Privacy and Security Update: A Year in the Trenches Gerard M.


1 Privacy and Security Update: A Year in the Trenches Gerard M.

2 Privacy and Security in the Trenches

3 Agenda
 Security Breach Consequences
 Privacy by Design
 Regulatory Context and Law: the FTC
 Industry-Specific Privacy Laws
 Online Advertising
 Information Security
 Lessons Learned

4 Security Breach Consequences
 Enforcements
 Expensive Class Actions
 Investigations & Costs
Estimated costs to recover from privacy mistakes will range from $5-$20 million each (Source: Gartner)

5 Examples: Data Breach - Types
 Hacking
  –Phishing/spear phishing
  –Brute force attack
  –SQL injection
  –Advanced Persistent Threat (APT)
 Data theft or loss
  –Media stolen (e.g. laptops, thumb drives, tapes)
  –Data stolen (e.g. by current or former employee)
  –Data lost (e.g. in taxi or during data migration)
 Data leakage
  –Exposure to public (e.g. via web site)
  –Exposure to unauthorized person (e.g. wrong employee)
  –Sensitive data sent via unencrypted channel

6 Breach Notification Statutes
 No general federal requirement
 46 states have statutes
  –Differ on:
     What is a breach?
     Who must be notified?
     When must notification be made?
     What content must be in notification?

7 State Breach Notification Statutes
 What is a breach?
  –Unauthorized “access” or “acquisition” or both
  –Sometimes must lead to increased risk of harm or identity theft
 Apply when “Personal Information” is breached
  –Name PLUS any of the following: social security number, driver’s license number, state ID number, bank account or credit card numbers along with any required security access codes
 Notify
  –Affected Individuals
  –State regulators
  –Consumer reporting agencies


9 Privacy by Design

10 What is Privacy by Design?
  –Designing and building privacy protections into products and everyday business practices
  –Fostering a culture of privacy with executive-level commitment and employee training and awareness
  –Devising solutions that vary based on technology and sensitivity of underlying data
  –Concept introduced in Canada and being advanced by the FTC

11 Privacy by Design – Perceived Benefits
 Create efficiencies and reduce risk
 Cut costs
 Reduce exposure
 Create a competitive advantage
 Save money

12 Current Regulatory Context and Law

13 Consumer Privacy Law in the U.S.
 Technology has driven the growth of privacy law
 Legislators and regulators have had to respond to technological changes that have radically altered the way companies collect, share, use, and maintain personally identifiable information
 Many of these laws respond to particular issues or concerns
 Result: sectoral approach (industry silos), overlaid with cross-industry requirements
 Contrast with omnibus approach in other regions (e.g., EU)

14 U.S. Consumer Privacy Law
Federal:
 Telemarketing & Consumer Fraud & Abuse Prevention Act (Telemarketing Sales Rule)
 Telephone Consumer Protection Act (TCPA)
 Junk Fax Prevention Act
 CAN-SPAM
 U.S./EU Safe Harbor
 Electronic Communications Privacy Act (ECPA)
 Fair Credit Reporting Act (FCRA) + FACTA
 GLB
 CPNI
 HIPAA
 SOX
 FTC Section 5
States:
 Spyware
 Social Security #s
 Data Security
 Breach Notification
 Data Disposal
 Point of Sale Data Collection
 ID Theft Legislation
 Security Freezes
 Shine the Light
 Credit Card Security

15 FTC Privacy Report – Major Principles
 Greater Transparency
 Privacy by Design
 Simplified Choice

16 Privacy by Design
 Envisions comprehensive data management procedures throughout the product/service lifecycle
 Incorporates substantive privacy protections into company practices
  –Data security
  –Reasonable collection limits
  –Sound retention practices
  –Data accuracy

17 Simplified Choice
 Consumers should have choice about both data collection and usage
 Choice mechanism should be offered at the point consumers provide data
 “Do Not Track” proposed as simplified choice mechanism
 Choice not required for a narrow set of practices
  –Fulfillment
  –Internal operations
  –Fraud prevention
  –Legal compliance
  –First-party marketing
  –Contextual advertising

18 Greater Transparency
 Clarity: Streamlined and standardized privacy notices
 Access: Reasonable access to consumer data
 Changes: Consumers must opt in before companies may use consumer data in a materially different manner than claimed when the data was collected
 Education: Increased need for consumer education regarding commercial privacy practices

19 Section 5 of the FTC Act “Unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful.” (1914)

20 A Practice is “DECEPTIVE” if:
 It is likely to mislead consumers
 Who are acting reasonably under the circumstances, and
 It would be material to their decision to buy or use the product.

21 FTC Policy Statement on Deception
“Deceptive” if it contains a statement, or omits information, that is likely to mislead consumers acting reasonably and is material to a consumer’s decision to buy or use.
Tell the Truth!

