Privacy and Security Update: A Year in the Trenches
Gerard M. Stegmaier ([email protected], @1sand0slawyer)

Posted 25-Feb-2016

TRANSCRIPT

Page 1: Privacy and Security Update:  A Year in the Trenches

Privacy and Security Update: A Year in the Trenches

Gerard M. Stegmaier

[email protected]

@1sand0slawyer

Page 2: Privacy and Security in the Trenches

Page 3: Agenda

Security Breach Consequences

Privacy by Design

Regulatory Context and Law: the FTC

Industry-Specific Privacy Laws

Online Advertising

Information Security

Lessons Learned

Page 4: Security Breach Consequences

Enforcements, class actions, investigations: all expensive

Estimated costs to recover from privacy mistakes will range from $5-$20 million each (Source: Gartner)

Page 5: Data Breach - Types

Examples:

Hacking
– Phishing/spear phishing
– Brute force attack
– SQL injection
– Advanced Persistent Threat (APT)

Data theft or loss
– Media stolen (e.g. laptops, thumb drives, tapes)
– Data stolen (e.g. by current or former employee)
– Data lost (e.g. in taxi or during data migration)

Data leakage
– Exposure to public (e.g. via web site)
– Exposure to unauthorized person (e.g. wrong employee)
– Sensitive data sent via unencrypted channel

Page 6: Breach Notification Statutes

No general federal requirement

46 states have statutes; they differ on:
– What is a breach?
– Who must be notified?
– When must notification be made?
– What content must be in the notification?

Page 7: State Breach Notification Statutes

What is a breach?
– Unauthorized “access” or “acquisition” or both
– Sometimes must lead to increased risk of harm or identity theft

Apply when “Personal Information” is breached
– Name PLUS any of the following: social security number, driver’s license number, state ID number, bank account or credit card numbers along with any required security access codes

Notify
– Affected individuals
– State regulators
– Consumer reporting agencies
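The first question in breach scoping is whether the exposed records actually contain statutory “personal information” as summarized on this slide. The following is an added example, not code from the original deck: it applies the name-PLUS rule to a set of exposed records. The field names (name, ssn, drivers_license, card_number, card_cvv, and so on) are an assumed layout for the dataset, and the rule that an account number counts only together with a required access code is an assumed common statutory formulation; both are illustrative, and, as the previous slide notes, the statutes differ by state.

```python
"""Breach-scoping check for state 'personal information' triggers.

Added example, not from the original slides. It models the slide's
summary rule: a record is notifiable when it has a NAME plus at least one
listed element (SSN, driver's license, state ID, or a financial account
number together with any required access code). State statutes differ in
detail, so treat the output as triage input, not a legal determination.
"""
import re
from typing import Dict, Iterable, Set

# Field names are an assumption about the exposed dataset's layout.
NAME_FIELDS = ("name", "first_name", "last_name")
ID_FIELDS = ("drivers_license", "state_id")
ACCESS_CODE_FIELDS = ("card_cvv", "pin", "password", "access_code")

# Structural SSN check: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")


def looks_like_ssn(value: str) -> bool:
    return bool(SSN_RE.match(value.strip()))


def luhn_valid(number: str) -> bool:
    """Luhn checksum so that garbage or truncated card numbers are not counted."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_record(rec: Dict[str, str]) -> Set[str]:
    """Return the statutory data elements present alongside a name.

    An empty set means the record alone would not trigger notification
    under the simplified name-PLUS rule.
    """
    if not any(rec.get(f, "").strip() for f in NAME_FIELDS):
        return set()                      # no name: elements alone do not qualify
    elements: Set[str] = set()
    if looks_like_ssn(rec.get("ssn", "")):
        elements.add("ssn")
    for field in ID_FIELDS:
        if rec.get(field, "").strip():
            elements.add(field)
    # Account numbers count only together with a code that permits access
    # (assumed common formulation; some states are broader).
    has_code = any(rec.get(f, "").strip() for f in ACCESS_CODE_FIELDS)
    if has_code and (luhn_valid(rec.get("card_number", ""))
                     or rec.get("account_number", "").strip()):
        elements.add("financial_account")
    return elements


def breach_scope(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Tally notifiable records and which elements triggered them."""
    summary: Dict[str, int] = {"total": 0, "notifiable": 0}
    for rec in records:
        summary["total"] += 1
        elements = classify_record(rec)
        if elements:
            summary["notifiable"] += 1
        for e in elements:
            summary[e] = summary.get(e, 0) + 1
    return summary


# Constructed sample records (fictitious values; 4111... is a standard test number).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789"},
    {"name": "Bob Example", "card_number": "4111111111111111", "card_cvv": "123"},
    {"name": "Carol Example", "card_number": "4111111111111111"},      # no access code
    {"name": "Dan Example", "email": "dan@example.com"},                # not a listed element
    {"ssn": "234-56-7890"},                                             # element without a name
    {"name": "Eve Example", "card_number": "4111111111111112", "card_cvv": "999"},  # fails Luhn
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.get("name", "<no name>"), "->", sorted(classify_record(rec)))
    print(breach_scope(SAMPLE_RECORDS))
```

The SSN-structure and Luhn checks keep junk values (impossible SSN area numbers, card numbers that fail the checksum) from inflating the notifiable count during triage. A real scoping exercise still has to reconcile the result against the statute of each affected individual’s state, since the definition of a breach and of personal information is exactly where the statutes diverge.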

Page 9: Privacy by Design

Page 10: Privacy by Design

What is Privacy by Design?
– Designing and building privacy protections into products and everyday business practices
– Fostering a culture of privacy with executive-level commitment and employee training and awareness
– Devising solutions that vary based on technology and sensitivity of underlying data
– Concept introduced in Canada (by the Ontario Information and Privacy Commissioner) and being advanced by the FTC

Page 11: Privacy by Design – Perceived Benefits

Create efficiencies and reduce risk

Cut costs

Reduce exposure

Create a competitive advantage

Save money

Page 12: Current Regulatory Context and Law

Page 13: Consumer Privacy Law in the U.S.

Technology has driven the growth of privacy law

Legislators and regulators have had to respond to technological changes that have radically altered the way companies collect, share, use, and maintain personally identifiable information

Many of these laws respond to particular issues or concerns

Result: sectoral approach (industry silos), overlaid with cross-industry requirements

Contrast with omnibus approach in other regions (e.g., EU)

Page 14: U.S. Consumer Privacy Law

Federal and cross-border:
– Telemarketing & Consumer Fraud & Abuse Prevention Act (Telemarketing Sales Rule)
– Telephone Consumer Protection Act (TCPA)
– Junk Fax Prevention Act
– CAN-SPAM
– U.S./EU Safe Harbor
– Electronic Communications Privacy Act (ECPA)
– Fair Credit Reporting Act (FCRA) + FACTA
– GLB
– CPNI
– HIPAA
– SOX
– FTC Section 5

States:
– Spyware
– Social Security #s
– Data Security
– Breach Notification
– Data Disposal
– Point of Sale Data Collection
– ID Theft Legislation
– Security Freezes
– Shine the Light
– Credit Card Security

Page 15: FTC Privacy Report – Major Principles

Greater Transparency

Privacy by Design

Simplified Choice

Page 16: Privacy by Design

Envisions comprehensive data management procedures throughout the product/service lifecycle

Incorporates substantive privacy protections into company practices
– Data security
– Reasonable collection limits
– Sound retention practices
– Data accuracy

Page 17: Simplified Choice

Consumers should have choice about both data collection and usage

Choice mechanism should be offered at the point consumers provide data

“Do Not Track” proposed as simplified choice mechanism

Choice not required for a narrow set of commonly accepted practices (e.g., product fulfillment, fraud prevention, legal compliance)

Page 18: Greater Transparency

Clarity: streamlined and standardized privacy notices

Access: reasonable access to consumer data

Changes: consumers must opt in before companies may use consumer data in a materially different manner than claimed when the data was collected

Education: increased need for consumer education regarding commercial privacy practices

Page 19: Section 5 of the FTC Act

“Unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful.”

(15 U.S.C. § 45, enacted 1914)

Page 20: A Practice is “DECEPTIVE” if:

It is likely to mislead consumers

Who are acting reasonably under the circumstances, and

It would be material to their decision to buy or use the product.

Page 21: FTC Policy Statement on Deception

“Deceptive” if it contains a statement, or omits information, that is likely to mislead consumers acting reasonably and is material to a consumer’s decision to buy or use.

Tell the Truth!

Page 22: A Practice is “UNFAIR” if:

It is likely to cause substantial consumer injury (physical or economic)

That is not reasonably avoidable by consumers themselves, and

Is not outweighed by benefits to consumers or competition.

Page 23: FTC Enforcement Focus

Intentional violations of privacy promises

Changes in privacy policies without adequate notice

Failures to keep promises to maintain security of personal information

Failures to adequately safeguard the privacy of consumer information

Page 24: FTC Orders: Comprehensive Privacy Programs

The Google and Facebook consent orders contain “one of the most effective provisions in our many data security cases. We are requiring Google [and Facebook] to develop and maintain a comprehensive privacy program and obtain independent privacy audits every other year for the next 20 years.”

– Julie Brill, FTC Commissioner

Page 25: FTC Best Practices: Comprehensive Privacy Programs

Designate responsible employees

Perform privacy and security risk assessments covering, among other areas:
– Employee training
– Product design, development, and research
– Prevention, detection, and response to intrusions

Implement privacy controls appropriate for the business, data use, and sensitivity of information to address the identified risks

Regularly test, monitor, and adjust privacy controls

Police the data supply chain and vendors

Page 26: White House’s Consumer Privacy Bill of Rights

Sets forth seven consumer data privacy rights

Encourages business and industry associations to develop voluntary privacy protection codes

Proposes that Congress pass legislation enacting its recommendations, including a federal data breach notification law

Expresses commitment to interoperability with international privacy frameworks, such as the EU Data Protection Directive

Page 27: Seven Consumer Privacy Rights

Individual Control: Give consumers control over how their data is collected

Transparency: Clearly describe how, why, and for whom data is collected

Respect for Context: Collection and use of data should be consistent with the scope and purpose of the primary business

Security: Maintain reasonable data safeguards

Access and Accuracy: Ensure that data is accurate

Focused Collection: Only collect data necessary

Accountability: For data protection and for disclosure to third parties

Page 28: Industry-Specific Privacy Laws

Page 29: Gramm-Leach-Bliley Act (GLBA)

Applies to financial institutions

Distinguishes consumers from customers (customers receive fuller notice obligations)

Required privacy notices to customers

Opt-out rights for information sharing to certain parties

Limits on how service providers can use information

Pages 30-32: Online Behavioral Advertising

“Online behavioral advertising – which is also sometimes called ‘interest-based advertising’ – uses information collected across multiple web sites that you visit in order to predict your preferences and to show you ads that are most likely to be of interest to you.”

– Digital Advertising Alliance

Page 33: Concerns With Online Behavioral Advertising

FTC convened workshops to learn more

Themes that emerged:
– The amount of information collected has increased
– Collection is invisible; consumers are unaware that information about web browsing is being collected
– Consumers care about privacy
– There is no longer any meaningful basis for distinguishing between personally and non-personally identifiable information

BUT…
– There are real benefits to information collection

Page 34: February 2009 – FTC Report on Self-Regulatory Principles for OBA

Called for the industry to adopt self-regulatory principles that incorporated:
– Transparency and choice
– Data security
– Affirmative consent before a company could use previously collected data for a materially different purpose
– Affirmative consent before collecting sensitive information for OBA purposes

Page 35: Industry Created a Self-Regulatory Program in Response

Self-Regulatory Principles for Online Behavioral Advertising released July 2009

Advertising Option Icon announced and registration begins October 4, 2010

Consumer Choice page launched November 2010

Coalition turns to enforcement, operational implementation, and educational planning

Page 36: The DAA Principles – July 2009

– Education
– Transparency
– Consumer Control
– Data Security
– Material Change to Existing OBA Policy/Practices
– Sensitive Data
– Accountability

Page 37: Information Security

Page 38: Information Security

Privacy and security: you can have security without privacy, but you cannot have privacy without security

Most privacy-related enforcement and litigation results from inadequate security

Information must be “reasonably” secured: it may not matter if the information is already public; it still may be expected to be secured, especially if representations were made

Written policies and procedures coupled with technical controls: be wary of hindsight. If something could have been easily and cheaply fixed, the security may not be viewed as “reasonable”

Page 39: Information Security (cont.)

FTC information security guidance (“Protecting Personal Information: A Guide for Business”) suggests:

– Take Stock. Know what personal information you have in your files and on your computers.

– Scale Down. Keep only what you need for business.

– Lock It. Protect the information you keep.

– Pitch It. Properly dispose of what you no longer need.

– Plan Ahead. Create a plan to respond to security incidents.

Page 40: Lessons Learned

Page 41: Privacy and Security Assessments: Operational Trends

Increasing utilization of ISO security standards (e.g., ISO/IEC 27001/27002) mapped to regulations (GLB, HIPAA)

Look to 3rd parties for validation and affirmation

Enterprise-wide training

Testing and validation of controls

Integration with broader risk management

Page 42: Privacy and Security Assessments: Policy Trends

Advocacy for accountability-based standards

Generally Accepted Privacy Principles (GAPP)

OECD Privacy Guidelines

Efforts to integrate privacy and security into comprehensive information governance

Can have security without privacy, but cannot have privacy without security…

Page 43: Contact

Gerry Stegmaier

[email protected]

+1 202.973.8809

http://www.wsgr.com/privacy