Privacy News Round-Up: Lessons Learned
Several important privacy issues were in the news in the first half of this week. Here's our take on these stories, which covered online data collection, employee privacy and legislative and regulatory debates about the future of online privacy.
On November 6, 2011, the Wall Street Journal reported that major websites are taking steps to control and limit tracking of their visitors by third parties. The sites' goal is both to mitigate the privacy risks associated with such third-party tracking and to capture the revenue that could be derived from their users' data. A study cited in the article estimated that a sample of 50 popular U.S. websites is losing at least $850 million in revenue to third parties that collect and sell users' data without the sites' knowledge. The study also found that nearly a third of the tracking tools operating on the 50 sites are unauthorized. As the recent Facebook controversies demonstrate, clandestine or unauthorized use and collection of users' data may cause reputational harm to the sites, and not every company is able to withstand revelations of inappropriate data use as well as Facebook can.
There are more than a few examples of Internet ventures that were torpedoed by privacy blunders. In addition to the potential for reputational harm, Internet sites may face legal risks arising from representations they make in their online privacy policies. The Federal Trade Commission (FTC) has brought enforcement actions for privacy violations under Section 5 of the FTC Act (which deems unfair or deceptive acts or practices unlawful), including in connection with inaccurate statements in privacy policies. In addition, many jurisdictions outside the U.S. impose myriad requirements with respect to privacy disclosures to consumers. Our takeaway from the story is to emphasize how important it is for businesses to understand and control how their websites collect, use and share personal data, and to ensure that the sites' consumer-facing privacy policies accurately reflect the company’s practices.
Our next story takes on the issue of employee privacy in the digital age. On November 8, 2010, the New York Times reported that the National Labor Relations Board (NLRB) filed an administrative complaint against an employer, alleging that the company violated an employee's federal rights by firing her for criticizing her manager on her Facebook page. The NLRB argues in the complaint that employees have a right to criticize their employers, management or working conditions, and cannot be punished for engaging in this protected activity. While the terminated employee was a union member, the NLRB asserts that this right to criticize is equally applicable to nonunion employees because it is an extension of the federal right to discuss unionization and form unions. The NLRB's complaint is set to go before an administrative judge in January of next year, but any result can be contested before an appellate board and in federal courts. Still, while this proceeding is pending, the complaint itself may serve as a rude awakening to many employers who have been implementing increasingly stringent policies regarding employees' use of social media and behavior outside of the workplace. In this case, the employer's policy was rather extreme: it barred employees from depicting the company "in any way" on Facebook or other social media sites where the employees posted their pictures, and from making disparaging or discriminatory comments when discussing the employer or management. Of course, the right to talk about employers on the web or outside of work is not absolute. For example, if an employee lashes out against a supervisor but is not communicating with other employees in doing so, the activity may not be protected (in this case, other employees participated in the Facebook discussion of the former employee's manager).
In addition, making false, defamatory statements about the employer, or disparaging remarks unrelated to work (for example, about a supervisor's family or personal life), is likely not protected by federal law. The lesson from this story is that the NLRB appears to be taking a more active role in protecting employee privacy, and employers are well-advised to carefully review and consider revising their social media and employee conduct policies to ensure consistency with federal law and NLRB guidance.
The final story comes from the New York Times and Politico today on legislative and regulatory developments (and disagreements) regarding regulation of online privacy. The New York Times is predicting a battle among the industry, privacy advocates, legislators and the administration on how to regulate online privacy. Industry representatives are not necessarily opposed to all regulation, but argue that targeted ads and competition among advertisers are good for the economy. They do not believe that a “do not track” list, which would give Internet users a single point for opting out of being tracked online for advertising purposes, is necessary for protecting web users' privacy. On the regulatory front, the FTC and the Commerce Department are set to release their independent reports on online privacy. Commerce will likely favor self-regulation, while the FTC is likely to argue for a "do not track" option. The White House has set up its own panel that will look into balancing consumer protection with making U.S. companies more competitive overseas. Not to be outdone, as Politico reports, Congress is planning to convene a hearing on online privacy in early December. The discussion will address the idea of a "do not track" list and other options for regulating online privacy. Finally, privacy advocates are concerned that the regulatory and legislative battles will produce rules that do not fully protect the interests of consumers. We realize that businesses can't wait for these debates to be resolved. Our recommendation is that businesses build privacy and information security into their products and services and follow industry best practices. Privacy is good for business, and being proactive about privacy and information security helps a business control the story of how it is portrayed in the media and by regulators. There is no reason to be afraid of privacy.
