SlideShare uma empresa Scribd logo

Crash Course on Data Privacy (December 2012)

J
Jason Haislmaier

Presentation at the Silicon Flatirons Center at the University of Colorado School of Law. Providing an update on the latest issues and trends in data privacy and data security in the US. Focusing on recent actions of the FTC and state governments.

TecnologiaNotícias e política
1 de 72
December 6, 2012 ““Crash Course”Crash Course” onon Data Privacy and SecurityData Privacy and Security Jason Haislmaier jason.haislmaier@bryancave.com @haislmaier
May 19, 2011
June 7, 2012
Data Security Privacy
“Big Data” Volume Variety Velocity Broad and Fast
“Broad Data”
Increasing value Increasing importance Increasing scrutiny Increasing responsibility Increasing opportunity
What Should You Do?
Know Your Data Map Your Data “Ecosystem”
Data Mapping
You ?? Data Mapping
No specific comprehensive data privacy or security legislation (in the US) Legal Landscape
• EU Data Protection Directive (95/46/EC) • Regulates the processing of personal data of EU subjects – Broad scope of “personal data” – Restricts processing unless stated conditions are met – Prohibits transfer to countries not offering adequate levels of protection • US Department of Commerce-negotiated “Safe Harbor Principles” enable transfers to US companies – Self-certification regime – Allows US companies to register as compliant – FTC oversight • Proposed overhaul in the works (announced Jan. 25, 2012) Longstanding EU Regulations Legal Landscape
• State consumer protection statutes – All 50 states – Prohibitions on “unfair or deceptive” trade practices • Data breach notification statutes – At least 46 states (DC and various US territories) – Notification of state residents (and perhaps regulators) affected by unauthorized access to sensitive personal information • Data safeguards statutes – (Significant) minority of states – Safeguards to secure consumer information from unauthorized access • Data privacy statutes – Online privacy policies covering use and sharing of consumer information – Use of personal information for direct marketing purposes Growing Array of Relevant State Laws Legal Landscape
• Consumer credit - Fair Credit Reporting Act (FCRA) • Financial services - Gramm Leach Bliley Act (GLBA) • Healthcare providers - Health Insurance Portability and Accountability Act (HIPAA) • Children (under 13) - Children’s Online Privacy Protection Act (COPPA) • Video content - Video Privacy Protection Act • Others statutes covering education, payment processing, etc. Industry-specific Federal Statutes Legal Landscape
Federal Trade Commission Act (FTCA) (15 U.S.C. 41, et seq) Legal Landscape “Unfair or deceptive acts or practices”
• No specific privacy or security requirements – Broad prohibition on “unfair or deceptive acts or practices in or affecting commerce” (Section 5) • Failures to implement “reasonable and appropriate” data security measures • Deceptive data privacy policies and promises – Constituting unfair or deceptive acts or practices • Increasingly active enforcement – More than 40 actions to date • More than 25 in the last 6 years • Many more investigated but not brought – Covering largely electronically stored data and information – Targeting security breaches as well as privacy violations Federal Trade Commission Act (FTCA) Legal Landscape
Emerging Model FTC Compliance
• 20 year term • Cease misrepresentations regarding practices for information security, privacy, confidentiality, and integrity • Conduct assessment of reasonably-foreseeable, material security risks • Establish comprehensive written information security and privacy program • Designate employee(s) to coordinate and be accountable for the program • Implement employee training • Conduct biannual independent third party audits to assess security and privacy practices • Implement multiple record-keeping requirements • Implement regular testing, monitoring, and assessment • Undergo periodic reporting and compliance requirements • Impose requirements on service providers Emerging Model for Settlement and Compliance FTC Compliance
“Promises” not just Policies FTC Compliance
Jon Leibowitz Chairman of the FTC Speaking on the settlement “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users.” FTC Compliance
Jon Leibowitz Chairman of the FTC Speaking on the settlement “Innovation does not have to come at the expense of consumer privacy.” FTC Compliance
Speaking on the settlement “We've made a bunch of mistakes.” Mark Zuckerberg CEO of Facebook FTC Compliance
Scope of “Personal Information” FTC Compliance
In the Matter of UPromise, Inc. (FTC File No. 102 3116, Jan. 5, 2012) FTC Compliance
In the Matter of Eli Lilly and Company (File No. 012 3214, Januray 18, 2002) FTC Compliance
Scope of “Sensitive Information” FTC Compliance
• States have defined “sensitive information” to include SSN, drivers license number, and financial account information • FTC has broadened this definition to include – Health information – Information regarding children – Geo-location information • Trend is toward more activity in these areas • Practical considerations – Know when/where you collect sensitive information – Consider seeking consent when using sensitive data for marketing purposes – Ensure that WISPs appropriately protect sensitive information • Note that these categories of sensitive information may not trigger a data breach notification requirement under state laws Sensitive Information FTC Compliance
WISPs (Written Information Security Plans) FTC Compliance
• The “Safeguards Rule” under GLBA requires implementation of “written information security plans” – Describing the company’s program to protect customer information – Appropriate to the company, nature and scope activities, and level of sensitivity of information • FTC consent orders now generally impose similar requirements – Implementation comprehensive information security program – Fully documented in writing – Reasonably designed to protect the security and privacy of covered information – Containing controls and procedures appropriate to the • Size and complexity of the business • Nature and scope of activities • Sensitivity of the covered information • Mass. state regs. also now require WISPs WISPs FTC Compliance
“Reasonable and appropriate” security measures FTC Compliance
U.S. v. RockYou, Inc. (N.D. Cal. Mar. 26, 2012) FTC Compliance In the Matter of UPromise, Inc. (FTC File No. 102 3116, Jan. 5, 2012) In the Matter of Complete, Inc. (FTC File No. 102 3155, Oct. 22, 2012)
• Settlements provide guidance on what is not reasonable or appropriate – Collecting PII from consumers unnecessarily – Not taking steps to avoid collection of PII – Failing to test applications to ensure they are not collecting PII – Not training employees about security risks – Transmitting or storing sensitive information in unencrypted form – Failing to segment servers – Leaving systems susceptible to hacking (e.g., SQL injection attacks) – Failing to ensure that service providers use reasonable and appropriate security • They also raise practical considerations – Understand the data you are collecting, storing, accessing, and sharing – Draft WISPs to prohibit unreasonable practices – Educate and train employees – Enforce and update applicable policies Reasonable and Appropriate Security FTC Compliance
COPPA (Children’s Online Privacy Protection Act) FTC Compliance
United States of America v. Artist Arena, LLC (U.S. Dist., SDNY Oct. 2, 2012) FTC Compliance
• Artist Arena to pay $1 MM civil penalty to settle FTC complaint for COPPA violations – Operates fans sites: BieberFever.com; SelenaGomez.com; RihannaNow.com; DemiLovatoFanClub.com – Permitted users to join fan club, create profiles and post on members’ walls – FTC: knowingly registered over 25,000 children under age 13 and collected and maintained personal information from almost 75,000 additional children who began, but did not complete the registration process. • “Marketers need to know that even a bad case of Bieber Fever doesn’t excuse their legal obligation to get parental consent before collecting personal information from children,” said FTC Chairman Jon Leibowitz • “The FTC is in the process of updating the COPPA Rule to ensure that it continues to protect kids growing up in the digital age.” Aggressive COPPA Enforcement FTC Compliance
• Expands definition of “personal information” to include: – Persistent Identifiers (i.e., IP addresses, Device ID’s) – Customer numbers held in cookies – Geo-location information • Requires more effective means of obtaining parental consent (i.e. “no more email plus”) • Data minimization requirement • Requires all operators of an online service or website to provide contact information – Ad networks – Analytics providers – Other content providers FTC Issues Revised COPPA Regulations FTC Compliance
• Practical Implications for Sites/Apps “targeted to children” – Apps that utilize device ID’s could violate COPPA unless advance parental consent – Must think creatively to ensure effective parental consent – Must justify data retention and implement effective data disposal policies and procedures – Know your partners (analytics companies, third party marketing partners) and ensure downstream controls through contractual provisions • Intense industry criticism – “The 90’s called and they want their apps back” Revised COPPA Regulations FTC Compliance
Downstream obligations. . . FTC Compliance
• FTC settlements require contractual restrictions on third party service providers Requirements for Service Providers In the Matter of Google, Inc. (FTC File No. 102-3136, March 30, 2011) FTC Compliance
