Privacy for Professionals
Right of deletion exceptions under CCPA
Data is required to:
· complete a transaction
· respond to security incidents
· exercise legal rights
· engage in public interest research
· serve limited internal purposes (e.g. accounting)
Deidentified Data
Data that has been scrubbed of name, address, and other information that would make it personally identifiable. No longer covered by CCPA.
Basic State Breach Notification Law topics include
· Definition of PI (what triggers reporting requirements)
· What entities are covered
· Level of harm requiring notification
· Who, when, what, and how to notify
Sensitive personal information
Definition varies depending on jurisdiction and regulations. The US defines sensitive information to include SSN, financial information, driver's license numbers, and health information.
Rights of Individuals (Choice and Consent) Includes
Describe the choices available, with implicit or explicit consent, with respect to the collection, use, retention and disclosure of personal information. Especially important for disclosures of personal information to other data controllers.
What is included by state laws within a notification
Description of the incident, the type of PI involved, and advice to the affected person; a telephone number for the business. Massachusetts prohibits including a description of the incident.
OMB (Office of Management and Budget) Guidance for security breach response plan
· Designate members of the IR team
· Identify applicable privacy documentation
· Share information concerning the breach
· Determine what reporting is required
· Assess the risk of harm for individuals potentially affected by the breach
· Mitigate the risk of harm for individuals impacted by the breach
· Notify impacted individuals
Steps for Incident Response
· Determine if there has been a breach
· Contain, document, and analyze the breach
· Provide notice: depends on the applicable laws, which dictate what is required and who should be notified and how; requires a "50 state survey" to determine. Timing is critical.
· Follow up: lessons learned, training, etc.
Data sale under CCPA does NOT include
· Disclosure of PI as directed by the consumer
· Data shared to aid a consumer's opt-out decision
· Data shared with vendors necessary to provide services to the business (service providers)
Section 5 of the FTC Act does not apply to:
Does NOT apply to nonprofits, banks and other federally regulated financial institutions, or common carriers.
Web Privacy Notices should include
· Effective date
· Scope
· Types of PI collected
· Information uses and disclosures
· Choices available to the user
· Methods for accessing and correcting PI
· Methods for contacting the organization
· Process for how policy changes will be communicated
CCPA Enforcement and Penalties
· Enforced by the California Attorney General
· $2,500 cap for most violations
· Intentional violations capped at $7,500 per violation
· Businesses have a 30-day period to cure (resolve) violations before enforcement
Executive Branch
Enforces laws. Consists of the President, VP, Cabinet, and federal agencies. The President appoints federal judges and can veto laws passed by Congress.
Guidelines for handling, storing and managing data with privacy, security and fairness, in use since the 1970s
FIPs / FIPPs: Fair Information Practices (Fair Information Practice Principles)
Definition of PI common across state notification laws
First name, last name, SSN, driver's license number, account number, credit or debit card number, medical and healthcare information, biometric data, mother's maiden name, tax information.
FTC Sanctions companies for unfair practices when companies:
· Failed to implement protection measures for personal information
· Provided inadequate disclosures
Deceptive Practices include
· False promises
· Misrepresentations
· Failures to comply with statements made to consumers (privacy policies and Privacy Shield certifications)
Early cases of FTC's privacy policy enforcement
First (1999): GeoCities provided personal homepages that required personal information; the collected information was sold, contrary to its privacy policy. Eli Lilly and Company: the FTC required the company to develop a privacy and security program.
Madrid Resolution
Goals:
· Effective and internationally uniform protection of privacy
· Facilitation of the international flows of personal data needed in a global world
Principles:
§ Lawfulness and fairness
§ Purpose specification
§ Proportionality
§ Data quality
§ Openness
§ Accountability
Non-personal information
If the elements identifying individuals are removed, the data is anonymized or de-identified, and privacy and data protection laws generally no longer apply.
Federal Trade Commission Disposal Rule
Maintains requirements for proper disposal of consumer reports
Methods for communicating privacy notices
· Make it accessible online
· Post it in places of business
· Provide updates and revisions
· Ensure appropriate personnel are knowledgeable about the policy
Legislative Branch
Makes laws. Consists of Congress (House and Senate). Congress confirms presidential appointees and can override vetoes.
Penalties and rights of action of data subjects around breaches
· Many states provide a private right of action
· Suits are common from businesses directly harmed by a breach (e.g. banks replacing credit cards)
Sources of privacy protection
· Markets
· Technology
· Laws
· Self-regulation
FTC Enforcement Begins by
Begins with a claim against a company that it has:
§ Committed an unfair or deceptive practice
§ Violated a specific consumer protection law
Such claims are brought to the FTC's attention through press reports or consumer complaints.
Difference between information security and privacy
Both require CIA (confidentiality, integrity, availability), but information privacy also involves the data subject's right to control the data.
Contract Theory
When an entity holding sensitive information (doctor, bank, lawyer, etc.) breaches a promise of confidentiality and causes harm.
Pseudonymized Data
Information is retained under UIDs (unique identifiers) for each person. Renders the data temporarily nonpersonal, but the process can be reversed to identify the individual.
Terms for personal information within the US
Personal Information / Personally Identifiable Information (PII)
§ Information that makes it possible to identify an individual
· Names, SSN, passport numbers, etc.
Impact of Eli Lilly Case
Before: the FTC only required companies to stop current unfair and deceptive practices. After: the scope expanded to include implementing and evaluating a security and privacy program.
Pros and cons of targeted ads
Pro: provides value to the web user and website operator, as well as content. Con: concerns that individuals receive unclear notice and don't know how to opt out of (or in to) targeted advertisements.
Sources of information which impact the handling of the data
· Publicly available
· Non-public
· Public record
Individual Rights under CCPA
· Right of deletion
· Right to access data
· Right regarding third-party disclosures (identify the categories of PI sold)
· Non-discrimination (for users that have opted out)
Item within Texas notification law of note
Requires notification of residents within states that lack a data protection notification law.
UDAP Statutes
Unfair and Deceptive Acts and Practices statutes; enforced by state attorneys general
Section 5 of the FTC Act:
"Unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful." Most important US privacy law.
Types of data breach incidents
· Unintended disclosure: sensitive information is posted publicly or sent to the wrong individual
· Hacking/malware: electronic entry by an outside party
· Payment card fraud: debit/credit card fraud without hacking
· Insider: a user with legitimate access intentionally breaches information
· Physical loss: lost or stolen records (paper)
· Portable device: lost or stolen electronic device
· Stationary device: lost or stolen electronic device that's not designed for mobility
· Unknown / other
OMB (Office of Management and Budget) Guidance for vendor management
Vendors should:
· Provide training to their employees on identifying and reporting a breach
· Properly encrypt PII
· Report suspected or confirmed breaches
· Cooperate in breach investigations
· Make staff available to work with the breach response team
Notice requirements under CCPA
Website notice of rights:
· Right to opt-out notice: must provide a clear and conspicuous link on the business homepage that says "Do not sell my PI"
· Initial notice: must inform consumers of the categories of PI collected and the use cases at or before the point of collection
· Notice of deletion rights: the right to request the deletion of consumers' PI must be communicated
Convention 108
The Council of Europe (1981): Convention for the protection of individuals with regard to the automatic processing of personal data. Covers:
· Quality of data
· Special categories of data
· Data security
· Transborder data flows
Asia-Pacific Economic Cooperation (APEC)
21 Pacific coast member economies in the Asia-Pacific region. Operates without binding agreements. Contains 9 principles that mimic the OECD Guidelines:
· Preventing harm
· Notice
· Collection limitations
· Uses of PII
· Choice
· Integrity of PI
· Security safeguards
· Access and correction
· Accountability
Mobile Privacy Notice Challenges
· A lot of PI available on mobile
· Geolocation
· Text messages
· Metadata
· Medical monitoring
· App information
· Small screens
Information Lifecycle
· Collection: collect ONLY what was disclosed or implied
· Use and retention: limit the use of information to the purposes identified in the notice, and retain it only as long as required
· Disclosure: disclose only for the purposes identified in the notice
Contractual provisions which impact privacy
· Data usage
· Data security
· Breach notification
· Jurisdiction
· Damages
Steps to build an information program
· Discover
· Build
· Communicate
· Evolve
Digital Fingerprinting Information
· IP address
· Date/time stamp
· URL of the requested page
· URL of the previous page they came from
· Browser type
· Computer OS
US Office of Management and Budget (OMB)
· Lead agency for interpreting the Privacy Act of 1974 (applies to federal agencies and the companies that support them)
· Issues guidance on data breach disclosure and PIAs (privacy impact assessments)
Main privacy risks include
· Legal
§ Comply with applicable laws around information use
§ Comply with contractual commitments and privacy promises
· Reputational
§ Failing to follow stated privacy policies undermines reputation
