
U.S. Privacy Law



Presentation Transcript


  1. U.S. Privacy Law
  Rick Jeffries, CIPP/US
  Cline Williams Wright Johnson & Oldfather, L.L.P.
  Presented to IIA, August 20, 2019

  2. Disclaimer
  • I am a lawyer
  • Unless you pay me, and we talk privately, I am not your lawyer
  • This is not legal advice
  • Do not expose to open flame
  • Tumble dry low
  • Do not remove tag under penalty of law
  • Your mileage may vary
  • Results not typical

  3. Privacy vs. Security
  • PRIVACY: Doing the right things with data you obtain
  • SECURITY: Making sure that only the right people access and modify data
  • Privacy requires security
  • Security does not ensure privacy

  4. United States vs. the World
  UNITED STATES
  • Freedom is more important than privacy
  • People can collect whatever data they want
  • Use of data is restricted by law
  • If not restricted, use is acceptable
  • “Opting out” must be honored
  MOST OTHER PLACES
  • Privacy is a human right
  • Permission to use data is granted by law
  • If not permitted, collection and use is prohibited
  • “Opt-in” model of consent

  5. General Concepts
  • “Name Plus”: In the US, usually two pieces of data make for identification
  • Privacy law does not apply to anonymized data, unless the identity of the person can be inferred
  • Judicial process and litigation are often exceptions to every rule
  • Encryption is almost always an antidote
  • Security policies and incident plans will usually mitigate punishment from government

  6. Gramm-Leach-Bliley
  • Applies to: “Financial Institutions”
    • Includes: Car dealerships, insurance companies, check cashers, and banks
  • Governs:
    • Use of “nonpublic personal information” about “consumers”
  • Requires:
    • Security for data
      • Training, oversight, technology, locks, plan, responsible person
    • Notice of practices
    • Right to opt out of some sharing

  7. HIPAA
  • Applies to:
    • Health care providers (“Covered Entities”)
    • Anybody who processes protected health information (PHI) for Covered Entities
  • Governs:
    • PHI
  • Requires:
    • Privacy notices
    • Business Associate Agreements
    • Authorizations, minimum necessary disclosure
    • Safeguards and accountability
    • Breach notification
  • DOES NOT REQUIRE:
    • FAXING

  8. FERPA
  • Applies to:
    • Educational institutions that receive federal funds
  • Governs:
    • “Education records” – broadly defined
  • Requires:
    • Regular notice
    • Nondisclosure
    • Right of access and correction

  9. COPPA
  • Applies to:
    • Web site operators and mobile app providers
  • Governs:
    • Data collected from children under 13
  • Requires:
    • Nondisclosure
    • Verifiable parental consent
  • Can affect:
    • Websites appealing to children (toy stores, etc.)
    • Kids apps and games
    • Fact-sensitive analysis
    • Primary colors and cute characters

  10. FACTA
  • Applies to:
    • Financial institutions
    • Lenders to consumers
    • Businesses that “arrange credit”
  • Requires:
    • Truthful reporting to bureaus
    • Data theft prevention measures (“Red Flags Rule”)

  11. Deceptive Trade Practices
  • State Deceptive Trade Practices Acts / Federal Trade Commission
  • Applies to:
    • All commerce
  • Governs:
    • False or misleading statements
  • Example: Uber
    • “We use industry standard practices”
    • Engineer posted AWS key to GitHub
    • Uber paid $100,000 in hush money to hackers
  • You have to do what you say in your privacy policy
  • Note: California law requires every site to have a privacy policy

  12. State Data Breach Notification Laws
  • Applies to:
    • Unauthorized access to electronic identification
  • Governs:
    • Conduct of persons in control of personal data
  • Requires immediate analysis after data breach
    • If significant probability of misuse, must notify every affected person
    • Most states require notice to attorney general
    • Residence of data subject, not location of breached company, controls
  • Example: The nice lady who keeps the books