• FTC settlements require contractual restrictions on third party service providers • Parallel newly effective Mass. regulation (201 CMR 17.03) – Requiring companies providing service providers with personal information about Mass. residents to contractually require the providers to “implement and maintain . . . appropriate security measures” – Went into full effect on March 1, 2012 • Practical implications – Understand what service providers you are using – Revise and amend form agreements (develop form paragraphs) – Maintain a WISP with applicable policies – Conduct risk employee training – Investigate incidents and document follow-up action Requirements for Service Providers FTC Compliance
Respecting consumer choice. . . FTC Compliance
FTC Compliance U.S. v. Google, Inc. (Case No. 5:12-cv-04177-HRL, N.D.Cal. August 9, 2012)
• U.S. v. Google, Inc., Case No. 5:12-cv-04177-HRL, N.D.Cal. (August 9, 2012) • FTC charged Google with violation of Google (Buzz) Consent Order – Privacy policy permitted opt out – Google exploited loophole in Safari browser default DNT settings to drop Doubleclick tracking cookies • Google to pay $22.5mm to settle charges • Remediation measures • Self-reporting of compliance with remediation Respecting Consumer Choice on Privacy FTC Compliance
Where are we headed? . . . and what should you do?
March 26, 2012 FTC Report
• Based on a yearlong series of privacy roundtables held by the FTC • Extensive comment period (more than 450 comments received) • Provides best practices for the protection of consumer privacy • Applicable to both traditional (offline) and online businesses • Intended to assist Congress as it considers privacy legislation • Not intended to serve as a template for law enforcement actions (but what about plaintiffs attorneys?) Background FTC Report
Privacy Framework • Proposed framework is based on several core concepts – Simplified consumer choice FTC Report
• Proposed framework is based on several core concepts – Simplified consumer choice – Transparency Privacy Framework FTC Report
• Proposed framework is based on several core concepts – Simplified consumer choice – Transparency – Privacy by design Privacy Framework FTC Report
• Continued expansion of “personal information” • Codification of the definitions used in FTC settlements • Shades of the definition in the EU Data Protection Directive • Blurring of the line between PII and non-PII • When is information not PII? Scope of Personal Information FTC Report
• Data is not PII if it is not reasonably linkable to a specific consumer, computer or other device • Breaking the link – Take reasonable measures to ensure that data is de-identified – Publicly commit to not try to re-identify – Contractually prohibit downstream recipients from trying to re-identify – Take measures to silo de-identified data from PII • Cannot remove concerns by simply envisioning the sharing of only “de-identified” or anonymous data • Must actually follow FTC guidance – Prohibitions in privacy policies against re-identification – Provisions in vendor contracts regarding re-identification – Systems designed to silo off de-identified data De-Identification of Personal Information FTC Report
• Historically, divergent privacy policies and practices regarding information sharing with corporate affiliates and subsidiaries • FTC Report views affiliates as “third parties” unless the affiliate relationship is “clear to consumers” • Common branding is cited as sufficient to make a relationship clear • Uncertainty remains • Practical implications – Disclose affiliate sharing in privacy policy – Consider opt-in for sharing sensitive information with affiliates – Opt-out for non-sensitive information Requirements for Affiliates and Subsidiaries FTC Report
“Consumer Privacy Bill of Rights” White House Privacy Framework
• Combined effort of the White House, Department of Commerce, and the FTC • Provides a framework for consumer privacy protections • Establishes principles covering personal data • Proposes voluntary industry “codes of conduct” for privacy and security – Encourages inclusive and transparent process – Safe harbor status for compliance with an approved code Consumer Privacy Bill of Rights White House Privacy Framework
Mobile Applications
Mobile Applications
• FTC report on Children’s Mobile App’s and Privacy (Feb. 16, 2012) – Large number of apps (75%) targeted at children (under 13) – Apps did not provide good privacy disclosures – Will conduct additional COPPA compliance reviews over the next 6 months • FCRA Warning letters (Feb. 2012) – FTC sent letters to marketers of 6 mobile apps – Warned that apps may violate Fair Credit Reporting Act (FCRA) – If apps provide a consumer report, must comply with FCRA requirements • FTC Workshops – New guidance for advertisers on online and mobile disclosures – Updates on the 2000 FTC “Dot Com Disclosures” guidelines for online ads – Emphasizing that consumer protection laws apply online and in mobile Increasing Activity In Mobile Privacy Mobile Applications
• States have become active as well • California Attorney General (AG) announced that California state privacy law (Cal OPPA) applies to mobile applications (February 22, 2012) • Cal OPPA requires conspicuous posting of privacy policy on mobile applications • California AG issued warning letters to 100 mobile app developers in violation of Cal OPPA (October 24, 2012) – United Airlines, Delta Airlines, Open Table among those targeted – Threatens civil penalties of up to $2,500 for each download of non-compliant app Mobile Applications Increasing Activity In Mobile Privacy
Mobile Applications
• Released September 5, 2012 • Reiterates that the mobile market is not different from the Internet • General “guidelines” or “principles” for mobile app developers – Tell the Truth About What Your App Can Do – Disclose Key Information Clearly and Conspicuously – Build Privacy Considerations in From the Start – Offer Choices that are Easy to Find and Easy to Use – Honor Your Privacy Promises – Protect Kids’ Privacy – Collect Sensitive Information Only with Consent – Keep User Data Secure • Acknowledges there can be no “one-size-fits-all” approach • But also states that the laws apply to all companies FTC Guide To Marketing Mobile Apps Mobile Applications
Civil Litigation
• Unprecedented number of filed cases (both data breach and unauthorized collection/use of personal information • Emergence of a dedicated privacy plaintiffs’ bar • Not all bad news for defendants – Cases are routinely dismissed at the pleading stage (on Article III standing or inability to meet “actual injury” element of claim) – No out-of-pocket damages = No claim • But the tide seems to be turning in favor of plaintiffs Current State of Privacy Litigation Data Breach/Privacy Litigation
• Empirical Analysis of Data Breach Litigation, Carnegie Mellon/Temple University Study (February 19, 2012) • Monetary recovery/settlement positively correlated with number of records compromised, actual misuse of data, statutory damages – 3.5x more likely to draw a lawsuit if financial harm present – 6x lower when companies provide free credit monitoring • Mean settlement value of $2,500 per affected individual • Mean attorneys’ fee figure of $1.2 MM – Google Buzz: $2.5mm – TD Ameritrade: $500K (knocked down from $1.8mm) – Facebook Beacon: $2.8mm (currently on appeal) – Facebook Sponsored Stories: $10mm? • Cy pres settlements ranging from $50K to $9.5 MM Current State of Privacy Litigation Data Breach/Privacy Litigation
Insurance Coverage
• Most comprehensive general liability (CGL) policies do not cover data losses – Only insure against claims for "bodily injury", "property damage", and "personal and advertising injury“ – Many also exclude state unfair practices claims • Lawsuits by insurers for a determination of non-coverage are becoming common • More insurers are offering data breach and “cyber-liability” policies – Options and alternatives are growing – Choose wisely as exclusions may limit the benefits of coverage Does Insurance Cover Losses? Data Breach/Privacy Litigation
What Should You Do?
• Increasing value means increasing scrutiny • Enforcement will continue (and may increase) – Actual security breaches are not required – Focus is on reasonable and appropriate measures – Companies held to privacy-related promises – Scope of personal information is growing • Enforcement actions are influencing and defining industry expectations (user and customer expectations too?) • Your enforcement issue may not come from the FTC, but from a potential customer, financing source, or acquirer • Premium on increased transparency into data practices Lessons Learned Conclusion
• Know your data (map data collection, usage, and sharing) • Collect the data you need and hold it only as long as you need it • Institute procedures to secure personal information and sensitive information • Implement “privacy by design” concepts • Prepare for a breach and adopt a written information security plan (WISP) • Educate and train employees • Manage and monitor vendors and contractors Best Practices Conclusion
Jason Haislmaier jason.haislmaier@bryancave.com @haislmaier Thank You.
• Follow your WISP • Day 1: Be proactive but with an eye to litigation – Stop the bleeding – Preserve forensic evidence – Document actions • Day 2: Seek counsel – Begin to assess whether notification requirement triggered – Don’t jump the gun on disclosure – Reach out to law enforcement, • Day 3 and beyond: Manage the fallout – Public/investor relations – Customer retention/communication – Notification vendors When the Inevitable (Breach) Happens Conclusion
Conclusion

