Presentation - gener8tor - Data Privacy, Security, and Rights 130627

June 27, 2013

Jason Haislmaier [email protected]

Data Privacy, Security, Rights

Copyright 2013 Jason D. Haislmaier

Copyright 2013 BryanCave LLP

This presentation is intended for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances, nor is it intended to address specific legal compliance issues that may arise in particular circumstances. Please consult counsel concerning your own situation and any specific legal questions you may have.

The thoughts and opinions expressed in this presentation are those of the individual presenters and do not necessarily reflect the official or unofficial thoughts or opinions of their employers.

For further information regarding this presentation, please contact the presenter(s) listed in the presentation.

Unless otherwise noted, all original content in this presentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License available at: http://creativecommons.org/licenses/by-sa/3.0/us.

description

Data privacy, security and rights presentation given to the Gener8tor companies on June 27, 2013, covering data privacy and data security rights issues relevant to startups and the evolution of the value of data.

Transcript of Presentation - gener8tor - Data Privacy, Security, and Rights 130627

Page 1: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Copyright 2012 Bryan Cave Copyright 2013 BryanCave LLP Copyright 2013 BryanCave LLP

June 27, 2013

Jason Haislmaier

[email protected]

Data Privacy, Security, Rights


Page 2: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Data

Privacy

Security

Rights


Increasing importance

Increasing value

Data

Page 3: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Data as Property


What “rights” protect data?

Page 4: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


No specific comprehensive legal protection for data or databases in the US


• Trademarks: Branding and Identity

• Patents: Ideas and Inventions

• Trade Secrets: “Know-How”

• Copyrights: Creative Expressions

Page 5: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Data Rights

• No specific comprehensive protections under US law

• Limited protections may be available through traditional IP laws

– Copyright

– Trade secret

– Contract

– Other legal theories (but generally limited)

• Growing data privacy and security protections are also shaping rights in data

– General purpose laws

– Industry-specific federal laws

– State data security and privacy laws

– Increasing federal (and state) enforcement actions

In General


Traditional IP laws provide limited and inconsistent protections

Data Rights

Page 6: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Other sources of protection. . .


[Diagram: Data Rights, Data Privacy and Data Security, with sources of protection: Copyright, Trade Secret, Contract, Industry Practice, State Law, FTC Action]

Page 7: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Contracts

Terms of Service

Privacy Policy


• Emerging as a primary form of protection for data

• Permit broad protection, potentially even over data and databases not subject to traditional IP protection

• Limited to the entities bound by the contract

• Even where traditional IP protection is not available, contracts have become critical to obtaining and clarifying rights in data

– Each form of IP has its own rules regarding ownership

– Left to applicable law, ownership is often (very) unclear

– At best this leaves the potential for confusion

– Assignments and licenses are preferred to clarify these rights

• Industry expectations have risen with the rising value of data

– Contracts required to evidence adequate rights in transactions involving data

– Not unlike rights in software itself

Contracts

Contract Rights in Data

Page 8: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Data Privacy

Data Security


No specific comprehensive data privacy or data security legislation in the US

Page 9: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Established Standards

Growing Expectations


“Promises” not just Policies

Compliance

Page 10: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Jon Leibowitz

Chairman of the FTC

Speaking on the settlement

“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users.”


Jon Leibowitz

Chairman of the FTC

Speaking on the settlement

“Innovation does not have to come at the expense of consumer privacy.”

Page 11: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Speaking on the settlement

“We've made a bunch of mistakes.”

Mark Zuckerberg

CEO of Facebook


• State consumer protection statutes

– All 50 states

– Prohibitions on “unfair or deceptive” trade practices

• Data breach notification statutes

– At least 46 states (DC and various US territories)

– Notification of state residents (and perhaps regulators) affected by unauthorized access to sensitive personal information

• Data safeguards statutes

– (Significant) minority of states

– Safeguards to secure consumer information from unauthorized access

• Data privacy statutes

– Online privacy policies covering use and sharing of consumer information

– Use of personal information for direct marketing purposes

Growing Array of Relevant State Laws

Data Privacy and Security

Page 12: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


• EU Data Protection Directive (95/46/EC)

• Regulates the processing of personal data of EU subjects

– Broad scope of “personal data”

