Update: Data Security & Privacy
June 7, 2012

Jason D. Haislmaier
jason.haislmaier@bryancave.com
@haislmaier




            Copyright 2012 Bryan Cave
This presentation is intended for general informational purposes only and should not
be construed as legal advice or legal opinion on any specific facts or circumstances,
nor is it intended to address specific legal compliance issues that may arise in
particular circumstances. Please consult counsel concerning your own situation
and any specific legal questions you may have.
The thoughts and opinions expressed in this presentation are those of the individual
presenters and do not necessarily reflect the official or unofficial thoughts or
opinions of their employers.
For further information regarding this presentation, please contact the presenter(s)
listed in the presentation.
Unless otherwise noted, all original content in this presentation is licensed under the
Creative Commons Attribution-Share Alike 3.0 United States
License available at: http://creativecommons.org/licenses/by-sa/3.0/us.




Data
Security
Privacy




Data
 Increasing importance
     Increasing value
   Increasing scrutiny
Increasing responsibility


Data
 Many challenges
  Many changes
Many opportunities




No specific comprehensive
data privacy or security legislation
            (in the US)




Legal Landscape

Longstanding EU Regulations
 • EU Data Protection Directive (95/46/EC)
 • Regulates the processing of personal data of EU subjects
   – Broad scope of “personal data”
   – Restricts processing unless stated conditions are met
   – Prohibits transfer to countries not offering adequate levels of protection
 • US Department of Commerce-negotiated “Safe Harbor Principles” enable
   transfers to US companies
   – Self-certification regime
   – Allows US companies to register as compliant
   – FTC oversight
 • Proposed overhaul in the works (announced Jan. 25, 2012)




Legal Landscape

Growing Array of Relevant State Laws
 • State consumer protection statutes
    – All 50 states
    – Prohibitions on “unfair or deceptive” trade practices
 • Data breach notification statutes
    – At least 46 states (DC and various US territories)
    – Notification of state residents (and perhaps regulators) affected by
      unauthorized access to sensitive personal information
 • Data safeguards statutes
    – (Significant) minority of states
    – Safeguards to secure consumer information from unauthorized access
 • Data privacy statutes
    – Requirements for online privacy policies covering use and sharing of consumer
      information
    – Requirements on use of personal information for direct marketing purposes
Legal Landscape

Industry-specific Federal Statutes
 • Consumer credit - Fair Credit Reporting Act (FCRA)
 • Financial services - Gramm Leach Bliley Act (GLBA)
 • Healthcare providers - Health Insurance Portability and Accountability Act
   (HIPAA)
 • Children (under 13) - Children’s Online Privacy Protection Act (COPPA)
 • Video content - Video Privacy Protection Act
 • Other statutes covering education, payment processing, etc.




Legal Landscape




          Federal Trade Commission
                     (FTC)



Legal Landscape




      Federal Trade Commission Act (FTCA)
                  (15 U.S.C. 41, et seq)




Legal Landscape




      “Unfair or deceptive acts or practices”




Legal Landscape

Federal Trade Commission Act (FTCA)
 • No specific privacy or security requirements
    – Broad prohibition on “unfair or deceptive acts or practices in or affecting
      commerce” (Section 5)
    – FTC uses Section 5 to target failures to implement “reasonable and
      appropriate” data security measures, treating such failures as unfair or
      deceptive practices
 • Increasingly active enforcement
    – More than 36 actions to date
    – Covering electronically stored data and information
    – Targeting privacy violations as well as security breaches




Legal Landscape




              Emerging Model




Compliance

Emerging Model for Settlement and Compliance
 • 20 year term
 • Cease misrepresentations regarding practices for information security,
   privacy, confidentiality, and integrity
 • Conduct assessment of reasonably-foreseeable, material security risks
 • Establish comprehensive written information security and privacy program
 • Designate employee(s) to coordinate and be accountable for the program
 • Implement employee training
 • Conduct biannual independent third party audits to assess security and
   privacy practices
 • Implement multiple record-keeping requirements
 • Implement regular testing, monitoring, and assessment
 • Undergo periodic reporting and compliance requirements
 • Impose requirements on service providers
Compliance




             “Promises”
               not just
               Policies




Compliance




         “Facebook is obligated to keep the promises
         about privacy that it makes to its hundreds
         of millions of users.”

                           Jon Leibowitz
                           Chairman of the FTC
                           Speaking on the           settlement




Compliance




         “Innovation does not have to come at the
         expense of consumer privacy.”

                          Jon Leibowitz
                          Chairman of the FTC
                          Speaking on the           settlement




Compliance




         “We've made a bunch of mistakes.”


                          Mark Zuckerberg
                          CEO of Facebook
                          Speaking on the           settlement




Compliance




        Scope of “Personal Information”




Compliance




             In the Matter of UPromise, Inc. (FTC File No. 102 3116, Jan. 5, 2012)




Compliance




         In the Matter of Eli Lilly and Company (File No. 012 3214, January 18, 2002)




Compliance




             “Sensitive Information”




Compliance

Sensitive Information
 • States have defined “sensitive information” to include SSN, drivers license
   number, and financial account information
 • FTC has broadened this definition to include
    – Health information
    – Information regarding children
    – Geo-location information
 • Trend is toward more activity in these areas
 • Practical considerations
    – Know when/where you collect sensitive information
    – Consider seeking consent when using sensitive data for marketing purposes
    – Ensure that WISPs appropriately protect sensitive information
 • Note that these categories of sensitive information may not trigger a data
   breach notification requirement under state laws

Compliance




                     WISPs
       Written Information Security Plans




Compliance

WISPs
 • The “Safeguards Rule” under GLBA requires implementation of “written
   information security plans” (WISPs)
    – Describing the company’s program to protect customer information
    – Appropriate to the company, the nature and scope of its activities, and the level
      of sensitivity of the information
 • FTC consent orders now generally impose similar requirements
    – Implementation of a comprehensive information security program
    – Fully documented in writing
    – Reasonably designed to protect the security and privacy of covered information
    – Containing controls and procedures appropriate to the
      • Size and complexity of the business
      • Nature and scope of activities
      • Sensitivity of the covered information
 • Mass. state regs. also now require written information security policies for
   companies handling personal information about Mass. residents
Compliance




        “Reasonable and appropriate”
             security measures




Compliance




               U.S. v. RockYou, Inc.
             (N.D. Cal. Mar. 26, 2012)




Compliance

U.S. v. RockYou
 • RockYou is an online social gaming service
 • Created an application for social networking sites allowing users to upload
   photos and music to create a slide show
 • When users registered for the app they were asked to provide email
   address and password – app also collected birth date, gender, etc.
 • RockYou represented that it used “commercially reasonable” security
   measures
 • All information actually stored only in plain text (unencrypted)
 • RockYou was hacked in December 2009
 • 32 million accounts affected, including information about 179,000 children
 • FTC settled for $250,000 and 20 year injunction that imposes standard
   requirements (biannual third party risk assessments, etc.)


Compliance




                In the Matter of UPromise, Inc.
             (FTC File No. 102 3116, Jan. 5, 2012)




Compliance

In the Matter of UPromise
 • UPromise is a membership reward service for saving for college
 • Provided toolbar application purporting to track user online activity and
   “provide college savings opportunities tailored to you”
 • App collected not only the web sites visited but information entered on
   some web pages
 • Information included user names, passwords, credit cards and expiration
   dates, financial account information, SSNs, etc.
 • All of this information was transmitted to UPromise unencrypted, despite
   statements that information was “automatically” encrypted
 • Over 150,000 consumers participated
 • FTC settled for 20 year consent decree requiring standard requirements
   (biannual third party risk assessments, etc.)


Compliance

Reasonable and Appropriate Security
 • RockYou and UPromise settlements provide guidance on what is
   not reasonable or appropriate
   – Collecting PII from consumers unnecessarily
   – Failing to test applications to ensure they are not collecting PII
   – Not training employees about security risks
   – Transmitting or storing sensitive information in unencrypted form
   – Failing to segment servers
   – Leaving systems susceptible to hacking (e.g., SQL injection attacks)
   – Failing to ensure that service providers or third-party developers employ
     reasonable and appropriate security
 • Other settlements add additional considerations
 • Practical Considerations
   – Draft WISPs to prohibit these practices
   – Review for these practices in audits and risk assessments
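Two items in this list, storing sensitive information unencrypted and leaving an application open to SQL injection, are the ones a reviewer can check for directly in code. The Python below is an added example written for this page, not code from RockYou, UPromise or the FTC: it puts the weak pattern the settlements describe (password kept as typed, query text assembled from user input) next to a hardened form (salted PBKDF2 hash at rest, parameterized queries). The in-memory SQLite tables, email addresses and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory SQLite database standing in for an application's
# user store. Both table layouts are hypothetical.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users_legacy (email TEXT PRIMARY KEY, password TEXT)")
conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

PBKDF2_ITERATIONS = 200_000  # work factor for the password hash


# --- The pattern the settlements describe: plaintext credential at rest and
# --- SQL text assembled from user input. Illustrative only, not either
# --- company's actual code.

def register_legacy(email: str, password: str) -> None:
    # The password is stored exactly as typed: a copy of this table is a copy
    # of every user's credential.
    conn.execute("INSERT INTO users_legacy (email, password) VALUES (?, ?)",
                 (email, password))
    conn.commit()


def login_legacy(email: str, password: str) -> bool:
    # The email is spliced into the SQL text, so a quote character inside it
    # is parsed as SQL syntax instead of being treated as data.
    sql = "SELECT password FROM users_legacy WHERE email = '" + email + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return False
    return row is not None and row[0] == password


def stored_legacy_secret(email: str):
    """Audit helper: what the legacy table actually holds for this user."""
    row = conn.execute("SELECT password FROM users_legacy WHERE email = ?",
                       (email,)).fetchone()
    return None if row is None else row[0]


# --- Hardened form: per-user salt, PBKDF2-HMAC-SHA256, placeholders for input.

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def register_user(email: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user
    conn.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
                 (email, salt, hash_password(password, salt)))
    conn.commit()


def login(email: str, password: str) -> bool:
    # The placeholder keeps the email as data whatever characters it contains.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


def stored_user_secret(email: str):
    """Audit helper: the hardened table holds only a hash, never the password."""
    row = conn.execute("SELECT pw_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    register_user("o'brien@example.com", "correct horse battery")
    print(login("o'brien@example.com", "correct horse battery"))  # True
```

The apostrophe in `o'brien@example.com` is enough to make the legacy lookup fail, which is the same property an attacker relies on; the parameterized version handles it as ordinary data. For a WISP audit, the two `stored_*_secret` helpers are the check to run: if the value in the database equals the password a user typed, the control the settlements require is missing.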
Compliance




             Downstream obligations. . .




Compliance

Requirements for Service Providers
 • FTC settlements require contractual restrictions on third party
   service providers




                    In the Matter of Google, Inc. (FTC File No. 102-3136, March 30, 2011)

Compliance

Requirements for Service Providers
 • FTC settlements require contractual restrictions on third party
   service providers
 • Parallel newly effective Mass. regulation (201 CMR 17.03)
    – Requiring companies providing service providers with personal information
      about Mass. residents to contractually require the providers to “implement and
      maintain . . . appropriate security measures”
    – Went into full effect on March 1, 2012
 • Practical implications
    – Maintain a WISP with applicable policies
      • Storage, access, and transportation of information
      • Employees and downstream service providers
      • Disciplinary measures for violations
    – Conduct risk assessments, employee training, and security reviews
    – Investigate incidents and document follow-up action

Where are we headed?
. . . and what should you do?




December 1, 2010



March 26, 2012



FTC Report

Background
 •   Based on a yearlong series of privacy roundtables held by the FTC
 •   Extensive comment period (more than 450 comments received)
 •   Provides best practices for the protection of consumer privacy
 •   Applicable to both traditional (offline) and online businesses
 •   Intended to assist Congress as it considers privacy legislation
 •   Not intended to serve as a template for law enforcement actions
     (but what about plaintiffs attorneys?)




FTC Report

Privacy Framework
 • Proposed framework is based on several core concepts
    – Simplified consumer choice
    – Transparency
    – Privacy by design




FTC Report

Scope of Personal Information
 • Continued expansion of “personal information”




 •   Codification of the definitions used in FTC settlements
 •   Shades of the definition in the EU Data Protection Directive
 •   Blurring of the line between PII and non-PII
 •   When is information not PII?




FTC Report

De-Identification of Personal Information
 • Data is not PII if it is not reasonably linkable to a specific consumer,
   computer or other device
 • Breaking the link
    –   Take reasonable measures to ensure that data is de-identified
    –   Publicly commit to not try to re-identify
    –   Contractually prohibit downstream recipients from trying to re-identify
    –   Take measures to silo de-identified data from PII
 • Cannot remove concerns by simply envisioning the sharing of only
   “de-identified” or anonymous data
 • Must actually follow FTC guidance
    – Prohibitions in privacy policies against re-identification
    – Provisions in vendor contracts regarding re-identification
    – Systems designed to silo off de-identified data
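The three measures above (drop the link, keep the key and identifiers in a separate silo, gate what leaves it) are concrete enough to show in code. The Python below is an added example written for this page, not the FTC's method or any vendor's product: it strips direct identifiers from constructed customer records, replaces the customer id with a keyed HMAC token so records for one customer still line up, coarsens date of birth and ZIP, and refuses to release any set that still carries an identifier. The record contents, field names and key are all constructed; in practice the key lives only in the PII silo, which is what makes re-identification from the analytics copy alone impractical.

```python
import hashlib
import hmac

# Constructed sample records for hypothetical customers (not real data).
RAW_RECORDS = [
    {"customer_id": 1001, "name": "Ada Example", "email": "ada@example.com",
     "ssn": "000-00-0001", "dob": "1984-03-09", "zip": "80302", "purchases": 3},
    {"customer_id": 1002, "name": "Ben Example", "email": "ben@example.com",
     "ssn": "000-00-0002", "dob": "1991-11-30", "zip": "80303", "purchases": 1},
    {"customer_id": 1001, "name": "Ada Example", "email": "ada@example.com",
     "ssn": "000-00-0001", "dob": "1984-03-09", "zip": "80302", "purchases": 2},
]

# Fields that identify a person directly; they stay in the PII silo.
DIRECT_IDENTIFIERS = {"customer_id", "name", "email", "ssn"}


def pseudonym(customer_id: int, key: bytes) -> str:
    """Keyed HMAC of the customer id: stable under one key, so a customer's
    records still group together, but not reversible without that key."""
    return hmac.new(key, str(customer_id).encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(records, key: bytes):
    """Build the analytics copy: identifiers dropped, id replaced by a keyed
    token, date of birth reduced to year, ZIP reduced to its first three digits."""
    out = []
    for r in records:
        d = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        d["token"] = pseudonym(r["customer_id"], key)
        d["birth_year"] = d.pop("dob")[:4]
        d["zip3"] = d.pop("zip")[:3]
        out.append(d)
    return out


def contains_direct_identifiers(records) -> bool:
    """Release gate: True if any record still carries a direct identifier."""
    return any(DIRECT_IDENTIFIERS & set(r) for r in records)


def purchases_by_token(records):
    """The usual analytics still run on the de-identified copy."""
    totals = {}
    for r in records:
        totals[r["token"]] = totals.get(r["token"], 0) + r["purchases"]
    return totals


if __name__ == "__main__":
    analytics_copy = deidentify(RAW_RECORDS, b"key-held-in-pii-silo")
    print(contains_direct_identifiers(analytics_copy))  # False
```

The gate is the piece worth wiring into a data pipeline: a dataset should not be exported to a vendor or an analytics system unless `contains_direct_identifiers` returns False, and the contract with that vendor should carry the re-identification prohibition the report calls for.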

FTC Report

Requirements for Affiliates and Subsidiaries
 • Historically, divergent privacy policies and practices regarding information
   sharing with corporate affiliates and subsidiaries
 • FTC Report views affiliates as “third parties” unless the affiliate
   relationship is “clear to consumers”
 • Common branding is cited as sufficient to make a relationship clear
 • Uncertainty remains
 • Practical implications
    – Disclose affiliate sharing in privacy policy
    – Consider opt-in for sharing sensitive information with affiliates
    – Opt-out for non-sensitive information




February 23, 2012



“Consumer Privacy Bill of Rights”



White House Privacy Framework

Consumer Privacy Bill of Rights
 • Combined effort of the White House, Department of Commerce, and
   the FTC
 • Provides a framework for consumer privacy protections
 • Establishes 7 principles covering personal data
    –   Transparency - Easily understandable policies and practices
    –   Respect for Context - Collection and use consistent with context
    –   Security - Secure and responsible handling
    –   Access and Accuracy – Ability to access and correct
    –   Focused Collection - Reasonable limits on collection and retention
    –   Accountability - Appropriate measures to ensure compliance
 • Similarities to the principles adopted by economic organizations in Europe
   and Asia as well


White House Privacy Framework

Consumer Privacy Bill of Rights
 • Industry codes of conduct
   – Voluntary privacy and security “codes of conduct”
   – Commerce Department National Telecommunications and Information
     Administration (NTIA) to facilitate creation in “select” industries
   – Other federal agencies may also convene industry stakeholders
   – Industries can also convene stakeholders absent NTIA
 • Encourages inclusive and transparent process
 • Enforcement authority
   – FTC to enforce codes of conduct
   – Violation constitutes a deceptive practice under Section 5 of the FTC Act
   – Adherence to codes to be looked upon “favorably” in FTC investigations
 • No immediate changes, but. . .


White House Privacy Framework

Legislative Proposals
 • Provide FTC with direct authority to enforce some variant of the Consumer
   Privacy Bill of Rights
   – Potentially significant increase in FTC enforcement authority
   – Misrepresentations or unfair practices would no longer be required
 • Provide FTC with rulemaking authority to design a system for review and
   approval of codes of conduct
   – Review period (180 days)
   – Open public comments
   – Approve or reject
 • Companies encouraged to create and comply with codes of conduct
   – Obtain greater clarity concerning the rules to which they will be held
   – Safe harbor status for compliance with an approved code



FTC Report on Mobile Apps

Mobile Applications
 • FTC has long stated that the mobile market is not different from the
   Internet
 • FTC report on Children’s Mobile Apps and Privacy (Feb. 16, 2012)
    – Large number of apps (75%) targeted at children (under 13)
    – Apps did not provide good privacy disclosures
    – Will conduct additional COPPA compliance reviews over the next 6 months
 • FCRA Warning letters (Feb. 2012)
    – FTC sent letters to marketers of 6 mobile apps
    – Warned that apps may violate FCRA
    – If apps provide a consumer report, must comply with FCRA requirements
 • Expect more activity – discussion and enforcement
 • Particularly involving mobile apps directed at children
 • Review mobile applications for legal compliance

What Should You Do?




Make each use of data
A knowing (and compliant) use of data




Know your data
Map your “ecosystem”




Data Mapping




Data Mapping




[Diagram: data map with “You” at the center and “?” for the parties data flows to and from]
Conclusion

Lessons Learned
 • Increasing value means increasing scrutiny
 • Enforcement will continue (and may increase)
    – Actual security breaches are not required (poor practices will suffice)
    – Companies held to privacy-related promises
    – Scope of personal information is growing
 • Enforcement actions are influencing and defining industry expectations
 • Premium on increased transparency into data practices
 • Your “enforcement” issue may not come from the FTC, but from a
   potential customer, financing source, or acquirer




Conclusion

Best Practices
 •   Institute procedures to secure sensitive information
 •   Implement “privacy by design” concepts
 •   Know your data, particularly sensitive data
 •   Minimize the data collected
      – Collect only as needed
      – Hold only as long as needed
 • Map data collection, usage, and sharing
 • Prepare and adopt a written information security plan (WISP)
      – Address known risks
      – Prepare for a breach
 • Educate employees regarding the WISP
 • Manage vendors and contractors
      – Contractual provisions covering data transfer
      – Compliance monitoring

Thank You.
     Jason Haislmaier
 jason.haislmaier@bryancave.com
             @haislmaier
http://www.linkedin.com/in/haislmaier

More Related Content

PPT
Data Security and Privacy Landscape 2012 (September 2012)
PDF
Presentation - gener8tor - Data Privacy, Security, and Rights 130627
PDF
Presentation ncsl - mobile privacy enforcement 130502 (as presented)
PDF
Privacy & Data Breach: 2012 Recap, 2013 Predictions
PDF
Ballon paper
PPTX
Cloud Security Law Issues--an Overview
PDF
Social Media and the Law
PPTX
Hengesbaugh
Data Security and Privacy Landscape 2012 (September 2012)
Presentation - gener8tor - Data Privacy, Security, and Rights 130627
Presentation ncsl - mobile privacy enforcement 130502 (as presented)
Privacy & Data Breach: 2012 Recap, 2013 Predictions
Ballon paper
Cloud Security Law Issues--an Overview
Social Media and the Law
Hengesbaugh

What's hot (20)

PDF
CSR PII White Paper
KEY
Gagnier's Portion of TechWeek Chicago Presentation
PPTX
MobiU2012 Summit: Mobile Class Action Litigation & Privacy - by Sedgwick
PDF
Mobile Apps - Legal and Practical Considerations
PDF
Cybersecurity and Data Privacy
PPT
Nytlegal #56866-v3-ona 2013-_ds_draft
PPT
Privacy and Data Security: Risk Management and Avoidance
PDF
piiLabsSeattleWorkshop_ChristinaGagnier
PPTX
Trending Topics in Data Collection & Targeted Marketing
PPT
Personal Data Privacy and Information Security
PDF
Canada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
PDF
Blog Wars at New Media Expo
PPTX
*Webinar* CCPA: Get Your Business Ready
PPTX
Social Media & Legal Risk
PDF
Privacy and Security in Mobile E-Commerce
PPT
E commerce - ppt
PPTX
IAB Online Content Regulation
PPTX
How your nonprofit can avoid data breaches and ensure privacy
PPTX
The Challenge of Benefit-Cost Analysis As Applied to Online Safety & Digital ...
PDF
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
CSR PII White Paper
Gagnier's Portion of TechWeek Chicago Presentation
MobiU2012 Summit: Mobile Class Action Litigation & Privacy - by Sedgwick
Mobile Apps - Legal and Practical Considerations
Cybersecurity and Data Privacy
Nytlegal #56866-v3-ona 2013-_ds_draft
Privacy and Data Security: Risk Management and Avoidance
piiLabsSeattleWorkshop_ChristinaGagnier
Trending Topics in Data Collection & Targeted Marketing
Personal Data Privacy and Information Security
Canada's Privacy and New Anti-spam Laws: What You Need to Know to Comply
Blog Wars at New Media Expo
*Webinar* CCPA: Get Your Business Ready
Social Media & Legal Risk
Privacy and Security in Mobile E-Commerce
E commerce - ppt
IAB Online Content Regulation
How your nonprofit can avoid data breaches and ensure privacy
The Challenge of Benefit-Cost Analysis As Applied to Online Safety & Digital ...
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
Ad

Viewers also liked (20)

PDF
Cyber Summit 2016: Privacy Issues in Big Data Sharing and Reuse
PDF
走出IT人才荒 研討會
PDF
IBM's four key steps to security and privacy for big data
PDF
Privacy preserving detection of sensitive data exposure
PPTX
Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014
PPTX
The Impact of Cloud: Cloud Computing Security and Privacy
PPTX
Big Data Day LA 2016/ NoSQL track - Privacy vs. Security in a Big Data World,...
PDF
Literature Review: The Role of Signal Processing in Meeting Privacy Challenge...
PDF
Trivadis TechEvent 2016 Big Data Privacy and Security Fundamentals by Florian...
PPTX
Information Security in Big Data : Privacy and Data Mining
PPTX
PPTX
Big Data and Security - Where are we now? (2015)
PPTX
Paper presentation held at national seminar
PPT
Information security in big data -privacy and data mining
PPTX
Big data security
PPTX
Conference Powerpoint Presentations
PDF
The Security and Privacy Threats to Cloud Computing
PPTX
Review Paper – Power Point Presentation
PPT
Simultaneously Supporting Privacy and Auditing in Cloud Computing Systems
PPTX
IEEE Presentation
Cyber Summit 2016: Privacy Issues in Big Data Sharing and Reuse
走出IT人才荒 研討會
IBM's four key steps to security and privacy for big data
Privacy preserving detection of sensitive data exposure
Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014
The Impact of Cloud: Cloud Computing Security and Privacy
Big Data Day LA 2016/ NoSQL track - Privacy vs. Security in a Big Data World,...
Literature Review: The Role of Signal Processing in Meeting Privacy Challenge...
Trivadis TechEvent 2016 Big Data Privacy and Security Fundamentals by Florian...
Information Security in Big Data : Privacy and Data Mining
Big Data and Security - Where are we now? (2015)
Paper presentation held at national seminar
Information security in big data -privacy and data mining
Big data security
Conference Powerpoint Presentations
The Security and Privacy Threats to Cloud Computing
Review Paper – Power Point Presentation
Simultaneously Supporting Privacy and Auditing in Cloud Computing Systems
IEEE Presentation
Ad

Similar to Data Privacy & Security Update 2012 (20)

PPT
Crash Course on Data Privacy (December 2012)
PDF
FTC Privacy Roundtable Background And Summary
PPTX
Cloud Privacy Update: What You Need to Know
PDF
Cloud Privacy
PPTX
What every product manager needs to know about online privacy
PPTX
Presentation on Information Privacy
PDF
Data Security Regulatory Lansdcape
PDF
Magazine Feature
PPTX
Technology Law: Regulations on the Internet and Emerging Technologies
PPTX
Technology Law: Regulations on the Internet and Emerging Technologies
PDF
Protecting Consumer Information: Can a Breach be Prevented?
PDF
Data breaches at home and abroad
PDF
California Privacy Law: Resources & Protections
PDF
Safeguarding Consumers’ Financial Data 2014
PDF
Breached! The First 48
PDF
Data Breaches
PDF
When Past Performance May Be Indicative of Future Results - The Legal Implica...
PDF
Presentatie dma boston 2011: Welke impact heeft us privacyregulering op uw bu...
PPT
Data breach protection from a DB2 perspective
PDF
Boulder/Denver Software Club Presentation: "All Things Data - Data Right...
Crash Course on Data Privacy (December 2012)
FTC Privacy Roundtable Background And Summary
Cloud Privacy Update: What You Need to Know
Cloud Privacy
What every product manager needs to know about online privacy
Presentation on Information Privacy
Data Security Regulatory Lansdcape
Magazine Feature
Technology Law: Regulations on the Internet and Emerging Technologies
Technology Law: Regulations on the Internet and Emerging Technologies
Protecting Consumer Information: Can a Breach be Prevented?
Data breaches at home and abroad
California Privacy Law: Resources & Protections
Safeguarding Consumers’ Financial Data 2014
Breached! The First 48
Data Breaches
When Past Performance May Be Indicative of Future Results - The Legal Implica...
Presentatie dma boston 2011: Welke impact heeft us privacyregulering op uw bu...
Data breach protection from a DB2 perspective
Boulder/Denver Software Club Presentation: "All Things Data - Data Right...

More from Jason Haislmaier (11)

PDF
Covidien - FDA Guidance on Mobile Medical Apps 140124
PDF
Presentation - Mobile Medical Applications Guidance for Industry and Food and...
PDF
Licensing in the Cloud (2013 Rocky Mountain IP and Technology Institute) (May...
PDF
Data Property Rights (Rocky Mountain IP and Technology Institute 2013) (May 2...
PDF
Open Source License Compliance in the Cloud (CELESQ) (October 2012)
PPT
"Crash Course" on Open Source Silicon Flatirons Center (2012)
PPT
Open Source License Compliance In The Cloud
PDF
2011 "Crash Course" on Open Source
PPT
2011 Silicon Flatirons IP (Crash Course) For Entrepreneurers
PDF
Fundamentals in Software Licensing (J. Haislmaier - IP Institute 2010)
PDF
Legal Issues in Cloud Computing (J. Haislmaier - IP Institute 2010)
Covidien - FDA Guidance on Mobile Medical Apps 140124
Presentation - Mobile Medical Applications Guidance for Industry and Food and...
Licensing in the Cloud (2013 Rocky Mountain IP and Technology Institute) (May...
Data Property Rights (Rocky Mountain IP and Technology Institute 2013) (May 2...
Open Source License Compliance in the Cloud (CELESQ) (October 2012)
"Crash Course" on Open Source Silicon Flatirons Center (2012)
Open Source License Compliance In The Cloud
2011 "Crash Course" on Open Source
2011 Silicon Flatirons IP (Crash Course) For Entrepreneurers
Fundamentals in Software Licensing (J. Haislmaier - IP Institute 2010)
Legal Issues in Cloud Computing (J. Haislmaier - IP Institute 2010)

Data Privacy & Security Update 2012

  • 1. Update: Data Security & Privacy June 7, 2012 Jason D. Haislmaier [email protected] @haislmaier Copyright 2012 Bryan Cave
  • 2. This presentation is intended for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances, nor is it intended to address specific legal compliance issues that may arise in particular circumstances. Please consult counsel concerning your own situation and any specific legal questions you may have. The thoughts and opinions expressed in this presentation are those of the individual presenters and do not necessarily reflect the official or unofficial thoughts or opinions of their employers. For further information regarding this presentation, please contact the presenter(s) listed in the presentation. Unless otherwise noted, all original content in this presentation is licensed under the Creative Commons Creative Commons Attribution-Share Alike 3.0 United States License available at: http://creativecommons.org/licenses/by-sa/3.0/us. Copyright 2012 Bryan Cave
  • 7. Data Increasing importance Increasing value Increasing scrutiny Increasing responsibility Copyright 2012 Bryan Cave
  • 8. Data Many challenges Many changes Many opportunities Copyright 2012 Bryan Cave
  • 9. No specific comprehensive data privacy or security legislation (in the US) Copyright 2012 Bryan Cave
  • 10. Legal Landscape Longstanding EU Regulations • EU Data Protection Directive (95/46/EC) • Regulates the processing of personal data of EU subjects – Broad scope of “personal data” – Restricts processing unless stated conditions are met – Prohibits transfer to countries not offering adequate levels of protection • US Department of Commerce-negotiated “Safe Harbor Principles” enable transfers to US companies – Self-certification regime – Allows US companies to register as compliant – FTC oversight • Proposed overhaul in the works (announced Jan. 25, 2012) Copyright 2012 Bryan Cave
11. Legal Landscape: Growing Array of Relevant State Laws
 • State consumer protection statutes
   – All 50 states
   – Prohibitions on “unfair or deceptive” trade practices
 • Data breach notification statutes
   – At least 46 states (plus DC and various US territories)
   – Notification of state residents (and perhaps regulators) affected by unauthorized access to sensitive personal information
 • Data safeguards statutes
   – (Significant) minority of states
   – Safeguards to secure consumer information from unauthorized access
 • Data privacy statutes
   – Requirements for online privacy policies covering use and sharing of consumer information
   – Requirements on use of personal information for direct marketing purposes
12. Legal Landscape: Industry-specific Federal Statutes
 • Consumer credit - Fair Credit Reporting Act (FCRA)
 • Financial services - Gramm-Leach-Bliley Act (GLBA)
 • Healthcare providers - Health Insurance Portability and Accountability Act (HIPAA)
 • Children (under 13) - Children’s Online Privacy Protection Act (COPPA)
 • Video content - Video Privacy Protection Act
 • Other statutes covering education, payment processing, etc.
13. Legal Landscape: Federal Trade Commission (FTC)
14. Legal Landscape: Federal Trade Commission Act (FTCA) (15 U.S.C. 41, et seq.)
15. Legal Landscape: “Unfair or deceptive acts or practices”
16. Legal Landscape: Federal Trade Commission Act (FTCA)
 • No specific privacy or security requirements
   – Broad prohibition on “unfair or deceptive acts or practices in or affecting commerce” (Section 5)
   – FTC uses Section 5 to target failures to implement “reasonable and appropriate” data security measures, treating them as unfair or deceptive practices
 • Increasingly active enforcement
   – More than 36 actions to date
   – Covering electronically stored data and information
   – Targeting privacy violations as well as security breaches
17. Legal Landscape: Emerging Model
18. Compliance: Emerging Model for Settlement and Compliance
 • 20-year term
 • Cease misrepresentations regarding practices for information security, privacy, confidentiality, and integrity
 • Conduct assessment of reasonably foreseeable, material security risks
 • Establish comprehensive written information security and privacy program
 • Designate employee(s) to coordinate and be accountable for the program
 • Implement employee training
 • Conduct biannual independent third-party audits to assess security and privacy practices
 • Implement multiple record-keeping requirements
 • Implement regular testing, monitoring, and assessment
 • Undergo periodic reporting and compliance requirements
 • Impose requirements on service providers
19. Compliance: “Promises” not just Policies
20. Compliance
“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users.”
Jon Leibowitz, Chairman of the FTC, speaking on the settlement
21. Compliance
“Innovation does not have to come at the expense of consumer privacy.”
Jon Leibowitz, Chairman of the FTC, speaking on the settlement
22. Compliance
“We've made a bunch of mistakes.”
Mark Zuckerberg, CEO of Facebook, speaking on the settlement
23. Compliance: Scope of “Personal Information”
24. Compliance: In the Matter of UPromise, Inc. (FTC File No. 102 3116, Jan. 5, 2012)
25. Compliance: In the Matter of Eli Lilly and Company (File No. 012 3214, January 18, 2002)
26. Compliance: “Sensitive Information”
27. Compliance: Sensitive Information
 • States have defined “sensitive information” to include SSN, driver’s license number, and financial account information
 • FTC has broadened this definition to include
   – Health information
   – Information regarding children
   – Geo-location information
 • Trend is toward more activity in these areas
 • Practical considerations
   – Know when/where you collect sensitive information
   – Consider seeking consent when using sensitive data for marketing purposes
   – Ensure that WISPs appropriately protect sensitive information
 • Note that these categories of sensitive information may not trigger a data breach notification requirement under state laws
28. Compliance: WISPs (Written Information Security Plans)
29. Compliance: WISPs
 • The “Safeguards Rule” under GLBA requires implementation of “written information security plans” (WISPs)
   – Describing the company’s program to protect customer information
   – Appropriate to the company, the nature and scope of its activities, and the level of sensitivity of the information
 • FTC consent orders now generally impose similar requirements
   – Implementation of a comprehensive information security program
   – Fully documented in writing
   – Reasonably designed to protect the security and privacy of covered information
   – Containing controls and procedures appropriate to the
     • Size and complexity of the business
     • Nature and scope of activities
     • Sensitivity of the covered information
 • Mass. state regulations also now require written information security policies for companies handling personal information about Mass. residents
30. Compliance: “Reasonable and appropriate” security measures
31. Compliance: U.S. v. RockYou, Inc. (N.D. Cal. Mar. 26, 2012)
32. Compliance: U.S. v. RockYou
 • RockYou is an online social gaming service
 • Created an application for social networking sites allowing users to upload photos and music to create a slide show
 • When users registered for the app they were asked to provide an email address and password; the app also collected birth date, gender, etc.
 • RockYou represented that it used “commercially reasonable” security measures
 • All information was actually stored only in plain text (unencrypted)
 • RockYou was hacked in December 2009
 • 32 million accounts affected, including information about 179,000 children
 • FTC settled for $250,000 and a 20-year injunction that imposes standard requirements (biannual third-party risk assessments, etc.)
33. Compliance: In the Matter of UPromise, Inc. (FTC File No. 102 3116, Jan. 5, 2012)
34. Compliance: In the Matter of UPromise
 • UPromise is a membership reward service for saving for college
 • Provided a toolbar application purporting to track user online activity and “provide college savings opportunities tailored to you”
 • App collected not only the web sites visited but also information entered on some web pages
 • Information included user names, passwords, credit cards and expiration dates, financial account information, SSNs, etc.
 • All of this information was transmitted to UPromise unencrypted, despite statements that information was “automatically” encrypted
 • Over 150,000 consumers participated
 • FTC settled for a 20-year consent decree imposing standard requirements (biannual third-party risk assessments, etc.)
35. Compliance: Reasonable and Appropriate Security
 • RockYou and UPromise settlements provide guidance on what is not reasonable or appropriate
   – Collecting PII from consumers unnecessarily
   – Failing to test applications to ensure they are not collecting PII
   – Not training employees about security risks
   – Transmitting or storing sensitive information in unencrypted form
   – Failing to segment servers
   – Leaving systems susceptible to hacking (e.g., SQL injection attacks)
   – Failing to ensure that service providers or third-party developers employ reasonable and appropriate security
 • Other settlements add additional considerations
 • Practical considerations
   – Draft WISPs to prohibit these practices
   – Review for these practices in audits and risk assessments
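Two of the practices listed above, "storing sensitive information in unencrypted form" (the RockYou plain-text password store) and "leaving systems susceptible to SQL injection", are concrete enough to show in code. The following is an added example, not code from the presentation, RockYou, UPromise or the FTC: each weak practice is placed beside its hardened form so an auditor reviewing a WISP or an application knows what to look for. The in-memory SQLite tables, the sample accounts, the iteration count and every function name are constructed assumptions.

```python
"""
Added example (not from the presentation): two practices the RockYou and
UPromise settlements flagged as not "reasonable and appropriate", each in a
weak form beside a hardened form.

  1. Passwords stored in plain text vs. a salted PBKDF2 hash.
  2. SQL built by string formatting (open to SQL injection) vs. a parameterized query.

The in-memory SQLite tables, sample accounts and function names are constructed.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumption: choose a cost your login latency budget allows


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' using PBKDF2-HMAC-SHA256 and a random 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def build_db() -> sqlite3.Connection:
    """Constructed sample data: the same two accounts stored both ways."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE weak_users (email TEXT, password TEXT)")
    conn.execute("CREATE TABLE hardened_users (email TEXT, password_hash TEXT)")
    for email, pw in [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]:
        conn.execute("INSERT INTO weak_users VALUES (?, ?)", (email, pw))
        conn.execute("INSERT INTO hardened_users VALUES (?, ?)", (email, hash_password(pw)))
    conn.commit()
    return conn


def lookup_weak(conn: sqlite3.Connection, email: str):
    """Weak form: the email is spliced into the SQL text, so quote characters in
    the input are interpreted as SQL rather than as data, and whatever row comes
    back exposes a plain-text password (the RockYou failure)."""
    query = f"SELECT email, password FROM weak_users WHERE email = '{email}'"
    return conn.execute(query).fetchone()


def lookup_hardened(conn: sqlite3.Connection, email: str):
    """Hardened form: the driver binds the email as a value, so it can never
    change the shape of the query, and the row holds only a salted hash."""
    return conn.execute(
        "SELECT email, password_hash FROM hardened_users WHERE email = ?", (email,)
    ).fetchone()


def login_hardened(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Authenticate against the hardened table; the password itself is never stored."""
    row = lookup_hardened(conn, email)
    return row is not None and verify_password(password, row[1])


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # a lookup value that contains SQL metacharacters
    print("weak lookup for a non-existent email returns:", lookup_weak(db, probe))
    print("hardened lookup for the same value returns:", lookup_hardened(db, probe))
    print("hardened login, correct password:", login_hardened(db, "alice@example.com", "hunter2"))
    print("hardened login, wrong password:", login_hardened(db, "alice@example.com", "nope"))
```

Run as a script, the weak lookup hands back a real account row (with its plain-text password) for an email address that does not exist, because the input was parsed as SQL; the hardened lookup returns nothing for the same input, and a dump of the hardened table yields only salted hashes. Those two observations map directly onto the audit items the slide asks for.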
36. Compliance: Downstream obligations . . .
37. Compliance: Requirements for Service Providers
 • FTC settlements require contractual restrictions on third-party service providers
   – In the Matter of Google, Inc. (FTC File No. 102-3136, March 30, 2011)
38. Compliance: Requirements for Service Providers
 • FTC settlements require contractual restrictions on third-party service providers
 • Parallel newly effective Mass. regulation (201 CMR 17.03)
   – Requiring companies providing service providers with personal information about Mass. residents to contractually require the providers to “implement and maintain . . . appropriate security measures”
   – Went into full effect on March 1, 2012
 • Practical implications
   – Maintain a WISP with applicable policies
     • Storage, access, and transportation of information
     • Employees and downstream service providers
     • Disciplinary measures for violations
   – Conduct risk assessments, employee training, and security reviews
   – Investigate incidents and document follow-up action
39. Where are we headed? . . . and what should you do?
40. December 1, 2010
41. March 26, 2012
42. FTC Report: Background
 • Based on a yearlong series of privacy roundtables held by the FTC
 • Extensive comment period (more than 450 comments received)
 • Provides best practices for the protection of consumer privacy
 • Applicable to both traditional (offline) and online businesses
 • Intended to assist Congress as it considers privacy legislation
 • Not intended to serve as a template for law enforcement actions (but what about plaintiffs’ attorneys?)
43-45. FTC Report: Privacy Framework
 • Proposed framework is based on several core concepts
   – Simplified consumer choice
   – Transparency
   – Privacy by design
46. FTC Report: Scope of Personal Information
 • Continued expansion of “personal information”
 • Codification of the definitions used in FTC settlements
 • Shades of the definition in the EU Data Protection Directive
 • Blurring of the line between PII and non-PII
 • When is information not PII?
47. FTC Report: De-Identification of Personal Information
 • Data is not PII if it is not reasonably linkable to a specific consumer, computer, or other device
 • Breaking the link
   – Take reasonable measures to ensure that data is de-identified
   – Publicly commit not to try to re-identify
   – Contractually prohibit downstream recipients from trying to re-identify
   – Take measures to silo de-identified data from PII
 • Cannot remove concerns by simply envisioning the sharing of only “de-identified” or anonymous data
 • Must actually follow FTC guidance
   – Prohibitions in privacy policies against re-identification
   – Provisions in vendor contracts regarding re-identification
   – Systems designed to silo off de-identified data
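The public commitment and the vendor contract are legal instruments, but "take reasonable measures to ensure that data is de-identified" and "silo de-identified data from PII" are engineering work. The following is an added example of one way to do that, not code from the presentation or the FTC report: a consumer record is split into an identity silo that keeps the direct identifiers and a de-identified record that analytics systems may hold, joined only by a keyed token that cannot be recomputed or reversed without the silo's secret. The field names, the list of direct identifiers, the generalization rules and the sample record are all constructed assumptions; a real deployment would decide each of them in the WISP.

```python
"""
Added example (not from the presentation or the FTC report): splitting a
record into a PII silo and a de-identified analytics copy linked by a keyed
token, so that de-identified data is "not reasonably linkable" without the silo.
Field names, identifier list, generalization rules and sample record are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumption: which fields are direct identifiers is an organization-specific decision.
DIRECT_IDENTIFIERS = {"consumer_id", "name", "email", "ssn", "device_id"}


class IdentitySilo:
    """Holds PII plus the secret key used to mint tokens. Deployed and
    access-controlled separately from analytics systems (the "silo")."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # never leaves this silo
        self._records: Dict[str, dict] = {}

    def token_for(self, consumer_id: str) -> str:
        # HMAC rather than a bare hash: without the key a recipient cannot
        # rebuild tokens from guessed consumer ids and relink them.
        return hmac.new(self._key, consumer_id.encode("utf-8"), hashlib.sha256).hexdigest()[:24]

    def store(self, record: dict) -> str:
        """Keep only the identifying fields here and return the token for them."""
        token = self.token_for(record["consumer_id"])
        self._records[token] = {k: v for k, v in record.items() if k in DIRECT_IDENTIFIERS}
        return token

    def reidentify(self, token: str) -> Optional[dict]:
        """Only the silo can map a token back to a person."""
        return self._records.get(token)


def deidentify(record: dict, silo: IdentitySilo) -> dict:
    """Return a copy safe for the analytics side: direct identifiers removed,
    quasi-identifiers generalized, and a silo token in place of the identity."""
    token = silo.store(record)
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    # Generalize quasi-identifiers that could still single someone out (assumed rules).
    if "zip" in out:
        out["zip"] = out["zip"][:3] + "XX"                 # 5-digit ZIP -> ZIP3 prefix
    if "birth_year" in out:
        out["birth_year"] = (out["birth_year"] // 10) * 10  # decade band
    out["token"] = token
    return out


def contains_direct_identifier(record: dict) -> bool:
    """Release check: a dataset leaving the organization must fail this test."""
    return any(k in DIRECT_IDENTIFIERS for k in record)


# Constructed sample record for illustration.
SAMPLE = {
    "consumer_id": "c-1001",
    "name": "Alice Example",
    "email": "alice@example.com",
    "ssn": "000-00-0000",
    "zip": "80302",
    "birth_year": 1987,
    "purchases": 3,
}

if __name__ == "__main__":
    silo = IdentitySilo()
    analytics_row = deidentify(SAMPLE, silo)
    print("analytics copy:", analytics_row)
    print("silo re-identifies token to:", silo.reidentify(analytics_row["token"])["email"])
    print("another party with no key gets:", IdentitySilo().reidentify(analytics_row["token"]))
```

The design choice worth noting is the keyed token: a plain SHA-256 of the consumer id would let any downstream recipient who can guess ids rebuild the link, which is exactly the re-identification the FTC framework wants prevented by contract and by design. Coarsening ZIP code and birth year is included because removing direct identifiers alone does not make a record unlinkable.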
48. FTC Report: Requirements for Affiliates and Subsidiaries
 • Historically, divergent privacy policies and practices regarding information sharing with corporate affiliates and subsidiaries
 • FTC Report views affiliates as “third parties” unless the affiliate relationship is “clear to consumers”
 • Common branding is cited as sufficient to make a relationship clear
 • Uncertainty remains
 • Practical implications
   – Disclose affiliate sharing in privacy policy
   – Consider opt-in for sharing sensitive information with affiliates
   – Opt-out for non-sensitive information
49. February 23, 2012
50. “Consumer Privacy Bill of Rights”
51. White House Privacy Framework: Consumer Privacy Bill of Rights
 • Combined effort of the White House, Department of Commerce, and the FTC
 • Provides a framework for consumer privacy protections
 • Establishes 7 principles covering personal data
   – Transparency - Easily understandable policies and practices
   – Respect for Context - Collection and use consistent with context
   – Security - Secure and responsible handling
   – Access and Accuracy - Ability to access and correct
   – Focused Collection - Reasonable limits on collection and retention
   – Accountability - Appropriate measures to ensure compliance
 • Similarities to the principles adopted by economic organizations in Europe and Asia as well
52. White House Privacy Framework: Consumer Privacy Bill of Rights
 • Industry codes of conduct
   – Voluntary privacy and security “codes of conduct”
   – Commerce Department National Telecommunications and Information Administration (NTIA) to facilitate creation in “select” industries
   – Other federal agencies may also convene industry stakeholders
   – Industries can also convene stakeholders absent NTIA
 • Encourages inclusive and transparent process
 • Enforcement authority
   – FTC to enforce codes of conduct
   – Violation constitutes a deceptive practice under Section 5 of the FTC Act
   – Adherence to codes to be looked upon “favorably” in FTC investigations
 • No immediate changes, but . . .
53. White House Privacy Framework: Legislative Proposals
 • Provide FTC with direct authority to enforce some variant of the Consumer Privacy Bill of Rights
   – Potentially significant increase in FTC enforcement authority
   – Misrepresentations or unfair practices would no longer be required
 • Provide FTC with rulemaking authority to design a system for review and approval of codes of conduct
   – Review period (180 days)
   – Open public comments
   – Approve or reject
 • Companies encouraged to create and comply with codes of conduct
   – Obtain greater clarity concerning the rules to which they will be held
   – Safe harbor status for compliance with an approved code
55. FTC Report on Mobile Apps: Mobile Applications
 • FTC has long stated that the mobile market is not different from the Internet
 • FTC report on Children’s Mobile Apps and Privacy (Feb. 16, 2012)
   – Large number of apps (75%) targeted at children (under 13)
   – Apps did not provide good privacy disclosures
   – Will conduct additional COPPA compliance reviews over the next 6 months
 • FCRA warning letters (Feb. 2012)
   – FTC sent letters to marketers of 6 mobile apps
   – Warned that apps may violate FCRA
   – If apps provide a consumer report, they must comply with FCRA requirements
 • Expect more activity (discussion and enforcement), particularly involving mobile apps directed at children
 • Review mobile applications for legal compliance
56. What Should You Do?
58. Make each use of data a knowing (and compliant) use of data
59. Know your data; map your “ecosystem”
60. Data Mapping
61. Data Mapping (diagram; remaining text: “You ?”)
62. Conclusion: Lessons Learned
 • Increasing value means increasing scrutiny
 • Enforcement will continue (and may increase)
   – Actual security breaches are not required (poor practices will suffice)
   – Companies held to privacy-related promises
   – Scope of personal information is growing
 • Enforcement actions are influencing and defining industry expectations
 • Premium on increased transparency into data practices
 • Your “enforcement” issue may not come from the FTC, but from a potential customer, financing source, or acquirer
63. Conclusion: Best Practices
 • Institute procedures to secure sensitive information
 • Implement “privacy by design” concepts
 • Know your data, particularly sensitive data
 • Minimize the data collected
   – Collect only as needed
   – Hold only as long as needed
 • Map data collection, usage, and sharing
 • Prepare and adopt a written information security plan (WISP)
   – Address known risks
   – Prepare for a breach
 • Educate employees regarding the WISP
 • Manage vendors and contractors
   – Contractual provisions covering data transfer
   – Compliance monitoring
64. Thank You. Jason Haislmaier [email protected] @haislmaier http://www.linkedin.com/in/haislmaier