Privacy and Security Update: A Year in the Trenches

Presentation Transcript

  1. Privacy and Security Update: A Year in the Trenches Gerard M. Stegmaier @1sand0slawyer

  2. Privacy and Security in the Trenches

  3. Agenda • Security Breach Consequences • Privacy by Design • Regulatory Context and Law: the FTC • Industry-Specific Privacy Laws • Online Advertising • Information Security • Lessons Learned

  4. Security Breach Consequences
     • Enforcements
     • Expensive class actions
     • Investigations & costs
     • Estimated costs to recover from privacy mistakes will range from $5-$20 million each (Source: Gartner)

  5. Data Breach - Types
     Examples:
     • Hacking
       • Phishing/spear phishing
       • Brute force attack
       • SQL injection
       • Advanced Persistent Threat (APT)
     • Data theft or loss
       • Media stolen (e.g. laptops, thumb drives, tapes)
       • Data stolen (e.g. by current or former employee)
       • Data lost (e.g. in taxi or during data migration)
     • Data leakage
       • Exposure to public (e.g. via web site)
       • Exposure to unauthorized person (e.g. wrong employee)
       • Sensitive data sent via unencrypted channel

  6. Breach Notification Statutes
     • No general federal requirement
     • 46 states have statutes
     • Differ on
       • What is a breach?
       • Who must be notified?
       • When must notification be made?
       • What content must be in notification?

  7. State Breach Notification Statutes
     • What is a breach?
       • Unauthorized “access” or “acquisition” or both
       • Sometimes must lead to increased risk of harm or identity theft
     • Apply when “Personal Information” is breached
       • Name PLUS any of the following: social security number, driver’s license number, state ID number, bank account or credit card numbers along with any required security access codes.
     • Notify
       • Affected individuals
       • State regulators
       • Consumer reporting agencies
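The “name PLUS one of the listed elements” rule on the slide is what an incident responder has to apply to an exposed dataset when scoping notification. The following is an added worked example, not material from the presentation: it applies that definition to constructed records and separates the ones that meet it from the ones that do not. The field names, the `access_code_required` flag, and the reading that an account number counts either when exposed together with its required code or when the account needs no code at all are assumptions made for illustration, not statutory text.

```python
"""Breach-scope triage against the common state-statute definition of
"Personal Information": name PLUS any of SSN, driver's license number,
state ID number, or bank account / credit card number along with any
required security access code.

Added example; record layout and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ExposedRecord:
    """One row from an exposed dataset (constructed schema)."""
    record_id: str
    name: Optional[str] = None
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    state_id: Optional[str] = None
    account_number: Optional[str] = None       # bank account or card number
    access_code: Optional[str] = None          # PIN / password / security code exposed with it
    access_code_required: bool = True          # assumption: does the account need a code to be used?


def triggering_elements(rec: ExposedRecord) -> List[str]:
    """Return the data elements that, together with a name, make the record
    'Personal Information' under the definition quoted on the slide."""
    elems = []
    if rec.ssn:
        elems.append("ssn")
    if rec.drivers_license:
        elems.append("drivers_license")
    if rec.state_id:
        elems.append("state_id")
    # Account/card numbers only qualify "along with any required security
    # access codes": count them when the code was exposed too, or (assumption)
    # when the account requires no code, so the number alone is usable.
    if rec.account_number and (rec.access_code or not rec.access_code_required):
        elems.append("account_number")
    return elems


def is_personal_information(rec: ExposedRecord) -> bool:
    """Name is a precondition; without it no listed element triggers the rule."""
    return bool(rec.name) and bool(triggering_elements(rec))


def triage(records: List[ExposedRecord]) -> Dict[str, List[str]]:
    """Split exposed records into those that trigger notification and those
    that do not, keyed by record id so the report carries no raw PII."""
    result: Dict[str, List[str]] = {"notify": [], "no_notify": []}
    for rec in records:
        key = "notify" if is_personal_information(rec) else "no_notify"
        result[key].append(rec.record_id)
    return result


# Constructed sample dataset standing in for an exposed export.
SAMPLE_RECORDS = [
    ExposedRecord("r1", name="A. Example", ssn="000-00-0000"),                       # name + SSN
    ExposedRecord("r2", name="B. Example"),                                            # name only
    ExposedRecord("r3", ssn="000-00-0001"),                                            # SSN without name
    ExposedRecord("r4", name="C. Example", account_number="4111111111111111"),         # number, required code not exposed
    ExposedRecord("r5", name="D. Example", account_number="4222222222222222",
                  access_code="1234"),                                                 # number + code
    ExposedRecord("r6", name="E. Example", account_number="4333333333333333",
                  access_code_required=False),                                         # number needing no code
]

if __name__ == "__main__":
    summary = triage(SAMPLE_RECORDS)
    print(f"notify: {summary['notify']}")
    print(f"no notification trigger: {summary['no_notify']}")
```

Because the output carries only record ids, the triage summary can be shared with counsel and regulators without re-exposing the data elements that caused the problem in the first place.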

  8. Privacy by Design

  9. Privacy by Design • What is Privacy by Design? • Designing and building privacy protections into products and everyday business practices • Fostering a culture of privacy with executive-level commitment and employee training and awareness • Devising solutions that vary based on technology and sensitivity of underlying data • Concept introduced in Canada and being advanced by the FTC

  10. Privacy by Design – Perceived Benefits • Create efficiencies and reduce risk • Cut costs • Reduce exposure • Create a competitive advantage • Save money

  11. Current Regulatory Context and Law

  12. Consumer Privacy Law in the U.S. • Technology has driven the growth of privacy law • Legislators and regulators have had to respond to technological changes that have radically altered the way companies collect, share, use, and maintain personally identifiable information • Many of these laws respond to particular issues or concerns • Result: sectoral approach (industry silos), overlaid with cross-industry requirements • Contrast with omnibus approach in other regions (e.g., EU)

  13. U.S. Consumer Privacy Law
     Federal:
     • Telemarketing & Consumer Fraud & Abuse Prevention Act (Telemarketing Sales Rule)
     • Telephone Consumer Protection Act (TCPA)
     • Junk Fax Prevention Act
     • CAN-SPAM
     • U.S./EU Safe Harbor
     • Electronic Communications Privacy Act (ECPA)
     • Fair Credit Reporting Act (FCRA) + FACTA
     • GLB
     • CPNI
     • HIPAA
     • SOX
     • FTC Section 5
     States:
     • Spyware
     • Social Security #s
     • Data Security
     • Breach Notification
     • Data Disposal
     • Point of Sale Data Collection
     • ID Theft Legislation
     • Security Freezes
     • Shine the Light
     • Credit Card Security

  14. FTC Privacy Report: Major Principles • Simplified Choice • Greater Transparency • Privacy by Design

  15. Privacy by Design • Envisions comprehensive data management procedures throughout the product/service lifecycle • Incorporates substantive privacy protections into company practices: data security, reasonable collection limits, sound retention practices, data accuracy

  16. Simplified Choice
     • Consumers should have choice about both data collection and usage
     • Choice mechanism should be offered at the point consumers provide data
     • “Do Not Track” proposed as simplified choice mechanism
     • Choice not required for a narrow set of practices
       • Fulfillment
       • Internal operations
       • Fraud prevention
       • Legal compliance
       • First-party marketing
       • Contextual advertising

  17. Greater Transparency
     • Clarity: Streamlined and standardized privacy notices
     • Access: Reasonable access to consumer data
     • Changes: Consumers must opt in before companies may use consumer data in a materially different manner than claimed when the data was collected
     • Education: Increased need for consumer education regarding commercial privacy practices

  18. Section 5 of the FTC Act “Unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful.” (1914)

  19. A Practice is “DECEPTIVE” if: • It is likely to mislead consumers • Who are acting reasonably under the circumstances, and • It would be material to their decision to buy or use the product.

  20. Tell the Truth! • “Deceptive” if it contains a statement, or omits information, that is likely to mislead consumers acting reasonably and is material to a consumer’s decision to buy or use. • FTC Policy Statement on Deception

  21. A Practice is “UNFAIR” if: • It is likely to cause substantial consumer injury – physical or economic • That is not reasonably avoidable by consumers themselves and • Is not outweighed by benefits to consumers or competition.

  22. FTC Enforcement Focus • Intentional violations of privacy promises • Changes in privacy policies without adequate notice • Failures to keep promises to maintain security of personal information • Failures to adequately safeguard the privacy of consumer information

  23. FTC Orders: Comprehensive Privacy Programs The Google and Facebook consent orders contain “one of the most effective provisions in our many data security cases. We are requiring Google [and Facebook] to develop and maintain a comprehensive privacy program and obtain independent privacy audits every other year for the next 20 years.” – Julie Brill, FTC Commissioner

  24. FTC Best Practices: Comprehensive Privacy Programs
     • Designate responsible employees
     • Perform privacy and security risk assessments, including
       • Employee training
       • Product design, development, and research
       • Prevention, detection, and response to intrusions
     • Implement privacy controls appropriate for business, data use, and sensitivity of information to address risk
     • Regularly test, monitor, and adjust privacy controls
     • Police data supply chain and vendors

  25. White House’s Consumer Privacy Bill of Rights • Sets forth seven consumer data privacy rights • Encourages business and industry associations to develop voluntary privacy protection codes • Proposes that Congress pass legislation enacting recommendations, including federal data breach notification laws • Expresses commitment to collaborate with international privacy laws, such as the European Data Privacy Directive

  26. Seven Consumer Privacy Rights
     • Individual Control: Give consumers control over how their data is collected
     • Transparency: Clearly describe how, why, and for whom data is collected
     • Respect for Context: Collection and use of data should be consistent with the scope and purpose of the primary business
     • Security: Maintain reasonable data safeguards
     • Access and Accuracy: Ensure that data is accurate
     • Focused Collection: Only collect data necessary
     • Accountability: For data protection and for disclosure to third parties

  27. Industry-Specific Privacy Laws

  28. Gramm-Leach-Bliley Act (GLBA) • Applies to financial institutions • Consumers vs. customers • Required privacy notices to customers • Opt-out rights for information sharing to certain parties • Limits on how service providers can use information

  29. Online Behavioral Advertising

  30. Online Behavioral Advertising

  31. Online Behavioral Advertising “Online behavioral advertising – which is also sometimes called ‘interest-based advertising’ – uses information collected across multiple web sites that you visit in order to predict your preferences and to show you ads that are most likely to be of interest to you.” – Digital Advertising Alliance

  32. Concerns With Online Behavioral Advertising
     • FTC convened workshops to learn more
     • Themes that emerged:
       • The amount of information collected has increased
       • Collection is invisible; consumers are unaware that information about web browsing is being collected
       • Consumers care about privacy
       • There is no longer any meaningful basis for distinguishing between personally and non-personally identifiable information BUT…
       • There are real benefits to information collection

  33. February 2009 – FTC Report on Self-Regulatory Principles for OBA • Called for the industry to adopt self-regulatory principles that incorporated: • Transparency and choice • Data security • Affirmative consent before a company could use previously collected data for a materially different purpose • Affirmative consent before collecting sensitive information for OBA purposes

  34. Industry Created a Self-Regulatory Program in Response • Self-Regulatory Principles for Online Behavioral Advertising released July 2009 • Advertising Option Icon announced and registration begins October 4, 2010 • Consumer Choice page launched November 2010 • Coalition turns to enforcement, operational implementation, and educational planning

  35. The DAA Principles – July 2009 • Education • Transparency • Consumer Control • Data Security • Material Change to Existing OBA Policy/Practices • Sensitive Data • Accountability

  36. Information Security

  37. Information Security
     • Privacy and Security: You can have security without privacy, but you cannot have privacy without security
     • Most privacy-related enforcement and litigation results from inadequate security
     • Information must be “reasonably” secured: it may not matter if the information is already public – information still may be expected to be secured, especially if representations were made
     • Written policies and procedures coupled with technical controls: be wary of hindsight – if something could be easily and cheaply fixed, then the security may not be viewed as “reasonable”

  38. Information Security (cont.)
     • FTC Information Security Guidance Suggests:
       • Take Stock. Know what personal information you have in your files and on your computers.
       • Scale Down. Keep only what you need for business.
       • Lock It. Protect the information you keep.
       • Pitch It. Properly dispose of what you no longer need.
       • Plan Ahead. Create a plan to respond to security incidents.

  39. Lessons Learned

  40. Privacy and Security Assessments: Operational Trends • Increasing utilization of ISO security standards mapped to regulations (GLB, HIPAA) • Look to 3rd parties for validation and affirmation • Enterprise-wide training • Testing and validation of controls • Integration with broader risk management

  41. Privacy and Security Assessments: Policy Trends
     • Advocacy for “accountability”-based standards
       • Generally Accepted Privacy Practices (GAPP)
       • OECD Guidelines
     • Efforts to integrate privacy and security into comprehensive information governance
     Can have security without privacy, but cannot have privacy without security…

  42. Gerry Stegmaier +1. 202.973.8809