Data Privacy and Security Basics for Every Business -- PowerPoint PPT Presentation



SLIDE 1

Back to School:

Data Privacy and Security Basics for Every Business

September 11, 2013

SLIDE 2

Agenda

  • Overview
  • Contract Considerations
  • Payments & Collections
  • Mergers & Acquisitions
  • The Cloud
  • Mobile Product Development
  • Marketing
  • Employee Privacy
  • When Something Goes Wrong
  • Questions
SLIDE 3

What is “privacy law”?

  • Rules regarding the collection and handling of “personal” or “personally identifiable” information (PII)
  • AND the notice and choice provided to the consumer about such activities.
  • “Data Security” is the related set of practices designed to ensure compliance with requirements that PII and other sensitive information be collected, stored, transmitted and disposed of in a secure manner.

SLIDE 4

Overview: Privacy Law

No comprehensive privacy law in U.S.

  • Generally, the data collector owns and controls the data
  • Except in specifically regulated areas, can use data as desired as long as consistent with privacy notices and consent is obtained

Internationally, laws vary

SLIDE 5

Overview: Sources of General U.S. Privacy Law and Enforcement

  • Federal Trade Commission
    – FTC Act
    – Section 5 Enforcement actions
  • U.S. Commerce Department
    – Cybersecurity
    – Mobile app transparency
  • State laws
    – Data Security
    – California
    – Mobile apps

SLIDE 6

Overview: Security/Data Breach Law

  • Data disposal/destruction laws
  • Breach notification laws
  • FTC applies “reasonableness” standard
  • State data security laws
  • Sectoral requirements (HIPAA, HITECH, etc.) may be more stringent

SLIDE 7

Privacy by Design

Basic concept: privacy concerns should be addressed at every stage of product development

  • Endorsed by FTC in March 2012 report entitled “Protecting Consumers’ Privacy in an Era of Rapid Change”
  • Concept has been included in legislative proposals
  • Central to policy discussions of privacy in mobile context
  • FTC enforcement: FTC alleged that HTC America, a mobile device manufacturer, did not build privacy protections into code, putting consumer data at risk and subjecting the company to Section 5 enforcement.

SLIDE 8

What does this mean for you?

Privacy and data security obligations extend throughout your business:

  • Operations & Contracts
  • Payments and Collections
  • Mergers and Acquisitions
  • Information Technology
  • Marketing
  • Human Resources

SLIDE 9

Contracts with Service Provider

Risks associated with data breaches are magnified when your data is outside your control.

Due Diligence to be performed:

  • Where the service provider will store the data (cloud or not)
  • What the service provider will do with it (only on your behalf, or independent rights?)
  • When you can gain access, or alter the contract
  • Who else is touching the data (subcontractors? Independent rights?)
  • What happens if there is a breach?
  • What happens if there is a third party claim?
  • Whether to seek indemnity for violations of law?
  • Representations and warranties?
  • Return of data?

Then Document it…

SLIDE 10

Privacy and Security Contract Language

Checklist

  • DEFINE Confidential Information and Ownership
  • LIMIT collection, access, use, disclosure, and retention
  • ESTABLISH SECURITY STANDARDS for transmission and storage
  • OBTAIN audit rights
  • OUTLINE BREACH/INCIDENT RESPONSE

SLIDE 11

Contracts with Third Parties: Include Data Security Breach/Incident Response

  • Indemnification
  • Credit Monitoring
  • Resolution
  • Investigation Rights
  • Insurance Coverage
  • Notices:
    – to Company
    – to affected individuals
    – to law enforcement
SLIDE 12

Payments & Collections: Payments

  • Payment Card Industry Data Security Standards (PCI DSS)
  • Payment Application Data Security Standards (PA-DSS)
  • Outsourced for compliance?
SLIDE 13

Payments & Collections: Credit

Fair Credit Reporting Act Major Issues:

  • Are you obtaining a “consumer report”?
  • Is there a permissible purpose to obtain and use a consumer report?
  • Duties of “furnishers”
  • Beware stealth FCRA triggers: Spokeo

SLIDE 14

Payments & Collections: Credit

  • FCRA adverse action notices: Must give notice to consumer if business takes adverse action based in part on a consumer report from a CRA
  • Federal Reserve (now CFPB) has a model adverse action notice for FCRA/Reg. B

