Hot Topics in Privacy
Gretchen S. Herault, Monster Worldwide
SCCE Conference, April 12, 2013

Agenda
Privacy Landscape: current state of regulatory coverage
> Global
> Industry sector
> Technology
Hot Topics
Common Themes
Action Steps
Questions
Additional Resources
Privacy Landscape

Current Landscape
US
> Regulation is organized by industry sector and grounded in consumer protection principles (FTC, SEC)
> State-level regulation: data breach notification requirements; MA and NV also impose security requirements for personal information
Canada and EU
> Comprehensive privacy frameworks, based on the notion of privacy as a fundamental human right
> Canada: PIPEDA
> EU: each member country implements the EU Data Protection Directive through its own legislation
APAC and Latin America
> Varies by country
> Countries with newer regimes are adopting European-style approaches
Current Landscape: Sector Regulation
Health information
> HIPAA
Financial information
> GLBA
> Credit card information
Personal information or PII
> Catch-all category
> Definition varies by sector and by jurisdiction
> Date of birth
Sensitive information
> SSN, driver's license number, bank account number, passport number

Technology
Most privacy laws on the books were written in the 1990s
Since then, the development of new technologies and their uses has exceeded the law's capacity to regulate
> Apps and social media
> Mobile and online payments
> User tracking
> Behavioral advertising
The email address is becoming the most important piece of personal information as technology develops
> Used as the account credential to log in
> Used for email marketing
Common Themes
Laws and regulation are not keeping pace with technological development
Technology is allowing rapid growth in the collection of personally identifiable information
> Direct marketing
> User tracking: advertising, mobile apps
> Social media and mobile apps
> Genetic information
> Biometrics (Facebook facial recognition)
Greater expectations regarding corporate standards and accountability for privacy and data protection
> Subcontractor/supplier duties
> Employee privacy rights
Self-regulatory standards
> NAI, DMA, DAA
> TRUSTe, BBB
Rising enforcement
Additional requirements for breach prevention and greater security
> MA security regulation
> Executive Order on Cybersecurity

Rapid Growth of Collection of Personally Identifiable Information
Direct marketing
User tracking
> Analytics: creation of profiles by amassing and merging large pools of data; rise of Big Data
> Advertising: user tracking across websites
> Mobile apps: universal device ID, location tracking
Maps/Google Street View
Social media
> Enables more data to be shared, collected, intercepted
Genetic information/biometric data
User Tracking
Tracking
> Behavioral advertising/targeted advertising
> Retargeting
> Use of location in mobile advertising and applications/universal device ID
> GPS tracking
Big Data
> Creation of profiles about individuals
> Lack of individual control
Anonymization and re-identification

Greater Expectations
Subcontractor/supplier duties
> SAS 70 replaced by a new standard, the US AICPA SSAE 16
Employee privacy rights
> Use of Social Security numbers as identifiers: CT, NY regulations on use of SSN
> Mobile device tracking/GPS tracking
> Company equipment usage monitoring; Bring Your Own Device
HIPAA/HITECH
> Final rule has been adopted and takes effect September 23, 2013
> Security and privacy requirements now extend to business associates
> "Compromise" standard replaces the "harm" standard for assessing breach risk
> 60 days to notify of a breach of PHI
> Increased penalties, mandatory HHS audits
Self-Regulatory Standards
Marketing organizations
> Network Advertising Initiative
> Direct Marketing Association
> Digital Advertising Alliance
Privacy certifications and seals
> TRUSTe
> Better Business Bureau
> Safe Harbor

Rising Enforcement
CA AG created a Privacy Enforcement and Protection Unit
CA and EU have published mobile app privacy guidelines
> Both require privacy disclosures before installation of an app
Greater fining authority for EU data protection authorities
> UK ICO levies its highest fine yet for the Sony PlayStation breach (£250,000)
> Google settles WiFi claims with 38 states for $7 million
MA automatically requests a copy of the Written Information Security Program upon report of a breach
Additional Requirements for Breach Prevention and Greater Security
Greater awareness of the underweb and hacking
> Phishing
> Account hacking
> Online banking and credit card transactions
Cybersecurity initiatives
> Executive Order on Cybersecurity
> MD cybersecurity commission
SEC disclosures on cybersecurity risks

Action Steps
Know who regulates your business
Know where data privacy is relevant to the organization
> Talk to the people who actually handle or manage data and understand how it is used
> Create a risk profile of the data
> Triage risk
Create/review policies
> Social media
> BYOD
> Written Information Security Program
Review/audit vendors
> HIPAA/HITECH business associate agreements
> Security requirements: MA security regulation compliance for personal information of MA residents; Payment Card Industry Data Security Standard (PCI DSS) compliance
Evaluate self-regulatory organizations and their value to the organization
If Nothing Else
Be transparent
Be clear
Honor requests
> Account deletion
> Opt-outs
Think ahead of the law

Questions and Discussion
Additional Resources
Organizations: International Association of Privacy Professionals, Digital Advertising Alliance, Network Advertising Initiative
Publications: BNA, Nymity Privaworks, DataGuidance
HIPAA Final Omnibus Rule: http://www.gpo.gov/fdsys/pkg/fr-2013-01-25/pdf/2013-01073.pdf
EU's Article 29 Working Party Opinion on Mobile Apps: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf
CA AG's recommendations on the mobile ecosystem: http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_the_go.pdf
AICPA's new SSAE 16 standard: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/sorhome.aspx
SEC guidance on cybersecurity disclosures: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
MA security regulation: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
Executive Order on Cybersecurity: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity