There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-2020/
5. Disclaimer
The material in this webinar is for informational purposes only. It should not be considered
legal, financial or other professional advice. You should consult with an attorney or other
appropriate professional to determine what may be best for your individual needs. While
Financial Poise™ takes reasonable steps to ensure that information it publishes is accurate,
Financial Poise™ makes no guaranty in this regard.
5
7. About This Webinar – Introduction to US Privacy
and Data Security: Regulations and Requirements
There is no federal law governing privacy and data security applicable to all US citizens.
Rather, individual states and regulatory agencies have created a patchwork of protections
that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and
regulations which may impact your business, from the state law protecting personal
information to regulations covering the financial services industry to state breach notification
laws.
7
8. About This Series – Cybersecurity and Data Privacy
Data security, data privacy, and cybersecurity are critical issues for your company to consider
in today’s business landscape. Data breaches from high profile companies, including law
firms, generate worldwide headlines and can severely damage your business’s reputation. In
certain industries, a patchwork of state and federal laws and regulations may cover your
business, leading to compliance headaches. This series explores the various laws and
regulations which govern businesses both in the US and abroad, as well as how to implement
and enforce an information security policy to protect your company and limit any damage from
a data breach.
Each Financial Poise Webinar is delivered in Plain English, understandable to investors, business owners, and
executives without much background in these areas, yet is of primary value to attorneys, accountants, and other
seasoned professionals. Each episode brings you into engaging, sometimes humorous, conversations designed to
entertain as it teaches. Each episode in the series is designed to be viewed independently of the other episodes so that
participants will enhance their knowledge of this area whether they attend one, some, or all episodes.
8
9. Episodes in this Series
#1: Introduction to US Privacy and Data Security: Regulations and Requirements
Premiere date: 9/24/20
#2: Introduction to EU General Data Protection Regulation: Planning,
Implementation, and Compliance
Premiere date: 10/22/20
#3: How to Build and Implement your Company's Information Security Program
Premiere date: 11/19/20
#4: Data Breach Response: Before and After the Breach
Premiere date: 12/17/20
9
11. What is Data Security?
• Confidentiality, availability, and integrity of data
• All the practices and processes used to protect data from being used or accessed by
unauthorized individuals
• How a company safeguards the data it collects and uses from threats
11
12. What is Data Privacy?
• The appropriate use of data, including the use of data according to agreed purposes
• How a company uses the data that it has collected
12
13. What is Personal Information?
• “personally identifiable information” sometimes called “PII”
Can be linked to a specific individual
Name, email, full postal address, birth date, SSN, driver’s license number,
account numbers
• “non-personally identifiable information”
Cannot by itself be used to identify a specific individual
Aggregate data, zip code, area code, city, state, gender, age
13
14. What is Personal Information?
• Gray area – “anonymized” data
Non-PII that, when linked with other data, can effectively identify a person
Geolocation data
Site history and viewing patterns from IP address
Note: recent rollback of privacy regulation with the FCC?
14
15. Why Do We Need to Protect It?
• Data is a corporate asset
• Corporate data is at a higher risk of theft or misuse than ever before
• Consumers now expect companies to take initiative to protect both security and privacy
15
16. What Must Companies Do to Protect It?
• Compliance with state, local, federal laws and regulations
Patchwork of laws developed by sector
Contrast to Europe, which has a centralized, uniform law
Makes it difficult to comply when multiple, possibly inconsistent laws apply
• Contracts with third parties
16
17. What Must Companies Do to Protect It?
• Privacy policies for website users
Don’t need one if: website is static, is purely B2B, and collects no PII from
consumers
Should cover:
o Actual practices for PII and information that reasonably could be
associated with a person or device, regarding collection, storage, use, and
sharing of info
Be aware of: financial information, medical information, children’s information
• Privacy audits:
