1 / 11

U.S. Rules on Privacy and Data Security

U.S. Rules on Privacy and Data Security. Organization for International Investment General Counsel Conference October 16, 2009. FTC Overview. Broad consumer protection mandate Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce”

imelda
Download Presentation

U.S. Rules on Privacy and Data Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. U.S. Rules on Privacy and Data Security Organization for International Investment General Counsel Conference October 16, 2009

  2. FTC Overview • Broad consumer protection mandate • Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce” • Jurisdiction over a wide variety of entities (excluding banks, common carriers, and non-profits) • Privacy and data security a major consumer protection priority

  3. FTC Overview • Multi-pronged approach for protecting consumers: • Law enforcement • Outreach to consumers and businesses • Policy initiatives, including working with industry to establish meaningful self-regulatory standards

  4. FTC Enforcement • Standard is reasonableness • Process-oriented approach that emphasizes identifying and mitigating risks • There is no one size fits all solution – take into account the size and complexity of the business operations and the sensitivity of the information at stake

  5. Outsourcing • Businesses subject to U.S. laws that outsource personal information retain responsibility for ensuring that there are reasonable procedures in place to safeguard that information. • This responsibility is the same whether the service provider is located within the U.S. or offshore.

  6. Self-regulation • Recent examples: • Online behavioral advertising principles • Self-regulatory initiative in APEC region to establish a framework for ensuring accountability for cross-border data transfers

  7. Case study: Cloud Computing NIST definition: “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

  8. Case study: Cloud Computing • Consumer uses of cloud computing: • Email, social networking, online gaming, shopping • Growing enterprise use of cloud computing: • Software as a service, platform as a service, infrastructure as a service • Private clouds, public clouds, hybrid clouds, community clouds

  9. Case study: Cloud Computing • Legal issues: • Compliance with various data security laws (GLB, HIPAA, state breach notification laws) • Due diligence and oversight of service providers • Contractual issues over data, security issues

  10. FTC Privacy Roundtables • Series of day-long public roundtables to explore privacy challenges posed by new technologies and business practices • First roundtable: December 7, 2009 Washington, D.C. • Topics to be explored include online behavioral advertising and cloud computing

  11. For more information www.ftc.gov/privacy Katie Ratté kratte@ftc.gov

More Related