US Private Sector Privacy Chapter 04 PDF

Summary

This document is an excerpt from Chapter 4 of IAPP course materials (dated 01/22/2024) used in MGT 6727 at Georgia Tech, a course on US private sector privacy. It covers privacy policy review and approval, version control for privacy policies, communication of privacy notices (including layered, just-in-time and mobile notices), managing user preferences (opt-in, opt-out and no option) and consumer rights requests, privacy risk management, privacy impact assessments, and vendor/third-party risk assessments. It also briefly references international frameworks such as the OECD Guidelines, the APEC Principles and the GDPR.

Full Transcript


MGT 6727 (Spring Semester 2024) at Georgia Tech, Chapter 4 – as of 01/22/2024 © IAPP
NOT FOR DISSEMINATION: The materials in this course are provided only for the personal use of students in this class in association with this class.

information between two parts of the same company. Where multiple policies are used, it makes sense to align policies as closely as possible so as not to hinder cooperation between divisions.

4.1.4.1.3 Policy Review and Approval

An organization should not finalize a privacy policy without legal consultation followed by executive approval. If a policy is too strict, open-ended statements or overly ambitious security promises can result in legal penalties or reputational problems when the organization cannot satisfy them. If the policy is not strict enough, consumers, regulators, and the press may criticize the company for its failure to protect privacy.

If a privacy policy is revised, the organization should announce the change first to employees, then to both current and former customers through its privacy notice. According to the FTC, companies should obtain express affirmative consent (opt-in) before making material retroactive changes to privacy representations; a "material" change "at a minimum includes sharing consumer information with third parties after committing at the time of collection not to share the data." [56]

4.1.4.1.4 Version Control for Privacy Policy

An organization's privacy policy will need to be updated as its information collection, use and transfer needs evolve. To ensure this happens on a timely basis, the organization should review the privacy policy periodically; given the rapid changes in technology and business practices, this review should be scheduled at least once a year. As changes occur, a new version of the privacy policy must be drafted to replace the older version. Replacement must occur systematically across all areas of posting (physical and electronic) to reduce the risk that representations made under different versions of the policy will be implemented.

Privacy policies should show the policy revision date along with a version number, if one is used. For compliance purposes, it is useful to save and store older versions of the privacy policy and its associated notice. These earlier versions may be useful internally, for example, to show what representations were made in connection with which customer transactions. They may also be useful in an enforcement action, to reduce the risk that the company will be held to an incorrect set of representations. Data should only be used in compliance with the policy notice in effect at the time the data was collected, unless the data subject later agrees to the terms of a revised notice.

4.1.4.2 Privacy Notice

A privacy notice is an external statement that provides transparency about the organization's privacy practices: how it collects, uses, shares, retains, and discloses personal information, based on the organization's privacy policy. In certain instances, a privacy notice must be provided to consumers when an organization collects information from individuals. Importantly, a privacy notice should be considered a promise that the organization makes to consumers. [57]

4.1.4.2.1 Communication of Privacy Policy Through a Notice

Both the privacy notice and the privacy policy describe how personal information will be collected, used, shared, and stored. While the privacy policy is typically an internal document, directed at employees and contractors, the privacy notice is directed at customers (and potential customers), users, and, in certain instances, employees.
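The version-control rule above (data may be used only under the notice in effect when it was collected, unless the subject later agrees to a revised notice) and the FTC position on material retroactive changes are straightforward to enforce in code once each collection is tagged with the notice version. The following Python is an added illustration, not part of the IAPP text: a small consent ledger that retains every published notice version, records which version governs each subject's data, and answers whether a proposed use is disclosed by that version. The version names, dates, purposes and materiality flags are constructed sample data. One modeling choice is an assumption rather than a statement of law: a non-material revision is treated as taking effect for a subject who was notified and did not opt out, following the chapter's guidance to obtain express consent for material changes and offer an opt-out for smaller ones.

```python
"""Consent ledger keyed to privacy-notice versions (added example, not IAPP text)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NoticeVersion:
    version: str
    effective: str            # ISO date; constructed for the example
    purposes: frozenset       # uses this notice version discloses
    material: bool = False    # material change vs. the previous version (FTC sense)?


@dataclass
class ConsentRecord:
    subject: str
    collected_under: str                                # notice in effect at collection
    express_consent: set = field(default_factory=set)   # later versions opted in to
    opted_out_of: set = field(default_factory=set)      # later versions declined


class ConsentLedger:
    def __init__(self, versions):
        # Retain every version, old ones included: internal review and any
        # enforcement action both need to know what was promised, and when.
        self.order = [v.version for v in versions]          # publication order
        self.versions = {v.version: v for v in versions}
        self.records = {}

    def _check(self, version):
        if version not in self.versions:
            raise ValueError(f"unknown notice version {version!r}")

    def record_collection(self, subject, version):
        self._check(version)
        self.records[subject] = ConsentRecord(subject, version)

    def record_opt_in(self, subject, version):
        self._check(version)
        self.records[subject].express_consent.add(version)

    def record_opt_out(self, subject, version):
        self._check(version)
        self.records[subject].opted_out_of.add(version)

    def governing_version(self, subject):
        """Which notice version currently governs this subject's data."""
        rec = self.records[subject]
        current = rec.collected_under
        # An express opt-in to a revised notice re-accepts its terms in full, so the
        # newest version the subject opted in to becomes the new baseline.
        for v in self.order[self.order.index(current) + 1:]:
            if v in rec.express_consent:
                current = v
        # From that baseline, a later revision applies only if it was non-material
        # and the subject, having been notified, did not opt out (assumption about
        # operationalizing "opportunity to opt out for smaller changes").
        # A material revision never applies without express opt-in.
        for v in self.order[self.order.index(current) + 1:]:
            if self.versions[v].material or v in rec.opted_out_of:
                break
            current = v
        return current

    def is_use_permitted(self, subject, purpose):
        governing = self.versions[self.governing_version(subject)]
        return purpose in governing.purposes


def build_example_ledger():
    """Constructed sample data: three notice versions, four data subjects."""
    base = frozenset({"order_fulfillment", "service_email"})
    ledger = ConsentLedger([
        NoticeVersion("v1", "2023-01-01", base),
        NoticeVersion("v2", "2023-09-01", base | {"product_analytics"}),
        NoticeVersion("v3", "2024-01-15",
                      base | {"product_analytics", "third_party_ad_sharing"},
                      material=True),   # new third-party sharing: material change
    ])
    ledger.record_collection("alice", "v1")   # notified of v2/v3, never responded
    ledger.record_collection("bob", "v1")
    ledger.record_opt_out("bob", "v2")        # declined the analytics revision
    ledger.record_collection("carol", "v1")
    ledger.record_opt_in("carol", "v3")       # expressly accepted the ad-sharing notice
    ledger.record_collection("dave", "v3")    # collected under the current notice
    return ledger


if __name__ == "__main__":
    ledger = build_example_ledger()
    for who in ("alice", "bob", "carol", "dave"):
        print(who, ledger.governing_version(who),
              ledger.is_use_permitted(who, "third_party_ad_sharing"))
```

The point of keeping `order` and every `NoticeVersion` is the one made in the text: when a regulator asks what a given customer was promised, the answer is the version in force at collection plus whatever that customer later accepted, and that can only be reconstructed if old versions are never discarded.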
The goal of the privacy notice should be to assist the recipient in making informed decisions concerning privacy and to help the reader exercise rights. The content of privacy notices is based on laws as well as fair information practices such as the Organisation for Economic Co-operation and Development (OECD) Guidelines and Asia-Pacific Economic Cooperation (APEC) Principles. Some laws, such as HIPAA (Chapter 8 – Medical Privacy), specify the content of privacy notices.

The easiest way to communicate an organization's privacy notice, and to review the privacy notices of competitors or business partners, is through the relevant organizations' websites. Organizations may use multiple methods to communicate privacy notices to consumers and other external stakeholders.

1. Make the notice accessible online. The websites of most organizations, even those primarily involved in offline commerce, today contain the privacy notice. It is standard to have a link from the company's front page.

2. Make the notice accessible in places of business. Clearly post the organization's privacy notice at the place of business, in areas of high customer traffic and in legible form. Staff also should have ready access to copies of the up-to-date company privacy policy in case a customer wishes to obtain a copy for review.

3. Provide updates and revisions. For financial institutions, GLBA requires that customers receive the privacy notice annually, with clear notice of the customer's rights with respect to opt-outs. [58] For institutions without this sort of required updating, provide good notice when the privacy policy is revised, with express customer consent for material changes and a clear opportunity to opt out for smaller changes.

4. Ensure that the appropriate personnel are knowledgeable about the policy. Staff who interact with PI should receive training in the organization's privacy policy. HIPAA creates specific training requirements for all employees of covered entities. [59] Especially for employees working with sensitive data, organizations should provide regular training and keep records of which employees have been trained.

As one type of appropriate training, customer service representatives (CSRs), such as those in customer call centers, should receive a summary statement or script that describes the privacy notice and can be used to answer customer questions. CSRs should have a full copy of the privacy notice in their standard reference material and should be able to send or direct customers to a copy of the privacy notice that they can review in detail. They should also know how to escalate privacy issues or incidents once observed.

4.1.4.2.2 Layered Notices

As data practices have evolved and become more complex, many privacy notices have become quite lengthy. Companies have increasingly adopted a layered privacy notice approach. The basic idea is to offer "layers": a short notice on top that gives the key points, with the option to read a detailed notice or click through to greater detail on particular parts of the notice. Users typically click a link or scroll to read more about a particular topic. [60]

The short notice is the top layer. Often using a standard format, it summarizes the notice's scope and basic points about the organization's practices for personal information collection, choice, use, and disclosure. Details for contacting the organization on information privacy matters are also included, along with links to the full notice.

The full notice is the bottom layer. Often referenced from the short notice via a hyperlink, it is a comprehensive disclosure that articulates the organization's privacy notice in its entirety. The full notice is thus available for end users who are interested. It also guides an organization's employees on permitted data practices and can be used for accountability by enforcement agencies or the general public.

Another way that organizations facilitate meaningful choice is a "just-in-time" notice, which follows the principle of notice "at or before the point of information collection" or before a user accepts a service or product. Many websites provide a link on every page to cover passive information collection. The best choice is an easy-to-find location, in a font no less prominent than other links on the page.

Finally, an organization can provide transparent privacy notices as well as user control through a privacy dashboard. A dashboard offers a summary of privacy-related information in a format that is intended to be easy to access and navigate.

4.1.4.2.3 Mobile Privacy Notices

When designing a privacy notice, it is important for the organization to consider the intended audience and how the user will view the privacy policy (on a computer screen or on a mobile device).
Numerous privacy challenges arise in the mobile environment because of the vast amount of personalized information available on mobile devices. Privacy issues concerning geolocation data were discussed earlier. Other categories of data are created more often on mobile devices than on traditional computers, including text messages, metadata from telephone calls, medical monitoring, and other information generated by the numerous apps that users download. The small screens on most mobile devices make notice an especially challenging issue, since they make it difficult to convey the amount of information traditionally provided in privacy notices on laptops and desktops. [61]

Because of the complexity of the issues regarding privacy in the mobile environment, the Federal Trade Commission (FTC) has recommended best practices for platforms, advertising networks, app developers, and app developer networks. [62] Overarching principles to address privacy and security in the mobile environment include "privacy by design (PbD)" (or even privacy by default), transparency, and simplification of consumer choices. [63]

4.1.4.2.4 Criticisms of Privacy Notices

Privacy practitioners should be alert that privacy notices have been criticized in numerous ways. Privacy notices have often been criticized for being written in "legalese": dense prose, written by lawyers to reduce the risk of enforcement actions, and difficult to understand. When privacy notices are written in this way, research suggests that users rarely read them. [64]

4.1.5 Managing User Preferences and User Requests

In following their privacy policies, organizations can face management challenges on topics including how to manage user preferences and how to respond to user requests related to consumer rights. Legal rules may set basic requirements for what must be done, but privacy professionals must often choose options within those requirements and ensure that implementation occurs correctly.

Choice of the individual is a key concept related to the processing of personal information by a company. In this context, there are two central concepts of choice. The individual can consent to processing by "opting in," or the individual can withhold (or revoke) consent by "opting out." Before discussing the concepts of opting in and opting out, it is important to discuss choice itself. Individuals who do not have a choice about the processing of their personal information should not be led to believe that they do. Individuals who have a choice should be given the ability to exercise that choice. If consent is required by a law or regulation, the organization must ensure that it properly obtains this consent. For example, U.S. state privacy laws increasingly prohibit so-called "dark patterns" as a legitimate form of consent. "Dark patterns" are generally defined as any interface designed to substantially subvert an end user's autonomy. [65]

The discussion here illustrates major areas where user preferences are handled through opt-in, opt-out or no option, and then examines management issues for handling user preferences and customer access and redress requests.

4.1.5.1 Opt-in, Opt-out and No Option
Privacy professionals should become aware of situations that call for different approaches to user preferences, notably opt-in, opt-out, or no option for the consumer.

Opt-in is sometimes called affirmative or express consent. Some U.S. federal privacy laws require affirmative consumer consent, or opt-in, before data is collected or used. As discussed in Chapter 5, the Children's Online Privacy Protection Act (COPPA) requires express consent from a parent before a child's PI is collected. [66] The Health Insurance Portability and Accountability Act (HIPAA) requires opt-in consent before personal health information is disclosed to third parties, subject to important exceptions discussed in Chapter 8. [67] As detailed in Chapter 9, the Fair Credit Reporting Act (FCRA) requires opt-in before a consumer's credit report may be provided to an employer, lender or other authorized recipient. [68] As discussed above, the FTC believes that opt-in consent should occur before PI collected under one privacy notice is processed under a materially changed privacy notice. [69]

Some industry segments commonly employ opt-in, such as email marketers who send a confirmation email requiring a response from the subscriber before the subscriber receives actual marketing emails. This approach is sometimes called "double opt-in" or "confirmed opt-in," because a consumer first indicates interest in the mailing list and then confirms that interest in response to the follow-up email. In addition, the EU takes the general position that opt-in consent is the appropriate way for marketing to occur, a position underscored in the General Data Protection Regulation (GDPR), as discussed in Chapter 14. Opt-in is often the preferred consent mechanism when collecting sensitive information such as a customer's geolocation data.
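The confirmed opt-in flow described above rests on a security detail the text leaves implicit: the confirmation link must prove that whoever clicks it controls the mailbox, so it has to be unforgeable, bound to the address and short-lived; otherwise anyone could "confirm" a stranger's address. The following Python is an added example, not from the IAPP text or any real mailing-list product: the confirmation token is an HMAC over the address and an expiry time, and an address moves from pending to confirmed only on presentation of a valid token for that address. The secret key, the 48-hour validity window and the sample addresses are constructed for the example.

```python
"""Confirmed ("double") opt-in with an HMAC-signed confirmation link (added example)."""
import base64
import hashlib
import hmac
import time

# Server-side key. Constructed for the example; load from a secrets manager in practice.
SECRET = b"example-only-confirmation-key"
TOKEN_TTL = 48 * 3600        # seconds a confirmation link stays valid (assumption)
MAC_LEN = 32                 # bytes in a SHA-256 HMAC

PENDING, CONFIRMED = "pending", "confirmed"


def normalize_address(address: str) -> str:
    # Case-fold the whole address (assumption: mailboxes here are case-insensitive).
    return address.strip().lower()


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def make_confirmation_token(address: str, now: float) -> str:
    """Token = base64url("<expiry>|<address>" + HMAC). Binding the address into the
    MAC means a token issued for one mailbox cannot confirm another."""
    expiry = int(now) + TOKEN_TTL
    payload = f"{expiry}|{normalize_address(address)}".encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def parse_confirmation_token(token: str, now: float):
    """Return the address if the token is authentic and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expiry_s, address = payload.decode().split("|", 1)
        expiry = int(expiry_s)
    except ValueError:           # bad base64, bad UTF-8, missing separator, bad int
        return None
    if len(mac) != MAC_LEN or not hmac.compare_digest(mac, _sign(payload)):
        return None              # forged or tampered
    if expiry < now:
        return None              # stale link
    return address


class MailingList:
    def __init__(self):
        self.state = {}          # address -> PENDING | CONFIRMED

    def request_subscription(self, address: str, now: float) -> str:
        """Step 1: record the address as pending and return the token that would be
        embedded in the confirmation email. Nothing is marketed from this state."""
        address = normalize_address(address)
        self.state.setdefault(address, PENDING)
        return make_confirmation_token(address, now)

    def confirm(self, token: str, now: float) -> bool:
        """Step 2: the subscriber follows the link. Only an authentic, unexpired token
        for an address that is actually pending moves it to CONFIRMED."""
        address = parse_confirmation_token(token, now)
        if address is None or self.state.get(address) != PENDING:
            return False
        self.state[address] = CONFIRMED
        return True

    def may_send_marketing(self, address: str) -> bool:
        return self.state.get(normalize_address(address)) == CONFIRMED


if __name__ == "__main__":
    ml = MailingList()
    token = ml.request_subscription("Reader@Example.com", time.time())
    print("confirmed:", ml.confirm(token, time.time()))
    print("may market:", ml.may_send_marketing("reader@example.com"))
```

Note that `confirm` checks the stored state as well as the signature: a valid token for an address nobody asked to subscribe is rejected, and a second click on an already-confirmed link is a no-op rather than an error.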
In many instances in the United States, it is common practice for companies to offer an opt-out, sometimes referred to as consumer choice, before customer information is sold or shared with third parties. Although a less stringent approach to collecting or using consumers' data than opt-in, this approach nonetheless creates an enforceable promise. If an organization sells the information of individuals who have opted out, the FTC or state enforcers may bring suit under the unfair and deceptive trade practices laws.

Some U.S. statutes require that companies provide consumers with the opportunity to opt out. As discussed in Chapter 9, the Gramm-Leach-Bliley Act (GLBA) requires that an individual have the opportunity to opt out before a financial institution transfers the customer's PI to an unaffiliated third party for the latter's own use. As discussed in Chapter 11, the Video Privacy Protection Act (VPPA) requires providing an opportunity for a consumer to opt out before covered movie and other rental data is provided to a third party. Also detailed in Chapter 11, the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) requires email marketers to provide consumers with a means to opt out of unwanted communications. The Do Not Call rules provide the opportunity to opt out of telemarketing phone calls, either in general or on a company-by-company basis.

Opt-outs are also required for companies that subscribe to any of a number of self-regulatory systems. For instance, the Data & Marketing Association has long operated an opt-out system for consumers who do not wish to receive commercial mail at their homes. [70] The Network Advertising Initiative, [71] TrustArc [72] and the Digital Advertising Alliance [73] operate opt-out systems in connection with online advertising.

In certain circumstances the consumer is given no choice, or no option, when an organization collects or uses the consumer's data, because the organization has implied authority to share PI. The 2010 preliminary FTC staff report, "Protecting Consumer Privacy in an Era of Rapid Change," called these situations "commonly accepted practices." For example, a consumer who orders a product online expects her PI to be shared with the shipping company, the credit card processor and others engaged in fulfilling the transaction. The consumer does not expect to have to sign an opt-in, or be offered an opt-out, for the shipping company to learn the address. In addition to product fulfillment, other examples provided by the FTC include "internal operations such as improving services offered, fraud prevention, legal compliance and first-party marketing" by the seller to the customer. [74] The FTC received public comments that the term "commonly accepted practices" would not work well for companies providing innovative services.
The final report, in 2012, addressed the same issue by saying: "Companies do not need to provide choice before collecting and using consumers' data for practices that are consistent with the context of the transaction, consistent with the company's relationship with the consumer, or as required or specifically authorized by law." [75]

4.1.5.2 Managing User Preferences

Effective management of user preferences can become quite challenging, especially for organizations that interact with their customers through multiple channels and for multiple products. The following are some of these challenges:

1. The scope of an opt-out or other user preference can vary. As mentioned above, financial institutions must provide an opt-out by law prior to sharing personal information with third parties, but sharing with affiliates can be done without offering such an opt-out. An organization must decide how broadly an opt-out or other user preference will apply. Some opt-out rules are by channel, such as specific limits on phone calls or commercial emails.

2. The mechanism for providing an opt-out or other user preference can also vary. A good rule of thumb is that the channel used for marketing should be the channel for exercising a user preference. This rule is written into law for the CAN-SPAM Act, where the opt-out from an email solicitation must be exercisable by the consumer through an online mechanism; it is not acceptable under the law to require customers to mail or call in their opt-out. [76] Similarly, if communication with a customer is done via a website, good practice is to enable user preferences to be expressed through a web channel, and not to insist on mailing or a phone call.

3. Linking a user's interactions through multiple channels, including in person, by phone, by email or by web, can be a management challenge when customers interact with an organization. Good practice is for the organization to implement the opt-out or other user preference across channels and platforms. Under GLBA, a bank receiving an opt-out request from a customer must comply across all communications regardless of the medium used to communicate the request. [77]

4. The time period for implementing user preferences is sometimes set by law. For instance, the CAN-SPAM Act and the Telemarketing Sales Rule mandate specific time periods for processing customer preferences. [78]

5. Third-party vendors often process PI on behalf of the company that has the customer relationship. In such instances, the user preferences expressed to the first organization should be honored by the vendor. [79]

It is important to note that choice and control should be offered to individuals even after the opt-in stage. In other words, when individuals can freely give consent, they must be able to freely revoke that consent. In certain circumstances, laws and regulations may require an organization to provide individuals with access to their personal information and to information about the processing performed on it, and to allow individuals to correct this information.

4.1.5.3 Responding to User Requests Related to Consumer Rights

Many federal and state laws provide individuals with rights of control related to their personal information. Although these rights are not encompassed in one federal law in the United States, numerous federal laws across sectors include them, and state laws grant individuals these types of rights as well.
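The five challenges listed in 4.1.5.2 above describe a design problem as much as a legal one: a preference received on any channel must be resolvable to one customer whatever identifier that channel supplies, applied with the right scope, tracked against a deadline, and pushed to the vendors who process on the organization's behalf. The following Python is an added example, not part of the IAPP text: a preference store that maps emails and phone numbers to a single customer record, suppresses per scope, queues a notice to every vendor handling that scope, and reports requests that have passed their deadline without the vendor notice being dispatched. The vendor names, customer data and per-scope deadline numbers are constructed; the deadlines in particular are placeholders, not the statutory periods the chapter refers to.

```python
"""Cross-channel user-preference store with vendor propagation (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Scopes a customer may opt out of. The channel scopes mirror per-channel rules;
# THIRD_PARTY_SHARING is the "do not share with third parties" choice.
EMAIL = "email_marketing"
PHONE = "telemarketing"
POSTAL = "postal_mail"
THIRD_PARTY_SHARING = "third_party_sharing"

# Maximum days to put a request into effect. PLACEHOLDER values for the example;
# the binding deadlines come from the statute or rule governing each scope.
HONOUR_WITHIN_DAYS = {EMAIL: 7, PHONE: 14, POSTAL: 30, THIRD_PARTY_SHARING: 14}


@dataclass
class OptOut:
    scope: str
    received: date
    via: str        # channel the request arrived on: "web", "phone", "email", "in_person"
    due: date       # latest date by which it must be in effect everywhere


@dataclass
class Customer:
    customer_id: str
    contacts: set = field(default_factory=set)      # normalized emails and phone numbers
    opt_outs: dict = field(default_factory=dict)    # scope -> OptOut


def normalize_contact(contact: str) -> str:
    """Canonical key so the same person is found whichever identifier a channel
    supplies: lower-cased email, or digits-only phone number."""
    c = contact.strip().lower()
    return c if "@" in c else "".join(ch for ch in c if ch.isdigit())


def _as_date(d):
    return d if isinstance(d, date) else date.fromisoformat(d)


class PreferenceStore:
    def __init__(self, vendors):
        self.vendors = vendors    # vendor name -> set of scopes it processes for us
        self.customers = {}       # customer_id -> Customer
        self.by_contact = {}      # normalized contact -> customer_id
        self.outbox = []          # (vendor, customer_id, scope) suppressions to send

    def add_customer(self, customer_id, *contacts):
        cust = Customer(customer_id)
        for c in contacts:
            key = normalize_contact(c)
            cust.contacts.add(key)
            self.by_contact[key] = customer_id
        self.customers[customer_id] = cust

    def resolve(self, contact) -> Customer:
        cid = self.by_contact.get(normalize_contact(contact))
        if cid is None:
            raise LookupError(f"no customer on file for {contact!r}")
        return self.customers[cid]

    def record_opt_out(self, contact, scope, via, received):
        """Apply a preference to the customer (not just the identifier it arrived
        with) and queue a suppression notice to every vendor handling that scope."""
        if scope not in HONOUR_WITHIN_DAYS:
            raise ValueError(f"unknown scope {scope!r}")
        cust = self.resolve(contact)
        received = _as_date(received)
        due = received + timedelta(days=HONOUR_WITHIN_DAYS[scope])
        cust.opt_outs[scope] = OptOut(scope, received, via, due)
        for vendor, scopes in self.vendors.items():
            if scope in scopes:
                self.outbox.append((vendor, cust.customer_id, scope))
        return due

    def may_use(self, contact, scope) -> bool:
        """Suppress from the moment the request is recorded; the deadline is the
        latest acceptable date, not a grace period in which to keep marketing."""
        return scope not in self.resolve(contact).opt_outs

    def dispatch(self):
        """Hand queued suppressions to the vendor feed and clear the outbox."""
        sent, self.outbox = self.outbox, []
        return sent

    def overdue(self, today):
        """Opt-outs past their deadline whose vendor notice has not gone out."""
        today = _as_date(today)
        queued = {(cid, scope) for _, cid, scope in self.outbox}
        return [o for c in self.customers.values() for o in c.opt_outs.values()
                if o.due < today and (c.customer_id, o.scope) in queued]


def build_example_store():
    """Constructed sample data: one customer known by email and phone, three vendors."""
    store = PreferenceStore({
        "email_vendor": {EMAIL},
        "print_vendor": {POSTAL},
        "data_broker": {THIRD_PARTY_SHARING},
    })
    store.add_customer("c-001", "Alice@Example.com", "(555) 010-1234")
    return store


if __name__ == "__main__":
    store = build_example_store()
    store.record_opt_out("555-010-1234", EMAIL, via="phone", received="2024-01-22")
    print("email allowed:", store.may_use("alice@example.com", EMAIL))
    print("pending vendor notices:", store.dispatch())
```

The design choice worth noting is that `may_use` keys off the customer record, not the contact string: an opt-out phoned in with a phone number suppresses email to the same person, which is the cross-channel behaviour item 3 above asks for, while leaving other scopes (item 1) untouched.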
These rights include the right to access; the right to correction (or rectification); the right to delete; the right to portability; the right against automated decision making; and the right to non-discrimination. Individuals typically exercise these rights by making a request to a business or government agency, which usually has a defined period in which to respond. If the request is denied, the individual may have the right to ask the business or agency to reconsider, often referred to as a right to appeal. If the individual is still dissatisfied, the person may complain to a regulator.

Some U.S. laws provide consumers with clear rights to access the PI held about them. For instance, individuals have the right to access their credit reports under FCRA and to rectify incorrect data. [80] Patients can access their medical records under HIPAA, with records that the patient believes are incorrect noted as such in the patient files. [81] Under the Judicial Redress Act of 2015, the United States expressly extended to qualifying non-U.S. individuals the right to a civil action against a U.S. government agency to obtain access to covered records, as well as rectification of incorrect records. [82] In the EU, access and the opportunity to correct mistakes are required by the GDPR. [83] Where customer access is not required under a specific statute, access is included in statements of fair information practices such as the OECD Guidelines and the APEC Principles. [84]

4.2 Privacy Risk Management

Privacy risk management is an important topic for organizations as they deal with privacy concerns. It is a process that identifies and assesses the risks to an organization's information assets and then implements appropriate mitigation strategies to reduce or eliminate those risks. [85]

According to the National Institute of Standards and Technology (NIST), privacy risk management is intended to "help enterprises weigh the benefits of data processing against the risk of doing so and determine which risk response measure should be adopted." [86] According to resources from the Information Systems Audit and Control Association (ISACA), privacy risk management is intended to build consumer trust by safeguarding personal data throughout the data life cycle. [87]

Having an organizational code of ethics in place may assist in assessing the benefits and risks of processing personal data. A code of ethics focuses on topics such as: how to respect the individuals whose personal data the organization holds; what the downstream uses of the personal data are; what the consequences of using analytical tools are; whether to collect data that the organization does not need; and how the organization should design its practices to ensure transparency, accountability, and auditability. [88]

Privacy risk is defined as "the likelihood that individuals will experience problems resulting from data processing, and the impact of these problems should they occur." [89] Privacy risks concern data processing throughout the data life cycle, including collection, storage, adaptation (or alteration), transmission, and dissemination. Examples of privacy risks include: lack of appropriate safeguards; third-party access; lack of encryption; mobile malware; social media attacks; social engineering; and outdated security software. [90] As discussed below, privacy risk management activities often include conducting Privacy Impact Assessments (PIAs), vendor/third-party risk assessments, and data breach readiness assessments.
4.2.1 Privacy Impact Assessments (PIAs)

From a practical standpoint, privacy risk management includes: privacy risk assessment (assess privacy risk); privacy risk treatment (select security and privacy controls); and privacy controls implementation (implement security and privacy controls). PIAs, similar to Data Protection Impact Assessments (DPIAs), typically combine privacy risk assessment and privacy risk treatment. In some instances (and under some regulatory schemes), the PIA can be restricted to privacy risk assessment only, while other PIAs include privacy risk assessment, privacy risk treatment, and privacy controls implementation. [91]

According to NIST, PIAs provide an analysis of how personal information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining, and disseminating personal information in identifiable form; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. [92]

The core of the PIA process is privacy risk assessment, which determines the level of privacy risk by looking at two variables. The first is the privacy impact, which focuses on the privacy harm to individuals and businesses. The second is the likelihood of the privacy harm, given the controls in place. For this assessment (or calculation), the term "privacy harms" is key. It can include: loss of self-determination (such as loss of autonomy, exclusion, loss of liberty, and physical harm); discrimination; loss of trust; and economic loss. [93]

4.2.2 Vendor/Third Party Risk Assessments

Many U.S. organizations elect to outsource information processing to an outside vendor or plan to sell the collected information to a third party. Specific precautions must be taken if a company plans to share personal data with a third-party data processor. [94] Companies are responsible for the actions of vendors with whom they contract to collect, analyze, catalog or otherwise provide data management services on the company's behalf. [95] The claims in a privacy policy also apply to third parties when they are working with an organization's data. To ensure the responsible handling and security of data once it is in the hands of a contractor or vendor, precautions to consider incorporating in written contracts include:

1. Confidentiality provision. Contractors and vendors involved in personal information collection for an organization, or with whom an organization shares data, should be required to sign a contract containing a confidentiality provision before engaging in business that uses the information.

2. No further use of shared information. The contract with the vendor managing personal information on the organization's behalf should specify that the data be used only for the purposes contracted.

3. Use of subcontractors. If the vendor intends to use subcontractors in the collection, use, or processing of personal information, the contracting organization should require all subcontractors to follow the privacy and security protection terms in the vendor's contract (which, in turn, should be consistent with the organization's own privacy protection terms). Vendor contracts should also address whether the data can flow across borders, to ensure that the organization's policy on this issue is not violated.

4. Requirement to notify and to disclose breach. An organization should require prompt notification in the event of a data breach or breach of contract. Details of the breach should be disclosed promptly and in detail.

5. Information security provisions. Contracts may include provisions concerning specific security controls: encryption of data in transit, on media and on portable devices; network security; access controls; segregation of data; employee background checks; audit rights; and so on.

6. End of relationship. The contract with the vendor should contemplate the termination of the relationship and how the data will be handled at that time. In particular, the contract should include a provision concerning the return of the data at the conclusion of the relationship or the deletion of the data after a certain timeframe. In addition, the contract may include provisions to address either the return or the deletion of the data while the relationship is ongoing, particularly if the organization suspects misuse of specific data by the vendor or is investigating potential misuse of the data by the vendor. [96]

Vendor due diligence focuses on a procuring organization having specific standards and processes in place for vendor selection. A prospective vendor should be evaluated against these standards. Standards for selecting vendors may include:

1. Reputation. A vendor's reputation with other companies can be a valuable gauge of the vendor's appropriate collection and use of personal data. Requesting and contacting references can help determine a vendor's reputation.

2. Financial condition and insurance. The vendor's finances should be reviewed to ensure the vendor has sufficient resources in the case of a security breach and subsequent litigation. A current and sufficient insurance policy can also protect the procuring organization in the event of a breach.

3. Information security controls. A service provider should have sufficient security controls in place to ensure the data is not lost or stolen. Service providers often provide evidence of their controls, such as a SOC 2 attestation report from an independent auditor under the framework defined by the American Institute of CPAs. [97]

4. Point of transfer. The point of transfer between the procuring organization and the vendor is a potential security vulnerability. Mechanisms for secure transfer should be developed and maintained.

5. Disposal of information. Appropriate destruction of data and information in any format or medium is a key component of information management, for both the contracting organization and its vendors. As discussed in Chapter 9 (Financial Privacy), the Disposal Rule under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) sets forth required disposal protections for financial institutions. The Disposal Rule requirements provide a good baseline for disposal of PI more generally.

6. Employee training and user awareness. The vendor should have an established system for training its employees about their responsibilities in managing personal or sensitive information.

7. Vendor incident response. Because of the potentially significant costs associated with a data breach, the vendor should explain in advance its provisions for responding to any such breach, with required cooperation to meet the organization's business and legal needs.
8. Audit rights. Organizations should be able to monitor the vendor’s activities to ensure it is complying with contractual obligations. Audit needs can sometimes be satisfied through periodic assessments or reports by independent trusted parties regarding the vendor’s practices.[98]

The high-profile breach of SolarWinds resulted in important lessons for vendor management. SolarWinds was a company that provided software to more than 18,000 organizations. In 2020, SolarWinds’ software system was compromised by hackers, who inserted malicious code. SolarWinds then inadvertently sent out software updates to its customers that included this malicious code. Hackers used the malicious code to create backdoors that ultimately permitted them to spy on the customers of SolarWinds, including Fortune 500 businesses and multiple agencies in the U.S. government. The example of SolarWinds highlights the risks associated with vendors and demonstrates the devastating consequences that can result.[99]

According to a recent IAPP survey, the most common type of risk assessment performed by organizations is the vendor/third party risk assessment. Note that the more an organization relies on vendors and third parties, the more complex the assessment can be.
Factors to be considered in vendor/third party risk assessments:

1) review data sources, data types, data location, local regulatory requirements, data retention period, minimum safeguards, and additional processing purposes (such as subcontracts);
2) determine whether a PIA (or DPIA) has been conducted for the data processing operations performed by the third party;
3) review potential data uses that may impact the level of risks for individuals, such as artificial intelligence and cloud computing;
4) review whether the third party has certifications such as SOC 2 or the Payment Card Industry Data Security Standard (PCI DSS);
5) disclose to customers any use of subcontractors to process personally identifiable information; and
6) inform customers of any intended changes concerning the addition or replacement of subcontractors.[100]

4.2.2 Risks Related to Information Security

As discussed in detail in Chapter 3 (An Introduction to the Technological Aspects of Privacy), information security is the protection of information for the purpose of preventing loss, unauthorized access, or misuse.[101] Information security requires an ongoing assessment of threats and risks to information and the procedures and controls to preserve the information, consistent with three key attributes:

Confidentiality—access to data is limited to authorized parties
Integrity—assurance that the data is authentic and complete
Availability—knowledge that the data is accessible, as needed, by those who are authorized to use it[102]

Security controls are mechanisms put in place to prevent, detect or correct a security incident.
The three types of security controls are:

Physical controls—such as locks, security cameras, and fences
Administrative controls—such as incident response procedures and training
Technical controls—such as firewalls, antivirus software, and access logs[103]

Information security is different from information privacy. Generally, information security is the protection of information, whether it is personal or other types of information, from unauthorized access, use and disclosure. Information privacy notably includes deciding what sorts of use and disclosure of personal information should be authorized. Despite this distinction, the two concepts are similar and overlap in certain respects. Information security is a necessary component of privacy protection—if security is breached, then privacy controls will not be effective. Information privacy and information security both include the use and confidentiality of as well as access to personal information. Information privacy, however, also involves the individual’s (often called the “data subject,” following European usage) right to control the data, such as rights to notice and choice.

The NIST Cybersecurity Framework is a voluntary tool for organizations to better manage and reduce cybersecurity risks. The Framework can be used as a strategic planning tool to assess risks. Core elements of the NIST Cybersecurity Framework include:

Identify looks at people, systems, data, and capabilities to understand what a potential risk could be.
Protect focuses on safeguards for risks that an organization wants to mitigate.
Detect is defined as activities that identify a cyber security incident such as anomalies in the network.
Respond refers to what activities an organization takes when there is an incident.
Recover is defined as plans to restore business operations from a cyber security incident.[104]

4.2.3 Data Breach Readiness Assessments

A data breach readiness assessment examines the level of risk of a data breach coupled with the likelihood and severity of a personal data breach. In a data breach readiness assessment, the following factors are examined in determining the likelihood and severity of a personal data breach:

Type and nature of personal data involved, particularly sensitive personal information
Whether appropriate technical safeguards have been applied (e.g., encryption, pseudonymization)
Whether the data subject will be directly or indirectly affected
Possibility that personal data can be maliciously used
Possibility of substantial damage on a physical level[105]

4.3 Global Perspective

Governments around the world vary in their approach to privacy law, policy, and regulation—as was discussed in Chapter 1. As of this writing, more than 160 nations globally have enacted significant privacy laws that apply to companies doing business within their borders and with their citizens.[106] As of the writing of this book, the greatest attention has focused on the legal responsibility of companies, including those based in the United States, to comply with the comprehensive EU privacy requirements of the General Data Protection Regulation (GDPR), as discussed in greater detail in Chapter 14.[107] Much of this concern has been prompted by fines for violations of the GDPR that are based on a company’s worldwide revenues, making sanctions significant enough to garner the attention of even the top management in businesses.

When companies are designing compliance programs for the GDPR, top management should be cognizant of the fact that numerous countries around the world have adopted laws that are similar to Europe’s regulation,[108] at least in part to benefit from a preferential trading status that allows free flow of data with Europe.[109] Companies should keep in mind that the requirements of the GDPR and those of the countries that are deemed by Europe to be legally similar are not identical, meaning that it is critical for companies to comply with the particular legal regimes in each country where they do business. Most basically, privacy professionals should advise management that countries are reevaluating legal protections, which often have privacy at their core, in an effort to address concerns raised by technological advances. Noteworthy countries that have enacted significant privacy protections during this timeframe include: China,[110] India,[111] Brazil,[112] Japan,[113] and South Korea.[114] Companies with cross-border data flows should be particularly astute to follow updates concerning regulation of transfers of data from one country to another as well as to stay abreast of the increasing trend towards requirements related to data localization.[115]

When examining the regulation of cross-border data flows, it can be helpful to examine the multiple mechanisms that exist to help enable trust with these data flows:

Domestic Approaches (or Unilateral Mechanisms) – According to a recent report by the OECD, more than half of countries with safeguards for cross-border data flows employ “preauthorization safeguards.” This means these countries use government adequacy determinations and/or standard contractual clauses.

Multilateral Arrangements – Multilateral arrangements include: OECD Privacy Guidelines; APEC Cross-Border Privacy Rules; and Council of Europe Convention 108 and 108 plus.

Trade Agreements – Trade agreements increasingly include provisions concerning data flows. Note that these provisions are not identical. Some include binding language concerning data flows. Even those with binding language generally have exceptions that allow parties to restrict data flows to meet “legitimate public policy objectives.”

Standards and Technology-Driven Initiatives – Standards and technology-driven initiatives, such as ISO standards and Privacy Enhancing Technologies (PETs), are increasingly being used to protect and control data access in the context of cross-border data flows.[116]

4.4 Conclusion

The often-quoted adage is that the law lags behind technological developments.[117] For privacy practice within an organization, this can be an opportunity to put in place a privacy program built on best practices and to assess the privacy and security risks related to the personal data held by the business. In such a program, the decisions related to handling data are made based on the business’ overall mission statement as well as the privacy vision for the company, and not merely in response to concerns for fines from privacy regulators. The business approach can balance profit and return on investment with ethical practices related to the treatment of customers, including their personal data. In this scenario, businesses will have a mature privacy program in place when new laws and regulations are enacted by federal or state enforcers of privacy.

When considering information management and privacy risk assessment, it is important to remember that protection of privacy requires far more than the writing of policies that comply with