Security Breach Consequences Privacy by Design Regulatory Context and Law: the FTC Industry-Specific Privacy Laws Online Advertising Information Security Lessons Learned Agenda
Security Breach Consequences Enforcements Expensive Class Actions Investigations & Costs Estimated costs to recover from privacy mistakes will range from $5-$20 million each Source: Gartner
Hacking –Phishing/spear phishing –Brute force attack –SQL injection –Advanced Persistent Threat (APT) Data theft or loss –Media stolen (e.g. laptops, thumb drives, tapes) –Data stolen (e.g. by current or former employee) –Data lost (e.g. in taxi or during data migration) Data leakage –Exposure to public (e.g. via web site) –Exposure to unauthorized person (e.g. wrong employee) –Sensitive data sent via unencrypted channel Examples: Data Breach - Types
No general federal requirement 46 states have statutes –Differ on What is a breach? Who must be notified? When must notification be made? What content must be in notification? Breach Notification Statutes
What is a breach? –Unauthorized “access” or “acquisition” or both –Sometimes must lead to increased risk of harm or identity theft Apply when “Personal Information” is breached –Name PLUS any of the following: social security number, driver’s license number, state ID number, bank account or credit card numbers along with any required security access codes. Notify –Affected Individuals –State regulators –Consumer reporting agencies State Breach Notification Statutes
What is Privacy by Design? –Designing and building privacy protections into products and everyday business practices –Fostering a culture of privacy with executive-level commitment and employee training and awareness –Devising solutions that vary based on technology and sensitivity of underlying data –Concept introduced in Canada and being advanced by the FTC
Privacy by Design – Perceived Benefits Create efficiencies and reduce risk Cut costs Reduce exposure Create a competitive advantage Save money
Consumer Privacy Law in the U.S. Technology has driven the growth of privacy law Legislators and regulators have had to respond to technological changes that have radically altered the way companies collect, share, use, and maintain personally identifiable information Many of these laws respond to particular issues or concerns Result: sectoral approach (industry silos), overlaid with cross-industry requirements Contrast with omnibus approach in other regions (e.g., EU)
U.S. Consumer Privacy Law Telemarketing & Consumer Fraud & Abuse Prevention Act (Telemarketing Sales Rule) Telephone Consumer Protection Act (TCPA) Junk Fax Prevention Act CAN-SPAM U.S./EU Safe Harbor States: Spyware Social Security #s Data Security Breach Notification Data Disposal Point of Sale Data Collection ID Theft Legislation Security Freezes Shine the Light Credit Card Security Electronic Communications Privacy Act (ECPA) Fair Credit Reporting Act (FCRA) + FACTA GLB CPNI HIPAA SOX FTC Section 5
FTC Privacy Report Major Principles Greater Transparency Privacy by Design Simplified Choice
Privacy by Design Envisions comprehensive data management procedures throughout the product/service lifecycle Incorporates substantive privacy protections into company practices –Data security –Reasonable collection limits –Sound retention practices –Data accuracy
Simplified Choice Consumers should have choice about both data collection and usage Choice mechanism should be offered at point consumers provide data “Do Not Track” proposed as simplified choice mechanism Choice not required for a narrow set of practices –Fulfillment –Internal operations –Fraud prevention –Legal compliance –First-party marketing –Contextual advertising
Greater Transparency Clarity: Streamlined and standardized privacy notices Access: Reasonable access to consumer data Changes: Consumers must opt in before companies may use consumer data in a materially different manner than claimed when the data was collected Education: Increased need for consumer education regarding commercial privacy practices
Section 5 of the FTC Act “Unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful.” (1914)
A Practice is “DECEPTIVE” if: It is likely to mislead consumers Who are acting reasonably under the circumstances, and It would be material to their decision to buy or use the product.
“ Deceptive” if it contains a statement, or omits information, that is likely to mislead consumers acting reasonably and is material to a consumer’s decision to buy or use. FTC Policy Statement on Deception Tell the Truth!
A Practice is “UNFAIR” if: It is likely to cause substantial consumer injury – physical or economic That is not reasonably avoidable by consumers themselves and Is not outweighed by benefits to consumers or competition.
