive and sensitive personal data in the traditional sense – and that awareness should be from the board down. If they do not, the company should urgently undertake a review of their personal data usage and conduct appropriate training to ensure that they fully understand their legal duties and the legal, commercial and reputational risks of failing to comply with those duties.
Arasaratnam: It is crucial that company boards address cyber security and the risk of cyber attack as a regular item for discussion during board meetings. This process can begin each year with a presentation or workshop on directors’ duties with respect to monitoring and ensuring that management have implemented effective policies to prevent and respond to cyber attacks. Directors need to inform themselves of the cyber risks faced by the company. One way to do this is by requiring the IT, legal and privacy teams to deliver regular reporting to the board on data held by the company, the risk of cyber breaches and IT-related issues and the exposure for the company should there be a data breach. Directors should also ensure that the company has a designated team responsible for managing cyber risk, which includes personnel and stakeholders from all aspects of the business. Finally, directors should ensure that appropriate processes, policies and insurance is implemented to address cyber risk and escalate issues with respect to cyber breach or IT-related risks to management and the board for their consideration.
“I suspect that a combination of individuals having a better understanding of their rights and exercising those rights, and publicity surrounding data breaches, have been the key catalysts to raising companies’ awareness.”
Pfeifle: To what extent is the concept of privacy by design (PbD) gaining traction among companies and government entities? What do you consider to be the driving factors in achieving a greater awareness of PbD?
Cohen: In the US, government entities have been quicker to embrace PbD than private industry. For example, PbD has informed the policies and guidelines of the FTC since it recognised the principles its 2012 report ‘Protecting Consumer Privacy in Era of Rapid Change’. In addition, the California attorney general’s office, long a leader in data privacy issues, embraced PbD principles in 2013 when it issued guidance incorporating those principles to mobile app providers. For companies, the traction depends on the PbD principle in question. Many companies have become proactive in recent years about their data security measures, but still struggle with the ideas of privacy as the default setting, embedding privacy into the design of their products, and transparency around their data privacy practices.
Arasaratnam: The Australian Privacy Commissioner is a strong advocate of PbD and has taken the view that Australian Privacy Principle 1.2 of the Privacy Act 1988 (Cth) embeds the approach of PbD into the APPs. One difficulty for businesses seeking to follow a PbD approach to APP 1.2 is that the seven foundational principles of PbD are fairly high-level and do not specify practical measures that businesses can adopt to implement PbD. In this respect, Australian businesses are more likely to turn to the Privacy Commissioner’s Guide to Securing Personal Information as this guideline document provides much greater specificity with respect to measures businesses can take to implement PbD into their practices, procedures and systems.
Nisenbaum: The popularity of PbD is certainly established in regulatory circles. For example, FTC guidance indicates that PbD is the responsibility of all companies that collect consumer’s personal information. However, traction in practice among companies depends on the maturity of a company’s privacy programme. Organisations with robust and sophisticated privacy programmes conduct privacy impact assessments to determine ahead of time the privacy implications of their business decisions in accordance with PbD concepts. However, organisations with less sophisticated privacy programmes or smaller organisations by and large simply have not implemented the infrastructure required to establish PbD in their businesses.
Sills: PbD, and its cousin, security by design, continue to be concepts that organisations aspire to but far too frequently are cast aside when they would cost more or slow down business. For new systems, it is easier to include privacy and security from the beginning. However, in most cases privacy and security improvements are being bolted onto existing processes and systems that were developed to optimise cost and speed. To drive awareness, advocates of PbD must show the benefits of implementing these processes in the short- and long-term. Additionally, governments and public-interest groups must step in to protect consumers, who frequently have little voice in the protection of their data other than to make draconian decisions to stop using products and services completely.
Pfeifle: What advice can you offer to companies on dealing with internal data security risks, such as those posed by Bring Your Own Device (BYOD)? How can companies best strike a balance between ensuring staff are not indulging in wrongdoing or negligence on the one hand, and violating their privacy on the other?
Sills: Organisations can implement effective programmes against insider threats by building a strong cyber security culture and an awareness of multiple ways that data can be removed from the network. Building a strong culture includes having sophisticated policies and training in which everyone, from the CEO to part-time employees, must adhere to and participate. Employees must also understand the accidental and innocent ways that data can be stolen and lost to adversaries. Beyond advice, companies must understand the realities of the current information security dynamics and take reasonable steps, particularly against those who pose the greatest threats. System administrators, executives and others with privileged or ‘super-user’ access must be audited and not given more access than necessary. Additionally, employees who are about to leave, are performing poorly or who may have another reason to harm the organisation should face more careful scrutiny.