SLIDE 15

Mergers, Acquisitions and Divestitures

  • Employee and customer data = biggest asset?
  • Consider due diligence on privacy and data security when:
    – Transactions involve personally identifiable assets (customer databases, social media, etc.)
    – Transactions involve data security representations
  • Review privacy policies to ensure promises kept
SLIDE 16

Privacy in the Cloud

SLIDE 17

IT Solutions – The Cloud

  • More data moving to the cloud
  • Customers may purchase Software, Infrastructure, Platform – all “as a service”
  • Different Types of Cloud Services
    – Private (internal organization)
    – Community (education, health, payment)
    – Public (Amazon, Microsoft, Google)
    – Hybrid
  • Unique contract issues
    – Cybersecurity protections
    – Review/audit rights
    – Jurisdictional issues - restrictions in contracts
    – Access rights

SLIDE 18

Mobile Product Development

  • FTC privacy report, calling for improved mobile disclosures (3/2012)
  • FTC workshop on mobile privacy (5/2012)
  • FTC guidance on privacy/ad disclosures for mobile apps (9/2012)
  • NTIA stakeholder discussions re: mobile apps begin (7/2012)
  • California Online Privacy Protection Act (Business and Professions Code section 22575)
  • California AG agreement with Mobile Apps Marketing Companies (2/22/12)
  • California AG letters to 100 companies re: mobile privacy policies (10/30/12)
  • California AG files suit against Delta (12/2012)
  • California AG’s “Privacy On The Go” Report (1/2013)
  • FTC report “Mobile Privacy Disclosures: Building Trust Through Transparency” with recommendations for platform providers, app developers and ad networks and other third parties (2/2013)
  • NTIA Multistakeholder Process releases “Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices” and launches consumer testing of short-form notices about the collection and sharing of consumer information with third parties.

SLIDE 19

Overview: Mobile Product Development

  • Concerns that mobile services and apps violate privacy by collecting and storing information about users’ locations
  • Challenges of obtaining consent.
  • Challenges with communicating disclosures on a small screen.
  • NTIA Multi-Stakeholder Process designed to address these issues by designing a common user interface that quickly informs consumers of information collection and sharing activities.
  • Jules Polonetsky, Executive Director of the Future of Privacy Forum, has described the results as a “‘food label’ type approach to a privacy notice [that] will give consumers a standardized way to get key privacy information at a glance and will help consumers better understand how apps collect and share data.”
  • The following pages contain sample notices shown as examples of implementations of the short notice developed by several of the NTIA stakeholders (source: Future of Privacy Forum, http://www.futureofprivacy.org/2013/07/25/ntia-user-interface-mockups/).

SLIDE 20

NTIA Mobile Short Notice Example 1

  • Data Used Highlighted

SLIDE 21

NTIA Mobile Short Notice Example 2

  • Data Used on Top and Data Not Used on Bottom

SLIDE 22

NTIA Mobile Short Notice Example 3

  • YES/NO Highlighted Accordion

SLIDE 23

Marketing - children

  • The Children’s Online Privacy Protection Act (“COPPA”) applies to websites directed at children under 13 that collect personal info from them, or general websites that have actual knowledge that they are collecting info from children
  • These websites must:
    – Post privacy policy on home page & link to it where data is collected
    – Obtain verifiable consent from parent before collecting data
    – Offer parental choice regarding use of data, parental access to info & ability to delete
  • Modifications to the COPPA rule became final in Dec. 2012. Some highlights include:
    – Geolocation information, photographs, and videos now treated as personal information that cannot be collected without parental notice and consent
    – Closes loophole allowing kid-directed apps/websites to permit third parties to collect personal information through plug-ins (e.g., Facebook plug-ins) without consent
    – Extends COPPA coverage to “persistent identifiers” that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs
  • FTC settlement with Artist Arena for $1 million

SLIDE 24

Kids + Mobile Apps

  • In Dec. 2012, FTC released “Mobile Apps for Kids: Disclosures Still Not Making the Grade”
    – 80% of vendors of apps for kids fail to notify parents about what data they’re collecting from kids, how they’re sharing it, and who has access to it.
    – Nearly 60% of apps surveyed transmitted user information back to the developer or to an advertising network, analytics company or other third party
    – 58% contained advertising within the app, but only 15% indicated the presence of advertising prior to download
    – 22% contained links to social networking services, but only 9% disclosed that fact.
    – 17% allowed kids to make purchases for virtual goods
  • FTC settlement with W3 Innovations, LLC (d/b/a Broken Thumbs Apps) for $50,000

SLIDE 25

Marketing – Social Media Challenges

  • Does Privacy Policy Address Social Media?
  • FTC Action
  • Potential Invasion of Privacy Claims
  • International Issues
  • Kids
  • Important to Establish Corporate Policies

SLIDE 26

Human Resources – Employee Privacy

Pre-employment background checks

  • State laws limit check of criminal history
  • FCRA governs check of finances

Bring Your Own Device?

