Employee Data Protection: FTC’s Reasonable Data Security Guideposts for Employers in 2015

• Introductory overview of importance of data security, especially in light of key laws/regs/guidelines (e.g., FTC standards, HIPAA requirements—the idea is to speak in more general terms, not get lost in the minutiae of the regs).  Highlight risks of inadequate security measures (lawsuits, fines/penalties, more).  Basically, give a quick overview of why this is an important topic—for pretty much everyone.
• Note some litigation trends, such as sample cases involving enforcement of data security requirements (e.g., the LabMD case) or private lawsuits arising from data breaches (many examples).  Underscores importance of data security.
• Provide some specific regs/requirements for data security, with explanations/examples as needed.  Could be a good idea to discuss the HIPAA standard and analogize it to non-HIPAA contexts (e.g., discuss how a private plaintiff in a data breach case might argue that a “run of the mill” data breach claim could be pursued by analogizing to some of the “reasonable” standards required by HIPAA).
• Best practices to ensure compliance with regs.  In simplest terms, what are the ley considerations and the steps you should take to establish, and maintain, reasonable and appropriate safeguards for data?
• Highlight some of the risks faced in implementing and maintaining an effective data security policy.

• Overview of privacy and data security landscape
  • Why are we in this mess?
    • Explosion of data
    • Vulnerability of electronic data
    • Increasing regulation
• Why does the FTC matter?
  • FTC doesn’t directly regulate employee data, focused on consumers
  • Standard for data security regulations is generally “reasonableness”. FTC takes the position that its 50-some data security enforcement actions are establishing the “reasonableness” standard
  • Implications for employers – “reasonable” safeguards obligations relevant to employers
    • FTCA – maybe a shoulder jurisdiction
  • Perhaps brief discussion of enforcement risk
    • HIPAA – for self-insured health plans
  • Perhaps brief discussion of enforcement risk
    • States laws
  • Discussion of enforcement risk
    • International employers
    • Contractual terms
• FTC’s reasonable safeguards with discussions of examples and why these matter:

Access Controls

• Failure to properly encrypt data as needed;
• Poor username/password protocol, including the following missteps:
  • Failure to require complex passwords to access the computer system;
  • Use of common or known passwords;
  • Failure to require users to change passwords;
  • Failure to suspend users after repeated failed login attempts;
  • Allowing username and password sharing;
  • Permitting users to store passwords in unsafe cookies;
  • Failure to require user information, such as passwords to be encrypted in transit; and
  • Allowing new user credentials to be created without checking them against previously obtained legitimate credentials. 

Data Minimization

• Failure to minimize the processing of personal information (e.g., by collecting no more information than is needed to accomplish the purpose of the collection or by keeping data after it is needed). 

Training

• Failure to train employees in proper data security. 

Vendors

• Failure to require by contract that third parties protect personal information;
• Failure to manage third-party access to data; and
• Failure to verify and authenticate the identity of third-party recipients. 

Document Destruction

• Failure to securely dispose of data. 

Network Safeguards

• Failure to adequately inventory computers connected to the company’s network;
• Failure to employ adequate firewalls;
• Failure to limit computer connectivity to company’s intranet/network;
• Failure to test the security of processes;
• Failure to remedy known security vulnerabilities (e.g., by failing to apply security patches);
• Failure to protect against common attacks, such as Structured Query Language (SQL), injection attacks and Cross-Site Scripting (XSS) attacks;
• Failure to set up a system of public feedback for vulnerabilities; and
• Failure to implement procedures to detect unauthorized access.

• Facts and figures on breaches – what safeguards are most likely to prevent breaches