This document summarizes regulations related to technology law and emerging technologies. It discusses the regulatory environment surrounding personal information, health information, financial information, and employee information at both the federal and state levels. It also provides context on the historical development of privacy laws and highlights reasons why companies should care about complying with these regulations, such as risks of fines and litigation from regulators.
6. Personal Information
• FEDERAL
– FTC Act
– COPPA
– CAN-SPAM
– TCPA
– FERPA
• STATE
– Breach Notification
– Point of Sale Collection
– State Consumer Protection
– Security Obligations
Health Information
• FEDERAL
– HIPAA
– HITECH
– Health Breach Notification Rule
– GINA
• STATE
– HIPAA-like
Financial Information
• FEDERAL
– GLB
– FCRA
– FACTA
• STATE
– GLB-like
Employee Information
• FEDERAL
– ERISA
– FMLA
– Whistleblower Protection Act
• STATE
– Contract law
Current State
8. A Bit of Historical Context…
• Not actually a new topic
– Warren and Brandeis – 1890
– Prosser – 1960
– Fair Information Practices – 1973
– Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data – 1980
– Council of Europe – 1981
– EU Data Protection Directive – 1995
– APEC Privacy Framework – 2004
9. Regulatory Environment – Disclaimer
• Data Privacy and Protection
– Health Care
– Financial
– Labor & Employment
– Trade Secrets
– Internet of Things
– BYOD
• Other Regulations
– Online contracting
– All other offline business regulations – FCC, FTC, etc.
10. Regulatory Environment
• Understand applicable obligations
– Geographic Source of Data
– What Kind of Data – Defined by States and/or Statutes
• Personally Identifiable Information (PII)
• Nonpublic Personal Information (NPI)
• Protected Health Information (PHI)
• Types of Obligations
– Privacy
– Security
11. Regulatory Environment
• Understand Applicable Obligations
– Personal Information
• Federal
– FTC
» Section 5 of the FTC Act
» Telemarketing Sales Rule
» COPPA
» CAN-SPAM
– FCC
» Telephone Consumer Protection Act
– USDOE
» FERPA
– Electronic Communications Privacy Act
12. Regulatory Environment
• New Bills
– Location Privacy Protection Act of 2014
• S.2171, Sen. Franken, March 27, 2014
– Personal Data Privacy and Security Act of 2014
• S.1897, Sen. Leahy, January 8, 2014
– Data Security Act of 2014
• S.1927, Sen. Carper, January 15, 2014
– Commercial Privacy Bill of Rights of 2014
• S.2378, Sen. Menendez, May 21, 2014
• Other Initiatives
– Do Not Track movement
– Big Data: Seizing Opportunity, Preserving Value, May 2014, Executive Office of the President
13. Regulatory Environment
• Understand Applicable Obligations
– Personal Information
• State
– Security Breach Notification Statutes
– Point of Sale Collection
– Security Obligations – MA 201 CMR 17.00, Nev. 603A.215
– State Consumer Protection Laws
– FERPA-like
– ECPA-like
– California
» CALOPPA, BPC 22575-22579
» Shine the Light, CA Civ Code 1798.83
» CALCOPPA, S.B. 568
14. Regulatory Environment
• Understand Applicable Obligations
– Health Information
• HIPAA/HITECH – OCR of HHS
– LabMD – overlapping jurisdiction with FTC
– State Attorneys General
• Health Breach Notification Rule – FTC
• GINA – EEOC
• States also have similar legislation
15. Regulatory Environment
• Understand Applicable Obligations
– Financial Information
• GLB
– Privacy Rule – FTC and CFPB
– Safeguards Rule – FTC and CFPB
– Banking Regulators
• FCRA – FTC, CFPB and State Attorneys General
• FACTA – FTC, CFPB and State Attorneys General
– Red Flags Rule
• Some states have similar legislation
16. Regulatory Environment
• Understand Applicable Obligations
– Employee Information
• ADA
• HIPAA
• State Specific Rules – social media
• Employee Handbooks
• Union Agreements/Collective Bargaining Agreements
17. Regulatory Environment
• Understand Applicable Obligations
– EU
• Directives – Personal Information and Cookie
• DPAs
• Works Councils
– Canada
• PIPEDA
• CASL
– Australia
• Privacy Amendment Act 2012
18. Regulatory Environment
• Credit Card Data
– PCI DSS v.3
– Nevada 603A.215
– Minnesota 325E.64
• Online Tracking
– Digital Advertising Alliance
– OBA and retargeting
• NIST
– Media Sanitization
– Cybersecurity Framework
• NERC
• Contractual obligations and self-imposed obligations
19. Regulatory Environment
• Security Audit
– “systematic, measurable technical assessment of how the organization's security policy is employed at a specific site” (Symantec 2003)
– “appropriate” and “reasonable”
• What is involved?