· Operational
§ Ensure the program is administratively efficient (too strict is detrimental; aim for "Goldilocks")
· Investment
§ Must be able to receive an appropriate return on investment in IT systems
Management of data (FIPs) include
· Management and administration: should define, document, communicate and assign accountability for privacy policies/procedures
· Monitoring and enforcement: should monitor compliance with policies/procedures and have procedures to respond to privacy-related complaints
Types of cookies
· Session cookie
· Persistent cookie
· First-party cookie (from the website the user visited)
· Third-party cookie (from other websites that send cookies through the visited site)
· Flash cookie: differs from an HTML cookie in technology
· Web beacon (web bug, pixel tag, clear GIF): operates as a tag that records a user's visit; a 1 x 1 pixel that is "invisible"; often used with a cookie as part of a third-party tracking service
· Chocolate chip (jk)
US Health, Education and Welfare FIPs 1973
Stipulated that:
§ There must be no secret systems of information on people
§ A person must be able to find out what information is recorded and how it's used
§ A person must be able to prevent their information from being used, without consent, other than how it was disclosed
§ A person must be able to correct or amend a record
§ Any organization must assure the reliability of the data
Consent Decree Basics
· The respondent does NOT admit fault
· The respondent promises to change its practices and avoid further litigation
· They are posted publicly with details around the violations and FTC guidance
What's in Consent Decrees?
· What actions the respondent needs to take
· Which practices the respondent must refrain from
· Proof of resolution (confirmation of its compliance)
· Obligation to inform the FTC if the company's ability to adhere to the terms changes
· Companies may be subject to periodic outside audits (for 20 years) and must implement an internal privacy practice
negligent tort
Occurs when the defendant fails to act in a responsible way and thereby subjects other people to an unreasonable risk of harm. Examples: speeding in a car; inadequate security controls.
Data Controller
Organization that has the authority to decide how and why PI is to be processed.
4 categories of FIPs
· Rights of individuals
· Controls on the information
· Information lifecycle
· Management
Administrative Procedure Act
Sets forth the rules and regulations that govern the procedures administrative agencies follow in performing their duties.
self-regulation
The exercise of voluntary control over the self to bring the self into line with preferred standards. Examples: Network Advertising Initiative, Direct Marketing Association.
intentional tort
A tort in which the defendant means to commit the injurious act.
Data Subject
The individual about whom information is being processed.
Department of Commerce
· Administers the Privacy Shield agreement between the US and the EU
· Negotiates internationally on privacy
Tasks for privacy professionals
· Alert the organization to divergent perspectives
· Manage a range of risks consistent with meeting the organization's growth, profitability and other goals
· Identify areas where compliance is difficult in practice; design policies to close the gap between practice and operations
person
Any entity with legal rights (individuals and corporations)
Organisation for Economic Co-operation and Development (OECD) Guidelines, 1980
· Collection Limitation Principle
· Data Quality Principle
· Purpose Specification Principle
· Use Limitation Principle
· Security Safeguards Principle
· Openness Principle
· Individual Participation Principle
· Accountability Principle
Precautions to consider in written contracts:
· Confidentiality provision
· No further use of shared information
· Use of subcontractors
· Requirement to notify and disclose breaches
· Information security provisions
· Promise not to reidentify data
Data inventory should include
· Customer and employee data records
· Data location and flow
· How, when and with whom the organization shares such information
· The means of data transfer used
Department of Homeland Security
· E-Verify program for new employees
· Air traveler records
· Many others
Department of Transportation
· Enforces violations of the Privacy Shield agreement for some transport companies
· FAA controls drones
· National Highway Traffic Safety Administration (NHTSA): addresses privacy and security for connected cars
US laws that give consumers access to the PI organizations hold about them
· FCRA: individuals have the right to access their credit reports
· HIPAA: individuals have the right to access their medical records
Unfair Trade Practices Requirements
The injury must be:
· Substantial (not speculative)
· Not easily avoidable by consumers
· Lacking offsetting benefits
2015 FTC update on reasonable data security practices includes
· Know what information they have
· Limit the information they collect
· Protect the information they maintain
· Properly dispose of information
· Maintain a plan for incident response
Skills required to succeed as a privacy professional
· Legal
· Marketing
· Sales
· HR
· Public and government relations
· Information technology
Areas of focus from the Obama-era FTC report
· Privacy by design
· Simplified consumer choice
· Transparency
Standards for selecting vendors:
· Reputation
· Financial condition
· Insurance maintained?
