Data Security and Privacy Regulations and Compliance. October 26, 2012 from 11:55 to 12:45

Transcription

1 Data Security and Privacy Regulations and Compliance October 26, 2012 from 11:55 to 12:45

2 Abstract Governance Track: Data Security and Privacy - Regulations and Compliance October 26, 2012 from 11:55 AM to 12:45 PM United Federation of Teachers, 52 Broadway, NY, NY This session will focus on new regulations and frameworks that you may need to worry about and includes recent case studies in security and privacy failure. Several agencies (e.g., FTC, HHS, SEC) has ramped-up their compliance enforcement mechanisms and have had wide-reaching impact that may affect your security and privacy programs. Michael Money, CIPP, CISA, CISSP, QSA Director-Security & Privacy - Protiviti 2

3 Agenda Mike Money - Protiviti Introduction Focus of This Session The New Sheriffs in Town The Privacy & Security Frameworks Recent Case Studies Challenges and Next Steps Handy References 3

4 Mike Money - Protiviti Introduction Mike Money, CIPP is a Director for Protiviti's Information Security & Privacy Practice. Protiviti is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. Our firm includes leading experts in areas of finance and accounting, risk and compliance, information technology, security and privacy, litigation, investigations and financial restructuring. Our professionals have powerful insights on par with the largest consulting organizations in the world, but we are more nimble and adept than these competitors in delivering value for our clients. Career included: KPMG Chase Manhattan Bank Union Carbide SRI Consulting Atomic-Tangerine Red Siren Protiviti 4

5 Focus of This Session Security and Privacy Enforcement on the Rise 1. The New Sheriffs 2. Legislation 3. Frameworks 4. Enforcement Techniques 5. Case Studies 6. Challenges 7. Conclusions 8. Questions 5

6 1. The New Sheriffs Privacy & Security Enforcement 1. HSS and OCR 2. FTC Complaints 6/30/11 to 6/30/12 65, Consumer Sentinel 1,813, SEC - ARP Dozens 4. CFPB 7/21/11 to 9/30/12 79, EU and DPA Unknown 6

7 2. Legislation Privacy & Security Enforcement Type 1. US Regulations Road Map Decentralized Industry Focus 2. International Road Map Privacy Focused 7

8 US Regulatory Roadmap Overall Increasing regulatory environment Growing enforcement Continued fragmented approach until post election Industry Specific Fair Credit Reporting (FCRA) COPPA Video Protection Act GLBA - HIPAA Health Data HHS-OCR Actions HIPAA Audits Pilots and next steps HITECH Omnibus still pending States All have consumer protection Most have breach disclosure 1 state has data safeguards statutes some pending Privacy legislation pending 8

9 Basics US Rule Making - OMB 9

10 EU Regulations EU Data Protection Overhaul Broad scope of personal data Restricts processing and transfer with out adequate protection levels US on unsafe list Many Countries Are Regulated 10

11 Sectoral and Omnibus Privacy and Data Protection Laws 11

12 3. Privacy Frameworks There are no required Privacy frameworks: Privacy & Security Enforcement Source A. FTC Privacy Framework FTC B. US Safe Harbor FTC C. EU Privacy Framework EU D. Generally Accepted Privacy Principles (GAPP) AICPA E. NIST Privacy Control Catalog NIST F. Privacy by Design 12

13 A. FTC Privacy Framework Recommendations Privacy by Design - companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy; Simplified Choice for Businesses and Consumers - companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities. Greater Transparency - companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them. Focus Areas: Do-Not-Track Mobile -. Data Brokers Large Platform Providers Promoting Enforceable Self-Regulatory Codes Process 5,000 consumers a year 13

14 B. FTC Safe Harbor Principles 1. Notice Tell employees and customers what personal data the company collects and how such data shall be used or disclosed - Privacy Policy and Notice. 2. Choice If employees and customers personal data must be used for a purpose other than that which was originally indicated, formulate a policy that requests authorization (Obtain consent). 3. Onward Transfer When personal employee data and customers are disclosed to outside vendors obtain assurance that vendors will comply with privacy standards. 4. Security Put in place reasonable and appropriate safeguards to protect personal employee information from unauthorized access, use, or disclosure. 5. Access Formulate a Policy and Procedure that allows employees to obtain reasonable access to the personal data the company maintains about them and to have appropriate corrections made. 6. Data Integrity Only collect the personal data the company needs to operate its business (or that is required by law) and assure that this data is accurate and up-to-date. 7. Enforcement Establish mechanisms to verify compliance with privacy requirements, and a Policy for Dispute Resolution, which provides a process for resolving questions and issues regarding the collection, use, or disclosure of an employee or customer data by the company. 14

15 FTC FAQ Guidance 15

16 C. EU Privacy Framework Framework Directive adopted in 1995 effective 1998 Established overall groundwork Transposed into national laws Supplemented by numerous additional law and administrative rules Primary functions Impose basic obligations on those controlling data - E.g., obligations of fair and lawful processing, purpose, relevance, accuracy, retention, security Vest rights in data subjects - E.g., rights of access and modification Establishes Data Controllers responsible for privacy and establishes broad processing limitations Limitations depend on nature of data and jurisdiction General obligations Notify national privacy regulators DPA s Obtain processing approval Inform data subjects Article 25 limits transfers to personal data may not be transferred from an EU country to a non-eu country that does not provide an adequate level of data protection. EU regularly conducts adequacy determinations Adequate: Switzerland, Argentina, Uruguay - Not adequate: United States 16

