Client Advisory Note - Obama's Privacy Action Plan
CONTACT US US: 888.878.7830 www.truste.com | EU: +44 (0) 203 078 6495 www.truste.eu
POWERING TRUST in the Data Economy
The Obama Administration’s Action Plan
for Protecting Consumer Privacy
Understanding What This Means For Your Business
February 2015
Prepared by Debra Farber, JD, CISSP, CIPP/US, CIPM, CIPT
Sr. Consultant and Product Manager, TRUSTe
In January, President Obama outlined a detailed plan to protect consumer privacy and
combat identity theft through his remarks at the FTC, the NCCIC and the State of the
Union Address. This plan includes a combination of proposed legislation, executive agency
activities and industry participation. The broad contours of this plan are:
1. Introduce Federal Breach Notification Requirements.
2. Safeguard Student Data in the Classroom and Beyond.
3. Promote Innovation by Improving Consumer Confidence Online.
4. Support Public and Private Sector Initiatives to Tackle Emerging Privacy Issues.
5. Continue to Fight Identity Theft.
This memorandum summarizes the three key new legislative proposals and the commitments
to new and existing initiatives to tackle emerging privacy issues, and outlines six practical
steps you can take to prepare for the proposed changes.
Please note that this memorandum is intended as a general overview of the subject matter
and cannot be regarded as legal advice. This is a summary and not a full analysis of how the
Obama Administration’s proposals may affect your business.
1. Introduce Federal Breach Notification Requirements
The Personal Data Notification Protection Act: The first new piece of proposed legislation is highly
timely in the wake of the Anthem security breach. It relates to the obligations of a business to let impacted
individuals know when there has been a security breach. The Act would create a standardized federal
breach notification requirement meaning that companies would no longer need to refer to each state’s
breach notification requirements. However, there are some key additional elements which companies
should be aware of:
• The Act would establish a 30–day notification requirement from the discovery of a data breach.
This means companies will need to have efficient means to perform scope and root–cause analysis
in order to comply with the time requirement.
• There is no per se Safe Harbor for encryption, or for the unintentional, good faith acquisition by
an employee.
• The definition of Sensitive Personal Information is expanded to be closer to the European
definition.
• Reputational harm is recognized as an actual “injury” for purposes of standing and recovery (it
used to be limited to pecuniary injury).
• While notice to an individual isn’t always necessary (where there is no “reasonable risk of harm”),
the risk analysis that a company must undertake to make such a determination has to be provided
to the FTC.
• If you impact more than 5,000 people with your breach, you have to notify the media.
2. Safeguard Student Data in the Classroom and Beyond
The Student Digital Privacy Act: The President proposed new legislation designed to provide teachers and
parents with confidence that student data will be gathered and used responsibly, while enabling teaching
and learning via the use of new technologies. At present, the bill has not been released to the public for
analysis. However, the President’s remarks indicate the following:
• The Act would prevent personal data collected in the educational context from being used except
for educational purpose(s). Secondary uses would therefore be prohibited.
• The Act would permit research initiatives aimed at improving student learning outcomes and
efforts by companies to continuously improve the effectiveness of their learning technology
products.
• The Act would prevent companies from selling student data to third parties for purposes
unrelated to the educational mission.
• The Act would prevent companies from engaging in targeted advertising to students based on
data collected in schools.
New Commitments from the Private Sector to Help Enhance Privacy for Students
• 75+ companies, led by the Future of Privacy Forum and the Software and Information Industry
Association, have committed to protect student privacy by pledging to provide parents, teachers
and kids with important protections against misuse of their data.
• President Obama challenged other companies to also sign the pledge.
New Tools from the Department of Education to Empower Educators Around the Country
and Protect Students
• The Department of Education’s (“DOE”) Privacy Technical Assurance Center (“PTAC”) will
continue to expand its “one–stop” resource for education stakeholders to learn about data
privacy, confidentiality, and security practices related to student–level longitudinal data systems
and other uses of student data.
• The DOE issued new model terms of service for educational organizations that are subject to
the Family Educational Rights and Privacy Act (“FERPA”) and the Protection of Pupil Rights
Amendment (“PPRA”):
Model Notification of Rights under FERPA for Elementary and Secondary Schools
FERPA Model Notice for Directory Information
Model Notification of Rights Under PPRA
• The DOE has committed to strengthening its training for teachers to ensure that educational data
are used appropriately and in accordance with educational missions.
3. Promote Innovation by Improving Consumer Confidence Online
Enact Consumer Privacy Bill of Rights Legislation: The Commerce Department announced that it has
completed its public consultation on revised draft legislation that enshrines the principles contained in the
administration’s 2012 Consumer Privacy Bill of Rights into law.
