Playing in the Big (Data) Leagues: Consumer Data Mining Data Privacy and Compliance

Size: px

Start display at page:

Download "Playing in the Big (Data) Leagues: Consumer Data Mining Data Privacy and Compliance"

Beverly Owen
5 years ago
Views:

1 Playing in the Big (Data) Leagues: Consumer Data Mining Data Privacy and Compliance Presented by Charlie Bingham, Legal and Corporate Affairs -Enterprise Partner Group, Microsoft Corporation Rachel Reid, Senior Counsel and Chief Privacy Officer, Voya Financial Cassie Sadowitz, Deputy General Counsel, Jacksonville Jaguars Danielle Vanderzanden, Shareholder, Ogletree, Deakins, Nash, Smoak & Stewart, P.C. Moderated by Emily Roisman, Attorney

2 Agenda The Big Data Problem Information Privacy and Data Security Matter Data Capture Concerns Data Sharing Risks Prevention, Compliance, Training and Development

3 The Big Data Problem Vulnerabilities are exploding By 2018, daily mobile data traffic may be as high as 5,000 times the contents of the Library of Congress One victim reports over 250 million in breach-related expenses

4 The Big Data Problem Settlements routinely in the millions 10 million to consumers 19 million to credit card companies 4.8 million in HIPAA settlements $3 million to breach victims, even those who have not suffered direct harm

5 The Big Data Problem (cont.) FBI distinguishes data holders as follows: Those who have been breached and know it Those who have been breached but do not yet know it Experts say 96% of systems breached

6 The Big Data Problem (cont.) Breaches affected increasingly large numbers of people 80 million insureds 25 million government employees/their relatives 1 million biometric fingerprints

7 Poll Who is in our Audience Public or private company Multi-dimensional privacy team or single person US-based operations only or Canada EU Asia Pacific

8 Poll Who is in our Audience (cont.) Incident response plan in place Multiple outside legal resources in case of ethical conflict IT Security Budget Data map Logging

9 Poll Who is in our Audience (cont.) Plans for business and personnel continuity in event of attack Third party/vendor due diligence Insurance Multiple outside technical and legal teams in case of conflict

10 Information Privacy and Data Security Matter Evolving Compliance Challenges Statutory schemes Regulatory schemes International Issues Data security liability Total costs run to hundreds of millions

11 Information Privacy and Data Security Matter (cont.) More headline stories 1.4 million vehicles recalled to block hacking CEO/35-year employee resigns over breach that affected 40 million consumers Agency Chief resigns CIO loses job over data breach

12 Distinguishing Privacy from Security Privacy Philosophical in nature Involves completing claims to Legitimate access to Use of and Ability to alter information Dictates implementation of security options Defines direction for security

13 Distinguishing Privacy from Security (cont.) Security Implements privacy s philosophical choices Defines Implementation of privacy choices Ability to alter information Involves barriers Physical Technological and Administrative

14 Distinguishing Privacy from Security (cont.) International expectations differ Canada EU focuses on 6 issues Asia Pacific

15 Data Capture Concerns What, why and howdo you collect Who collects on your behalf Do you collect and share Where and when do you store collected data Consider statutory and regulatory issues TCPA, COPPA, CAN-SPAM, HIPAA PCI-DSS, IRS 1075 Safeguards, FERPA FISMA/FEDRamp, ISO 27018

16 Data Capture Best Practices Collect only what you need Keep only as long as necessary Identify what you collect Define usage accurately Provide conspicuous, comprehensible notice

17 Data Capture Best Practices (cont.) As collection practices change, adjust Notices, policies and practices Update data collection forms regularly Hard copy Electronic Comply with applicable requirements

18 Data Capture Best Practices (cont.) Avoid collecting keystroke data Protect site from malware Provide conspicuous website notice Hypernotify re behaviorial tracking Comply with applicable requirements

19 Data Sharing Issues Data sharing refers to the exchange of data among People Technologies Organizations E.g., social media Vendors/sponsors Customers/researchers

20 Data Sharing Issues (cont.) Confidentiality Integrity Availability Notice

21 Data Sharing Best Practices Detailed data protection/processing agreements Data indemnity licenses Due diligence and audit programs Robust disclaimers in Terms and conditions of use Marketing materials

22 Data Sharing Best Practices (cont.) Protocols for secure storage and transmission Database management Specificity regarding use, ownership, and access Waivers and registration

23 Data Sharing Best Practices (cont.) Incident notification and response processes State data breach notification laws HIPAA Notify law enforcement and credit reporting bureaus as required Provide identity theft protection As required To protect goodwill

24 Data Sharing Best Practices (cont.) Review third-party service provider agreements Accurately describe privacy, security, integrity of user information Audit regularly and take remedial measures

25 Data Sharing Best Practices (cont.) With third party SaaS, IaaSand PaasVendors: Share security and privacy responsibilities Establish detailed agreements Address access to customer data issues Verify compliance independently Check for appropriate certifications (SOC, FEDRamp, PCI-DSS) Apply EU model clauses Follow ISO best practices

26 Prevention, Internal Compliance, Training and Development Collaborate with Data Analytics to provide training TCPA; CAN-SPAM; CASL; FTC Guidelines Explain legal background Provide prospecting guidelines

27 Prevention, Internal Compliance, Training and Development (cont.) Address social media issues Navigating social media platform s TOU Your company s privacy notice, privacy policy and TOU

28 Prevention, Internal Compliance, Training and Development (cont.) PCI Compliance Establish internal controls/processes for transactions Ticketmaster live chat phone Conduct internal audits

29 Prevention, Internal Compliance, Training and Development (cont.) Implement and enforce protective policies Develop administrative, technical and physical safeguards for data Restrict access to sensitive data and transmit securely Update protective measures as technology develops

30 Prevention, Internal Compliance, Training and Development (cont.) Designate accountable employees Provide comprehensive employee training Use portable devices safely and guard them zealously Surf and communicate electronically in a responsible manner Security program must evolve with business

31 Prevention, Internal Compliance, Training and Development (cont.) Remediation Document Preservation Legal consultation and privilege issues Public relations

Cyber Risks in the Boardroom Conference

Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks