Legal Issues in Cloud Computing (J. Haislmaier - IP Institute 2010)
Data Privacy & Security Update 2012
1. Update: Data Security
& Privacy
June 7, 2012
Jason D. Haislmaier
jason.haislmaier@bryancave.com
@haislmaier
Copyright 2012 Bryan Cave
2. This presentation is intended for general informational purposes only and should not
be construed as legal advice or legal opinion on any specific facts or circumstances,
nor is it intended to address specific legal compliance issues that may arise in
particular circumstances. Please consult counsel concerning your own situation
and any specific legal questions you may have.
The thoughts and opinions expressed in this presentation are those of the individual
presenters and do not necessarily reflect the official or unofficial thoughts or
opinions of their employers.
For further information regarding this presentation, please contact the presenter(s)
listed in the presentation.
Unless otherwise noted, all original content in this presentation is licensed under the
Creative Commons Attribution-Share Alike 3.0 United States
License available at: http://creativecommons.org/licenses/by-sa/3.0/us.
10. Legal Landscape
Longstanding EU Regulations
• EU Data Protection Directive (95/46/EC)
• Regulates the processing of personal data of EU subjects
– Broad scope of “personal data”
– Restricts processing unless stated conditions are met
– Prohibits transfer to countries not offering adequate levels of protection
• US Department of Commerce-negotiated “Safe Harbor Principles” enable
transfers to US companies
– Self-certification regime
– Allows US companies to register as compliant
– FTC oversight
• Proposed overhaul in the works (announced Jan. 25, 2012)
11. Legal Landscape
Growing Array of Relevant State Laws
• State consumer protection statutes
– All 50 states
– Prohibitions on “unfair or deceptive” trade practices
• Data breach notification statutes
– At least 46 states (plus DC and various US territories)
– Notification of state residents (and perhaps regulators) affected by
unauthorized access to sensitive personal information
• Data safeguards statutes
– (Significant) minority of states
– Safeguards to secure consumer information from unauthorized access
• Data privacy statutes
– Requirements for online privacy policies covering use and sharing of consumer
information
– Requirements on use of personal information for direct marketing purposes
12. Legal Landscape
Industry-specific Federal Statutes
• Consumer credit - Fair Credit Reporting Act (FCRA)
• Financial services - Gramm Leach Bliley Act (GLBA)
• Healthcare providers - Health Insurance Portability and Accountability Act
(HIPAA)
• Children (under 13) - Children’s Online Privacy Protection Act (COPPA)
• Video content - Video Privacy Protection Act
• Other statutes covering education, payment processing, etc.
14. Legal Landscape
Federal Trade Commission Act (FTCA)
(15 U.S.C. 41, et seq)
15. Legal Landscape
“Unfair or deceptive acts or practices”
16. Legal Landscape
Federal Trade Commission Act (FTCA)
• No specific privacy or security requirements
– Broad prohibition on “unfair or deceptive acts or practices in or affecting
commerce” (Section 5)
– FTC treats failures to implement “reasonable and appropriate” data security
measures as unfair practices, and misrepresentations about data practices
(e.g., in privacy policies or security claims) as deceptive practices
• Increasingly active enforcement
– More than 36 actions to date
– Covering electronically stored data and information
– Targeting privacy violations as well as security breaches
18. Compliance
Emerging Model for Settlement and Compliance
• 20 year term
• Cease misrepresentations regarding practices for information security,
privacy, confidentiality, and integrity
• Conduct assessment of reasonably-foreseeable, material security risks
• Establish comprehensive written information security and privacy program
• Designate employee(s) to coordinate and be accountable for the program
• Implement employee training
• Obtain biennial (every two years) independent third party assessments of
security and privacy practices
• Implement multiple record-keeping requirements
• Implement regular testing, monitoring, and assessment
• Undergo periodic reporting and compliance requirements
• Impose requirements on service providers
19. Compliance
“Promises”
not just
Policies
20. Compliance
“Facebook is obligated to keep the promises
about privacy that it makes to its hundreds
of millions of users.”
Jon Leibowitz
Chairman of the FTC
Speaking on the Facebook settlement
21. Compliance
“Innovation does not have to come at the
expense of consumer privacy.”
Jon Leibowitz
Chairman of the FTC
Speaking on the Facebook settlement
22. Compliance
“We've made a bunch of mistakes.”
Mark Zuckerberg
CEO of Facebook
Speaking on the Facebook settlement
23. Compliance
Scope of “Personal Information”
24. Compliance
In the Matter of UPromise, Inc. (FTC File No. 102 3116, Jan. 5, 2012)
25. Compliance
In the Matter of Eli Lilly and Company (FTC File No. 012 3214, January 18, 2002)
27. Compliance
Sensitive Information
• States have defined “sensitive information” to include SSN, drivers license
number, and financial account information
• FTC has broadened this definition to include
– Health information
– Information regarding children
– Geo-location information
• Trend is toward more activity in these areas
• Practical considerations
– Know when/where you collect sensitive information
– Consider seeking consent when using sensitive data for marketing purposes
– Ensure that WISPs appropriately protect sensitive information
• Note that these categories of sensitive information may not trigger a data
breach notification requirement under state laws
28. Compliance
WISPs
Written Information Security Plans
29. Compliance
WISPs
• The “Safeguards Rule” under GLBA requires implementation of “written
information security plans” (WISPs)
– Describing the company’s program to protect customer information
– Appropriate to the company’s size, the nature and scope of its activities, and
the sensitivity of the information
• FTC consent orders now generally impose similar requirements
– Implementation of a comprehensive information security program
– Fully documented in writing
– Reasonably designed to protect the security and privacy of covered information
– Containing controls and procedures appropriate to the
• Size and complexity of the business
• Nature and scope of activities
• Sensitivity of the covered information
• Mass. state regs. (201 CMR 17.00) also now require a comprehensive written
information security program for companies handling personal information
about Mass. residents
31. Compliance
U.S. v. RockYou, Inc.
(N.D. Cal. Mar. 26, 2012)
32. Compliance
U.S. v. RockYou
• RockYou is an online social gaming service
• Created an application for social networking sites allowing users to upload
photos and music to create a slide show
• When users registered for the app they were asked to provide email
address and password – app also collected birth date, gender, etc.
• RockYou represented that it used “commercially reasonable” security
measures
• All information, including user passwords, was actually stored in plain text
(unencrypted)
• RockYou was hacked in December 2009
• 32 million accounts affected, including information about 179,000 children
• FTC settled for a $250,000 civil penalty and a 20 year consent order imposing
the standard requirements (biennial third party assessments, etc.)
33. Compliance
In the Matter of UPromise, Inc.
(FTC File No. 102 3116, Jan. 5, 2012)
34. Compliance
In the Matter of UPromise
• UPromise is a membership reward service for saving for college
• Provided toolbar application purporting to track user online activity and
“provide college savings opportunities tailored to you”
• App collected not only the web sites visited but information entered on
some web pages
• Information included user names, passwords, credit cards and expiration
dates, financial account information, SSNs, etc.
• All of this information was transmitted to UPromise unencrypted, despite
statements that information was “automatically” encrypted
• Over 150,000 consumers participated
• FTC settled for a 20 year consent order imposing the standard requirements
(biennial third party assessments, etc.)
35. Compliance
Reasonable and Appropriate Security
• RockYou and UPromise settlements provide guidance on what is
not reasonable or appropriate
– Collecting PII from consumers unnecessarily
– Failing to test applications to ensure they do not collect more PII than intended
– Not training employees about security risks
– Transmitting or storing sensitive information in unencrypted form
– Failing to segment servers
– Leaving systems susceptible to hacking (e.g., SQL injection attacks)
– Failing to ensure that service providers or third-party developers employ
reasonable and appropriate security
• Other settlements add additional considerations
• Practical Considerations
– Draft WISPs to prohibit these practices
– Review for these practices in audits and risk assessments
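As an added illustration that is not part of the Bryan Cave deck, the two practices the RockYou and UPromise findings turn on, credentials kept in plain text and SQL assembled from user input, shown in Python beside the hardened form an auditor reviewing for these practices would expect to find. The sample accounts, table layout and function names are constructed for this example; the injection string is the textbook tautology and not taken from any case record.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for this example; not data from any real breach.
SAMPLE_USERS = [("alice@example.com", "hunter2"), ("bob@example.com", "correct horse")]


def vulnerable_store():
    """Build the kind of credential store the FTC faulted: plain-text
    passwords inserted through string-formatted SQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    for email, pw in SAMPLE_USERS:
        db.execute(f"INSERT INTO users VALUES ('{email}', '{pw}')")
    return db


def vulnerable_login(db, email, password):
    """Deliberately injectable: user input is spliced into the query, so the
    password  ' OR '1'='1  turns the WHERE clause into a tautology."""
    query = (
        f"SELECT email FROM users WHERE email = '{email}' "
        f"AND password = '{password}'"
    )
    return db.execute(query).fetchone() is not None


def vulnerable_dump(db):
    """What an injection or a stolen backup yields: every password as stored."""
    return db.execute("SELECT email, password FROM users").fetchall()


# Hardened form: parameterised queries and salted, iterated password hashes.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-user salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def hardened_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, pw in SAMPLE_USERS:
        salt, digest = hash_password(pw)
        # Placeholders let sqlite3 bind the values; the input never becomes SQL.
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, digest))
    return db


def hardened_login(db, email, password):
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        # Hash anyway so response time does not reveal whether the account exists.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def hardened_dump(db):
    """A stolen copy now holds only salts and PBKDF2 digests, not passwords."""
    return db.execute("SELECT email, salt, pw_hash FROM users").fetchall()


if __name__ == "__main__":
    weak, strong = vulnerable_store(), hardened_store()
    bypass = "' OR '1'='1"
    print("vulnerable login, injected password:", vulnerable_login(weak, "alice@example.com", bypass))
    print("hardened login, injected password:  ", hardened_login(strong, "alice@example.com", bypass))
    print("vulnerable dump:", vulnerable_dump(weak))
```

Note that the hardened store removes two findings at once: the bound parameters close the injection path the slide lists under “susceptible to hacking”, and the salted PBKDF2 digest means a dump of the table no longer discloses the credential itself. Encrypting the password column would not have been the right fix; a reversible encryption key sitting next to the data leaves the same exposure the FTC complained of.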
37. Compliance
Requirements for Service Providers
• FTC settlements require contractual restrictions on third party
service providers
– e.g., In the Matter of Google, Inc. (FTC File No. 102-3136, March 30, 2011)
• Parallel newly effective Mass. regulation (201 CMR 17.03)
– Requiring companies providing service providers with personal information
about Mass. residents to contractually require the providers to “implement and
maintain . . . appropriate security measures”
– Went into full effect on March 1, 2012
• Practical implications
– Maintain a WISP with applicable policies
• Storage, access, and transportation of information
• Employees and downstream service providers
• Disciplinary measures for violations
– Conduct risk assessments, employee training, and security reviews
– Investigate incidents and document follow-up action
39. Where are we headed?
. . . and what should you do?
42. FTC Report
Background
• “Protecting Consumer Privacy in an Era of Rapid Change” (final report issued
March 26, 2012)
• Based on a yearlong series of privacy roundtables held by the FTC
• Extensive comment period (more than 450 comments received)
• Provides best practices for the protection of consumer privacy
• Applicable to both traditional (offline) and online businesses
• Intended to assist Congress as it considers privacy legislation
• Not intended to serve as a template for law enforcement actions
(but what about plaintiffs’ attorneys?)
45. FTC Report
Privacy Framework
• Proposed framework is based on several core concepts
– Simplified consumer choice
– Transparency
– Privacy by design
46. FTC Report
Scope of Personal Information
• Continued expansion of “personal information”
• Codification of the definitions used in FTC settlements
• Shades of the definition in the EU Data Protection Directive
• Blurring of the line between PII and non-PII
• When is information not PII?
47. FTC Report
De-Identification of Personal Information
• Data is not PII if it is not reasonably linkable to a specific consumer,
computer or other device
• Breaking the link
– Take reasonable measures to ensure that data is de-identified
– Publicly commit to not try to re-identify
– Contractually prohibit downstream recipients from trying to re-identify
– Take measures to silo de-identified data from PII
• Cannot remove concerns by simply envisioning the sharing of only
“de-identified” or anonymous data
• Must actually follow FTC guidance
– Prohibitions in privacy policies against re-identification
– Provisions in vendor contracts regarding re-identification
– Systems designed to silo off de-identified data
48. FTC Report
Requirements for Affiliates and Subsidiaries
• Historically, divergent privacy policies and practices regarding information
sharing with corporate affiliates and subsidiaries
• FTC Report views affiliates as “third parties” unless the affiliate
relationship is “clear to consumers”
• Common branding is cited as sufficient to make a relationship clear
• Uncertainty remains
• Practical implications
– Disclose affiliate sharing in privacy policy
– Consider opt-in for sharing sensitive information with affiliates
– Opt-out for non-sensitive information
51. White House Privacy Framework
Consumer Privacy Bill of Rights
• Combined effort of the White House, Department of Commerce, and
the FTC
• Provides a framework for consumer privacy protections
• Establishes 7 principles covering personal data
– Individual Control - Control over what data is collected and how it is used
– Transparency - Easily understandable policies and practices
– Respect for Context - Collection and use consistent with context
– Security - Secure and responsible handling
– Access and Accuracy – Ability to access and correct
– Focused Collection - Reasonable limits on collection and retention
– Accountability - Appropriate measures to ensure compliance
• Similarities to the principles adopted by economic organizations in Europe
and Asia as well (e.g., the OECD Guidelines and the APEC Privacy Framework)
52. White House Privacy Framework
Consumer Privacy Bill of Rights
• Industry codes of conduct
– Voluntary privacy and security “codes of conduct”
– Commerce Department National Telecommunications and Information
Administration (NTIA) to facilitate creation in “select” industries
– Other federal agencies may also convene industry stakeholders
– Industries can also convene stakeholders absent NTIA
• Encourages inclusive and transparent process
• Enforcement authority
– FTC to enforce codes of conduct
– Violation constitutes a deceptive practice under Section 5 of the FTC Act
– Adherence to codes to be looked upon “favorably” in FTC investigations
• No immediate changes, but. . .
53. White House Privacy Framework
Legislative Proposals
• Provide FTC with direct authority to enforce some variant of the Consumer
Privacy Bill of Rights
– Potentially significant increase in FTC enforcement authority
– Misrepresentations or unfair practices would no longer be required
• Provide FTC with rulemaking authority to design a system for review and
approval of codes of conduct
– Review period (180 days)
– Open public comments
– Approve or reject
• Companies encouraged to create and comply with codes of conduct
– Obtain greater clarity concerning the rules to which they will be held
– Safe harbor status for compliance with an approved code
55. FTC Report on Mobile Apps
Mobile Applications
• FTC has long stated that the mobile market is not different from the
Internet
• FTC report on Children’s Mobile Apps and Privacy (Feb. 16, 2012)
– Large number of apps (75%) targeted at children (under 13)
– Apps did not provide good privacy disclosures
– Will conduct additional COPPA compliance reviews over the next 6 months
• FCRA Warning letters (Feb. 2012)
– FTC sent letters to marketers of 6 mobile apps
– Warned that apps may violate FCRA
– If apps provide a consumer report, must comply with FCRA requirements
• Expect more activity – discussion and enforcement
• Particularly involving mobile apps directed at children
• Review mobile applications for legal compliance
62. Conclusion
Lessons Learned
• Increasing value means increasing scrutiny
• Enforcement will continue (and may increase)
– Actual security breaches are not required (poor practices will suffice)
– Companies held to privacy-related promises
– Scope of personal information is growing
• Enforcement actions are influencing and defining industry expectations
• Premium on increased transparency into data practices
• Your “enforcement” issue may not come from the FTC, but from a
potential customer, financing source, or acquirer
63. Conclusion
Best Practices
• Institute procedures to secure sensitive information
• Implement “privacy by design” concepts
• Know your data, particularly sensitive data
• Minimize the data collected
– Collect only as needed
– Hold only as long as needed
• Map data collection, usage, and sharing
• Prepare and adopt a written information security plan (WISP)
– Address known risks
– Prepare for a breach
• Educate employees regarding the WISP
• Manage vendors and contractors
– Contractual provisions covering data transfer
– Compliance monitoring
64. Thank You.
Jason Haislmaier
jason.haislmaier@bryancave.com
@haislmaier
http://www.linkedin.com/in/haislmaier