1
Creating an Effective Application Privacy Policy
2
Legal Requirements for a Privacy Policy
• Online Privacy Act of 2003
• FTC recently ruled that Facebook deceived
users by telling them their data was private
while sharing it more broadly.
• No fine for Facebook; it was only required to undergo third-party reviews for
20 years
• Still a good idea to include a Privacy Policy to inform your users what
you collect and how their data is used
• Also required by most App Stores for Mobile.
3
Legal Requirements for a Privacy Policy
• Required if:
• You collect data on your users directly
• You use 3rd parties to collect data on your users
• Your App Store requires it (iOS, Android and Windows all require one)
• You have users in the EU (GDPR), CA (CCPA), Australia, UK, Canada, Singapore,
Malaysia…
• You collect data on children (COPPA) or minors in CA
• You collect data on students (SOPIPA)
• It’s a good idea anyway
• Err on the side of caution; regulations are moving quickly to require one
• It’s reassuring to your users
4
Pending Privacy Legislation (as of Feb 6th)
• New York City: requires a business to alert customers when using
biometric identification technology.
• New York State: requires businesses that retain personal user
information to make details of what is held available on demand,
together with details of any third party with which the data is shared.
• North Carolina: the state Attorney General has indicated an intention
to strengthen existing breach notifications, including ransomware
attacks.
5
Pending Privacy Legislation (as of Feb 6th)
• Oregon: introduced the Health Information Property Act which increases
the protections afforded by HIPAA
• Utah: introduced HB 57 which provides privacy for digital communications.
3rd parties wanting access would require a warrant from a judge.
• Virginia: introduced HB 2793 requiring “care and disposal of customer
records”.
• Washington: introduced Washington Privacy Act. Consumers will have the
right to access personal data being held, can demand its deletion if it is no
longer required for the purpose it was collected, restrict its use for direct
marketing, and know and object to it being sold to third parties.
6
Items to Include in a Privacy Policy
• Speak with your legal department first
• Gather information on:
• Which regulations
• Which demographics
• Which locations
• What data is collected
• Which third parties
• Duration of collection
7
Items to Include
1. What data will be collected – identifying or anonymous
2. How data is collected – not too much detail
3. How this data is shared, affiliated, or sent to other sites
4. State that if compelled by law to disclose data, you will.
5. Give option of verifying, correcting, changing or removing personal
registration information (required by GDPR)
6. Provide a way for people to opt out of future communication
7. State the policy will be updated periodically and how you will
communicate such changes
8
Cookie Policy
• Required by GDPR, recommended elsewhere
• GDPR requires
• Users to consent before JavaScript that collects tracking data is loaded
• Application creators to give an option to change cookie collection preferences
• Four Tiers of Cookies
• strictly necessary (e.g. account login related cookies)
• functionality (e.g. remembering users’ choices)
• tracking and performance (e.g. Google Analytics)
• targeting and advertising (e.g. Google AdSense, Google AdWords)
9
Mobile App Privacy Policies
What to include (similar to web)
• Identity: who is collecting the information as well as the company’s contact
details
• Types of Data: what categories of personal data the app will collect and
process
• Reason: why data processing is necessary and for what precise purpose the
collection is being performed
• Disclosures: whether the data in question will be disclosed to third parties
• User Rights: what rights users have including the right to the withdrawal of
consent and the deletion of data.
10
Mobile App Store Requirements
Required for Android apps if
• It uses the camera/mic
• It is designed for families/children
Required for iOS apps if
• It’s made for kids
• It offers automatically renewable in-app purchases
• It offers free subscriptions
• It allows for user registration
• It accesses a user’s existing account
• It collects user data
• It’s otherwise required by law
11
Notice vs. Consent
• Notice simply notifies the user of how their data will be collected or
used.
• Consent requires the user to accept how their data is collected.
• The difference is in both language and functionality
• Where consent is required, you cannot load data collection code before the user has consented
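The consent-before-load rule from the Cookie Policy and Notice vs. Consent slides, as an added illustration that is not part of the deck: tracking and advertising tags load only after the user has opted in, the strictly necessary tier loads regardless, and preferences can be changed later. The script catalogue, vendor URLs and tier identifiers are constructed placeholders.

```javascript
// Consent-gated loading of third-party scripts, grouped into the four cookie
// tiers named on the slide. The catalogue below and its URLs are constructed
// placeholders for this example, not real vendor tags.
const TIERS = [
  'strictly-necessary', 'functionality', 'tracking-performance', 'targeting-advertising',
];

// Each script is tagged with the tier of cookies it sets (constructed data).
const SCRIPT_CATALOG = [
  { id: 'session-keepalive', tier: 'strictly-necessary',    src: '/static/session.js' },
  { id: 'locale-memory',     tier: 'functionality',         src: '/static/prefs.js' },
  { id: 'analytics',         tier: 'tracking-performance',  src: 'https://analytics.example/tag.js' },
  { id: 'ads',               tier: 'targeting-advertising', src: 'https://ads.example/pixel.js' },
];

// Privacy by default: a user who does nothing gets only the strictly
// necessary tier, which needs no consent. Every other tier is opt-in.
function defaultPreferences() {
  return {
    'strictly-necessary': true,
    'functionality': false,
    'tracking-performance': false,
    'targeting-advertising': false,
    decidedAt: null,
  };
}

// Apply the choices made in the preferences dialog. The strictly necessary
// tier cannot be switched off and unknown tier names are ignored, so a
// tampered form cannot widen consent beyond the four known tiers.
function applyChoices(prefs, choices, now = Date.now()) {
  const next = { ...prefs, decidedAt: now };
  for (const [tier, on] of Object.entries(choices)) {
    if (tier === 'strictly-necessary' || !TIERS.includes(tier)) continue;
    next[tier] = on === true;
  }
  return next;
}

// True once the user has made an explicit decision; until then the banner
// is shown and only the strictly necessary tier loads (notice is not consent).
function hasDecided(prefs) {
  return prefs !== null && prefs !== undefined && typeof prefs.decidedAt === 'number';
}

// Ids of catalogue entries the current preferences permit. Anything in a
// non-consented tier is filtered out here, before any loader sees it.
function scriptsPermitted(prefs, catalog = SCRIPT_CATALOG) {
  return catalog.filter((s) => prefs[s.tier] === true).map((s) => s.id);
}

// Tiers the user has withdrawn consent from compared with an earlier state.
// Scripts already executed cannot be unloaded, so the caller should clear
// that tier's cookies and stop further loads.
function tiersWithdrawn(before, after) {
  return TIERS.filter((t) => before[t] === true && after[t] !== true);
}

// Append <script> tags for permitted entries only. Outside a browser (no
// document) it just reports what it would have loaded, so the logic above
// can be exercised headlessly.
function loadPermitted(prefs, catalog = SCRIPT_CATALOG, doc = globalThis.document) {
  const allowed = scriptsPermitted(prefs, catalog);
  if (!doc) return allowed;
  for (const s of catalog) {
    if (!allowed.includes(s.id) || doc.getElementById('tag-' + s.id)) continue;
    const el = doc.createElement('script');
    el.id = 'tag-' + s.id;
    el.src = s.src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return allowed;
}
```

In a page, call `loadPermitted(defaultPreferences())` at startup and again with the result of `applyChoices` once the user submits the banner or the preferences dialog.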
12
Defining a Policy Early Can Save Time
• Defining a privacy policy early can help guide development
• Drives Privacy by Design
• Limited Collection, Use, Retention
• What data do we need to collect?
• What data do we need to store?
13
7 Principles of Privacy by Design
1. Proactive & Preventative
2. Privacy by Default
3. Privacy Embedded into Design
4. Full Functionality with Privacy in Mind
5. End to End Security
6. Visibility and Transparency
7. Respect for Privacy
14
Proactive & Preventative
• Be Proactive with your privacy decisions, not reactive
• Anticipate and prevent data loss events
• Don’t wait for an event to occur before having this conversation
• Don’t “close the barn door after the
horse has bolted”
15
Privacy by Default
• “Falling into a Pit of Success”
• If a customer selects all default
settings or does nothing at all they
should be left in a secure state
• If a user signs up, their data should be protected by default
16
Privacy Embedded Into Design
• Think about privacy early
• Don’t try to add it on later
• Privacy should be integral to the system without diminishing
functionality
• Integrate privacy in a holistic and creative way
• Enable the functional goals of the application through the lens of
privacy and data protection
17
Full Functionality, Positive-Sum, Not Zero-Sum
• Tradeoffs shouldn’t be made to accommodate privacy
• Privacy vs. Security is a false dichotomy
• All interests and objectives must be clearly documented
• Find a solution that enables multi-functionality
18
End to End Security
• Consider security and privacy from start to finish
• Information is secured and protected when it
enters into the system
• It is retained safely
• It is destroyed safely
• Remember the data lifecycle: Capture, Maintenance, Synthesis, Usage, Publication, Archival, Purging
19
Visibility and Transparency
• Allow users and other involved parties to see how information moves
through the system
• Requires accountability, openness and compliance
• Be transparent about your system and the level of privacy and
security it provides
20
Respect for User Privacy
• Privacy should be a #1 concern
• Beyond compliance, privacy is a fundamental goal
• Once data is lost it cannot be protected again
• Like trying to put toothpaste back in the tube
21
What’s Wrong with This?
https://citibank.com/myacct/95126314/summary
22
Security Vulnerabilities Can Lead to Privacy Policy
Violations
• Classic example of an “Insecure Direct Object Reference”
• Also the cause for the Panera Bread data breach of 2018 where
as many as 37 million customer records were exposed.
23
Summary
• Privacy Policies should:
• Inform what/how data is collected and shared
• Give the user the ability to modify their data or opt out completely
• Include effective date and frequency of update
• Cookie Policies are required under many regulations
• Depending on the regulation, notice or consent may be required
• Privacy Policies should be managed and maintained by a central role
in the Privacy Office
24
Questions?
25
Thank You!
www.securityinnovation.com
Everyone who attended today’s session will receive:
• Webinar recording
• Copy of the presentation
Please join us February 28th for the finale of our Privacy in the SDL
webinar series: Privacy: The New Software Development Dilemma


Editor's Notes

  1. https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance. Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need. Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used. Facebook had a "Verified Apps" program and claimed it certified the security of participating apps. It didn't. Facebook promised users that it would not share their personal information with advertisers. It did. Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts. Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
  2. The point of this slide is to show that there is a drastically narrowing window of users for which you’re not required to have a privacy policy, so you might as well do it now. https://termly.io/resources/templates/privacy-policy-for-mobile-apps/#do-you-need-a-privacy-policy-for-your-mobile-app SOPIPA: Student Online Personal Information Protection Act
  5. http://www.smallbiztechnology.com/archive/2013/09/7-items-you-should-always-include-in-your-privacy-policy.html/
  6. https://termsfeed.com/blog/privacy-policy-mobile-apps/ https://termly.io/resources/templates/privacy-policy-for-mobile-apps/#do-you-need-a-privacy-policy-for-your-mobile-app
  7. The button text is different.
  8. https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf https://aristininja.com/wp-content/uploads/2018/01/privacy-by-design-principles.jpg https://medium.com/searchencrypt/7-principles-of-privacy-by-design-8a0f16d1f9ce
  9. Note, this section is to introduce people to these concepts, in section 4 we will go into more implementation guidelines
  10. What’s wrong with this URL? ** Actual example, 2 years ago, 300,000 accts compromised ** Recent example! A CISO Summit conference we attended had this issue, 14,000 CISOs! email, company, bio, website, facebook, phone number, twitter, linkedin
  11. “Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months,” the researcher writes.