17 D. GAPP 1 - Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures. 2 - Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed. 3 - Choice and Consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information. 4 - Collection: The entity collects personal information only for the purposes identified in the notice. 5 - Use and Retention: The entity limits the use of personal information based on the notice and for which the individual has provided implicit or explicit consent. Retained only as necessary for purpose. 6 - Access: The entity provides individuals with access to their personal information for review and update. 7 - Disclosure: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual. 8 - Security for Privacy: The entity protects personal information against unauthorized access (both physical and logical). 9 - Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice Monitoring & Enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes. 17

18 E. NIST Privacy Provisions 18 Source: NIST SP Draft

19 F. Privacy by Design 1. Proactive not Reactive; Preventative not Reactive 2. Privacy as the Default 3. Privacy Embedded into Design 4. Full Functionality Positive-Sum, not Zero-Sum 5. End-to-End Lifecycle Protection 6. Visibility and Transparency 7. Respect for User Privacy 19

20 Selection of a Framework Degree of assurance required by management Ease of implementation vs. degree of completeness Risk tolerance Capability maturity in security and privacy Counsel recommendations 20

21 4. Enforcement Techniques- FTC Focus Areas Fair Trade Commission Act (FTCA) - Section 5: Unfair Trade and Deceptive Acts - Reasonable and appropriate security measures Execution: Actions Cases Adjudication Consent Degrees - Emerging Model: 20Year Term Cease deceptive practices Conduct Audit Written Program Record keeping Test, Monitor, Improvement Assessment Impose requirements on service providers 21

22 FTC Actions - Site 22

23 5. Case Studies Focus Areas Facebook Google My Space 23

24 Case Study - Facebook Facebook- November 2011 Count #1 Facebook s privacy settings. Count #2 Privacy changes (material omission). Count #3 Privacy changes (unfair practices). Count #4 What info apps had access to. Count #5 What info Facebook shared with advertisers. Count #6 Facebook s Verified App program. Count #7 Photo and video deletion. Count #8 US-EU Safe Harbor program. Settlement: Barred from future privacy misrepresentations. Implement a comprehensive privacy program. Independent privacy audits for the next 20 years. Allow the FTC to monitor compliance with its order. Get consumers' approval before it changes the way it shares their data. Required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences. 24

25 Case Study - Google Google Buzz April 2011 Count # 1 - Used deceptive tactics and violated its own privacy promises when it launched in Count #2 Failed to disclose adequately that frequent contacts would become public by default. Count # 3 - U.S.-EU Safe Harbor privacy framework. Settlement Barred from future privacy misrepresentations. Implement a comprehensive privacy program. Independent privacy audits for the next 20 years. Allow the FTC to monitor compliance with its order. 25

26 Case Study MySpace MySpace May 2012 Count #1 Advertisers could obtain users full names since override was difficult Count #2 Customers told web browsing shared with advertisers would be anonymized Count #3 Customers told that advertiser cookies would not be told names but the Friend ID could be linked (unfair practices). Count #4 US-EU Safe Harbor program. Settlement: Barred from future privacy misrepresentations Implement a comprehensive privacy program Independent privacy audits for the next 20 years Allow the FTC to monitor compliance with its order Identify reasonably foreseeable material risks from inside the company and out that could result in the unauthorized collection or disclosure of covered information Assess the sufficiency of safeguards in place to control those risks Take reasonable steps to ensure that service providers protect the privacy of covered information, including putting privacy provisions in their contracts Adjust its privacy program in light of testing, changes to how it does business, and any other circumstances that may have a material impact on the program 26

27 6. Challenges Cost of implementing and maintaining Control Training Breach Regulatory agencies Lawyers Risks are not articulated or accepted Organizational Support: Lack of security governance and enterprise ownership Decision authority unclear or improperly defined Unclear roles and responsibilities Tracking the flow of data inside the organization and it gets more complicated when onward transfers are made to 3 rd parties such as advertisers and service providers Identify 3 rd parties and review contracts for onward transfer agreements, security, incident response and privacy provisions 27

28 7. Conclusions 1. Frameworks and Self-Assessments do not need to be internal they can be done by an independent entity 2. It is critical that we protect personally identifiable information 3. Do not underestimate or trivialize costs and resources 4. Protect all personally identifiable information as if it you were own information 5. Services providers need to comply as well 6. Do not disclose personally identifiable information to anyone who has no authorized reason to know 7. If you are aware of an unauthorized disclosure or exposure, report, escalate and follow the Incident Response process 28

29 Questions and Answers 29

30 Safe Harbor References CFPB: 30-snapshot.pdf FTC Sentinel Complaints: FTC Actions: NYMITY Privacy Legislation: EU Privacy Framework: Generally Accepted Privacy Principles (GAPP): AcceptedPrivacyPrinciples/Pages/default.aspx FTC Privacy Framework: NIST Privacy Control Catalog: Special Publication Security and Privacy Controls for Federal Information Systems and Organizations: Privacy by Design: 30