Data Privacy and Data Security: Transatlantic Challenges
Kathryn J. Marks
Kathryn.marks@alston.com
May 21, 2008
NACHA PAYMENTS 2008, Las Vegas, Nevada


Overview: Who's Tougher -- US or EU?
• Conventional wisdom: the EU imposes tougher restrictions, but:
  – U.S. security and data breach regulations, federal and state, impose tough "privacy" rules on a different basis from the EU Directive.
  – Not all financial institutions have all elements of security protection in place to meet all federal examination guidelines.
  – Sound record retention policies for the US may conflict with data destruction requirements of the EU.
  – Outsourcing of financial institution functions poses a special problem in light of differences between US and EU rules.
  – US and EU legislative proposals continue to drive systems in different directions, but data breach is a growing focus of regulation everywhere.


Big Challenges
• Do you have a legitimate basis to transfer data from one country to another?
• What do you do about conflicting laws? SOX whistle-blower vs. EU employee-management privacy rights; Canada privacy law vs. Patriot Act AML disclosures; US data retention vs. EU data destruction
• Do you have adequate security controls in place on data? The US has more stringent standards for notice in cases of breach, but a breach may be a per se violation in the EU
• Do you know who your outsourcers are and what they are doing? There is no simple way to deal with issues raised by third-party service providers


Contrasting Philosophies
EU
• Information belongs to the consumer
• Companies are responsible for ensuring the rights of consumers to control the uses of their personal information
• Companies have no rights to personal data except to carry out services on behalf of the consumer or to meet legal obligations
  – Companies never "own" personal data; it is always the individual's data
United States
• Information belongs to the business
• Personal information of consumers is part of the "goodwill" of the company and has economic value
• Security controls on data are to protect the economic owners of the data (one or more businesses), not just the individual
• Obligations to the individual are based on contractual agreement or promises made by the company to the consumer


Contrasting Initiatives and Focus
EU
• Limit sharing of passenger data on airplanes with the US government
• Prevent sharing of financial data from the SWIFT system with the US government
• Prevent sharing of customer and employee data from the EU with US entities without EU data protection authorities retaining authority to control the data
• Prevent derogatory information on targets of whistle-blowers from going to the US without rights of access and correction
US
• Ensure adequate security controls are in place to prevent breaches of financial and medical information
• Ensure firms that make affirmative statements about privacy abide by their privacy policies
• Clean language for "opt outs" from marketing
• Restrict uses of Social Security numbers (pending)
• Limit unsolicited e-mail (spam) and unsolicited faxes


U.S. Privacy and Data Security Legal Requirements
• Federal standards
  – FTC Act
  – Gramm-Leach-Bliley
  – HIPAA
  – FCRA and FACTA
• Sarbanes-Oxley
• Abide by non-U.S. laws when relevant
  – European Union Data Protection Directive, if data comes from or crosses the EU
  – Canada Personal Information Protection and Electronic Documents Act
• Common law duty of reasonable care
• State data breach disclosure laws
• State mini-FTC acts
• Privacy commitments seen as contracts with consumers


Privacy Violations: Federal Standards
• Section 5 of the FTC Act
  – Unfair or deceptive acts or practices
  – Doesn't cover regulated financial institutions, telecom carriers, and motor common carriers; may cover their back-office service providers
  – Covers payment processors with no federal functional regulator
• Old pattern: prosecute "deceptive" acts
• More recent approach: "unfairness" if practices are "unreasonable"
  – Guidance Software, Inc. Settles FTC Charges: Company Failed to Use Reasonable Security Measures to Protect Consumers' Data (Nov 2006)
  – DSW Inc. Settles FTC Charges: Agency Says Company Failed to Protect Sensitive Customer Data (March 2006)
  – CardSystems Solutions Settles FTC Charges: Tens of Millions of Consumer Credit and Debit Card Numbers Compromised (Feb 2006)


FTC CardSystems Case: Unfair practice to store information without enough protection
• "CardSystems kept information it had no reason to keep and then stored it in a way that put consumers' financial information at risk," said Deborah Platt Majoras, Chairman of the FTC. "Any company that keeps sensitive consumer information must take steps to ensure that the data is held in a secure manner."
• The FTC found that CardSystems, in processing 210 million card purchases totaling more than $15 billion, collected personal information from the magnetic stripe of the card, including the card number, expiration date, and other data, stored it on its computer network, and created unnecessary risks to the information by:
  – not assessing the vulnerability of its computer network to reasonably foreseeable attacks;
  – failing to put into place readily available defenses;
  – failing to use strong passwords and other security systems to limit unauthorized access.
• The FTC found that these practices compromised millions of credit and debit cards and led to millions of dollars in fraudulent purchases. In addition, after the fraud was discovered, banks cancelled and re-issued thousands of credit cards, and consumers experienced inconvenience, worry, and time loss dealing with the affected cards.
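The CardSystems finding turns on retention: the processor stored full magnetic-stripe data that settlement never needed, so an intrusion had something worth stealing. As an added illustration (not part of the original deck, and not CardSystems' or the FTC's code), the following Python reduces a raw ISO/IEC 7813 Track 2 swipe to the minimum a back office needs and then audits stored fields for any surviving full PAN. The Track 2 layout and the Luhn check are the public standards; the sample swipe, the tokenisation key, and the record field names are constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?' (LRC follows).
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)

# Assumed secret for tokenising PANs. A real processor would pull this from an HSM
# or secrets manager; the literal here exists only so the example runs stand-alone.
TOKEN_KEY = b"example-token-key-not-for-production"

# Constructed sample swipe: a Luhn-valid test PAN, expiry 2025-12, service code 101,
# and made-up discretionary data. Not data from any real card or from the FTC case.
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"


def luhn_valid(pan: str) -> bool:
    """Check digit per ISO/IEC 7812 (Luhn mod-10)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class SettlementRecord:
    """What the back office needs after authorisation: no track data, no full PAN."""
    pan_masked: str      # BIN (first 6) + last 4; the rest replaced by '*'
    pan_token: str       # HMAC of the PAN, so repeat cards can be linked without storing it
    expiry_yymm: str
    service_code: str


def parse_track2(track2: str) -> dict:
    """Split a Track 2 string into fields; reject malformed or Luhn-invalid input."""
    m = TRACK2_RE.match(track2)
    if m is None:
        raise ValueError("not an ISO/IEC 7813 Track 2 record")
    if not luhn_valid(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return m.groupdict()


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    # Keyed hash rather than plain SHA-256: PANs have too little entropy to survive
    # an unkeyed hash against brute force over a known BIN range.
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def minimise(track2: str) -> SettlementRecord:
    """Reduce a raw swipe to the settlement record; discretionary data is dropped."""
    f = parse_track2(track2)
    return SettlementRecord(
        pan_masked=mask_pan(f["pan"]),
        pan_token=tokenize_pan(f["pan"]),
        expiry_yymm=f["exp"],
        service_code=f["svc"],
    )


def holds_full_pan(text: str) -> bool:
    """Retention audit helper: does a stored field still contain a Luhn-valid PAN?"""
    return any(luhn_valid(run) for run in re.findall(r"\d{13,19}", text))


if __name__ == "__main__":
    rec = minimise(SAMPLE_TRACK2)
    print(rec)
    print("raw track holds PAN:", holds_full_pan(SAMPLE_TRACK2))
    print("stored record holds PAN:", holds_full_pan(rec.pan_masked))
```

The point is the shape of the output, not the parser: once the swipe has been reduced to `SettlementRecord`, the discretionary data and the full card number are gone, so the "failing to put into place readily available defenses" finding would have had far less to protect. Running `holds_full_pan` over exported tables is the cheap check that a retention policy is actually being followed.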


Data Security: Federal Standards
• Four components of information security under the GLB Act:
  – Upper management involvement in data management practices
  – Methodology to identify and assess risks of data misuse
  – Practices to manage and control identified risks of data misuse; training and audit
  – Oversight of third parties that have access to data
• Enforceable by federal and state regulators
  – Potential evidence of the appropriate standard of care in private litigation


HIPAA
• Applies to the use and disclosure of individual health information by covered entities
  – NOTE: includes self-funded health plans, which are often involved in human resources outsourcing (HRO) transactions
• Statute requires "reasonable and appropriate administrative, technical and physical safeguards" for protected health information
• HIPAA Security Rule
  – required a risk assessment/compliance before April 21, 2005
• Business Associate Agreements
  – similar to service provider agreements under GLB
  – flow-through requirement for subcontractors
  – must report "security incidents"


Gramm-Leach-Bliley
• Must implement "reasonable and appropriate administrative, technical and physical" measures to protect consumer information
• Domestic bank regulators require a global approach to maintaining the security of all consumer information
• FTC regulations also require that a financial institution oversee its service providers, domestic and foreign, by:
  – Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
  – Requiring service providers by contract to implement and maintain such safeguards


GLB Info Security Requirements: Current FFIEC Info Security Bank Examination Questionnaire
• Do you have a risk-based, written, board-approved information security program tailored to your size, complexity and operations? Has it been implemented and enforced? Updated?
• Have you identified how you store, process, transmit, and dispose of customer information? Identified threats that could result in unauthorized disclosures? Assessed the risk to you and your customers of these threats?
• Do you have access controls on systems containing customer information to prevent unauthorized access? Controls to prevent employees from providing customer information to unauthorized persons, including "pretext calling"? Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities?
• Do you encrypt electronic customer information, including while in transit or in storage on networks or systems, to prevent unauthorized access? Have dual control procedures, segregation of duties, and employee background checks to minimize the risk of internal misuse of customer information?
• Do you monitor systems and processes to detect unauthorized access to customer information?
• Do you have a plan for when the bank detects unauthorized access to customer information, including reports to regulators and law enforcement?
• Do you have measures in place to protect against destruction, loss, or damage of customer information due to fire, water, or technology failure?


Data Security: Federal Standards
• Sarbanes-Oxley Section 302 certification requirements
• Practical impacts on IS operations and on IT governance:
  – Internal reporting and information structure
  – Heightened importance of standards organization certifications (e.g., ISO)
  – Increased emphasis on first-party and third-party assessments
  – Heightened importance of management of service provider relationships
• Outsourced operations and financial reporting compliance
  – Section 404 requirements are non-delegable
  – Corporate managers retain responsibility for ensuring compliance by certain outsourced functions
  – Management maintains a responsibility to assess the controls over the outsourced operations
  – Service provider oversight and audits
  – Whether a deviation from security standards is material may be a matter of luck: how bad is a particular data breach, and could it have been prevented by a different approach to security?


Data Breach Laws: An Overview
• 42 states and the District of Columbia
• Definition of "personal information"
  – Computerized data
  – Matters whether it includes a Social Security number, driver's license number, or other particularized account number or ID; these trigger notice requirements
• Unauthorized third-party access
  – Employee access
• Encryption and other security measures
• Gramm-Leach-Bliley Act:
  – If misuse occurred or is "reasonably possible," then must provide notice as soon as possible


Data Breach Laws: What's Required
• Internal investigation
• Notice to affected persons
  – A brief description of the incident
  – A description of the type of personal information involved in the breach
  – A telephone number and calling hours whereby a customer may obtain additional information
  – Narrative advice to the individual to monitor his or her credit report
  – The contact information for the three major credit reporting agencies and instructions on how to obtain a free credit report from each
• Notice to state authorities and credit reporting agencies
• GLB Act requires notice as soon as possible to the regulator


Data Breach Laws: A Checklist
• Form an internal response team to coordinate the management of and response to the incident
• Perform an internal investigation of the incident
• Develop a public relations strategy
• Assess Nasdaq and SEC disclosure requirements
• Establish call center resources
• Notify affected persons, government authorities, and credit reporting agencies to the extent required by law


EU Data Protection Directive
• Directive issued in 1995 by the European Parliament
  – Multiple interpretations of the Directive in Member State laws
  – Inconsistent and sometimes non-existent enforcement
  – Complex and expensive compliance initiatives required
• All 27 Member States of the EU have enacted conforming data privacy and security laws.
• Data security rules:
  – Technical and organizational security measures
  – Sensitive data ("special categories of data")
  – Article 17: service provider flow-down requirements


Cross Border Transfers
• Prohibition on transfers of data outside the EEA unless "adequacy" can be demonstrated for the destination country
  – Limited number of countries deemed to provide "adequate" protection
    • Hungary (now a member of the EU)
    • Switzerland
    • Canada
    • Argentina
    • Guernsey
  – Several typical EU "call center" countries working toward "adequacy"
    • Tunisia and Mauritius: further along
    • Morocco and Senegal: not as advanced in their efforts
  – Helpful to construct data flows within the EEA, even if data is flowing to an outsourcing provider


Cross Border Transfers
• Transfers to inadequate destinations are only allowed in limited circumstances, including inter alia:
  – Data subject has given consent unambiguously to the proposed transfer
    • Explicit consent is required for "sensitive" information
  – Transfer is necessary for the performance of a contract between the data subject and the controller
  – Public interest
  – Contractual arrangement
    • EU Standard Clauses
    • DPA case-by-case approvals
  – Corporate codes of conduct: not well established


Cross Border Transfers
• U.S. laws not deemed to provide "adequate" protection
  – U.S. Safe Harbor Principles: "adequate"
    • Must register with the Department of Commerce
    • Least costly solution for many companies, with minimal enforcement in practice to date
  – Only companies subject to FTC and DoT jurisdiction can sign up
    • Regulated financial institutions can sign up for human resources data without creating a new jurisdictional nexus for the FTC
    • For customer data, consent or model contracts are the main alternatives
  – Safe Harbor membership does not cover onward transfer
    • i.e., once the data is moved from the EU to the U.S., can you move it to India or elsewhere?


Standard Clauses
• Standard Clauses adopted by the EU Commission
  – Allow data flow outside of the EU
  – Often encountered in outsourcing transactions: the customer requires the supplier to execute them between the Data Exporter (customer) and the Data Importer (the outsourcing supplier)
  – Several problematic provisions:
    • Importer agrees to submit to audit by the data exporter or an inspection body selected by the data exporter
    • Third-party beneficiary clause
    • Joint and several liability for data exporter and importer
    • Dispute resolution in courts of the Member State where the exporter is established


Standard Clauses
• Issues:
  – Variances from the standard: extent of flexibility
    • Does it have to be approved in each individual country?
  – Agreements may have to be filed
  – Cumbersome to implement, particularly for companies that need to transfer data to and from multiple countries (and possibly multiple service providers)


Binding Corporate Rules
• Guidelines for Binding Corporate Rules for International Data Transfer, issued April 14, 2005, by the Article 29 Working Party
• Would be an efficient alternative if one set of "adequate" rules can be used across a global enterprise and approved by one regulator
• Possible corporate-wide solution for complex financial services companies: GE became the first company to qualify, in December 2005, for its HR data, but has since run into questions from other EU DPAs as to whether its UK-based practices are sufficient to meet HR requirements in all other EU countries


Know Your Basis for Transfer
• Safe Harbor
• Model Contracts
• Binding Corporate Rules
• Notice and Consent
• Necessity, to carry out a contract with or on behalf of the data subject, but the DPAs interpret it narrowly
  – Should have a written contract governing such data transfers
  – A non-Model Contract may be sufficient, but isn't pre-approved by EU data protection authorities
  – Database controllers and processors taking data from the EU must register with many DPAs to handle EU data, many of whom in theory must approve non-Model Contracts . . .


EU Data Protection Directive: Data Security Requirements
• Generalized standards provide some flexibility for business
  – Exceptions include Spain
• Relationship to data transfer restrictions (tougher security required if you leave the EU)
• Legal risks
  – Local enforcement through Data Protection Authorities
  – FTC enforcement under the Safe Harbor program
  – Private rights of action
• Canada PIPEDA
  – Requirements mirror those found in the EU, though PIPEDA provides more flexibility for business
  – No express notice requirements in EU law or in Canadian law under most circumstances in response to a breach
  – Canada moving towards a breach notification law as of 2007, initiated by the Privacy Commissioner's Office


Outsourcing: Major Source of Security Risks
• Strategy needed for assessing the degree to which outsourcing raises security compliance questions under US law and privacy compliance questions under the EU Directive.
  – May be impractical to provide notice and obtain consent for all outsourcing.
  – Must ensure that all regulatory obligations adhering to data in its home jurisdiction follow the data to third countries.
  – Many financial institutions have never undertaken a comprehensive information data-flow analysis


Outsourcing Regulatory Guidance for Banks
• Outsourcing guidance for banks generally, with many privacy and security issues interwoven:
  – OCC Bulletin 2001-47, Third Party Relationships: Risk Management Principles (November 2001)
  – FFIEC Guidance on Risk Management of Outsourced Technology Services (November 2000)
  – FDIC: Effective Practices for Selecting a Service Provider; Tools to Manage Technology Providers' Performance Risk: Service Level Agreements; and Techniques for Managing Multiple Service Providers (June 2001)
  – FFIEC: The Supervision of Technology Service Providers Booklet (May 2003)
  – FFIEC IT Examination Handbook on Outsourcing Technology Services (2004)


Outsourcing Regulatory Guidance for Insurance Companies
• Outsourcing guidance for insurance companies, with many privacy and security issues interwoven:
  – NAIC Managing General Agents Model Act, Third Party Administrator Model Statute
  – NAIC Market Regulation and Consumer Affairs Committee, Third Party Vendor Working Group
    • working on recommendations for NAIC's Market Conduct Examiners Handbook
  – NAIC: Standards for Safeguarding Customer Information
    • adopted in 9 states at last count


Third Party Security Standards
• ISO 17799: security code of practice (a la ISO 9000); renumbered ISO/IEC 27002 in 2007
• BS 7799-2: certifiable specification for an information security management system built on the ISO 17799 controls; became ISO/IEC 27001 in 2005
• ISSA GAISP: Information Systems Security Association / Generally Accepted Information Security Principles
• CISSP CBK: Certified Information Systems Security Professional / Common Body of Knowledge
• ISACA COBIT: Information Systems Audit and Control Association / Control Objectives for Information and related Technology
• NIST SP 800-14: US National Institute of Standards and Technology / Generally Accepted Principles and Practices for Securing Information Technology Systems


UK: Lloyds TSB Bank
• Lloyds attempted a call center outsourcing to India
• Challenged by a union representing an individual's request to the UK Information Commissioner
• Dispute over whether the consent of customers is required in order to move the data offshore
• Transaction was stopped by the investigation
• Varying interpretations by UK practitioners of the importance of this case


India
• Currently no comprehensive privacy law
• Under active discussion in government
• Many are opposed to EU-style rules
• Many of the Tier One Indian suppliers are complying with BS 7799 / ISO 17799 (the code of practice was most recently revised in June 2005 and renumbered ISO/IEC 27002 in July 2007; the certifiable part, BS 7799-2, became ISO/IEC 27001 in 2005).


Negotiation Issues
• Who's responsible for what?
  – Customers want suppliers to be responsible for all aspects of current and continuing compliance
  – Suppliers don't want to be responsible for anything that isn't known as of the date of the contract and expressly listed
• Who pays for what?
  – What if the requirements change? Classic governance issue.
  – Should the supplier really pay for new security and privacy requirements?
  – Can costs be apportioned among similarly situated customers, particularly in a shared services environment?
• What if the customer isn't in compliance on the date of the agreement?
  – Be careful with warranty requests of suppliers; they may request a mutual warranty


Negotiation Issues
• Privacy and security issues:
  – Customer should make "interpretive decisions" (after consulting with the supplier)
  – Supplier should be required to implement privacy and security changes due to changes in laws or regulations or other "required" guidance
  – Industry practice should be considered as "required" guidance, e.g., white papers issued by NAIC
  – Consider expedited implementation and problem solving within the overall governance structure for privacy and security issues


Negotiation Issues
• What if a change in the law prohibits the outsourced activity?
  – e.g., no longer permitted to transfer the data to the offshore jurisdiction
  – What happens under the agreement?
• Governance procedures
• Transition provisions are critical
  – Does the customer pay (a) nothing; (b) wind-downs; (c) termination for convenience or some portion thereof; (d) something else?
• Are regulatory fines consequential, special or punitive damages?
  – Are they subject to the limitation of liability?
  – Is the customer indemnified for such damages?
  – If not expressly addressed, suppliers might take the position that regulatory awards are not third-party damages and therefore the customer is not protected


Negotiation Issues
• Security:
  – Suppliers want to be responsible only for written policies as of the date of the agreement
    • not all security policies are written
    • consider supplier responsibility at the same time and in the same manner as employees are notified of the policy
  – Customers should require notification of all security breaches on an expedited basis
    • required by both HIPAA and the new California statute
    • but what exactly is a "security breach"?
  – Background checks: are they required for all employees on the account?


Negotiation Issues
• Subcontractors: if they have access to personal information of any sort, they should be subject to the same privacy and security requirements
• Shared services models complicate the security and privacy analysis
• You don't want to be the test case or the example for the regulators . . .


Kathryn J. Marks
Alston & Bird LLP
Kathryn.marks@alston.com
202 756 3479
