Technological Evolution

Transcription

1 Technological Evolution The Impact of Social Media, Big Data and Privacy on Business Consumer Privacy & Big Data Advice, Regulatory and Resulting Litigation Denise Banks Chief Privacy Officer BMO Financial Group Kofi Kwarteng Assistant GC Mead Johnson Nutrition Nathan Rohrer Chief Privacy Officer Whirlpool Rebecca Eisner Partner Mayer Brown LLP Jeff Taft Partner Mayer Brown LLP

2 Denise Banks US Chief Privacy Officer BMO Financial Group Kofi Kwarteng Assistant General Counsel Mead Johnson Nutrition Nathan Rohrer Chief Privacy Officer Whirlpool Rebecca Eisner Partner Mayer Brown LLP Jeff Taft Partner Mayer Brown LLP 2

3 Agenda Social media privacy overview Big data and analytics Internet of Things (IoT) Enforcement trends Panel discussion 3

4 Privacy Regime in US Sector-specific federal legislation (financial services, health care and education) and marketing restrictions State laws fill gaps or raise standards (e.g., consumer privacy, breach notification and data security) Industry standards, voluntary codes and government guidance Various state and federal agencies enforcing privacy laws, including FTC, HHS, banking regulators, SEC, CFTC and State Attorneys General 4

5 Privacy Regime in US Gramm-Leach-Bliley Act (GLBA) Fair Credit Reporting Act/FACT Act (FCRA) Federal Trade Commission Act (FTC Act) Children s Online Privacy Protection Act (COPPA) Telephone Consumer Protection Act (TCPA) Health Insurance Portability and Accountability Act (HIPAA) 5

6 State Privacy Regime Privacy, data breach and security laws California s SB 1 Data breach laws Massachusetts security regulations Laws applicable to online and mobile privacy California Online Privacy Protection Act Uniform Fiduciary Access to Digital Assets Act 6

7 Industry Standards, Codes of Conduct and Voluntary Programs in US Payment Card Industry Data Security Standards (PCI DSS) White House Privacy Blueprint Privacy Bill of Rights Multistakeholder process for mobile application disclosures, facial recognition technology and other areas NIST Cybersecurity Framework (Feb. 12, 2014) US-EU Safe Harbor Direct Marketing Association Guidelines 7

8 Best Practices to Address Regulatory Concerns Develop clear and conspicuous privacy statements and related notices Provide effective and efficient options for consumers to exercise choice/consent/control over information shared Heed the principles of collection, use and retention limitation Practice good security Be transparent with respect to behavioral targeting strategies and third party sharing 8

9 Big Data Overview Traditional Inputs Big Data Inputs Traditional Sources (product registrations) Electronic Sources (websites, etc.) Third party data Social Media Mobile Devices Internet of Things Big Data Analytics Powered by Cloud Computing Engines Value Risk Data Scientists 9

10 Big Data & Privacy Concerns Collection, use and dissemination of Big Data has potential privacy concerns under US and EU laws Is the collection and use of personal data/pii compliant with legal requirements? US and EU restrictions Anonymized data How are potential reputational risks minimized and what is best practice? Clear consumer disclosures Data minimization 10

11 Legal Compliance: EU Data Privacy Concerns At this stage no reason to believe that the EU data protection principles are no longer valued and appropriate for the development of Big Data, subject to further improvements to make them more effective in principle ~ EU Article 29 Working Party Statement September EC member Gunther Oettinger Speech February : Americans are in the lead. They have the data, the business models and the power,.they come along with their electronic vacuum cleaner and suck up all the data, take it back to California, process it and sell it as a service for money. Anyone who wants to take advantage of our data will have to comply with our rules or they are going to have trouble with the competition authorities. ~ New York Times Bits : Tough Talk from European Commissioner About U.S. Tech Companies 11

12 The Big Conundrum: When Does Anonymized Data Become Personal Data/PII? Big Data processing might enable patterns of behavior relating to specific individuals to be identified using information which in itself does not identify any particular individual. EU Privacy law will not apply to genuinely anonymized data. EU Privacy laws do apply to information which alone, or together with other information held by a data controller, can identify a living individual in particular: by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity ~ Article 2 EU Privacy Directive 95/46. 12

13 US Data Collection & Use Risks Collection of nonpublic personally identifiable information under US laws Anonymization/De-identification US privacy laws such as the Gramm Leach Bliley Act and FCRA generally do not cover aggregate information or blind data Anonymized or de-identified data can still present potential discrimination concerns (See, President s Report: Big Data and Differential Pricing February 2015) Whether information is truly anonymized or de-identified given the existing technology and ability of Big Data to correlate information should be a concern for companies relying on de-identification to avoid collection, use and sharing restrictions Fewer data points and zip code substitutes may be necessary to avoid correlation 13

