Data Security and Privacy Landscape 2012 (September 2012)


Published on

"Data Security and Privacy Landscape 2012" Webinar presentation through the West CELESQ CLE Series covering

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Data Security and Privacy Landscape 2012 (September 2012)

  1. 1. Copyright 2012 Bryan CaveSeptember 20, 2012Jason D. in the Data Security andChanges in the Data Security andPrivacy Landscape - 2012Privacy Landscape - 2012
  2. 2. Copyright 2012 Bryan CaveDataSecurityPrivacy
  3. 3. Copyright 2012 Bryan CaveMay 19, 2011
  4. 4. Copyright 2012 Bryan CaveJune 7, 2012
  5. 5. Copyright 2012 Bryan CaveDataIncreasing importanceIncreasing valueIncreasing scrutinyIncreasing responsibility
  6. 6. Copyright 2012 Bryan CaveDataMany challengesMany changesMany opportunities
  7. 7. Copyright 2012 Bryan CaveNo specific comprehensivedata privacy or security legislation(in the US)
  8. 8. Copyright 2012 Bryan Cave• EU Data Protection Directive (95/46/EC)• Regulates the processing of personal data of EU subjects– Broad scope of “personal data”– Restricts processing unless stated conditions are met– Prohibits transfer to countries not offering adequate levels of protection• US Department of Commerce-negotiated “Safe Harbor Principles” enabletransfers to US companies– Self-certification regime– Allows US companies to register as compliant– FTC oversight• Proposed overhaul in the works (announced Jan. 25, 2012)Longstanding EU RegulationsLegal Landscape
  9. 9. Copyright 2012 Bryan Cave• State consumer protection statutes– All 50 states– Prohibitions on “unfair or deceptive” trade practices• Data breach notification statutes– At least 46 states (DC and various US territories)– Notification of state residents (and perhaps regulators) affected by unauthorizedaccess to sensitive personal information• Data safeguards statutes– (Significant) minority of states– Safeguards to secure consumer information from unauthorized access• Data privacy statutes– Requirements for online privacy policies covering use and sharing of consumerinformation– Requirements on use of personal information for direct marketing purposesGrowing Array of Relevant State LawsLegal Landscape
  10. 10. Copyright 2012 Bryan Cave• Consumer credit - Fair Credit Reporting Act (FCRA)• Financial services - Gramm Leach Bliley Act (GLBA)• Healthcare providers - Health Insurance Portability and Accountability Act(HIPAA)• Children (under 13) - Children’s Online Privacy Protection Act (COPPA)• Video content - Video Privacy Protection Act• Others statutes covering education, payment processing, etc.Industry-specific Federal StatutesLegal Landscape
  11. 11. Copyright 2012 Bryan CaveFederal Trade Commission(FTC)Legal Landscape
  12. 12. Copyright 2012 Bryan CaveFederal Trade Commission Act (FTCA)(15 U.S.C. 41, et seq)Legal Landscape
  13. 13. Copyright 2012 Bryan Cave“Unfair or deceptive acts or practices”Legal Landscape
  14. 14. Copyright 2012 Bryan Cave• No specific privacy or security requirements– Broad prohibition on “unfair or deceptive acts or practices in or affectingcommerce” (Section 5)• Failures to implement “reasonable and appropriate” data security measures• Deceptive data privacy policies and promises– Constituting unfair or deceptive acts or practices• Increasingly active enforcement– More than 39 actions to date• 25 in the last 6 years• Many more investigated but not brought– Covering largely electronically stored data and information– Targeting security breaches as well as privacy violationsFederal Trade Commission Act (FTCA)Legal Landscape
  15. 15. Copyright 2012 Bryan CaveEmerging ModelLegal Landscape
  16. 16. Copyright 2012 Bryan Cave• 20 year term• Cease misrepresentations regarding practices for information security,privacy, confidentiality, and integrity• Conduct assessment of reasonably-foreseeable, material security risks• Establish comprehensive written information security and privacy program• Designate employee(s) to coordinate and be accountable for the program• Implement employee training• Conduct biannual independent third party audits to assess security andprivacy practices• Implement multiple record-keeping requirements• Implement regular testing, monitoring, and assessment• Undergo periodic reporting and compliance requirements• Impose requirements on service providersEmerging Model for Settlement and ComplianceCompliance
  17. 17. Copyright 2012 Bryan Cave“Promises”not justPoliciesCompliance
  18. 18. Copyright 2012 Bryan CaveJon LeibowitzChairman of the FTCSpeaking on the settlement“Facebook is obligated to keep the promisesabout privacy that it makes to its hundredsof millions of users.”Compliance
  19. 19. Copyright 2012 Bryan CaveJon LeibowitzChairman of the FTCSpeaking on the settlement“Innovation does not have to come at theexpense of consumer privacy.”Compliance
  20. 20. Copyright 2012 Bryan CaveSpeaking on the settlement“Weve made a bunch of mistakes.”Mark ZuckerbergCEO of FacebookCompliance
  21. 21. Copyright 2012 Bryan CaveScope of “Personal Information”Compliance
  22. 22. Copyright 2012 Bryan CaveIn the Matter of UPromise, Inc. (FTC File No. 102 3116, Jan. 5, 2012)Compliance
  23. 23. Copyright 2012 Bryan CaveIn the Matter of Eli Lilly and Company (File No. 012 3214, Januray 18, 2002)Compliance
  24. 24. Copyright 2012 Bryan Cave“Sensitive Information”Compliance
