Blog Posts

Amended Data Privacy Law Goes Into Effect In Maryland On January 1, 2018

Maryland has amended its data privacy law. Stay on top of these new requirements to avoid expensive problems down the road.

Photo of Maryland's Amended Data Privacy Law
Maryland’s Amended Data Privacy Law

If holiday parties and New Year’s Eve were not enough to keep you up at night, the State of Maryland has given businesses a hangover that will last long beyond the holidays. Effective January 1, 2018, Maryland’s amended data privacy law imposes new requirements on businesses. The State says these new requirements may create a “potential[ly] meaningful” financial impact on Maryland businesses.

I am not going to detail all of the changes to the law in this post – look for them shortly.  However, below are a number of areas that businesses need to be concerned about going forward.

Important Maryland Data Privacy Provisions

  1. A “breach” no longer requires access of the personal information. Now, it only requires acquisition of that data, regardless of whether someone actually accessed them. This is potentially an important change, as it broadens the instances when a business must give notice.
  1. The definition of “Personal Information” has been expanded.
  1. Maryland businesses must “implement and maintain reasonable security procedures and practices.” However, when amending the law, the Maryland General Assembly refused to adopt a definition of this phrase for guidance. Thus, businesses must continue to monitor changes in both technology and the law, as courts and regulators will likely evolve their definitions over time.
  1. A business cannot delay acting when faced with a potential breach. Businesses must give notice of a breach as soon as practicable, but in no event later than 45 days after discovering the breach. Notice must now be given when the breach “creates a likelihood that personal information has been or will be misused.”
  1. The law has altered how notice of a breach may be given to an individual, in certain instances.
  1. The law applies to customers, as well as employees and former employees.
  1. Businesses that disclose personal information to unaffiliated third-party service providers must contractually require that these service providers implement and maintain reasonable security procedures and practices.

The risk of non-compliance can be expensive. So, if you want to sleep better this year, stay on top of Maryland’s amended data privacy law.  Spending a few dollars now may save you a small fortune in the future.

 

3 Quick Tips To Improve Email Security

Do not hack.General counsel, IT professionals and CEO’s frequently lose sleep worrying about data security, including email security. Worldwide, people send approximately 205 billion emails each day! The average business user sends and receives 125 emails. Today, businesses rely on email for the majority of their communications, including those transmitting sensitive information.

Email was developed when the internet was a much smaller place. At that time, its inventors never intended that email become the primary form of business communication. As such, email security was not a concern.

A brief explanation of the internet illustrates why email is so vulnerable. During transmission, an email encounters multiple points of vulnerability along the internet. Once you hit the send button, your email travels through a series of switches and routers, likely owned and operated by different entities. Hackers can read your email if only one of these points is not secure. Scary stuff!

Consider how many of your emails contain sensitive information. For example, emails with outside counsel frequently contain non-public information about publicly-traded companies. Emails in employment cases often contain personally identifiable information or personal healthcare information. Hackers relentlessly pursue this type of information.

Now that you are properly frightened, what can you do? Short of instituting a system that encrypts all of your email with outside counsel, there are three easy ways that you can better secure your email.

3  Easy Ways to Improve Email Security

  1. Do not include sensitive data in the body of an email. Instead, include it only in an attachment, encrypted with a password. Microsoft Office makes it easy to encrypt documents. You simply go to File>Info>Protect Document and select Encrypt with Password. Next, create a password and press enter. You have now encrypted your document!
    How to encrypt a Microsoft Office document with a password.
    How to encrypt a Microsoft Office document with a password.

    Be sure to then send the password to the recipient in a separate email or, preferably, by voice or text. Otherwise, including the password in the same email as the attachment defeats the purpose of encryption!

  2. Encrypt PDF’s in Adobe Acrobat before sending them by email. To do this, open the PDF and choose Tools>Protect>Encrypt>Encrypt with Password. If you then see a box asking whether you want to change the security settings on the document, click yes. Next, click the box labeled, “Require password to open the document.” Then, enter a password at the top of the encryption box.

    Improve email security of a PDF document through encryption.
    How to encrypt a PDF document with a password in Adobe Acrobat.
  3. Although not as secure as encryption, a final method for securing a document sent by email is to zip the document and require a password to open the zip file. A variety of low cost or free programs are available online to add this feature. This approach does not provide encryption, but it is more secure than sending the document without any protection.