14 US Data Collection & Use Risks Data Minimization General concern from regulators, consumers and politicians that companies tend to collect lots of information and retain the information for long periods of time often without any reason to believe it will be needed or used Review of certain data breaches has indicated data minimization would have prevented or mitigated the breach and steps have been taken to impose this requirement Examples PCI DSS impose limits on the types of information that can be collected and the time period for retention Data minimization included in some drafts of the federal data breach notice law; may eventually become a legal requirement imposed on anyone maintaining consumer information rather than best practice 14

15 Big Data Risks Adverse publicity (e.g., Samsung TV s recording voice data and Lenovo computers with embedded adware) The Well is Polluted Data has to be removed/cannot be used Investment is wasted The processes and practices are unlawful, unfair, opaque Risk of regulatory fines New EU Regulation proposes fines of up to 5% worldwide turnover Risk of consumer class actions In Re Google Privacy Policy litigation California and parallel European administrative actions 15

16 INTERNET OF THINGS Examples: In-vehicle telematics Fit bits Appliances/consumer products (e.g., beds) Medical devices

17 Internet of Things (IoT) Recent Developments FTC Report: Internet of Things Privacy & Security in a Connected World January 2015 U.S. Senate Committee on Commerce, Science & Transportation hearing on February 11, 2015 titled The Connected World: Examining the Internet of Things EU Article 29 Data Protection Working Party Opinion 8/2014 on Internet of Things 17

18 FTC Risks: Internet of Things Security: unauthorized access and misuse; attacks on systems; safety risks Privacy: collection of sensitive information, particularly over time, permitting inferences Undermining of consumer confidence 18

19 IoT Risks 1. Effective contracting with customers 2. Data collection issues 3. Data ownership, use and sharing 4. Data retention issues 5. Potential liability issues 6. Potential employee issues 7. Regulatory oversight risks 8. Additional issues faced in certain industries (e.g., auto industry distracted driver regulations)

20 Data Collection Issues Collect device data before the customer has signed up for the services? See Sirius XM Radio case for issue involving collection of data prior to user expressly entering into contract See OnStar example for issue involving collection of data postcancellation of services Effectiveness of online registration Changes in services or use of data require notice and consent?

21 Data Ownership, Use and Sharing Who owns IoT collected data? What rights does the individual have in the collected data? Does aggregated and anonymized use require consent? What if data has unintended secondary uses? Data sent from machinery reveals long idle periods, which reveal information about the operator of the machinery Data sent from medical device reveals worsening health of individual Geolocation information reveals private information and even trade secrets See article regarding Monsanto and DuPont s seed prescription services developed from data amassed from farms where farm techniques could be trade secrets

22 Other Risks Proposed legislation regarding collection and disclosure of geolocation information (e.g., Location Privacy Protection Act of 2014) without the user s consent. Risk that Internet-enabled devices may be remotely controlled or hacked by malicious third parties Commentators have noted that ease of availability of compliance, risk and product data may increase risk of more regulatory oversight and/or liability Regulators may demand data relating to regulatory compliance issues with devices More aggregation of data about devices may lead to more product liability claims, particularly class actions, as more data is discoverable to prove commonality of class action claims 22

23 FTC Enforcement Matters Data Collection Practices Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False (May 8, 2014) Medical Billing Provider Settles FTC Charges That It Misled About Collection of Personal Health Data (Dec. 3, 2014) Data Security Practices Medical Transcript Services Company Settles FTC Charges That It Failed to Protect Consumers Information (Jan. 31, 2014) Fandango, Credit Karma Settle FTC Charges that They Deceived Consumers By Failing to Securely Transmit Information (March 28, 2014) 23

24 US-EU Safe Harbor Enforcement Matters In 2014, 14 companies across many industries settled with the FTC regarding noncompliance with aspects of the US- EU Safe Harbor In November 2014, FTC entered into settlement with TRUSTe TRUSTe provides certification seals that indicate that an online business complies with privacy standards such as the US-EU Safe Harbor Framework FTC alleged that TRUSTe failed to conduct annual recertification of businesses displaying privacy seal in over 1,000 instances 24

25 FTC Litigation Wyndham Worldwide Corporation In June 2013, FTC filed suit against Wyndham for alleged data security failures that led to three data breaches at hotels in less than two years Wyndham filed motion to dismiss complaint and motion was denied (April 2014) Wyndham appealed denial to US Circuit Court of Appeals for Third Circuit and appeal was argued last week Case could have significant ramifications for FTC and data security actions under Section 5(a) of FTC Act 25

26 Mayer Brown is a global legal services organization comprising legal practices that are separate entities ("Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.