
Privacy and Data Security: Drivers of Corporate Success and Business Value

Brian H. Lam, CISSP, CISM, CIPP-US

Mintz Levin. Not your standard practice.

Discussion Goals

1. Provide a way to analyze privacy issues by understanding the role data plays in your business.

2. Arm you with ways of using privacy and data security to drive business value. Panelists will be providing examples from their own experience.

3. Ask questions. We want this to be an informal and useful process.


Moderator: Brian H. Lam

• Attorney in the Privacy and Data Security Practice

• Member of Governor's California Cyber Security Task Force

• Previously worked at Accenture in the Cybersecurity Advisory Practice, and Coalfire in the Cyber Risk Management and Compliance Practice

• Lots of Fun Acronyms: B.S. Computer Science, M.S. Telecommunications Engineering, Certified Information Security Systems Professional (CISSP), Certified Information Systems Manager (CISM), Certified Information Privacy Professional (CIPP)


Panelist: Travis Stewart

• Senior Counsel at Lytx, Inc., one of the nation’s leading video telematics and driver risk management companies, harnessing the power of data to change human behavior

• Assists various teams at Lytx with a diverse range of matters including compliance with privacy laws, data security, licensing and addressing the changing legal landscape of internet connected devices

• Prior to joining Lytx, Stewart was Corporate Counsel at FTD, Inc. (formerly, Provide Commerce, Inc.)


Panelist: Chris Gross

• Senior Engineer, Fitbit

• Senior Firmware engineer at Fitbit, Inc. working on device Firmware and UX

• Previously, Chris was a Senior Staff engineer at Qualcomm, Inc. providing solutions for the Windows Phone ecosystem. Chris received his B.S. in Computer Science from the University of California, San Diego


Panelist: Will Wong

• Legal Counsel at Organovo, Inc., a San Diego company focused on cutting-edge innovations for 3D bio-printed human tissues

• Handles IP, transactions, and other general legal matters

• Previously IP counsel at Beckman Coulter, Inc. where he strived to strategically maximize the value of an extensive global patent portfolio for key clinical diagnostic products


What Is Privacy and Data Security?

A. List of requirements from Information Technology I don't want to deal with

B. Doesn't apply to our company. We do not collect or use any data whatsoever, including any data about our employees when we hire them, or any data from our customers

C. Refers to a set of legal requirements and best practices that can assist a company in protecting its intellectual property, engender customer confidence, and grow revenue beyond existing user base


Analyzing Privacy and Data Security

1. Understand the data flows in your organization

2. Understand the states of data: Collection, Use & Storage, Transfer, and potentially Loss

3. Unfortunately, many organizations will eventually have a Loss event

4. Consider the Five W's: Who, What, Where, When, Why


Privacy by Design

1. What if you thought about these states before your company started collecting the data?

2. This is Privacy by Design in a nutshell

3. Better to understand the risks from the beginning and make conscious choices than wait until something bad happens


Make Informed Privacy Decisions

1. Data Collection: Challenge data collection decisions. Certain laws attach based on the collection of types of data. Do you really need SSNs?

2. Data Use & Storage: Understand how data is being used, including combining it with other data. How long is data stored? Who can access it and what security measures have been taken?

3. Data Transfer: Within the company, who can approve data transfers? Are there standard contractual safeguards?

4. Data Loss: Has the company planned for such events? Is an internal team in place? Is there an external incident remediation team? Has the company considered how collecting certain types of data could impact loss risk?


Why Not Just Transfer Risk to 3rd Party?

• Use a "Standard" Privacy and Data Security Provision

• Contractor shall be responsible for assuring that the Software complies with all applicable provisions of federal, state and local laws and regulations respecting the privacy and protection of any and all information collected or used by the Software and that all of its employees and contractors comply individually with all such laws and regulations

Good Enough?

• Companies can and should use provisions to transfer privacy and data security risks

• Simply using a "catch all" provision like this will not allow the company to make informed decisions

• In many cases, company will not be able to transfer the privacy and data security risks it faces to its contractors completely

• If you are aware that a certain regulation or standard applies, be specific

Travis Stewart, Senior Counsel

• Tell us about what Lytx does.

• What sorts of customers does Lytx have?

• Where does Lytx operate?

• How are Lytx offerings integrated with customer systems?


Privacy by Design: Data Collection

• What information does Lytx collect?

• Tell us about the role that engineering plays in privacy by design

• Do backend systems need to enforce this concept? How did this require legal to interact with other stakeholders?


Privacy by Design: Data Storage/Transfer

• Do customers often have their own data storage and transfer requirements?

• What differences in requirements and requests have you seen internationally?

• How can internal privacy and data security stakeholders assist the sales team?


Security by Design: Data Storage/Transfer

• Customers have data security requirements they wish to impose upon their vendors

• For example, support for single sign on, password complexity, role and group based access controls, and configuration

• Clients provide questionnaires and standard addendums

• Customization means complexity. Productize where applicable.


Privacy by Design: Generic Data Storage/Transfer

• What considerations do you have with leveraging third party services, such as cloud based storage or payment processors?

• What role did understanding the data flows play in this process?

• Given business requirements such as disaster recovery and availability concerns, should companies be planning to work with third parties from the start?


Security by Design: Transfer To/From System

• Customers may desire to transfer data to and from the Lytx-provided system, including through an Application Programming Interface (API).

• What issues does this create?

• Is this something that Lytx needs to support to provide a competitive service?


Security by Design: Data Loss

• We have talked a lot about security.

• Let's discuss planning for potential data loss.

• How does this relate to the collection process we discussed earlier?

• Beyond legally required remediation issues, how do you see the reputational impacts on the business? Is this something that can be effectively dealt with through an indemnity?


Generic Advice / Take away (beyond the policy)

• Understand the technology. Ask a lot of questions. Get into the weeds.

• Understand the risks involved with the data (leverage experienced counsel).

• Understand client / customer drivers. Create a feedback loop with sales / marketing.

• Privacy and data security done right is a silent hero, therefore take the time to turn the efforts into a positive, marketable attribute.

• Where to start? Grab a (large) coffee and review standard InfoSec controls / questions (ISO27001/2, NIST SP 800-53, CSA CAIQ)


Chris Gross, Senior Engineer

• Tell us about what Fitbit does.

• What sorts of customers does Fitbit have?

• Where does Fitbit operate?

• How are Fitbit offerings integrated with customer systems?


Privacy by Design: Fitbit Data Collection

• Tell us about the role that engineering plays in privacy by design

• How do the backend systems enforce this concept?

• How was data collection dictated by the product design?


Security by Design: Data Loss

• CloudFlare incident: Reported that 3rd Party Contractor CloudFlare may have leaked certain customer information.

• What role did planning play in the remediation process?

• Could consumer trust have been maintained without the actions implemented?


Privacy Enables Monetization Beyond User Base

• Fitbit integrates with Qualcomm Life’s 2net Platform as part of UnitedHealthcare's Motion Program

• Participants earn up to $1,500 in Annual Rewards

• What role did having privacy and data protection play?


Will Wong, Legal Counsel

• Tell us about what Organovo does.

• What sorts of customers does Organovo have?

• Where does Organovo operate?

• How are Organovo offerings integrated with other systems?


Security by Design: Intellectual Property Protection

• Can you describe the multidisciplinary approach taken?

• What actions are important from an employee and contractor perspective?

• What role has interacting with appropriate law enforcement played?


Questions?

• Check out our blog: https://www.privacyandsecuritymatters.com/

• Contact me: [email protected]
