Employee Data Protection: FTC’s Reasonable Data Security Guideposts for Employers in 2015
The June 2014 ruling by a judge that the Federal Trade Commission (FTC) must testify about the data security standards it uses in its enforcement action against LabMD, Inc. has heightened interest in the security of employees' data. This case should be a warning to employers to take notice of their obligations to safeguard employee data. The Health Insurance Portability and Accountability Act (HIPAA) already includes a 'reasonable and appropriate' safeguards standard for protecting private health information. The challenge for employers is how to determine what 'reasonable' security requirements for their employees' data are.
In this two-hour LIVE webcast, a panel of distinguished professionals and thought leaders assembled by The Knowledge Group will help employers understand the important aspects of this case. They will provide an in-depth discussion of employee data protection with regard to the FTC's Reasonable Data Security Guideposts for Employers in 2015. Speakers will also offer best practices for establishing and implementing effective employee data security programs.
Key issues that will be covered in this course are:
- FTC's Standards for Reasonable Data Security - An Overview
- Employers' Obligations in Safeguarding Employees' Data
- Enforcement Risks & Mitigating Data Security Breaches
- Establishing an Effective Information Security Program
- Risks: Third Parties and Vendors
- Document Destruction
Stites & Harbison, PLLC
- Introductory overview of importance of data security, especially in light of key laws/regs/guidelines (e.g., FTC standards, HIPAA requirements—the idea is to speak in more general terms, not get lost in the minutiae of the regs). Highlight risks of inadequate security measures (lawsuits, fines/penalties, more). Basically, give a quick overview of why this is an important topic—for pretty much everyone.
- Note some litigation trends, such as sample cases involving enforcement of data security requirements (e.g., the LabMD case) or private lawsuits arising from data breaches (many examples). Underscores importance of data security.
- Provide some specific regs/requirements for data security, with explanations/examples as needed. Could be a good idea to discuss the HIPAA standard and analogize it to non-HIPAA contexts (e.g., discuss how a private plaintiff in a data breach case might argue that a “run of the mill” data breach claim could be pursued by analogizing to some of the “reasonable” standards required by HIPAA).
- Best practices to ensure compliance with regs. In simplest terms, what are the key considerations and the steps you should take to establish, and maintain, reasonable and appropriate safeguards for data?
- Highlight some of the risks faced in implementing and maintaining an effective data security policy.
Littler Mendelson P.C.
- Overview of privacy and data security landscape
- Why are we in this mess?
  - Explosion of data
  - Vulnerability of electronic data
  - Increasing regulation
- Why does the FTC matter?
  - FTC doesn't directly regulate employee data; it is focused on consumers
  - Standard for data security regulations is generally "reasonableness". The FTC takes the position that its 50-some data security enforcement actions are establishing the "reasonableness" standard
  - Implications for employers – "reasonable" safeguards obligations relevant to employers
- FTCA – maybe a shoulder jurisdiction
  - Perhaps brief discussion of enforcement risk
- HIPAA – for self-insured health plans
  - Perhaps brief discussion of enforcement risk
- State laws
  - Discussion of enforcement risk
- International employers
- Contractual terms
- FTC's reasonable safeguards, with discussion of examples and why these matter:
  - Failure to properly encrypt data as needed;
  - Poor username/password protocol, including the following missteps:
    - Failure to require complex passwords to access the computer system;
    - Use of common or known passwords;
    - Failure to require users to change passwords;
    - Failure to suspend users after repeated failed login attempts;
    - Allowing username and password sharing;
    - Permitting users to store passwords in unsafe cookies;
    - Failure to require user information, such as passwords, to be encrypted in transit; and
    - Allowing new user credentials to be created without checking them against previously obtained legitimate credentials.
  - Failure to minimize the processing of personal information (e.g., by collecting more information than is needed to accomplish the purpose of the collection or by keeping data after it is no longer needed).
  - Failure to train employees in proper data security.
