Recent Privacy Developments
ISACA, January 12, 2012
Keith A. Cheresko and Robert L. Rothman, Principals, Privacy Associates International LLC
Purpose
Areas or Topics of Privacy Activity
• Breach
• Cloud
• Geo-location
• Facial Recognition
• BYOD
• Marketing
• Social Media
• OBA
• Consumer Financial Protection Bureau
• Federal Trade Commission
• COPPA
• Health Care
• International
• EU Cookie Rules
• EU Data Protection Directive
• APEC
• USA PATRIOT ACT
• Supplier Relationships
Focus on Several Items
• Social Media
• Breach
• Marketing
• Supplier Relationships
• Privacy Developments from the EU
• TEST!
US Developments
Breach
PII
States Continue Tightening Requirements
Class Actions Proliferating
Breach Notification
No general national breach notification law - BUT
Breach Notification
• Internal processes
• Training
• Policies and practices
• Supplier action implications
Social Media
Endorsements
HR Implications
Social Media
Labor Relations
Social Media
NLRB Actions
Social Media
• Policies and practices
• Internal processes
• Training
• Enforcement
BYOD
Marketing
OBA – Online Behavioral Advertising
Geo-Location
COPPA
Texting
Marketing
• Policies and practices
• Internal processes
• Training
• Enforcement
Facial Recognition
Supplier Relationships
Cloud Computing
Supplier Relationships
Contracts!
Supplier Relationships
• Contract
• Allocation of liability
• Responsibility for actions of others
European Data Protection Directive
The European Data Protection Laws Have Been a Compliance Headache for Companies Around the World
Proposed New Data Protection Regulation
The Good News
DIRECTIVE
REGULATION
The Bad News
Nearly Everything Else
Significantly Increased Fines and Penalties
Consent Narrowed
Data Breach Notification
Right to Be Forgotten
Data Minimization
Accountability
Mandatory Data Privacy Officer
Companies Outside Europe Potentially Subject to the Regulation
Status of Regulation
My Head Hurts
BULL NO-BULL TEST
Statements about the Update
• Bull – the statement is not true
• Not Bull – the statement is true
• Requires audience participation
  – Vocalization of response
  – Be careful of “trick” statements
Sample Statement
The proposed EU privacy regulation will finally prevent the possibility of English mad cows from entering this country.
BULL NO-BULL
BULL
Statement One
The US is unique in the world by requiring notification to individuals who are affected by a security breach involving the loss of personal information.
BULL NO-BULL
BULL
Statement Two
The Proposed EU Data Privacy Regulation will require all companies to appoint an independent data protection officer to serve for a term of not less than two years.
BULL NO-BULL
BULL
Statement Three
Personal Identification Information breaches in the US are regulated by the federal breach notification statute.
BULL NO-BULL
BULL
Statement Four
Product claims made on social media are not covered by normal FTC advertising rules under the “Zuckerman” exception.
BULL NO-BULL
BULL
Statement Five
The basic rule in the EU is that personal data can not be sent to the US because the US does not have adequate privacy laws.
BULL NO-BULL
NO BULL
Question Six
A company can not contract away all its privacy responsibility to its suppliers.
BULL NO-BULL
NO BULL
Final Statement
This has been an interesting and informative and somewhat entertaining session.
Contact Information
Keith A. Cheresko, Privacy Associates International, [email protected], (248) 535-2819
Robert L. Rothman, Privacy Associates International, [email protected], (248) 880-3942