· Infosec controls
· Point of data transfer
· Information disposal processes
· Employee training
· Vendor incident response
· Audit rights
Role of Privacy Professional
· Research laws
· Educate the organization
· Design and recommend policies
· Monitor and manage risk
Managing User Preferences Challenges
· The scope and mechanism of opt-out or other preferences can vary
· Linking a user's interactions across multiple channels is difficult to manage
· Time period for implementing preferences
· Managing third-party vendors that interact with the data
Determination of data handling
· Where, how and for what length of time is the data stored?
· Should the information be encrypted?
· Will the information be transferred to or from other countries? How?
· Who determines the information rules?
· How is it processed, and how is the process maintained?
· What are the procedures for new or changing data flows?
Data classification should include
· The clearance of individuals who can access the data
· The baseline level of protection for the data
5 areas of attention proposed by the FTC report (Obama era)
· Do Not Track mechanism
· Mobile-related services
· Data brokers
· Large platform providers
· Promotion of enforceable self-regulatory codes
Progress of FTC enforcement approaches
· Late 1990s: notice and choice approach
· 2001-2009: harm-based model, with emphasis on addressing substantial injury
· After 2009: comprehensive approach
APEC Personal Information Explicit Consent
· With the consent of the data owner
· When necessary to provide a service or product (e.g. UPS delivery)
· By the authority of law
Jurisdiction
(n.) an area of authority or control; the right to administer justice
Why Self Regulation is controversial
· The European approach holds that industries are not strict enough with themselves
· Supporters state that industry has greater insight into how it operates
Provision which applies to third parties that do NOT meet the definition of business:
A third party may not sell personal information that has been sold to it by a business unless the consumer has received express notice and an opportunity to opt out of the sale.
CCPA
A business must protect certain CONSUMER privacy rights regarding the sharing of personal information.
Common Law
A legal system based on custom and court rulings
Rights of Individuals (Data Subject Access) Includes
Access to their data in order to review and correct it.
Active and Passive Data Collection
· Active: the user provides data to the website (photo upload, web form completion)
· Passive: done without any action from the user
Business definition under CCPA
Any legal entity that does business in California and meets one of the following:
· Annual gross revenue > $25 million
· Has personal information of 50k or more consumers, households, or devices
· Has 50% of annual revenue from sales of consumer information
Types of access rights under CCPA
· Categories of PI collected
· Purpose of selling/collecting PI
· Specific pieces of data collected
COPPA
Children's Online Privacy Protection Act (1998). Requires commercial online content providers (websites) to obtain verifiable parental consent for children under the age of 13 before they can collect, archive, use, or resell any personal information pertaining to that child. Personally identifiable information is anything that would allow someone to identify or contact the child (i.e. full name, address, e-mail address, telephone number, or Social Security number, and, when combined with an identifier, information collected through cookies such as hobbies, interests, or other data concerning the child and/or the parents).
Aspects of Opt-out
Consumer choice offered BEFORE customer information is sold or shared with third parties. Examples: GLBA, Video Privacy Protection Act, CAN-SPAM Act.
