110 likes | 237 Views
U.S. Rules on Privacy and Data Security. Organization for International Investment General Counsel Conference October 16, 2009. FTC Overview. Broad consumer protection mandate Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce”
E N D
U.S. Rules on Privacy and Data Security Organization for International Investment General Counsel Conference October 16, 2009
FTC Overview • Broad consumer protection mandate • Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce” • Jurisdiction over a wide variety of entities (excluding banks, common carriers, and non-profits) • Privacy and data security a major consumer protection priority
FTC Overview • Multi-pronged approach for protecting consumers: • Law enforcement • Outreach to consumers and businesses • Policy initiatives, including working with industry to establish meaningful self-regulatory standards
FTC Enforcement • Standard is reasonableness • Process-oriented approach that emphasizes identifying and mitigating risks • There is no one size fits all solution – take into account the size and complexity of the business operations and the sensitivity of the information at stake
Outsourcing • Businesses subject to U.S. laws that outsource personal information retain responsibility for ensuring that there are reasonable procedures in place to safeguard that information. • This responsibility is the same whether the service provider is located within the U.S. or offshore.
Self-regulation • Recent examples: • Online behavioral advertising principles • Self-regulatory initiative in APEC region to establish a framework for ensuring accountability for cross-border data transfers
Case study: Cloud Computing NIST definition: “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Case study: Cloud Computing • Consumer uses of cloud computing: • Email, social networking, online gaming, shopping • Growing enterprise use of cloud computing: • Software as a service, platform as a service, infrastructure as a service • Private clouds, public clouds, hybrid clouds, community clouds
Case study: Cloud Computing • Legal issues: • Compliance with various data security laws (GLB, HIPAA, state breach notification laws) • Due diligence and oversight of service providers • Contractual issues over data, security issues
FTC Privacy Roundtables • Series of day-long public roundtables to explore privacy challenges posed by new technologies and business practices • First roundtable: December 7, 2009 Washington, D.C. • Topics to be explored include online behavioral advertising and cloud computing
For more information www.ftc.gov/privacy Katie Ratté kratte@ftc.gov