Data 101: The New World of Privacy & Security
Description: Arizona Technology Council presentation by Heather Buchta on October 15, 2014
Transcript
Chicago | Indianapolis | Madison | Milwaukee | Naples | Phoenix | Tampa | Tucson | Washington, D.C.
Data 101: The New World of Privacy and Security
Heather L. Buchta
Quarles & Brady LLP
Arizona Tech Council, Council Connect
October 15, 2014

It’s Monday Morning…
• You receive a new assignment…
• This “data thing” is your new priority.
• So, now what?

Background
• Terminology
  – Data Privacy
  – Data Security
  – Cybersecurity
  – Big Data
• Legal Framework
  – Sectoral
  – Comprehensive

A Bit of Historical Context…
• Not actually a new topic
  – Warren and Brandeis – 1890
  – Prosser – 1960
  – Fair Information Practices – 1973
  – OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data – 1980
  – Council of Europe Convention 108 (1981) and the resulting EU Data Protection Directive (1995)
  – APEC Privacy Framework – 2004
• But the speed of regulation has changed

And Our Disclaimer…
• Very broad topic
  – Health Care
  – Financial
  – Employer/Employee
  – Trade Secrets
  – Internet of Things
  – BYOD

So what do you do first?

(Slide image: Edvard Munch, The Scream) http://artchive.com/artchive/M/munch/scream.jpg.html

Why do we care?
• Legal Risk
  – Regulators
  – Class Actions
• Valuation Impact
  – Reputation
  – $$$$

Privacy Audit
• Privacy Assessment
• Components
  – Due Diligence
  – Ask Questions
  – Interview
  – Investigate

What are you looking for?
• What data is collected?
  – Passively or actively?
  – Online or offline?
  – Mobile apps?
• Which business unit collects it?
• How is it collected?
  – Purchases
  – Sweepstakes
• Where does it sit: in-house or offsite?

What are you looking for? (cont.)
• Third-party data host or company-leased co-location facility?
• How is the data used?
• Who is it shared with?
  – No one? Probably not
  – Affiliates?
  – Vendors?
  – Third parties?
  – Resellers?
  – Franchisors?

Understand Geographic Source of Data
• United States
• Canada
• Europe
• Australia
• Other jurisdictions?

Categorize Your Data
• Create data map
• Is it “sensitive”?
  – Personally identifiable (PII)
  – Kids
  – Financial (NPI)
  – Credit cards
  – Health (PHI)
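The data-map step above, as an added example that is not part of the presentation: a small Python classifier that walks constructed sample records, tags each field with the slide's categories (PII, financial NPI, card data, PHI), uses a Luhn check so that arbitrary 16-digit identifiers such as order numbers are not mistaken for card numbers, flags the system for COPPA review when any data subject is under 13, and masks card numbers in the output. The field-name hints, category labels, sample records and the reference date are assumptions chosen for illustration.

```python
"""Added example (not from the presentation): build a data map of one system's
records and flag which fields hold the sensitive categories named on the slide.

Field-name hints, category labels, sample records and the reference date are
assumptions made for this example."""
import re
from datetime import date

# Substring hints for categories a value alone does not reveal. Whether a
# "diagnosis_code" is HIPAA PHI depends on who holds it; it is flagged for review.
NAME_HINTS = {
    "PII": ("name", "email", "phone", "address", "dob", "birth", "ssn"),
    "NPI": ("account", "routing", "balance", "income"),
    "CARD": ("card",),
    "PHI": ("diagnosis", "prescription", "medical"),
}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def luhn_ok(digits):
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value):
    """13-19 digits (spaces/dashes allowed) that also pass Luhn: cuts false
    positives from order numbers and other long numeric identifiers."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(value):
    """Display masking for card data: only the last four digits remain."""
    digits = re.sub(r"[ -]", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def age_on(dob_iso, today):
    dob = date.fromisoformat(dob_iso)
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def classify_field(name, values):
    """Categories for one column: name hints plus content checks on every value."""
    cats = set()
    lname = name.lower()
    for cat, hints in NAME_HINTS.items():
        if any(h in lname for h in hints):
            cats.add(cat)
    for v in values:
        v = str(v)
        if looks_like_pan(v):
            cats.add("CARD")
        if SSN_RE.match(v) or EMAIL_RE.match(v):
            cats.add("PII")
    return sorted(cats)


def build_data_map(system, location, records, today):
    """One data-map entry: where the data sits, what each field contains, and
    whether any data subject is under 13 (COPPA review)."""
    fields = {name: classify_field(name, [r.get(name, "") for r in records])
              for name in records[0]}
    minors = sum(1 for r in records if r.get("dob") and age_on(r["dob"], today) < 13)
    return {
        "system": system,
        "location": location,
        "records": len(records),
        "fields": fields,
        "sensitive_fields": sorted(n for n, c in fields.items() if c),
        "coppa_review": minors > 0,
    }


# Constructed sample records (Visa/Mastercard test numbers; the order refs are
# 16 digits but fail Luhn, so they are not reported as card data).
SAMPLE_RECORDS = [
    {"full_name": "Ada Example", "email": "ada@example.com", "dob": "2005-06-01",
     "card_number": "4111 1111 1111 1111", "order_ref": "1234567890123456",
     "account_balance": "120.50", "diagnosis_code": "J06.9", "ssn": "123-45-6789"},
    {"full_name": "Ben Example", "email": "ben@example.com", "dob": "1990-02-15",
     "card_number": "5555 5555 5555 4444", "order_ref": "9876543210987654",
     "account_balance": "0.00", "diagnosis_code": "", "ssn": ""},
]
REFERENCE_DATE = date(2014, 10, 15)  # presentation date, so ages are deterministic


def example_data_map():
    return build_data_map("webstore", "third-party host", SAMPLE_RECORDS, REFERENCE_DATE)


if __name__ == "__main__":
    data_map = example_data_map()
    for field, cats in data_map["fields"].items():
        print(f"{field:16} {', '.join(cats) or '-'}")
    print("sensitive:", data_map["sensitive_fields"], "COPPA review:", data_map["coppa_review"])
    print("masked card:", mask_pan(SAMPLE_RECORDS[0]["card_number"]))
```

Run against a real system the classifier would take a sample of rows from each store the privacy audit located; the point of the Luhn check and the name hints together is that neither alone is reliable, and anything PHI-like still needs a human to decide whether HIPAA actually applies to the holder.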

Regulatory Review (U.S.)
• What applies to you and what is your risk/exposure profile?
• Cannot outsource obligations
• Personally Identifiable?
  – Definition varies
    • By state
      – ZIP code – the Michaels decision
      – IP address
    • By statute – COPPA

Regulatory Review (U.S.)
• Use of Personal Information – Federal
  – FTC
    • Section 5 of the FTC Act
    • Red Flags Rule
    • Telemarketing Sales Rule
  – COPPA – enforced by FTC
  – CAN-SPAM – enforced by FTC
  – TCPA – enforced by FCC
  – FERPA – enforced by U.S. Department of Education

Regulatory Review (U.S.)
• New Bills
  – Location Privacy Protection Act of 2014
    • S.2171, Sen. Franken, March 27, 2014
  – Personal Data Privacy and Security Act of 2014
    • S.1897, Sen. Leahy, January 8, 2014
  – Data Security Act of 2014
    • S.1927, Sen. Carper, January 15, 2014
  – Commercial Privacy Bill of Rights Act of 2014
    • S.2378, Sen. Menendez, May 21, 2014
• Other Initiatives
  – Do Not Track movement – CalOPPA
  – Big Data: Seizing Opportunities, Preserving Values, May 2014, Executive Office of the President

Regulatory Review (U.S.)
• State
  – Security breach notification statutes
  – Point-of-sale collection – the Michaels case
  – Security obligations – MA 201 CMR 17.00
  – State consumer protection laws
  – FERPA-like
  – HIPAA-like
  – ECPA-like

Regulatory Review (U.S.)
• California
  – CalOPPA, BPC 22575–22579
    • Now includes Do Not Track as of 1/1/14
  – Shine the Light, CA Civ. Code 1798.83
  – CalCOPPA, S.B. 568
  – SB 1 – California’s GLB

Regulatory Review (U.S.)
• Health Information
  – HIPAA/HITECH – enforced primarily by OCR of HHS
    • LabMD – overlapping with FTC
    • State attorneys general
  – Health Breach Notification Rule – enforced by FTC
  – GINA – enforced by EEOC

Regulatory Review (U.S.)
• Financial Information
  – GLB
    • Privacy Rule – FTC and CFPB
    • Safeguards Rule – FTC and CFPB
  – FCRA – FTC, CFPB and state attorneys general
  – FACTA – FTC, CFPB and banking regulators
    • Red Flags Rule – FTC

Regulatory Review (Int’l)
• EU
  – Directives – Data Protection Directive (personal information) and ePrivacy Directive (cookies)
  – DPAs (data protection authorities)
  – Works Councils
• Canada
  – PIPEDA
  – CASL
• Australia – Privacy Amendment Act 2012

Industry Review
• Credit Card Data
  – PCI DSS v3.0
  – Nevada NRS 603A.215
  – Minnesota Stat. 325E.64
• Online Tracking
  – Digital Advertising Alliance
  – OBA (online behavioral advertising) and retargeting
• NIST
  – Media Sanitization (SP 800-88)
  – Cybersecurity Framework
• NERC
• Contractual obligations and self-imposed obligations

Security Audit
• “systematic, measurable technical assessment of how the organization's security policy is employed at a specific site” (Symantec 2003)
• “appropriate” and “reasonable”
• What is involved?
  – Personal interviews
  – Vulnerability scans and penetration testing (distinct activities: a scan automatically enumerates known weaknesses; a pen test has a tester attempt to exploit them)
  – Examinations of operating system settings
  – Analyses of network shares and other data
• Go to the experts
  – Find the right vendor
  – Set parameters (scope, rules of engagement, which systems are in and out of bounds)
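The “examinations of operating system settings” item above, as an added example that is not part of the presentation: a Python baseline check of the kind an auditor applies to a service configuration, here an SSH server. It parses a constructed sshd_config, keeps the first occurrence of each directive (which is the one sshd actually applies, so a later “fix” lower in the file is silently ignored), and reports each directive that is missing or off-baseline with a severity. The sample file and the baseline values are constructed assumptions, not a published benchmark.

```python
"""Added example (not from the presentation): the kind of settings check a
security audit applies to an operating-system service, here an SSH server.

The sample sshd_config and the baseline are constructed assumptions, not a
published benchmark."""

# Constructed sample. The duplicated PermitRootLogin line is deliberate: sshd
# uses the first value obtained for a keyword, so the "no" on line 5 is ignored.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
MaxAuthTries 10
X11Forwarding no
"""

# Assumed baseline: directive -> (check, expected description, severity)
BASELINE = {
    "PermitRootLogin": (lambda v: v == "no", "no", "high"),
    "PasswordAuthentication": (lambda v: v == "no", "no", "high"),
    "MaxAuthTries": (lambda v: v.isdigit() and int(v) <= 4, "4 or fewer", "medium"),
    "X11Forwarding": (lambda v: v == "no", "no", "low"),
    "LogLevel": (lambda v: v.upper() in ("INFO", "VERBOSE"), "INFO or VERBOSE", "medium"),
}


def parse_sshd_config(text):
    """Map lower-cased directive -> (value, line number), keeping the FIRST
    occurrence because that is the one sshd applies."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key not in settings:
            settings[key] = (parts[1].strip(), lineno)
    return settings


def audit_sshd(text, baseline=BASELINE):
    """Return one finding per directive that is missing or off-baseline."""
    observed = parse_sshd_config(text)
    findings = []
    for directive, (check, expected, severity) in baseline.items():
        hit = observed.get(directive.lower())
        if hit is None:
            findings.append({"directive": directive, "observed": None, "line": None,
                             "expected": expected, "severity": "info",
                             "note": "not set; compiled-in default applies, set it explicitly"})
        elif not check(hit[0]):
            findings.append({"directive": directive, "observed": hit[0], "line": hit[1],
                             "expected": expected, "severity": severity,
                             "note": "off baseline"})
    return findings


def findings_by_severity(findings, severity):
    """Directive names at one severity, sorted for stable reporting."""
    return sorted(f["directive"] for f in findings if f["severity"] == severity)


if __name__ == "__main__":
    for f in audit_sshd(SAMPLE_SSHD_CONFIG):
        where = f"line {f['line']}" if f["line"] else "missing"
        print(f"[{f['severity']:6}] {f['directive']}: observed {f['observed']!r} ({where}), "
              f"expected {f['expected']}; {f['note']}")
```

The same pattern (parse what the system will actually apply, compare against an agreed baseline, attach a severity and a line reference) is what a vendor's scan tooling does at scale; the value of writing one by hand is knowing why the first-occurrence rule matters when someone reports a setting as “already fixed”.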

When, Not If
• WISP (written information security program)
• Consider insurance options
• Identify key team members
  – Key executives
  – Compliance – CISO?
  – Legal
  – Marketing/HR
  – PR
  – IT/Forensics
  – Incident response vendor?
• Incident Response Plan
• Tabletop exercises

Next Steps
• Internal Privacy Program
  – Education
  – Sensitization
• Data Retention Schedule
• Regularly review
Heather L. Buchta
Quarles & Brady LLP
(602) 229-5228
©2014 Quarles & Brady LLP. This document provides information of a general nature. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations or issues. Additional facts and information or future developments may affect the subjects addressed in this document. You should consult with a lawyer about your particular circumstances before acting on any of this information because it may not be applicable to you or your situation.