Data Security and Privacy Landscape 2012 (September 2012)
1. Copyright 2012 Bryan Cave
September 20, 2012
Jason D. Haislmaier
jason.haislmaier@bryancave.com
@haislmaier
Changes in the Data Security andChanges in the Data Security and
Privacy Landscape - 2012Privacy Landscape - 2012
7. Copyright 2012 Bryan Cave
No specific comprehensive
data privacy or security legislation
(in the US)
8. Copyright 2012 Bryan Cave
• EU Data Protection Directive (95/46/EC)
• Regulates the processing of personal data of EU subjects
– Broad scope of “personal data”
– Restricts processing unless stated conditions are met
– Prohibits transfer to countries not offering adequate levels of protection
• US Department of Commerce-negotiated “Safe Harbor Principles” enable
transfers to US companies
– Self-certification regime
– Allows US companies to register as compliant
– FTC oversight
• Proposed overhaul in the works (announced Jan. 25, 2012)
Longstanding EU Regulations
Legal Landscape
9. Copyright 2012 Bryan Cave
• State consumer protection statutes
– All 50 states
– Prohibitions on “unfair or deceptive” trade practices
• Data breach notification statutes
– At least 46 states (DC and various US territories)
– Notification of state residents (and perhaps regulators) affected by unauthorized
access to sensitive personal information
• Data safeguards statutes
– (Significant) minority of states
– Safeguards to secure consumer information from unauthorized access
• Data privacy statutes
– Requirements for online privacy policies covering use and sharing of consumer
information
– Requirements on use of personal information for direct marketing purposes
Growing Array of Relevant State Laws
Legal Landscape
10. Copyright 2012 Bryan Cave
• Consumer credit - Fair Credit Reporting Act (FCRA)
• Financial services - Gramm Leach Bliley Act (GLBA)
• Healthcare providers - Health Insurance Portability and Accountability Act
(HIPAA)
• Children (under 13) - Children’s Online Privacy Protection Act (COPPA)
• Video content - Video Privacy Protection Act
• Others statutes covering education, payment processing, etc.
Industry-specific Federal Statutes
Legal Landscape
12. Copyright 2012 Bryan Cave
Federal Trade Commission Act (FTCA)
(15 U.S.C. 41, et seq)
Legal Landscape
13. Copyright 2012 Bryan Cave
“Unfair or deceptive acts or practices”
Legal Landscape
14. Copyright 2012 Bryan Cave
• No specific privacy or security requirements
– Broad prohibition on “unfair or deceptive acts or practices in or affecting
commerce” (Section 5)
• Failures to implement “reasonable and appropriate” data security measures
• Deceptive data privacy policies and promises
– Constituting unfair or deceptive acts or practices
• Increasingly active enforcement
– More than 39 actions to date
• 25 in the last 6 years
• Many more investigated but not brought
– Covering largely electronically stored data and information
– Targeting security breaches as well as privacy violations
Federal Trade Commission Act (FTCA)
Legal Landscape
16. Copyright 2012 Bryan Cave
• 20 year term
• Cease misrepresentations regarding practices for information security,
privacy, confidentiality, and integrity
• Conduct assessment of reasonably-foreseeable, material security risks
• Establish comprehensive written information security and privacy program
• Designate employee(s) to coordinate and be accountable for the program
• Implement employee training
• Conduct biannual independent third party audits to assess security and
privacy practices
• Implement multiple record-keeping requirements
• Implement regular testing, monitoring, and assessment
• Undergo periodic reporting and compliance requirements
• Impose requirements on service providers
Emerging Model for Settlement and Compliance
Compliance
18. Copyright 2012 Bryan Cave
Jon Leibowitz
Chairman of the FTC
Speaking on the settlement
“Facebook is obligated to keep the promises
about privacy that it makes to its hundreds
of millions of users.”
Compliance
19. Copyright 2012 Bryan Cave
Jon Leibowitz
Chairman of the FTC
Speaking on the settlement
“Innovation does not have to come at the
expense of consumer privacy.”