Privacy does not mean not using personal information; it means using the information in a fair and transparent manner.
If you would like to read our take on other privacy news, don't hesitate to let us know by posting a comment on the blog, emailing bsegalis@infolawgroup.com or on Twitter @InfoLawGroup.
Data Commissioners Conference in Jerusalem Focuses on Future of Privacy, Cooperation and Enforcement
Last week, we joined privacy regulators, practitioners and industry representatives from around the world in Jerusalem for the 32nd International Conference of Data Protection and Privacy Commissioners. On numerous panels, conference participants engaged in lively discussions about privacy compliance and enforcement as well as the future of privacy in light of evolving consumer expectations and advances in technology that tracks and identifies individuals.
In discussions about the current state and future of privacy, some industry representatives took the position that active sharing by consumers of personal data online, including through social networks, is a vote of confidence in the current approach to privacy regulation. In response, some of the regulators and academics called for stronger privacy protections, arguing that consumers are still unaware of the consequences of disclosing their personal data. Notably, opinions on the state and future of privacy did not necessarily split along the industry/regulator lines. Rather, some industry representatives took a decidedly pro-consumer view of privacy protection, seeing it as a good business practice, while some of the privacy regulators, including the Israeli regulator and some of the European officials, sought to balance privacy protection with the interests of the business community.
On the issue of privacy compliance, participants agreed that Europe continues to be a difficult landscape to navigate in understanding the applicability of local data protection laws to personal data processing activities. At the same time, European panelists acknowledged that diverging views on jurisdiction may not be compatible with the fact that data flows do not know physical borders, and called for more uniformity among EU member states.
The topic of privacy enforcement generated great interest among conference participants. It continues to be a source of frustration for the industry and privacy practitioners. At the conference, panelists acknowledged limitations and inconsistencies of the various privacy enforcement regimes. For example, many of the European regulators are constrained by limitations on their investigative or enforcement authority or on their discretion as to which consumer complaints to address, as well as by budgetary constraints. U.S. regulators appear to be taking privacy seriously. The conference was well-attended by representatives of a number of U.S. federal agencies, including the Federal Trade Commission, the State Department, the Commerce Department, and the Department of Homeland Security. The FTC’s Director of the Bureau of Consumer Protection, David Vladeck, explained that the FTC is choosing its enforcement actions carefully to give guidance to the industry as to which practices the Commission considers unacceptable. The FTC’s expectation is that the industry will follow the guidance provided by its privacy enforcement actions. At the same time, the Commission is ready to increase enforcement if it believes that privacy compliance levels are unsatisfactory. Panelists also suggested that private enforcement actions, such as class actions in the U.S. and group actions in Europe, may be gaining steam, although the practice is still in its infancy.
At the conclusion of the conference, the commissioners took a step in increasing international cooperation on privacy matters by admitting the FTC into membership in the conference. The admission is a vote of confidence in the FTC’s authority and independence in enforcing privacy regulations. It is also without a doubt the result of the FTC’s increased cooperation with European data protection commissioners. According to the FTC’s David Vladeck, this joint work will continue.
There are many more lessons learned from the Jerusalem conference that we expect to mention in future posts, so please stay tuned.
Information Governance
When it comes to creating policies for handling personal data in an organization, who decides? How are those policy decisions made and kept up to date?
