
Ten Steps to Help Avoid a Major Privacy or Security Headache


"Learn from others' mistakes to avoid making your own"

From Privacy and Security session at Internet Summit 2010. This is the legal perspective of the 3 part session. This presentation was given by Elizabeth Johnson from Poyner Spruill LLP in Raleigh NC.

Published in: Technology, Business

  1. Ten Steps to Help Avoid a Major Privacy or Security Headache. Learn from others' mistakes to avoid making your own. Elizabeth Johnson, 919.783.2971. These materials have been prepared by Poyner Spruill LLP for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship.
  2. Headache # 1: Over-promising in your website privacy notice
  3. Examples of FTC Enforcement
     • Life Is Good Retail, Inc. – “We are committed to maintaining our customers’ privacy. … All information is kept in a secure file and is used to tailor our communications with you.”
     • Twitter – “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information.” Also repeatedly represented that tweets could be kept private
     • Mandatory risk assessment, implementation of information security program, third party audits every other year for 10 or 20 years
  4. Rx # 1: Update your website privacy notice with an eye to legal risk
     • Don’t over-promise!!!
     • Incorporate legal requirements
       − International
       − Federal
       − State
     • Anticipate unforeseen disclosures
       − Security breaches
       − Government requests
  5. Headache # 2: Failure to implement a comprehensive security program
  6. Some Examples of the FTC’s Allegations
     • Using shared user IDs and passwords
     • Storing and transmitting personal information in clear text
     • Failure to require strong passwords
     • Employees storing passwords within email accounts
     • Failure to provide a company email system
     • Failure to block users after a certain number of failed log-ins
     • Allowing customers to store their user credentials in a vulnerable format in cookies on their computers
     • Failure to use intrusion detection systems
  7. Rx # 2: Implement a reasonable security program
     • Take into account
       – Laws and regulations, both state and federal
       – Case law and FTC enforcement actions
       – Contracts
     • WRITE IT DOWN!!!
  8. Headache # 3: Failure to disclose your use of tracking features. Members of Congress are just as confused as this guy!
  9. Rx # 3: Clearly describe your tracking
     • Describe your use of tracking features
       – Website privacy notice
       – Pop-ups and tag lines
       – Use of tracking icon
     • FTC’s Self-Regulatory Principles for Online Behavioral Advertising
       – Self-regulatory, but anticipate enforcement
     • Understand the application of international law
     • Beware of class action lawsuits
  10. Headache # 4: Failing to disclose disclosures
  11. Rx # 4: Disclose information sharing practices
     • Describe disclosures in privacy notice
       – Stated broadly to treat unforeseen circumstances
     • Revisit and update the notice frequently to capture changes in business model
     • Require others to abide by your privacy notice
       – Service providers
       – Apps
       – Advertisers
     • Sanction disobedience
       – Facebook requiring deletion of data collected by apps to date
  12. Headache # 5: User-generated content
     • Defamation/Libel
     • “Cyberbullying”/harassment
     • Infliction of emotional distress
     • Publication of private facts/invasion of privacy
     • Hostile work environment/discrimination/etc.
  13. Rx # 5: Prohibit problem material and review content
     • Strong terms of use
     • Review content
       − Front end v. back end
       − In whole v. in part
       − Guidelines for employees
  14. Headache # 6: Employees doing dumb stuff online
  15. Social Media Risks
     • FTC’s Guide Concerning the Use of Endorsements and Testimonials in Advertising
     • Security breach
     • NLRB lawsuit
     • Stored Communications Act liability
     Ban all use of social media?
  16. How Powerful Is Twitter? Conan O’Brien: “I had a show. Then I had a different show. Now I have a Twitter account.”
  17. Twitter Popularity
     • Conan O’Brien – #76 with 1.8M+ followers (just prior to premier of TBS show)
     • More popular than Larry King, John McCain and Nick Jonas
     • But less popular than “$#*! My Dad Says” – #75
       – “I’m 29. I live with my 74-year-old dad. He is awesome. I just write down s*** that he says.”
  18. Rx # 6: Mitigate risk with a well-crafted policy
     • Understand ALL the legal risks and requirements when drafting the policy
     • Train employees
     • Monitor their posts (but watch out for SCA)
     • Communicate risks to management
     • Don’t let privacy and security risks keep you from engaging in the business of social media
  19. Headache # 7: Breaches happen
     • 46 states require breach notification
     • More than 500 million records affected
     • Average cost of a breach is more than $6.7M
     • Notice due in as little as 10 days
  20. Rx # 7: Plan for it now
     • Develop a response plan
       – Reporting
       – Escalation
       – Evaluation
     • Identify a response team
     • Consider outside support team
       – Lawyers
       – Security consultants
       – Credit monitoring
  21. Headache # 8: Service provider screw-ups
     • Ponemon graph? – Ponemon Institute
  22. Ouch! – Ponemon Institute
  23. Rx # 8: Diligence and strong contracts
  24. Headache # 9: FTC Initiatives and Enforcement
  25. Examples of FTC Initiatives
     • Self-Regulatory Principles for Online Behavioral Advertising
     • Endorsement Guides adapted to social media
     • Privacy and security enforcement
       – Unfair and deceptive trade practices
     • Do-Not-Track Registry
     • COPPA
     • Broader regulatory authority?
     • Monetary penalties?
  26. Rx # 9: Pay attention and get involved
  27. Headache # 10: Can you guess who??? The Honorable Judge Oscar Magi
  28. Rx # 10: Block all content from Italy
  29. Elizabeth Johnson, Poyner Spruill LLP, 919-783-2971
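Slide 6 lists "failure to block users after a certain number of failed log-ins" among the controls whose absence the FTC has treated as unreasonable security. The following is an added example, not from the presentation or from Poyner Spruill, of what that control looks like in code: a per-account failed-login counter with a sliding window and a temporary lockout, run over constructed sample attempts. The threshold, window and lockout durations are assumed policy values, not anything the slides state.

```python
"""Account lockout after repeated failed logins.

Added example (not from the slides). Policy values below are assumptions;
a real deployment would take them from its written security program.
"""
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed: lock after 5 failures ...
WINDOW_SECONDS = 600    # ... within a 10-minute sliding window
LOCKOUT_SECONDS = 900   # assumed: lock the account for 15 minutes


class LoginGuard:
    """Tracks recent failures per account and enforces a lockout."""

    def __init__(self, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires

    def _prune(self, user, now):
        # Drop failures older than the sliding window so stale
        # attempts do not count against the account forever.
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear state so the account starts fresh.
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record(self, user, password_correct, now):
        """Process one attempt; returns 'locked', 'ok' or 'fail'.

        A locked account is refused before the password is even
        considered, so a correct guess during the lockout still fails.
        """
        if self.is_locked(user, now):
            return "locked"
        if password_correct:
            self._failures[user].clear()
            return "ok"
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return "locked"
        return "fail"


# Constructed sample attempts: (timestamp_seconds, user, password_correct)
SAMPLE_EVENTS = [
    (0, "alice", False),
    (10, "alice", False),
    (20, "alice", False),
    (30, "alice", False),
    (40, "alice", False),   # fifth failure in the window -> locked
    (50, "alice", True),    # correct password, but account is locked
    (1000, "alice", True),  # lock expired at 40 + 900 = 940 -> ok
    (5, "bob", False),
    (700, "bob", False),    # bob's first failure has aged out of the window
]


def run(events, guard=None):
    """Replay attempts through the guard; returns [(user, outcome), ...]."""
    guard = guard or LoginGuard()
    return [(user, guard.record(user, ok, ts)) for ts, user, ok in events]


if __name__ == "__main__":
    for user, outcome in run(SAMPLE_EVENTS):
        print(f"{user:6s} {outcome}")
```

The guard checks the lock before validating the password so that a locked account reveals nothing about credential correctness, and it prunes by time rather than counting every failure ever seen, which keeps a legitimate user's occasional typo from accumulating into a lockout.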