Run them periodically to review and assess policies and practice for data
17
18. What Must Companies Do to Protect It?
• Your company may have more PII than you are aware of
For example, if your company gives out commercial loans, it must comply with
GLB
BUT: if you also take guarantees, then you have personal information such as
account information, possibly life insurance information, mortgage information,
etc. that must be secured
Have to think more creatively about what types of information you might be
collecting
o Credit card payments – have to secure that information
18
19. California Consumer Privacy Act
• Effective January 1, 2020, companies will have to observe restrictions on data
monetization business models, accommodate rights to access, deletion, and porting of
personal data, and update privacy policies
• “Consumers” (defined as natural persons who are California residents) have the right to
know what personal information a business has collected about them and what it is used for,
the right to opt out of allowing a business to sell their personal information to third parties, the
right to have a business delete personal information, and the right to receive equal servicing
and pricing from a business even if they exercise their privacy rights under the Act.
19
20. California Consumer Privacy Act
• “personal information” is “any information that…relates to…a particular consumer or
household”
Information about a household may include information like utility bills or
pricing
• Companies must comply if they receive personal data from California residents and they
or their parent company or a subsidiary exceed (a) annual gross revenues of $25 million, (b)
obtains personal information of 50,000 or more California residents, households or devices
annually, or (c) 50 percent or more annual revenue from selling California residents’ personal
information.
20
21. California Consumer Privacy Act
• The Act provides a private right of action that allows consumers to seek, either
individually or as a class, statutory or actual damages and injunctive relief, if their sensitive
personal information is subject to unauthorized access and exfiltration, theft or disclosure as a
result of a business’s failure to implement and maintain reasonable security measures
Statutory damages can be between $100 and $750 per California resident per
incident, or actual damages, whichever is greater
21
22. New York Stop Hacks and Improve Electronic Data
Security (“SHIELD”) Act
• Expands NY breach notification law and imposes data security program requirements on
businesses that possess the private information of New York State residents
• Applies regardless of whether the businesses have any physical presence in New York
State
• Program requirements include administrative, technical, and physical safeguards for
detecting and responding to intrusions and maintaining security of information
• Businesses subject to and in compliance with Gramm-Leach-Bliley, HIPAA, or the NY
Dept. of Financial Services Cybersecurity Requirements are exempted from this requirement
under the SHIELD Act
• Limited reprieve for “small businesses” with fewer than fifty employees, less than $3
million in gross revenues in the last three fiscal years, or less than $5 million in year-end total
assets
• Expands the definition of “private information” subject to NY data breach notification law
• NY Attorney General can pursue civil penalties, but there is no private right of action
22
23. Massachusetts Standards – 201 C.M.R. 17
• 2010 law – most protective privacy law in the US at that time
• Requires every business that licenses or owns personal information of Massachusetts
residents to comply with the minimum security standards set forth in the regulation
• Considered the gold standard
• Require, when technically feasible, the encryption of personal information stored on
portable devices and personal information transmitted across public networks or wirelessly
23
24. Massachusetts Standards – 201 C.M.R. 17
• Requires any natural person or entity that owns or licenses information of a Mass.
Resident to implement a written information security program (“WISP”) with appropriate
administrative, technical, and physical safeguards
Standards must be consistent with those set forth in state and federal
regulations to which a business is subject, including data breach notification
laws, HIPAA, and the Gramm-Leach-Bliley Act
24
25. Massachusetts Standards – 201 C.M.R. 17
• “personal information” – “a Massachusetts resident’s first name and last name or first
initial and last name in combination with any one or more of the following data elements
that relate to such resident: (a) Social Security number; (b) driver’s license number or
state-issued identification card number; or (c) financial account number, or credit or debit
card number, with or without any required security code, access code, personal
identification number or password, that would permit access to a resident’s financial
account.”
25
26. GDPR and the Shrems II Decision
• New decision from the Court of Justice of the European Union
• Invalidated the US-EU Privacy Shield
• Closes off key mechanisms for transferring personal data from the EU to the US
• Shrems I invalidated European Commission adequacy decisions with respect to EU-U.S.