  - Failure to require by contract that third parties protect personal information;
  - Failure to manage third-party access to data; and
  - Failure to verify and authenticate the identity of third-party recipients.
  - Failure to securely dispose of data.
  - Failure to adequately inventory computers connected to the company's network;
  - Failure to employ adequate firewalls;
  - Failure to limit computer connectivity to the company's intranet/network;
  - Failure to test the security of processes;
  - Failure to remedy known security vulnerabilities (e.g., by failing to apply security patches);
  - Failure to protect against common attacks, such as Structured Query Language (SQL) injection attacks and Cross-Site Scripting (XSS) attacks;
  - Failure to set up a system of public feedback for vulnerabilities; and
  - Failure to implement procedures to detect unauthorized access.
- Facts and figures on breaches – what safeguards are most likely to prevent breaches
Who Should Attend:
- Data Security Professionals
- Corporate Security Officer
- IT Heads
- IT Lawyers
- In-House Counsel & Employment Law Attorneys
- Privacy and Data Security Lawyers and Consultants
- Risk Analysts & Controllers
- Technology Firms and Others
Chadwick McTighe is a Member of Stites & Harbison practicing in its Business Litigation and Privacy & Data Security service groups, with an active practice in the firm’s class action and appellate practice teams. Chad practices extensively in class action litigation involving numerous substantive areas, including consumer protection/consumer fraud issues, insurance products, data breaches, financial institutions, wage and hour disputes, and utilities. His practice also encompasses a wide range of other substantive practice areas, including fiduciary duty litigation, shareholder and membership disputes, business torts (including trade secret and tortious interference litigation), and other commercial disputes.
Chad is a 2001 graduate of the University of Notre Dame and 2004 graduate of the University of Notre Dame Law School. He is an active member of the community who serves on the Board of Directors of the Kentucky Derby Festival Foundation and is regularly involved in the American Cancer Society Relay For Life.
Zoe M. Argento represents and counsels clients on all aspects of workplace privacy and information security. She has written extensively on subjects related to data rights and security, intellectual property, and internet law, and has given many presentations on these topics. She regularly provides advice to businesses of all sizes on:
- Workplace privacy and information security
- Social media and other new technologies affecting the workplace
- State data protection laws
- Security incident response
Prior to Littler, Zoe taught internet, privacy, intellectual property, and torts law at Roger Williams University School of Law. She also practiced privacy, data security, and intellectual property law at a large law firm in Boston. After graduating from law school, she clerked for Chief Judge Mary Lisi at the U.S. District Court for the District of Rhode Island.
Method of Presentation:
On-demand Webcast (CLE)
NASBA Field of Study:
Specialized Knowledge and Applications
NY Category of CLE Credit:
Areas of Professional Practice
About Stites & Harbison, PLLC
A full-service law firm representing clients across the United States and internationally, Stites & Harbison, PLLC is known as a preeminent firm managing sophisticated transactions, challenging litigation, and complex regulatory matters on a daily basis. The firm represents a broad spectrum of clients including multinational corporations, financial institutions, pharmaceutical companies, health care organizations, manufacturers, private companies, nonprofit organizations, family-owned businesses, and individuals. Tracing its origins to 1832, Stites & Harbison is one of the oldest law practices in the nation and among the largest law firms in the Southeast.
Stites & Harbison has more than 220 attorneys and a support staff of 300, with 10 offices across five states — Georgia, Indiana, Kentucky, Tennessee, and Virginia. The firm's attorneys are currently admitted to practice in 23 states and the District of Columbia.
About Littler Mendelson P.C.
Littler is the largest global employment and labor law practice, with more than 1,000 attorneys in over 60 offices worldwide. Littler represents management in all aspects of employment and labor law and serves as a single-source solution provider to the global employer community. Consistently recognized in the industry as a leading and innovative law practice, Littler has been litigating, mediating and negotiating some of the most influential employment law cases and labor contracts on record for over 70 years. Littler is the collective trade name for an international legal practice, the practicing entities of which are separate and distinct professional firms. For more information, visit www.littler.com.