Compliance
20. Copyright 2012 Bryan Cave
Speaking on the settlement
“We've made a bunch of mistakes.”
Mark Zuckerberg
CEO of Facebook
Compliance
25. Copyright 2012 Bryan Cave
• States have defined “sensitive information” to include SSN, drivers license
number, and financial account information
• FTC has broadened this definition to include
– Health information
– Information regarding children
– Geo-location information
• Trend is toward more activity in these areas
• Practical considerations
– Know when/where you collect sensitive information
– Consider seeking consent when using sensitive data for marketing purposes
– Ensure that WISPs appropriately protect sensitive information
• Note that these categories of sensitive information may not trigger a data
breach notification requirement under state laws
Sensitive Information
Compliance
27. Copyright 2012 Bryan Cave
• The “Safeguards Rule” under GLBA requires implementation of “written
information security plans” (WISPs)
– Describing the company’s program to protect customer information
– Appropriate to the company, nature and scope activities, and level of sensitivity
of information
• FTC consent orders now generally impose similar requirements
– Implementation comprehensive information security program
– Fully documented in writing
– Reasonably designed to protect the security and privacy of covered information
– Containing controls and procedures appropriate to the
• Size and complexity of the business
• Nature and scope of activities
• Sensitivity of the covered information
• Mass. state regs. also now require written information security policies for
companies handling personal information about Mass. residents
WISPs
Compliance
29. Copyright 2012 Bryan Cave
U.S. v. RockYou, Inc.
(N.D. Cal. Mar. 26, 2012)
Compliance
30. Copyright 2012 Bryan Cave
• RockYou is an online social gaming service
• Created an application for social networking sites allowing users to upload
photos and music to create a slide show
• When users registered for the app they were asked to provide email
address and password – app also collected birth date, gender, etc.
• RockYou represented that it used “commercially reasonable” security
measures
• All information actually stored only in plaint text (unencrypted)
• RockYou was hacked in December 2009
• 32 million accounts affected, including information about 179,000 children
• FTC settled for $250,000 and 20 year injunction that imposes standard
requirements (biannual third party risk assessments, etc.)
U.S. v. RockYou
Compliance
31. Copyright 2012 Bryan Cave
In the Matter of UPromise, Inc.
(FTC File No. 102 3116, Jan. 5, 2012)
Compliance
32. Copyright 2012 Bryan Cave
• UPromise is a membership reward service for saving for college
• Provided toolbar application purporting to track user online activity and
“provide college savings opportunities tailored to you”
• App collected not only the web sites visited but information entered on
some web pages
• Information included user names, passwords, credit cards and expiration
dates, financial account information, SSNs, etc.
• All of this information was transmitted to UPromise unencrypted, despite
statements that information was “automatically” encrypted
• Over 150,000 consumers participated
• FTC settled for 20 year consent decree requiring standard requirements
(biannual third party risk assessments, etc.)
In the Matter of UPromise
Compliance
33. Copyright 2012 Bryan Cave
• RockYou and UPromise settlements provide guidance on what is
not reasonable or appropriate
– Collecting PII from consumers unnecessarily
– Failing to test applications to ensure they are not collecting PII
– Not training employees about security risks
– Transmitting or storing sensitive information in unencrypted form
– Failing to segment servers
– Leaving systems susceptible to hacking (e.g., SQL injection attacks)
– Failing to ensure that service providers or third-party developers employ
reasonable and appropriate security
• Other settlements add additional considerations
• Practical Considerations
– Draft WISPs to prohibit these practices
– Review for these practices in audits and risk assessments
Reasonable and Appropriate Security
Compliance
35. Copyright 2012 Bryan Cave
• FTC settlements require contractual restrictions on third party
service providers
Requirements for Service Providers
In the Matter of Google, Inc. (FTC File No. 102-3136, March 30, 2011)
Compliance
36. Copyright 2012 Bryan Cave
• FTC settlements require contractual restrictions on third party
service providers
• Parallel newly effective Mass. regulation (201 CMR 17.03)
– Requiring companies providing service providers with personal information
about Mass. residents to contractually require the providers to “implement and
maintain . . . appropriate security measures”
– Went into full effect on March 1, 2012
• Practical implications
– Maintain a WISP with applicable policies
• Storage, access, and transportation of information
• Employees and downstream service providers
• Disciplinary measures for violations
– Conduct risk assessments, employee training, and security reviews
– Investigate incidents and document follow-up action
Requirements for Service Providers
Compliance
40. Copyright 2012 Bryan Cave
• Based on a yearlong series of privacy roundtables held by the FTC
• Extensive comment period (more than 450 comments received)
• Provides best practices for the protection of consumer privacy
• Applicable to both traditional (offline) and online businesses
• Intended to assist Congress as it considers privacy legislation
• Not intended to serve as a template for law enforcement actions
(but what about plaintiffs attorneys?)