Safe Harbor
• CJEU was concerned with US government access to personal data for national security
purposes and the rights of EU citizens in the US to judicial review and redress
• CJEU found the U.S. was not according EU personal data the protection and rights of
redress available in the EU
• International data flows can continue to be based on EU Standard Contractual Clauses if
properly monitored
26
27. Gramm-Leach-Bliley
• Overseen by the FTC
Requires financial institutions (companies that offer consumers financial
products or services like loans, financial or investment advice, or insurance) –
to explain their information-sharing practices to their customers and to
safeguard sensitive data.
• The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide notice of
their privacy policies and practices to their customers, and prohibits financial institutions from
disclosing non-public personal information about a consumer to non-affiliated third parties,
unless the institutions provide certain information to the consumer and the consumer has not
elected to opt out.
27
28. Gramm-Leach-Bliley
• The GLBA also requires financial institutions to protect the security and confidentiality of
their customers’ non-public personal information.
• Regulators (e.g., the Securities and Exchange Commission, the Office of the Comptroller
of the Currency, the Federal Reserve and the Commodity Futures Trading Commission) have
promulgated rules under the GLBA.
28
29. HIPAA
• The Health Insurance Portability and Accountability Act (HIPAA) regulates medical
information.
• HIPAA Privacy Rule:
Requires appropriate safeguards to protect the privacy of “protected health
information” (PHI).
Sets limits and conditions on the uses and disclosures that may be made of
such information without patient authorization.
• Gives patients rights over their health information, including rights to examine and obtain
a copy of their health records, and to request corrections.
29
30. HIPAA
• HIPAA Security Rule requires appropriate administrative, physical and technical
safeguards to ensure the confidentiality, integrity, and security of “electronic protected health
information” (ePHI).
• Privacy Rule and Security Rule are primarily enforced by the U.S. Department of Health
& Human Services Office for Civil Rights.
30
31. COPPA
• Children’s Online Privacy Protection Act (administered by the FTC)
Requires parental consent for the collection or use of any personal data for a
child under 13 years old
Requires posting of a privacy policy on the website
Site operators must permit parental review of any data stored on their child
Parents are permitted to delete, but not otherwise alter, their child’s data
31
32. FTC Act
• Section 5(a) of the FTC Act prohibits “unfair methods of competition in or affecting
commerce, and unfair or deceptive acts or practices in or affecting commerce.”
• Under Section 5(n) of FTC Act, the Federal Trade Commission (FTC) may prohibit an
act or practice on the grounds that it is “unfair,” if it causes (or is likely to cause) substantial
injury to consumers that is:
Not reasonably avoidable by consumers themselves and
Not outweighed by countervailing benefits to consumers or to competition.
32
33. FTC Act
• “unfair” if: a practice causes or is likely to cause substantial injury to consumers, cannot
be reasonably avoided by consumers, and it is not outweighed by countervailing benefits to
consumers or to competition
• “deceptive” if: practice misleads, or is likely to mislead, consumers, consumers’
interpretation of it is reasonable under circumstances, and it is material
Examples of deceptive: violating published privacy policies, downloading
spyware or adware onto unsuspecting users’ computers, failing to verify
identity of persons to whom confidential consumer information was disclosed
Examples of unfair: failing to implement reasonable safeguards to protect
privacy of consumer information
33
34. FTC Act
• FTC is the main federal regulator in charge of policing privacy and cybersecurity
practices among U.S. companies generally.
• FTC pursues cases against companies for “unfair” or “deceptive” practices, where the
company allegedly had inadequate cybersecurity practices, or overstated how comprehensive
their privacy and cybersecurity practices were.
• Consent decrees and settlements often result in monetary damages, and requirements
that companies establish rigorous privacy and data security practices (which would be
overseen by the FTC).
34
35. CAN-SPAM Act
• The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-
SPAM Act) regulates emails that companies send for primarily commercial purposes (e.g.,
advertisements).
• Bans false or misleading header information and prohibits deceptive subject lines.
• Requires that unsolicited commercial email be identified as advertising and allow
recipients to opt out of receiving future emails.
• FTC enforces the CAN-SPAM Act.
35
36. The Telephone Consumer Protection Act (TCPA)
• Restricts the making of telemarketing calls and the use of automatic telephone dialing
systems and artificial or pre-recorded voice messages.