– Restricts processing unless stated conditions are met

– Prohibits transfer to countries not offering adequate levels of protection

• Requires the member countries to pass consistent laws (more or less)

• US Department of Commerce-negotiated “Safe Harbor Principles” enable transfers to US companies

– Self-certification regime

– Allows US companies to register as compliant

– FTC oversight

• Proposed overhaul in the works (announced Jan. 25, 2012)

Longstanding Comprehensive EU Regulations

Data Privacy and Security


• Consumer credit - Fair Credit Reporting Act (FCRA)

• Financial services - Gramm Leach Bliley Act (GLBA)

• Healthcare providers - Health Insurance Portability and Accountability Act (HIPAA)

• Children (under 13) - Children’s Online Privacy Protection Act (COPPA)

• Video content - Video Privacy Protection Act

• Other statutes covering education, payment processing, etc.

Industry-specific Federal Statutes

Data Privacy and Security

Page 13: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Federal Trade Commission Act (15 U.S.C. 41, et seq)

“Unfair or deceptive acts or practices”


• Trend toward increasing enforcement

– More than 45 actions to date

– More than 25 in the last 6 years

– Many more investigated but not brought

• Covering largely electronically stored data and information

• Targeting data security as well as data privacy

• Increasing trend toward mobile data privacy and security

Increasing Activity

FTC Enforcement Actions

Page 14: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Emerging Models For Compliance

FTC Enforcement Actions


• 20 year term

• Cease misrepresentations regarding practices for information security, privacy, confidentiality, and integrity

• Conduct assessment of reasonably-foreseeable, material security risks

• Establish comprehensive written information security and privacy program

• Designate employee(s) to coordinate and be accountable for the program

• Implement employee training

• Conduct biennial independent third party security and privacy assessments

• Implement multiple record-keeping requirements

• Implement regular testing, monitoring, and assessment

• Undergo periodic reporting and compliance requirements

• Impose requirements on service providers

Legislation by Consent Decree

FTC Enforcement Actions

Page 15: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Not just enforcement. . .

Standards

Best practices

Codes of Conduct


Mobile Applications

Page 16: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


• FTC report on Children’s Mobile Apps and Privacy (Feb. 16, 2012)

– Large number of apps (75%) targeted at children (under 13)

– Apps did not provide good privacy disclosures

– Will conduct additional COPPA compliance reviews over the next 6 months

• FCRA Warning letters (Feb. 2012)

– FTC sent letters to marketers of 6 mobile apps

– Warned that apps may violate Fair Credit Reporting Act (FCRA)

– If apps provide a consumer report, must comply with FCRA requirements

• FTC Dot Com Disclosures Workshop (May 30, 2012)

– New guidance for advertisers on disclosures in the online and mobile environment

– Focus on advancements and developments since the FTC issued its “Dot Com Disclosures” guidelines for online advertising disclosure (released in 2000)

– Emphasis on the notion that consumer protection laws apply equally to online and mobile marketers

Lots of Activity

Page 17: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


• The mobile market is not different from the Internet

• General “guidelines” or “principles” for mobile app developers

– Tell the Truth About What Your App Can Do

– Disclose Key Information Clearly and Conspicuously

– Build Privacy Considerations in From the Start

– Offer Choices that are Easy to Find and Easy to Use

– Honor Your Privacy Promises

– Protect Kids’ Privacy

– Collect Sensitive Information Only with Consent

– Keep User Data Secure

• Acknowledges there can be no “one-size-fits-all” approach

• But also states that the laws apply to all companies

FTC Guide To Marketing Mobile Apps


What Should You Do?

Page 18: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


Make each use of data a knowing (and compliant) use of data

Know your data

Page 19: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


You

?

Page 20: Presentation - gener8tor - Data Privacy, Security, and Rights 130627


• We are in an era of increasing data value

• Increasing value means greater focus on data rights

• We do not have the benefit of strong and comprehensive laws to match

• Data “rights” are defined through an increasingly broad array of sources

– Traditional IP rights

– Contract protections

– Growing data privacy and data security obligations

• Understand the protections, understand the inconsistencies

• Appreciate the growing standards and expectations

• Issues relating to data will only continue to increase (transactions and litigation)

Lessons Learned

Closing Thoughts


Thank You.

Jason Haislmaier [email protected]

@haislmaier

http://www.linkedin.com/in/haislmaier