  • 1. Privacy and Information Security
    Lisa J. Sotto, Partner, Hunton & Williams LLP
    (212) 309-1223, lsotto@hunton.com
    April 7, 2006
  • 2. Our Firm
    - Founded in 1901, Hunton & Williams is one of the nation’s leading law firms with over 850 attorneys in 16 offices, serving clients in over 100 countries
    - 21 privacy professionals in the U.S., EU and Asia
    - Our privacy clients include:
      - Kraft Foods
      - Visa
      - General Dynamics
      - British Telecom
      - Holtzbrinck Publishers
      - Google
      - Kodak
      - TJX
      - Estee Lauder
      - IKEA
      - Pitney Bowes
      - Computer Associates
    - The Center for Information Policy Leadership at Hunton & Williams
  • 3. What is Privacy?
    - Privacy is the appropriate use of information as defined by:
      - Law
      - Consumer expectations
    - Security is the protection of information:
      - Confidentiality (protection against unauthorized access to data)
      - Data integrity
  • 4. Four Privacy Risks
    - Legal compliance
    - Reputation
    - Investment
    - Reticence
  • 5. U.S. Privacy Laws
    - Major federal laws are:
      - GLB: Financial institutions
      - HIPAA: Health care entities
      - FCRA/FACTA: Consumer reporting agencies
        - FTC Disposal Rule
      - DPPA: DMV records
      - CAN-SPAM: Commercial e-mail
      - COPPA: Children’s data
      - Do-Not-Call Registry: Telemarketing
      - FTC Act Section 5: Prohibits unfair or deceptive trade practices
      - Privacy Act of 1974
  • 6. California
    - Disclosures to Direct Marketers Law (SB 27)
    - California Online Privacy Protection Act
    - Security of Personal Information (AB 1950)
    - California Computer Security Breach Act (SB 1386)
  • 7. Information Security
    - 2005 was the year of the security breach
    - In 2005/2006, 141 information security breaches so far, including:
      - ChoicePoint
      - DSW
      - Bank of America
      - CardSystems
      - Lexis Nexis
      - Boston Globe
    - Over 53 million individuals potentially affected
    - 22 additional state security breach notification laws
    - Numerous federal bills
  • 8. Recent FTC Enforcement Actions
    - Most FTC privacy enforcement actions result from security breaches:
      - CardSystems
      - ChoicePoint
      - DSW
      - BJ’s Wholesale Club
      - Petco
      - Tower Records
      - Barnes & Noble.com
      - Guess.com, Inc.
  • 9. Data Protection Laws Around the World
    (world map highlighting jurisdictions with data protection laws: USA, Canada, Mexico, Australia, Europe, Japan, Argentina, Brazil)
  • 10. The EU Directive
    - Enacted in 1995; each country has its own national data protection law – the Directive sets the floor
    - Requires entities to notify authorities or register before processing personal data
    - Prohibits transfer of personal data to non-EU jurisdictions unless an “adequate level of protection” is guaranteed
    - U.S. is not “adequate”
    - Data transfer is permitted:
      - To “adequate” countries (e.g., Switzerland, Canada)
      - Within the safe harbor framework (from EU to U.S. only)
      - Where a contract ensures adequate protection
      - With “unambiguous consent” of the data subject
      - Under BCRs (binding corporate rules)
  • 11. PIPEDA
    - The Personal Information Protection and Electronic Documents Act (effective January 1, 2004)
      - Establishes rules for the management of personal information by organizations involved in commercial activities
      - Applies to the collection, use and disclosure of personal information by organizations during commercial activities
    - Personal information is any information about an identifiable individual, whether recorded or not
    - Requirements:
      - Identify purposes of data collection
      - Obtain consent and limit use to identified purposes
      - Limit collection to necessary information
      - Limit use, disclosure and retention
      - Individual access
  • 12. Latin America
    - Argentina has an “adequate” comprehensive law, and now an active DPA
    - Several nations have draft data protection laws
    - Other nations codify privacy in consumer protection laws
    - Many Latin American nations implement data protection concepts through habeas data rights
      - Habeas data rights are found in many national constitutions
  • 13. Japan
    - Personal Information Protection Act
    - Enacted in 2003, fully effective April 1, 2005
    - “Personal information” is any information that identifies an individual “data subject” contained in a personal information database (online or offline)
    - Applies to each “entity using a personal information database”
    - “Third party” does not include data processors but does include affiliates
    - Civil and criminal penalties for violations
    - Guidelines have been published by various Ministries
  • 14. APEC
    - Created an information privacy framework with 9 privacy principles:
      - Preventing harm
      - Notice
      - Collection limitation
      - Uses of personal information
      - Choice
      - Integrity
      - Security
      - Access and correction
      - Accountability
    - Endorsed by 21 member economies in November 2004
    - Consistent with OECD Guidelines
  • 15. Final Thoughts
    - Information security is the topic du jour
    - Expect new US privacy legislation
    - New level of professionalism of EU DPAs
    - There is significant activity globally to enact new data protection laws
    - There will be a focus on data protection harmonization in coming years
  • 16. Questions?
    Lisa J. Sotto, Partner
    Head, Privacy and Information Management Practice
    Hunton & Williams LLP
    (212) 309-1223, [email_address]