Recomendados

Data privacy act of 2012 presentation
Data privacy act of 2012 presentationData privacy act of 2012 presentation
Data privacy act of 2012 presentationKittelson & Carpo Consulting
 
CEU DPA
CEU DPACEU DPA
CEU DPABERBERGRACEMARJORIE
 
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Jay Castillo
 
Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Kirk Go
 
Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the PhilippinesShirley Ingles-Cruz
 
Data privacy act
Data privacy actData privacy act
Data privacy actansherina erika dejan
 
FOI Executive Order (Freedom of Information)
FOI Executive Order (Freedom of Information) FOI Executive Order (Freedom of Information)
FOI Executive Order (Freedom of Information) Philippine Press Institute
 
Data Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesData Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesjo bitonio
 

Recomendados

Data privacy act of 2012 presentation
Data privacy act of 2012 presentationData privacy act of 2012 presentation
Data privacy act of 2012 presentationKittelson & Carpo Consulting
 
CEU DPA
CEU DPACEU DPA
CEU DPABERBERGRACEMARJORIE
 
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Jay Castillo
 
Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Philippine Data Privacy Act of 2012 (RA 10173)
Philippine Data Privacy Act of 2012 (RA 10173)Kirk Go
 
Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the PhilippinesShirley Ingles-Cruz
 
Data privacy act
Data privacy actData privacy act
Data privacy actansherina erika dejan
 
FOI Executive Order (Freedom of Information)
FOI Executive Order (Freedom of Information) FOI Executive Order (Freedom of Information)
FOI Executive Order (Freedom of Information) Philippine Press Institute
 
Data Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesData Privacy Act of 2012 implication to cooperatives
Data Privacy Act of 2012 implication to cooperativesjo bitonio
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection ActYizi
 
Clyrofor popia readiness webinar
Clyrofor popia readiness webinarClyrofor popia readiness webinar
Clyrofor popia readiness webinarLesedi Mnisi
 
Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Werksmans Attorneys
 
Protection of Personal Information
Protection of Personal InformationProtection of Personal Information
Protection of Personal InformationFrancois Naude Jr.
 
Werksmans presentations on popi
Werksmans presentations on popiWerksmans presentations on popi
Werksmans presentations on popiWerksmans Attorneys
 
Put your left leg in, put your left leg out: the exclusions and exemptions of...
Put your left leg in, put your left leg out: the exclusions and exemptions of...Put your left leg in, put your left leg out: the exclusions and exemptions of...
Put your left leg in, put your left leg out: the exclusions and exemptions of...Werksmans Attorneys
 
Safety And Security Of Data 4
Safety And Security Of Data 4Safety And Security Of Data 4
Safety And Security Of Data 4Wynthorpe
 
Popi act presentation
Popi act presentationPopi act presentation
Popi act presentationKholisile Mazaza
 
Practical steps to take in preparation for the Protection of Personal Informa...
Practical steps to take in preparation for the Protection of Personal Informa...Practical steps to take in preparation for the Protection of Personal Informa...
Practical steps to take in preparation for the Protection of Personal Informa...Werksmans Attorneys
 
Basic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersBasic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersJDP Consulting
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislationUlf Mattsson
 
Data Privacy - Security of Personal Information
Data Privacy - Security of Personal InformationData Privacy - Security of Personal Information
Data Privacy - Security of Personal InformationJDP Consulting
 
Privacy and Data Protection in South Africa
Privacy and Data Protection in South AfricaPrivacy and Data Protection in South Africa
Privacy and Data Protection in South Africablogzilla
 
M.Marusic Dzlp E Society En
M.Marusic Dzlp E Society EnM.Marusic Dzlp E Society En
M.Marusic Dzlp E Society EnMetamorphosis
 
Data Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data SubjectData Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data SubjectJDP Consulting
 
Cyber Security from MN Government perspective
Cyber Security from MN Government perspectiveCyber Security from MN Government perspective
Cyber Security from MN Government perspectiveAnn Treacy
 
Overview of the Egyptian Personal Data Protection Law
Overview of the Egyptian Personal Data Protection LawOverview of the Egyptian Personal Data Protection Law
Overview of the Egyptian Personal Data Protection LawFatmaAkram2
 
The Popi Act 4 of 2013 - Implications for iSCM
The Popi Act 4 of 2013 - Implications for iSCMThe Popi Act 4 of 2013 - Implications for iSCM
The Popi Act 4 of 2013 - Implications for iSCMMyron Duncan Burton Betshanger
 
Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Andrew Sharpe
 
Data Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-ComplianceData Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-ComplianceJDP Consulting
 
Data Privacy and Protection Presentation
Data Privacy and Protection PresentationData Privacy and Protection Presentation
Data Privacy and Protection Presentationmlw32785
 
Philippine Republic Act No. 10173 Data Privacy Act of 2012
Philippine Republic Act No. 10173 Data Privacy Act of 2012Philippine Republic Act No. 10173 Data Privacy Act of 2012
Philippine Republic Act No. 10173 Data Privacy Act of 2012Macoy Mejia
 

Mais conteúdo relacionado

Mais procurados

Data Protection Act
Data Protection ActData Protection Act
Data Protection ActYizi
 
Clyrofor popia readiness webinar
Clyrofor popia readiness webinarClyrofor popia readiness webinar
Clyrofor popia readiness webinarLesedi Mnisi
 
Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Werksmans Attorneys
 
Protection of Personal Information
Protection of Personal InformationProtection of Personal Information
Protection of Personal InformationFrancois Naude Jr.
 