Background
FTC Report
41. Copyright 2012 Bryan Cave
Privacy Framework
FTC Report
• Proposed framework is based on several core concepts
– Simplified consumer choice
42. Copyright 2012 Bryan Cave
FTC Report
• Proposed framework is based on several core concepts
– Simplified consumer choice
– Transparency
Privacy Framework
43. Copyright 2012 Bryan Cave
• Proposed framework is based on several core concepts
– Simplified consumer choice
– Transparency
– Privacy by design
Privacy Framework
FTC Report
44. Copyright 2012 Bryan Cave
• Continued expansion of “personal information”
• Codification of the definitions used in FTC settlements
• Shades of the definition in the EU Data Protection Directive
• Blurring of the line between PII and non-PII
• When is information not PII?
Scope of Personal Information
FTC Report
45. Copyright 2012 Bryan Cave
• Data is not PII if it is not reasonably linkable to a specific consumer,
computer or other device
• Breaking the link
– Take reasonable measures to ensure that data is de-identified
– Publicly commit to not try to re-identify
– Contractually prohibit downstream recipients from trying to re-identify
– Take measures to silo de-identified data from PII
• Cannot remove concerns by simply envisioning the sharing of only
“de-identified” or anonymous data
• Must actually follow FTC guidance
– Prohibitions in privacy policies against re-identification
– Provisions in vendor contracts regarding re-identification
– Systems designed to silo off de-identified data
De-Identification of Personal Information
FTC Report
46. Copyright 2012 Bryan Cave
• Historically, divergent privacy policies and practices regarding information
sharing with corporate affiliates and subsidiaries
• FTC Report views affiliates as “third parties” unless the affiliate
relationship is “clear to consumers”
• Common branding is cited as sufficient to make a relationship clear
• Uncertainty remains
• Practical implications
– Disclose affiliate sharing in privacy policy
– Consider opt-in for sharing sensitive information with affiliates
– Opt-out for non-sensitive information
Requirements for Affiliates and Subsidiaries
FTC Report
49. Copyright 2012 Bryan Cave
• Combined effort of the White House, Department of Commerce, and
the FTC
• Provides a framework for consumer privacy protections
• Establishes 7 principles covering personal data
– Transparency - Easily understandable policies and practices
– Respect for Context - Collection and use consistent with context
– Security - Secure and responsible handling
– Access and Accuracy – Ability to access and correct
– Focused Collection - Reasonable limits on collection and retention
– Accountability - Appropriate measures to ensure compliance
• Similarities to the principles adopted by economic organizations in Europe
and Asia as well
Consumer Privacy Bill of Rights
White House Privacy Framework
50. Copyright 2012 Bryan Cave
• Industry codes of conduct
– Voluntary privacy and security “codes of conduct”
– Commerce Department National Telecommunications and Information
Administration (NTIA) to facilitate creation in “select” industries
– Other federal agencies may also convene industry stakeholders
– Industries can also convene stakeholders absent NTIA
• Encourages inclusive and transparent process
• Enforcement authority
– FTC to enforce codes of conduct
– Violation constitutes a deceptive practice under Section 5 of the FTC Act
– Adherence to codes to be looked upon “favorably” in FTC investigations
• No immediate changes, but. . .
