U.S. Privacy Law, Rick Jeffries, CIPP/US


1 U.S. Privacy Law
Rick Jeffries, CIPP/US
Cline Williams Wright Johnson & Oldfather, L.L.P.
Presented to IIA, August 20, 2019

2 Disclaimer
I am a lawyer
Unless you pay me, and we talk privately, I am not your lawyer
This is not legal advice
Do not expose to open flame
Tumble dry low
Do not remove tag under penalty of law
Your mileage may vary
Results not typical

3 Privacy vs. Security
PRIVACY: Doing the right things with the data you obtain
SECURITY: Making sure that only the right people can access and modify data
PRIVACY REQUIRES SECURITY
SECURITY DOES NOT ENSURE PRIVACY

4 United States vs. the World
UNITED STATES
Freedom is more important than privacy
People can collect whatever data they want
Use of data is restricted by law; if a use is not restricted, it is acceptable
"Opting out" must be honored
MOST OTHER PLACES
Privacy is a human right
Permission to use data is granted by law; if a use is not permitted, collection and use are prohibited
"Opt-in" model of consent

5 General Concepts
"Name Plus": In the US, personal information is usually defined as a name plus one other data element (for example a Social Security number, account number, or driver's license number); the two pieces together are what make the data identifying
Privacy law does not apply to anonymized data, unless the identity of the person can be inferred from it (stripping the name is not enough if the remaining fields still single someone out)
Judicial process and litigation are often exceptions to every rule
Encryption is almost always an antidote: most breach statutes exempt data that was encrypted, provided the key was not compromised along with it
Security policies and incident response plans will usually mitigate punishment from government

6 Gramm-Leach-Bliley
Applies to: "Financial Institutions"
Includes: Car dealerships, insurance companies, check cashers, and banks
Governs: Use of "nonpublic personal information" about "consumers"
Requires: Security for data (training, oversight, technology, locks, a written plan, a responsible person)
Notice of practices
Right to opt out of some sharing

7 HIPAA
Applies to: Health care providers, health plans, and clearinghouses ("Covered Entities"); anybody who processes protected health information (PHI) for Covered Entities ("Business Associates")
Governs: PHI
Requires: Privacy notices
Business Associate Agreements
Authorizations; "minimum necessary" disclosure
Safeguards and accountability
Breach notification
DOES NOT REQUIRE: Faxing

8 FERPA
Applies to: Educational institutions that receive federal funds
Governs: "Education records" (broadly defined)
Requires: Regular notice
Nondisclosure
Right of access and correction

9 COPPA
Applies to: Web site operators and mobile app providers
Governs: Data collected from children under 13
Requires: Nondisclosure
Verifiable parental consent
Can affect: Websites appealing to children (toy stores, etc.)
Kids' apps and games
Whether a site is "directed to children" is a fact-sensitive analysis: primary colors and cute characters count against you

10 FACTA
Applies to: Financial institutions
Lenders to consumers
Businesses that "arrange credit"
Requires: Truthful reporting to credit bureaus
A written identity theft prevention program (the "Red Flags Rule")

11 Deceptive Trade Practices
State Deceptive Trade Practices Acts / Federal Trade Commission
Applies to: All commerce
Governs: False or misleading statements
Example: Uber
"We use industry standard practices"
Engineer posted an AWS key to GitHub
Uber paid $100,000 in hush money to the hackers
You have to do what you say in your privacy policy
Note: California law requires every site to have a privacy policy

12 State Data Breach Notification Laws
Applies to: Unauthorized access to electronic personal identifying information
Governs: Conduct of persons in control of personal data
Requires immediate analysis after a data breach
If there is a significant probability of misuse, every affected person must be notified
Most states also require notice to the attorney general
The residence of the data subject, not the location of the breached company, controls which state's law applies
Example: The nice lady who keeps the books

13 GDPR: Europe Changes the Game

14 General Data Protection Regulation
Applies to: Data about residents of the European Union; a single identifier is enough (no "Name Plus")
Governs: Everything
Requires: Almost the opposite of every practice acceptable in the US
Notification of the subject's rights
Access
Rectification
Deletion
Evidence of consent to contact
Minimization
Pseudonymization

15 What Is the GDPR?
Passed by the EU Parliament
In effect now (since May 25, 2018)
Uniform across EU member states

16 How Is GDPR Different from US Privacy Laws?
Privacy is a fundamental human right
Centralized regulation
One or more identifiers (rather than "Name Plus")

17 What Is the Scope of the GDPR?
Offering goods and services to "persons in the Union"
Tracking persons in the Union
Processing or controlling data in the Union

18 Who Is Subject to GDPR?
Data processors
Data controllers

19 Obligations of processors and controllers

20 Data Protection Officer
Responsible to the organization
Responsible to the government
Responsible to outsiders

21 Risk Assessment
Understand the data collected
Understand the risks to subjects
Take appropriate action to protect them

22 Minimization
"Collected for a specific purpose"
No repurposing
"Limited to what is necessary"

23 Data Security Measures
Pseudonymization
Encryption
Security by design
Security by default
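The two data-handling points the deck makes, that anonymized data falls outside privacy law only when identity cannot be inferred (slide 5) and that pseudonymization is the GDPR's preferred security measure (slide 23), are easy to get wrong in practice. The following Python is an added example, not code from the presentation or its author; the records, the key, and the function names are constructed for illustration. It pseudonymizes direct identifiers with a keyed hash (HMAC-SHA256) so records about one person can still be joined, and then shows why an unkeyed hash of a low-entropy identifier such as an SSN is not anonymization: anyone can enumerate the input space and reverse it.

```python
"""Pseudonymization versus "anonymization" of a record set.

Added example (not from the presentation). All records are constructed.
Two points from the deck: pseudonymized data is still personal data,
because the key holder can reverse it; and an unkeyed hash of a
low-entropy identifier is not anonymization, because anyone can
enumerate the input space and reverse it.
"""
import hashlib
import hmac
from typing import Callable, Iterable, List, Optional

# Constructed sample records (fictional people, fictional SSNs).
RECORDS = [
    {"name": "Ada Example", "ssn": "123-45-6789", "zip": "68508", "diagnosis": "asthma"},
    {"name": "Bob Sample", "ssn": "987-65-4321", "zip": "68508", "diagnosis": "flu"},
    {"name": "Ada Example", "ssn": "123-45-6789", "zip": "68508", "diagnosis": "allergy"},
]

# Fields that identify a person on their own ("direct identifiers").
# zip + diagnosis are quasi-identifiers: they stay in the output and can
# still single someone out, which is the "unless identity can be inferred"
# caveat from slide 5.
DIRECT_IDENTIFIERS = ("name", "ssn")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed token (HMAC-SHA256, truncated to 64 bits) for one identifier.

    Same value + same key -> same token, so records about one person can
    still be joined. Without the key the token cannot be mapped back, and
    an attacker cannot even test guesses against it.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: Iterable[dict], key: bytes) -> List[dict]:
    """Copy of records with direct identifiers replaced by keyed tokens.

    The key must be kept separately from the output (that separation is
    what GDPR Art. 4(5) means by pseudonymization). The result is still
    personal data: whoever holds the key can re-identify every row.
    """
    out = []
    for rec in records:
        tokenized = dict(rec)  # do not mutate the caller's records
        for field in DIRECT_IDENTIFIERS:
            tokenized[field] = pseudonym(rec[field], key)
        out.append(tokenized)
    return out


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the value: what is often mislabelled "anonymized"."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reverse_by_enumeration(target: str, candidates: Iterable[str],
                           token_fn: Callable[[str], str]) -> Optional[str]:
    """Recover the input behind `target` by running every candidate through token_fn.

    An SSN has at most 10**9 values; a laptop computes that many SHA-256
    hashes in minutes, so an unkeyed hash of an SSN hides nothing. The
    same search against a keyed token only works if token_fn has the key.
    """
    for cand in candidates:
        if token_fn(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    key = b"\x00" * 32  # demo only; use secrets.token_bytes(32) and keep it in a vault
    for row in pseudonymize(RECORDS, key):
        print(row)
    # Attacker's candidate space: every SSN sharing the first five digits.
    guesses = (f"123-45-{i:04d}" for i in range(10_000))
    print(reverse_by_enumeration(unkeyed_hash("123-45-6789"), guesses, unkeyed_hash))
```

The truncation to 64 bits is a readability choice for the demo; keep the full digest if the token space must be collision-free at scale. Note what the example does not do: it leaves zip and diagnosis in place, so the output is pseudonymized, not anonymized, even before anyone touches the key.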

24 Legal Basis for Processing
Consent
Contract
Legal obligation
"Vital interests"
"Public interest"
"Legitimate interests" of the controller (the sixth basis, Art. 6(1)(f))
Under 16 = parental consent for online services offered directly to a child (member states may lower the age to 13)

25 GDPR Consent
Must be given freely
Must not be "take it or leave it", especially if the processing is not needed for the service
Granularity
Schrems II - Facebook
Process must be transparent
Clear and plain language
Controller must be able to "demonstrate" consent (Art. 7(1))

26 "Special Categories"
Heightened scrutiny for processing of data regarding:
Racial or ethnic origin
Political opinions, religious or philosophical beliefs
Sex life or sexual orientation
Trade union membership
Health
Genetic and biometric data

27 Breach Notification
To the subject: "without undue delay"; encryption may be an exception
To the authorities: within 72 hours, unless harm is "unlikely"

28 Fundamental rights under the gdpr

29 The Right to Be Informed
Contact people (DPO)
What information
Why
How long
Notice of the rights of access and rectification

30 The Right of Access
"Do you have data about me?"
Plus the same information covered by the right to be informed

31 The Right of Rectification
Correct any inaccuracies "without delay"

32 The Right to Erasure
If consent is the legal basis, it can be withdrawn
If contract is the basis, once the contract is over
If the processing is unlawful

33 The Right to Restrict
Don't process my data if:
I dispute its accuracy
I dispute its lawful collection
The controller no longer needs it

34 The Right to Data Portability
Subject may obtain data about them that is:
"Structured"
Machine readable
In a commonly used format
Transmitted to another controller

35 The Right to Object
Opt-out
"I want a human to look at this" (no solely automated decisions with legal or similarly significant effects)

36 A GDPR “JOKE” Q. Do you know of an expert in the GDPR? A. Yes. Q. Can you give me her address? A. No.

37 Will GDPR Come to America?
California (CCPA): consumers may
Know what personal information is being collected
Know whether personal information is sold or disclosed, and to whom
Say no to the sale of personal information
Access their personal information
Receive equal service and price even if they exercise their privacy rights
Colorado
General duty to protect data, and to require contractors to do the same
Enhanced breach notification

38 Invest for Success: Diversifying Your Audit Portfolio
Understand the risks of collecting and processing data
Know the agencies and governments to whom you may be responsible
Recognize the costs and duties if there is a data breach

Questions?
Twitter: @JeffriesInfoSec
Email: rickjeffries@clinewilliams.com