Put your left leg in, put your left leg out: the exclusions and exemptions of...
Put your left leg in, put your left leg out: the exclusions and exemptions of...Put your left leg in, put your left leg out: the exclusions and exemptions of...
Put your left leg in, put your left leg out: the exclusions and exemptions of...Werksmans Attorneys
 
Safety And Security Of Data 4
Safety And Security Of Data 4Safety And Security Of Data 4
Safety And Security Of Data 4Wynthorpe
 
Practical steps to take in preparation for the Protection of Personal Informa...
Practical steps to take in preparation for the Protection of Personal Informa...Practical steps to take in preparation for the Protection of Personal Informa...
Practical steps to take in preparation for the Protection of Personal Informa...Werksmans Attorneys
 
Basic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersBasic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersJDP Consulting
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislationUlf Mattsson
 
Data Privacy - Security of Personal Information
Data Privacy - Security of Personal InformationData Privacy - Security of Personal Information
Data Privacy - Security of Personal InformationJDP Consulting
 
Privacy and Data Protection in South Africa
Privacy and Data Protection in South AfricaPrivacy and Data Protection in South Africa
Privacy and Data Protection in South Africablogzilla
 
M.Marusic Dzlp E Society En
M.Marusic Dzlp E Society EnM.Marusic Dzlp E Society En
M.Marusic Dzlp E Society EnMetamorphosis
 
Data Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data SubjectData Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data SubjectJDP Consulting
 
Cyber Security from MN Government perspective
Cyber Security from MN Government perspectiveCyber Security from MN Government perspective
Cyber Security from MN Government perspectiveAnn Treacy
 
Overview of the Egyptian Personal Data Protection Law
Overview of the Egyptian Personal Data Protection LawOverview of the Egyptian Personal Data Protection Law
Overview of the Egyptian Personal Data Protection LawFatmaAkram2
 
Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Andrew Sharpe
 
Data Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-ComplianceData Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-ComplianceJDP Consulting
 

Mais procurados (20)

Data Protection Act
Data Protection ActData Protection Act
Data Protection Act
 
Clyrofor popia readiness webinar
Clyrofor popia readiness webinarClyrofor popia readiness webinar
Clyrofor popia readiness webinar
 
Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...Saying "I Don't": the requirement of data subject consent for purposes of dat...
Saying "I Don't": the requirement of data subject consent for purposes of dat...
 
Protection of Personal Information
Protection of Personal InformationProtection of Personal Information
Protection of Personal Information
 
Werksmans presentations on popi
Werksmans presentations on popiWerksmans presentations on popi
Werksmans presentations on popi
 
Put your left leg in, put your left leg out: the exclusions and exemptions of...
Put your left leg in, put your left leg out: the exclusions and exemptions of...Put your left leg in, put your left leg out: the exclusions and exemptions of...
Put your left leg in, put your left leg out: the exclusions and exemptions of...
 
Safety And Security Of Data 4
Safety And Security Of Data 4Safety And Security Of Data 4
Safety And Security Of Data 4
 
Popi act presentation
Popi act presentationPopi act presentation
Popi act presentation
 
Practical steps to take in preparation for the Protection of Personal Informa...
Practical steps to take in preparation for the Protection of Personal Informa...Practical steps to take in preparation for the Protection of Personal Informa...
Practical steps to take in preparation for the Protection of Personal Informa...
 
Basic Data Privacy for Non Lawyers
Basic Data Privacy for Non LawyersBasic Data Privacy for Non Lawyers
Basic Data Privacy for Non Lawyers
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislation
 
Data Privacy - Security of Personal Information
Data Privacy - Security of Personal InformationData Privacy - Security of Personal Information
Data Privacy - Security of Personal Information
 
Privacy and Data Protection in South Africa
Privacy and Data Protection in South AfricaPrivacy and Data Protection in South Africa
Privacy and Data Protection in South Africa
 
M.Marusic Dzlp E Society En
M.Marusic Dzlp E Society EnM.Marusic Dzlp E Society En
M.Marusic Dzlp E Society En
 
Data Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data SubjectData Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data Subject
 
Cyber Security from MN Government perspective
Cyber Security from MN Government perspectiveCyber Security from MN Government perspective
Cyber Security from MN Government perspective
 
Overview of the Egyptian Personal Data Protection Law
Overview of the Egyptian Personal Data Protection LawOverview of the Egyptian Personal Data Protection Law
Overview of the Egyptian Personal Data Protection Law
 
The Popi Act 4 of 2013 - Implications for iSCM
The Popi Act 4 of 2013 - Implications for iSCMThe Popi Act 4 of 2013 - Implications for iSCM
The Popi Act 4 of 2013 - Implications for iSCM
 
Data Protection (Download for slideshow)
Data Protection (Download for slideshow)Data Protection (Download for slideshow)
Data Protection (Download for slideshow)
 
Data Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-ComplianceData Privacy - Penalties for Non-Compliance
Data Privacy - Penalties for Non-Compliance
 

Destaque

Data Privacy and Protection Presentation
Data Privacy and Protection PresentationData Privacy and Protection Presentation
Data Privacy and Protection Presentationmlw32785
 
Philippine Republic Act No. 10173 Data Privacy Act of 2012
Philippine Republic Act No. 10173 Data Privacy Act of 2012Philippine Republic Act No. 10173 Data Privacy Act of 2012
Philippine Republic Act No. 10173 Data Privacy Act of 2012Macoy Mejia
 
9754_Benefit Summary 2016 revised
9754_Benefit Summary 2016 revised9754_Benefit Summary 2016 revised
9754_Benefit Summary 2016 revisedBianca Visagie
 
Government or Private Sector: The Future of Asia's Healthcare Infrastructure
Government or Private Sector: The Future of Asia's Healthcare InfrastructureGovernment or Private Sector: The Future of Asia's Healthcare Infrastructure
Government or Private Sector: The Future of Asia's Healthcare InfrastructureIris Thiele Isip-Tan
 
“Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation “Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation tomasztopa
 
Presentation on Information Privacy
Presentation on Information PrivacyPresentation on Information Privacy
Presentation on Information PrivacyPerry Slack
 
Data Security - English
Data Security - EnglishData Security - English
Data Security - EnglishData Security
 
Privacy , Security and Ethics Presentation
Privacy , Security and Ethics PresentationPrivacy , Security and Ethics Presentation
Privacy , Security and Ethics PresentationHajarul Cikyen
 
Cloud computing and data security
Cloud computing and data securityCloud computing and data security
Cloud computing and data securityMohammed Fazuluddin
 

Destaque (10)

Data Privacy and Protection Presentation
Data Privacy and Protection PresentationData Privacy and Protection Presentation
Data Privacy and Protection Presentation
 
Philippine Republic Act No. 10173 Data Privacy Act of 2012
Philippine Republic Act No. 10173 Data Privacy Act of 2012Philippine Republic Act No. 10173 Data Privacy Act of 2012
Philippine Republic Act No. 10173 Data Privacy Act of 2012
 
9754_Benefit Summary 2016 revised
9754_Benefit Summary 2016 revised9754_Benefit Summary 2016 revised
9754_Benefit Summary 2016 revised
 
DATA PRIVACY
DATA PRIVACYDATA PRIVACY
DATA PRIVACY
 
Government or Private Sector: The Future of Asia's Healthcare Infrastructure
Government or Private Sector: The Future of Asia's Healthcare InfrastructureGovernment or Private Sector: The Future of Asia's Healthcare Infrastructure
Government or Private Sector: The Future of Asia's Healthcare Infrastructure
 
“Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation “Privacy Today” Slide Presentation
“Privacy Today” Slide Presentation
 
Presentation on Information Privacy
Presentation on Information PrivacyPresentation on Information Privacy
Presentation on Information Privacy
 
Data Security - English
Data Security - EnglishData Security - English
Data Security - English
 
Privacy , Security and Ethics Presentation
Privacy , Security and Ethics PresentationPrivacy , Security and Ethics Presentation
Privacy , Security and Ethics Presentation
 
Cloud computing and data security
Cloud computing and data securityCloud computing and data security
Cloud computing and data security
 

Semelhante a Crash Course on Data Privacy (December 2012)

Presentation ncsl - mobile privacy enforcement 130502 (as presented)
Presentation ncsl - mobile privacy enforcement 130502 (as presented)Presentation ncsl - mobile privacy enforcement 130502 (as presented)
Presentation ncsl - mobile privacy enforcement 130502 (as presented)Jason Haislmaier
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Financial Poise
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsFinancial Poise
 
Data Security and Privacy Landscape 2012 (September 2012)
Data Security and Privacy Landscape 2012 (September 2012)Data Security and Privacy Landscape 2012 (September 2012)
Data Security and Privacy Landscape 2012 (September 2012)Jason Haislmaier
 
Trending Topics in Data Collection & Targeted Marketing
Trending Topics in Data Collection & Targeted MarketingTrending Topics in Data Collection & Targeted Marketing
Trending Topics in Data Collection & Targeted MarketingcdasLLP
 
California Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to knowCalifornia Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to knowOgilvy Health
 
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business ClientsCyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business ClientsShawn Tuma
 
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Diana Maier
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterJonathan Ezor
 
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model RulesData Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model Rulessaurnou
 
Data Privacy Trends in 2021: Compliance with New Regulations
Data Privacy Trends in 2021: Compliance with New RegulationsData Privacy Trends in 2021: Compliance with New Regulations
Data Privacy Trends in 2021: Compliance with New RegulationsPECB
 
Cybersecurity Legal Issues: What You Really Need to Know
Cybersecurity Legal Issues: What You Really Need to KnowCybersecurity Legal Issues: What You Really Need to Know
Cybersecurity Legal Issues: What You Really Need to KnowShawn Tuma
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? SecurityScorecard
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Shawn Tuma
 
When Past Performance May Be Indicative of Future Results - The Legal Implica...
When Past Performance May Be Indicative of Future Results - The Legal Implica...When Past Performance May Be Indicative of Future Results - The Legal Implica...
When Past Performance May Be Indicative of Future Results - The Legal Implica...Jason Haislmaier
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
 

Semelhante a Crash Course on Data Privacy (December 2012) (20)

Presentation ncsl - mobile privacy enforcement 130502 (as presented)
Presentation ncsl - mobile privacy enforcement 130502 (as presented)Presentation ncsl - mobile privacy enforcement 130502 (as presented)
Presentation ncsl - mobile privacy enforcement 130502 (as presented)
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and Requirements
 
Data Security and Privacy Landscape 2012 (September 2012)
Data Security and Privacy Landscape 2012 (September 2012)Data Security and Privacy Landscape 2012 (September 2012)
Data Security and Privacy Landscape 2012 (September 2012)
 
Privacy 101
Privacy 101Privacy 101
Privacy 101
 
Trending Topics in Data Collection & Targeted Marketing
Trending Topics in Data Collection & Targeted MarketingTrending Topics in Data Collection & Targeted Marketing
Trending Topics in Data Collection & Targeted Marketing
 
California Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to knowCalifornia Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to know
 
Protecting Donor Privacy
Protecting Donor PrivacyProtecting Donor Privacy
Protecting Donor Privacy
 
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business ClientsCyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
 
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
 
Prepare Your Firm for GDPR
Prepare Your Firm for GDPRPrepare Your Firm for GDPR
Prepare Your Firm for GDPR
 
Cloud primer
Cloud primerCloud primer
Cloud primer
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law Center
 
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model RulesData Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
 
Data Privacy Trends in 2021: Compliance with New Regulations
Data Privacy Trends in 2021: Compliance with New RegulationsData Privacy Trends in 2021: Compliance with New Regulations
Data Privacy Trends in 2021: Compliance with New Regulations
 
Cybersecurity Legal Issues: What You Really Need to Know
Cybersecurity Legal Issues: What You Really Need to KnowCybersecurity Legal Issues: What You Really Need to Know
Cybersecurity Legal Issues: What You Really Need to Know
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
 
When Past Performance May Be Indicative of Future Results - The Legal Implica...
When Past Performance May Be Indicative of Future Results - The Legal Implica...When Past Performance May Be Indicative of Future Results - The Legal Implica...
When Past Performance May Be Indicative of Future Results - The Legal Implica...
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
 

Mais de Jason Haislmaier

Mobile Apps - Legal and Practical Considerations
Mobile Apps - Legal and Practical ConsiderationsMobile Apps - Legal and Practical Considerations
Mobile Apps - Legal and Practical ConsiderationsJason Haislmaier
 
Covidien - FDA Guidance on Mobile Medical Apps 140124
Covidien - FDA Guidance on Mobile Medical Apps 140124Covidien - FDA Guidance on Mobile Medical Apps 140124
Covidien - FDA Guidance on Mobile Medical Apps 140124Jason Haislmaier
 
Presentation - Mobile Medical Applications Guidance for Industry and Food and...
Presentation - Mobile Medical Applications Guidance for Industry and Food and...Presentation - Mobile Medical Applications Guidance for Industry and Food and...
Presentation - Mobile Medical Applications Guidance for Industry and Food and...Jason Haislmaier
 
Presentation - gener8tor - Data Privacy, Security, and Rights 130627
Presentation - gener8tor - Data Privacy, Security, and Rights 130627Presentation - gener8tor - Data Privacy, Security, and Rights 130627
Presentation - gener8tor - Data Privacy, Security, and Rights 130627Jason Haislmaier
 
Licensing in the Cloud (2013 Rocky Mountain IP and Technology Institute) (May...
Licensing in the Cloud (2013 Rocky Mountain IP and Technology Institute) (May...Licensing in the Cloud (2013 Rocky Mountain IP and Technology Institute) (May...
Licensing in the Cloud (2013 Rocky Mountain IP and Technology Institute) (May...Jason Haislmaier
 
Data Property Rights (Rocky Mountain IP and Technology Institute 2013) (May 2...
Data Property Rights (Rocky Mountain IP and Technology Institute 2013) (May 2...Data Property Rights (Rocky Mountain IP and Technology Institute 2013) (May 2...
Data Property Rights (Rocky Mountain IP and Technology Institute 2013) (May 2...Jason Haislmaier
 
Open Source License Compliance in the Cloud (CELESQ) (October 2012)
Open Source License Compliance in the Cloud (CELESQ) (October 2012)Open Source License Compliance in the Cloud (CELESQ) (October 2012)
Open Source License Compliance in the Cloud (CELESQ) (October 2012)Jason Haislmaier
 
"Crash Course" on Open Source Silicon Flatirons Center (2012)
"Crash Course" on Open Source Silicon Flatirons Center (2012) "Crash Course" on Open Source Silicon Flatirons Center (2012)
"Crash Course" on Open Source Silicon Flatirons Center (2012) Jason Haislmaier
 
Data Privacy & Security Update 2012
Data Privacy & Security Update 2012Data Privacy & Security Update 2012
Data Privacy & Security Update 2012Jason Haislmaier
 
