u.s. privacy law RICK JEFFRIES, CIPP/US


U.S. Privacy Law
Rick Jeffries, CIPP/US
Cline Williams Wright Johnson & Oldfather, L.L.P.
Presented to IIA, August 20, 2019

Disclaimer
- I am a lawyer
- Unless you pay me, and we talk privately, I am not your lawyer
- This is not legal advice
- Do not expose to open flame
- Tumble dry low
- Do not remove tag under penalty of law
- Your mileage may vary
- Results not typical

Privacy vs. Security
- PRIVACY: doing the right things with the data you obtain
- SECURITY: making sure that only the right people access and modify data
- Privacy requires security
- Security does not ensure privacy

United States vs. the World
UNITED STATES
- Freedom is more important than privacy
- People can collect whatever data they want
- Use of data is restricted by law
- If not restricted, use is acceptable
- "Opting out" must be honored
MOST OTHER PLACES
- Privacy is a human right
- Permission to use data is granted by law
- If not permitted, collection and use is prohibited
- "Opt-in" model of consent

General Concepts
- "Name Plus": in the US, usually two pieces of data make for identification
- Privacy law does not apply to anonymized data, unless the identity of the person can be inferred
- Judicial process and litigation are often exceptions to every rule
- Encryption is almost always an antidote
- Security policies and incident plans will usually mitigate punishment from government

Gramm-Leach-Bliley
- Applies to: "Financial Institutions"
  - Includes: car dealerships, insurance companies, check cashers, and banks
- Governs: use of "nonpublic personal information" about "consumers"
- Requires:
  - Security for data: training, oversight, technology, locks, plan, responsible person
  - Notice of practices
  - Right to opt out of some sharing

HIPAA
- Applies to:
  - Health care providers ("Covered Entities")
  - Anybody who processes protected health information (PHI) for Covered Entities
- Governs: PHI
- Requires:
  - Privacy notices
  - Business Associate Agreements
  - Authorizations, minimum necessary disclosure
  - Safeguards and accountability
  - Breach notification
- DOES NOT REQUIRE: faxing

FERPA
- Applies to: educational institutions that receive federal funds
- Governs: "education records" (broadly defined)
- Requires:
  - Regular notice
  - Nondisclosure
  - Right of access and correction

COPPA
- Applies to: web site operators and mobile app providers
- Governs: data collected from children under 13
- Requires:
  - Nondisclosure
  - Verifiable parental consent
- Can affect:
  - Websites appealing to children (toy stores, etc.)
  - Kids' apps and games
  - Fact-sensitive analysis: primary colors and cute characters

FACTA
- Applies to:
  - Financial institutions
  - Lenders to consumers
  - Businesses that "arrange credit"
- Requires:
  - Truthful reporting to bureaus
  - Data theft prevention measures (the "Red Flags Rule")

Deceptive Trade Practices
State Deceptive Trade Practices Acts / Federal Trade Commission
- Applies to: all commerce
- Governs: false or misleading statements
- Example: Uber
  - "We use industry standard practices"
  - Engineer posted AWS key to GitHub
  - Uber paid $100,000 in hush money to hackers
- You have to do what you say in your privacy policy
- Note: California law requires every site to have a privacy policy

State Data Breach Notification Laws
- Applies to: unauthorized access to electronic identification
- Governs: conduct of persons in control of personal data
- Requires immediate analysis after a data breach
- If there is a significant probability of misuse, must notify every affected person
- Most states require notice to the attorney general
- Residence of the data subject, not the location of the breached company, controls
- Example: the nice lady who keeps the books

GDPR: Europe Changes the Game

General Data Protection Regulation
- Applies to: single-piece data about residents of the European Union
- Governs: everything
- Requires: almost the opposite of every practice acceptable in the US
  - Notifications of the subject's rights: access, rectification, deletion
  - Evidence of consent to contact
  - Minimization
  - Pseudonymization

What is the GDPR?
- Passed by the EU Parliament
- In effect now
- Uniform across EU member states

How is the GDPR different from US privacy laws?
- Privacy is a fundamental human right
- Centralized regulation
- One or more identifiers (rather than "Name Plus")

What is the scope of the GDPR?
- Offering goods and services to "persons in the Union"
- Tracking persons in the Union
- Processing or controlling data in the Union

Who is subject to the GDPR?
- Data processor
- Data controller

Obligations of Processors and Controllers

Data Protection Officer
- Responsible to the organization
- Responsible to the government
- Responsible to outsiders

Risk Assessment
- Understand the data collected
- Understand the risks to subjects
- Take appropriate action to protect

Minimization
- "Collected for a specific purpose"
- No repurposing
- "Limited to what is necessary"

Data Security Measures
- Pseudonymization
- Encryption
- Security by design
- Security by default
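As an added illustration (not from the presentation) of the pseudonymization measure listed here, and of the earlier point that privacy law still applies where identity can be inferred, the following Python replaces direct identifiers with keyed HMAC tokens: records about the same person stay linkable for analysis, but re-identification requires the key, which is held separately from the pseudonymized data. The sample records, field names and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example; not real data.
RECORDS = [
    {"email": "alice@example.com", "name": "Alice Adams", "diagnosis": "flu"},
    {"email": "bob@example.com", "name": "Bob Brown", "diagnosis": "asthma"},
    {"email": "alice@example.com", "name": "Alice Adams", "diagnosis": "migraine"},
]
# Fields that identify a person directly and must not leave the pseudonymized set.
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token (HMAC-SHA256) for one direct identifier.

    Normalizing case and whitespace keeps "Alice@Example.com" and
    "alice@example.com" mapped to the same subject token.
    """
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Strip direct identifiers and attach a subject token instead.

    Because the token is deterministic for a given key, several records about
    the same person remain joinable, which is what keeps the data useful while
    removing the email and name from the working data set.
    """
    out = []
    for rec in records:
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject": pseudonym(rec["email"], key), **rest})
    return out


def reidentify(token: str, candidates, key: bytes):
    """Map a token back to an identifier; only possible with the separately held key."""
    for email in candidates:
        if hmac.compare_digest(pseudonym(email, key), token):
            return email
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store this apart from the pseudonymized data
    for row in pseudonymize(RECORDS, key):
        print(row)
```

Without the key the tokens cannot be linked back to a person, which is the separation the GDPR's notion of pseudonymization depends on; with the key, a controller can still honor access and erasure requests for a given subject.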

Legal Basis for Processing
- Consent
- Contract
- Legal obligation
- "Vital interests"
- "Public interest"
- Under 16 = parental consent

GDPR Consent
- Must be given freely
- Must not be "take it or leave it", especially if processing is not needed for the service
- Granularity
- Schrems II - Facebook
- Process must be transparent: clear and plain language
- Processor must "demonstrate" consent

"Special Categories"
Heightened scrutiny for processing of data regarding:
- Ethnic origin
- Sexual matters
- Union membership
- Health
- Biometrics

Breach Notification
- To the subject: "without undue delay"; encryption may be an exception
- To the authorities: within 72 hours, unless harm is "unlikely"

Fundamental Rights under the GDPR

The Right to Be Informed
- Contact people (DPO)
- What information
- Why
- How long
- Notice of the rights of access and rectification

The Right of Access
- "Do you have data about me?"
- The same information covered by the right to be informed

The Right of Rectification
- Correct any inaccuracies "without delay"

The Right to Erasure
- If consent is the legal basis, it can be withdrawn
- If contract is the basis, once the contract is over
- If processing is unlawful

The Right to Restrict
Don't process my data if:
- I dispute its accuracy
- I dispute its lawful collection
- The processor no longer needs it

The Right to Data Portability
Subject may obtain data about them that is:
- "Structured"
- Machine readable
- In a commonly used format
- Sent to another processor

The Right to Object
- Opt-out
- "I want a human to look at this"

A GDPR "Joke"
Q. Do you know of an expert in the GDPR?
A. Yes.
Q. Can you give me her email address?
A. No.

Will the GDPR Come to America?
California: consumers may
- know what personal information is being collected
- know whether personal information is sold or disclosed, and to whom
- say no to the sale of personal information
- access their personal information
- receive equal service and price, even if they exercise their privacy rights
Colorado
- General duty to protect data, and to require contractors to do the same
- Enhanced breach notification

Invest for Success: Diversifying Your Audit Portfolio
- Understand the risks of collecting and processing data
- Know the agencies and governments to whom you may be responsible
- Recognize the costs and duties if there is a data breach

Questions?
Twitter: @JeffriesInfoSec
rickjeffries@clinewilliams.com