  13. GDPR: Europe Changes the Game

  14. General Data Protection Regulation
  • Applies to:
    • Single-piece data about residents of the European Union
  • Governs:
    • Everything
  • Requires:
    • Almost the opposite of every practice acceptable in the US
    • Notifications of subject’s rights
      • Access
      • Rectification
      • Deletion
    • Evidence of consent to contact
    • Minimization
    • Pseudonymization

  15. What is the GDPR?
  • Passed by EU parliament
  • In effect now
  • Uniform across EU member states

  16. How is GDPR different from U.S. privacy laws?
  • Privacy is a fundamental human right
  • Centralized regulation
  • One or more identifiers

  17. What is the scope of the GDPR?
  • Offering goods & services to “persons in the Union”
  • Tracking persons in the Union
  • Processing or controlling data in the Union

  18. Who is subject to GDPR?
  • Data processor
  • Data controller

  19. Obligations of Processors and Controllers

  20. Data Protection Officer
  • Responsible to organization
  • Responsible to government
  • Responsible to outsiders

  21. Risk Assessment
  • Understand data collected
  • Understand risks to subjects
  • Appropriate action taken to protect

  22. Minimization
  • “Collected for a specific purpose”
  • No repurposing
  • “Limited to what is necessary”

  23. Data Security Measures
  • Pseudonymization
  • Encryption
  • Security by design
  • Security by default

  24. Legal Basis for Processing
  • Consent
  • Contract
  • Legal obligation
  • “Vital interests”
  • “Public interest”
  • Under 16 = parental consent

  25. GDPR Consent
  • Must be given freely
    • Must not be “take it or leave it”
    • Especially if processing is not needed for service
  • Granularity
    • Schrems II - Facebook
  • Process must be transparent
    • Clear and plain language
  • Processor must “demonstrate” consent

  26. “Special Categories”
  • Heightened scrutiny for processing of data regarding:
    • Ethnic origin
    • Sexual matters
    • Union membership
    • Health
    • Biometrics

  27. Breach Notification
  • To the subject
    • “Without undue delay”
    • Encryption may be an exception
  • To the authorities
    • Within 72 hours
    • Unless harm is “unlikely”

  28. Fundamental Rights under the GDPR

  29. The Right to Be Informed
  • Contact people (DPO)
  • What information
  • Why
  • How long
  • Notice of rights of access, rectification

  30. The Right of Access
  • “Do you have data about me?”
  • Right-to-be-informed information

  31. The Right of Rectification
  • Correct any inaccuracies “without delay”

  32. The Right to Erasure
  • If consent is the legal basis, it can be withdrawn
  • If contract is the basis, if the contract is over
  • If processing is unlawful

  33. The Right to Restrict
  • Don’t process my data if:
    • I dispute its accuracy
    • I dispute its lawful collection
    • Processor no longer needs it

  34. The Right to Data Portability
  • Subject may obtain data about them that is:
    • “Structured”
    • Machine readable
    • Commonly used format
    • Sent to another processor

  35. The Right to Object
  • Opt-out
  • I want a human to look at this

  36. A GDPR “Joke”
  Q. Do you know of an expert in the GDPR?
  A. Yes.
  Q. Can you give me her email address?
  A. No.

  37. Will GDPR come to America?
  • California
    • Know what personal information is being collected
    • Know whether personal information is sold or disclosed and to whom
    • Say no to the sale of personal information
    • Access their personal information
    • Equal service and price, even if they exercise their privacy rights
  • Colorado
    • General duty to protect data and require contractors to do the same
    • Enhanced breach notification

  38. Invest for Success: Diversifying Your Audit Portfolio
  • Understand the risks of collecting and processing data
  • Know the agencies and governments to whom you may be responsible
  • Recognize the costs and duties if there is a data breach

  39. Questions?
  Twitter: @JeffriesInfoSec
  rickjeffries@clinewilliams.com
