Security Standard: “reasonable security” OECD: Personal data should be protected by reasonable security safeguards against risks such as FTC Commission Statement: Not perfect security, but a continuous process of assessing and addressing risks. Product Testing/QA/Compliance Red Team/Monitoring Security Tools & Vendor Review Employee Training loss or unauthorized access destruction use modification or disclosure of data

California AG 2016 Data Breach Report CA Statute: Requires businesses to use “reasonable security procedures and practices… to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” The 20 Controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all of the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

Full List of 20 Controls Inventory of Authorized and Unauthorized Devices Secure configurations for Network Devices such as Firewalls, Routers, and Switches Inventory of Authorized and Unauthorized Software Boundary Defense Data Protection Security configurations for Hardware and Software on Mobile Devices, Workstations, and Servers Controlled Access Based on Need to Know Wireless Access Control Account Monitoring and Control Continuous Vulnerability Assessment and Remediation Security Skills Assessment and Appropriate Training Controlled Use of Administrative Privileges Application Software Security Maintenance, Monitoring, and Analysis of Audit Logs Incident Response and Management Penetration Tests and Red Team Exercises Email and Web Browsing Protection Malware Defenses Limitation and Control of Network Ports, Protocols, and Services Data Recovery Capability

Security Standard: “reasonable security” PRODUCT TESTING/QA/RISK ASSESSMENT/COMPLIANCE Code Review Design Review Test Product against Choice Mechanisms (Asutek Computer) Security Audits/investigations (Microsoft) Monitor compliance (CVS) RED TEAM TESTING/REGULAR MONITORING Pen Testing Bug Bounty Program or Process to investigate vulnerability research (Asutek Computer) Widely known security flaws (Lookout) Network scanning (EPN) Anti-virus (Lifelock) Security warning process (TJX) SECURITY TOOLS Use SSL/encryption to protect information (Credit Karma; Fandango) Password policies and regular required password changes (Lifelock/Twitter/Reed Elsevier) Access/Identity Management (CBR/Accretive Health) VENDOR REVIEW Should make sure vendors implement reasonable security (GMR Transcription/Credit Karma) TRAINING Train employees adequately on infosec and privacy (Upromise/HTC/Tower Records) Incident response training and plan (EPN) Few examples of “reasonable security” failures from Enforcement Actions: In 2014, FTC reached 50 enforcement actions – so number continues to grow.

Privacy by Design & Security by Design to Prevent and Mitigate Cyber Attacks

Product Lifecycle Privacy lawyer/privacy ops should be involved in all parts of product lifecycle (process may be shorter/longer from company to company) Inception/Strategy/Remedy Policy - Early Documentation/Product Requirements Docs Awareness - Consult with Stakeholders Implement Test Product (Internal/Beta/Focus Group) Document Security Decisions Made + Reasoning QA Test / Red Team Tests - Monitor Implement - Consult all Stakeholders and make changes

Privacy by Design Focus on prevention of a cyber attack via proactive privacy. More of a combo of evolving concepts and technology instead of principles. 1. Proactive, not Reactive; Preventative not Remedial 2. Privacy as the Default Setting 3. Privacy Embedded into Design 4. Full functionality – Positive-sum, not Zero-sum (more on this later) 5. End-to-end Security – Full Lifecycle Protection 6. Visibility and Transparency – Keep it Open 7. Respect for User Privacy – Keep it User-Centric (v. Data Centric)

Security by Design More focused concept than PbD – focused on prevention of data loss through Confidentiality, Integrity, and Availability (CIA). Confidentiality: focused on avoiding disclosure of information/limiting access Tools – encryption/firewalls, taking security controls outside of user’s control user/employee training Integrity: Accurate and complete over lifecycle (privacy overlap / integrity principle) Data stewards/custodians & training Availability: Available when necessary to the right users (privacy overlap / access principle) Access management/policies (used in data-centric design) Tools like encryption

Case Study: Harmonization of Privacy and Security Interests both focused on prevention/mitigation of a cyber attack Security Concern: “Users can’t be trusted with passwords. We need to collect data to protect our data or else we’re subject to a cyber attack.” Banking website uses browser fingerprinting or device fingerprinting to identify your browser or device when you log on. Security wants to collect additional data sets to verify user. Privacy Concern: The information could be used by the company for secondary purposes that are not so innocuous. Want to collect less personal information to mitigate potential damages in event of a breach. Harmonization: (1) Data Minimization; (2) Purpose/Use limitations; (3) Altering Retention; (4) Restricting Internal Access