Live Blog: "A Global Perspective on Data Security Breaches and Enforcement"
Just as I suspected in my last post, the event is starting to fill up. I'll be live blogging what happens from this point forward.
Take a look after the jump.
2:31 p.m. PT: TJ Svensson, Assistant General Counsel (Global Privacy) at Thomson Reuters, is introducing the panel.
2:33 p.m. PT: Svensson is noting that Dave Dunn of the Secret Service is also presenting on the panel, despite his name not being listed in program literature. First speaker is Pamela Jones Harbour of the FTC; she was sworn in in 2003 for a term that expires in 2009. She is a former antitrust lawyer who counseled clients on internet privacy/e-commerce/related matters. She also spent a good amount of time in the New Jersey Attorney General's Office, where she represented the state in what led to a variety of multi-million dollar settlements.
2:35 p.m. PT: After that, Lisa Sotto from the NY office of Hunton & Williams will be speaking. She has extensive experience on privacy/data security issues, and advises clients on GLB/HIPAA/other security requirements around the country. During the past 3 years, she has worked with clients on over 300 data security breaches. She has testified before Congress on privacy/data security issues and is routinely quoted in articles - more than 100 to date - about privacy-related issues.
2:37 p.m. PT: Joanne McNabb will be speaking next. McNabb is another privacy expert who is a frequent speaker at privacy conferences and seminars. She started the Office of Privacy Protection, and has a marketing background that gives her a unique understanding of personal information that could result in data breaches.
2:39 p.m. PT: Lastly, we'll hear from Dave Dunn from the Seattle Police Department - who works with forensic/electronic crimes - currently working for the Secret Service. He works primarily on organized crime and extortion-related cases.
2:40 p.m. PT: Pamela Jones Harbour has taken the stage, and is recounting an event she spoke at in France last week. "The overall message [...] was that good privacy equals good business." Good data security practices are good for the bottom line in jurisdictions where data protection laws are enforced. Data breaches can be costly, she notes.
2:41 p.m. PT: A data breach costs a business an average of $180 per customer, Harbour says. This number was reached after considering a number of factors related to the company and consumer trends. Forrester Research released a different study last year that said a data breach can cost a company between $90 and $300 per piece of data lost. "Once companies have experienced a data breach, customers report that they are more likely to sever a relationship."
2:43 p.m. PT: "The FTC has brought, just within the last couple of years, 20 enforcement actions against companies that have failed to provide reasonable protections for sensitive customer data under their control," says Harbour. Currently there is no single data security law; rather, there are a variety of these in separate states and jurisdictions.
2:45 p.m. PT: Data protection laws enforced by the FTC include the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and Section 5 of the FTC Act.
2:46 p.m. PT: "Today, I would like to focus on enforcement of Section 5 of the FTC Act - the primary statute used in our recent data security cases," Harbour says.
2:50 p.m. PT: Section 5 of the FTC Act is really the "meat and potatoes" of the FTC's law enforcement program. But in certain cases, the FTC's usual monetary remedies are inadequate. As a result, Congress has been attempting to include fines as an additional enforcement tool that would encourage companies to invest wisely in their data security processes.
2:51 p.m. PT: It is important to note that companies do not need to have perfect data security systems in place; they need only be deemed "reasonable". Reasonableness is not equal to perfection.
2:53 p.m. PT: The FTC is doing what it can to educate companies on the importance of privacy protection, through published literature and events in cities across the country. Harbour's advice to companies - know your customer; know the information you collect; and know where the information you're collecting travels.
2:55 p.m. PT: Safeguard Rule - "What is reasonable will depend on the size/complexity of the business; nature/scope of activities; and sensitivity of the information." Even for companies that are not financial institutions (and therefore not legally required to abide by the Safeguard Rule), it still provides excellent guidance.
2:56 p.m. PT: 3 bits of advice from the FTC on data protection: 1) If you make data security claims, back them up. 2) Be aware of well-known and common security threats. 3) Do not retain sensitive data unnecessarily. "Regardless of legal obligations that apply to you, protecting sensitive data is simply a good business practice," Harbour says in closing.
2:58 p.m. PT: Lisa Sotto from Hunton & Williams has taken the stage, and is asking how many people have - as consumers - received data security breach notifications. Almost every hand in the room went up.
