2020-09_CIPP-US Data Privacy Textbook Outline.pdf
Introduction to Privacy

Defining Privacy
Def: The desire of people to freely choose the circumstances and the degree to which individuals will expose their attitudes and behavior to others.

Types of Privacy
1. Information privacy is concerned with establishing rules that govern the collection and handling of personal information. Examples include financial information, medical information, government records and records of a person’s activities on the Internet.
2. Bodily privacy is focused on a person’s physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing or body cavity searches. It also encompasses issues such as birth control, abortion and adoption.
3. Territorial privacy is concerned with placing limits on the ability to intrude into another individual’s environment. “Environment” is not limited to the home; it may be defined as the workplace or public space. Invasion into an individual’s territorial privacy typically takes the form of monitoring such as video surveillance, ID checks, and use of similar technology and procedures.
4. Communications privacy encompasses protection of the means of correspondence, including postal mail, telephone conversations, email, and other forms of communicative behavior and apparatus.

Q: Which of the following is an industry standard formula for assessing risk?
A. Risk = Threat x Vulnerability x Expected Loss
B. Risk = Control / Threat x Vulnerability
C. Risk = Threat + Vulnerability – Expected Loss
D. Risk = Threat x Vulnerability / Control
ANSWER: A. As indicated by the correct formula, the risk associated with an organization’s information technology is directly related to three parameters: (1) threats, (2) vulnerabilities, and (3) expected loss. Threats are any circumstances that may cause an undesirable event, such as a data breach. Vulnerabilities are weaknesses in an organization’s information systems, policies, or procedures. When a threat exploits some vulnerability, a security event that causes risk occurs. The amount of the risk for a particular security event is equal to the probability of the event occurring times the expected loss associated with the event. Answers B – D provide incorrect formulations of risk.

Administrative Procedure Act
Act that lays out the basic rules for agency enforcement actions.

Fair Information Practices
● Guidelines for handling, storing and managing data with privacy, security and fairness in a rapidly-evolving information society.
● Dates back to FIPs in a 1973 report by the US Dept. of Health, Education and Welfare Advisory Committee on Automated Systems.
There are 4 categories of principles involved:
1. Rights of Individuals
   ● Notice. Organizations should provide notice about their privacy policies and procedures and should identify the purpose for which personal information is collected, used, retained and disclosed.
   ● Choice and consent. Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information. Consent is often considered especially important for disclosures of personal information to other data controllers.
   ● Data subject access. Organizations should provide individuals with access to their personal information for review and update.
2. Controls on the Information
   ● Information security. Organizations should use reasonable administrative, technical and physical safeguards to protect personal information against unauthorized access, use, disclosure, modification and destruction.
   ● Information quality. Organizations should maintain accurate, complete and relevant personal information for the purposes identified in the notice.
3. Information Lifecycle
   ● Collection. Organizations should collect personal information only for the purposes identified in the notice.
   ● Use and retention. Organizations should limit the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. Organizations should also retain personal information for only as long as necessary to fulfill the stated purpose.
   ● Disclosure. Organizations should disclose personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
4. Management
   ● Management and administration. Organizations should define, document, communicate and assign accountability for their privacy policies and procedures.
   ● Monitoring and enforcement. Organizations should monitor compliance with their privacy policies and procedures and have procedures to address privacy-related complaints and disputes.

OECD Guidelines (1980)
Originally included the US and European countries. Expanded in a published set of privacy principles, “Guidelines Governing Protection of Privacy and Transborder Flows of Personal Data.” Last updated in 2013; the most recognized framework for FIPs. Endorsed by the FTC.
Principles:
1. Collection Limitation Principle. There should be limits to collecting personal data; data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete and kept up-to-date.
3. Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection; subsequent use should be limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified whenever the purpose is changed.
4. Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except: (a) with the consent of the data subject or (b) by the authority of law.
5. Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against risks like loss or unauthorized access, destruction, use, modification, or disclosure of data.
6. Openness Principle. There should be a general policy of openness about developments, practices, and policies with respect to personal data; readily available means to establish the existence and nature of personal data, and the main purposes of their use; and the identity and usual residence of the data controller.
7. Individual Participation Principle. An individual should have the right to:
   o confirm whether or not the data controller has data relating to him;
   o have communicated to him data relating to him, within a reasonable time and at his cost, in a reasonable manner and in a form that is readily intelligible to him;
   o if the above is denied, be given the reasons for the denial and be able to challenge the denial;
   o challenge the data relating to him and, if the challenge is successful, have the data erased, rectified, completed or amended.
8. Accountability Principle. A data controller should be accountable for complying with the above measures and principles.

APEC Privacy Framework (2004)
Non-binding agreement between Pacific coast members in Asia and the Americas. Contains nine (9) information privacy principles that generally mirror the OECD Guidelines, but are more explicit about exceptions.
1. Preventing Harm (purpose): recognizing the individual’s legitimate expectations of privacy, protection should be designed to prevent the misuse of personal information; remedial measures should be proportionate to the likelihood and severity of the harm posed by such collection.
2. Notice: controllers should be able to provide clear and easily accessible statements about their practices and policies at the time of collection or as soon after as is practicable; no notice is required where the information is publicly available.
3. Collection Limitation: collection should be limited to the relevant purposes of collection and carried out through lawful and fair means.
4. Uses of Personal Info: only to fulfill the purpose of the collection, except where consent is provided, where necessary to provide a service or product requested by the individual, or by authority of law.
5. Choice: mechanisms to exercise choice regarding collection, use and disclosure.
6. Integrity of Personal Info: info should be accurate, complete and kept up to date to the extent necessary for the purposes of its use.
7. Security Safeguards: should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the info, and the context in which it is held; and should be subject to periodic review and reassessment.
8. Access and Correction: the individual should have access to the collected information, be able to challenge its accuracy, and have the data corrected, EXCEPT where the burden or expense is unreasonable or disproportionate to the risks to the individual’s privacy; where the information should not be disclosed for legal or security reasons; or where the privacy of other persons would be violated.
9. Accountability: the personal information controller should be accountable for complying with these principles.

Types of Information

Personal Information
● In the United States, the terms “personal information” and “personally identifiable information” (PII) are generally used to define the information that is covered by privacy laws. These definitions include information that makes it possible to identify an individual.
● Applies to both electronic and paper records.
● “Sensitive personal information” is a subset of PII which requires additional security and privacy safeguards for its collection (e.g., driver’s license, SSN).

Non-Personal Information
● If the data elements used to identify the individual are removed, the remaining data becomes non-personal information, and privacy and data protection laws generally do not apply. Similar terms used include de-identified or anonymized information.

Sources of Public Information
● Public records consist of information collected and maintained by a government entity and available to the public. These government entities include the national, state or provincial, and local governments. Public records laws vary considerably across jurisdictions. For instance, real estate records in some jurisdictions contain detailed information about ownership, assessed value, amount paid for the parcel, taxes imposed on the parcel, and improvements. Making this information public has certain advantages, such as enabling a person who owns real estate to determine if the taxes assessed are fair relative to other parcels in the area. Other jurisdictions, by contrast, do not release such information, considering it to be private.
● Publicly available information is information that is generally available to a wide range of persons. Some traditional examples are names and addresses in telephone books and information published in newspapers or other public media. Today, search engines are a major source of publicly available information.
● Nonpublic information is not generally available or easily accessed due to law or custom. Examples of this type of data are medical records, financial information and adoption records. A company’s customer or employee database usually contains nonpublic information.
Processing Personal Information
● The term processing refers to:
   o Collecting, recording, organizing, storing, updating or modifying, retrieving, consulting and using personal information.
   o Disclosing by transmitting, disseminating or making available in any other form, linking, alignment or combination, blocking, erasing, or destroying personal information.

Subjects Involved in Personal Info Processing
● Data subject is the individual about whom information is being processed, such as the patient at a medical facility, the employee of a company or the customer of a retail store.
● Data controller is an organization that has the authority to decide how and why personal information is to be processed. This entity is the focus of most obligations under privacy and data protection laws: it controls the use of personal information by determining the purposes for its use and the manner in which the information will be processed. The data controller may be an individual or an organization that is legally treated as an individual, such as a corporation or partnership.
● Data processor / Business Associate (under HIPAA) / Service Provider (under Gramm-Leach-Bliley) is an individual or organization, often a third-party outsourcing service, that stores, acts on, or processes data on behalf of the data controller. Data processors are not authorized to do additional data processing outside the scope of what is permitted for the data controller itself.
   o Under the Health Insurance Portability and Accountability Act (HIPAA) medical privacy rule, these data processors are called “business associates.”
Q: The role of a US-based software-as-a-service provider that stores employee personal data for a global company headquartered in the US with subsidiaries in the EU is that of a DATA PROCESSOR.

Sources of Privacy Protection
1. Markets: Consumers express concerns about their privacy, and companies respond.
2. Technology: Encryption.
3. Law: enacting laws does not necessarily result in better privacy and security; laws may not be well drafted or enforced.
4. Self-regulation and Co-Regulation: complements to law that comes from the government; can refer to legislation, enforcement and adjudication.
   a. Legislation: who defines privacy rules; for self-regulation, this is usually a company’s privacy policy.
   b. Enforcement: who should initiate enforcement actions; could be the affected individual.
   c. Adjudication: who should decide whether an organization has violated a privacy rule; can be an industry association, government agency or a judicial officer.
   A privacy professional determines who defines the requirements, which organization brings enforcement action, and who makes the judicial decisions.

World Models of Data Protection

Comprehensive vs. Sectoral Models
1. Comprehensive Model (e.g., EU): a country enacts a law that governs the collection, use and dissemination of personal info in the public and private sectors.
   a. Usually an official or agency is responsible for overseeing enforcement (e.g., in Europe, the Data Protection Authority (DPA)).
   b. Data protection officials are granted varying degrees of enforcement power from country to country.
   c. Reasons to adopt a Comprehensive Model:
      i. Remedy past injustices
      ii. Ensure consistency with European privacy laws
      iii. Promote electronic commerce
   d. Reasons against adopting a Comprehensive Model:
      i. One-size-fits-all rules may not address risk well
      ii. Cost of regulation can outweigh benefits
      iii. Insufficient opportunity for data processing innovation; comprehensive laws may discourage the emergence of new services involving PII or require prior approval from regulators
2. Sectoral Model (e.g., US)
   a. Laws address a particular industry sector, which may provide more specific protection for data particular to that segment.
   b. Reasons against adopting a Sectoral Model:
      i. Legislation lags technological change, so new laws are needed to fill the gaps (e.g., the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 introduced a breach notification requirement for vendors of personal health records, which were not “covered entities” under HIPAA)
      ii. Unregulated segments may face privacy threats with no legislative guidance
      iii. Overlaps can exist; previously separate industries can converge, resulting in conflicts
3. Co-Regulatory and Self-Regulatory Models
   a. Co-Regulatory: industry development of enforceable codes or standards of privacy against a backdrop of legal requirements by the government (e.g., the Children’s Online Privacy Protection Act (COPPA), which allows that code compliance is sufficient for statute compliance once the codes have been approved by the FTC).
   b. Self-Regulatory: creation of codes protecting PI by a company, industry or independent body (e.g., the Payment Card Industry Data Security Standard (PCI-DSS), which enhances cardholder data security).
      i. Seal Programs: a type of Self-Regulatory model that requires participants to abide by codes of info practices and submit to some variation of monitoring to ensure compliance. Companies that abide by the terms of the seal program are allowed to display the program’s privacy seal on their website (e.g., for COPPA the FTC recognizes Aristotle International Inc., the Children’s Advertising Review Unit (CARU), the Entertainment Software Rating Board (ESRB), kidSAFE, iKeepSafe, PRIVO and TrustArc).
      ii. Critics of Self-Regulatory models raise concerns about adequacy and enforcement; industry-developed codes can provide limited data protection and may not incorporate the interests of the consumer or other stakeholders who are not part of the industry.
   c. Technology-based model: using technical means to reduce administrative measures for overall privacy protection (e.g., Google and Microsoft increasing email encryption between sender and recipient).
US Legal Framework

Branches of the Government
● Legislative (Congress): Makes laws
● Judicial (Federal Courts): Interprets laws
● Executive (President, VP, Cabinet, Federal Agencies (e.g., FTC)): Enforces laws
   o E.g., the FTC has statutory responsibility for issues such as children’s privacy online and commercial email marketing.

Sources of Law in the United States
● Constitution: The Constitution doesn’t contain the word “privacy,” but parts of the Constitution directly affect privacy (e.g., the 4th Amendment).
   o Includes a “penumbra” of unenumerated constitutional rights arising from constitutional provisions.
   o State constitutions may create stronger rights than those in the US Constitution.
● Legislation: where federal law does not prevent it, states have power to make law (10th Amendment).
● Regulations and Rules: regulatory agencies (FTC, FCC) issue regulations and rules (e.g., CAN-SPAM provides the FTC and FCC with authority to issue regulations on how opt-out provisions are managed).
● Case Law: final decisions made by judges in court cases.
   o Common Law: created by legal precedent and social customs.
● Consent Decree: judgment entered by consent of the parties whereby the defendant agrees to stop alleged illegal activity, usually without admitting guilt or wrongdoing.
● Contract law: a binding agreement enforceable in a court of law.
   o Provisions may include data usage, data security, breach notification, jurisdiction and damages.
● Tort Law: civil wrongs recognized by law as grounds for lawsuits; can be intentional, negligent, or strict liability.

Key Definitions
i. Person: An entity with legal rights, including an individual or a corporation.
ii. Jurisdiction: The authority of a court or a government agency to hear a particular case.
iii. General vs. Specific Authority:
   a. General Authority: blanket authority to regulate a field of activity.
   b. Specific Authority: targeted at singular activities outlined by legislation.
iv. Preemption: A superior government’s ability to have its laws supersede those of an inferior government. E.g., federal law preempts state laws that might impose greater obligations.
v. Private Right of Action: right of an individual harmed by a violation of law to file a lawsuit against the violator.
vi. Notice: A description of an organization’s information management practices. Typically an external communication issued to consumers, customers and users.
   a. Purposes include:
      i. Consumer Education
      ii. Corporate Accountability
   b. Notice typically includes:
      i. what info is collected;
      ii. how the info is used and disclosed;
      iii. how to exercise choices about uses or disclosures;
      iv. whether an individual can update the info.
   c. Note: Promises made in a company’s privacy notice are legally enforceable by the FTC and the states.
vii. Choice: ability to specify whether personal info will be collected and/or how it will be used. Can be express or implied.
viii. Access: ability to view personal info held by an organization.

Regulatory Authorities
● FTC (Federal): general authority to enforce against unfair and deceptive trade practices, incl. the power to bring “deception” enforcement actions when a company has broken a privacy promise.
● State Attorney General: ability to bring actions pursuant to state laws prohibiting unfair and deceptive practices.
● Self-Regulation: (see above) trade regulations which need to be followed by members. E.g., Network Advertising Initiative, Direct Marketing Association, Children’s Advertising Review Unit.

Understanding Laws – 6 Key Questions (examples are based on the California Security Breach Notification Law)
Scope:
1. Who is covered by this law? California law covers anyone with computerized data that conducts business in California.
2. What types of information are covered? Computerized personal information of California residents, including SSN, California ID card, driver’s license number, or password information required to permit access to an individual’s financial account, when not encrypted.
   o Databases that contain only names and addresses or only encrypted info are not subject to the law.
3. How to comply with the law: what exactly is required or prohibited? Disclosure of any security system breach to any resident of California whose unencrypted personal info was, or is believed to have been, acquired by an unauthorized person.
Assessing risk for non-compliance:
4. Who enforces the law? The California AG, and there is a private right of action.
5. What happens if I don’t comply? Civil lawsuit seeking damages and forcing compliance.
6. Motivation behind the law: why does this law exist? Security breaches of computerized data are feared to cause identity theft; notification allows those affected to take steps to protect themselves.

Federal and State Regulators and Enforcement of Privacy Law

Types of Litigation and Enforcement
● Civil litigation occurs in the courts, when one person (the plaintiff) sues another person (the defendant) to redress a wrong.
● Criminal litigation involves lawsuits brought by the government for violations of criminal laws. This contrasts with civil litigation, which generally involves an effort by a private party to correct specific harms. Criminal prosecution can lead to imprisonment and criminal fines. In the federal government, criminal laws are prosecuted by the Department of Justice (DOJ).
● The Administrative Procedure Act (APA) governs the process by which federal agencies develop and issue regulations. It includes requirements for publishing notices of proposed and final rulemaking in the Federal Register, and provides opportunities for the public to comment on notices of proposed rulemaking.
Administrative enforcement actions are carried out pursuant to the statutes that create and empower an agency, such as the FTC and the FCC. 1. Medical privacy – Office of Civil Rights in the Department of Health and Human Services is responsible for HIPAA 2. Financial privacy – Consumer Financial Protection Bureau (CFPB), Federal Reserve; Office of the Comptroller of the Currency for jurisdiction under the Gramm-Leach-Bliley Act (GLBA) 3. Education Privacy – Department of Education for the Family Educational Rights and Privacy Act 4. Telemarketing and marketing privacy – FCC Commission, under the Telephone Consumer Protection Act (TCPA) and other statutes 5. Workplace privacy – EEOC, for the ADA and other antidiscrimination statutes. 6. Others providing privacy oversight, enforcement and policy: Dept. of State, Dept. of Commerce, USDOT/FAA/NHTSA; Office of Management and Budget; IRS; Homeland Security 7. DOJ is the only federal agency that can bring criminal enforcement actions. Some statutes provide for both civil and criminal enforcement. FTC Jurisdiction Consists of: chairperson + 4 commissioners, not under U.S. president’s control, with the authority to enforce against “unfair and deceptive trade practices.” Powers of the FTC: ● Penalizing and halting unfair or deceptive trade practices ● Seeking monetary redress for conduct injurious to consumers ● Prescribing trade regulation rules ● Establishing requirements to prevent unfair or deceptive trade practices Evolving Prioritization of the FTC: ● FTC was founded in 1914 under the Executive Branch as an independent agency (not under direct control of the president) to enforce antitrust laws; general consumer protection mission established by a statutory change in 1938. o The FTC navigates both roles today, and privacy and computer security issues have become an important part of its work. 
o Enforcement of privacy violations began under the Fair Credit Reporting Act of 1970; amended by the Fair and Accurate Credit Transactions Act of 2003, and the Gramm-Leach-Bliley Act of 1999. o Enforcement under Section 5 of the FTC Act -- perhaps the single most important piece of U.S. privacy law. ▪ ▪ ● Section 5 states that “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful” in commerce; Section 5 doesn’t apply to non-profit organizations and doesn’t extend to certain industries such as banks and other federally-regulated financial institutions, and common carriers such as transportation and communications industries. Late 1990s: Notice and Choice approach o o ● Focus on providing notice of privacy policy, allowing choice on how/whether consumer info is shared with 3ps Focus on deception and failure to comply 2000s: Harm based model: emphasis on substantial injury as a requirement under FTC’s unfairness authority, including 8 harm to consumers due to identity theft ● 2007: GPEN and APEC formed o o ● The Organization for Economic Cooperation and Development (OECD) adopts the Cross-Border Cooperation in the Enforcement of Laws protecting Privacy, which promotes common privacy issues globally. Recommendation motivated the FTC and other global enforcement agencies to form ▪ OECD the Global Privacy Enforcement Network (GPEN) ● GPEN was established to strengthen personal privacy protections by assisting public authorities with interfacing domestic privacy laws for cross-border cooperation. 
Asia Pacific Economic Cooperation (APEC) Cross-Border Enforcement Arrangement framework was also established; allows members to share info and evidence in cross-border investigations in Asia-Pacific enforcement actions 2012: Transparency and consumer control o ● ● WH Report on Consumer Data Privacy, emphasizing individual’s control, transparency, respect for content, security, access and accuracy, focused collection and accountability o FTC report principles re “Protecting Consumer Privacy in an Era of Rapid Change,” emphasizes Privacy by Design, simplified consumer choice and transparency 2015: Shift to responsibilities of controllers and data processers via FTC’s Privacy and Data Security Update’s 5 principles o Know what you have o Limit data retained to legitimate need o Implement safeguards o Dispose of data no longer needed o Have a plan for responding to consumer incidents 2016: Consumer protection issues raised by new technologies o o o o ● ● ● Smart TVs: ability to track consumer viewing habits ▪ FTC v. Lenovo: Customers harmed by defendant when it pre-installed software VisualDiscovery w/o disclosing it to consumers. Software acted as middle-man between customers and websites that interfered with how a user’s browser integrated w/websites, and created serious security vulnerabilities in order to deliver ads to consumers ▪ FTC v. Vizio: unfair and deceptive practices case. Smart TV collection collected viewing data w/o notice to and consent by consumers. Led to stipulated Federal order to pay $2.2m, delete data collected before 3.1.2016, and implement comprehensive data privacy program with bi-annual review. Drones: Privacy and security concerns, practical issues of providing choice and transparency Ransomware: steps businesses can take to prevent infiltration FTC v. Tru-Commission: Deception by falsely claiming participation and certification in the EU-Privacy shield framework. 
2017: FTC hosts workshops on privacy issues re: o Consumer cards o Education Technology o Identity Theft 2018: FTC hosts workshops on privacy issues re: fraudulent practices around cryptocurrency, data breaches o FTC v. VenMo/PayPal: Misleading, failure to disclose case; failure to satisfy Gramm-Leach-Bliley Privacy Rule and Safeguards Rule requirements when it failed to disclose to consumers that transfers to external banks were subject to review, and funds could be frozen or removed. 2019: FTC issues record-breaking fine against FB for selling user data (including viewing practices) to, among others, Cambridge Analytica. Cambridge Analytica used data to target certain individuals with false news stories, designed to sway the presidential election. Q: 1. Which of the following may be classified as an unfair trade practice by the FTC? A. A website’s privacy notice clearly states that it will not encrypt sensitive personal information, and the website does not in fact encrypt the data B. An organization promises to honor opt-out requests within 10 days but fails to honor opt-out requests C. A rogue employee steals credit card information even though the organization took reasonable precautions to protect the credit card information D. A federally insured bank does not comply with a regulation prohibiting the bank from revealing information about its customers 9 ANSWER: A. Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” Answer A is an example of an unfair trade practice because the website is not being deceptive, but the potential harm caused by the website’s failure to encrypt sensitive data clearly outweighs the cost of providing encryption, a commonplace and inexpensive security control. o Answer B is an example of a deceptive trade practice. 
When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises. A violation of a promise made in a privacy notice is an example of a deceptive trade practice. o Answer C would not be an unfair trade practice because the organization has implemented reasonable security measures, and the employee simply committed a crime, which is generally considered an unforeseeable event. o Answer D is incorrect because the FTC has no jurisdiction over banks and common carriers, which are under the supervision of other governmental agencies. ● Enforcement under Statutes o Congress added privacy-related responsibilities via the Administrative Procedure Act (APA): e.g., COPPA (1998) and Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act (2003) o The FTC shares rule-making and enforcement power with: ▪ the FCC under the Telemarketing Sales Rule and the CAN-SPAM Act; ▪ the HHS for data breaches re medical records under HITECH. FTC Enforcement Process and Consent Decrees ● ● ● ● FTC has broad investigatory authority, including authority to subpoena witnesses, demand civil investigation and require businesses to submit written reports under oath. If a violation exists, the FTC may initiate enforcement actions by issuing a complaint, and conducting an administrative trial before an ALJ. That decision can be appealed to the 5 commissioners, which can then be appealed to the federal district court. Although the FTC lacks the authority to assess civil penalties, if an FTC ruling is ignored, the FTC can seek civil penalties in federal court of up to $40,654 per violation and can seek compensation for those harmed by the unfair or deceptive practices. In practice, FTC privacy enforcement actions have usually been settled through consent decrees and accompanying consent orders. 
o In a consent decree, the respondent does not admit fault, but promises to change its practices and avoids further litigation on the issue.
o Consent decrees are posted publicly on the FTC’s website, and the details of these decrees provide guidance about what practices the FTC considers inappropriate.
Privacy Policies and Notices and Early FTC Enforcement Actions
There is no omnibus federal law requiring companies to have public privacy notices, but certain sector-specific statutes such as HIPAA, Gramm-Leach-Bliley, and COPPA do impose notice requirements.
Enforcement Actions and Deceptive Trade Practices
● For a practice to be deceptive, it must involve a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances. Deceptive practices include false promises, misrepresentations, and failures to comply with representations made to consumers.
o In re Nomi: sensors detected the MAC addresses of mobile devices searching for Wi-Fi service. Nomi used the info to provide analytics reports to clients. The FTC found that Nomi misled consumers about their ability to opt out of the service and failed to inform consumers of the location of the stores where the tracking was taking place. The consent order restricted the company’s business practices for 20 years.
o In re Snapchat: Snapchat promised short-lived messaging “snaps” that disappeared “forever” after a period of time. The app included a “Find Friends” feature. The company knew about ways to save chats indefinitely, and was collecting and saving the names and phone numbers of all contacts on the user’s mobile device. It was hacked, resulting in spam, phishing, etc., against the people in the database. A consent order was entered restricting the company for 20 years.
o In re TRUSTe, Inc.: The company’s website stated that annual recertifications of the privacy issues provided to the company would be conducted every year.
It failed to do so; a settlement agreement was reached requiring the company to maintain comprehensive records for 10 years re its certifications, plus a penalty.
o In re LifeLock: The company advertised that it could prevent all identity theft in exchange for a monthly fee. The FTC asserted that the business practice was deceptive because its approach protected against only certain forms of identity theft, and that customers’ data was not properly restricted or encrypted, putting the data it held at risk. The company paid a settlement.
Enforcement Actions and Unfair Trade Practices
● Unfair claims can exist even where the company has not made any deceptive statements, if the injury is substantial, lacks offsetting benefits, and cannot be easily avoided by consumers.
o The FTC has sanctioned companies for unfair practices when they failed to implement adequate protection measures for sensitive personal information or when they provided inadequate disclosures to consumers.
o In re Wyndham Worldwide Corp: The company stored credit card info in unencrypted text, permitted easily guessable passwords, failed to use firewalls between hotels, corporate systems and the Internet; allowed out-of-date operating systems and failed to update security in a timely manner; failed to adequately control computer access by third-party vendors; did not have unauthorized-access detection measures in place; and failed to add security measures after it suffered known breaches. Wyndham established the FTC’s authority to regulate “unfair methods of competition in or affecting commerce” under Section 5 of the FTC Act, extending it to the regulation of cyberspace practices that are harmful to consumers.
o In re LabMD: The company was hacked, and sensitive patient information was taken twice and placed on a peer-to-peer platform. The FTC brought an action for unfair trade practices for failing to take appropriate measures to prevent unauthorized disclosure of sensitive data on its network.
The ALJ dismissed the action, stating that the FTC failed to establish actual harm to consumers, which is required under the legal test for unfairness. The FTC reversed the ALJ’s decision and issued a final order requiring the company to implement a comprehensive program. LabMD appealed to the Federal District Court. The court presumed that the FTC had general authority over data security; the issue was the remedy imposed by the FTC. It held: “In the case at hand, the cease-and-desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness. This command is unenforceable.”
o DesignerWare: Shows FTC unfairness concerns extending beyond data breaches. Software licensed to rent-to-own companies logged keystrokes, captured screenshots and took photos using the computer’s webcam. Data gathered included sensitive information – user names and passwords, SSNs, medical/financial records, images of partially undressed individuals, pictures of kids, etc. The software used geolocation tracking without the permission of computer users. It also contained a fake software registration screen that tricked individuals into providing personal contact info. The FTC alleged unfair practices in surreptitiously collecting information, and deceptive practices in using the fake software registration. A consent order was entered.
Future of Federal Enforcement
2012 White House and FTC Reports: Combined, they provide a comprehensive approach to privacy enforcement.
● 2012 White House Report: Endorsed by Obama, but not signed into law. Defines the “Consumer Privacy Bill of Rights” based on traditional fair information practices:
1. Individual Control: Consumers have a right to exercise Individual Control over what personal data is collected and how it is used
2. Transparency: Privacy and security practices are Transparent – easily understandable and accessible
3. Context: Companies will respect the context in which consumers provide the data.
4. Secure: Personal data will be handled securely and responsibly.
5. Accessible & Correctable: Collected data is accessible and correctable
6. Limited: Consumers have a right to reasonable limits on collected data – it is limited and focused
7. Accountability: Companies are accountable for having appropriate measures in place to assure that they adhere to the Consumer Privacy Bill of Rights.
o The report recommended that the rights be included in federal legislation, emphasized the importance of achieving international/transborder interoperability and cooperation on privacy enforcement, and emphasized the role and expertise of the FTC in privacy enforcement.
● 2012 FTC Report emphasizes 3 areas:
1. Privacy by design. Companies should promote consumer privacy throughout their organizations and at every stage in the development of their products and services. They should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.
2. Simplified consumer choice. Companies should simplify consumer choice. They do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or that are required or specifically authorized by law. For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data. Companies should obtain affirmative express consent before (1) using consumer data in a materially different manner than claimed when the data was collected or (2) collecting sensitive data for certain purposes.
3. Transparency. Privacy notices should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy practices. Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use. All stakeholders should expand their efforts to educate consumers about commercial data privacy practices.
2015 FTC Privacy and Data Security Update: The FTC states that reasonable data security practices include at least 5 principles. Companies should:
1. Know the Data: be aware of what consumer info they have and who has legitimate access to the data
2. Limit: limit the info they collect and maintain to legitimate business purposes
3. Protect: protect the info they have by assessing risk and implementing security procedures and training
4. Remediation: have a plan in place to respond to any security incidents
2016 FTC Security Update: discusses various cases where consumers’ information was being collected without their knowledge, as well as 3 new technologies:
● Smart TVs (ability to track consumer viewing habits);
● Drones (practical issues of providing choice and transparency); and
o The National Telecommunications and Information Administration (NTIA) issued a report of best practices from its multi-stakeholder process concerning privacy, transparency and accountability issues for drones:
▪ Show care when operating the drone or collecting and storing data
▪ Limit the use and sharing of data
▪ Secure data
▪ Monitor and comply with evolving federal, state and local laws re drones.
● Ransomware (steps businesses can take to prevent and limit impact).
State Enforcement
● The National Association of Attorneys General Consumer Protection Project helps coordinate the work of state AGs.
● Legislation: State laws are commonly known as Unfair and Deceptive Acts and Practices (UDAP) statutes, and are enforced by the State A.G. or, sometimes, by private individuals.
Some states allow enforcement against “unconscionable” (harsh seller) practices.
● Case and Common Law:
o Torts: intrusion upon seclusion, appropriation of name or likeness, publicity given to private life, and publicity placing a person in a false light.
o Contract law: breach of fiduciary responsibility and of a promise of confidentiality that causes harm.
Self-Regulation and Enforcement
● The term self-regulation refers to a variety of approaches to privacy protection.
● Self-regulation, similar to government regulation, can occur through the three separation-of-powers components:
o legislation (who defines the rules?);
o enforcement (who should initiate enforcement actions?); and
o adjudication (who should decide whether a company has violated the privacy rules, and with what penalties?).
● Begins with voluntary industry rule-making.
● Privacy seals and certifications improve consumer confidence and serve as a way to comply with legal requirements.
o COPPA authorizes the FTC to confirm that certification programs are in compliance with the law.
o AdChoices by the Digital Advertising Alliance (DAA) allows users to click an icon near an ad and choose to what extent they will view ads from participating advertisers.
● Pros and Cons of Self-Regulation:
o Pro: Industry has the expertise to know how its systems operate and should therefore lead the creation, establishment and enforcement of the rules.
o Con: Industries are not strict enough.
● The 2012 White House and FTC Reports stress the importance of engaging in a multistakeholder privacy self-regulatory process, with the DOC facilitating the efforts, meaning it is part of but not the sole player.
o See also NTIA re Drones, supra.
Cross-border Enforcement Issues
● OECD Recommendation on Cross-Border Co-operation in the Enforcement of Laws Protecting Privacy, which focuses on the need to address common privacy issues on a global scale rather than on country-by-country differences in laws and enforcement power.
● In response to the recommendation, the FTC, along with enforcement authorities from around the world, established the Global Privacy Enforcement Network (GPEN) in 2010. The GPEN aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world.
● Another cross-border enforcement cooperation effort is the Asia-Pacific Economic Cooperation (APEC).
Principles of Information Management
The Role of the Privacy Professional
What a Privacy Professional does:
● Researches laws, guidelines, common practices and tools; monitors current events and changing guidelines to provide guidance to their organization
● Educates the organization about privacy laws, organizational policies, risks and recommended practices
● Designs and recommends policies and procedures for the organization.
Risks of Using PI Improperly
● Legal risks. Not complying with state, federal and international privacy laws; not fulfilling contractual commitments. The organization must comply with applicable state, federal and international laws regarding its use of information or potentially face litigation or regulatory sanctions such as consent decrees, which may last for many years. The company must also comply with its contractual commitments, privacy promises and commitments to follow industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS).
● Reputational risks. Damaging trust in the brand. The organization can face reputational harm if it announces privacy policies but does not carry them out; it may also face enforcement actions, particularly from the Federal Trade Commission (FTC). An organization should seek to protect its reputation as a trusted institution with respected brands.
● Operational risks. Affecting efficiency; inhibiting uses of PI that benefit the organization and customers. The organization must ensure that its privacy program is administratively efficient.
If a privacy program is too heavy-handed, it may interfere with relationships and inhibit uses of PI that benefit the organization and its customers, such as personalization or risk management.
● Investment risks. Hampering the ability of the organization to receive an appropriate return on its investments in information, IT and information-processing programs. The organization must be able to receive an appropriate return on its investments in information, information technology and information-processing programs in light of evolving privacy regulations, enforcement and expectations.
Developing an Information Management Program
A holistic approach to PI management: develop an info management program addressing the risks and benefits of processing PI; the program helps create policies and practices appropriate for the organization’s activities, including those for marketing, human resources, executing contracts, international data flows, and publishing online privacy notices when data is collected.
● Statements on websites are either called “privacy notices” (internal organization statements of policies) or “privacy policies” (external communications).
4 Basic Steps for Info Management:
● Discover – consider the company’s environment, info goals, and corporate culture.
o Issue identification and self-assessment – goals will serve as the foundation for the company’s policies.
o Determination of best practices – some standards are mandatory for members of a specific industry group.
● Build
o Procedure development and verification – close coordination between those writing the policies and IT experts and others who work in the various departments requiring policy compliance.
o Full implementation
● Communicate
o Documentation – internal and external, so that appropriate messages are delivered to the relevant audiences.
o Education
● Evolve
o Affirmation and monitoring
o Adaptation
Data Sharing and Transfer
● Create an Inventory: Where, how and for what length of time is the data stored?
o An inventory may be legally required for some institutions (e.g., the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule).
● Classify the Data: How sensitive is the information?
● Document Data Flows to map the systems, applications and processes handling the data. Helps identify areas for compliance attention.
Questions for Data Accountability:
o Inventory of the data
o Sensitivity of the data
o Encryption: Should the information be encrypted? Under many breach notification laws, no notice is required if the lost PI is sufficiently encrypted or protected; this encourages encryption.
o Transferability: Will the information be transferred to or from other countries, and if so, how will it be transferred? Become familiar with the originating and receiving privacy requirements for transborder data flows.
o Governing: Who determines the rules that apply to the information?
o Handling: How is the information to be processed, and how will these processes be maintained?
o Dependency: Is the use of such data dependent upon other systems?
Privacy Policies and Disclosure
● Communication of Privacy Policy Through a Notice – ways to do this:
o Make the notice accessible online.
o Make the notice accessible in places of business. Clearly post the organization’s privacy notice at the location of business in areas of high customer traffic and in legible form. Organization staff also should have ready access to copies of the up-to-date company privacy policy in case a customer wishes to obtain a copy for review.
o Provide updates and revisions.
▪ For financial institutions, GLBA requires that customers receive the privacy notice annually, with clear notice of the customer’s rights with respect to opt-outs.
▪ For institutions without this sort of required updating, provide good notice when the privacy policy is revised, with express customer consent (opt-in) for material changes and a clear opportunity to opt out for smaller changes.
▪ The FTC has stated that companies should obtain express (opt-in) affirmative consent before making material retroactive changes to privacy representations. A “material change” “at a minimum includes sharing customer information with third parties after committing at the time of collection not to share the data.”
o Ensure that the appropriate personnel are knowledgeable about the policy.
▪ HIPAA creates specific training requirements for all employees of covered entities.
▪ Customer service representatives (CSRs) should receive a statement or script describing the privacy notice that can be used to answer customer questions; they should also have a full copy of the privacy notice and be able to send or direct customers to the notice so the customer can review it in detail. They should also know how to escalate.
Managing User Preferences and Access Requests
Generally, the mechanism used for marketing should be the same channel used for exercising user preferences (e.g., the opt-out for a CAN-SPAM email solicitation must be exercisable by the consumer through an online mechanism, not a requirement to mail or call in their opt-out). The time period for implementing user preferences is sometimes provided by law (e.g., CAN-SPAM mandates specific time periods for processing customer preferences).
● Opt-In: Affirmative consumer consent
o HIPAA requires opt-in consent before Protected Health Information is disclosed to a third party, subject to exceptions.
o The Fair Credit Reporting Act (FCRA) requires opt-in before a consumer’s credit report may be provided to an employer, lender or other authorized recipient.
o Industry standards: email marketers require a “double opt-in” or “confirmed opt-in”.
o The EU (in the GDPR) takes the position that opt-in consent is appropriate for marketing to occur.
o Opt-in is the preferred form of consent when collecting sensitive info such as a customer’s geolocation data.
● No Consumer Choice/No Option
o The FTC approves implied authority where sharing data is consistent with the context of the transaction or the company’s relationship with the consumer, or is required or specifically authorized by law.
▪ PI is given to the organization and the consumer expects it to be shared to fulfill the order.
▪ e.g., in an online purchase, a consumer expects PI to be shared with the shipping company, credit card processor, and others engaged in fulfilling the order.
● Opt-Out/Consumer Choice; some statutes require companies to at least provide an opt-out
o GLBA requires an opt-out before transferring a customer’s PI to an unaffiliated 3rd party.
▪ Financial institutions must provide an opt-out by law prior to sharing PI with third parties, but sharing with affiliates can be done without offering an opt-out.
▪ An opt-out request from a customer must be honored across all communications regardless of the media used to communicate the request.
o The Video Privacy Protection Act requires an opt-out before movie or rental data is provided to a 3rd party.
o CAN-SPAM requires email marketers to provide an opt-out.
o Do Not Call rules – opt out of telemarketing phone calls, in general and on a company-by-company basis.
o Opt-outs are required for companies that subscribe to self-regulatory systems.
Access Requests
APEC Principles provide guidance on the proper scope of access requests and exceptions:
1. Individuals should be able to:
a. Obtain from the PI controller confirmation of whether or not the controller holds PI about them;
b. Receive, after providing sufficient proof of their identity, PI about them
i. Within a reasonable time
ii. At a charge, if any, that is not excessive
iii. In a reasonable manner
iv. In a form that is generally understandable
c. Challenge the accuracy of the information and, if appropriate, have the information rectified, completed, amended or deleted, except:
i. Where the burden or expense of doing so is unreasonable or disproportionate to the risks to the individual’s privacy
ii. Where the information should not be disclosed by law
iii. Where the PI rights of another would be violated.
Contract and Vendor Management
● Vendor Contracts: Prior to a US-based organization sharing personal info with a US-based third party, ensure that appropriate privacy terms and conditions are included in a contract with the third party.
o Vendor contracts should include a confidentiality provision
o Specify that data will be used only for the purposes contracted
o If subcontractors are used, the contractor organization should require all subcontractors to follow the privacy and security provisions under the contract, AND address whether data can flow across borders
o Promptly notify data or contract breaches
o May include provisions concerning security controls, encryption, etc., employee background checks, audit rights.
● Vendor Due Diligence: standards for selecting vendors should include:
o Reputation
o Financial condition and insurance
o Information security controls
o Point-of-transfer vulnerability
o Disposal of information
o Employee training and user awareness
o Vendor incident response
o Audit rights
Global Perspective
GDPR requires:
1. notification of security breaches;
2. new requirements for processors;
3. designation of data protection officers;
4. accountability obligations;
5. rules for international transfers; and
6. sanctions of up to 4% of worldwide revenues.
GDPR provides extensions of individuals’ rights including:
1. Right to be forgotten;
2. Right to data portability; and
3. Implementation of principles of data protection by design and by default
Bases for data transfer between EU and US
● Privacy Shield: Invalid now for EU/US data transfers (Schrems II).
o The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
o Schrems II: Held that any transfers under the Privacy Shield from the EU to the US are now illegal, and that data exporters that wish to continue transferring personal data to the US must use other data transfer mechanisms.
▪ Left open whether Standard Contractual Clauses for Controller-to-Controller SCC or BCR transfers were valid.
● Standard Contractual Clauses (SCC)
● Binding Corporate Rules (BCR): internal rules which define the international policy of a multinational group of companies and international organizations regarding intra-organizational cross-border transfers of personal data.
Online Privacy
Tracing Stages of Personal Information:
1. Collection
2. Use
3. Dissemination to third parties
4. Archiving or Deletion
Internet Basics:
● HTTP: application protocol that manages data communication over the internet using a TCP/IP network for websites.
● HTML: content-authoring language used to create web pages. Describes the content of a web page in terms of how it should be displayed. HTML5 is the latest version and has the ability to run video, audio and animation directly from websites without a plugin like Flash.
● HTTPS: transfer of data from a browser to a website over an encrypted connection.
● XML: Like HTML, a language that facilitates the transport, creation, retrieval and storage of documents. But it describes the content of a web page in terms of the data that is being produced, enabling automatic processing of data in large volumes and necessitating attention to privacy issues.
● Web server: computer connected to the internet that hosts web content and is configured to share the content.
● Proxy Server: intermediary server that provides a gateway to the web. A proxy server typically masks what is going on behind the organization’s firewall so that an outside website sees only the proxy’s IP address, not detailed info about which part of the organization is communicating with the outside website.
● VPN: category of proxy server used in the US for employee web access. Encrypts the info from the user to the organization’s proxy server, thus masking both the content and the web destinations of that user.
● Web server log: sometimes auto-created when a visitor requests a web page.
● IP: specifies the format of the data packets that travel over the Internet and provides the appropriate addressing protocol. An IP address is a unique number assigned to each connected device.
● ISP: Internet service provider.
● TCP: Transmission control protocol enables 2 devices to establish a stream-oriented, reliable data connection.
● TLS: Transport layer security is a protocol that ensures privacy between a user and a web server.
● Javascript: scripting language used to produce a more interactive and dynamic website. Vulnerable to cross-site scripting (XSS), which is code injected by malicious web users into web pages viewed by others.
● CSS: Cascading style sheets: language used to describe the presentation of web pages; includes colors, layout and font. CSS and HTML are independent of each other.
● Flash: Bandwidth-friendly interactive animation and video technology used to enliven web pages and advertisements.
● Active Data Collection: the end user deliberately provides info to the website.
● Passive Data Collection: data that is collected automatically, often without the end user’s knowledge (e.g., while navigating through a web page). This is usually done using cookies.
● Syndicated content: not actually created by the host site, but rather developed by and/or purchased or licensed from outside sources. Vulnerable to XSS.
● Web services: facilitate direct communication between computers, allowing, for example, organizations to interconnect with their suppliers online.
● Co-branded sites: online partnerships between 2 or more c
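The XSS exposure that the Javascript and syndicated-content entries above describe, as an added example that is not part of the textbook outline: a feed item from an outside source is rendered into the host site's page first by raw string concatenation (the unsafe way) and then through context-aware escaping. The feed item and the helper names (escapeHtml, safeHref, renderUnsafe, renderSafe) are constructed for illustration.

```javascript
// Added example, not from the outline. Demonstrates why syndicated (third-party)
// content must be escaped before it is inserted into the host site's HTML.

// Constructed sample feed item; a real one would arrive from the outside source.
const syndicatedItem = {
  title: 'Weekly deals <script>alert(1)</script>',
  link: 'javascript:alert(1)',
  summary: 'Save 20% on "select" items & more',
};

// Escape the five characters HTML treats specially, so untrusted text is
// displayed as text rather than parsed as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Attribute context: only absolute http(s) URLs are allowed in href; anything
// else (javascript:, data:, relative paths) is replaced by a harmless '#'.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return escapeHtml(parsed.href);
    }
  } catch (e) {
    // not an absolute URL: fall through to the safe default
  }
  return '#';
}

// Unsafe: raw concatenation lets the feed's markup (and script) run in the
// host site's origin, which is the XSS case the outline warns about.
function renderUnsafe(item) {
  return '<h3>' + item.title + '</h3>' +
    '<a href="' + item.link + '">' + item.summary + '</a>';
}

// Hardened: every third-party value is escaped for the context it lands in.
function renderSafe(item) {
  return '<h3>' + escapeHtml(item.title) + '</h3>' +
    '<a href="' + safeHref(item.link) + '">' + escapeHtml(item.summary) + '</a>';
}

// Returns true only if the rendered markup contains no raw <script> tag and
// no javascript: link; used to compare the two renderers.
function isMarkupInert(html) {
  return !/<script/i.test(html) && !/href="javascript:/i.test(html);
}

console.log('unsafe:', renderUnsafe(syndicatedItem));
console.log('safe:  ', renderSafe(syndicatedItem));
```

In a browser the same rule applies when building the DOM directly: assign third-party text with textContent and validated URLs with the href property rather than composing innerHTML.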