Shepherd: The key advice is to make sure that your company is actually aware of its data security risks in the first place and taking appropriate steps to address them. Too many companies have not considered this at all, often in the mistaken belief that they do not have any such risks. In relation to BYOD and similar policies, again the first thing is that you must actually have a policy in the first place – again, too many companies do not think they need them. Many companies also make the mistake of putting in place entirely unfair policies without considering whether they are enforceable and then discovering that they’re not precisely when they need to rely on them. It’s much better to ensure that any policy is appropriate and fair, respects employees’ legitimate rights and, of course, is enforceable.
Arasaratnam: Companies need to ensure that appropriate security controls are implemented to prevent unauthorised devices from connecting to the company’s network. To ensure that staff do not abuse BYOD privileges, the Australian Privacy Commissioner recommends that companies implement clear policies and procedures, which personnel must comply with in using their own devices to connect to the company’s network and taking work home. These policies should address minimum password protection and encryption standards required on devices, the steps personnel must take to secure devices against theft or loss and the training required to ensure staff understand the risks associated with BYOD devices and how these risks may necessitate device monitoring to ensure security of the company’s network.
Nisenbaum: What may be an appropriate balance for one company may not be for the next. When developing policies related to BYOD and other employee privacy and security risks, companies should involve multidisciplinary teams to take into account the views of multiple stakeholders. The multidisciplinary team will also often have the added benefit of bringing to light issues that would not ordinarily be considered by just the IT or legal departments, creating opportunities for more effective policy. Companies should be mindful of differences in legal protections for employees across different jurisdictions. For example, European laws are much more solicitous of employee privacy rights in the workplace than US laws. Companies also must not overlook the fact that many authorised users will be members of a third party vendors team rather than employees and so appropriate supply chain management with respect to such vendors is key.
Cohen: The first step is to educate employees about data security and their role in keeping the company’s systems safe. All employees should receive role-appropriate training on the company’s policies regarding data security, including the consequences for both the employee and the company if the employee fails to comply. For example, employees who use personal smartphones to receive work email should understand that under no circumstances should they disable the password protections on the phone, since anyone finding the phone could see sensitive business correspondence that could damage the company or its clients. Employees should also understand that a number of high profile data breaches have occurred because hackers successfully obtained employee authorisation codes through phishing schemes or an employee’s failure to use a strong password.
“Management should identify, by itself or with the aid of an outside review by an independent expert, the company’s sensitive data, worst case scenario risks and risk tolerance.”
Pfeifle: When reviewing their data protection systems, what steps should companies take to ensure that their infrastructure is effective? How can they achieve robust monitoring and drive accountability?
Arasaratnam: Companies can adopt three important measures to ensure adequate monitoring and accountability with respect to the effectiveness of data protection systems. Firstly, ensure that there is buy-in at a senior executive and board level with respect to reviewing, monitoring and managing cyber security and cyber incidents. Secondly, ensure that there is regular third party auditing, penetration testing and certifications to ensure system security. Thirdly, ensure that independent legal and technical advice is sought early with respect to the adequacy of the company’s data protection and governance mechanisms with respect to monitoring and accountability for cyber threats.
Nisenbaum: All data privacy and security programmes must begin with a clear understanding of the company’s assets. Accordingly, the first step is knowing what the company’s assets are and where they are located. Once this is done, the legal obligations with respect to the assets can be identified and appropriate infrastructure responsive to those obligations can be developed consistent with organisational priorities. Accountability can be driven by executive sponsorship of compliance initiatives, for example by a chief information security officer or other appropriate executive.
Cohen: There are now multiple sets of guidelines that help companies make good decisions about their data protection systems and practices; in fact, there are so many that it can be overwhelming for companies to determine which they should follow. Companies, regardless of location or industry, would do well to follow the recommendation in the February 2016 California Data Breach Report issued by the California Department of Justice, which says that the 20 controls in the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense should be considered the minimum level of information security for companies that collect personal data. To ensure robust monitoring, the controls emphasise the importance of an accurate hardware and software inventory, conducting continuous vulnerability assessments, analysing audit logs and managing user accounts.
Sills: In order to have a sophisticated, adaptive data protection system, companies must know what is in their networks. As a result of mergers, acquisitions and stacking technologies, it is surprisingly difficult to keep an accurate list of the software, hardware and applications running in the network at any given time, let alone the data they are processing. Developing and maintaining such a list improves security and ensures that being able to assemble this information is listed in a job description in the organisation. When senior executives ask for this information and are interested in its contents, this will drive accountability down through the organisation. Once organisations have a clear understanding of their IT infrastructure, they can build a technology roadmap that aligns with their risks that fits their particular infrastructure and business operations.
