
Data Privacy & Security Update 2012


Update (mid 2012) on data privacy and data security regulation by the FTC and other federal government agencies.


  1. Update: Data Security & Privacy. June 7, 2012. Jason D. Haislmaier (@haislmaier). Copyright 2012 Bryan Cave
  2. This presentation is intended for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances, nor is it intended to address specific legal compliance issues that may arise in particular circumstances. Please consult counsel concerning your own situation and any specific legal questions you may have. The thoughts and opinions expressed in this presentation are those of the individual presenters and do not necessarily reflect the official or unofficial thoughts or opinions of their employers. For further information regarding this presentation, please contact the presenter(s) listed in the presentation. Unless otherwise noted, all original content in this presentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License available at:
  3. Data: Security, Privacy
  4. [slide image only]
  5. [slide image only]
  6. [slide image only]
  7. Data
     • Increasing importance
     • Increasing value
     • Increasing scrutiny
     • Increasing responsibility
  8. Data
     • Many challenges
     • Many changes
     • Many opportunities
  9. No specific comprehensive data privacy or security legislation (in the US)
  10. Legal Landscape: Longstanding EU Regulations
     • EU Data Protection Directive (95/46/EC)
     • Regulates the processing of personal data of EU subjects
       – Broad scope of “personal data”
       – Restricts processing unless stated conditions are met
       – Prohibits transfer to countries not offering adequate levels of protection
     • US Department of Commerce-negotiated “Safe Harbor Principles” enable transfers to US companies
       – Self-certification regime
       – Allows US companies to register as compliant
       – FTC oversight
     • Proposed overhaul in the works (announced Jan. 25, 2012)
  11. Legal Landscape: Growing Array of Relevant State Laws
     • State consumer protection statutes
       – All 50 states
       – Prohibitions on “unfair or deceptive” trade practices
     • Data breach notification statutes
       – At least 46 states (plus DC and various US territories)
       – Notification of state residents (and perhaps regulators) affected by unauthorized access to sensitive personal information
     • Data safeguards statutes
       – (Significant) minority of states
       – Safeguards to secure consumer information from unauthorized access
     • Data privacy statutes
       – Requirements for online privacy policies covering use and sharing of consumer information
       – Requirements on use of personal information for direct marketing purposes
  12. Legal Landscape: Industry-specific Federal Statutes
     • Consumer credit - Fair Credit Reporting Act (FCRA)
     • Financial services - Gramm Leach Bliley Act (GLBA)
     • Healthcare providers - Health Insurance Portability and Accountability Act (HIPAA)
     • Children (under 13) - Children’s Online Privacy Protection Act (COPPA)
     • Video content - Video Privacy Protection Act
     • Other statutes covering education, payment processing, etc.
  13. Legal Landscape: Federal Trade Commission (FTC)
  14. Legal Landscape: Federal Trade Commission Act (FTCA) (15 U.S.C. 41, et seq.)
  15. Legal Landscape: “Unfair or deceptive acts or practices”
  16. Legal Landscape: Federal Trade Commission Act (FTCA)
     • No specific privacy or security requirements
       – Broad prohibition on “unfair or deceptive acts or practices in or affecting commerce” (Section 5)
       – FTC uses Section 5 to target failures to implement “reasonable and appropriate” data security measures
       – Constituting unfair or deceptive practices
     • Increasingly active enforcement
       – More than 36 actions to date
       – Covering electronically stored data and information
       – Targeting privacy violations as well as security breaches
  17. Legal Landscape: Emerging Model
  18. Compliance: Emerging Model for Settlement and Compliance
     • 20 year term
     • Cease misrepresentations regarding practices for information security, privacy, confidentiality, and integrity
     • Conduct assessment of reasonably-foreseeable, material security risks
     • Establish comprehensive written information security and privacy program
     • Designate employee(s) to coordinate and be accountable for the program
     • Implement employee training
     • Conduct biannual independent third party audits to assess security and privacy practices
     • Implement multiple record-keeping requirements
     • Implement regular testing, monitoring, and assessment
     • Undergo periodic reporting and compliance requirements
     • Impose requirements on service providers
  19. Compliance: “Promises” not just Policies
  20. Compliance: “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users.” Jon Leibowitz, Chairman of the FTC, speaking on the settlement
  21. Compliance: “Innovation does not have to come at the expense of consumer privacy.” Jon Leibowitz, Chairman of the FTC, speaking on the settlement
  22. Compliance: “We’ve made a bunch of mistakes.” Mark Zuckerberg, CEO of Facebook, speaking on the settlement
  23. Compliance: Scope of “Personal Information”
  24. Compliance: In the Matter of UPromise, Inc. (FTC File No. 102 3116, Jan. 5, 2012)
  25. Compliance: In the Matter of Eli Lilly and Company (File No. 012 3214, January 18, 2002)
  26. Compliance: “Sensitive Information”
  27. Compliance: Sensitive Information
     • States have defined “sensitive information” to include SSN, driver’s license number, and financial account information
     • FTC has broadened this definition to include
       – Health information
       – Information regarding children
       – Geo-location information
     • Trend is toward more activity in these areas
     • Practical considerations
       – Know when/where you collect sensitive information
       – Consider seeking consent when using sensitive data for marketing purposes
       – Ensure that WISPs appropriately protect sensitive information
     • Note that these categories of sensitive information may not trigger a data breach notification requirement under state laws
  28. Compliance: WISPs (Written Information Security Plans)
  29. Compliance: WISPs
     • The “Safeguards Rule” under GLBA requires implementation of “written information security plans” (WISPs)
       – Describing the company’s program to protect customer information
       – Appropriate to the company, the nature and scope of its activities, and the level of sensitivity of the information
     • FTC consent orders now generally impose similar requirements
       – Implementation of a comprehensive information security program
       – Fully documented in writing
       – Reasonably designed to protect the security and privacy of covered information
       – Containing controls and procedures appropriate to the
         • Size and complexity of the business
         • Nature and scope of activities
         • Sensitivity of the covered information
     • Mass. state regs. also now require written information security policies for companies handling personal information about Mass. residents
  30. Compliance: “Reasonable and appropriate” security measures
  31. Compliance: U.S. v. RockYou, Inc. (N.D. Cal. Mar. 26, 2012)
  32. Compliance: U.S. v. RockYou
     • RockYou is an online social gaming service
     • Created an application for social networking sites allowing users to upload photos and music to create a slide show
     • When users registered for the app they were asked to provide email address and password
       – app also collected birth date, gender, etc.
     • RockYou represented that it used “commercially reasonable” security measures
     • All information actually stored only in plain text (unencrypted)
     • RockYou was hacked in December 2009
     • 32 million accounts affected, including information about 179,000 children
     • FTC settled for $250,000 and a 20 year injunction that imposes standard requirements (biannual third party risk assessments, etc.)
  33. Compliance: In the Matter of UPromise, Inc. (FTC File No. 102 3116, Jan. 5, 2012)
  34. Compliance: In the Matter of UPromise
     • UPromise is a membership reward service for saving for college
     • Provided toolbar application purporting to track user online activity and “provide college savings opportunities tailored to you”
     • App collected not only the web sites visited but information entered on some web pages
     • Information included user names, passwords, credit cards and expiration dates, financial account information, SSNs, etc.
     • All of this information was transmitted to UPromise unencrypted, despite statements that information was “automatically” encrypted
     • Over 150,000 consumers participated
     • FTC settled for a 20 year consent decree imposing standard requirements (biannual third party risk assessments, etc.)
  35. Compliance: Reasonable and Appropriate Security
     • RockYou and UPromise settlements provide guidance on what is not reasonable or appropriate
       – Collecting PII from consumers unnecessarily
       – Failing to test applications to ensure they are not collecting PII
       – Not training employees about security risks
       – Transmitting or storing sensitive information in unencrypted form
       – Failing to segment servers
       – Leaving systems susceptible to hacking (e.g., SQL injection attacks)
       – Failing to ensure that service providers or third-party developers employ reasonable and appropriate security
     • Other settlements add additional considerations
     • Practical considerations
       – Draft WISPs to prohibit these practices
       – Review for these practices in audits and risk assessments
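Two of the practices the RockYou and UPromise settlements call out (storing credentials in plain text and leaving a system open to SQL injection) have a direct shape in code, which is what an audit or risk assessment under a WISP would be looking for. The following Python example is added here and is not part of the presentation or either settlement: it shows a login lookup with both defects next to a hardened version that uses a parameterized query and stores only salted PBKDF2 password hashes. The user records and the in-memory SQLite database are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; nothing here comes from the cases discussed.
SAMPLE_USERS = [("alice@example.com", "correct horse"), ("bob@example.com", "hunter2")]


def build_plaintext_db():
    """'Before' schema: credentials stored exactly as entered (the plaintext storage
    the RockYou settlement describes)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def login_unsafe(db, email, password):
    """'Before' lookup: user input is spliced into the SQL text, so a crafted value
    changes the query instead of being compared as data; the password comparison
    is also against the plaintext column."""
    query = (
        f"SELECT email FROM users WHERE email = '{email}' AND password = '{password}'"
    )
    return db.execute(query).fetchone() is not None


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt is drawn for new records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def build_hardened_db():
    """'After' schema: no plaintext password column, only salt, work factor and digest."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, iterations INTEGER, digest BLOB)"
    )
    for email, password in SAMPLE_USERS:
        salt, iterations, digest = hash_password(password)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (email, salt, iterations, digest))
    return db


def login_safe(db, email, password):
    """'After' lookup: the email is bound as a parameter (never part of the SQL text),
    and the candidate password is hashed with the stored salt and compared in
    constant time against the stored digest."""
    row = db.execute(
        "SELECT salt, iterations, digest FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, iterations, stored_digest = row
    _, _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    before, after = build_plaintext_db(), build_hardened_db()
    print("plaintext db, correct password:", login_unsafe(before, "alice@example.com", "correct horse"))
    print("hardened db, correct password:", login_safe(after, "alice@example.com", "correct horse"))
    print("hardened db, wrong password:", login_safe(after, "alice@example.com", "wrong"))
```

The hardened table holds nothing that reverses to a password, so a copy of it (the RockYou scenario) exposes digests that still have to be brute-forced per user at 200,000 iterations each, and `login_safe` cannot have its `WHERE` clause rewritten by input because the driver binds `email` as a value. A review checklist built from slide 35 can look for exactly these two patterns: string formatting into SQL text, and a column that stores a secret rather than a keyed hash of it.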
  36. Compliance: Downstream obligations . . .
  37. Compliance: Requirements for Service Providers
     • FTC settlements require contractual restrictions on third party service providers
     • In the Matter of Google, Inc. (FTC File No. 102-3136, March 30, 2011)
  38. Compliance: Requirements for Service Providers
     • FTC settlements require contractual restrictions on third party service providers
     • Parallel newly effective Mass. regulation (201 CMR 17.03)
       – Requiring companies providing service providers with personal information about Mass. residents to contractually require the providers to “implement and maintain . . . appropriate security measures”
       – Went into full effect on March 1, 2012
     • Practical implications
       – Maintain a WISP with applicable policies
         • Storage, access, and transportation of information
         • Employees and downstream service providers
         • Disciplinary measures for violations
       – Conduct risk assessments, employee training, and security reviews
       – Investigate incidents and document follow-up action
  39. Where are we headed? . . . and what should you do?
  40. December 1, 2010
  41. March 26, 2012
  42. FTC Report: Background
     • Based on a yearlong series of privacy roundtables held by the FTC
     • Extensive comment period (more than 450 comments received)
     • Provides best practices for the protection of consumer privacy
     • Applicable to both traditional (offline) and online businesses
     • Intended to assist Congress as it considers privacy legislation
     • Not intended to serve as a template for law enforcement actions (but what about plaintiffs’ attorneys?)
  43. FTC Report: Privacy Framework
     • Proposed framework is based on several core concepts
       – Simplified consumer choice
  44. FTC Report: Privacy Framework
     • Proposed framework is based on several core concepts
       – Simplified consumer choice
       – Transparency
  45. FTC Report: Privacy Framework
     • Proposed framework is based on several core concepts
       – Simplified consumer choice
       – Transparency
       – Privacy by design
  46. FTC Report: Scope of Personal Information
     • Continued expansion of “personal information”
     • Codification of the definitions used in FTC settlements
     • Shades of the definition in the EU Data Protection Directive
     • Blurring of the line between PII and non-PII
     • When is information not PII?
  47. FTC Report: De-Identification of Personal Information
     • Data is not PII if it is not reasonably linkable to a specific consumer, computer or other device
     • Breaking the link
       – Take reasonable measures to ensure that data is de-identified
       – Publicly commit to not try to re-identify
       – Contractually prohibit downstream recipients from trying to re-identify
       – Take measures to silo de-identified data from PII
     • Cannot remove concerns by simply envisioning the sharing of only “de-identified” or anonymous data
     • Must actually follow FTC guidance
       – Prohibitions in privacy policies against re-identification
       – Provisions in vendor contracts regarding re-identification
       – Systems designed to silo off de-identified data
  48. FTC Report: Requirements for Affiliates and Subsidiaries
     • Historically, divergent privacy policies and practices regarding information sharing with corporate affiliates and subsidiaries
     • FTC Report views affiliates as “third parties” unless the affiliate relationship is “clear to consumers”
     • Common branding is cited as sufficient to make a relationship clear
     • Uncertainty remains
     • Practical implications
       – Disclose affiliate sharing in privacy policy
       – Consider opt-in for sharing sensitive information with affiliates
       – Opt-out for non-sensitive information
  49. February 23, 2012
  50. “Consumer Privacy Bill of Rights”
  51. White House Privacy Framework: Consumer Privacy Bill of Rights
     • Combined effort of the White House, Department of Commerce, and the FTC
     • Provides a framework for consumer privacy protections
     • Establishes 7 principles covering personal data
       – Transparency - Easily understandable policies and practices
       – Respect for Context - Collection and use consistent with context
       – Security - Secure and responsible handling
       – Access and Accuracy - Ability to access and correct
       – Focused Collection - Reasonable limits on collection and retention
       – Accountability - Appropriate measures to ensure compliance
     • Similarities to the principles adopted by economic organizations in Europe and Asia as well
  52. White House Privacy Framework: Consumer Privacy Bill of Rights
     • Industry codes of conduct
       – Voluntary privacy and security “codes of conduct”
       – Commerce Department National Telecommunications and Information Administration (NTIA) to facilitate creation in “select” industries
       – Other federal agencies may also convene industry stakeholders
       – Industries can also convene stakeholders absent NTIA
     • Encourages inclusive and transparent process
     • Enforcement authority
       – FTC to enforce codes of conduct
       – Violation constitutes a deceptive practice under Section 5 of the FTC Act
       – Adherence to codes to be looked upon “favorably” in FTC investigations
     • No immediate changes, but . . .
  53. White House Privacy Framework: Legislative Proposals
     • Provide FTC with direct authority to enforce some variant of the Consumer Privacy Bill of Rights
       – Potentially significant increase in FTC enforcement authority
       – Misrepresentations or unfair practices would no longer be required
     • Provide FTC with rulemaking authority to design a system for review and approval of codes of conduct
       – Review period (180 days)
       – Open public comments
       – Approve or reject
     • Companies encouraged to create and comply with codes of conduct
       – Obtain greater clarity concerning the rules to which they will be held
       – Safe harbor status for compliance with an approved code
  54. [slide image only]
  55. FTC Report on Mobile Apps: Mobile Applications
     • FTC has long stated that the mobile market is not different from the Internet
     • FTC report on Children’s Mobile Apps and Privacy (Feb. 16, 2012)
       – Large number of apps (75%) targeted at children (under 13)
       – Apps did not provide good privacy disclosures
       – Will conduct additional COPPA compliance reviews over the next 6 months
     • FCRA warning letters (Feb. 2012)
       – FTC sent letters to marketers of 6 mobile apps
       – Warned that apps may violate FCRA
       – If apps provide a consumer report, must comply with FCRA requirements
     • Expect more activity - discussion and enforcement
       • Particularly involving mobile apps directed at children
     • Review mobile applications for legal compliance
  56. What Should You Do?
  57. [slide image only]
  58. Make each use of data a knowing (and compliant) use of data
  59. Know your data: map your “ecosystem”
  60. Data Mapping
  61. Data Mapping: You ?
  62. Conclusion: Lessons Learned
     • Increasing value means increasing scrutiny
     • Enforcement will continue (and may increase)
       – Actual security breaches are not required (poor practices will suffice)
       – Companies held to privacy-related promises
       – Scope of personal information is growing
     • Enforcement actions are influencing and defining industry expectations
     • Premium on increased transparency into data practices
     • Your “enforcement” issue may not come from the FTC, but from a potential customer, financing source, or acquirer
  63. Conclusion: Best Practices
     • Institute procedures to secure sensitive information
     • Implement “privacy by design” concepts
     • Know your data, particularly sensitive data
     • Minimize the data collected
       – Collect only as needed
       – Hold only as long as needed
     • Map data collection, usage, and sharing
     • Prepare and adopt a written information security plan (WISP)
       – Address known risks
       – Prepare for a breach
     • Educate employees regarding the WISP
     • Manage vendors and contractors
       – Contractual provisions covering data transfer
       – Compliance monitoring
  64. Thank You. Jason Haislmaier (@haislmaier)