
Recent Privacy Developments

ISACA, January 12, 2012

Keith A. Cheresko and Robert L. Rothman, Principals, Privacy Associates International LLC

Purpose


Areas or Topics of Privacy Activity

• Breach
• Cloud
• Geo-location
• Facial Recognition
• BYOD
• Marketing
• Social Media
• OBA
• Consumer Financial Protection Bureau
• Federal Trade Commission
• COPPA
• Health Care
• International
• EU Cookie Rules
• EU Data Protection Directive
• APEC
• USA PATRIOT ACT
• Supplier Relationships

Focus on Several Items

• Social Media
• Breach
• Marketing
• Supplier Relationships
• Privacy Developments from the EU
• TEST!

US Developments

Breach

PII

States Continue Tightening Requirements

Class Actions Proliferating

Breach Notification

No general national breach notification law - BUT

Breach Notification

• Internal processes
• Training
• Policies and practices
• Supplier action implications

Social Media

Endorsements

HR Implications

Social Media

Labor Relations

Social Media

NLRB Actions

Social Media

• Policies and practices
• Internal processes
• Training
• Enforcement

BYOD

Marketing

OBA – Online Behavioral Advertising

Geo-Location

COPPA

Texting

Marketing

• Policies and practices
• Internal processes
• Training
• Enforcement

Facial Recognition

Supplier Relationships

Supplier Relationships

Cloud Computing

Supplier Relationships

Contracts!

Supplier Relationships

• Contract
• Allocation of liability
• Responsibility for actions of others

European Data Protection Directive

The European Data Protection Laws Have Been a Compliance Headache for Companies Around the World

Proposed New Data Protection Regulation

The Good News

DIRECTIVE

REGULATION

The Bad News

Nearly Everything Else

Significantly Increased Fines and Penalties

Consent Narrowed

Data Breach Notification

Right to Be Forgotten

Data Minimization

Accountability

Mandatory Data Privacy Officer

Companies Outside Europe Potentially Subject to the Regulation

Status of Regulation

My Head Hurts

BULL NO-BULL TEST

Statements about the Update

• Bull – the statement is not true
• Not Bull – the statement is true
• Requires audience participation
– Vocalization of response
– Be careful of “trick” statements

Sample Statement

The proposed EU privacy regulation will finally prevent the possibility of English mad cows from entering this country.

BULL NO-BULL

BULL

Statement One

The US is unique in the world by requiring notification to individuals who are affected by a security breach involving the loss of personal information.

BULL NO-BULL

BULL

Statement Two

The Proposed EU Data Privacy Regulation will require all companies to appoint an independent data protection officer to serve for a term of not less than two years.

BULL NO-BULL

BULL

Statement Three

Personal Identification Information breaches in the US are regulated by the federal breach notification statute.

BULL NO-BULL

BULL

Statement Four

Product claims made on social media are not covered by normal FTC advertising rules under the “Zuckerman” exception.

BULL NO-BULL

BULL

Statement Five

The basic rule in the EU is that personal data cannot be sent to the US because the US does not have adequate privacy laws.

BULL NO-BULL

NO BULL

Question Six

A company cannot contract away all its privacy responsibility to its suppliers.

BULL NO-BULL

NO BULL

Final Statement

This has been an interesting and informative and somewhat entertaining session.

Contact Information

Keith A. Cheresko, Privacy Associates International LLC, kcheresko@privassoc.com, www.privassoc.com, (248) 535-2819

Robert L. Rothman, Privacy Associates International LLC, rrothman@privassoc.com, www.privassoc.com, (248) 880-3942