These are questions of governance – I would call it “information governance.” Most large enterprises have established responsibilities and procedures for information technology governance and specifically for IT security policies, procedures, procurement, management, and training. In many cases, however, these have not been fully mapped to personal data compliance and risk management requirements, which should be defined and monitored by a somewhat different group of people, from departments beyond IT and security. Unless privacy issues are visible in the internal governance process, the organization – and the individuals that deal with it -- may be exposed to some nasty surprises.
One consequence of the growing body of laws, regulations, standards, and contractual requirements dealing with protected categories of personally identifiable information (PII) is a heightened awareness of the importance of establishing effective internal governance mechanisms. The organization needs to be clear on who decides, and how, key questions such as these:
• Which kinds of PII should be collected in the first place?
• Which categories of PII require particular safeguards or treatment, either legally or because the information is considered especially sensitive by customers and employees, or by the organization itself?
• How should PII be secured?
• Who should be given access to PII, and for what purposes?
• How are individuals informed of events (such as business changes and security breaches) and options (such as opt-in or opt-out choices) that affect their privacy and personal security?
• How should PII be disposed of at the end of its useful life?
In some cases, legislators, regulators, and industry standards bodies provide guidance on PII management and governance, at least by implication. But for the most part, organizations must find their own way to weave privacy compliance and PII risk management into effective internal governance procedures. Adding privacy to the organization’s governance structure, with constant reference to evolving privacy rules and standards, is one way to avoid costly mistakes and arm the organization with legal defenses in the event of a security breach or a serious privacy complaint.
I recently presented a workshop on “information governance” at the Vanguard Security 2010 conference in Las Vegas. Some of the participants, typically managers of enterprise IT security functions, were concerned about whether their employers -- companies, universities, healthcare systems, and government agencies -- were organizationally equipped to make appropriate decisions about collecting, securing, and using PII in a rapidly changing legal and regulatory environment.
It’s a legitimate concern. Organizations in both the private and public sectors are increasingly held accountable for the proper handling of sensitive or potentially dangerous PII such as health records, Social Security Numbers, bank account and payment card details, credit reports, and background checks. An effective system of both privacy and security governance is essential if the organization is to achieve substantial compliance, manage litigation and market risks, and respond adequately to privacy challenges and to security threats and incidents. Relevant laws, standards, and contract requirements sometimes mandate certain aspects of privacy or security management and, less frequently, governance. Otherwise, it is ultimately a matter of finding what best fits your organization’s leadership culture – although it may be helpful to compare models from other organizations with similar needs.
What PII Do You Handle?
Don Harris of HR Privacy Solutions often refers to personal data as the latest “controlled substance.” For purposes of this discussion, I use the term “PII” to mean whatever personally identifiable information your organization has an obligation to protect from unauthorized disclosure, use, loss, or alteration. In the US, that varies considerably by sector and jurisdiction. US state laws requiring personal information security measures or notification of security breaches (in all but four states) typically apply only to limited categories of PII that raise the greatest risk of identity theft, such as the SSN, driver’s license number, and bank account or payment card number (combined with a PIN or other access code). The US federal HIPAA and HITECH acts and a number of state laws more broadly regulate health records, while the federal Gramm-Leach-Bliley Act (GLBA) and financial supervisory authorities focus on the confidentiality of financial records. The Fair Credit Reporting Act is concerned with consumer reports. Equal Employment Opportunity laws often address the proper collection and use of information about race, ethnicity, religion, age, gender, disability, family status, or sexual life. Other laws protect information about students and their parents, licensed drivers, telephone and cable subscribers, persons renting DVDs and videotapes, library patrons, clients of mental health and substance abuse programs, people who seek refuge in battered women’s shelters, genetic data, and an array of other categories of PII deemed potentially risky to individuals. Meanwhile, an organization may be required contractually to handle certain kinds of data in a prescribed manner, such as the PCI-DSS standards that apply to the processing of credit and debit card payments.