Open Source License Compliance In The Cloud
Open Source License Compliance In The CloudOpen Source License Compliance In The Cloud
Open Source License Compliance In The CloudJason Haislmaier
 
Boulder/Denver Software Club Presentation: "All Things Data - Data Right...
Boulder/Denver Software Club Presentation: "All Things Data - Data Right...Boulder/Denver Software Club Presentation: "All Things Data - Data Right...
Boulder/Denver Software Club Presentation: "All Things Data - Data Right...Jason Haislmaier
 
2011 "Crash Course" on Open Source
2011 "Crash Course" on Open Source2011 "Crash Course" on Open Source
2011 "Crash Course" on Open SourceJason Haislmaier
 
2011 Silicon Flatirons IP (Crash Course) For Entrepreneurers
2011 Silicon Flatirons IP (Crash Course) For Entrepreneurers2011 Silicon Flatirons IP (Crash Course) For Entrepreneurers
2011 Silicon Flatirons IP (Crash Course) For EntrepreneurersJason Haislmaier
 
Fundamentals in Software Licensing (J. Haislmaier - IP Institute 2010)
Fundamentals in Software Licensing (J. Haislmaier - IP Institute 2010)Fundamentals in Software Licensing (J. Haislmaier - IP Institute 2010)
Fundamentals in Software Licensing (J. Haislmaier - IP Institute 2010)Jason Haislmaier
 
Legal Issues in Cloud Computing (J. Haislmaier - IP Institute 2010)
Legal Issues in Cloud Computing (J. Haislmaier - IP Institute 2010)Legal Issues in Cloud Computing (J. Haislmaier - IP Institute 2010)
Legal Issues in Cloud Computing (J. Haislmaier - IP Institute 2010)Jason Haislmaier
 

Mais de Jason Haislmaier (15)

Mobile Apps - Legal and Practical Considerations
Mobile Apps - Legal and Practical ConsiderationsMobile Apps - Legal and Practical Considerations
Mobile Apps - Legal and Practical Considerations
 
Covidien - FDA Guidance on Mobile Medical Apps 140124
Covidien - FDA Guidance on Mobile Medical Apps 140124Covidien - FDA Guidance on Mobile Medical Apps 140124
Covidien - FDA Guidance on Mobile Medical Apps 140124
 
Presentation - Mobile Medical Applications Guidance for Industry and Food and...
Presentation - Mobile Medical Applications Guidance for Industry and Food and...Presentation - Mobile Medical Applications Guidance for Industry and Food and...
Presentation - Mobile Medical Applications Guidance for Industry and Food and...
 
Presentation - gener8tor - Data Privacy, Security, and Rights 130627
Presentation - gener8tor - Data Privacy, Security, and Rights 130627Presentation - gener8tor - Data Privacy, Security, and Rights 130627
Presentation - gener8tor - Data Privacy, Security, and Rights 130627
 
Licensing in the Cloud (2013 Rocky Mountain IP and Technology Institute) (May...
Licensing in the Cloud (2013 Rocky Mountain IP and Technology Institute) (May...Licensing in the Cloud (2013 Rocky Mountain IP and Technology Institute) (May...
Licensing in the Cloud (2013 Rocky Mountain IP and Technology Institute) (May...
 
Data Property Rights (Rocky Mountain IP and Technology Institute 2013) (May 2...
Data Property Rights (Rocky Mountain IP and Technology Institute 2013) (May 2...Data Property Rights (Rocky Mountain IP and Technology Institute 2013) (May 2...
Data Property Rights (Rocky Mountain IP and Technology Institute 2013) (May 2...
 
Open Source License Compliance in the Cloud (CELESQ) (October 2012)
Open Source License Compliance in the Cloud (CELESQ) (October 2012)Open Source License Compliance in the Cloud (CELESQ) (October 2012)
Open Source License Compliance in the Cloud (CELESQ) (October 2012)
 
"Crash Course" on Open Source Silicon Flatirons Center (2012)
"Crash Course" on Open Source Silicon Flatirons Center (2012) "Crash Course" on Open Source Silicon Flatirons Center (2012)
"Crash Course" on Open Source Silicon Flatirons Center (2012)
 
Data Privacy & Security Update 2012
Data Privacy & Security Update 2012Data Privacy & Security Update 2012
Data Privacy & Security Update 2012
 
Open Source License Compliance In The Cloud
Open Source License Compliance In The CloudOpen Source License Compliance In The Cloud
Open Source License Compliance In The Cloud
 
Boulder/Denver Software Club Presentation: "All Things Data - Data Right...
Boulder/Denver Software Club Presentation: "All Things Data - Data Right...Boulder/Denver Software Club Presentation: "All Things Data - Data Right...
Boulder/Denver Software Club Presentation: "All Things Data - Data Right...
 
2011 "Crash Course" on Open Source
2011 "Crash Course" on Open Source2011 "Crash Course" on Open Source
2011 "Crash Course" on Open Source
 
2011 Silicon Flatirons IP (Crash Course) For Entrepreneurers
2011 Silicon Flatirons IP (Crash Course) For Entrepreneurers2011 Silicon Flatirons IP (Crash Course) For Entrepreneurers
2011 Silicon Flatirons IP (Crash Course) For Entrepreneurers
 
Fundamentals in Software Licensing (J. Haislmaier - IP Institute 2010)
Fundamentals in Software Licensing (J. Haislmaier - IP Institute 2010)Fundamentals in Software Licensing (J. Haislmaier - IP Institute 2010)
Fundamentals in Software Licensing (J. Haislmaier - IP Institute 2010)
 
Legal Issues in Cloud Computing (J. Haislmaier - IP Institute 2010)
Legal Issues in Cloud Computing (J. Haislmaier - IP Institute 2010)Legal Issues in Cloud Computing (J. Haislmaier - IP Institute 2010)
Legal Issues in Cloud Computing (J. Haislmaier - IP Institute 2010)
 

Último

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Último (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Crash Course on Data Privacy (December 2012)

