Data privacy, security and rights presentation given to the Gener8tor companies on June 27, 2013. Covering data privacy and data security rights issues relevant to startups and the evolution of the value of data.
Presentation - gener8tor - Data Privacy, Security, and Rights 130627
Copyright 2013 Bryan Cave LLP
June 27, 2013
Jason Haislmaier
jason.haislmaier@bryancave.com
Data Privacy, Security, Rights
Copyright 2013 Jason D. Haislmaier
This presentation is intended for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances, nor is it intended to address specific legal compliance issues that may arise in particular circumstances. Please consult counsel concerning your own situation and any specific legal questions you may have.

The thoughts and opinions expressed in this presentation are those of the individual presenters and do not necessarily reflect the official or unofficial thoughts or opinions of their employers.

For further information regarding this presentation, please contact the presenter(s) listed in the presentation.

Unless otherwise noted, all original content in this presentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License available at: http://creativecommons.org/licenses/by-sa/3.0/us.
Data: Privacy, Security, Rights
Data: increasing importance, increasing value
Data as Property
What “rights” protect data?
No specific comprehensive legal protection for data or databases in the US
• Trademarks - Branding and Identity
• Patents - Ideas and Inventions
• Trade Secrets - “Know-How”
• Copyrights - Creative Expressions
Data Rights: In General
• No specific comprehensive protections under US law
• Limited protections may be available through traditional IP laws
– Copyright
– Trade secret
– Contract
– Other legal theories (but generally limited)
• Growing data privacy and security protections are also shaping rights in data
– General purpose laws
– Industry-specific federal laws
– State data security and privacy laws
– Increasing federal (and state) enforcement actions
Data Rights: Traditional IP laws provide limited and inconsistent protections
Other sources of protection...
Data Rights (diagram): Data Privacy, Data Security, Copyright, Trade Secret, Contract, Industry Practice, State Law, FTC Action
Contracts: Terms of Service, Privacy Policy
Contracts: Contract Rights in Data
• Emerging as a primary form of protection for data
• Permit broad protection, potentially even over data and databases not subject to traditional IP protection
• Limited to the entities bound by the contract
• Even where traditional IP protection is not available, contracts have become critical to obtaining and clarifying rights in data
– Each form of IP has its own rules regarding ownership
– Left to applicable law, ownership is often (very) unclear
– At best this leaves the potential for confusion
– Assignments and licenses are preferred to clarify these rights
• Industry expectations have risen with the rising value of data
– Contracts required to evidence adequate rights in transactions involving data
– Not unlike rights in software itself
Data Privacy, Data Security
No specific comprehensive data privacy or data security legislation in the US
Established Standards, Growing Expectations
Compliance: “Promises,” not just Policies
Jon Leibowitz, Chairman of the FTC, speaking on the settlement: “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users.”
Jon Leibowitz, Chairman of the FTC, speaking on the settlement: “Innovation does not have to come at the expense of consumer privacy.”
Mark Zuckerberg, CEO of Facebook, speaking on the settlement: “We've made a bunch of mistakes.”
Data Privacy and Security: Growing Array of Relevant State Laws
• State consumer protection statutes
– All 50 states
– Prohibitions on “unfair or deceptive” trade practices
• Data breach notification statutes
– At least 46 states (DC and various US territories)
– Notification of state residents (and perhaps regulators) affected by unauthorized access to sensitive personal information
• Data safeguards statutes
– (Significant) minority of states
– Safeguards to secure consumer information from unauthorized access
• Data privacy statutes
– Online privacy policies covering use and sharing of consumer information
– Use of personal information for direct marketing purposes
Data Privacy and Security: Longstanding Comprehensive EU Regulations
• EU Data Protection Directive (95/46/EC)
• Regulates the processing of personal data of EU subjects
