"Learn from others' mistakes to avoid making your own"
From the Privacy and Security session at Internet Summit 2010. This is the legal perspective of the three-part session. The presentation was given by Elizabeth Johnson of Poyner Spruill LLP in Raleigh, NC.
Ten Steps to Help Avoid a Major Privacy or Security Headache
1. Ten Steps to Help Avoid a Major Privacy or Security Headache
Learn from others' mistakes to avoid making your own
Elizabeth Johnson
ejohnson@poyners.com
919.783.2971
These materials have been prepared by Poyner Spruill LLP for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship.
2. Headache # 1: Over-promising in your website privacy notice
3. Examples of FTC Enforcement
• Life Is Good Retail, Inc.
– “We are committed to maintaining our customers’ privacy. … All information is kept in a secure file and is used to tailor our communications with you.”
• Twitter
– “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information.” Also repeatedly represented that tweets could be kept private
• Mandatory risk assessment, implementation of information security program, third party audits every other year for 10 or 20 years
4. Rx # 1: Update your website privacy notice with an eye to legal risk
• Don’t over-promise!!!
• Incorporate legal requirements
− International
− Federal
− State
• Anticipate unforeseen disclosures
− Security breaches
− Government requests
7. Headache # 2: Failure to implement a comprehensive security program
9. Some Examples of the FTC’s Allegations
• Using shared user IDs and passwords
• Storing and transmitting personal information in clear text
• Failure to require strong passwords
• Employees storing passwords within email accounts
• Failure to provide a company email system
• Failure to block users after a certain number of failed log-ins
• Allowing customers to store their user credentials in a vulnerable format in cookies on their computers
• Failure to use intrusion detection systems
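As an added illustration (not part of the presentation), the following Python sketches the hardened counterparts of four of the practices listed above: salted password hashing instead of clear-text storage, a minimum password policy, lockout after a fixed number of failed log-ins, and a signed session cookie in place of stored credentials. The signing secret and the account data are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

MAX_FAILED_LOGINS = 5   # lock the account after this many consecutive failures
PBKDF2_ROUNDS = 200_000
SERVER_SECRET = b"constructed-demo-secret"  # constructed; a real deployment loads this from a secret store


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """In-memory store: salted PBKDF2 hashes instead of clear text, per-user lockout."""
    def __init__(self):
        self._users = {}  # username -> {"salt", "hash", "failures"}

    def register(self, user: str, pw: str) -> None:
        # Strength policy: 12+ characters containing both letters and digits.
        if len(pw) < 12 or not any(c.isdigit() for c in pw) or not any(c.isalpha() for c in pw):
            raise ValueError("password does not meet strength policy")
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "hash": _hash(pw, salt), "failures": 0}

    def login(self, user: str, pw: str) -> str:
        """Return 'ok', 'bad' or 'locked'; a locked account rejects even the right password."""
        rec = self._users.get(user)
        if rec is None:
            return "bad"
        if rec["failures"] >= MAX_FAILED_LOGINS:
            return "locked"
        if hmac.compare_digest(_hash(pw, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        return "locked" if rec["failures"] >= MAX_FAILED_LOGINS else "bad"


def issue_session_cookie(user: str) -> str:
    """Cookie value carries a random session id plus an HMAC tag, never the password."""
    sid = secrets.token_hex(16)
    tag = hmac.new(SERVER_SECRET, f"{user}:{sid}".encode(), "sha256").hexdigest()
    return f"{user}:{sid}:{tag}"


def verify_session_cookie(cookie: str):
    """Return the user name if the cookie's HMAC tag checks out, else None."""
    user, sep, rest = cookie.partition(":")
    sid, sep2, tag = rest.partition(":")
    expected = hmac.new(SERVER_SECRET, f"{user}:{sid}".encode(), "sha256").hexdigest()
    return user if sep and sep2 and hmac.compare_digest(tag.encode(), expected.encode()) else None
```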
10. Rx # 2: Implement a reasonable security program
• Take into account
– Laws and regulations, both state and federal
– Case law and FTC enforcement actions
– Contracts
• WRITE IT DOWN!!!
11. Headache # 3: Failure to disclose your use of tracking features
Members of Congress are just as confused as this guy!
12. Rx # 3: Clearly describe your tracking
• Describe your use of tracking features
– Website privacy notice
– Pop-ups and tag lines
– Use of tracking icon
• FTC’s Self-Regulatory Principles for Online Behavioral Advertising
– Self-regulatory, but anticipate enforcement
• Understand the application of international law
• Beware of class action lawsuits
15. Rx # 4: Disclose information sharing practices
• Describe disclosures in privacy notice
– Stated broadly to treat unforeseen circumstances
• Revisit and update the notice frequently to capture changes in business model
• Require others to abide by your privacy notice
– Service providers
– Apps
– Advertisers
• Sanction disobedience
– Facebook requiring deletion of data collected by apps to date
18. Headache # 5: User-generated content
• Defamation/Libel
• “Cyberbullying”/harassment
• Infliction of emotional distress
• Publication of private facts/invasion of privacy
• Hostile work environment/discrimination/etc.
19. Rx # 5: Prohibit problem material and review content
• Strong terms of use
• Review content
− Front end v. back end
− In whole v. in part
− Guidelines for employees
21. Social Media Risks
• FTC’s Guide Concerning the Use of Endorsements and Testimonials in Advertising
• Security breach
• NLRB lawsuit
• Stored Communications Act liability
Ban all use of social media?
22. How Powerful Is Twitter?
Conan O’Brien
“I had a show. Then I had a different show. Now I have a Twitter account.”
23. Twitter Popularity
• Conan O’Brien - #76 with 1.8M+ followers (just prior to premiere of TBS show)
• More popular than Larry King, John McCain and Nick Jonas
• But less popular than “$#*! My Dad Says” - #75
– “I’m 29. I live with my 74-year-old dad. He is awesome. I just write down s*** that he says.”
24. Rx # 6: Mitigate risk with a well-crafted policy
• Understand ALL the legal risks and requirements when drafting the policy
• Train employees
• Monitor their posts (but watch out for the SCA, the Stored Communications Act)
• Communicate risks to management
• Don’t let privacy and security risks keep you from engaging in the business of social media
25. Headache # 7: Breaches happen
• 46 states require breach notification
• More than 500 million records affected
• Average cost of a breach is more than $6.7M
• Notice due in as little as 10 days
26. Rx # 7: Plan for it now
• Develop a response plan
– Reporting
– Escalation
– Evaluation
• Identify a response team
• Consider outside support team
– Lawyers
– Security consultants
– Credit monitoring
27. Headache # 8: Service provider screw-ups
[Graph: Ponemon Institute data on service provider breaches]