Employee personal use of social media

State legislation: passwords/login

SLIDE 27

What do you do when something goes wrong?

SLIDE 28

Breach Response Plan

  • Have a plan in place before the breach occurs!
  • Create a security breach response team that includes legal, IT, security, HR, and media relations functions
  • Train employees in implementing the plan
  • Test response plan

SLIDE 29

State Data Breach Notification Laws

  • 46 states and District of Columbia (no AL, KY, NM, SD)
  • Most apply to electronic information (vs. physical document)
  • Often define personal information as: An individual’s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number, (ii) driver’s license number or state-issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account.
  • But beware of North Dakota and recent trend for broader definition of PI
  • Frequent requirement to report to state official/AG, credit reporting bureaus

SLIDE 30

Risks associated with a data breach

Legal action by regulatory agencies, law enforcement and/or private litigants:

  • Federal Trade Commission
  • State AGs and Congressional Inquiries
  • Class Action Litigation
  • EU, Canadian or other foreign govt enforcement
  • Reputational Harm

SLIDE 31

FTC Enforcement

FTC: increased enforcement activities and testing limits of Section 5 Authority (http://www.ftc.gov/opa/reporter/privacy/privacypromises.shtml):

  • Google Buzz (March 2011): Gmail users who opted out of Buzz were nonetheless enrolled; users were not adequately informed that the identity of individuals they emailed most frequently would be made public by default, and users who clicked “Turn Off Buzz” were not fully removed from the social network.
  • Facebook (Nov. 2011): changed privacy settings without notice or consent; made data public that users had designated as private
  • RockYou (Mar. 2012): failed to implement reasonable security procedures to protect users’ data; violated COPPA by collecting & disclosing children’s info without parental consent
  • MySpace (May 2012): violated own privacy policy by sharing personal information with advertisers; allowed targeted ads without notice.
  • Wyndham Hotels (June 2012): FTC sued for failure to protect consumer info from three data breaches. Wyndham has filed MTD, alleging that FTC has no authority to decide whether data protection policies are “unfair,” “reasonable,” or “appropriate.”
  • Google Cookies (August 2012): agreed to pay a record $22.5 million civil penalty to settle Federal Trade Commission charges that it misrepresented to users of Apple Inc.’s Safari Internet browser that it would not place tracking “cookies” or serve targeted ads to those users, violating the earlier Google Buzz settlement with the FTC.
  • Path (Jan. 2013): improperly collected info from consumers’ mobile device address books, collected kids’ data without parental consent.

SLIDE 32

Litigation Trends

  • Most common result: privacy lawsuits end at the Motion to Dismiss stage – no harm or standing
  • Some recent cases: more lenient on “harm” standard where statute creates right of action, damages (e.g. Jewel v NSA (surveillance) & Edwards v First American Corp. (RESPA))
  • Even an unsuccessful privacy class action suit can conceivably cost a defendant millions of dollars.
  • Arbitration clauses
SLIDE 33

Federal Statutes with Statutory Damages and Private Rights of Action

  • Computer Fraud and Abuse Act, 18 U.S.C. § 1030
  • Electronic Communications Privacy Act (ECPA), including
    – Wiretap Act, 18 U.S.C. §§ 2510-2522
    – Stored Communications Act, 18 U.S.C. §§ 2701-2712
    – Video Privacy Protection Act, 18 U.S.C. § 2710
  • Telephone Consumer Protection Act, 47 U.S.C. § 227
  • Fair Credit Reporting Act, 15 U.S.C. § 1681
  • Cable Act, 47 U.S.C. § 551
  • Satellite Home Viewer Extension and Reauthorization Act, 47 U.S.C. § 338(i)

SLIDE 34

Thank You! Questions?

Bob Scott

Washington, DC 20006 (202) 973-4265 BobScott@dwt.com

Christin McMeley

Washington, DC 20006 (202) 973-4264 ChristinMcMeley@dwt.com