• TCPA creates a private right of action for consumers, and has been a source of
significant class action activity.
• Federal Communications Commission (FCC) and state attorneys general enforce the
TCPA.
36
37. The Fair Credit Reporting Act (As Amended by the Fair
and Accurate Credit Transactions Act) Applies to:
• Consumer reporting agencies (e.g., Equifax, Experian and TransUnion);
• Companies that use consumer reports (e.g., lenders); and
• Companies that provide consumer reporting information (e.g., credit card companies).
37
38. State Level Data Breach Laws
• All 50 states, the District of Columbia, and some U.S. territories have their own data
breach notification laws
• These laws generally require notification of affected individuals and regulators when a
company suffers a breach of the security of an individual’s personally identifiable information
(PII).
• If a company suffers a data breach involving the PII of customers or employees who are
resident in multiple states, it will need to comply with each applicable state’s laws.
38
39. What is a Data Breach? (That May Trigger State
Notification Laws)
• Unauthorized acquisition of PII that compromises the security, confidentiality or integrity
of PII…
That results or could result in identity theft or fraud (OH)
Unless PII is not used or subject to further unauthorized disclosure (NE)
Unless no misuse of PII has occurred or is not reasonably likely to occur (NJ)
Unless no reasonable likelihood of harm to consumer whose PII was acquired
has resulted or will result (CT)
That has caused or is likely to cause loss or injury to resident (MI)
That causes or is reasonably likely to cause substantial economic loss to the
individual (AZ)
Unless no reasonable likelihood of financial harm to consumer whose PII was
acquired has resulted or will result (IA)
39
40. Why We Should be Careful with the Word “Breach”
• Using “breach” to describe a data-privacy related incident assumes the incident meets
the definition of a security breach which triggers various notification requirements
• An “incident” does not always rise to the level of “breach” (i.e., encryption safe harbor)
• “Incident” is better received by the public than “breach”
40
41. Breach Notification Laws
• State laws differ with respect to:
Deadline for notifying (14, 30, 45 days; reasonable time)
Notification to Attorney General
Notification to other State agencies
Including Attorney General contact information
Substitute notice (email, website, media)
Specific facts of incident and type of PII compromised
Maintaining records of incident (for 3-5 years)
Countries also differ with notice requirements
41
43. About The Faculty
Kathryn Nadro - knadro@sfgh.com
Kathryn (“Katie”) Nadro advises clients on a diverse array of business matters, including commercial and
business disputes, employment issues, and data security and privacy compliance. Katie works with
individuals and businesses of all sizes to craft successful resolutions tailored to each individual matter.
Katie has broad experience representing companies and individuals in contract, non-compete,
discrimination, harassment, fiduciary duty, and trade secret litigation in state and federal court. With a
background as both in-house and outside counsel, Katie understands that business objectives, time, and
resources play an important role in reaching a favorable outcome for each client. Katie assists clients in
navigating employment issues ranging from employee handbooks and FMLA policies to litigating
discrimination and harassment claims, all while ensuring business needs and objectives are met. She
also counsels clients on data security and privacy issues, including policy drafting and compliance with
state, federal, and international law.
43
44. Cassandra Porter - caporter@zuora.com
Cassandra M. Porter is the Americas/APAC data privacy lead attorney for a Fortune 100 Tech company
working to transform clients’ businesses, operations and technology models for the digital era. She
counsels internal clients on privacy-related matters such as data collection practices, online advertising,
mobile commerce, along with the development and acquisition of new technology, data incidents and
management. Cassandra is a member of the inaugural class of Privacy Law Specialists, a new specialty
recognized by the American Bar Association, and a Fellow of Information Privacy by the International
Association of Privacy Professionals (IAPP). Her IAPP credentials as a Certified Information Privacy
Professional and Certified Information Privacy Manager designate her as thought leader in the field. She
is a former co-chair of the IAPP’s New Jersey Chapter and member of the Bankruptcy Lawyers Advisory
Committee for the District of New Jersey. As a member of the United States Trustee’s Consumer Privacy
Ombudsman (CPO) panel, she served as the CPO in the Golfsmith International chapter 11
cases. Previously she was counsel at Lowenstein Sandler LLP where, in addition to assisting clients with
data privacy-related issues, she also regularly represented debtors in possession and creditors in chapter
11 matters along with indigents in chapter 7 proceedings in association with the Volunteer Lawyers for
Justice. Prior to joining Lowenstein, she clerked for the Honorable Cecelia Morris, United States
Bankruptcy Judge for the Southern District of New York and was the Assistant Managing Attorney at
Kaye Scholer LLP.