Tort Law
Law that deals with harm to a person or a person's property. The goal is to provide relief for damages incurred.
Data sale under CCPA
Includes disclosure of PI to another party in exchange for value of any kind, monetary or otherwise.
Obama proposed Consumer Bill of Rights
· Individual control
· Transparency
· Respect for context
· Security
· Access and accuracy
· Focused collection
· Accountability
4 Classes of Privacy
· Information
· Bodily
· Territorial
· Communications
Controls on information include (FIPs)
· Information security: should use reasonable administrative, technical and physical safeguards against unauthorized access, use, disclosure, modification and destruction
· Information quality: should maintain information that is accurate, complete, and relevant for the purposes identified in the notice
Personal Information under CCPA
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked (directly or indirectly) with a consumer or HOUSEHOLD.
Judicial Branch
Interprets the laws. Consists of the federal courts. Determines whether laws are constitutional.
Privacy Torts
Intrusion, publication of private facts, false light, appropriation
What's required to be deceptive
Must be a material statement, likely to mislead consumers acting under normal circumstances (they relied on the lie).
Consumer defined under CCPA
Natural person who is a California resident. The rights do NOT extend to corporations or other legal entities.
Aspects of No Option
No consumer choice. "Commonly accepted practices" carry implied authority to share personal information (e.g. a shipping company receiving shipping data).
Business exclusions under CCPA
· Non-profit orgs
· Entities that do NOT determine the purpose and means of processing, i.e. those that act at the direction of other companies for processing (service provider (US), processor (EU))
· Those that do not conduct California business
Cookie best practices should:
· Not store unencrypted personal information
· Provide adequate notice of cookie usage
· Only use persistent cookies when justified, and not with a long expiration date
· Disclose the involvement of a third-party cookie provider
Elements for the Rights of Individuals (FIPs)
· Notice
· Choice and consent
· Data subject access
Basic practices for developing and managing a website privacy statement
· Say what the organization does
· Tailor disclosures to business operations
· Revisit the privacy statement frequently to ensure accuracy
· Communicate privacy notices to the entire company
Rights of Individuals (Notice) Includes
Should provide a privacy notice on their policies and procedures, as well as the purposes for which personal information is collected, used, retained and disclosed.
Origins of Privacy include
· Social: rooted in ancient texts (Bible)
· Historical: human rights enacted throughout the centuries
Standard practices to protect privacy information on the web
· Strong credentials
· AV and firewalls
· Secure WiFi
· Secure file sharing
· Caution around public computers
· Caution around public charging stations
Opt-out
System in which users must explicitly decide not to participate.
Opt-in
System in which users must explicitly decide to participate.
Processes for working with deidentified Data under CCPA
· Technical safeguards to prohibit reidentification
· Processes that specifically prohibit reidentification
· Processes to prevent inadvertent release of deidentified information
· Must not attempt to reidentify the information
Private Right of Action
The ability of an individual harmed by a violation of law or a data breach to bring suit against the violator. $100 - $750 per incident, actual damages, or other court-mandated remedies.
Private Right of Action
The ability of an individual harmed by a violation of law to bring suit against the violator.
Consent decree
The accused party, without admitting guilt, agrees to stop the alleged activity if the government drops the charges
Preemption
The right of a federal law or a regulation to preclude enforcement of a state or local law or regulation.
Data Processors
An individual or organization operating on behalf of the data controller.
Definition of covered entities for state notification laws
Those who conduct business and maintain computerized data that contains personal information. Georgia's law only applies to information brokers.
Judicial Redress Act
The US extended the right to access covered records to non-US citizens.
States' definition of breach of security
· Unauthorized access
· Compromised confidentiality
· Access to PI that is not encrypted
Threats to Online Privacy
· Unauthorized access
· Malware
· Phishing
· Spear phishing
· Social engineering
· Technical attacks
Exceptions to state notification requirements
· You're subject to stricter reporting requirements (e.g. HIPAA)
· Entities that already follow a robust privacy program and follow breach notification procedures as part of their own policies
· The data is redacted/encrypted/unusable
Self-regulation
An alternative to government control, whereby an industry attempts to police itself through companies creating their own policies or the industry making its own standards.