– Broad scope of “personal data”
– Restricts processing unless stated conditions are met
– Prohibits transfer to countries not offering adequate levels of protection
• Requires the member countries to pass consistent laws (more or less)
• US Department of Commerce-negotiated “Safe Harbor Principles” enable transfers to US companies
– Self-certification regime
– Allows US companies to register as compliant
– FTC oversight
• Proposed overhaul in the works (announced Jan. 25, 2012)
Data Privacy and Security: Industry-specific Federal Statutes
• Consumer credit - Fair Credit Reporting Act (FCRA)
• Financial services - Gramm-Leach-Bliley Act (GLBA)
• Healthcare providers - Health Insurance Portability and Accountability Act (HIPAA)
• Children (under 13) - Children’s Online Privacy Protection Act (COPPA)
• Video content - Video Privacy Protection Act
• Other statutes covering education, payment processing, etc.
Federal Trade Commission Act (15 U.S.C. 41, et seq.): “Unfair or deceptive acts or practices”
FTC Enforcement Actions: Increasing Activity
• Trend toward increasing enforcement
– More than 45 actions to date
– More than 25 in the last 6 years
– Many more investigated but not brought
• Covering largely electronically stored data and information
• Targeting data security as well as data privacy
• Increasing trend toward mobile data privacy and security
FTC Enforcement Actions: Emerging Models for Compliance
FTC Enforcement Actions: Legislation by Consent Decree
• 20-year term
• Cease misrepresentations regarding practices for information security, privacy, confidentiality, and integrity
• Conduct assessment of reasonably foreseeable, material security risks
• Establish comprehensive written information security and privacy program
• Designate employee(s) to coordinate and be accountable for the program
• Implement employee training
• Conduct biennial independent third-party security and privacy assessments
• Implement multiple record-keeping requirements
• Implement regular testing, monitoring, and assessment
• Undergo periodic reporting and compliance requirements
• Impose requirements on service providers
Not just enforcement... Standards, Best practices, Codes of Conduct
Mobile Applications
Lots of Activity
• FTC report on Children’s Mobile Apps and Privacy (Feb. 16, 2012)
– Large number of apps (75%) targeted at children (under 13)
– Apps did not provide good privacy disclosures
– Will conduct additional COPPA compliance reviews over the next 6 months
• FCRA warning letters (Feb. 2012)
– FTC sent letters to marketers of 6 mobile apps
– Warned that apps may violate the Fair Credit Reporting Act (FCRA)
– If apps provide a consumer report, they must comply with FCRA requirements
• FTC Dot Com Disclosures Workshop (May 30, 2012)
– New guidance for advertisers on disclosures in the online and mobile environment
– Focus on advancements and developments since the FTC issued its “Dot Com Disclosures” guidelines for online advertising disclosure (released in 2000)
– Emphasis on the notion that consumer protection laws apply equally to online and mobile marketers
FTC Guide To Marketing Mobile Apps
• The mobile market is not different from the Internet
• General “guidelines” or “principles” for mobile app developers
– Tell the Truth About What Your App Can Do
– Disclose Key Information Clearly and Conspicuously
– Build Privacy Considerations in From the Start
– Offer Choices that are Easy to Find and Easy to Use
– Honor Your Privacy Promises
– Protect Kids’ Privacy
– Collect Sensitive Information Only with Consent
– Keep User Data Secure
• Acknowledges there can be no “one-size-fits-all” approach
• But also states that the laws apply to all companies
What Should You Do?
Know your data. Make each use of data a knowing (and compliant) use of data.
Closing Thoughts: Lessons Learned
• We are in an era of increasing data value
• Increasing value means greater focus on data rights
• We do not have the benefit of strong and comprehensive laws to match
• Data “rights” are defined through an increasingly broad array of sources
– Traditional IP rights
– Contract protections
– Growing data privacy and data security obligations
• Understand the protections, understand the inconsistencies
• Appreciate the growing standards and expectations
• Issues relating to data will only continue to increase (transactions and litigation)
Thank You.
Jason Haislmaier
jason.haislmaier@bryancave.com
@haislmaier
http://www.linkedin.com/in/haislmaier