  • 1. December 6, 2012 ““Crash Course”Crash Course” onon Data Privacy and SecurityData Privacy and Security Jason Haislmaier jason.haislmaier@bryancave.com @haislmaier
  • 7. Increasing value Increasing importance Increasing scrutiny Increasing responsibility Increasing opportunity
  • 9. Know Your Data Map Your Data “Ecosystem”
  • 12. No specific comprehensive data privacy or security legislation (in the US) Legal Landscape
  • 13. • EU Data Protection Directive (95/46/EC) • Regulates the processing of personal data of EU subjects – Broad scope of “personal data” – Restricts processing unless stated conditions are met – Prohibits transfer to countries not offering adequate levels of protection • US Department of Commerce-negotiated “Safe Harbor Principles” enable transfers to US companies – Self-certification regime – Allows US companies to register as compliant – FTC oversight • Proposed overhaul in the works (announced Jan. 25, 2012) Longstanding EU Regulations Legal Landscape
  • 14. • State consumer protection statutes – All 50 states – Prohibitions on “unfair or deceptive” trade practices • Data breach notification statutes – At least 46 states (DC and various US territories) – Notification of state residents (and perhaps regulators) affected by unauthorized access to sensitive personal information • Data safeguards statutes – (Significant) minority of states – Safeguards to secure consumer information from unauthorized access • Data privacy statutes – Online privacy policies covering use and sharing of consumer information – Use of personal information for direct marketing purposes Growing Array of Relevant State Laws Legal Landscape
  • 15. • Consumer credit - Fair Credit Reporting Act (FCRA) • Financial services - Gramm Leach Bliley Act (GLBA) • Healthcare providers - Health Insurance Portability and Accountability Act (HIPAA) • Children (under 13) - Children’s Online Privacy Protection Act (COPPA) • Video content - Video Privacy Protection Act • Others statutes covering education, payment processing, etc. Industry-specific Federal Statutes Legal Landscape
  • 16. Federal Trade Commission Act (FTCA) (15 U.S.C. 41, et seq) Legal Landscape “Unfair or deceptive acts or practices”
  • 17. • No specific privacy or security requirements – Broad prohibition on “unfair or deceptive acts or practices in or affecting commerce” (Section 5) • Failures to implement “reasonable and appropriate” data security measures • Deceptive data privacy policies and promises – Constituting unfair or deceptive acts or practices • Increasingly active enforcement – More than 40 actions to date • More than 25 in the last 6 years • Many more investigated but not brought – Covering largely electronically stored data and information – Targeting security breaches as well as privacy violations Federal Trade Commission Act (FTCA) Legal Landscape
  • 19. • 20 year term • Cease misrepresentations regarding practices for information security, privacy, confidentiality, and integrity • Conduct assessment of reasonably-foreseeable, material security risks • Establish comprehensive written information security and privacy program • Designate employee(s) to coordinate and be accountable for the program • Implement employee training • Conduct biannual independent third party audits to assess security and privacy practices • Implement multiple record-keeping requirements • Implement regular testing, monitoring, and assessment • Undergo periodic reporting and compliance requirements • Impose requirements on service providers Emerging Model for Settlement and Compliance FTC Compliance
  • 21. Jon Leibowitz Chairman of the FTC Speaking on the settlement “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users.” FTC Compliance
  • 22. Jon Leibowitz Chairman of the FTC Speaking on the settlement “Innovation does not have to come at the expense of consumer privacy.” FTC Compliance
  • 23. Speaking on the settlement “We've made a bunch of mistakes.” Mark Zuckerberg CEO of Facebook FTC Compliance
  • 25. In the Matter of UPromise, Inc. (FTC File No. 102 3116, Jan. 5, 2012) FTC Compliance
  • 26. In the Matter of Eli Lilly and Company (File No. 012 3214, Januray 18, 2002) FTC Compliance
  • 28. • States have defined “sensitive information” to include SSN, drivers license number, and financial account information • FTC has broadened this definition to include – Health information – Information regarding children – Geo-location information • Trend is toward more activity in these areas • Practical considerations – Know when/where you collect sensitive information – Consider seeking consent when using sensitive data for marketing purposes – Ensure that WISPs appropriately protect sensitive information • Note that these categories of sensitive information may not trigger a data breach notification requirement under state laws Sensitive Information FTC Compliance
  • 29. WISPs (Written Information Security Plans) FTC Compliance
  • 30. • The “Safeguards Rule” under GLBA requires implementation of “written information security plans” – Describing the company’s program to protect customer information – Appropriate to the company, nature and scope activities, and level of sensitivity of information • FTC consent orders now generally impose similar requirements – Implementation comprehensive information security program – Fully documented in writing – Reasonably designed to protect the security and privacy of covered information – Containing controls and procedures appropriate to the • Size and complexity of the business • Nature and scope of activities • Sensitivity of the covered information • Mass. state regs. also now require WISPs WISPs FTC Compliance
  • 31. “Reasonable and appropriate” security measures FTC Compliance
  • 32. U.S. v. RockYou, Inc. (N.D. Cal. Mar. 26, 2012) FTC Compliance In the Matter of UPromise, Inc. (FTC File No. 102 3116, Jan. 5, 2012) In the Matter of Complete, Inc. (FTC File No. 102 3155, Oct. 22, 2012)
  • 33. • Settlements provide guidance on what is not reasonable or appropriate – Collecting PII from consumers unnecessarily – Not taking steps to avoid collection of PII – Failing to test applications to ensure they are not collecting PII – Not training employees about security risks – Transmitting or storing sensitive information in unencrypted form – Failing to segment servers – Leaving systems susceptible to hacking (e.g., SQL injection attacks) – Failing to ensure that service providers use reasonable and appropriate security • They also raise practical considerations – Understand the data you are collecting, storing, accessing, and sharing – Draft WISPs to prohibit unreasonable practices – Educate and train employees – Enforce and update applicable policies Reasonable and Appropriate Security FTC Compliance
  • 34. COPPA (Children’s Online Privacy Protection Act) FTC Compliance
  • 35. United States of America v. Artist Arena, LLC (U.S. Dist., SDNY Oct. 2, 2012) FTC Compliance
  • 36. • Artist Arena to pay $1 MM civil penalty to settle FTC complaint for COPPA violations – Operates fans sites: BieberFever.com; SelenaGomez.com; RihannaNow.com; DemiLovatoFanClub.com – Permitted users to join fan club, create profiles and post on members’ walls – FTC: knowingly registered over 25,000 children under age 13 and collected and maintained personal information from almost 75,000 additional children who began, but did not complete the registration process. • “Marketers need to know that even a bad case of Bieber Fever doesn’t excuse their legal obligation to get parental consent before collecting personal information from children,” said FTC Chairman Jon Leibowitz • “The FTC is in the process of updating the COPPA Rule to ensure that it continues to protect kids growing up in the digital age.” Aggressive COPPA Enforcement FTC Compliance
  • 37. • Expands definition of “personal information” to include: – Persistent Identifiers (i.e., IP addresses, Device ID’s) – Customer numbers held in cookies – Geo-location information • Requires more effective means of obtaining parental consent (i.e. “no more email plus”) • Data minimization requirement • Requires all operators of an online service or website to provide contact information – Ad networks – Analytics providers – Other content providers FTC Issues Revised COPPA Regulations FTC Compliance
  • 38. • Practical Implications for Sites/Apps “targeted to children” – Apps that utilize device ID’s could violate COPPA unless advance parental consent – Must think creatively to ensure effective parental consent – Must justify data retention and implement effective data disposal policies and procedures – Know your partners (analytics companies, third party marketing partners) and ensure downstream controls through contractual provisions • Intense industry criticism – “The 90’s called and they want their apps back” Revised COPPA Regulations FTC Compliance
  • 39. Downstream obligations. . . FTC Compliance
  • 40. • FTC settlements require contractual restrictions on third party service providers Requirements for Service Providers In the Matter of Google, Inc. (FTC File No. 102-3136, March 30, 2011) FTC Compliance