Shortly, the administration will release its revised legislative proposal. Based on the White House report,
we can expect the following contours to be a part of the proposed legislation:
• Transparency: Not just privacy policies. Just–in–time notices, simplified language and mobile
device optimized disclosures are all going to be important.
• Respect for Context: Manage the expectations of the data subject. Secondary use is fine as long as
it is expected. Still, that secondary use needs to be reasonably related to the originally agreed–to
use which was the basis for the collection in the first place.
• Security: Consumers have a right to secure and responsible handling of personal data.
• Access and Accuracy: Consumers have a right to access and correct personal data in usable
formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse
consequences to consumers if the data are inaccurate.
• Focused Collection: Don’t collect more than you need, and don’t store it longer than you have
to. This principle will be the hardest one on which to balance the company’s interest in innovation
against the individual’s interest in maintaining privacy.
• Accountability: First, companies must have a process in place to comply with the rules. Second,
enforcement will have teeth.
• Co–Regulation: The model set out in the APEC Cross Border Privacy Rules System could get
official recognition.
4. Support Public and Private Sector Initiatives to Tackle Emerging Privacy Issues
Voluntary Code of Conduct for Smart Grid Customer Data Privacy
• The Department of Energy and Federal Smart Grid Task Force released a new Data Privacy and
Smart Grid Voluntary Code of Conduct (“VCC”) for utilities and third parties aimed at protecting
electricity customer data, including energy usage data.
• The VCC was developed to improve consumer awareness, choice and consent, and controls on
access.
• The VCC aims to: (1) encourage innovation while appropriately protecting the privacy and
confidentiality of customer data and providing reliable, affordable electric and energy–related
services; and (2) provide customers with appropriate access to their own customer data.
5. Continue to Fight Identity Theft
Identify and Prevent Identity Theft
• Various credit industry giants are working to make credit reports available for free to 50% of
all adult Americans with consumer credit cards. Note that this is already the law under FACTA.
However, additional analytical tools are being developed to make the data more easily actionable.
Those with access to this tool can help spot identity theft earlier on through their banks, card
issuers or lenders.
Make Federal Payments More Secure to Help Drive the Market Forward
• President Obama issued an executive order in October 2014 that requires federal agencies to
upgrade to more secure chip–and–PIN technology for credit and debit card transactions. Major
private sector retailers have also committed to implement secure chip–and–PIN–compatible card
terminals in stores across the country.
Enhance the FTC’s Capability to Help Prevent Identity Theft
• The Federal Trade Commission (“FTC”) is currently developing a “one–stop” resource for
identity theft victims. The FTC plans to expand its information–sharing capabilities to ensure that
federal investigators can regularly report evidence of stolen financial and other information to
companies whose customers are directly affected.
Six Practical Steps to Prepare for the
Proposed Changes
1. Engage the Board and C–Suite
The current environment demands that businesses treat personal information as a valuable asset — both
to the business and to the individual data subject. Privacy and security are no longer esoteric topics to be
thought about only by specialists. These are now Board and C–Suite issues, and failure to address them can
generate real liability — for both the company and the individual officers and directors of the company.
2. Prepare for changes to Data Breach Notification Requirements
At a minimum, you will need to have the following components in place to deal with the requirements of any
national security breach notification law:
• Regular security and privacy audits
• Security Incident Response process
• Risk Assessment process
• Crisis Communications process
• Identified Executive Management responsible for these processes
3. Map Your Data Flows And Maintain A Data Inventory
Critical to the functioning of the above processes will be the resources to know what kind of data your business
manages, and where and how that data gets managed. Even a high–level, role–based data inventory will be
necessary for any of the above processes to operate in an “event”.
4. Have An Independent Review Of Your Privacy Practices
Having a third party review and verify your company’s privacy program is necessary, both from an internal
controls perspective and because of the benefit of outside expertise. In addition, if the third–party
reviewer is a Certification or Trustmark Provider, then once the Co–Regulatory provisions of the Privacy Bill of
Rights are passed, companies who engage such providers will have an additional layer of insulation from direct
regulatory scrutiny.
5. Work With Trusted Advisors To Stay Ahead Of Legislative Changes
No company can keep on top of all the different nuances that could negatively impact the business. To do so
would be overly distracting from the business at hand. Therefore, it is critical that businesses engage with experts
whose job it is to keep up with all the rapid changes in the privacy space. This way the business can stay
focused on its mission and still have a reasonable level of confidence that it is managing its privacy risks while
doing so.
6. Build Flexibility Into Your Privacy Program To Respond To Changes
As the more substantive parts of the President’s proposal start to gain traction, your Privacy Program can be
matured to include use restrictions, technology controls, and other elements used to implement whatever
obligations the enacted versions of the Consumer Privacy Bill of Rights and the Student Digital Privacy Act
impose. It is critical to have a framework which your company can use to quickly build additional “modules”
into its privacy program as new legislation is enacted.