By contrast, PII can be almost any information relating to an identifiable individual under the more comprehensive privacy and data protection laws in Canada, the European Union, Australia, Japan, and several other jurisdictions. Even in those jurisdictions, however, there is often an enhanced obligation to protect especially sensitive categories of PII such as those relating to race or ethnicity, health and sex life, religion, political opinion, trade union involvement, criminal records, consumer profiles, bankruptcy, personal financial records, genetic data, geolocation data (such as tracking a person’s physical location through his mobile phone or RFID security badge), and official identifiers such as passports and national ID numbers that could be used in fraud and identity theft.
Who Is Responsible?
Within the organization, who accepts responsibility for ensuring that all relevant categories of PII are handled appropriately? In some organizations, the Chief Legal Officer, Chief Information Officer, or Chief Technology Officer is considered primarily responsible for PII policy decisions. In others, the decisions may be made by senior executives responsible for human relations (employee data) or customer relations (consumer data). Obviously, policy decisions should be made in consultation with the legal or compliance functions in the organization. IT security managers will provide some of the tools and techniques – once they know what the requirements are and how to classify the data. HR management should be on top of employee privacy issues in all the jurisdictions in which the organization has employees (and their dependents) or independent contractors and temporary workers. The customer relations and marketing managers should understand the restrictions under which they operate and the disclosures and choices they must provide. Records management should implement appropriate storage and disposal policies. And many organizations now have a “privacy officer” (under any of a variety of titles) who is charged with offering guidance and making recommendations relating to PII.
Business managers also typically make recommendations, but their primary job is to see that the organization’s policies are implemented – that is the management function. Security and privacy governance refers to the process by which those policies are adopted in the first place and then monitored and adjusted. Ultimately, policy decisions should be made by senior or C-level executives or (for the most fundamental policies) by the board of directors or agency chief. Ideally, the CEO and directors are at least broadly aware of privacy and security issues affecting the organization’s handling of PII -- well before the first embarrassing privacy complaint or security breach hits the news.
Governance Requirements and Tools
Most PII laws and regulations are not terribly detailed in referring to information governance issues. It is simply the organization’s obligation to find the best ways to achieve compliance.
Corporate governance, particularly in publicly traded companies, offers some familiar and relevant models for information governance. In the US (especially under the Sarbanes-Oxley Act or “SOX”), Canada, Europe, and Japan, financial reporting laws or stock exchange rules require management controls in all areas material to the accurate reporting of financial results to investors and regulators. Under those laws, a CFO, CEO, or Audit Committee of the board must certify the effectiveness of the company’s control procedures. In most modern companies, IT is used for data collection and reporting and, indeed, is critical to the success of the organization. Thus, internal and external auditors refer to IT management “control objectives,” often with reference to the COBIT Framework published by ISACA.
IT control objectives may include items such as access controls, encryption, and data retention policies as required to comply with PII rules or to manage PII risks. In some companies, there is such a dependence on protected PII that management reporting expressly refers to relevant PII compliance requirements such as those imposed by HIPAA, GLBA, FCRA, PCI-DSS, PIPEDA, or national laws based on the EU Data Protection Directive. In those cases, PII compliance requirements are documented in specific control objectives with associated policies and procedures, assigned to responsible functions, and periodically audited and certified.
Apart from public company governance requirements, some laws and regulations specifically require that there is a designated person or department accountable for the security of covered PII, with an obligation to report to senior management. This is true of US federal health and financial privacy regulation, as it is of Canadian legislation incorporating the CSA’s Model Code for the Protection of Personal Information. In several EU countries and Switzerland, the organization may or must designate an internal data protection officer who reviews and maintains a “registry” of PII processing in the organization, renders a written opinion on proposals for handling sensitive categories of data, and reports directly to the highest level of management.
Increasingly, laws and regulations governing PII mandate a risk-based, written security policy. In the US, the HIPAA and GLBA privacy and security rules require written policies, as do the “Red Flag Rules” adopted by the Federal Trade Commission and the federal financial regulatory bodies to combat identity theft. The Massachusetts Personal Information Security Regulation requires a written information security policy (commonly called a “WISP”) covering the categories of data for which security breach notices are required. The Canadian CSA standard and several European countries similarly require or recommend written security policies, documented procedures, and approvals by the governing body of a company or agency.
