Data Security and Privacy Regulations and Compliance. October 26, 2012 from 11:55 to 12:45
Transcription
1 Data Security and Privacy Regulations and Compliance October 26, 2012 from 11:55 to 12:45
2 Abstract. Governance Track: Data Security and Privacy - Regulations and Compliance. October 26, 2012 from 11:55 AM to 12:45 PM, United Federation of Teachers, 52 Broadway, NY, NY. This session will focus on new regulations and frameworks that you may need to worry about and includes recent case studies in security and privacy failure. Several agencies (e.g., FTC, HHS, SEC) have ramped up their compliance enforcement mechanisms, with wide-reaching impact that may affect your security and privacy programs. Michael Money, CIPP, CISA, CISSP, QSA, Director - Security & Privacy, Protiviti
3 Agenda: Mike Money - Protiviti Introduction; Focus of This Session; The New Sheriffs in Town; The Privacy & Security Frameworks; Recent Case Studies; Challenges and Next Steps; Handy References
4 Mike Money - Protiviti Introduction. Mike Money, CIPP, is a Director for Protiviti's Information Security & Privacy Practice. Protiviti is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. Our firm includes leading experts in areas of finance and accounting, risk and compliance, information technology, security and privacy, litigation, investigations and financial restructuring. Our professionals have powerful insights on par with the largest consulting organizations in the world, but we are more nimble and adept than these competitors in delivering value for our clients. Career included: KPMG, Chase Manhattan Bank, Union Carbide, SRI Consulting, Atomic-Tangerine, Red Siren, Protiviti.
5 Focus of This Session: Security and Privacy Enforcement on the Rise. 1. The New Sheriffs 2. Legislation 3. Frameworks 4. Enforcement Techniques 5. Case Studies 6. Challenges 7. Conclusions 8. Questions
6 1. The New Sheriffs (Privacy & Security Enforcement)
1. HHS and OCR
2. FTC Complaints, 6/30/11 to 6/30/12: 65, ; Consumer Sentinel: 1,813,
3. SEC - ARP: Dozens
4. CFPB, 7/21/11 to 9/30/12: 79,
5. EU and DPA: Unknown
7 2. Legislation (Privacy & Security Enforcement Type). 1. US Regulations Road Map: decentralized, industry focus. 2. International Road Map: privacy focused.
8 US Regulatory Roadmap
Overall: increasing regulatory environment; growing enforcement; continued fragmented approach until post election.
Industry specific: Fair Credit Reporting (FCRA); COPPA; Video Privacy Protection Act; GLBA; HIPAA.
Health data: HHS-OCR actions; HIPAA audits, pilots and next steps; HITECH Omnibus still pending.
States: all have consumer protection; most have breach disclosure; 1 state has data safeguards statutes, some pending; privacy legislation pending.
9 Basics: US Rule Making - OMB
10 EU Regulations: EU Data Protection Overhaul. Broad scope of personal data. Restricts processing and transfer without adequate protection levels; the US is not on the adequacy list. Many countries are regulated.
11 Sectoral and Omnibus Privacy and Data Protection Laws
12 3. Privacy Frameworks (Privacy & Security Enforcement). There are no required privacy frameworks. Framework - Source:
A. FTC Privacy Framework - FTC
B. US Safe Harbor - FTC
C. EU Privacy Framework - EU
D. Generally Accepted Privacy Principles (GAPP) - AICPA
E. NIST Privacy Control Catalog - NIST
F. Privacy by Design
13 A. FTC Privacy Framework Recommendations
Privacy by Design - companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy.
Simplified Choice for Businesses and Consumers - companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities.
Greater Transparency - companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them.
Focus areas: Do-Not-Track; Mobile; Data Brokers; Large Platform Providers; Promoting Enforceable Self-Regulatory Codes (process). Scope: companies that collect or use data on more than 5,000 consumers a year.
14 B. FTC Safe Harbor Principles
1. Notice - Tell employees and customers what personal data the company collects and how such data shall be used or disclosed (Privacy Policy and Notice).
2. Choice - If employees' and customers' personal data must be used for a purpose other than that which was originally indicated, formulate a policy that requests authorization (obtain consent).
3. Onward Transfer - When personal data of employees and customers is disclosed to outside vendors, obtain assurance that vendors will comply with privacy standards.
4. Security - Put in place reasonable and appropriate safeguards to protect personal employee information from unauthorized access, use, or disclosure.
5. Access - Formulate a policy and procedure that allows employees to obtain reasonable access to the personal data the company maintains about them and to have appropriate corrections made.
6. Data Integrity - Only collect the personal data the company needs to operate its business (or that is required by law) and assure that this data is accurate and up to date.
7. Enforcement - Establish mechanisms to verify compliance with privacy requirements, and a policy for dispute resolution, which provides a process for resolving questions and issues regarding the collection, use, or disclosure of employee or customer data by the company.
15 FTC FAQ Guidance
16 C. EU Privacy Framework
Framework Directive adopted in 1995, effective 1998. Established overall groundwork; transposed into national laws; supplemented by numerous additional laws and administrative rules.
Primary functions: impose basic obligations on those controlling data (e.g., obligations of fair and lawful processing, purpose, relevance, accuracy, retention, security); vest rights in data subjects (e.g., rights of access and modification).
Establishes data controllers responsible for privacy and establishes broad processing limitations; limitations depend on the nature of the data and the jurisdiction.
General obligations: notify national privacy regulators (DPAs); obtain processing approval; inform data subjects.
Article 25 limits transfers: personal data may not be transferred from an EU country to a non-EU country that does not provide an adequate level of data protection. The EU regularly conducts adequacy determinations. Adequate: Switzerland, Argentina, Uruguay. Not adequate: United States.
17 D. GAPP
1 - Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2 - Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3 - Choice and Consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information.
4 - Collection: The entity collects personal information only for the purposes identified in the notice.
5 - Use and Retention: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent, and retains it only as long as necessary for those purposes.
6 - Access: The entity provides individuals with access to their personal information for review and update.
7 - Disclosure: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8 - Security for Privacy: The entity protects personal information against unauthorized access (both physical and logical).
9 - Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10 - Monitoring and Enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
18 E. NIST Privacy Provisions. Source: NIST SP draft
19 F. Privacy by Design: 1. Proactive not Reactive; Preventative not Remedial 2. Privacy as the Default 3. Privacy Embedded into Design 4. Full Functionality - Positive-Sum, not Zero-Sum 5. End-to-End Lifecycle Protection 6. Visibility and Transparency 7. Respect for User Privacy
20 Selection of a Framework: degree of assurance required by management; ease of implementation vs. degree of completeness; risk tolerance; capability maturity in security and privacy; counsel recommendations
21 4. Enforcement Techniques - FTC Focus Areas. Federal Trade Commission Act (FTCA), Section 5: unfair or deceptive acts or practices; reasonable and appropriate security measures. Execution: actions, cases, adjudication, consent decrees. Emerging model: 20-year term; cease deceptive practices; conduct audit; written program; record keeping; test, monitor, improvement assessment; impose requirements on service providers.
22 FTC Actions - Site
23 5. Case Studies - Focus Areas: Facebook, Google, MySpace
24 Case Study - Facebook (November 2011)
Count #1 Facebook's privacy settings. Count #2 Privacy changes (material omission). Count #3 Privacy changes (unfair practices). Count #4 What info apps had access to. Count #5 What info Facebook shared with advertisers. Count #6 Facebook's Verified App program. Count #7 Photo and video deletion. Count #8 US-EU Safe Harbor program.
Settlement: Barred from future privacy misrepresentations. Implement a comprehensive privacy program. Independent privacy audits for the next 20 years. Allow the FTC to monitor compliance with its order. Get consumers' approval before it changes the way it shares their data. Required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences.
25 Case Study - Google (Google Buzz, April 2011)
Count #1 Used deceptive tactics and violated its own privacy promises when it launched in
Count #2 Failed to disclose adequately that frequent contacts would become public by default.
Count #3 U.S.-EU Safe Harbor privacy framework.
Settlement: Barred from future privacy misrepresentations. Implement a comprehensive privacy program. Independent privacy audits for the next 20 years. Allow the FTC to monitor compliance with its order.
26 Case Study - MySpace (May 2012)
Count #1 Advertisers could obtain users' full names, since the override was difficult.
Count #2 Customers were told that web browsing shared with advertisers would be anonymized.
Count #3 Customers were told that advertisers' cookies would not be given their names, but the Friend ID passed to advertisers could be linked back to the user (unfair practices).
Count #4 US-EU Safe Harbor program.
Settlement: Barred from future privacy misrepresentations. Implement a comprehensive privacy program. Independent privacy audits for the next 20 years. Allow the FTC to monitor compliance with its order. Identify reasonably foreseeable material risks, from inside the company and out, that could result in the unauthorized collection or disclosure of covered information. Assess the sufficiency of safeguards in place to control those risks. Take reasonable steps to ensure that service providers protect the privacy of covered information, including putting privacy provisions in their contracts. Adjust its privacy program in light of testing, changes to how it does business, and any other circumstances that may have a material impact on the program.
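The MySpace counts above turn on one technical point: browsing data handed to advertisers was described as anonymized, yet each ad request carried the stable Friend ID, which anyone could resolve against the public profile directory. The Python below is an added illustration, not code from the deck, from Protiviti or from MySpace. It shows that join on constructed sample data, then the mitigation a security engineer would reach for: replacing the raw identifier with a per-partner keyed pseudonym (HMAC-SHA256) so the advertiser can neither look the value up nor correlate it with another partner's feed. All identifiers, names, page paths and keys are made up.

```python
import hashlib
import hmac
import secrets

# Constructed sample: records a site might pass to an advertiser with each ad
# request. "friend_id" stands in for a stable, publicly resolvable user ID.
AD_REQUESTS = [
    {"friend_id": "1001", "page": "/groups/diabetes-support"},
    {"friend_id": "1002", "page": "/groups/job-seekers"},
    {"friend_id": "1001", "page": "/music/indie"},
]

# Constructed sample: the site's public profile directory, which anyone
# (advertisers included) can query by the same identifier.
PROFILE_DIRECTORY = {
    "1001": "Alice Example",
    "1002": "Bob Example",
}


def link_requests_to_names(requests, directory):
    """Re-identify 'anonymized' browsing by joining on the stable identifier.

    Returns {full name: [pages visited]}, which is exactly the outcome a
    promise of anonymized sharing says must not be possible.
    """
    by_name = {}
    for req in requests:
        name = directory.get(req["friend_id"])
        if name is not None:
            by_name.setdefault(name, []).append(req["page"])
    return by_name


def pseudonymize(friend_id, partner_key):
    """Derive a per-partner pseudonym with HMAC-SHA256.

    The key stays on the site's side, so a partner cannot recompute the
    mapping, cannot look the value up in the public directory, and cannot
    join its feed with another partner's feed (each partner gets its own key).
    """
    return hmac.new(partner_key, friend_id.encode(), hashlib.sha256).hexdigest()


def build_partner_feed(requests, partner_key):
    """Rebuild the advertiser feed with the pseudonym in place of the Friend ID."""
    return [
        {"uid": pseudonymize(req["friend_id"], partner_key), "page": req["page"]}
        for req in requests
    ]


def feed_is_linkable(feed, directory):
    """Check whether any identifier in the feed resolves in the public directory."""
    return any(rec["uid"] in directory for rec in feed)


if __name__ == "__main__":
    print("raw feed re-identified:", link_requests_to_names(AD_REQUESTS, PROFILE_DIRECTORY))
    partner_key = secrets.token_bytes(32)  # one key per partner, kept server-side
    feed = build_partner_feed(AD_REQUESTS, partner_key)
    print("pseudonymized feed linkable:", feed_is_linkable(feed, PROFILE_DIRECTORY))
```

Two caveats a practitioner should keep in mind. The pseudonym is still persistent within one partner's data, so that partner can build a browsing profile under it; whether that matches what users were told is a disclosure question, not something the hash settles. And the protection holds only while the per-partner key is never shared, which makes key custody part of the privacy program rather than a purely cryptographic detail.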
27 6. Challenges
Cost of implementing and maintaining: controls, training, breaches, regulatory agencies, lawyers. Risks are not articulated or accepted.
Organizational support: lack of security governance and enterprise ownership; decision authority unclear or improperly defined; unclear roles and responsibilities.
Tracking the flow of data inside the organization, which gets more complicated when onward transfers are made to 3rd parties such as advertisers and service providers. Identify 3rd parties and review contracts for onward transfer agreements, security, incident response and privacy provisions.
28 7. Conclusions
1. Frameworks and self-assessments do not need to be internal; they can be done by an independent entity.
2. It is critical that we protect personally identifiable information.
3. Do not underestimate or trivialize costs and resources.
4. Protect all personally identifiable information as if it were your own information.
5. Service providers need to comply as well.
6. Do not disclose personally identifiable information to anyone who has no authorized reason to know.
7. If you are aware of an unauthorized disclosure or exposure, report, escalate and follow the incident response process.
29 Questions and Answers
30 Safe Harbor References
CFPB: 30-snapshot.pdf
FTC Sentinel Complaints:
FTC Actions:
NYMITY Privacy Legislation:
EU Privacy Framework:
Generally Accepted Privacy Principles (GAPP): AcceptedPrivacyPrinciples/Pages/default.aspx
FTC Privacy Framework:
NIST Privacy Control Catalog: Special Publication Security and Privacy Controls for Federal Information Systems and Organizations:
Privacy by Design:
More informationThe Manitoba Child Care Association PRIVACY POLICY
The Manitoba Child Care Association PRIVACY POLICY BACKGROUND The Manitoba Child Care Association is committed to comply with the legal obligations imposed by the federal government's Personal Information
More informationSpecial Report The HITECH Act
Special Report The HITECH Act Privacy and Data Breach Notification Provision An Overview of the HITECH Act On February 17, 2009, President Obama signed into law the $787 billion stimulus package known
More informationCybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective
Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective July 23, 2013 Gerry Hinkley, Pillsbury Allen Briskin, Pillsbury Pillsbury Winthrop Shaw Pittman LLP
More informationThe HR Skinny: Effectively managing international employee data flows
The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study
More informationTOY INDUSTRY CHECKLIST FOR MOBILE APPS AND PROMOTIONS
TOY INDUSTRY CHECKLIST FOR MOBILE APPS AND PROMOTIONS JULY 2012 Overview Members of the toy industry are fast embracing the world of mobile applications ( apps ). Apps offer a new world of engaging content
More informationU. S. EU SAFE HARBOR FRAMEWORK GUIDE TO SELF-CERTIFICATION MARCH 2009
U. S. EU SAFE HARBOR FRAMEWORK GUIDE TO SELF-CERTIFICATION MARCH 2009 U.S.- EU Safe Harbor Framework A Guide to Self-Certification Table of Contents Introduction... 1 Overview... 3 Helpful Hints Guide...
More informationPrivacy Impact Assessment
MAY 24, 2012 Privacy Impact Assessment matters management system Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552 202-435-7220 claire.stapleton@cfpb.gov DOCUMENT
More informationWho s Your Vendor? Secondary Market Compliance and Title Agent Vendor Management
Who s Your Vendor? Secondary Market Compliance and Title Agent Vendor Management 2015 LBA Bank Counsel Conference Marx Sterbcow, Managing Attorney, Sterbcow Law Group The Bureau s Scrutiny of Vendor Management
More informationAlign Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:
More information2014 NMSBA School Law Conference
2014 NMSBA School Law Conference STUDENT PRIVACY IN THE CLOUD Andrew M. Sanchez Jun Roh June 7, 2014 Student Privacy Concerns What is cloud computing? Kinds of Clouds: Public Cloud managed, owned and provided
More informationSpeakers. Navigating Through The Legal Complexities And Cloudy Conditions To Implement A Successful Global OBA Program
Speakers Navigating Through The Legal Complexities And Cloudy Conditions To Implement A Successful Global OBA Program Speakers: Ashlen Cherry, Americas Privacy Officer, Dell, ashlen_cherry@dell.com Ruth
More informationCloudy Privacy Computing
Cloudy Privacy Computing Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI Final Draft for December 2008 CSI Alert Is cloud computing cumulous or cirrus? At Thanksgiving dinner, some of my relatives (none
More informationRecent Developments in U.S. Law: Privacy and Information Technology Health - 2013
Recent Developments in U.S. Law: Privacy and Information Technology Health - 2013 Amyt M. Eckstein Moses & Singer LLP 405 Lexington Avenue New York, NY 10174-1299 (212) 554-7843 What Does Privacy Mean?
More informationInhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie
Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten MHC.ie Rewriting the Past Oisin Tobin otobin@mhc.ie Agenda 1. Background 2. Findings and impact: a) Jurisdiction b) A
More informationFederal Trade Commission
Federal Trade Commission The FTC s Privacy and Data Security Program: Where It Came From, Where It s Going Jessica Rich 1 Director, Bureau of Consumer Protection, FTC International Association of Privacy
More informationIntroduction to Data Privacy & ediscovery Intersection of Data Privacy & ediscovery
Today s Topics Introduction to Data Privacy & ediscovery General Overview Data Privacy in the United States Data Privacy in Foreign Countries Intersection of Data Privacy & ediscovery Preservation of Data
More informationCW Government Travel Inc. Data Protection and Privacy Policy
CW Government Travel Inc. Data Protection and Privacy Policy Last updated 25 August 2014 Why do we collect personal data? This Data Protection and Privacy Policy explains how CW Government Travel, Inc.,
More informationCredit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information
Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable
More informationPrivacy Policy. log in to the Services with social networking credentials;
Privacy Policy Effective Date: November 20, 2015 This Privacy Policy is incorporated by this reference into the Mobli Media Inc. Terms of Use located at https://www.mobli.com/tou.html (the Terms of Use
More informationAnthem s Data Breach Impacts Many Anthem and Non-Anthem Plans: Necessary Employer Actions Now
Anthem s Data Breach Impacts Many Anthem and Non-Anthem Plans: Necessary Employer Actions Now March 6, 2015 On January 29, 2015, Anthem, Inc., an insurer and service provider for many employer-sponsored
More information#socialmediarisk Social Media and Consumer Marketing for Financial Services Organizations
#socialmediarisk Social Media and Consumer Marketing for Financial Services Organizations Social media has created significant opportunities for organizations to connect with their customers and the overall
More informationSAMPLE BUSINESS ASSOCIATE AGREEMENT
SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you
More informationMEMBI PRIVACY POLICY
MEMBI 1 PURPOSE OF OUR POLICY 1.1 Membi Limited (Company Number 09775238) of 396a Kingston Road, Kingston Road, London SW20 8LL, United Kingdom (Membi, we, us or our) provides the services offered on the
More informationSocial Marketing & Liability
Social Marketing & Liability Fred E. Karlinsky, Esq. Co-Chair, Insurance Regulatory & Transactions Practice Shareholder, Greenberg Traurig Louisiana Insurers Conference Insurance Compliance Seminar August
More informationCYBER & PRIVACY LIABILITY INSURANCE GUIDE
CYBER & PRIVACY LIABILITY INSURANCE GUIDE 01110000 01110010 011010010111011001100001 01100 01110000 01110010 011010010111011001100001 0110 Author Gamelah Palagonia, Founder CIPM, CIPT, CIPP/US, CIPP/G,
More informationOnline Interest-Based Advertising: The Road Traveled and the Road Ahead
Online Interest-Based Advertising: The Road Traveled and the Road Ahead Genie Barton VP & Director, Online Interest-Based Advertising Program Advertising Self-Regulatory Council (ASRC)/ Council of Better
More informationBaker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3 Agenda 1) A brief perspective on where SOC 3 originated
More informationGSK Public policy positions
Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable
More informationTechnological Evolution
Technological Evolution The Impact of Social Media, Big Data and Privacy on Business Consumer Privacy & Big Data Advice, Regulatory and Resulting Litigation Denise Banks Chief Privacy Officer BMO Financial
More information