PowerPoint Presentation

  1. Privacy and Information Security
     Lisa J. Sotto, Partner, Hunton & Williams LLP, (212) 309-1223, lsotto@hunton.com
     April 7, 2006

  2. Our Firm
     • Founded in 1901, Hunton & Williams is one of the nation’s leading law firms with over 850 attorneys in 16 offices, serving clients in over 100 countries
     • 21 privacy professionals in the U.S., EU and Asia
     • Our privacy clients include:
       • Kraft Foods
       • General Dynamics
       • Holtzbrinck Publishers
       • Kodak
       • Estee Lauder
       • Pitney Bowes
       • Visa
       • British Telecom
       • Google
       • TJX
       • IKEA
       • Computer Associates
     • The Center for Information Policy Leadership at Hunton & Williams

  3. What is Privacy?
     • Privacy is the appropriate use of information as defined by:
       • Law
       • Consumer expectations
     • Security is the protection of information
       • Confidentiality (protection against unauthorized access to data)
       • Data integrity

  4. Four Privacy Risks
     • Legal compliance
     • Reputation
     • Investment
     • Reticence

  5. U.S. Privacy Laws
     • Major federal laws are:
       • GLB: Financial institutions
       • HIPAA: Health care entities
       • FCRA/FACTA: Consumer reporting agencies
         • FTC Disposal Rule
       • DPPA: DMV records
       • CAN-SPAM: Commercial e-mail
       • COPPA: Children’s data
       • Do-Not-Call Registry: Telemarketing
       • FTC Act Section 5: Prohibits unfair or deceptive trade practices
       • Privacy Act of 1974

  6. California
     • Disclosures to Direct Marketers Law (SB 27)
     • California Online Privacy Protection Act
     • Security of Personal Information (AB 1950)
     • California Computer Security Breach Act (SB 1386)

  7. Information Security
     • 2005 was the year of the security breach
     • In 2005/2006, 141 information security breaches so far
       • ChoicePoint
       • Bank of America
       • Lexis Nexis
       • DSW
       • CardSystems
       • Boston Globe
     • Over 53 million potentially affected
     • 22 additional state security breach notification laws
     • Numerous federal bills

  8. Recent FTC Enforcement Actions
     • Most FTC privacy enforcement actions result from security breaches
       • CardSystems
       • ChoicePoint
       • DSW
       • BJ’s Wholesale Club
       • Petco
       • Tower Records
       • Barnes & Noble.com
       • Guess.com, Inc.

  9. Data Protection Laws Around the World
     • USA
     • Canada
     • Mexico
     • Australia
     • Europe
     • Japan
     • Argentina
     • Brazil

  10. The EU Directive
     • Enacted in 1995; each country has its own national data protection law – the Directive sets the floor
     • Requires entities to notify authorities or register before processing personal data
     • Prohibits transfer of personal data to non-EU jurisdictions unless an “adequate level of protection” is guaranteed
     • U.S. is not “adequate”
     • Data transfer is permitted:
       • To “adequate” countries (e.g., Switzerland, Canada)
       • Within the safe harbor framework (from EU to U.S. only)
       • Where a contract ensures adequate protection
       • With “unambiguous consent” of the data subject
       • BCRs

  11. PIPEDA
     • The Personal Information Protection and Electronic Documents Act (effective January 1, 2004)
       • Establishes rules for the management of personal information by organizations involved in commercial activities
       • Applies to the collection, use and disclosure of personal information by organizations during commercial activities
     • Personal information is any information about an identifiable individual, whether recorded or not
     • Requirements:
       • Identify purposes of data collection
       • Obtain consent and limit use to identified purposes
       • Limit collection to necessary information
       • Limit use, disclosure and retention
       • Individual access

  12. Latin America
     • Argentina has an “adequate” comprehensive law, and now an active DPA
     • Several nations have draft data protection laws
     • Other nations codify privacy in consumer protection laws
     • Many Latin American nations implement data protection concepts through habeas data rights
       • Habeas data rights are found in many national constitutions

  13. Japan
     • Personal Information Protection Act
     • Enacted in 2003, fully effective April 1, 2005
     • “Personal information” is any information that identifies an individual “data subject” contained in a personal information database (online or offline)
     • Applies to each “entity using a personal information database”
     • “Third party” does not include data processors but does include affiliates
     • Civil and criminal penalties for violations
     • Guidelines have been published by various Ministries

  14. APEC
     • Created an information privacy framework with 9 privacy principles:
       • Preventing harm
       • Notice
       • Collection limitation
       • Uses of personal information
       • Choice
       • Integrity
       • Security
       • Access and correction
       • Accountability
     • Endorsed by 21 member economies in November 2004
     • Consistent with OECD Guidelines

  15. Final Thoughts
     • Information security is the topic du jour
     • Expect new US privacy legislation
     • New level of professionalism of EU DPAs
     • There is significant activity globally to enact new data protection laws
     • There will be a focus on data protection harmonization in coming years
  16. Questions?
     • Lisa J. Sotto, Partner, Head, Privacy and Information Management Practice, Hunton & Williams LLP, (212) 309-1223, [email_address]