Amended Data Privacy Law Goes Into Effect In Maryland On January 1, 2018

Maryland has amended its data privacy law. Stay on top of these new requirements to avoid expensive problems down the road.

Photo of Maryland's Amended Data Privacy Law
Maryland’s Amended Data Privacy Law

If holiday parties and New Year’s Eve were not enough to keep you up at night, the State of Maryland has given businesses a hangover that will last long beyond the holidays. Effective January 1, 2018, Maryland’s amended data privacy law imposes new requirements on businesses. The State says these new requirements may create a “potential[ly] meaningful” financial impact on Maryland businesses.

I am not going to detail all of the changes to the law in this post – look for them shortly.  However, below are a number of areas that businesses need to be concerned about going forward.

Important Maryland Data Privacy Provisions

  1. A “breach” no longer requires access of the personal information. Now, it only requires acquisition of that data, regardless of whether someone actually accessed them. This is potentially an important change, as it broadens the instances when a business must give notice.
  1. The definition of “Personal Information” has been expanded.
  1. Maryland businesses must “implement and maintain reasonable security procedures and practices.” However, when amending the law, the Maryland General Assembly refused to adopt a definition of this phrase for guidance. Thus, businesses must continue to monitor changes in both technology and the law, as courts and regulators will likely evolve their definitions over time.
  1. A business cannot delay acting when faced with a potential breach. Businesses must give notice of a breach as soon as practicable, but in no event later than 45 days after discovering the breach. Notice must now be given when the breach “creates a likelihood that personal information has been or will be misused.”
  1. The law has altered how notice of a breach may be given to an individual, in certain instances.
  1. The law applies to customers, as well as employees and former employees.
  1. Businesses that disclose personal information to unaffiliated third-party service providers must contractually require that these service providers implement and maintain reasonable security procedures and practices.

The risk of non-compliance can be expensive. So, if you want to sleep better this year, stay on top of Maryland’s amended data privacy law.  Spending a few dollars now may save you a small fortune in the future.

 

3 Quick Tips To Improve Email Security

Do not hack.General counsel, IT professionals and CEO’s frequently lose sleep worrying about data security, including email security. Worldwide, people send approximately 205 billion emails each day! The average business user sends and receives 125 emails. Today, businesses rely on email for the majority of their communications, including those transmitting sensitive information.

Email was developed when the internet was a much smaller place. At that time, its inventors never intended that email become the primary form of business communication. As such, email security was not a concern.

A brief explanation of the internet illustrates why email is so vulnerable. During transmission, an email encounters multiple points of vulnerability along the internet. Once you hit the send button, your email travels through a series of switches and routers, likely owned and operated by different entities. Hackers can read your email if only one of these points is not secure. Scary stuff!

Consider how many of your emails contain sensitive information. For example, emails with outside counsel frequently contain non-public information about publicly-traded companies. Emails in employment cases often contain personally identifiable information or personal healthcare information. Hackers relentlessly pursue this type of information.

Now that you are properly frightened, what can you do? Short of instituting a system that encrypts all of your email with outside counsel, there are three easy ways that you can better secure your email.

3  Easy Ways to Improve Email Security

  1. Do not include sensitive data in the body of an email. Instead, include it only in an attachment, encrypted with a password. Microsoft Office makes it easy to encrypt documents. You simply go to File>Info>Protect Document and select Encrypt with Password. Next, create a password and press enter. You have now encrypted your document!
    How to encrypt a Microsoft Office document with a password.
    How to encrypt a Microsoft Office document with a password.

    Be sure to then send the password to the recipient in a separate email or, preferably, by voice or text. Otherwise, including the password in the same email as the attachment defeats the purpose of encryption!

  2. Encrypt PDF’s in Adobe Acrobat before sending them by email. To do this, open the PDF and choose Tools>Protect>Encrypt>Encrypt with Password. If you then see a box asking whether you want to change the security settings on the document, click yes. Next, click the box labeled, “Require password to open the document.” Then, enter a password at the top of the encryption box.

    Improve email security of a PDF document through encryption.
    How to encrypt a PDF document with a password in Adobe Acrobat.
  3. Although not as secure as encryption, a final method for securing a document sent by email is to zip the document and require a password to open the zip file. A variety of low cost or free programs are available online to add this feature. This approach does not provide encryption, but it is more secure than sending the document without any protection.

No method provides foolproof security.  Nonetheless, a little effort goes a long way to protecting your sensitive information and helping you sleep better.

Photo courtesy of Christoph Scholz on Flickr.

Data Breaches, Part 4 – Are Your Vendors A Weak Link?

