Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Lily lim data privacy ownership and ethics
1. Tech Talk: Data Privacy,
Ownership & IoT
December 11, 2017, 12:30 pm- 12:45 pm
By Lily Lim, Partner, Finnegan Henderson
The Intersection of IoT and Robotics: How Sensors, Data, and
Intelligence Are Redefining Industry
1
2. IoT Data: Ownership and Rights
Data Collected
Correlations Made
with Data Collected
Personally
Identifiable
Information
Company has ownership
rights:
Copyright, Trade Secrets,
Know-how, Patents
Company has ownership
rights to data that is mined
or correlated
Users Have Rights to
Control Their Personal
Data
2
3. Laws Protecting PII
Personally Identifiable Information (PII)
Federal Statutes
Financial Records: Gramm-Leach-Bliley Act
Health Records: HIPAA
Educational Records: FERPA
Interception of Communications: Electronic Communications Privacy
Act
State Laws:
Massachusetts Defines PII as: Person’s last name, first initial,
combined with SSN, driver’s license, bank account, credit card
account,
California Constitutional Right to Privacy
Illinois: PII includes user names with password & biometric data
European General Data Protection Regulation (GDPR)
3
4. Data Collected
Cost of Breach of Privacy Data (External Attack)
Class Actions:
Target Breach: over $300 Million
Home Depot: over $250 Million to date
(Forbes Magazine estimates total in recurring
expenses will be $10 Billion).
Deal Devalued:
Yahoo! Breach: Verizon cut $350 Million from
its deal with Yahoo! after the news of the
breach was released.
Clean-up/ Rebuild costs:
Sony Pictures Entertainment Breach
(Copyrighted materials, not yet released
movies, Sony’s trade secrets like business
negotiations):
Clean-up costs $35 Million for FY 2015.
Rebuilding Sony’s computer systems
estimated at $83 Million.
4
5. Open Source Software Vulnerabilities
Apache Open Source License (Web
Servers) :
Apache Strut vulnerability
Equifax breach September 2017
(personal data for 143 million
people leaked)
Apache Struts web-application
software had a bug (CVE-2017-
5638) for which Apache released a
patch in March 6, 2017.
Equifax did not apply the patch
and the breach started in May
2017.
5
Data Collected
6. Bluetooth Vulnerabilities
Bluetooth Vulnerability:
USCERT (United States Computer
Emergency Readiness Team) issued
warning
BlueBorne: potentially affecting millions of
IoT devices, mobile phones, and
computers.
Remote attacker can take control of
affected devices
Impacted systems:
Windows, iOS, Android
Affected Vendors:
Apple, Google, Microsoft, Samsung,
Android
Patches available for Windows, and iOS,
but patching for Android was delayed due
to disperse ecosystem
USCERT Recommended action: disable
Bluetooth
6
Data Collected
7. IoT Data: Penalties When PII Collected Without
User Consent
Data Mining Contacts from Email
Accounts
Google Buzz allegedly automatically pulled
contacts from users’ Gmail accounts into a social
network without informing them.
FTC Consent Decree: Google agreed to
implement a comprehensive privacy program and
to 20 years of privacy audits.
Sweeping Up WiFi Passwords
Google Street View: collection of passwords, email
and personal information from unsecured networks
collected by Google cars while the collected
location data for Street View.
Google agreed to: $7 Million fine; self-policing of
employees, teaching public how to fend off privacy
violations.
7
Data Collected
8. Data Handling “Mishaps”
Uber’s “God View” Tool and “GreyBall”
Program
FTC is inquiring about Uber’s “data-handling
mishaps” including employees’ “misuse of
‘god view,’ a tool that had previously let
employees closely track individual riders,
such as politicians and celebrities.”.
Department of Justice reportedly opened a
criminal probe regarding Uber’s use of its
Greyball program, which allegedly helped it
circumvent scrutiny from local transportation
regulators
8
Data Collected
9. Maximizing Data Set Values By Mitigating PII Risks
Companies can use PII and sell it:
Privacy-By-Design and Security-By-Design
Rather than address privacy and security issues on the back end
of a product cycle, companies are making efforts to integrate
privacy and security into earlier phases of the design cycle.
Privacy Policy: User Consent
Data Collected
9
10. Lily Lim, Partner
Finnegan Henderson
Intellectual property, cybersecurity, and privacy law.
Ms. Lim provides strategic counseling on cybersecurity and privacy
best practices, including security-by-design and privacy-by-design,
utilizing her depth of knowledge in both law and technology. Ms. Lim
is a Certified Information Privacy Professional (CIPP/US). Ms. Lim is
a frequently invited speaker and contributes to the Sedona
Conference Working Group on data security and privacy issues.
Ms. Lim has prevailed at trial and on appeal in cases involving
patent, copyright, and trade secret disputes in federal court and
before the U.S. International Trade Commission (ITC). She
represents U.S. and international clients whose technologies include
integrated circuits, satellite technologies, wireless devices, software,
and medical devices and diagnostic equipment. Ms. Lim also
provides strategic pre-litigation counseling regarding negotiating
patent and software licenses and international manufacturing and
marketing agreements.
Prior to joining private practice, Ms. Lim served as a law clerk to the
Honorable S. Jay Plager of the U.S. Court of Appeals for the
Federal Circuit. She also worked as a spacecraft navigation
engineer at NASA’s Jet Propulsion Laboratory.
Email:
Lily.Lim@Finnegan.com
10Copyright 2017