Consumer Privacy Bill of Rights
White House Privacy Framework
51. Copyright 2012 Bryan Cave
Legislative Proposals
White House Privacy Framework
• Provide FTC with direct authority to enforce some variant of the Consumer
Privacy Bill of Rights
– Potentially significant increase in FTC enforcement authority
– Misrepresentations or unfair practices would no longer be required
• Provide FTC with rulemaking authority to design a system for review and
approval of codes of conduct
– Review period (180 days)
– Open public comments
– Approve or reject
• Companies encouraged to create and comply with codes of conduct
– Obtain greater clarity concerning the rules to which they will be held
– Safe harbor status for compliance with an approved code
55. Copyright 2012 Bryan Cave
• FTC report on Children’s Mobile App’s and Privacy (Feb. 16, 2012)
– Large number of apps (75%) targeted at children (under 13)
– Apps did not provide good privacy disclosures
– Will conduct additional COPPA compliance reviews over the next 6 months
• FCRA Warning letters (Feb. 2012)
– FTC sent letters to marketers of 6 mobile apps
– Warned that apps may violate Fair Credit Reporting Act (FCRA)
– If apps provide a consumer report, must comply with FCRA requirements
• FTC Dot Com Disclosures Workshop (May 30, 2012)
– New guidance for advertisers on disclosures in the online and mobile
environment
– Focus on advancements and developments since the FTC issued its “Dot Com
Disclosures” guidelines for online advertising disclosure (released in 2000)
– Emphasis on the notion that consumer protection laws apply equally to online
and mobile marketers
Additional Activity
Mobile Applications
57. Copyright 2012 Bryan Cave
• Released September 5, 2012
• Reiterates that the mobile market is not different from the Internet
• General “guidelines” or “principles” for mobile app developers
– Tell the Truth About What Your App Can Do
– Disclose Key Information Clearly and Conspicuously
– Build Privacy Considerations in From the Start
– Offer Choices that are Easy to Find and Easy to Use
– Honor Your Privacy Promises
– Protect Kids’ Privacy
– Collect Sensitive Information Only with Consent
– Keep User Data Secure
• Acknowledges there can be no “one-size-fits-all” approach
• But also states that the laws apply to all companies
FTC Guide To Marketing Mobile Apps
Mobile Applications
58. Copyright 2012 Bryan Cave
• Expect more activity – discussion and enforcement
• Particularly involving mobile apps directed at children
• Review existing mobile applications for legal compliance
Additional Activity
Mobile Applications
65. Copyright 2012 Bryan Cave
• Increasing value means increasing scrutiny
• Enforcement will continue (and may increase)
– Actual security breaches are not required (nor dispositive)
– Focus is on reasonable and appropriate measures
– Companies held to privacy-related promises
– Scope of personal information is growing
• Enforcement actions are influencing and defining industry expectations
(consumer expectations too?)
• Premium on increased transparency into data practices
• Your enforcement issue may not come from the FTC, but from a
potential customer, financing source, or acquirer
Lessons Learned
Conclusion
66. Copyright 2012 Bryan Cave
• Institute procedures to secure sensitive information
• Implement “privacy by design” concepts
• Know your data, particularly sensitive data
• Minimize the data collected
– Collect only as needed
– Hold only as long as needed
• Map data collection, usage, and sharing
• Prepare and adopt a written information security plan (WISP)
– Address known risks
– Prepare for a breach
• Educate employees regarding the WISP
• Manage vendors and contractors
– Contractual provisions covering data transfer
– Compliance monitoring
Best Practices
Conclusion
67. Thank You.Thank You.
Jason Haislmaier
jason.haislmaier@bryancave.com
@haislmaier
http://www.linkedin.com/in/haislmaier