There is no question that the amount of information created in the information age is overwhelming. From banking transactions to Fitbits, we are all generating incredible amounts of information every single day whether we realize it or not. As should no longer be surprising, this data—this information about us as individuals--is vulnerable. Consequently, issues of data security and privacy have moved to the mainstream in a quick and powerful way. And that’s before we even whisper the name “Snowden.”
Taking note of the sheer number of vulnerabilities, governmental bodies, from all 3 branches of government, as well as state and federal authorities have gotten involved. Primarily, the Federal Communications Commission and the Federal Trade Commission have each made loud and important contributions on the subject. In addition, the differences between how Americans and Europeans treat data is not only different, but particularly for businesses that work internationally, knowledge of how information is secured and managed is essential in avoiding the long arm of the law.
However, before beginning to contemplate international standards and actions, it’s important for clients—and their lawyers—to do a careful risk assessment. That is, do you—and your clients—know what data is actually being stored on client systems (or in client cloud files)? What kinds of information are being held? Credit card numbers? Medical records? Financial information? Other personal information? It’s hard to know how to manage (read: protect) such information when you’re not sure what’s there, let alone where it is, in the first place.
Before taking an even deeper dive into this murky swamp, there’s one other critical factor to consider. Certain industries/professions/entities have additional regulatory requirements (some might call them burdens) that must be met based on the nature of the work that they do. Examples that come to mind include healthcare, where the Food and Drug Administration (FDA), among other government agencies, has defined--and is very happy to enforce--very definite obligations, and financial services where, among others, the Commodity Futures Trading Commission (CFTC) is more than willing to flex its muscles. Then there are the states, which have mostly (47 have signed on in one way or another) created their own set of rules and procedures regarding the information security, with particular attention to those parties that need to be notified in the event of a security breach. For a complete list go here.
With the passing of the 2013-14 Executive Budget, responsibilities shifted from the New York Office of Cyber Security to the Office of Information Technology Services. In addition changes were made to the N.Y. Gen. Bus Law § 899-aa and N.Y. State Tech. Law 208. The changes to the General Business Law require that “persons or businesses conducting business in New York must disclose any breaches of computerized data which includes private information by notifying the offices of the New York Attorney General; the NYS Division of State Police; and the Department of State's Division of Consumer Protection.” The changes to State Tech. Law 208 require that entities that are subject to the reach of state law that “experience breaches of computerized data which includes private information must file notices of with the New York Attorney General; Department of State's Division of Consumer Protection; and the Office of Information Technology Services' Enterprise Information Security Office.”
Quick review
Will of the WISP
A WISP is a written information security program/plan. If your firm and your clients don’t have one, they should. In some states, they’re required, but in all states, they’re certainly advisable. A WISP is an essential tool not only in the actual protection and management of data. More importantly, it is an essential tool in the defense of claims related to data breaches. A well-constructed WISP will address not only what’s done “in-house,” but also how data that’s been shared beyond the home location (with vendors, employees and other outsiders) is protected. An effective WISP should be a carefully crafted document that is both industry-specific and clearly oriented toward the entity that it’s seeking to protect. As always, writing it is only part of the challenge. Adopting it, modifying it, and relying upon it is the other. An effective WISP is a living, breathing document.
In the interest of space, I won’t be able to fully address the international issues associated with data protection. For now, suffice it to say that the October 2015 decision of Schrems v. Data Protection Commissioner (Case C-362/14) made it clear that the mechanism historically used by U.S. businesses to comply with existing safe harbor protections is now insufficient to meet EU standards. Stay tuned for next month’s comment when I’ll have space and additional experience to really dig into this issue.