E-government laws and executive policies in the US and Canada require agencies to designate a privacy officer, reporting to a senior agency executive, with oversight by an auditor or inspector general from outside the agency (or by the federal or provincial privacy commissioner, in Canada). US and Canadian federal agencies are also now generally required to prepare a privacy impact assessment (PIA), identifying PII needs and measures to mitigate privacy risks, before implementing a new or substantially modified information system that includes PII.
Some companies and nonprofits in North America and Europe follow a similar approach of requiring the responsible manager to prepare a PIA for review by a privacy officer and, if there are serious objections, by executive management. Some also undertake a baseline privacy audit to determine where the organization is already handling PII and where it might be at risk. Periodic security audits are common in many organizations, but the scope often needs to be adjusted to include protected categories of PII.
A variety of vendors offer “GRC” (governance, risk, and compliance) software tools and databases to help automate the task of identifying PII in the organization’s information systems and checklisting PII compliance requirements and actions. These can be helpful, although there is inevitably a need for knowledgeable individuals to review the scope, methodology, and results.
As much PII processing is ultimately outsourced, and PII is often exchanged with business partners, a key aspect of compliance is contract management. HIPAA and GLBA, the Canadian CSA standards incorporated in PIPEDA and provincial laws, and the EU Data Protection Directive all require a measure of due diligence in contracting with vendors to handle PII. Contracts that refer to the confidentiality of proprietary information should also address the confidentiality and security of PII. The procurement function in the organization needs to be made aware of PII risks and requirements, and procurement and legal personnel should ensure that there are appropriate confidentiality and indemnification clauses, security schedules, and any required provisions to meet sectoral requirements or legal conditions for cross-border transfers of PII (e.g., from the EU to the US or India). In some cases, it is practical and appropriate to make contractual reference to established information security management and control standards such as ISO 27001 / 27002, PCI-DSS, or NIST 800 series guidelines. An aspect of information governance is setting policies for such contract requirements and monitoring procurement practices that involve PII, since accountability itself can rarely be outsourced.
Trends and Keys
The privacy and data protection laws and PII security and breach notification legislation have motivated organizations to better understand changing legal requirements, to inventory their collection, use, and sharing of PII, and to minimize the use or retention of sensitive PII throughout the organization. In some companies that means, for example, reducing the instances where SSNs and other official identifiers are recorded or communicated, encrypting PII, outsourcing payment card verification, and imposing stricter data destruction schedules on customer and employee records.
Organizations have also been driven to establish or update written policies and procedures for handling PII, and then include these in training and internal audits, as well as in contracts with third parties.
Another trend has been to raise information governance to a more centralized and higher level of management and reporting, with privacy officers and IT security managers reporting to senior executives rather than to middle managers. This is an understandable result of high-profile privacy and security lapses affecting the organization or its peers, as well as of SOX, security breach notice laws, FTC and state investigations, and pressure from privacy commissioners and sectoral regulators.
From our observation, and from reports by professional associations and conference participants, it appears that two elements are key to the success of organizations that have established effective information governance relating to PII: a high-level champion that the CEO, board, and business managers will listen to, and a liaison team to review PII issues and make recommendations to management. Depending on the structure and mission of the organization, the privacy liaison team might include representatives of several functions that deal with PII: IT, security, HR, customer relations, marketing, government relations, labor relations, legal, compliance, audit, procurement or contract management, product development, international subsidiaries (subject to different PII rules). It is not hard to imagine who should have a seat at the table (or more likely on the email list and occasional conference call), but it may be a challenge to identify who will convene and lead the team, unless the organization has already designated a chief privacy officer or equivalent position.
In the end, good information governance depends not only on procedures and tools but on the quality, drive, and authority of those who lead the effort.