Getting Your Privacy House in Order

Lisa J. Sotto, Partner, Hunton & Williams LLP, (212) 309-1223, lsotto@hunton.com
Ewa Abrams, Associate General Counsel, Tiffany & Co., (212) 230-5351, ewa.abrams@tiffany.com
Victoria King, Global Privacy Officer, UPS, (404) 828-6550, vking@ups.com

www.huntonprivacyblog.com
September 16, 2014

Roadmap
- Building blocks of a global privacy program
- Know your data
- Managing a global enterprise
  - Privacy policies
  - Cross-border data transfer restrictions
  - Registrations
- Workplace privacy
  - Monitoring policies
  - Whistleblower hotlines
  - BYOD
- Vendor management
- Marketing uses of data
- Cloud computing
- Cybersecurity and breach preparedness

Data Flow Mapping
- What personal data does your company collect, use and store?
- In what systems?
- Where are they located?
- Consider the various buckets of personal data
  - HR
  - Consumer
  - Vendor

Privacy Policies
- Consumer facing privacy notices
  - Online
  - Apps
  - Stores
  - Special events
- HR privacy policies
- Other privacy policies
  - For example, Safe Harbor Policy

Cross-Border Data Transfers
- EEA
  - Consent
  - Model clauses
  - Safe Harbor
  - BCRs
- Asia
  - CBPRs
- Other jurisdictions with cross-border data transfer restrictions

Registrations
- Registering the entity's data processing activities
- Tackling the logistical nightmare
- Country-specific issues
  - For example, whistleblower hotlines

Workplace Privacy Issues
- Monitoring electronic communications and devices
  - Global variations
- Social media use policies
  - Overlap with labor and employment law
  - NLRB issues

Whistleblower Hotlines
- Understanding the issues
- Managing your hotline provider
- Appropriate documentation
- Global inconsistencies

Vendor Management
- Identifying all vendors with access to personal data
- Conducting due diligence
- Contractual protections
- Ongoing monitoring

Marketing Uses of Data
- Traditional CRM
- Online behavioral advertising and retargeting
- Apps
- Cookies
- EU-specific issues
- Data analytics

Bring Your Own Device
- What are the key challenges?
- Voluntary
- Monitoring work-related activities
- Notice and consent

Cloud Computing Issues
- Data that resides in a cloud is maintained by a service provider and locations can change without notice
- Which jurisdiction's laws apply?
- Cross-border data transfer restrictions are problematic
- Security is a key concern
- Law enforcement access to data stored in the cloud
- Consider service provider restrictions
  - HIPAA
  - GLB

Incident Response and Proactive Preparation
- Incident response plan and team
- Tabletop exercise
- Vendor engagements
- Law enforcement coordination
- Cyber insurance

Final Words of Wisdom

Contacts

Lisa J. Sotto, Partner, Hunton & Williams LLP, (212) 309-1223, lsotto@hunton.com
Ewa Abrams, Associate General Counsel, Tiffany & Co., (212) 230-5351, ewa.abrams@tiffany.com
Victoria King, Global Privacy Officer, UPS, (404) 828-6550, vking@ups.com

www.huntonprivacyblog.com
@hunton_privacy

Speaker Biographies

Lisa J. Sotto

Lisa J. Sotto is the managing partner of the firm's New York office, and chairs the firm's top-ranked Global Privacy and Cybersecurity practice. Named among The National Law Journal's 100 Most Influential Lawyers in 2013, she also was voted the world's leading privacy advisor in Computerworld's three most recent annual surveys and was recognized by Chambers and Partners as a Star performer for Privacy & Data Security. Ms. Sotto also is recognized as a leading lawyer by The Legal 500 United States. Ms. Sotto has extensive experience counseling clients on privacy, cybersecurity and records management issues. She serves as Chairperson of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee. Ms. Sotto is a member of the Board of Directors of the International Association of Privacy Professionals, co-chair of the International Privacy Law Committee of the New York State Bar Association, and chair of the New York Privacy Officers Forum. She is the editor and lead author of the legal treatise entitled Privacy and Data Security Law Deskbook, published by Aspen Publishers, Wolters Kluwer Law & Business.

Ewa Abrams

Ewa Abrams is Vice President - Associate General Counsel & Chief Privacy Officer of Tiffany & Co. Her work at Tiffany has spanned a variety of practice areas including corporate intellectual property management; unfair competition; anti-counterfeiting; data privacy / security; internet, advertising and media law; securities; and regulatory and compliance matters. For over ten years, Ms. Abrams has been responsible for all aspects of the management of Tiffany's worldwide intellectual property matters, including the strategic administration and protection of Tiffany & Co.'s worldwide trademarks, copyrights and patents. Ms. Abrams specializes in trademark prosecution and enforcement, with an emphasis on internet-related issues, including advertising and social media. In her role as Chief Privacy Officer, she is responsible for worldwide privacy compliance for the company, which includes identifying, evaluating and managing risks associated with privacy and information management on a global basis.

Victoria King

Victoria King is the Global Privacy Officer for UPS. She manages privacy and data protection for UPS global operations, which encompass more than 440,000 employees, operations in 220 countries and more than 4 billion annual deliveries. She works closely with both her US and international privacy team members to address both tactical and strategic privacy matters. She also chairs the company's Information Security Council, a cross-functional management group that addresses privacy governance, strategic projects, communications and training. Victoria has been with UPS for 15 years and previously worked with the company's Legal and Public Affairs Departments. Prior to joining UPS, she was a partner with the Southern California law firm of Best, Best & Krieger. She started her professional career with PriceWaterhouseCoopers, working in their Los Angeles, St. Louis and Frankfurt, Germany offices. Victoria joined the International Association of Privacy Professionals (IAPP) Educational Advisory Board in 2014. She co-chairs the IAPP's Atlanta Chapter of Privacy Professionals and has received her Certified Information Privacy Professional (CIPP) certification for both US and Information Technology.