From executives to software developers and database administrators, each role plays an important part in protecting private data. But what does an effective privacy program look like for the teams that build and operate the software applications that power your enterprise?
This webcast will describe how to build powerful policies that can be easily understood and implemented in today’s continuous delivery and DevOps approaches.
Topics include:
Privacy Concerns for Software Applications
Threats, Regulations, and Laws
Guidelines for Building Privacy Policy
Privacy Engineering Principles
Data Collection, Retention, and Consent
This Webcast is ideal for policy makers, program leads, compliance managers, and privacy officers. Development and IT Operations teams will also gain valuable insight into how to protect data throughout the entire application lifecycle.
2. 2
Legal Requirements for a Privacy Policy
• California Online Privacy Protection Act (CalOPPA) of 2003
• In 2011 the FTC ruled that Facebook deceived users by telling them their
data was private while sharing it more broadly.
• No fine for Facebook; it was only required to submit to independent third-party
privacy audits for 20 years
• Still a good idea to include a Privacy Policy to inform your users what
you collect and how their data is used
• Also required by most App Stores for Mobile.
3. 3
Legal Requirements for a Privacy Policy
• Required if:
• You collect data on your users directly
• You use 3rd parties to collect data on your users
• Your app store requires one (iOS, Android and Windows all do)
• You have users in the EU (GDPR), CA (CCPA), Australia, UK, Canada, Singapore,
Malaysia…
• You collect data on children (COPPA) or minors in CA
• You collect data on students (SOPIPA)
• It’s a good idea anyway
• Err on the side of caution; regulations are moving quickly to require one
• It’s reassuring to your users
4. 4
Pending Privacy Legislation (as of Feb 6th)
• New York City: requires a business to alert customers when using
biometric identification technology.
• New York State: requires businesses that retain personal user
information to make details of what is held available on demand,
together with details of any third party with which the data is shared.
• North Carolina: the state Attorney General has indicated an intention
to strengthen existing breach notifications, including ransomware
attacks.
5. 5
Pending Privacy Legislation (as of Feb 6th)
• Oregon: introduced the Health Information Property Act which increases
the protections afforded by HIPAA
• Utah: introduced HB 57 which provides privacy for digital communications.
3rd parties wanting access would require a warrant from a judge.
• Virginia: introduced HB 2793 requiring “care and disposal of customer
records”.
• Washington: introduced Washington Privacy Act. Consumers will have the
right to access personal data being held, can demand its deletion if it is no
longer required for the purpose it was collected, restrict its use for direct
marketing, and know and object to it being sold to third parties.
6. 6
Items to Include in a Privacy Policy
• Speak with your legal department first
• Gather information on:
• Which regulations
• Which demographics
• Which locations
• What data is collected
• Which third parties
• Duration of collection
7. 7
Items to Include
1. What data will be collected – identifying or anonymous
2. How data is collected – not too much detail
3. How this data is shared, affiliated, or sent to other sites
4. State that if compelled by law to disclose data, you will.
5. Give option of verifying, correcting, changing or removing personal
registration information (required by GDPR)
6. Provide a way for people to opt out of future communication
7. State the policy will be updated periodically and how you will
communicate such changes
8. 8
Cookie Policy
• Required in the EU (GDPR-standard consent, applied to cookies through the ePrivacy Directive), recommended elsewhere
• GDPR requires
• The user to consent before any tracking script (e.g. analytics or advertising JavaScript) is loaded
• Application creators to give users a way to change their cookie preferences later
• Four Tiers of Cookies
• strictly necessary (e.g. account login session cookies)
• functionality (e.g. remembering the user’s choices)
• tracking and performance (e.g. Google Analytics)
• targeting and advertising (e.g. Google AdSense, Google AdWords)
9. 9
Mobile App Privacy Policies
What to include (similar to web)
• Identity: who is collecting the information as well as the company’s contact
details
• Types of Data: what categories of personal data the app will collect and
process
• Reason: why data processing is necessary and for what precise purpose the
collection is being performed
• Disclosures: whether the data in question will be disclosed to third parties
• User Rights: what rights users have including the right to the withdrawal of
consent and the deletion of data.
10. 10
Mobile App Store Requirements
Required for Android apps if
• It uses camera/mic
• Is designed for families/children
Required for iOS if
• It’s made for kids
• It offers automatically renewable in-app purchases
• It offers free subscriptions
• It allows for user registration
• It accesses a user’s existing account
• It collects user data
• It’s otherwise required by law
11. 11
Notice vs. Consent
• Notice simply notifies the user of how their data will be collected or
used.
• Consent requires the user to accept how their data is collected.
• Difference in language and in functionality
• If consent is required, data collection code must not be loaded until the user has given it; a notice banner that loads the tracker anyway is not consent
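The consent gate the two slides above describe, as an added example written for this page rather than code from the webcast: tracking and advertising scripts are injected only after the user opts in to that cookie tier, nothing is loaded while no answer has been recorded, and the choice can be changed later. The cookie name, its value format and the script URLs are assumptions.

```javascript
// Consent gate for a cookie policy: third-party scripts are injected only after
// the user has opted in to their tier, and the preference can be changed later.
// Added example; cookie name, value format and script URLs are assumptions.

const CONSENT_COOKIE = "cookie_consent";

// Cookie tiers from the policy. "necessary" never needs consent; the others
// default to off (privacy by default) until the user opts in.
const OPTIONAL_TIERS = ["functionality", "performance", "advertising"];

// Third-party scripts per tier (constructed placeholder URLs).
const TIER_SCRIPTS = {
  performance: ["https://analytics.example/collect.js"],
  advertising: ["https://ads.example/tag.js"],
};

// Parse document.cookie ("sid=abc; cookie_consent=performance:advertising").
// `recorded` is false when the user has never answered: "no answer yet" must
// not be treated as either a yes or a no.
function parseConsent(cookieHeader) {
  const consent = { recorded: false, necessary: true };
  for (const tier of OPTIONAL_TIERS) consent[tier] = false;
  const m = new RegExp("(?:^|;\\s*)" + CONSENT_COOKIE + "=([^;]*)").exec(cookieHeader || "");
  if (!m) return consent;
  consent.recorded = true;
  for (const tier of m[1].split(":")) {
    if (OPTIONAL_TIERS.includes(tier)) consent[tier] = true;
  }
  return consent;
}

// Serialize the user's choices as a cookie string. Only the optional tiers are
// stored; Max-Age of one year makes the question re-askable.
function serializeConsent(choices) {
  const granted = OPTIONAL_TIERS.filter((tier) => choices[tier] === true);
  return CONSENT_COOKIE + "=" + granted.join(":") +
    "; Max-Age=31536000; Path=/; SameSite=Lax; Secure";
}

// Scripts that may be loaded under the given consent state. With nothing
// recorded this is empty: no tracker before consent.
function scriptsAllowed(consent) {
  if (!consent.recorded) return [];
  const urls = [];
  for (const tier of Object.keys(TIER_SCRIPTS)) {
    if (consent[tier]) urls.push(...TIER_SCRIPTS[tier]);
  }
  return urls;
}

// Browser glue. `doc` is the DOM document, passed in so the logic is testable.
// Returns whether the banner must be shown and which URLs were injected.
function applyConsent(doc) {
  const consent = parseConsent(doc.cookie);
  const urls = scriptsAllowed(consent);
  for (const url of urls) {
    const el = doc.createElement("script");
    el.src = url;
    el.async = true;
    doc.head.appendChild(el);
  }
  return { needsBanner: !consent.recorded, loaded: urls };
}

// Called from the banner or the "cookie preferences" page. Withdrawing consent
// cannot unload a script that is already running, so the page must be reloaded
// after a downgrade.
function saveConsent(doc, choices) {
  doc.cookie = serializeConsent(choices);
  return parseConsent(doc.cookie);
}
```

On page load call `applyConsent(document)` and show the banner when `needsBanner` is true; the banner and the preferences page both end in `saveConsent(document, choices)`. Keeping the consent cookie on the first-party domain with `SameSite=Lax` and `Secure` means the preference itself cannot be read by the trackers it controls.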
12. 12
Defining a Policy Early Can Save Time
• Defining a privacy policy early can help guide development
• Drives Privacy by Design
• Limited Collection, Use, Retention
• What data do we need to collect?
• What data do we need to store?
13. 13
7 Principles of Privacy by Design
1. Proactive & Preventative
2. Privacy by Default
3. Privacy Embedded into Design
4. Full Functionality with Privacy in Mind
5. End to End Security
6. Visibility and Transparency
7. Respect for Privacy
14. 14
Proactive & Preventative
• Be Proactive with your privacy decisions, not reactive
• Anticipate and prevent data loss events
• Don’t wait for an event to occur before having this conversation
• Don’t “close the barn door after the horse has bolted”
15. 15
Privacy by Default
• “Falling into a Pit of Success”
• If a customer selects all default settings or does nothing at all they should be left in a secure state
• If a user signs up, their data should be protected by default
16. 16
Privacy Embedded Into Design
• Think about privacy early
• Don’t try to add it on later
• Privacy should be integral to the system without diminishing
functionality
• Integrate privacy in a holistic and creative way
• Enable the functional goals of the application through the lens of
privacy and data protection
17. 17
Full Functionality, Positive-Sum, Not Zero-Sum
• Tradeoffs shouldn’t be made to accommodate privacy
• Privacy vs. Security is a false dichotomy
• All interests and objectives must be clearly documented
• Find a solution that enables multi-functionality
18. 18
End to End Security
• Consider security and privacy from start to finish
• Information is secured and protected when it
enters into the system
• It is retained safely
• It is destroyed safely
• Remember the data lifecycle: Capture → Maintenance → Synthesis → Usage → Publication → Archival → Purging
19. 19
Visibility and Transparency
• Allow users and other involved parties to see how information moves
through the system
• Requires accountability, openness and compliance
• Be transparent about your system and the level of privacy and
security it provides
20. 20
Respect for User Privacy
• Privacy should be a #1 concern
• Beyond compliance, privacy is a fundamental goal
• Once data is lost it cannot be protected again
• Like trying to put toothpaste back in the tube
22. 22
Security Vulnerabilities Can Lead to Privacy Policy Violations
• Classic example: an “Insecure Direct Object Reference”, where a record is
fetched by a client-supplied identifier with no check that the caller is entitled to it
• Also the cause of the Panera Bread data breach of 2018, where
as many as 37 million customer records were exposed.
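The Insecure Direct Object Reference pattern from the slide, shown as an added example (not code from the webcast or from any breached site): a profile endpoint that looks up whatever id the client sends, beside the hardened handler that binds the record to the authenticated session, and a scan function that shows what an enumeration attempt harvests from each. The account records, the request shape and the id range are constructed.

```javascript
// Insecure direct object reference: vulnerable handler beside the fix.
// Added example; records and request shape are constructed.

// Constructed account store (sample data).
const ACCOUNTS = new Map([
  [1001, { id: 1001, email: "alice@example.com", phone: "+1-555-0100" }],
  [1002, { id: 1002, email: "bob@example.com",   phone: "+1-555-0101" }],
  [1007, { id: 1007, email: "carol@example.com", phone: "+1-555-0102" }],
]);

// Vulnerable: the record is selected by a client-controlled id and the handler
// never asks who is calling. Sequential ids make walking the table trivial.
function profileVulnerable(req) {
  const rec = ACCOUNTS.get(Number(req.query.id));
  return rec ? { status: 200, body: rec } : { status: 404, body: null };
}

// Hardened: the record is bound to the authenticated principal. A client id
// that disagrees with the session is rejected, and is worth alerting on: one
// session asking for other people's ids is what an enumeration scan looks like.
function profileHardened(req) {
  const userId = req.session && req.session.userId;
  if (!Number.isInteger(userId)) return { status: 401, body: null };
  if (req.query.id !== undefined && Number(req.query.id) !== userId) {
    return { status: 403, body: null };
  }
  const rec = ACCOUNTS.get(userId);
  return rec ? { status: 200, body: rec } : { status: 404, body: null };
}

// What an attacker's scan does against either handler: walk an id range and
// keep every record that comes back. Returns the harvested e-mail addresses.
function enumerate(handler, session, from, to) {
  const found = [];
  for (let id = from; id <= to; id++) {
    const res = handler({ session, query: { id: String(id) } });
    if (res.status === 200) found.push(res.body.email);
  }
  return found;
}
```

The fix is the authorization check, not the identifier: switching to random UUIDs slows a scan down but still leaks every record whose id the attacker learns some other way, so treat unguessable ids as defence in depth only.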
23. 23
Summary
• Privacy Policies should:
• Inform what/how data is collected and shared
• Give the user the ability to modify their data or opt out completely
• Include effective date and frequency of update
• Cookie Policies are required by many regulations
• Depending on regulation may require notice or consent
• Privacy Policies should be managed and maintained by a central role
in the Privacy Office
25. 25
Thank You!
www.securityinnovation.com
Everyone who attended today’s session will receive:
• Webinar recording
• Copy of the presentation
Please join us February 28th for the finale of our Privacy in the SDL
webinar series: Privacy: The New Software Development Dilemma
Editor's Notes
https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep
In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance.
Facebook represented that third-party apps that users' installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
Facebook promised users that it would not share their personal information with advertisers. It did.
Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
The point of this slide is to show that there is a drastically narrowing window of users for which you’re not required to have a privacy policy, so you might as well go it now.
https://termly.io/resources/templates/privacy-policy-for-mobile-apps/#do-you-need-a-privacy-policy-for-your-mobile-app
SOPIPA: Student Online Personal Information Protection Act
Note, this section is to introduce people to these concepts, in section 4 we will go into more implementation guidelines
What’s wrong with this URL
**actual example - 2 years ago - 300,000 accts compromised
** recent example! CISO Summit conference we attended had this issue, 14,000 CISOs!
email, company, bio, website, facebook, phone number, twitter, linkedin
“Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months,” the researcher writes.