Information Governance
When it comes to creating policies for handling personal data in an organization, who decides? How are those policy decisions made and kept up to date?
These are questions of governance – I would call it “information governance.” Most large enterprises have established responsibilities and procedures for information technology governance and specifically for IT security policies, procedures, procurement, management, and training. In many cases, however, these have not been fully mapped to personal data compliance and risk management requirements, which should be defined and monitored by a somewhat different group of people, from departments beyond IT and security. Unless privacy issues are visible in the internal governance process, the organization – and the individuals that deal with it -- may be exposed to some nasty surprises.
Live from the IAPP Global Privacy Summit in Washington, DC, It's Monday Afternoon
This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days:
- How can we harmonize the EU Data Protection Directive and EU member country privacy laws with the flow of data in today's global economy? It is unfortunate that a number of IAPP participants from the EU will not make it to DC for the Summit this year due to the Icelandic volcano. Nonetheless, I expect active dialogue regarding cross-border data transfers, safe harbor v. standard contractual clauses v. binding corporate rules, and, in particular, the impact of the growth of cloud computing and other outsourcing arrangements (or, at least, the growth of the hype around cloud computing). It would also be nice to hear more about the EU Cookie Consent law - there is a panel scheduled to take place, but unknown if that will happen in light of the volcano debacle.
- HIPAA/HITECH and Medical Identity Theft: Health care privacy topics are hotter than ever, especially with the growing number of reported security breaches affecting more than 500 individuals under the new HHS breach notification rules promulgated pursuant to the HITECH Act.
- "Reasonable Security": What does Massachusetts think? What does the FTC think? What in the world is it and how in the world can organizations comply?
- On a related note, FTC Enforcement, with a focus on behavioral marketing issues and evolving notions of notice and consent. What trends will we see over the next several years, particularly with the growth of social media and online behavioral advertising?
- Social media: how it affects the workplace, corporate policies and procedures, and "reasonable expectations" of privacy.
- The forecast for federal legislation - not just on breach notification, but security requirements, online behavioral marketing and, getting lots of media attention these days, potential revisions to ECPA (being driven, once again, by the cloud computing explosion).
- Breaches, breaches, and more breaches. Of course.
A few things that appear to be missing from this year's agenda - the FTC's current review of the rules under the Children's Online Privacy Protection Act (COPPA), enforcement of the Red Flags Rule (the FTC will start enforcing the Rule June 1), and the growing number of state laws (Washington, Nevada, Minnesota) requiring compliance with the PCI Standard.
Stay tuned, I will endeavor to post developments on a daily basis.
Privacy's Trajectory
As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16. In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15. Monday morning you can find the whitepaper here. I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release. Where exactly is privacy going in today's environment? What is the role of the privacy professional over the next 10 years? And, a lot of people I know and love (you know who you are) would ask, what in the world is a privacy professional anyway?
Of late, I have found myself reiterating, and getting a lot of positive feedback for, the following proposition: with data (massive amounts of it) as the new currency, the explosion in outsourcing to "trusted partners," and the growth of legal risks associated with an ever-expanding body of privacy and data security regulation, the role for professionals who understand privacy is becoming increasingly important. Further, such professionals are uniquely positioned to bring together various key stakeholders in an organization, including Information Security, Legal, IT, and various business units. Why? Because privacy professionals are, by virtue of what they do, multidisciplinary. And the growing opportunities for such professionals are inextricably intertwined with that quality. The IAPP has summed this up succinctly, and eloquently in its whitepaper, as follows:
Continue Reading...Thoughts from the RSA Conference
As the partners of InfoLawGroup make our way through the sensory overload of the RSA Conference this week, I am reminded (and feel guilty) that it has been a while since I posted here. I have good excuses - have simply been too busy with work - but after spending several days in the thought-provoking environment that is RSA, I had to break down and write something. A few observations, from a lawyer's perspective, based on some pervasive themes:
- We all need to work together, and we can. Legal, Information Security, Privacy, Compliance, IT, and the affected business units. Now more than ever, it is essential that ALL the stakeholders join forces, as early as possible, to address security and privacy risks, assess and vet business deals, and put in place appropriate procedures - RFPs, due diligence, contract negotiation - to address the risks.
- Cloud, cloud, cloud, yada, yada, yada. Hold up - the technology is not new - but usage and the business model have changed dramatically. I have been having this argument with my information security and technology friends for months. OK, I get it. "Cloud" technology in some form or another has been around for 30 or 40 years. What is new is the massive scale, availability and changes in usage and the business model - in part driven by the economics. Guess what? Those business model changes make the legal risks even more pervasive. Going back to (1) above, all of the stakeholders need to be in the room (or on the phone or videoconference) discussing the issues BEFORE the decision is made to enter into a cloud arrangement. ANY cloud arrangement. Not after the RFP is issued. Not after IS does its due diligence. Not after the contract negotiations have begun. And not after the contract is inked. The same due diligence and attention to risks that would apply in a traditional outsourcing/offshoring relationship must be applied here, too. The cost savings are illusory if the short-term and/or long-term risks are significant. Think about the kind of data at issue. What are the risks? Evidence preservation, data security, breach response, enforcement rights, indemnification. And before we even get to those - can the data be transferred across borders in the first place? Think about it early. And then talk about it before decisions are made.
More after the jump.
Continue Reading...Massachusetts Data Security Regulations Final Amendments Released
As we noted earlier this week, Massachusetts indicated late last week it would issue its last round of amendments to its data security regulations scheduled to take effect March 1, 2010, 201 CMR 17.00. The last round of amendments are not particularly significant, although it is worth noting that, contrary to the amendments made in August, this round clarifies that the regulations cover any entity that stores personal information of Massachusetts residents, in addition to those that receive, maintain, process, or otherwise have access to personal information. Here is the press release from the Office of Consumer Affairs and Business Regulation. Here is the final version of the Regulations. Doug Cornelius has a great analysis here. The effective date of the regulations is still March 1, 2010.
Final Amendments to Massachusetts Data Security Regulations to Be Announced Shortly
Friday was a busy day for identity theft and data security regulations. Not long after the Federal Trade Commission announced it was extending the enforcement deadline for the Red Flags Rule for the fourth time, word came from BNA's Privacy & Security Law Report that the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) had filed with the Massachusetts Secretary of State its final amendments to 201 CMR 17.00, the state's data security regulations. BNA reported that OCABR plans to make the amendments public sometime this week. BNA further reported that there are no major changes, but that there will be some clarification with respect to contracts between persons who own or license personal information and third-party service providers (201 CMR17.03(2)(f)(2)). You can check out Dave's post on the last round of significant revisions to the regulations in August, complete with redline. We have seen a lot of activity in the blogosphere about the new changes, but nothing official yet. And so far, no announcements of further delays in the effective date, currently set for March 1, 2010. We will report as soon as we hear more information.
