Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering - 25 Feb 2019

  1. Privacy @ big tech 2/25/19 Polina Zvyagina Privacy Counsel @Airbnb European Entrepreneurship @ Stanford
  2. Agenda ● Who I am ● Why Privacy matters - The law, the industry, consumer expectation ● Why now? ● “How to” Privacy
  3. Privacy & Security Counsel ● Privacy Legal team based out of HQ ○ Data Protection Officer in Ireland ● We set policies for the whole company related to data use ● We support your product counsel in helping to draft notifications, help with UI flow, adjust policies, resolve issues as they come up ● We work on scalable Privacy solutions such as: ○ GDPR Efforts ○ Training ○ Privacy by Design ○ Self-service playbooks
  4. Introduction to Privacy Law
  5. ● Privacy-Related mistakes can cost 4% of global annual turnover ● 60% of breaches are caused by human error ● Equifax Breach Cost $400M
  6. Complex Regulatory Framework ● US Law: ○ Section 5 of the FTC Act: Unfair and deceptive acts and practices ■ + FTC recommendations ○ SCA, FCRA, TCPA ○ State by state data breach notification, CCPA, wiretap laws ○ Industry-specific laws: financial (GLBA), children’s marketing (COPPA) ● Europe: GDPR, Directive 2002/58/EC ● APAC ○ Every country has its own set of privacy laws, but the strictest are: ■ Singapore, South Korea, Japan, Australia Lots of regulators
  7. GDPR Case Studies: Lessons learned
     Google (UK 2019)
       Summary: Bundled consent made it unclear to the users of Android phones how their data would be used across all of Google’s products. Didn’t make it clear that account creation is not necessary for all phone features.
       Damage: $57 Million
       Lesson: Minimize the data used for each purpose. Track consent. Do not use data collected for one purpose for another purpose. Easy UI with fewer clicks that explains how data is used.
  8. GDPR Case Studies: Lessons learned
     Facebook (UK 2018)
       Summary: Improper sharing of data
       Damage: £500,000 fine by the UK's ICO, a congressional hearing, and an unprecedented formal apology from Zuckerberg
       Lesson: For all data sharing with third parties, complete a security assessment and implement recommendations (air/security-review)
  9. Future of Privacy Law ● Consumers and regulators are only becoming more savvy to how companies use their data and they want more control ○ CCPA ○ Pending Bills: ■ NJ, Conn, NY, Penn, SC, DC, RI ○ Biometric Data state laws: Illinois, Washington, Texas, New Hampshire ○ Federal Privacy Regulation? This is just the beginning
  10. Let’s define some terms ● Personal Data: Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by any kind of identifier (GDPR). This is not what you know of as PII, it’s much broader ● De-Identified: information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer (CCPA and GDPR) ● Privacy Policy: public-facing notice that advises the world and our users about how Airbnb collects, shares, stores, and uses Personal Data ● JIT Notification: Just-In-Time Notifications that advise users about very specific data uses, usually within the UI, either through a pop-up, toast or in-app notification ● Privacy by Design and Security by Default: being proactive, rather than reactive, when it comes to the treatment of user data ● Privacy Principles: Minimization, Purpose Limitation, Accuracy, Storage Limitation, Integrity and Confidentiality, Fairness and Transparency, Security
  11. Data & Trust
  12. TRUST ● Trust is hard to quantify but the loss of trust costs a lot of money ○ Fines under GDPR: 4% of the total worldwide annual turnover of the preceding year ○ Costs of breaches vary, but most recently: Uber is paying $148M to settle, Anthem $115M, Facebook TBD ○ These costs do not account for lost users, dips in signups and internal operational disruption ● Why do regulators care? Because people get hurt when their data is misused or not properly protected ● Regulators are not the only ones that care: consumer advocates, watchdogs, reporters & data subjects themselves Consumer trust requires: empathy, logic, authenticity Consumers’ trust of government and big organizations is at an all-time low
  13. Source of Truth ● Consumers read the Privacy Policy and JIT notifications to understand how we collect, use and store their data ● In the US, regulators read the Privacy Policy, use the product and look for deception ● Across the world, regulators rely on the Privacy Policy to understand how we collect, use and store consumer data, and they send investigative questions ● We recommend everyone, especially leadership, read the privacy policy and consider whether it accurately reflects all activities of your teams. ○ Our privacy policy is broad, so in most cases what you do should be within its realm ○ Certain products and features demand that we update the Privacy Policy ● The Privacy Policy is a catchall; internal policies are more strict! Airbnb Privacy Policy: Practice what you preach
  14. Other places we might make representations about privacy and data ● User Interface (UI)- info toolkits, just in time notifications ● How-to videos ● Help articles ● Conferences, Interviews with reporters & regulators ● Blog posts ● Emails we send to users ● Survey language ● Emails we send to try to get user stories ● Here’s a summary of companies under FTC consent decrees for 2017 (2018 report to come out in January)
  15. Privacy by Design
  16. Privacy Principles to Follow ● Privacy by Design extends to a trilogy of encompassing applications: ○ IT systems; ○ accountable business practices; and ○ networked infrastructure. ● Risk-based approach to how data is treated based on sensitivity of the data & volume of data ● Personal Data: ○ Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person ● Financial Data: Does not need to be Personal Data to be highly risky if mismanaged In every product decision
  17. Privacy By Design ● Proactive not reactive ● Privacy by default related to Personal Data ○ Tag data appropriately according to a data schema ● Privacy has to be embedded into the design process ● Full functionality: positive sum, not zero-sum ● End-to-end security ● Transparency ● Respect user privacy An excellent standard for the last 10 years, and now the law, under GDPR
  18. Privacy Principles ● Adherence to the following privacy principles: ○ Data minimization: this is the most common pitfall and the beginning of privacy decay ○ Identify the purpose of the collection ○ Limit the use of the data to only that purpose for which it was collected ○ Accuracy ○ Storage limitation ○ Integrity and confidentiality ○ Fairness and transparency ○ Security ● Consumer rights
  19. Privacy By Design in Practice ● Developing a new “product” requires going through a privacy analysis and doing a PIA ○ A “product” is: a business process/project/activity that proposes to use customer data in a new way. ■ Incorporating a data questionnaire into the product review process will help your counsel identify whether a new PIA is required. ○ While designing, Privacy counsel makes suggestions on how to minimize and mitigate privacy concerns ● The plan and the mitigations are documented in the PIA Privacy Impact Assessments
  20. Data Mapping
  21. Personally Identifiable Information vs Personal Data Whereas the European Union uses the term “Personal Data” in its laws and regulations, the United States’ laws and regulations use the term Personally Identifiable Information (PII). While PII may refer to information such as name, address, or birthdate, Personal Data is broader and may include things as broad as social media posts, transaction histories, and IP addresses. Definition: As defined by Airbnb, Personally Identifiable Information (PII) is any data that personally identifies or may be used to personally identify an individual. The U.S. Department of Commerce defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” PII differs from Personal Data in that Personal Data captures a wider range of information.
  22. Data Mapping and Data Tagging ● As companies grow, the amount of data they collect and the data architecture changes very quickly ● Data Inventory is a multi-team effort ○ Product Managers ○ Engineering ○ Data Science ○ Security ○ Legal ● Data must be tagged and mapped appropriately, so that we can know what data we have, where it’s stored and how it might be used. Behemoth Task
  23. Data Subject Rights
  24. Data Subjects’ Rights ● The right to access their personal data and obtain various other information, such as the purposes of the processing and who the personal data has been disclosed to ● The right to rectify inaccurate personal data ● The right to erasure ● The right to data portability, i.e. to receive their personal data in an easily transferable, machine-readable format ● A right ‘not to be subject to’ a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects the data subject ● A right to object to personal data processing.
  26. Case Studies: Appendix
  27. Data Breaches Case Studies: Lessons learned
     UPnProxy vulnerability
       Summary: ● exposed more than 45,000 routers to exploits linked to the EternalBlue malware created by the NSA, potentially exposing millions to hacker attacks ● Targets routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445. This allows the obfuscation and routing of malicious traffic to launch denial of service attacks and spread malware to other devices. This exploit in routers has led to around two million networked devices, such as laptops and smartphones, being open to attack. ● The attack relies on two exploits: EternalBlue, a backdoor developed by the NSA to target Windows computers; and its “sibling” exploit EternalRed, used to backdoor Linux devices.
       Damage: TBD
       Lesson: Scanning for the vulnerability; Testing for vulnerabilities
     Cathay Airlines
       Summary: personal data, from credit card details and passport numbers to physical addresses, stolen by cyber criminals
     British Airways
       Summary: had its website breached and data belonging to 380,000 customers stolen.
  28. Data Breaches Case Studies: Lessons learned
     Marriott (2018)
       Summary: exposed the personal information of some 500 million customers
       Damage: TBD
       Lesson: These significant breaches are indicative of how important it is to have robust security and data handling policies within an organization. They also highlight how difficult it can be to get ahead of motivated hackers and cyber criminals on a mission to steal data and sell or exploit it in nefarious ways.
  29. US Federal Trade Commission (FTC) Case Studies: Lessons learned
     Uber Technologies, Inc. (Oct 2018)
       Summary:
         - Inadequate internal access controls for user Personal Data. Despite Respondent’s representation that its practices would continue on an ongoing basis, Respondent has not always closely monitored and audited its employees’ access to Rider and Driver accounts since November 2014. Respondent developed an automated system for monitoring employee access to consumer personal information in December 2014, but the system was not designed or staffed to effectively handle ongoing review of access to data by Respondent’s thousands of employees and contingent workers.
         - Security statements in the Privacy Policy inaccurate. “Your information will be stored safely and used only for purposes you’ve authorized. We use the most up to date technology and services to ensure that none of these are compromised.” “I understand that you do not feel comfortable sending your personal information via online. However, we’re extra vigilant in protecting all private and personal information.” “All of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available.”
       Damage: 2014 Data Breach; 2016 Data Breach; Consent Agreement w/ FTC
       Lesson:
         - Prohibition against misrepresentations
         - Mandatory Privacy Program
         - Privacy Assessments by a third party (the reporting period for the Assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial Assessment, and (2) each 2-year period)
         - Implement reasonable access controls to safeguard data stored in the Amazon S3 Datastore. For example, Respondent failed to: i. require programs and engineers that access AWS to use distinct access keys, instead permitting all programs and engineers to use a single AWS access key that provided full administrative privileges over all data in the Amazon S3 Datastore; ii. restrict access to systems based on employees’ job functions; and iii. require multi-factor authentication for
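The access-control gaps listed in the Uber order (a single full-admin grant, permissions not scoped to a job function, no MFA requirement) can be caught mechanically by linting the IAM policy documents attached to each key or role. The checker below is an added example, not code from the talk or from Airbnb; the two policy documents are constructed (the bucket name example-datastore and the rider-support/ prefix are assumptions), and aws:MultiFactorAuthPresent is the standard AWS condition key.

```python
"""Lint IAM policy documents for broad S3 grants and missing MFA conditions.
Constructed sample policies; not any company's real configuration."""
import json

# Constructed example: the shape of a single shared key with full admin rights.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed example: a per-job-function grant scoped to one bucket prefix,
# only usable from an MFA-authenticated session.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-datastore",
                     "arn:aws:s3:::example-datastore/rider-support/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})


def _as_list(value):
    # IAM allows a bare string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def policy_findings(policy_json):
    """Return one finding string per problem in each Allow statement that
    can reach S3; an empty list means the policy passes these three checks."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"stmt {i}: wildcard S3 action, not scoped to a job function")
        if any(r in ("*", "arn:aws:s3:::*") for r in _as_list(stmt.get("Resource", []))):
            findings.append(f"stmt {i}: grants access to every S3 resource")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"stmt {i}: no aws:MultiFactorAuthPresent condition")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, policy_findings(doc) or ["ok"])
```

Distinct access keys per engineer and program (point i of the order) are an identity-management matter rather than a policy-document property, so this check covers points ii and iii only.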