Privacy and Information Security
Lisa J. Sotto, Partner
Hunton & Williams LLP, (212) 309-1223
April 7, 2006
Our Firm
• Founded in 1901, Hunton & Williams is one of the nation’s leading law firms with over 850 attorneys in 16 offices, serving clients in over 100 countries
• 21 privacy professionals in the U.S., EU and Asia
• Our privacy clients include:
  - Kraft Foods
  - Visa
  - General Dynamics
  - British Telecom
  - Holtzbrinck Publishers
  - Google
  - Kodak
  - TJX
  - Estee Lauder
  - IKEA
  - Pitney Bowes
  - Computer Associates
• The Center for Information Policy Leadership at Hunton & Williams
What is Privacy?
• Privacy is the appropriate use of information as defined by:
  - Law
  - Consumer expectations
• Security is the protection of information:
  - Confidentiality (protection against unauthorized access to data)
  - Data integrity
Four Privacy Risks
• Legal compliance
• Reputation
• Investment
• Reticence
U.S. Privacy Laws
• Major federal laws are:
  - GLB: Financial institutions
  - HIPAA: Health care entities
  - FCRA/FACTA: Consumer reporting agencies
  - FTC Disposal Rule
  - DPPA: DMV records
  - CAN-SPAM: Commercial e-mail
  - COPPA: Children’s data
  - Do-Not-Call Registry: Telemarketing
  - FTC Act Section 5: Prohibits unfair or deceptive trade practices
  - Privacy Act of 1974
California
• Disclosures to Direct Marketers Law (SB 27)
• California Online Privacy Protection Act
• Security of Personal Information (AB 1950)
• California Computer Security Breach Act (SB 1386)
Information Security
• 2005 was the year of the security breach
• In 2005/2006, 141 information security breaches so far, including:
  - ChoicePoint
  - DSW
  - Bank of America
  - CardSystems
  - Lexis Nexis
  - Boston Globe
• Over 53 million potentially affected
• 22 additional state security breach notification laws
• Numerous federal bills
Recent FTC Enforcement Actions
• Most FTC privacy enforcement actions result from security breaches
• CardSystems
• ChoicePoint
• DSW
• BJ’s Wholesale Club
• Petco
• Tower Records
• Barnes & Noble.com
• Guess.com, Inc.
Data Protection Laws Around the World
• USA, Canada, Mexico, Australia, Europe, Japan, Argentina, Brazil
The EU Directive
• Enacted in 1995; each country has its own national data protection law, and the Directive sets the floor
• Requires entities to notify authorities or register before processing personal data
• Prohibits transfer of personal data to non-EU jurisdictions unless an “adequate level of protection” is guaranteed
• U.S. is not “adequate”
• Data transfer is permitted:
  - To “adequate” countries (e.g., Switzerland, Canada)
  - Within the safe harbor framework (from EU to U.S. only)
  - Where a contract ensures adequate protection
  - With “unambiguous consent” of the data subject
  - BCRs
PIPEDA
• The Personal Information Protection and Electronic Documents Act (effective January 1, 2004)
• Establishes rules for the management of personal information by organizations involved in commercial activities
• Applies to the collection, use and disclosure of personal information by organizations during commercial activities
• Personal information is any information about an identifiable individual, whether recorded or not
• Requirements:
  - Identify purposes of data collection
  - Obtain consent and limit use to identified purposes
  - Limit collection to necessary information
  - Limit use, disclosure and retention
  - Individual access
Latin America
• Argentina has an “adequate” comprehensive law, and now an active DPA
• Several nations have draft data protection laws
• Other nations codify privacy in consumer protection laws
• Many Latin American nations implement data protection concepts through habeas data rights
• Habeas data rights are found in many national constitutions
Japan
• Personal Information Protection Act
• Enacted in 2003, fully effective April 1, 2005
• “Personal information” is any information that identifies an individual “data subject” contained in a personal information database (online or offline)
• Applies to each “entity using a personal information database”
• “Third party” does not include data processors but does include affiliates
• Civil and criminal penalties for violations
• Guidelines have been published by various Ministries
APEC
• Created an information privacy framework with 9 privacy principles:
  - Preventing harm
  - Notice
  - Collection limitation
  - Uses of personal information
  - Choice
  - Integrity
  - Security
  - Access and correction
  - Accountability
• Endorsed by 21 member economies in November 2004
• Consistent with OECD Guidelines
Final Thoughts
• Information security is the topic du jour
• Expect new US privacy legislation
• New level of professionalism of EU DPAs
• There is significant activity globally to enact new data protection laws
• There will be a focus on data protection harmonization in coming years
Questions?
Lisa J. Sotto
Partner; Head, Privacy and Information Management Practice
Hunton & Williams LLP
(212) [email protected]