3:00 p.m. PT: Since 2005, according to Sotto, there have been over 1000 information security breaches at companies like ChoicePoint, Bank of America, LexisNexis and other big guns. "That number is the tip of the iceberg," Sotto says.
3:05 p.m. PT: "Section 5 of the FTC Act prohibits unfair or deceptive trade practices," Sotto notes. "[Other cases] were more about unfairness, which may be a harder standard for the FTC to meet in bringing its action."
3:07 p.m. PT: Someone asks about data breaches at the university level. Sotto defers this to the next speaker.
3:08 p.m. PT: Question - "If you sell a product to a farmer who uses that product for their business, is that a loss of business data or consumer data?" FTC Commissioner Harbour comes back to the microphone and notes that it is, in fact, both.
3:10 p.m. PT: "The FTC is very serious about its data security mission," Sotto notes. "Enforcement is absolutely on the up-take: we're seeing more and more investigations, and more enforcement actions coming out of these investigations. [...] Even the very small incidents are getting the interest of state regulators."
3:11 p.m. PT: Critical question to ask when a breach occurs, according to Sotto: "Does the event trigger notification to individuals?"
3:15 p.m. PT: Sotto notes that in the case of her firm, when clients have data breaches they proactively alert the FTC to the breach (rather than letting the press frame it incorrectly).
3:22 p.m. PT: "It's better not to have a breach than have one, but if you do have one, be prepared," Sotto says. Concern and focus on data security must come from the top.
3:25 p.m. PT: Sotto has just wrapped up, and Joanne McNabb is up. "This is the key question that faces anybody when they're looking at a possible breach of personal information: 'Do I have to notify?' "
3:32 p.m. PT: Senate Bill 541 in California has a breach requirement, says McNabb. She jokes that it's sometimes called the "Punish UCLA Law."
3:38 p.m. PT: McNabb's company recommends that health insurance providers give patients regular explanation-of-benefits statements, and that these companies be prepared to give individuals a new member or subscriber number if their security is breached. She quickly rushes to finish so Dave Dunn can take over.
3:42 p.m. PT: Dunn's got an exciting story: on a Friday afternoon, a financial institution receives a call from a hacker who says that he's stolen all their pertinent client information. The company calls a data security company that afternoon, which flies in a computer forensic expert to examine the company's server. Dunn notes that there are a lot of forensic investigators out there, of varying degrees of quality.
3:45 p.m. PT: The hackers had left a slight trail of where they'd been (they routed information to a server in San Diego), but they had been very good at what they did. "There is no network that is impenetrable," Dunn says.
3:47 p.m. PT: Dunn explains how they tracked the hackers' trail to an online financial institution's website, but when he presented the company with his information - which showed that the company's data had been breached - they refused to accept this. He plans to go back and rub it in their face when the suspect is in custody, though.
3:50 p.m. PT: Another case he explains - someone walks away with a hard drive holding a significant dollar amount worth of information. The victim company called the local law enforcement agency, who told them they would address the case in due time (which may have stemmed from the fact that they failed to tell the police how much the data was worth). After a few weeks, the company starts to panic and calls the FBI - who ignores them - and then the Secret Service.
3:51 p.m. PT: In the interim, company had notified one client (another company) that information had been stolen. The information on that drive was about company B's acquisition of company C, which created even more confusion. Ultimately, warrants were served but the drive was not recovered. Dunn believes they could have tracked it down if informed in a timely manner, but since company A feared the impact it would have on their image, they kept it under wraps longer than they should have.
3:55 p.m. PT: "Ultimately, what it comes down to is that law enforcement wants to put a stop to this," Dunn says. "We need cooperation from businesses, and we need it quickly. If you come to me 12 weeks after a breach has happened [...] the likelihood of me finding the suspect is very slim."
3:56 p.m. PT: That's it; Dunn is off the stage. Time for questions. First one: "With new laws that are coming out on encryption, how are companies going to comply with this? Do you expect us to start seeing 40 states coming up with encryption laws and requirements?" Lisa Sotto answers: "That is the question of the future."
3:57 p.m. PT: Next question, for Dave Dunn: "Is it reasonable for attorneys to assume we can send clients confidential information without encrypting it?" Dunn laughs. "If you're sending sensitive information, it should be encrypted."
And that's a wrap, folks. Thanks for reading.