44
45. About The Faculty
Kristin Garris - kgarris@wbny.com
Kristin G. Garris is a member of Warshaw Burstein, LLP's Intellectual Property practice group who has a
broad range of experience in handling matters related to trademark, copyright, Internet, and domain
name enforcement and litigation. Ms. Garris counsels clients on a wide range of intellectual property
issues, including IP ownership and protection, trademark enforcement and litigation, branding procedures
and management, copyright protection, licensing, domain names, privacy policies and website terms of
use, IP-related risk management, IP due diligence, data privacy regulations, and much more. She also
has significant experience with opposition and cancellation proceedings before the Trademark Trial and
Appeal Board of the U.S. Patent and Trademark Office. In addition, Ms. Garris is skilled in representing
clients with domain name disputes before the World Intellectual Property Organization’s Arbitration and
Mediation Center, as well as a broad range of other Internet-related disputes and trademark and
copyright enforcements in connection with social media. With twelve years of experience in intellectual
property, Ms. Garris is adept in representing clients with trademark and copyright litigation, design and
implementation of comprehensive enforcement programs, clearance and portfolio management,
registration strategies, and intellectual property due diligence in corporate transactions.
For more information, go to: https://www.financialpoise.com/webinar-faculty/kristin-garris/
45
46. About The Faculty
Michael Riela - Riela@thsh.com
Mike Riela is a partner in Tannenbaum Helpern’s Creditors’ Rights and Business Reorganization practice.
With more than 15 years of experience, Mike advises companies on complex restructuring, distressed
M&A, loan transactions and bankruptcy related litigation matters. Mike has in-depth experience in
advising clients on corporate and real estate bankruptcies, workouts, Chapter 11 and Chapter 7
bankruptcy cases, debtor-in-possession (DIP) and bankruptcy exit loan facilities, secondary market
trading of distressed debt and trade claims, Section 363 sales and bankruptcy retention and fee
agreements and disputes. His clients include banks, administrative agents, indenture trustees, hedge
funds, private equity firms, professional services firms, trade creditors, contract counterparties,
shareholders, debtors and investors. Mike has represented buyers of assets in Section 363 and out-of-
court sales from sellers such as Evergreen Solar, Inc., Sonic Telecommunications International, Ltd,
Urban Communicators PCS Limited Partnership, US Aggregate, Inc., and Vectrix Corporation, as well as
representing lenders, trustees and administrative agents in major Chapter 11 cases and workouts such
as Delta Air Lines, Inc., Extended Stay Inc., Buffets Inc., Legends Gaming LLC, Nortel Networks, Premier
International Holdings Inc., and many others.
46
47. Questions or Comments?
If you have any questions about this webinar that you did not get to ask during the live
premiere, or if you are watching this webinar On Demand, please do not hesitate to email us
at info@financialpoise.com with any questions or comments you may have. Please include
the name of the webinar in your email and we will do our best to provide a timely response.
IMPORTANT NOTE: The material in this presentation is for general educational purposes
only. It has been prepared primarily for attorneys and accountants for use in the pursuit of
their continuing legal education and continuing professional education.
47
48. About Financial Poise
48
Financial Poise™ has one mission: to provide
reliable plain English business, financial, and legal
education to individual investors, entrepreneurs,
business owners and executives.
Visit us at www.financialpoise.com
Our free weekly newsletter, Financial Poise
Weekly, updates you on new articles published
on our website and Upcoming Webinars you
may be interested in.
To join our email list, please visit:
https://www.financialpoise.com/subscribe/