Pfeifle: When preparing their response to a potential data breach incident, what are the essential components that companies must include in their planning scenario? What, in your opinion, are the top priorities?
Shepherd: Obviously the two key internal priorities are investigating the breach and ensuring that it cannot happen again. As part of this process, the agenda should be finding the truth not apportioning blame – too often we find that a focus on finding something or someone to blame gets in the way of achieving the best remedy. In relation to larger data breaches, it is increasing likely that there will be publicity which needs to be managed, so companies need to seek to control the story so, where possible, it’s important to make a swift announcement or response. However, it’s vital to ensure that the response doesn’t itself become a story so companies need to ensure that their interaction with the media is sensible: a blanket denial against clear evidence of a breach simply doesn’t work.
Nisenbaum: Planning an effective test of a company’s incident response plan needs to identify the objective, test participants and resources, such as facilities and documentation. The most important part of an effective test is the objective. These can include testing weak spots that may have been identified in a past test or through a security audit or a particular architectural issue that the company desires to learn more about. In every case, the scenario should be designed to test communication and escalation protocols to ensure appropriate members of the incident response team are involved in the appropriate decisions at the appropriate time.
Cohen: An effective response plan must identify the individuals that are responsible for responding to a data breach incident, and companies must ensure that each person understands his or her role. It is not sufficient to assume that the IT department will handle the response. The core team will of course include key IT professionals, but it must also include a legal officer and a communications executive. In addition, companies should anticipate that, in the event of a serious incident, they will need the help of a third party IT forensics expert – that expert should be identified ahead of time following a careful selection process, not at the moment the company realises that the incident has occurred. Perhaps the most important priority is to develop a response plan and then to drill on that plan using hypothetical scenarios so that companies have thought through and discussed various action items.
Sills: Preparing effectively for a data breach incident means assembling the team you want bring to the incident before the incident happens. Signing retainer or stand-by agreements with outside counsel, forensics teams, public relations firms and any other external group is critical to responding quickly to a data breach incident. Signing these agreements once an incident happens will cost more and waste valuable time. These groups should also be present at tabletop exercises and internal drills to ‘de-conflict’ roles, identify areas of expertise and build relationships before a crisis occurs. When building planning scenarios it is important for the people who will be leading a real crisis to practice in the training exercise as well. Organisations are increasingly thinking about building scenarios that affect key suppliers or their industry generally in order to consider how competitors can work together to improve security and resiliency in order to keep their industry operating.
Arasaratnam: In Australia, companies are guided by the steps to responding to a data breach contained in the Australian Privacy Commissioner's Data Breach Notification Guide, which are: contain the breach; perform a preliminary assessment; evaluate the risk; consider whether notification is appropriate or required; document lessons learned from the incident and prepare a prevention plan. In preparing for potential data breaches, companies should prepare and implement a data breach response plan that contains practical, up-to-date and easy-to-follow steps on what the company should do in different scenarios involving a data breach. They should appoint a data breach response team, which includes stakeholders from senior management, IT, legal and privacy compliance, and they should contact technical and legal advisers early so that the breach incident can be contained as soon as possible and appropriately managed and assessed with respect to data breach notification requirements.
“Directors should ensure that appropriate processes, policies and insurance is implemented to address cyber risk and escalate issues with respect to cyber breach or IT-related risks to management and the board for their consideration.”
Pfeifle: Going forward, what final piece of advice can you offer to companies in terms of keeping abreast of key privacy and data protection laws and regulations?
Cohen: Because this is such an active area of law right now, there are many resources that companies can use to learn about new developments. At a minimum, US companies should periodically check the FTC’s website for updates as well as new consumer protection enforcement actions in this area. In addition, many law firms and industry groups publish periodic summaries of recent developments related to privacy and data protection – companies should select a few that suit their needs and sign up to receive those summaries via email. While in most cases companies will need to follow up to obtain legal advice that is specific to their business, these summaries will help keep companies informed of developments that may apply to them.
Arasaratnam: Australia is expecting mandatory data breach notification legislation to be passed within the next 12 months. This legislation will require companies to have processes in place for detecting cyber breaches, conducting an assessment to confirm the scale, impact and risk of harm to individuals from cyber breach and responding to the breach, including by notifying the required parties. Companies will need to ensure that they have implemented an appropriate data breach response plan, designated a data breach response team and assessed whether they need to appoint advisers to assist with respect to the data breach response in advance of the new mandatory data breach notification legislation coming into force.