  25. 25. Copyright 2012 Bryan Cave• States have defined “sensitive information” to include SSN, drivers licensenumber, and financial account information• FTC has broadened this definition to include– Health information– Information regarding children– Geo-location information• Trend is toward more activity in these areas• Practical considerations– Know when/where you collect sensitive information– Consider seeking consent when using sensitive data for marketing purposes– Ensure that WISPs appropriately protect sensitive information• Note that these categories of sensitive information may not trigger a databreach notification requirement under state lawsSensitive InformationCompliance
  26. 26. Copyright 2012 Bryan CaveWISPsWritten Information Security PlansCompliance
  27. 27. Copyright 2012 Bryan Cave• The “Safeguards Rule” under GLBA requires implementation of “writteninformation security plans” (WISPs)– Describing the company’s program to protect customer information– Appropriate to the company, nature and scope activities, and level of sensitivityof information• FTC consent orders now generally impose similar requirements– Implementation comprehensive information security program– Fully documented in writing– Reasonably designed to protect the security and privacy of covered information– Containing controls and procedures appropriate to the• Size and complexity of the business• Nature and scope of activities• Sensitivity of the covered information• Mass. state regs. also now require written information security policies forcompanies handling personal information about Mass. residentsWISPsCompliance
  28. 28. Copyright 2012 Bryan Cave“Reasonable and appropriate”security measuresCompliance
  29. 29. Copyright 2012 Bryan CaveU.S. v. RockYou, Inc.(N.D. Cal. Mar. 26, 2012)Compliance
  30. 30. Copyright 2012 Bryan Cave• RockYou is an online social gaming service• Created an application for social networking sites allowing users to uploadphotos and music to create a slide show• When users registered for the app they were asked to provide emailaddress and password – app also collected birth date, gender, etc.• RockYou represented that it used “commercially reasonable” securitymeasures• All information actually stored only in plaint text (unencrypted)• RockYou was hacked in December 2009• 32 million accounts affected, including information about 179,000 children• FTC settled for $250,000 and 20 year injunction that imposes standardrequirements (biannual third party risk assessments, etc.)U.S. v. RockYouCompliance
  31. 31. Copyright 2012 Bryan CaveIn the Matter of UPromise, Inc.(FTC File No. 102 3116, Jan. 5, 2012)Compliance
  32. 32. Copyright 2012 Bryan Cave• UPromise is a membership reward service for saving for college• Provided toolbar application purporting to track user online activity and“provide college savings opportunities tailored to you”• App collected not only the web sites visited but information entered onsome web pages• Information included user names, passwords, credit cards and expirationdates, financial account information, SSNs, etc.• All of this information was transmitted to UPromise unencrypted, despitestatements that information was “automatically” encrypted• Over 150,000 consumers participated• FTC settled for 20 year consent decree requiring standard requirements(biannual third party risk assessments, etc.)In the Matter of UPromiseCompliance
  33. 33. Copyright 2012 Bryan Cave• RockYou and UPromise settlements provide guidance on what isnot reasonable or appropriate– Collecting PII from consumers unnecessarily– Failing to test applications to ensure they are not collecting PII– Not training employees about security risks– Transmitting or storing sensitive information in unencrypted form– Failing to segment servers– Leaving systems susceptible to hacking (e.g., SQL injection attacks)– Failing to ensure that service providers or third-party developers employreasonable and appropriate security• Other settlements add additional considerations• Practical Considerations– Draft WISPs to prohibit these practices– Review for these practices in audits and risk assessmentsReasonable and Appropriate SecurityCompliance
  34. 34. Copyright 2012 Bryan CaveDownstream obligations. . .Compliance
  35. 35. Copyright 2012 Bryan Cave• FTC settlements require contractual restrictions on third partyservice providersRequirements for Service ProvidersIn the Matter of Google, Inc. (FTC File No. 102-3136, March 30, 2011)Compliance
  36. 36. Copyright 2012 Bryan Cave• FTC settlements require contractual restrictions on third partyservice providers• Parallel newly effective Mass. regulation (201 CMR 17.03)– Requiring companies providing service providers with personal informationabout Mass. residents to contractually require the providers to “implement andmaintain . . . appropriate security measures”– Went into full effect on March 1, 2012• Practical implications– Maintain a WISP with applicable policies• Storage, access, and transportation of information• Employees and downstream service providers• Disciplinary measures for violations– Conduct risk assessments, employee training, and security reviews– Investigate incidents and document follow-up actionRequirements for Service ProvidersCompliance
  37. 37. Copyright 2012 Bryan CaveWhere are we headed?. . . and what should you do?
