EVERYONE’S NIGHTMARE
PRIVACY AND DATA BREACH RISKS
MAY 2014 EDITION

This edition is updated as of May 2014. To obtain a copy of this edition by email or to be placed on the mailing list for future editions, please email [email protected]. To learn more about our firm, or our Privacy and Data Protection Practice, please visit edwardswildman.com.

BOSTON ♦ CHICAGO ♦ HARTFORD ♦ HONG KONG ♦ ISTANBUL ♦ LONDON ♦ LOS ANGELES ♦ MIAMI ♦ MORRISTOWN
NEW YORK ♦ ORANGE COUNTY ♦ PROVIDENCE ♦ STAMFORD ♦ TOKYO ♦ WASHINGTON DC ♦ WEST PALM BEACH

This white paper is for guidance only and is not intended to be a substitute for specific legal advice. If you would like further information, please contact the Edwards Wildman Palmer LLP lawyer responsible for your matters.

This white paper is published by Edwards Wildman Palmer for the benefit of clients, friends and fellow professionals on matters of interest. The information contained herein is not to be construed as legal advice or opinion. We provide such advice or opinion only after being engaged to do so with respect to particular facts and circumstances. The firm is not authorized under the UK Financial Services and Markets Act 2000 to offer UK investment services to clients. In certain circumstances, as members of the Law Society of England and Wales, we are able to provide these investment services if they are an incidental part of the professional services we have been engaged to provide.

Please note that your contact details, which may have been used to provide this bulletin to you, will be used for communications with you only. If you would prefer to discontinue receiving information from the firm, or wish that we not contact you for any purpose other than to receive future issues of this bulletin, please contact us at [email protected].

© 2014 Edwards Wildman Palmer LLP a Delaware limited liability partnership including professional corporations and Edwards Wildman Palmer UK LLP a limited liability partnership registered in England (registered number OC333092) and authorised and regulated by the Solicitors Regulation Authority.

Disclosure required under U.S. Circular 230: Edwards Wildman Palmer LLP informs you that any tax advice contained in this communication, including any attachments, was not intended or written to be used, and cannot be used, for the purpose of avoiding federal tax related penalties, or promoting, marketing or recommending to another party any transaction or matter addressed herein.

ATTORNEY ADVERTISING: This publication may be considered “advertising material” under the rules of professional conduct governing attorneys in some states. The hiring of an attorney is an important decision that should not be based solely on advertisements. Prior results do not guarantee similar outcomes.

Edwards Wildman’s Privacy & Data Protection Group

Mark E. Schreiber, Partner, Chair, Steering Committee, Privacy and Data Protection Group, +1 617 239 0585, Boston, [email protected]
Theodore P. Augustinos, Partner, Steering Committee, Privacy and Data Protection Group, +1 860 541 7710, Hartford, [email protected]
Laurie A. Kamaiko, Partner, Steering Committee, Privacy and Data Protection Group, +1 212 912 2768, New York, [email protected]
Sarah Pearce, Partner, Steering Committee, Privacy and Data Protection Group, +44 (0) 20 7556 4503, London, [email protected]
Barry J. Bendes, Partner, +1 212 912 2911, New York, [email protected]
Michael P. Bennett, Partner, +1 312 201 2679, Chicago, [email protected]
Kenneth Choy, Partner, +852 2116 6653, Hong Kong, [email protected]
Mark Deem, Partner, +44 (0) 20 7556 4425, London, [email protected]
Ben Goodger, Partner, +44 (0) 20 7556 4188, London, [email protected]
Edwin M. Larkin, Partner, +1 212 912 2762, New York, [email protected]
Clinton J. McCord, Partner, +1 310 860 8715, Los Angeles, [email protected]
Stephen M. Prignano, Partner, +1 401 276 6670, Providence, [email protected]
Ronie M. Schmelz, Partner, +1 310 860 8708, Los Angeles, [email protected]
Lisa S. Simmons, Partner, +1 312 201 2503, Chicago, [email protected]
Thomas J. Smedinghoff, Partner, +1 312 201 2021, Chicago, [email protected]
David S. Szabo, Partner, +1 617 239 0414, Boston, [email protected]
Barry Leigh Weissman, Partner, +1 310 860 8704, Los Angeles, [email protected]
David L. Anderson, Counsel, +1 310 860 8710, Los Angeles, [email protected]
Patrick J. Concannon, Counsel, +1 617 239 0419, Boston, [email protected]
Sharon Monahan, Counsel, +1 202 939 7902, Washington, DC, [email protected]
Karen L. Booth, Associate, +1 860 541 7714, Hartford, [email protected]
Zachary N. Lerner, Associate, +1 212 912 2927, New York, [email protected]
Jonny McDonald, Associate, +44 (0) 20 7556 4620, London, [email protected]
Ari Moskowitz, Associate, +1 202 939 7934, Washington, D.C., [email protected]
Matthew Murphy, Associate, +1 401 276 6497, Providence, [email protected]
Jamie Notman, Associate, +1 617 235 5303, Boston, [email protected]
Patrick Peng, Associate, +852 3150 1936, Hong Kong, [email protected]
Erin Pfaff, Associate, + 310 860 8717, Los Angeles, [email protected]
Nicholas A. Secara, Associate, +1 212 912 2785, New York, [email protected]
Ajita Shah, Associate, +44 (0) 20 7556 4385, London, [email protected]
Kayla Tabela, Associate, +1 617 239 0734, Boston, [email protected]
Nora A. Valenza-Frost, Associate, +1 212 912 2763, New York, [email protected]

TABLE OF CONTENTS
May 2014 Edition
Everyone’s Nightmare: Privacy and Data Breach Risks

I. INTRODUCTION: THE INCREASING SCOPE OF PRIVACY AND DATA BREACH RISKS
II. THE TYPES OF INFORMATION AND PRACTICES AT RISK
  1. Personal Information in the U.S.
    a. The Expanding Definitions of Personal Information
    b. What is Protected Health Information (PHI)
  2. Personal Information in the E.U. and UK
  3. Breaches of Data Other Than Personal Information
    a. Secrets of All Sorts
    b. Cyber Spies and Hacktivism
    c. Cyber Attacks with Physical Effects or Business Disruption as Focus
  4. The Scope of What Constitutes a “Data Breach”: Not Just Electronic – Paper Too
  5. Privacy and Data Breach Concerns in Cloud Computing
    a. In the United States
    b. In the E.U. and Globally
  6. Privacy and Data Breach Concerns in Social Media
    a. Social Media as Target and Source of Data Breaches
    b. Social Media as Source of Statutory and Regulatory Violations
  7. Privacy Issues Arising Out of Behavioral Advertising and Online Tracking
    a. In the United States
      (i) The FTC Recommendations
      (ii) Industry Self-Regulation
      (iii) Do Not Track Class Actions
      (iv) Do Not Track Legislation
    b. E.U. Positions on Online Behavioral Advertising
  8. Mobile/Apps as a Growing Exposure
  9. The Importance of Privacy Policies
    a. The California Example
      (i) California’s Shine the Light Law
      (ii) California’s Online Privacy Protection Act
      (iii) California’s Social Eraser Law
  10. New Technologies Bring New Risks
III. THE U.S. REGULATORY AND STATUTORY LANDSCAPE: OBLIGATIONS UNDER DATA PRIVACY AND SECURITY LAWS AND REGULATIONS
  1. State Data Privacy and Security Requirements
    a. Restrictions on Collection of Personal Information
    b. Protection of Social Security Numbers
    c. Record Disposal Requirements
    d. Data Breach Notification Requirements