No method provides foolproof security.  Nonetheless, a little effort goes a long way to protecting your sensitive information and helping you sleep better.

Photo courtesy of Christoph Scholz on Flickr.

You Were Just Appointed General Counsel – Now What?

Ben W. Heineman, Jr., former Senior Vice President and General Counsel of General Electric Company
Ben W. Heineman, Jr., former Senior Vice President and Chief Legal Officer of General Electric Company

You worked for years to reach this goal – your first general counsel position. There were countless sleepless nights as you planned how to get here. Now that you have arrived, you still can’t sleep. In fact, your insomnia has grown worse as you grope around, uncertain of your role in the company. You are not alone!

The general counsel’s job has become extraordinarily complex. On the one hand, GC’s are charged with ensuring that their companies stay within the boundaries of the law. On the other hand, corporations are in business to make money. If a general counsel raises too many objections and consistently says no, his company’s business may suffer. Not to mention, the c-suite will no longer look to the general counsel as a trusted adviser and partner.

The stakes are high for businesses that focus on profits over sound risk management. For example, in the days following the Deepwater Horizon oil spill, BP gas station owners reported a 10 to 40 percent drop in salesShareholder value also plummeted 55% within two months of the spill. In total, the spill cost BP $61.6 million.

Ben Heineman, General Electric’s GC from 1987 to 2005, has carefully considered this conundrum in his book, “The Inside Counsel Revolution: Resolving the Partner-Guardian Tension.” According to Ben, general counsel must embody four principles to succeed in the job.

Four Principles for an Effective General Counsel
  1. Corporate mission. The corporate mission must fuse high performance with high integrity and sound risk management.
  2. Lawyer-statesman. The general counsel must serve as an advocate, not just for what is legal but also for what is right.
  3. Partner-guardian. The general counsel serves as a partner to the CEO, as well as the protector of the corporation. This is, perhaps, the most difficult role to balance and requires independence and courage on the part of the general counsel. It also requires alliances with key corporate leaders, and a close relationship with the board and CEO.
  4. Culture of Integrity. Finally, a GC must foster a culture of integrity.

Ben notes that, for a general counsel to succeed, the CEO must share the same vision of the GC’s role. Otherwise, conflict is inevitable, and the general counsel must be prepared to leave.

David Lat, managing editor of Above the Law, has also offered sound advice to new GC’s. His article, “10 Tips For A New General Counsel,” is a must-read for any general counsel, new or experienced, offering real insight into the role.

Congratulations on becoming general counsel. Now, download Ben’s book, read David’s article, and sleep well tonight.

Photo courtesy of Widener University Delaware Law School on Flickr.

Data Breaches, Part 4 – Are Your Vendors A Weak Link?

Woman entering data into old computer system as example of vendors.For the first time in weeks, you slept well last night, confident that your expensive consultant found every hole in your company’s data-security program. The board of directors was thrilled with your report on the robust, new data-security policy that you personally approved. But, did your consultant look deep enough? Did she realize that although your company encrypts emails containing personally identifiable information, one of your vendors does not encrypt their responsive emails containing the same information? Did she understand your business well enough to realize that a service provider collects and stores customers’ personally identifiable information on its servers through the app it designed for your company?

Implementing reasonable security measure to avoid civil and regulatory liability requires a careful audit of all points of vulnerability. One of those points is your vendors. As such, any data-security audit should examine your vendors’ data security protocols.

Not every company is that careful, however. We routinely read in the press about companies facing scrutiny because their vendors exposed sensitive customer information. For example, Allison Grande at Law360 recently reported that a vendor breach exposed the names, dates of birth, and social security numbers of more than 5,000 patients of a health care provider.

Regulators have taken note, though, and are going after vendors responsible for data breaches. One such enforcement action occurred in 2016, when the FTC required a dental-practice software vendor to pay $250,000 to settle FTC charges that it falsely advertised the level of encryption it provided to protect patient data.

Many companies are pushing back against vendors who refuse to improve their data-security systems. In the February 2017 edition of Financial Planning Magazine, Suleman Din, Managing editor of SourceMedia’s Investment Advisory Group, wrote a great article discussing how financial advisers can ensure that their vendors adequately protect client data. According to the article, the financial advisory firm Heron Financial Group regularly reviews its vendors’ data security practices. The article reports that Heron is unwavering and has fired vendors whose security was inadequate.

