U.S. Privacy Law
Rick Jeffries, CIPP/US
Cline Williams Wright Johnson & Oldfather, L.L.P.
Presented to IIA, August 20, 2019
Disclaimer
- I am a lawyer
- Unless you pay me, and we talk privately, I am not your lawyer
- This is not legal advice
- Do not expose to open flame
- Tumble dry low
- Do not remove tag under penalty of law
- Your mileage may vary
- Results not typical
Privacy vs. Security
- PRIVACY: Doing the right things with data you obtain
- SECURITY: Making sure that only the right people access and modify data
- Privacy requires security
- Security does not ensure privacy
United States vs. the World
UNITED STATES
- Freedom is more important than privacy
- People can collect whatever data they want
- Use of data is restricted by law
- If not restricted, use is acceptable
- “Opting out” must be honored
MOST OTHER PLACES
- Privacy is a human right
- Permission to use data is granted by law
- If not permitted, collection and use is prohibited
- “Opt-in” model of consent
General Concepts
- “Name Plus”: In the US, usually two pieces of data make for identification
- Privacy law does not apply to anonymized data, unless the identity of the person can be inferred
- Judicial process and litigation are often exceptions to every rule
- Encryption is almost always an antidote
- Security policies and incident plans will usually mitigate punishment from government
Gramm-Leach-Bliley
- Applies to: “Financial Institutions”
  - Includes: Car dealerships, insurance companies, check cashers, and banks
- Governs: Use of “nonpublic personal information” about “consumers”
- Requires:
  - Security for data: training, oversight, technology, locks, plan, responsible person
  - Notice of practices
  - Right to opt out of some sharing
HIPAA
- Applies to:
  - Health care providers (“Covered Entities”)
  - Anybody who processes protected health information (PHI) for Covered Entities
- Governs: PHI
- Requires:
  - Privacy notices
  - Business Associate Agreements
  - Authorizations, minimum necessary disclosure
  - Safeguards and accountability
  - Breach notification
- Does NOT require: Faxing
FERPA
- Applies to: Educational institutions that receive federal funds
- Governs: “Education records” (broadly defined)
- Requires:
  - Regular notice
  - Nondisclosure
  - Right of access and correction
COPPA
- Applies to: Web site operators and mobile app providers
- Governs: Data collected from children under 13
- Requires:
  - Nondisclosure
  - Verifiable parental consent
- Can affect:
  - Websites appealing to children (toy stores, etc.)
  - Kids apps and games
  - Fact-sensitive analysis: primary colors and cute characters
FACTA
- Applies to:
  - Financial institutions
  - Lenders to consumers
  - Businesses that “arrange credit”
- Requires:
  - Truthful reporting to bureaus
  - Data theft prevention measures (“Red Flags Rule”)
Deceptive Trade Practices
State Deceptive Trade Practices Acts / Federal Trade Commission
- Applies to: All commerce
- Governs: False or misleading statements
- Example: Uber
  - “We use industry standard practices”
  - Engineer posted AWS key to GitHub
  - Uber paid $100,000 in hush money to hackers
- You have to do what you say in your privacy policy
- Note: California law requires every site to have a privacy policy
State Data Breach Notification Laws
- Applies to: Unauthorized access to electronic identification
- Governs: Conduct of persons in control of personal data
- Requires:
  - Immediate analysis after data breach
  - If significant probability of misuse, must notify every affected person
  - Most states require notice to attorney general
  - Residence of data subject, not location of breached company, controls
- Example: The nice lady who keeps the books
GDPR: Europe Changes the Game
General Data Protection Regulation
- Applies to: Single-piece data about residents of the European Union
- Governs: Everything
- Requires: Almost the opposite of every practice acceptable in the US
  - Notifications of subject’s rights: access, rectification, deletion
  - Evidence of consent to contact
  - Minimization
  - Pseudonymization
What is the GDPR?
- Passed by EU Parliament
- In effect now
- Uniform across EU member states
How is GDPR different from US privacy laws?
- Privacy is a fundamental human right
- Centralized regulation
- One or more identifiers
What is the scope of the GDPR?
- Offering goods & services to “persons in the Union”
- Tracking persons in the Union
- Processing or controlling data in the Union
Who is subject to GDPR?
- Data processor
- Data controller
Obligations of Processors and Controllers
Data Protection Officer
- Responsible to organization
- Responsible to government
- Responsible to outsiders
Risk Assessment
- Understand data collected
- Understand risks to subjects
- Appropriate action taken to protect
Minimization
- “Collected for a specific purpose”
- No repurposing
- “Limited to what is necessary”
Data Security Measures
- Pseudonymization
- Encryption
- Security by design
- Security by default
Legal Basis for Processing
- Consent
- Contract
- Legal obligation
- “Vital interests”
- “Public interest”
- Under 16 = parental consent
GDPR Consent
- Must be given freely
- Must not be “take it or leave it”
  - Especially if processing is not needed for service
- Granularity
- Schrems II - Facebook
- Process must be transparent
  - Clear and plain language
- Processor must “demonstrate” consent
“Special Categories”
Heightened scrutiny for processing of data regarding:
- Ethnic origin
- Sexual matters
- Union membership
- Health
- Biometrics
Breach Notification
- To the subject
  - “Without undue delay”
  - Encryption may be an exception
- To the authorities
  - Within 72 hours
  - Unless harm is “unlikely”
Fundamental Rights Under the GDPR
The Right to Be Informed
- Contact people (DPO)
- What information
- Why
- How long
- Notice of rights of access, rectification
The Right of Access
- “Do you have data about me?”
- The “right to be informed” information
The Right of Rectification
- Correct any inaccuracies “without delay”
The Right to Erasure
- If consent is the legal basis, it can be withdrawn
- If contract is the basis, once the contract is over
- If processing is unlawful
The Right to Restrict
Don’t process my data if:
- I dispute its accuracy
- I dispute its lawful collection
- Processor no longer needs it
The Right to Data Portability
Subject may obtain data about them that is:
- “Structured”
- Machine readable
- Commonly used format
- Sent to another processor
The Right to Object
- Opt-out
- I want a human to look at this
A GDPR “Joke”
Q. Do you know of an expert in the GDPR?
A. Yes.
Q. Can you give me her email address?
A. No.
Will GDPR come to America?
California (consumers may):
- know what personal information is being collected
- know whether personal information is sold or disclosed and to whom
- say no to the sale of personal information
- access their personal information
- receive equal service and price, even if they exercise their privacy rights
Colorado:
- General duty to protect data and require contractors to do the same
- Enhanced breach notification
Invest for Success: Diversifying Your Audit Portfolio
- Understand the risks of collecting and processing data
- Know the agencies and governments to whom you may be responsible
- Recognize the costs and duties if there is a data breach
Questions?
Twitter: @JeffriesInfoSec
rickjeffries@clinewilliams.com