– Personal interviews
– Vulnerability scans (pen-testing)
– Examinations of operating system settings
– Analyses of network shares and other data
• Go to the experts
– Find the right vendor
– Set parameters
22. Why Do We Care
• The Regulators are Coming…
– FTC
– Attorneys General
• And they are bringing bad press, fines and Enforcement Orders
23. Why Do We Care
• Corporate Governance Issues
– SEC Investigations
– Officer Liability
– Have to Stay Informed
– NACD White Paper – Cybersecurity Boardroom Implications (2014)
– SEC Cybersecurity Roundtable Transcript, 3/28/14, available at www.sec.gov
24. Why Do We Care
• Valuation
– Reputational Value
– Corporate Deals - M&A
• High Profile Deals
– WhatsApp, Moves, Nest
• Impacting the Bottom Line
• Restricting Ability to Transfer
25. Why Do We Care
• Vendor Relationships
– Implicates both privacy and security
– Outsourcing does not mean relinquishing obligations or liability
• Must do due diligence
• Appropriate contractual provisions
• Maintain level of control and knowledge of activities
26. Why Do We Care
• Mobile App Development
– Privacy By Design
• Hosting Facilities
– Security Requirements
– Breach Notifications
• SaaS
– Data Ownership/Access/Return
– Data Usage
• Marketing
– Retargeting
– OBA
27. Why Do We Care
• Ask Questions
• Then Ask More Questions
• Which will lead to more questions
• Must understand the data flows, retention, sharing and usage
28. Why Do We Care
• Key Provisions to Consider
– Audit Rights
– Security Audit Reports – SSAE16/ISAE3402
– Disaster Recovery/Business Continuity
– Compliance with Laws
– Ownership/Usage/Destruction
– Indemnities
– Warranties
– Exclusions to Limitations of Liability
– Insurance
29. Why Do We Care
• Responsibility for breach of security is a function of who controls the data
• Liability for breach of security is a function of the contract
• Compliance with laws may be a domestic and/or foreign matter
30. Other Considerations
• IP law trailing the technology evolution of the Cloud
• Trade Secrets and the Cloud may be incompatible
– Potential third-party disclosures
– US PATRIOT Act
• Evolving licensing models
• Potential data location issues
• Legacy software and systems issues
31. Other Considerations
• Ownership of Data
• Preservation of Data
• Preservation may be easier on the cloud…or not
– Courts may not distinguish servers in the cloud
– Physical location of Data may be unknown
– Compliance with e-discovery and litigation holds
• Spoliation
• Data Integrity
– Must be free from corruption
32. Other Considerations
• Determine accountability for data preservation
– Who is liable for stolen data
– What does indemnification cover
– What happens in bankruptcy
– What notice is provided for security breach
– What happens if lose co-lo contract or lose lease
33. Other Considerations
• Intellectual Property
– Whose software
– Whose network
• Ownership
– Customizations or configurations
– Works made for hire
• Same contractual provisions come into play – now from an IP perspective
34. Other Considerations
• Service Levels
• Online contracting – Enforceability
– Notice
• Conspicuous
– Choice
• Meaningful
• Contract of Adhesion