Technological Evolution

Technological Evolution: The Impact of Social Media, Big Data and Privacy on Business
Consumer Privacy & Big Data: Advice, Regulatory and Resulting Litigation

Panelists:
- Denise Banks, US Chief Privacy Officer, BMO Financial Group
- Kofi Kwarteng, Assistant General Counsel, Mead Johnson Nutrition
- Nathan Rohrer, Chief Privacy Officer, Whirlpool
- Rebecca Eisner, Partner, Mayer Brown LLP
- Jeff Taft, Partner, Mayer Brown LLP

Agenda
- Social media privacy overview
- Big data and analytics
- Internet of Things (IoT)
- Enforcement trends
- Panel discussion

Privacy Regime in US
- Sector-specific federal legislation (financial services, health care and education) and marketing restrictions
- State laws fill gaps or raise standards (e.g., consumer privacy, breach notification and data security)
- Industry standards, voluntary codes and government guidance
- Various state and federal agencies enforcing privacy laws, including FTC, HHS, banking regulators, SEC, CFTC and State Attorneys General

Privacy Regime in US (continued)
- Gramm-Leach-Bliley Act (GLBA)
- Fair Credit Reporting Act/FACT Act (FCRA)
- Federal Trade Commission Act (FTC Act)
- Children's Online Privacy Protection Act (COPPA)
- Telephone Consumer Protection Act (TCPA)
- Health Insurance Portability and Accountability Act (HIPAA)

State Privacy Regime
- Privacy, data breach and security laws
  - California's SB 1
  - Data breach laws
  - Massachusetts security regulations
- Laws applicable to online and mobile privacy
  - California Online Privacy Protection Act
  - Uniform Fiduciary Access to Digital Assets Act

Industry Standards, Codes of Conduct and Voluntary Programs in US
- Payment Card Industry Data Security Standards (PCI DSS)
- White House Privacy Blueprint
  - Privacy Bill of Rights
  - Multistakeholder process for mobile application disclosures, facial recognition technology and other areas
- NIST Cybersecurity Framework (Feb. 12, 2014)
- US-EU Safe Harbor
- Direct Marketing Association Guidelines

Best Practices to Address Regulatory Concerns
- Develop clear and conspicuous privacy statements and related notices
- Provide effective and efficient options for consumers to exercise choice/consent/control over information shared
- Heed the principles of collection, use and retention limitation
- Practice good security
- Be transparent with respect to behavioral targeting strategies and third party sharing

Big Data Overview (diagram)
- Traditional inputs: traditional sources (product registrations), electronic sources (websites, etc.), third party data
- Big Data inputs: social media, mobile devices, Internet of Things
- Big Data analytics, powered by cloud computing engines and data scientists, produces both value and risk

Big Data & Privacy Concerns
- Collection, use and dissemination of Big Data has potential privacy concerns under US and EU laws
- Is the collection and use of personal data/PII compliant with legal requirements?
  - US and EU restrictions
  - Anonymized data
- How are potential reputational risks minimized, and what is best practice?
  - Clear consumer disclosures
  - Data minimization

Legal Compliance: EU Data Privacy Concerns
"At this stage no reason to believe that the EU data protection principles are no longer valued and appropriate for the development of Big Data, subject to further improvements to make them more effective in principle." ~ EU Article 29 Working Party Statement, September 2014
EC member Gunther Oettinger, speech, February: "Americans are in the lead. They have the data, the business models and the power ... they come along with their electronic vacuum cleaner and suck up all the data, take it back to California, process it and sell it as a service for money. Anyone who wants to take advantage of our data will have to comply with our rules or they are going to have trouble with the competition authorities." ~ New York Times Bits: Tough Talk from European Commissioner About U.S. Tech Companies

The Big Conundrum: When Does Anonymized Data Become Personal Data/PII?
- Big Data processing might enable patterns of behavior relating to specific individuals to be identified using information which in itself does not identify any particular individual.
- EU privacy law will not apply to genuinely anonymized data.
- EU privacy laws do apply to information which alone, or together with other information held by a data controller, can identify a living individual, "in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" ~ Article 2, EU Privacy Directive 95/46.

US Data Collection & Use Risks
- Collection of nonpublic personally identifiable information under US laws
- Anonymization/de-identification
  - US privacy laws such as the Gramm-Leach-Bliley Act and FCRA generally do not cover aggregate information or blind data
  - Anonymized or de-identified data can still present potential discrimination concerns (see President's Report: Big Data and Differential Pricing, February 2015)
  - Whether information is truly anonymized or de-identified, given existing technology and the ability of Big Data to correlate information, should be a concern for companies relying on de-identification to avoid collection, use and sharing restrictions
  - Fewer data points and zip code substitutes may be necessary to avoid correlation
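As an added illustration of the last two points (example code, not part of the deck), the Python below measures k-anonymity over a constructed set of "de-identified" purchase records and shows that truncating ZIP codes and bucketing birth years still leaves one record unique on its quasi-identifiers, while also dropping a column (fewer data points) brings every group to at least two; the records, columns and thresholds are assumptions.

```python
from collections import Counter

# Constructed sample of "de-identified" records: names and account numbers
# are gone, but the quasi-identifiers (5-digit ZIP, birth year, sex) remain.
RECORDS = [
    {"zip": "02139", "birth_year": 1978, "sex": "F", "purchase": "baby formula"},
    {"zip": "02139", "birth_year": 1978, "sex": "M", "purchase": "dishwasher"},
    {"zip": "02140", "birth_year": 1978, "sex": "F", "purchase": "glucose meter"},
    {"zip": "02140", "birth_year": 1981, "sex": "M", "purchase": "thermostat"},
    {"zip": "02141", "birth_year": 1981, "sex": "M", "purchase": "fitness tracker"},
    {"zip": "02141", "birth_year": 1978, "sex": "F", "purchase": "smart TV"},
]

def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    """Smallest class size: k == 1 means some record is unique on these columns,
    so anyone holding a matching external record (voter roll, loyalty file)
    could correlate it back to a person."""
    return min(equivalence_classes(records, quasi_ids).values())

def generalize(records, zip_digits=3, year_bucket=5, drop=()):
    """Coarsen the quasi-identifiers: keep only the leading ZIP digits, round the
    birth year down to a bucket, and drop columns entirely (fewer data points)."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (5 - zip_digits)
        g["birth_year"] = (r["birth_year"] // year_bucket) * year_bucket
        for col in drop:
            g.pop(col, None)
        out.append(g)
    return out

def release_check(records, quasi_ids, k_required):
    """Gate a data release: True only if every class has at least k_required members."""
    return k_anonymity(records, quasi_ids) >= k_required

if __name__ == "__main__":
    qi = ("zip", "birth_year", "sex")
    print("raw records:", k_anonymity(RECORDS, qi))                          # 1
    print("zip3 + 5-year buckets:", k_anonymity(generalize(RECORDS), qi))    # 1
    coarse = generalize(RECORDS, drop=("sex",))
    print("also drop sex:", k_anonymity(coarse, ("zip", "birth_year")))      # 2
    print("release ok at k=2:", release_check(coarse, ("zip", "birth_year"), 2))
```

The same check generalizes to any column set: pass the columns an outside party could plausibly hold as `quasi_ids`, and raise `k_required` for more sensitive releases.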

US Data Collection & Use Risks: Data Minimization
- General concern from regulators, consumers and politicians that companies tend to collect lots of information and retain it for long periods of time, often without any reason to believe it will be needed or used
- Review of certain data breaches has indicated data minimization would have prevented or mitigated the breach, and steps have been taken to impose this requirement
- Examples
  - PCI DSS imposes limits on the types of information that can be collected and the time period for retention
  - Data minimization included in some drafts of the federal data breach notice law; may eventually become a legal requirement imposed on anyone maintaining consumer information rather than best practice

Big Data Risks
- Adverse publicity (e.g., Samsung TVs recording voice data and Lenovo computers with embedded adware)
- "The well is polluted"
  - Data has to be removed/cannot be used
  - Investment is wasted
  - The processes and practices are unlawful, unfair, opaque
- Risk of regulatory fines
  - New EU Regulation proposes fines of up to 5% of worldwide turnover
- Risk of consumer class actions
  - In re Google Privacy Policy litigation (California) and parallel European administrative actions

Internet of Things
Examples:
- In-vehicle telematics
- Fitbits
- Appliances/consumer products (e.g., beds)
- Medical devices

Internet of Things (IoT): Recent Developments
- FTC Report: Internet of Things: Privacy & Security in a Connected World, January 2015
- U.S. Senate Committee on Commerce, Science & Transportation hearing on February 11, 2015 titled "The Connected World: Examining the Internet of Things"
- EU Article 29 Data Protection Working Party Opinion 8/2014 on the Internet of Things

FTC Risks: Internet of Things
- Security: unauthorized access and misuse; attacks on systems; safety risks
- Privacy: collection of sensitive information, particularly over time, permitting inferences
- Undermining of consumer confidence

IoT Risks
1. Effective contracting with customers
2. Data collection issues
3. Data ownership, use and sharing
4. Data retention issues
5. Potential liability issues
6. Potential employee issues
7. Regulatory oversight risks
8. Additional issues faced in certain industries (e.g., auto industry distracted driver regulations)

Data Collection Issues
- Collect device data before the customer has signed up for the services?
  - See Sirius XM Radio case for issue involving collection of data prior to user expressly entering into contract
  - See OnStar example for issue involving collection of data post-cancellation of services
- Effectiveness of online registration
- Do changes in services or use of data require notice and consent?

Data Ownership, Use and Sharing
- Who owns IoT-collected data?
- What rights does the individual have in the collected data?
- Does aggregated and anonymized use require consent?
- What if data has unintended secondary uses?
  - Data sent from machinery reveals long idle periods, which reveal information about the operator of the machinery
  - Data sent from a medical device reveals worsening health of an individual
  - Geolocation information reveals private information and even trade secrets
  - See article regarding Monsanto and DuPont's seed prescription services developed from data amassed from farms, where farm techniques could be trade secrets

Other Risks
- Proposed legislation regarding collection and disclosure of geolocation information without the user's consent (e.g., Location Privacy Protection Act of 2014)
- Risk that Internet-enabled devices may be remotely controlled or hacked by malicious third parties
- Commentators have noted that ease of availability of compliance, risk and product data may increase risk of more regulatory oversight and/or liability
  - Regulators may demand data relating to regulatory compliance issues with devices
  - More aggregation of data about devices may lead to more product liability claims, particularly class actions, as more data is discoverable to prove commonality of class action claims

FTC Enforcement Matters
- Data collection practices
  - Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False (May 8, 2014)
  - Medical Billing Provider Settles FTC Charges That It Misled About Collection of Personal Health Data (Dec. 3, 2014)
- Data security practices
  - Medical Transcript Services Company Settles FTC Charges That It Failed to Protect Consumers' Information (Jan. 31, 2014)
  - Fandango, Credit Karma Settle FTC Charges that They Deceived Consumers By Failing to Securely Transmit Information (March 28, 2014)

US-EU Safe Harbor Enforcement Matters
- In 2014, 14 companies across many industries settled with the FTC regarding noncompliance with aspects of the US-EU Safe Harbor
- In November 2014, the FTC entered into a settlement with TRUSTe
  - TRUSTe provides certification seals that indicate that an online business complies with privacy standards such as the US-EU Safe Harbor Framework
  - FTC alleged that TRUSTe failed to conduct annual recertification of businesses displaying the privacy seal in over 1,000 instances

FTC Litigation: Wyndham Worldwide Corporation
- In June 2013, the FTC filed suit against Wyndham for alleged data security failures that led to three data breaches at hotels in less than two years
- Wyndham filed a motion to dismiss the complaint; the motion was denied (April 2014)
- Wyndham appealed the denial to the US Court of Appeals for the Third Circuit; the appeal was argued last week
- Case could have significant ramifications for the FTC and data security actions under Section 5(a) of the FTC Act

Mayer Brown is a global legal services organization comprising legal practices that are separate entities ("Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.