  38. 38. Copyright 2012 Bryan CaveDecember 1, 2010
  39. 39. Copyright 2012 Bryan CaveMarch 26, 2012
  40. 40. Copyright 2012 Bryan Cave• Based on a yearlong series of privacy roundtables held by the FTC• Extensive comment period (more than 450 comments received)• Provides best practices for the protection of consumer privacy• Applicable to both traditional (offline) and online businesses• Intended to assist Congress as it considers privacy legislation• Not intended to serve as a template for law enforcement actions(but what about plaintiffs attorneys?)BackgroundFTC Report
  41. 41. Copyright 2012 Bryan CavePrivacy FrameworkFTC Report• Proposed framework is based on several core concepts– Simplified consumer choice
  42. 42. Copyright 2012 Bryan CaveFTC Report• Proposed framework is based on several core concepts– Simplified consumer choice– TransparencyPrivacy Framework
  43. 43. Copyright 2012 Bryan Cave• Proposed framework is based on several core concepts– Simplified consumer choice– Transparency– Privacy by designPrivacy FrameworkFTC Report
  44. 44. Copyright 2012 Bryan Cave• Continued expansion of “personal information”• Codification of the definitions used in FTC settlements• Shades of the definition in the EU Data Protection Directive• Blurring of the line between PII and non-PII• When is information not PII?Scope of Personal InformationFTC Report
  45. 45. Copyright 2012 Bryan Cave• Data is not PII if it is not reasonably linkable to a specific consumer,computer or other device• Breaking the link– Take reasonable measures to ensure that data is de-identified– Publicly commit to not try to re-identify– Contractually prohibit downstream recipients from trying to re-identify– Take measures to silo de-identified data from PII• Cannot remove concerns by simply envisioning the sharing of only“de-identified” or anonymous data• Must actually follow FTC guidance– Prohibitions in privacy policies against re-identification– Provisions in vendor contracts regarding re-identification– Systems designed to silo off de-identified dataDe-Identification of Personal InformationFTC Report
  46. 46. Copyright 2012 Bryan Cave• Historically, divergent privacy policies and practices regarding informationsharing with corporate affiliates and subsidiaries• FTC Report views affiliates as “third parties” unless the affiliaterelationship is “clear to consumers”• Common branding is cited as sufficient to make a relationship clear• Uncertainty remains• Practical implications– Disclose affiliate sharing in privacy policy– Consider opt-in for sharing sensitive information with affiliates– Opt-out for non-sensitive informationRequirements for Affiliates and SubsidiariesFTC Report
  47. 47. Copyright 2012 Bryan CaveFebruary 23, 2012
  48. 48. Copyright 2012 Bryan Cave“Consumer Privacy Bill of Rights”
  49. 49. Copyright 2012 Bryan Cave• Combined effort of the White House, Department of Commerce, andthe FTC• Provides a framework for consumer privacy protections• Establishes 7 principles covering personal data– Transparency - Easily understandable policies and practices– Respect for Context - Collection and use consistent with context– Security - Secure and responsible handling– Access and Accuracy – Ability to access and correct– Focused Collection - Reasonable limits on collection and retention– Accountability - Appropriate measures to ensure compliance• Similarities to the principles adopted by economic organizations in Europeand Asia as wellConsumer Privacy Bill of RightsWhite House Privacy Framework
  50. 50. Copyright 2012 Bryan Cave• Industry codes of conduct– Voluntary privacy and security “codes of conduct”– Commerce Department National Telecommunications and InformationAdministration (NTIA) to facilitate creation in “select” industries– Other federal agencies may also convene industry stakeholders– Industries can also convene stakeholders absent NTIA• Encourages inclusive and transparent process• Enforcement authority– FTC to enforce codes of conduct– Violation constitutes a deceptive practice under Section 5 of the FTC Act– Adherence to codes to be looked upon “favorably” in FTC investigations• No immediate changes, but. . .Consumer Privacy Bill of RightsWhite House Privacy Framework