Nisenbaum: The legal and regulatory landscape changes quickly. Fortunately, one consequence of the current focus on data privacy and security issues is that there is no shortage of information sources that provide timely updates on these changes. However, keeping up with these resources takes time and energy. Only companies that make compliance a priority and dedicate appropriate resources will be able to keep up and make appropriate proactive business decisions based on a thoughtful determination of how the changes affect them.
Sills: Companies should be pushing for international, harmonised solutions to privacy and data protection challenges. While it is possible to meet bespoke laws in myriad countries around the world, this creates a drag on business and puts compliance with government standards before customers and consumers. Because of these differing standards, government regulators and industry groups are developing independent testing regimes with which companies must demonstrate compliance on a frequent basis. This constant assessment by regulators and industry groups is causing companies to focus their privacy and data security measures to meet these external requirements instead of their own risk tolerance. Finally, different standards in each jurisdiction make it harder for companies to be transparent to consumers who want to know how companies are using and protecting their data. Arguing for harmonised, international standards will streamline compliance, enable a focus on security over compliance and increase transparency.
As publications director, Sam Pfeifle oversees everything from the Daily Dashboard to the monthly Privacy Advisor to the International Association of Privacy Professionals’ (IAPP’s) various blogs, books and Resource Center items. Mr Pfeifle came to the IAPP after stints overseeing a number of B2B publications, including titles in the physical security, workboat and 3D data capture industries. He began his journalism career with the alternative newsweekly The Portland Phoenix. He can be contacted on +1 (603) 427 9209 or by email: spfeifle@privacyassociation.org.
Niranjan Arasaratnam is a partner with Allens based in Melbourne, but his experience includes working for over four years in the firm’s Greater China offices. Mr Arasaratnam has acted on a range of mergers, acquisitions and joint venture transactions in the hi-tech and media sectors, together with numerous technology and media licensing and procurement projects in Australia and Asia. He was rated as a leading TMT lawyer in Australia by Chambers Global 2012 and was praised for his “strong legal skills, partnered with very high client service skills”. He can be contacted on +61 3 9613 8324 or by email: niranjan.arasaratnam@allens.com.au.
Evan Sills is an associate with Good Harbor Security Risk Management, where he advises corporate executives and boards of directors on cyber risk management, helps clients prepare for crisis and incident responses to cyber incidents, identifies and recommends best-in-class cyber security technologies, and reviews cyber-related legislative and regulatory activities. He is the editor and rapporteur of A Playbook for Cyber Events, a project of the American Bar Association’s Standing Committee on Law and National Security that serves as a guide for legal and cyber security professionals on the interplay of legal, operational and technical issues that arise when preparing for and responding to cyber incidents. He can be contacted on +1 (703) 812 9199 or by email: evan.sills@goodharbor.net.
Alex C. Nisenbaum is an associate in the Corporate and Securities Practice Group of Pepper Hamilton LLP, resident in the Orange County and Los Angeles offices. Mr Nisenbaum’s practice is focused on technology and intellectual property transactional matters, including drafting and negotiating agreements involving software licensing, software as a service (SaaS), software and mobile application development, information technology and business process outsourcing, telecommunications, data licensing, copyright and trademark licensing, and professional services. He can be contacted on +1 (949) 567 3511 or by email: nisenbaa@pepperlaw.com.
Alexander Shepherd is a partner in the information, communications & technology group based in Singapore and head of the firm’s technology, media and telecommunications (TMT) practice in South East Asia. Mr Shepherd advises on commercial, regulatory and intellectual property work with a particular focus on telecoms, media, broadcasting, IT and technology. As well as significant experience advising on corporate finance transactions in the TMT sector across Europe, Africa and the Middle East, he also advises on technology procurement and outsourcing in the TMT and financial institutions sectors. He can be contacted on +65 6831 5655 or by email: alexander.shepherd@simmons-simmons.com.
Jessica Cohen is a counsel in the firm's New York office. She focuses on intellectual property and technology issues in a wide variety of transactions, including licensing and development agreements, outsourcing agreements, service agreements, strategic alliances, and mergers and acquisitions. As part of Skadden’s Intellectual Property and Technology Group, Ms Cohen counsels clients on intellectual property protection and ownership, information security and technology procurement issues. She can be contacted on +1 (212) 735 2793 or by email: jessica.cohen@skadden.com.
© Financier Worldwide
MODERATOR
IAPP
THE PANELLISTS
Allens
Good Harbor Security Risk Management
Pepper Hamilton LLP
Simmons & Simmons LLP
Skadden, Arps, Slate, Meagher & Flom LLP