Five Key Steps to Protect Data Shared with Vendors

Although you can never be certain about your vendors’ practices, there are ways to better protect your data:

  1. Perform due diligence. How much do you really know about your vendors’ data security systems? Ask questions and verify the answers.
  2. Limit third party access. Only grant access to data that your vendors must have to service your business. When doing so, provide access solely through a secure, encrypted portal. Additionally, segment that portal from the rest of your network. Finally, limit the number of vendor employees granted access to your data.
  3. Encrypt communications. Require that your vendors encrypt all emails containing sensitive data.
  4. Verify compliance. Don’t just take their word for it. Instead, perform periodic audits of your vendors’ data-security systems.
  5. Put it in writing. Include provisions in vendor contracts to protect your data. These clauses should establish minimum data-security standards. Your contracts should also permit audits of your vendors’ data-security protocols. Importantly, these contracts should require that your vendors immediately report all data breaches.

These are just a few steps to consider. However, they will go a long way toward better protecting sensitive information shared with vendors. In future posts, I will offer useful data-security clauses for your vendor agreements.

Photo courtesy of wistechcolleges on Flickr.

Data Breaches, Part 3 – Hackers Can’t Steal What You Don’t Have

Does your company collect and keep only the information that is essential for your business? If not, your company is exposing itself to unnecessary risk in the event of a data breach. Data breaches often cause unnecessary liability because companies did not carefully consider what information they actually needed.

Many past data breaches had two consistent themes: 1) companies collected data that was unnecessary for their business; and 2) companies kept sensitive data longer than necessary.

Over-Collecting Data

In the early days of e-commerce (and perhaps even more recently), many companies collected as much customer information as possible. Why not? The marketing department was thrilled at the prospect of collecting that much demographic information about your customers. All of this data created unprecedented targeted-marketing opportunities. And, in the event you had to chase a delinquent customer, your collections department knew everything about them since they were in first grade.

Unfortunately, criminals quickly recognized this treasure trove of data. Today, nearly every business connected to the internet is the target of hackers trying to steal information.

Regulators also took note of this over-collection of data. For example, in 2012, the FTC filed a complaint against Rockyou, Inc., alleging that the company violated numerous statutes by collecting users’ email addresses and passwords and storing them in clear text. According to the FTC, Rockyou had no legitimate business need for that information. Rockyou settled the case with a lengthy consent decree, instituting a detailed compliance and monitoring program. Rockyou also agreed to pay a $250,000 fine. All of this was in addition to the legal and investigative costs to respond to the breach.

Unnecessarily Keeping Data

Liability doesn’t just arise from collecting unnecessary data. Your company also faces liability if it keeps customer data longer than necessary. In 2005, the FTC filed a complaint against BJ’s Wholesale Club, alleging that BJ’s created an unnecessary risk by storing customers’ credit card information for up to thirty days when it no longer had a business need to do so. BJ’s resolved the case with a consent order with the FTC.

Lessons Learned from Past Data Breaches

There are a number of lessons learned from data breach cases brought by the FTC:

  1. Only collect customer information that is essential for the transaction.
  2. Keep customer information for no longer than necessary for the transaction.
  3. Do not collect sensitive information, such as social security numbers, unless you have a legitimate business need for the information. If collected, encrypt this sensitive data and purge it as soon as possible after the transaction concludes.
  4. If your company uses a mobile app, ensure that the app only accesses the data and functionality that it needs.
  5. Do not keep customers’ credit card numbers or expiration dates longer than necessary. Also, encrypt this data so that only employees with a critical need can access it.
  6. Limit access to data. Employees should have access to the least amount of data necessary to do their jobs.
  7. Don’t use real customer information in training sessions or for development of new applications. Instead, use fictitious information.

Prevention is far cheaper than a regulatory complaint or a class action lawsuit. As such, your business units should seek legal department approval for the types of information that they want to collect from customers. Legal should also review and approve policies for storing and purging customer data. These two changes will go a long way toward reducing your liability in the event of a breach.

Photo courtesy of Blue Coat Photos on Flickr.