  51. 51. Copyright 2012 Bryan CaveLegislative ProposalsWhite House Privacy Framework• Provide FTC with direct authority to enforce some variant of the ConsumerPrivacy Bill of Rights– Potentially significant increase in FTC enforcement authority– Misrepresentations or unfair practices would no longer be required• Provide FTC with rulemaking authority to design a system for review andapproval of codes of conduct– Review period (180 days)– Open public comments– Approve or reject• Companies encouraged to create and comply with codes of conduct– Obtain greater clarity concerning the rules to which they will be held– Safe harbor status for compliance with an approved code
  52. 52. Copyright 2012 Bryan CaveMobile Applications
  53. 53. Copyright 2012 Bryan CaveMobile Applications
  54. 54. Copyright 2012 Bryan CaveMobile Applications
  55. 55. Copyright 2012 Bryan Cave• FTC report on Children’s Mobile App’s and Privacy (Feb. 16, 2012)– Large number of apps (75%) targeted at children (under 13)– Apps did not provide good privacy disclosures– Will conduct additional COPPA compliance reviews over the next 6 months• FCRA Warning letters (Feb. 2012)– FTC sent letters to marketers of 6 mobile apps– Warned that apps may violate Fair Credit Reporting Act (FCRA)– If apps provide a consumer report, must comply with FCRA requirements• FTC Dot Com Disclosures Workshop (May 30, 2012)– New guidance for advertisers on disclosures in the online and mobileenvironment– Focus on advancements and developments since the FTC issued its “Dot ComDisclosures” guidelines for online advertising disclosure (released in 2000)– Emphasis on the notion that consumer protection laws apply equally to onlineand mobile marketersAdditional ActivityMobile Applications
  56. 56. Copyright 2012 Bryan CaveMobile Applications
  57. 57. Copyright 2012 Bryan Cave• Released September 5, 2012• Reiterates that the mobile market is not different from the Internet• General “guidelines” or “principles” for mobile app developers– Tell the Truth About What Your App Can Do– Disclose Key Information Clearly and Conspicuously– Build Privacy Considerations in From the Start– Offer Choices that are Easy to Find and Easy to Use– Honor Your Privacy Promises– Protect Kids’ Privacy– Collect Sensitive Information Only with Consent– Keep User Data Secure• Acknowledges there can be no “one-size-fits-all” approach• But also states that the laws apply to all companiesFTC Guide To Marketing Mobile AppsMobile Applications
  58. 58. Copyright 2012 Bryan Cave• Expect more activity – discussion and enforcement• Particularly involving mobile apps directed at children• Review existing mobile applications for legal complianceAdditional ActivityMobile Applications
  59. 59. Copyright 2012 Bryan CaveWhat Should You Do?
  60. 60. Copyright 2012 Bryan Cave
  61. 61. Copyright 2012 Bryan CaveMake each use of dataA knowing (and compliant) use of data
  62. 62. Copyright 2012 Bryan CaveKnow your dataMap your data “ecosystem”
  63. 63. Copyright 2012 Bryan CaveData Mapping
  64. 64. Copyright 2012 Bryan CaveData MappingYou??
  65. 65. Copyright 2012 Bryan Cave• Increasing value means increasing scrutiny• Enforcement will continue (and may increase)– Actual security breaches are not required (nor dispositive)– Focus is on reasonable and appropriate measures– Companies held to privacy-related promises– Scope of personal information is growing• Enforcement actions are influencing and defining industry expectations(consumer expectations too?)• Premium on increased transparency into data practices• Your enforcement issue may not come from the FTC, but from apotential customer, financing source, or acquirerLessons LearnedConclusion
  66. 66. Copyright 2012 Bryan Cave• Institute procedures to secure sensitive information• Implement “privacy by design” concepts• Know your data, particularly sensitive data• Minimize the data collected– Collect only as needed– Hold only as long as needed• Map data collection, usage, and sharing• Prepare and adopt a written information security plan (WISP)– Address known risks– Prepare for a breach• Educate employees regarding the WISP• Manage vendors and contractors– Contractual provisions covering data transfer– Compliance monitoringBest PracticesConclusion
  67. 67. Thank You.Thank You.Jason