22 A Practice is “UNFAIR” if:
 It is likely to cause substantial consumer injury – physical or economic
 That is not reasonably avoidable by consumers themselves, and
 Is not outweighed by benefits to consumers or competition.

23 FTC Enforcement Focus
 Intentional violations of privacy promises
 Changes in privacy policies without adequate notice
 Failures to keep promises to maintain security of personal information
 Failures to adequately safeguard the privacy of consumer information

24 FTC Orders: Comprehensive Privacy Programs
The Google and Facebook consent orders contain “one of the most effective provisions in our many data security cases. We are requiring Google [and Facebook] to develop and maintain a comprehensive privacy program and obtain independent privacy audits every other year for the next 20 years.” – Julie Brill, FTC Commissioner

25 FTC Best Practices: Comprehensive Privacy Programs
 Designate responsible employees
 Perform privacy and security risk assessments, including
  –Employee training
  –Product design, development, and research
  –Prevention, detection, and response to intrusions
 Implement privacy controls appropriate for business, data use, and sensitivity of information to address risk
 Regularly test, monitor, and adjust privacy controls
 Police data supply chain and vendors

26 White House’s Consumer Privacy Bill of Rights
 Sets forth seven consumer data privacy rights
 Encourages business and industry associations to develop voluntary privacy protection codes
 Proposes that Congress pass legislation enacting recommendations, including federal data breach notification laws
 Expresses commitment to collaborate with international privacy laws, such as the European Data Privacy Directive

27 Seven Consumer Privacy Rights
 Individual Control: Give consumers control over how their data is collected
 Transparency: Clearly describe how, why, and for whom data is collected
 Respect for Context: Collection and use of data should be consistent with the scope and purpose of the primary business
 Security: Maintain reasonable data safeguards
 Access and Accuracy: Ensure that data is accurate
 Focused Collection: Only collect data necessary
 Accountability: For data protection and for disclosure to third parties

28 Industry-Specific Privacy Laws

29 Gramm-Leach-Bliley Act (GLBA)
 Applies to financial institutions
 Consumers vs. customers
 Required privacy notices to customers
 Opt-out rights for information sharing to certain parties
 Limits on how service providers can use information

30 Online Behavioral Advertising


32 “Online behavioral advertising – which is also sometimes called ‘interest-based advertising’ – uses information collected across multiple web sites that you visit in order to predict your preferences and to show you ads that are most likely to be of interest to you.” – Digital Advertising Alliance

33 Concerns With Online Behavioral Advertising
 FTC convened workshops to learn more
 Themes that emerged:
  –The amount of information collected has increased
  –Collection is invisible; consumers are unaware that information about web browsing is being collected
  –Consumers care about privacy
  –There is no longer any meaningful basis for distinguishing between personally and non-personally identifiable information
 BUT…
  –There are real benefits to information collection

34 February 2009 – FTC Report on Self-Regulatory Principles for OBA
 Called for the industry to adopt self-regulatory principles that incorporated:
  –Transparency and choice
  –Data security
  –Affirmative consent before a company could use previously collected data for a materially different purpose
  –Affirmative consent before collecting sensitive information for OBA purposes

35 Industry Created a Self-Regulatory Program in Response
 Self-Regulatory Principles for Online Behavioral Advertising released July 2009
 Advertising Option Icon announced and registration begins October 4, 2010
 Consumer Choice page launched November 2010
 Coalition turns to enforcement, operational implementation, and educational planning

36 The DAA Principles – July 2009
 Education
 Transparency
 Consumer Control
 Data Security
 Material Change to Existing OBA Policy/Practices
 Sensitive Data
 Accountability

37 Information Security

38 
 Privacy and Security: You can have security without privacy, but you cannot have privacy without security
 Most privacy-related enforcement and litigation results from inadequate security
 Information must be “reasonably” secured: it may not matter if the information is already public – information still may be expected to be secured, especially if representations were made
 Written policies and procedures coupled with technical controls: be wary of hindsight – if something could be easily and cheaply fixed, then the security may not be viewed as “reasonable”

39 Information Security (cont.)
 FTC Information Security Guidance Suggests:
  –Take Stock. Know what personal information you have in your files and on your computers.
  –Scale Down. Keep only what you need for business.
  –Lock It. Protect the information you keep.
  –Pitch It. Properly dispose of what you no longer need.
  –Plan Ahead. Create a plan to respond to security incidents.

40 Lessons Learned

41 Privacy and Security Assessments: Operational Trends
 Increasing utilization of ISO security standards mapped to regulations (GLB, HIPAA)
 Look to 3rd parties for validation and affirmation
 Enterprise-wide training
 Testing and validation of controls
 Integration with broader risk management

42 Privacy and Security Assessments: Policy Trends
 Advocacy for “accountability”-based standards
 Generally Accepted Privacy Practices (GAPP)
 OECD Guidelines
 Efforts to integrate privacy and security into comprehensive information governance
Can have security without privacy, but cannot have privacy without security…

43 Gerry Stegmaier