  • 41. • FTC settlements require contractual restrictions on third party service providers • Parallel newly effective Mass. regulation (201 CMR 17.03) – Requiring companies providing service providers with personal information about Mass. residents to contractually require the providers to “implement and maintain . . . appropriate security measures” – Went into full effect on March 1, 2012 • Practical implications – Understand what service providers you are using – Revise and amend form agreements (develop form paragraphs) – Maintain a WISP with applicable policies – Conduct risk employee training – Investigate incidents and document follow-up action Requirements for Service Providers FTC Compliance
  • 42. Respecting consumer choice. . . FTC Compliance
  • 43. FTC Compliance U.S. v. Google, Inc. (Case No. 5:12-cv-04177-HRL, N.D.Cal. August 9, 2012)
  • 44. • U.S. v. Google, Inc., Case No. 5:12-cv-04177-HRL, N.D.Cal. (August 9, 2012) • FTC charged Google with violation of Google (Buzz) Consent Order – Privacy policy permitted opt out – Google exploited loophole in Safari browser default DNT settings to drop Doubleclick tracking cookies • Google to pay $22.5mm to settle charges • Remediation measures • Self-reporting of compliance with remediation Respecting Consumer Choice on Privacy FTC Compliance
  • 45. Where are we headed? . . . and what should you do?
  • 47. • Based on a yearlong series of privacy roundtables held by the FTC • Extensive comment period (more than 450 comments received) • Provides best practices for the protection of consumer privacy • Applicable to both traditional (offline) and online businesses • Intended to assist Congress as it considers privacy legislation • Not intended to serve as a template for law enforcement actions (but what about plaintiffs attorneys?) Background FTC Report
  • 48. Privacy Framework • Proposed framework is based on several core concepts – Simplified consumer choice FTC Report
  • 49. • Proposed framework is based on several core concepts – Simplified consumer choice – Transparency Privacy Framework FTC Report
  • 50. • Proposed framework is based on several core concepts – Simplified consumer choice – Transparency – Privacy by design Privacy Framework FTC Report
  • 51. • Continued expansion of “personal information” • Codification of the definitions used in FTC settlements • Shades of the definition in the EU Data Protection Directive • Blurring of the line between PII and non-PII • When is information not PII? Scope of Personal Information FTC Report
  • 52. • Data is not PII if it is not reasonably linkable to a specific consumer, computer or other device • Breaking the link – Take reasonable measures to ensure that data is de-identified – Publicly commit to not try to re-identify – Contractually prohibit downstream recipients from trying to re-identify – Take measures to silo de-identified data from PII • Cannot remove concerns by simply envisioning the sharing of only “de-identified” or anonymous data • Must actually follow FTC guidance – Prohibitions in privacy policies against re-identification – Provisions in vendor contracts regarding re-identification – Systems designed to silo off de-identified data De-Identification of Personal Information FTC Report
  • 53. • Historically, divergent privacy policies and practices regarding information sharing with corporate affiliates and subsidiaries • FTC Report views affiliates as “third parties” unless the affiliate relationship is “clear to consumers” • Common branding is cited as sufficient to make a relationship clear • Uncertainty remains • Practical implications – Disclose affiliate sharing in privacy policy – Consider opt-in for sharing sensitive information with affiliates – Opt-out for non-sensitive information Requirements for Affiliates and Subsidiaries FTC Report
  • 54. “Consumer Privacy Bill of Rights” White House Privacy Framework
  • 55. • Combined effort of the White House, Department of Commerce, and the FTC • Provides a framework for consumer privacy protections • Establishes principles covering personal data • Proposes voluntary industry “codes of conduct” for privacy and security – Encourages inclusive and transparent process – Safe harbor status for compliance with an approved code Consumer Privacy Bill of Rights White House Privacy Framework
  • 58. • FTC report on Children’s Mobile App’s and Privacy (Feb. 16, 2012) – Large number of apps (75%) targeted at children (under 13) – Apps did not provide good privacy disclosures – Will conduct additional COPPA compliance reviews over the next 6 months • FCRA Warning letters (Feb. 2012) – FTC sent letters to marketers of 6 mobile apps – Warned that apps may violate Fair Credit Reporting Act (FCRA) – If apps provide a consumer report, must comply with FCRA requirements • FTC Workshops – New guidance for advertisers on online and mobile disclosures – Updates on the 2000 FTC “Dot Com Disclosures” guidelines for online ads – Emphasizing that consumer protection laws apply online and in mobile Increasing Activity In Mobile Privacy Mobile Applications
  • 59. • States have become active as well • California Attorney General (AG) announced that California state privacy law (Cal OPPA) applies to mobile applications (February 22, 2012) • Cal OPPA requires conspicuous posting of privacy policy on mobile applications • California AG issued warning letters to 100 mobile app developers in violation of Cal OPPA (October 24, 2012) – United Airlines, Delta Airlines, Open Table among those targeted – Threatens civil penalties of up to $2,500 for each download of non-compliant app Mobile Applications Increasing Activity In Mobile Privacy
  • 61. • Released September 5, 2012 • Reiterates that the mobile market is not different from the Internet • General “guidelines” or “principles” for mobile app developers – Tell the Truth About What Your App Can Do – Disclose Key Information Clearly and Conspicuously – Build Privacy Considerations in From the Start – Offer Choices that are Easy to Find and Easy to Use – Honor Your Privacy Promises – Protect Kids’ Privacy – Collect Sensitive Information Only with Consent – Keep User Data Secure • Acknowledges there can be no “one-size-fits-all” approach • But also states that the laws apply to all companies FTC Guide To Marketing Mobile Apps Mobile Applications
  • 63. • Unprecedented number of filed cases (both data breach and unauthorized collection/use of personal information • Emergence of a dedicated privacy plaintiffs’ bar • Not all bad news for defendants – Cases are routinely dismissed at the pleading stage (on Article III standing or inability to meet “actual injury” element of claim) – No out-of-pocket damages = No claim • But the tide seems to be turning in favor of plaintiffs Current State of Privacy Litigation Data Breach/Privacy Litigation
  • 64. • Empirical Analysis of Data Breach Litigation, Carnegie Mellon/Temple University Study (February 19, 2012) • Monetary recovery/settlement positively correlated with number of records compromised, actual misuse of data, statutory damages – 3.5x more likely to draw a lawsuit if financial harm present – 6x lower when companies provide free credit monitoring • Mean settlement value of $2,500 per affected individual • Mean attorneys’ fee figure of $1.2 MM – Google Buzz: $2.5mm – TD Ameritrade: $500K (knocked down from $1.8mm) – Facebook Beacon: $2.8mm (currently on appeal) – Facebook Sponsored Stories: $10mm? • Cy pres settlements ranging from $50K to $9.5 MM Current State of Privacy Litigation Data Breach/Privacy Litigation
  • 66. • Most comprehensive general liability (CGL) policies do not cover data losses – Only insure against claims for "bodily injury", "property damage", and "personal and advertising injury“ – Many also exclude state unfair practices claims • Lawsuits by insurers for a determination of non-coverage are becoming common • More insurers are offering data breach and “cyber-liability” policies – Options and alternatives are growing – Choose wisely as exclusions may limit the benefits of coverage Does Insurance Cover Losses? Data Breach/Privacy Litigation
  • 68. • Increasing value means increasing scrutiny • Enforcement will continue (and may increase) – Actual security breaches are not required – Focus is on reasonable and appropriate measures – Companies held to privacy-related promises – Scope of personal information is growing • Enforcement actions are influencing and defining industry expectations (user and customer expectations too?) • Your enforcement issue may not come from the FTC, but from a potential customer, financing source, or acquirer • Premium on increased transparency into data practices Lessons Learned Conclusion
  • 69. • Know your data (map data collection, usage, and sharing) • Collect the data you need and hold it only as long as you need it • Institute procedures to secure personal information and sensitive information • Implement “privacy by design” concepts • Prepare for a breach and adopt a written information security plan (WISP) • Educate and train employees • Manage and monitor vendors and contractors Best Practices Conclusion
  • 71. • Follow your WISP • Day 1: Be proactive but with an eye to litigation – Stop the bleeding – Preserve forensic evidence – Document actions • Day 2: Seek counsel – Begin to assess whether notification requirement triggered – Don’t jump the gun on disclosure – Reach out to law enforcement, • Day 3 and beyond: Manage the fallout – Public/investor relations – Customer retention/communication – Notification vendors When the Inevitable (Breach) Happens Conclusion