US Private Sector Privacy Chapter 04 PDF
This document is a chapter from a book on information management and privacy risk management in the US private sector. It covers various topics related to privacy and handling personal information. It is a textbook chapter from a Georgia Tech course.
MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP

NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class.

CHAPTER 4 Information Management and Privacy Risk Management

The first three chapters in this book have introduced key material in the study of privacy. Chapter 1 explored fundamental concepts for modern protection of privacy. Chapter 2 explained essential aspects of the U.S. legal system. Chapter 3 introduced the technological aspects of privacy. This chapter focuses on principles that businesses must address as they handle data: information management and privacy risk management. [1]

Almost every business, regardless of industry, faces a plethora of decisions in how to handle personal data. These decisions grow more complicated as consumers and regulators demand more from businesses related to the privacy and security of this personal data. Businesses that handle so-called sensitive data, which often includes medical, financial, or children’s data, are expected to meet an even higher bar as they make decisions about how to collect, use, and possibly disseminate this data. Businesses that operate on a global scale, which is far more common with the internet than it once was, face cross-border data issues that include multiple sets of regulation related to privacy and security.

Businesses face significant costs to come into compliance with federal and state privacy requirements as well as legal requirements in other countries. With the enactment of the EU’s General Data Protection Regulation (GDPR) in 2018, a joint survey by IAPP and EY found that companies reported spending more than $1 million per year on GDPR compliance. [2] In the absence of a federal comprehensive privacy law in the United States, the Information Technology & Innovation Foundation (ITIF) estimated in 2022 that the yearly out-of-state cost for compliance in a scenario where all 50 states enact privacy laws would be approximately $100 billion per year. [3]

It is worth pointing out that the cost of mishandling personal data can be significant for a business, both for the short-term impact to the business’ profits and also potentially for its long-term viability as a business. [4] For example, in 2022 IBM found that the global average cost of a data breach is more than 4 million dollars, with costs even higher in the healthcare and financial industries. [5] In the longer term, as it relates to the treatment of personal data, numerous studies have indicated that consumer trust (or lack thereof) can have a positive (or negative) impact on a consumer’s decision to engage with a particular business. [6] According to Edelman’s Trust Barometer, trust of a company is linked to purchase decisions, and ethics are more important in creating consumers’ trust of a company than competence. [7] Cisco’s 2022 survey reported that elements of trust are key to consumers’ decisions to be associated with a business. According to the research, consumers expect businesses to be both truthful and transparent about the handling of personal data, and also expect businesses to handle their personal data responsibly. More than 80 percent of participants in the survey reported that the way that a business treats personal data is indicative of the degree to which the business respects its customers. Approximately 75 percent of those surveyed stated they would not buy from a business that they did not trust with their data. [8] When examined through the lens of trust, privacy can be viewed as a core business priority that has the potential to increase consumer loyalty, improve brand perception, drive business outcomes, and lead to higher earnings. [9]

This chapter begins by discussing best practices for developing an information management program that addresses privacy and other information management concerns, including security. The chapter then turns to an examination of privacy risk management, focusing on privacy impact assessments, vendor/third-party risk assessments, and data breach readiness assessments. The chapter concludes with an overview of key global issues related to data traveling to or from the United States.

This material should be read in the context of more detailed discussions of legal rules in the other chapters of this book. Numerous chapters in the book look at the legal regulation of privacy, including Chapter 5 (State and Federal Regulators of Privacy), Chapter 8 (Medical Privacy), Chapter 9 (Financial Privacy), Chapter 10 (Education Privacy), Chapter 11 (Telecommunications and Marketing), and Chapter 12 (Workplace Privacy). Two chapters focus on state regulation of privacy – Chapter 6 (State Comprehensive Laws) and Chapter 7 (State Data Breach Notification Laws). Chapter 14 (The GDPR and International Privacy Issues) provides additional insight into the global landscape, with particular emphasis on the EU’s GDPR. This chapter provides a management perspective on how to meet any and all such legal requirements. This chapter draws heavily on the IAPP book, “Privacy Program Management: Tools for Managing Privacy Within Your Organization,” edited by Russell Densmore. [10] We recommend that book (or any update) for those wishing to gain a deeper understanding of these concepts.

4.1 Information Management

Information management focuses on establishing, implementing, and monitoring the organization’s privacy program under the direction of a senior person in the organization, such as the Chief Privacy Officer (CPO). Information management requires a combination of skills: legal, marketing, sales, human resources, public and government relations, and information technology. In large organizations, privacy professionals may be part of a team that draws on a mix of these skill sets. Although the details of information management vary by organization, information management generally involves numerous levels of management, where each contributes particular types of expertise and resources. Executive leaders emphasize the needs of the organization as a whole and have the authority to ensure that the organization’s vision is carried out. Frontline managers are more familiar with procedural and technical requirements, and typically better understand the problems of the organization’s systems as well as its customers. [11]

This section focuses on a variety of topics relevant to information management: the role of the privacy professional; data sharing and data transfers; the privacy program; the privacy policy and the privacy notice; and managing user preferences and user requests.

4.1.1 The Role of the Privacy Professional

Privacy professionals need to appreciate both the benefits and the risks of using personal information (PI). PI is essential to most businesses—every organization with employees or even volunteers manages PI. Organizations may collect consumer PI for many purposes, both directly from prospective and existing customers and indirectly through data available from public and private sources. Organizations may disclose information to service providers, affiliates, business partners and government agencies for a wide range of purposes. At the same time, as discussed in this book, many risks can arise from the collection, use and disclosure of PI.

Perceptions of acceptable privacy practices vary, creating challenges for privacy professionals. Decades of opinion surveys show that people can be categorized in three groups: the “privacy fundamentalists” (people with a strong desire to protect privacy), the “privacy unconcerned” (people with low worries about privacy), and the “privacy pragmatists” (people whose concern about privacy varies with context and who are willing to give up some privacy in exchange for benefits). [12] Perceptions about privacy risks not only vary within the population, but they also shift over time. Sometimes the shift is toward greater privacy protection. For example, Social Security numbers used to be visible through the envelope window of millions of Social Security and Supplemental Security Income checks mailed by the U.S. Treasury. With rising fears of identity theft, that practice was abolished in 2000. [13] Sometimes the shift is toward less privacy protection. For example, the modern world is filled with people who post intimate details of their lives on widely adopted social networks. [14] Sometimes the target of privacy concerns shifts—Edward Snowden’s 2013 revelations about National Security Agency (NSA) surveillance practices raised concerns about privacy from government surveillance. [15] Recent news stories have been filled with concerns about company practices in relation to privacy – from how companies store and protect data to how companies use the consumer data that they hold.

With regard to data breaches, the American public typically reacts strongly in the months following such occurrences but has generally been forgiving of these lapses in security over time – particularly when the companies are perceived to have adequately addressed the breach after it was discovered. [16] For example, after the data breach involving approximately 150 million consumers, the credit bureau Equifax was dubbed the “most hated” company in the United States. [17] A year later, Equifax had nearly regained the level of public trust that it had before the breach. This turnaround is believed to have been helped by public apologies and online portals to address issues that consumers encountered due to the incident. [18]

Members of the public have been less willing to forgive when business models are based on data collection practices that are deemed to be inappropriate and in contrast with consumers’ expectations. The Cambridge Analytica scandal, which involved data from a major platform being utilized by a third party in an attempt to influence both the user and the user’s friends and family, [19] sparked a backlash against numerous major tech companies. [20] Concerns such as these led to worldwide concerns about ‘surveillance capitalism,’ the term coined by Professor Shoshana Zuboff to describe business practices by tech companies to collect data about individuals and to use this knowledge to influence the behaviors of these individuals. [21] At the writing of this book, this widespread angst against the tech community has led officials to pursue numerous antitrust and privacy enforcement measures against these companies both in the U.S. and beyond, along with consideration of potential legislation. [22] Certain proposals for a federal comprehensive privacy law in the United States have included a duty of loyalty, where businesses would be required to act in the best interests of those whose personal data is processed. [23]

Although established techniques exist for information security, such as installing firewalls or using industry-standard encryption for communications, [24] there is less consensus about good practice for many privacy issues. Laws vary across jurisdictions and industry sectors, and views about good practice often differ, both within an organization and as defined by external norms. [25]

The role of the privacy professional may include: researching laws, guidelines, common practices and tools; educating and communicating to the organization; designing and recommending policies; and monitoring and managing organizational risk. Privacy professionals engage in numerous tasks, such as alerting their organizations to these often-divergent perspectives. Privacy professionals also help their organizations manage a range of risks that can arise from processing personal information and do so in a manner consistent with meeting the organization’s growth, profitability and other goals. Privacy professionals can assist the organization in identifying areas where compliance is difficult in practice, and in designing policies to close gaps between stated policies and actual operations.

Setting up the privacy team includes a number of important tasks. One early task for the privacy team is establishing responsibilities and a reporting structure that is appropriate to the size of the organization. It is important to note that the reporting structure can vary considerably from organization to organization. [26] The privacy team should designate a point of contact for privacy issues. Also, the privacy team should determine how to evaluate the work of the team.

Another critical task that the privacy team can undertake is to operationalize privacy across the organization. [27] This involves: ensuring that an ethical code of conduct is in place for the organization, with privacy as a core value; developing practical approaches to addressing privacy challenges and to designing to engender trust; and using privacy best practices throughout the privacy program’s lifecycle. [28]

Depending on the size of the organization, numerous individuals with various job titles may be part of the privacy team. The team may include:

The Chief Privacy Officer (CPO) is charged with developing and implementing policies related to data processing and the proper handling of personal information. The CPO is typically in a leadership position in the organization. [29]

The Data Protection Officer (DPO), a term more widely used in Europe than the United States, is tasked with ensuring that the organization’s processing and handling of personal information complies with legal privacy requirements. The DPO cannot be directly involved with decision making regarding data processing activities and cannot have other responsibilities within the organization that are in conflict with the DPO role. [30]

The Chief Legal Officer is responsible for the legal affairs of the entire organization. Privacy would be one area of concern among many. This function can also be performed by an attorney within the legal department; in a large organization, such an attorney might be dedicated to privacy matters.

The Privacy Engineer works to ensure that compliance with legal requirements has occurred through the technical processes of the organization. Although concerned generally with compliance, the focus of a privacy engineer is also to ensure that the strategic direction of the organization better supports customers and those affected by the practices of the organization. [31] For many organizations, this job title is relatively new, but it typically carries a significant amount of responsibility.

The Privacy Manager is responsible for development, maintenance and enforcement of privacy policies and procedures within an organization. [32] A privacy manager is typically a mid-level manager within the organization, and may work within a particular business unit.

The Privacy Analyst manages legal and operational risks related to personal information held by the organization. The Privacy Analyst assesses business unit operations. In addition, the Privacy Analyst develops policies, procedures, and trainings. The position of privacy analyst can be an entry-level position in many organizations. [33]

Within an organization, there can also be individuals who play more informal parts related to privacy: privacy champions and ‘first responders.’ Privacy champions can be in any area of the organization. These are individuals within the organization who are passionate about privacy and/or who focus on the details of the legal requirements related to privacy. These individuals do their best to understand and implement privacy requirements. ‘First responders’ are those individuals within an organization who are “on the front lines,” so they respond when the organization deals with a specific difficulty. [34]

4.1.2 Data Sharing and Transfers

This section examines practices and controls for managing PI in the often-complex flows among U.S. business enterprises, both within the United States and across geographic boundaries. For a company seeking to develop a privacy program, it is critical to identify the types, sources, and uses of personal information (PI) within an organization. For a company that already has a privacy program, it is important to remember that this is a process that requires constant updates as business practices evolve and technology changes. In addition, the regulatory landscape is not static.

Before examining the practices and controls related to data sharing and transfers, it is helpful to remember that data should be managed through its lifecycle, and that approaches which are privacy protecting in one stage may not be as appropriate to accomplish these goals in another stage. The stages of the data lifecycle are: data creation; data storage; data sharing and usage; data archival; and data deletion. [35] It is also worth noting that legal requirements may arise at different stages of the lifecycle. For example, numerous states have data destruction laws (discussed in Chapter 7) which mandate requirements in the last stage of the data lifecycle. [36]

The section examines practices and controls for managing personal information in the often-complex flows among U.S. business enterprises, both within the United States and across geographic boundaries: data inventory, data classification, data flow mapping, and data accountability.

4.1.2.1 Data Inventory

It is important for an organization to undertake an inventory of the PI it collects, stores, uses or discloses—whether within the organization or to outside entities. This inventory should include both customer and employee data records. It should document data location and flow as well as evaluate how, when and with whom the organization shares such information—and the means of data transfer used. One benefit of the inventory can be that it identifies risks that could affect reputation or legal compliance. If a problem subsequently occurs, current enforcement practices indicate penalties are likely to be less severe if the company has an established system of recording and organizing this inventory. The organization’s inventory should be reviewed and updated on a regular basis. This sort of inventory is legally required for some institutions, such as those covered by the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule discussed in Chapter 9 (Financial Privacy).

4.1.2.2 Data Classification

After completing an inventory, the next step is to classify data according to its level of sensitivity. The data classification level defines the clearance of individuals who can access or handle that data, as well as the baseline level of protection appropriate for that data. Most organizations handle different types of PI, such as personnel and customer records, as well as other information the organization treats as sensitive, such as trade secrets and business plans. Data that is more sensitive generally requires greater protection than other information held by the organization. It may be segregated from less sensitive data, for instance, through access controls that enable only authorized individuals to retrieve the data, or even kept in an entirely separate system. If all data is held in the same system, temporary or lower-level employees might gain access to sensitive data. Holding all data in one system can increase the consequences of a single breach.
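The inventory and classification steps above, worked as an added example that is not from the IAPP text: a small Python data-inventory model, with constructed records, classification labels and system names, that enforces clearance-based access, flags systems mixing sensitive with routine data, maps which outside recipients each system shares with, and lists records past their retention period.

```python
# Added example (not from the IAPP chapter). Constructed names, labels and sample
# records; the logic follows the chapter's sequence: inventory, classify, control access,
# check segregation, map sharing flows, and find records due for destruction.
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ["public", "internal", "confidential", "restricted"]  # least to most sensitive
TODAY = date(2024, 1, 22)  # fixed reference date so the sample results are reproducible

@dataclass
class DataAsset:
    name: str            # what is held, e.g. "customer_email"
    subject: str         # whose data: "customer" or "employee"
    classification: str  # one of LEVELS
    system: str          # where it is stored
    shared_with: list    # outside recipients (vendors, affiliates, agencies)
    transfer: str        # means of transfer to those recipients
    created: date        # start of the data lifecycle
    retention_days: int  # how long it may be kept before deletion

def rank(level):
    """Numeric sensitivity; an unknown label raises rather than silently ranking low."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification: {level}")
    return LEVELS.index(level)

def can_access(clearance, asset):
    """Default deny: an asset may be handled only with clearance at or above its level."""
    return rank(clearance) >= rank(asset.classification)

def segregation_violations(inventory, sensitive_from="confidential"):
    """Systems holding both sensitive and non-sensitive data: the single-system risk where
    lower-level staff can reach sensitive records and one breach exposes everything."""
    mixed = {}
    for a in inventory:
        mixed.setdefault(a.system, set()).add(rank(a.classification) >= rank(sensitive_from))
    return sorted(s for s, flags in mixed.items() if flags == {True, False})

def flow_map(inventory):
    """system -> sorted outside recipients: the sharing relationships an inventory
    (or a GDPR Record of Processing Activities) has to document."""
    flows = {}
    for a in inventory:
        flows.setdefault(a.system, set()).update(a.shared_with)
    return {s: sorted(r) for s, r in flows.items()}

def due_for_deletion(inventory, today=TODAY):
    """Assets past retention: the deletion stage, where state data destruction laws apply."""
    return sorted(a.name for a in inventory
                  if a.created + timedelta(days=a.retention_days) < today)

# Constructed sample inventory; the CRM deliberately mixes routine and restricted data.
SAMPLE = [
    DataAsset("customer_email", "customer", "internal", "crm", ["mail-vendor"], "api",
              date(2021, 1, 1), 3 * 365),
    DataAsset("customer_ssn", "customer", "restricted", "crm", [], "none",
              date(2023, 6, 1), 7 * 365),
    DataAsset("employee_payroll", "employee", "confidential", "hr",
              ["payroll-vendor", "tax-agency"], "sftp", date(2020, 1, 1), 7 * 365),
    DataAsset("newsletter_signups", "customer", "internal", "web", ["mail-vendor"], "api",
              date(2019, 1, 1), 10 * 365),
]
```

Running `segregation_violations(SAMPLE)` reports the CRM, `due_for_deletion(SAMPLE)` reports the customer e-mail record, and `can_access("internal", SAMPLE[1])` is denied.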
In the United States, classification is often important for compliance purposes because of sector-specific privacy and security laws. As discussed throughout this book, different rules apply to financial services information, medical information, and numerous other categories. An effective data classification system helps an organization address compliance audits for a particular type of data, respond to legal discovery requests without producing more information than necessary, and use storage resources in a cost-effective manner.

4.1.2.3 Data Flow Mapping

Once data has been inventoried and classified, data flows should be examined and documented. Questions to be answered in data mapping include: What data does the organization process? Where does the organization process data? Why does the organization process data? An organization chart can be useful to help map and document the systems, applications and processes for handling data. Documenting data flows helps identify areas for compliance attention. [37]

There can be different approaches to data mapping. Two common examples are top-down and bottom-up. When undertaken primarily for regulatory purposes, the top-down approach is typically employed. This top-down approach often starts with the Record of Processing Activities (RoPA) which is required under the EU’s GDPR (discussed generally in Chapter 14). The RoPA