Woman entering data into old computer system as example of vendors.For the first time in weeks, you slept well last night, confident that your expensive consultant found every hole in your company’s data-security program. The board of directors was thrilled with your report on the robust, new data-security policy that you personally approved. But, did your consultant look deep enough? Did she realize that although your company encrypts emails containing personally identifiable information, one of your vendors does not encrypt their responsive emails containing the same information? Did she understand your business well enough to realize that a service provider collects and stores customers’ personally identifiable information on its servers through the app it designed for your company?

Implementing reasonable security measure to avoid civil and regulatory liability requires a careful audit of all points of vulnerability. One of those points is your vendors. As such, any data-security audit should examine your vendors’ data security protocols.

Not every company is that careful, however. We routinely read in the press about companies facing scrutiny because their vendors exposed sensitive customer information. For example, Allison Grande at Law360 recently reported that a vendor breach exposed the names, dates of birth, and social security numbers of more than 5,000 patients of a health care provider.

Regulators have taken note, though, and are going after vendors responsible for data breaches. One such enforcement action occurred in 2016, when the FTC required a dental-practice software vendor to pay $250,000 to settle FTC charges that it falsely advertised the level of encryption it provided to protect patient data.

Many companies are pushing back against vendors who refuse to improve their data-security systems. In the February 2017 edition of Financial Planning Magazine, Suleman Din, Managing editor of SourceMedia’s Investment Advisory Group, wrote a great article discussing how financial advisers can ensure that their vendors adequately protect client data. According to the article, the financial advisory firm Heron Financial Group regularly reviews its vendors’ data security practices. The article reports that Heron is unwavering and has fired vendors whose security was inadequate.

Five Key Steps to Protect Data Shared with Vendors

Although you can never be certain about your vendors’ practices, there are ways to better protect your data:

  1. Perform due diligence. How much do you really know about your vendors’ data security systems? Ask questions and verify the answers.
  2. Limit third party access. Only grant access to data that your vendors must have to service your business. When doing so, provide access solely through a secure, encrypted portal. Additionally, segment that portal from the rest of your network. Finally, limit the number of vendor employees granted access to your data.
  3. Encrypt communications. Require that your vendors encrypt all emails containing sensitive data.
  4. Verify compliance. Don’t just take their word for it. Instead, perform periodic audits of your vendors’ data-security systems.
  5. Put it in writing. Include provisions in vendor contracts to protect your data. These clauses should establish minimum data-security standards. Your contracts should also permit audits of your vendors’ data-security protocols. Importantly, these contracts should require that your vendors immediately report all data breaches.

These are just a few steps to consider. However, they will go a long way toward better protecting sensitive information shared with vendors. In future posts, I will offer useful data-security clauses for your vendor agreements.

Photo courtesy of wistechcolleges on Flickr.

Data Breaches, Part 3 – Hackers Can’t Steal What You Don’t Have

Does your company collect and keep only the information that is essential for your business? If not, your company is exposing itself to unnecessary risk in the event of a data breach. Data breaches often cause unnecessary liability because companies did not carefully consider what information they actually needed.

Many past data breaches had two consistent themes: 1) companies collected data that was unnecessary for their business; and 2) companies kept sensitive data longer than necessary.

Over-Collecting Data

In the early days of e-commerce (and perhaps even more recently), many companies collected as much customer information as possible. Why not? The marketing department was thrilled at the prospect of collecting that much demographic information about your customers. All of this data created unprecedented targeted-marketing opportunities. And, in the event you had to chase a delinquent customer, your collections department knew everything about them since they were in first grade.

Unfortunately, criminals quickly recognized this treasure trove of data. Today, nearly every business connected to the internet is the target of hackers trying to steal information.

Regulators also took note of this over-collection of data. For example, in 2012, the FTC filed a complaint against Rockyou, Inc., alleging that the company violated numerous statutes by collecting users’ email addresses and passwords and storing them in clear text. According to the FTC, Rockyou had no legitimate business need for that information. Rockyou settled the case with a lengthy consent decree, instituting a detailed compliance and monitoring program. Rockyou also agreed to pay a $250,000 fine. All of this was in addition to the legal and investigative costs to respond to the breach.

Unnecessarily Keeping Data

Liability doesn’t just arise from collecting unnecessary data. Your company also faces liability if it keeps customer data longer than necessary. In 2005, the FTC filed a complaint against BJ’s Wholesale Club, alleging that BJ’s created an unnecessary risk by storing customers’ credit card information for up to thirty days when it no longer had a business need to do so. BJ’s resolved the case with a consent order with the FTC.