FTC Enforcement Focus Intentional violations of privacy promises Changes in privacy policies without adequate notice Failures to keep promises to maintain security of personal information Failures to adequately safeguard the privacy of consumer information
FTC Orders: Comprehensive Privacy Programs “The Google and Facebook consent orders contain “one of the most effective provisions in our many data security cases. We are requiring Google [and Facebook] to develop and maintain a comprehensive privacy program and obtain independent privacy audits every other year for the next 20 years.” Julie Brill, FTC Commissioner
FTC Best Practices: Comprehensive Privacy Programs Designate responsible employees Perform privacy and security risk assessments, including –Employee training –Product design, development, and research –Prevention, detection, and response to intrusions Implement privacy controls appropriate for business, data use, and sensitivity of information to address risk Regularly test, monitor, and adjust privacy controls Police data supply chain and vendors
White House’s Consumer Privacy Bill of Rights Sets forth seven consumer data privacy rights Encourages business and industry associations to develop voluntary privacy protection codes Proposes that Congress pass legislation enacting recommendations, including federal data breach notification laws Expresses commitment to collaborate with international privacy laws, such as the European Data Privacy Directive
Seven Consumer Privacy Rights Individual Control: Give consumers control over how their data is collected Transparency: Clearly describe how, why, and for whom data is collected Respect for Context: Collection and use of data should be consistent with the scope and purpose of the primary business Security: Maintain reasonable data safeguards Access and Accuracy: Ensure that data is accurate Focused Collection: Only collect data necessary Accountability: For data protection and for disclosure to third parties
Gramm-Leach-Bliley Act (GLBA) Applies to financial institutions Consumers vs. customers Required privacy notices to customers Opt-out rights for information sharing to certain parties Limits on how service providers can use information
“Online behavioral advertising – which is also sometimes called ‘interest-based advertising’ – uses information collected across multiple web sites that you visit in order to predict your preferences and to show you ads that are most likely to be of interest to you.” – Digital Advertising Alliance
Concerns With Online Behavioral Advertising FTC convened workshops to learn more Themes that emerged: –The amount of information collected has increased –Collection is invisible; consumers are unaware that information about web browsing is being collected –Consumers care about privacy –There is no longer any meaningful basis for distinguishing between personally and non-personally identifiable information BUT…. –There are real benefits to information collection
February 2009 – FTC Report on Self- Regulatory Principles for OBA Called for the industry to adopt self-regulatory principles that incorporated: –Transparency and choice –Data security –Affirmative consent before a company could use previously collected data for a materially different purpose –Affirmative consent before collecting sensitive information for OBA purposes
Industry Created a Self-Regulatory Program in Response Self-Regulatory Principles for Online Behavioral Advertising released July 2009 Advertising Option Icon announced and registration begins October 4, 2010 Consumer Choice page launched November 2010 Coalition turns to enforcement, operational implementation, and educational planning
The DAA Principles – July 2009 Education Transparency Consumer Control Data Security Material Change to Existing OBA Policy/Practices Sensitive Data Accountability
Privacy and Security: You can have security without privacy, but you cannot have privacy without security Most privacy-related enforcement and litigation results from inadequate security Information must be “reasonably” secured: it may not matter if the information is already public – information still may be expected to be secured, especially if representations were made Written policies and procedures coupled with technical controls: be wary of hindsight – if something could be easily and cheaply fixed, then the security may not be viewed as “reasonable”
Information Security (cont.) FTC Information Security Guidance Suggests: –Take Stock. Know what personal information you have in your files and on your computers. –Scale Down. Keep only what you need for business. –Lock It. Protect the information you keep. –Pitch It. Properly dispose of what you no longer need. –Plan Ahead. Create a plan to respond to security incidents.
Privacy and Security Assessments: Operational Trends Increasing utilization of ISO security standards mapped to regulations (GLB, HIPAA) Look to 3 rd parties for validation and affirmation Enterprise-wide training Testing and validation of controls Integration with broader risk management
Privacy and Security Assessments: Policy Trends Advocacy for “accountability” – based standards Generally Accepted Privacy Practices (GAPP) OECD Guidelines Efforts to integrate privacy and security into comprehensive information governance Can have security without privacy, but cannot have privacy without security…