Lessons Learned from Past Data Breaches

There are a number of lessons learned from data breach cases brought by the FTC:

  1. Only collect customer information that is essential for the transaction.
  2. Keep customer information for no longer than necessary for the transaction.
  3. Do not collect sensitive information, such as social security numbers, unless you have a legitimate business need for the information. If collected, encrypt this sensitive data and purge it as soon as possible after the transaction concludes.
  4. If your company uses a mobile app, ensure that the app only accesses the data and functionality that it needs.
  5. Do not keep customers’ credit card numbers or expiration dates longer than necessary. Also, encrypt this data so that only employees with a critical need can access it.
  6. Limit access to data. Employees should have access to the least amount of data necessary to do their jobs.
  7. Don’t use real customer information in training sessions or for development of new applications. Instead, use fictitious information.

Prevention is far cheaper than a regulatory complaint or a class action lawsuit. As such, your business units should seek legal department approval for the types of information that they want to collect from customers. Legal should also review and approve policies for storing and purging customer data. These two changes will go a long way toward reducing your liability in the event of a breach.

Photo courtesy of Blue Coat Photos on Flickr.

Data Breaches, Part 2 – “Reasonable Security Measures” Will Protect More Than Just Your Data

There once was a time when in-house lawyers could sleep soundly and let the computer experts stay up at night worrying about IT issues. Those days are long gone (if they ever really existed at all)!

Courts and regulators require that companies take “Reasonable Security Measures” to protect personally identifiable information and personal healthcare data. But, what exactly does that mean? How do you know if your company’s data security measures will be deemed reasonable? These are questions squarely within the legal department’s wheelhouse.

There is no one-size-fits-all solution to data security that will satisfy every court and regulator. However, several government and private organizations have published data security standards. Following these standards will go a long way toward protecting your company, both from experiencing a data breach and defending itself in the event one occurs.

Numerous statutes require that companies provide reasonable security for sensitive, personal information. These statutes include, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, HIPAA and the Federal Trade Commission Act, among others. Also, nearly every state has now enacted some form of data-privacy statute. While there are certain central concepts for data security that apply regardless of the industry and data, each of these acts may require additional steps to maintain reasonable personal data security.

The Federal Trade Commission

The Federal Trade Commission has taken the position that a data breach can constitute an unfair and deceptive trade practice. As a result, since 2002, the FTC has brought approximately 60 cases against companies alleged to have put consumers’ personal data at unreasonable risk. These cases have led to fines in excess of $1 million, as well as injunctions. In one case, LifeLock agreed to pay $100 million to consumers to settle FTC contempt charges that the company violated the terms of a 2010 federal court order that required the company to secure consumers’ personal information.

All the news coming from the FTC is not bad, however. In an effort to assist companies in protecting consumer information, the FTC has issued written guidance in two documents explaining how companies can protect consumer data and, thereby, avoid liability.

Protecting Personal Information, A Guide for Business

The first FTC guidance document is called, Protecting Personal Information, A Guide for Business. According to this document, “a sound data security plan is built on 5 key principles.”

FTC Principles for Data Security
  1. Take Stock. Know what personal information you have in your files and on your computers.
  2. Scale Down. Keep only what you need for your business.
  3. Lock It. Protect the information that you keep.
  4. Pitch It. Properly dispose of what you no longer need.
  5. Plan Ahead. Create a plan to respond to security incidents.

The guide provides further detail for each of these five principles, and I strongly encourage you to study it.

Start with Security, a Guide for Business

The second document, Start with Security, a Guide for Business, contains ten lessons learned from more than 50 FTC cases. These lessons provide concrete steps to protect sensitive data. And, the FTC discusses them in greater detail than the five FTC principles mentioned above. Thus, every chief legal officer and chief information security officer must consider them.

Ten Lessons on Data Security
  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

Other important Standards for Establishing Reasonable Security MEasures

The FTC is not the only organization that has issued standards for data security. Courts and regulators may also consider the following documents when deciding whether a company implemented reasonable security measures:

  1. NIST Cybersecurity Framework.
  2. SEC OCIE 2015 Cybersecurity Examination Initiative.
  3. California Attorney General’s 2016 Data Breach Report.
  4. National Association of Corporate Director’s Handbook on Cyber Risk Oversight.
  5. Center for Internet Security Critical Security Controls (CIS Controls).

As you can see, what constitutes “reasonable security measures” is a complicated question, with no single answer. Moreover, the answer depends, to a certain extent, on the type of data involved. Nonetheless, companies today cannot avoid seeking the answer to this question. The financial and reputation risks are too high to do otherwise.

Chief legal officers also no longer have the luxury of claiming that they are not “tech-savvy” and deferring to the information technology department. The issues extend beyond technical concepts into questions that merge the technical with the legal. As such, chief legal officers must immerse themselves in this topic to protect both their companies and their careers.

Photo courtesy of Blue Coats Photo on Flickr.