Advisories
Protecting Your Business with Strong Operational Privacy Controls
By Paul Glist, Christin S. McMeley, and Daniel P. Reing
09.19.13
For decades basic requirements to secure business records have been rooted in various legal silos, from corporate governance to rules of evidence to the discrete privacy rules that govern select technologies. Today, however, data security is becoming an integral part of how government authorities, the press, and the public judge how well companies protect personal privacy—and whether they can be trusted to do so without the need for even more intrusive mandatory laws and regulations. Incorporating robust operational controls over how personally identifiable information (PII) is secured, and thus how consumers’ privacy is maintained, will be key to an organization’s ability to avoid future enforcement actions, comply with looming legislative or regulatory action, and sustain consumer confidence.
Federal and State Direction
This expanded focus on what and how information must be secured to protect privacy is evident from increased activity at both the federal and state levels.
The FTC, for example, changed the privacy debate in its 2012 white paper entitled Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. Before that white paper, information was either PII or not; consumers suffered tangible harm from intrusion or they did not. After the white paper, the lines grew blurred: information purged of name and address could still be “personal,” and consumer fears could be cognizable in law, even if no tangible harm was suffered. In the more subtle new world, how a company secures and handles information may very well determine whether “personal” information has been shown enough respect to dissipate “harmful” fears and meet the rising expectations for privacy protection.
The FTC has taken this approach on the road. In one of the few areas where it has rulemaking authority, it added security obligations to COPPA. Where it does not have rulemaking authority, it has taken enforcement action against companies of various sizes and in various industries for not delivering consumers promised or “reasonable and appropriate” security—whether or not any consumer suffered direct harm—especially when such security defenses were publicly available at low or no cost. The vast majority of these target companies—including Facebook, Google, and most recently TRENDnet—reach settlements with the FTC that include establishing comprehensive security programs with robust operational controls. Companies like Wyndham Hotels and LabMD are challenging the FTC’s authority to enforce what they call “arbitrary” security standards that have not been formally promulgated. But the fact remains that the FTC continues to bring enforcement actions; privacy issues continue to dominate discussions in the legislative, regulatory and public arenas; and those discussions increasingly call for operational controls to ensure the security of information, and thereby ensure privacy compliance.
The Department of Health and Human Services (HHS) has also been busy bringing enforcement actions against companies that have failed to take proper measures to secure patients’ personal health information (PHI). In August, HHS published a $1.2 million settlement with a company that failed to wipe PHI from the hard drive of a leased photocopier before turning it back in to the leasing company, a precaution that would be wise for any company handling PII.
Federal agencies are not alone. State legislatures and attorneys general have certainly not waited for the federal government to enact uniform legislation before taking on privacy and data security themselves. Many state data breach laws have built-in incentives to encrypt stored personal information. Massachusetts and Nevada have taken the direct route by imposing encryption and data security requirements, regardless of breach. Fourteen states currently require that data breach notifications be sent to the attorney general’s office. Maryland Attorney General Doug Gansler made privacy a priority of the National Association of Attorneys General and a priority for Maryland. Numerous attorneys general have followed suit by creating Internet privacy units within their offices, claiming existing authority to treat data breaches or failure to meet privacy promises as unfair and deceptive trade practices under state law, and often coordinating their privacy enforcement. Gansler and Connecticut’s Attorney General George Jepsen met Living Social’s recent breach notice with lengthy and detailed requests for additional information. Jepsen’s Privacy Task Force teamed up with California Attorney General Kamala Harris to investigate a breach of an online credit card security system and reached an Aug. 29, 2013 settlement. Harris’s Privacy Unit is aggressively pursuing privacy enforcement actions and seeking new enforcement hooks through state privacy legislation. Harris recently recommended that the state legislature require encryption for data in transit, and expand “personal information” to include online credentials such as email addresses or other usernames and the passwords that would permit access to an account. Nebraska and Pennsylvania statutes explicitly provide that it is an unfair business practice for a business to knowingly make a false or misleading statement in an online privacy policy.
Self-Regulation and Multi-Stakeholder Collaboration
In the face of the increased willingness by federal and state authorities to regulate and enforce privacy and security promises and protocols, active self-regulation and multi-stakeholder processes have become more important to demonstrate that industry understands the importance of keeping personal information secure.
Of course, security has long been a part of Fair Information Practice Principles (FIPPs), and any company that holds itself to FIPPs standards has long had security obligations. Under the White House privacy initiative and the Commerce Department “bill of rights,” personal data (broadly defined) must be secured. But security has taken on new momentum in the many multi-stakeholder processes now underway. In the World Wide Web Consortium’s (W3C) Do-Not-Track (DNT) process, the debate shifted away from a stark black and white world in which data was either personal or anonymous and consumers were either tracked or not tracked, and moved to a more nuanced acceptance of the controlled usage of information if permitted uses are delimited and security measures protect against unpermitted uses. The same approach—embedding data security principles as part of privacy protection frameworks—is part of NTIA’s multi-stakeholder work on mobile privacy, and in NIST guidance on how to de-identify information. Various draft privacy bills echoed similar themes in prior Congresses—securing consumer information is necessary to ensure that consumers are protected in their privacy choices.
In attacking the problem of cybersecurity for critical infrastructure, NIST, with industry participation, is already paving a formal road for migrating from occasional efforts to secure data systems to systematic security built into company procedures and treating cybersecurity risk as a part of an organization’s overall risk management portfolio. The draft NIST framework, although voluntary, paints a picture of what potential litigants may claim to be the de facto reasonable standard for cybersecurity. The current environment at both the state and federal levels suggests that similar standards may be imposed on companies’ handling and securing of personal data.
All these trends point industry to adopt robust technical and organizational controls on data.
What do you do? What can you do?
In this environment, it is worth asking yourself (and your legal, IT, engineering, product development, marketing, HR and finance departments) just how well you secure data that government authorities, the press, and the public may judge to be threateningly personal. It is not enough to assume that IT is “handling it.” All departments need to partner with other groups in the organization who collect, access, store or use customer and employee information. What is “reasonable” will depend on the company’s size, business and technological capabilities as well as the nature and amount of information it collects. But you should specifically ask:
Not long ago, C-level executives might have been skeptical about investing resources in privacy, but today, there are some pretty clear reasons for investing.
Federal and State Direction
This expanded focus on what and how information must be secured to protect privacy is evident from increased activity at both the federal and state levels.
The FTC, for example, changed the privacy debate in its 2012 white paper entitled Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. Before that white paper, information was either PII or not; consumers suffered tangible harm from intrusion or they did not. After the white paper, the lines grew blurred: information purged of name and address could still be “personal,” and consumer fears could be cognizable in law, even if no tangible harm was suffered. In the more subtle new world, how a company secures and handles information may very well determine whether “personal” information has been shown enough respect to dissipate “harmful” fears and meet the rising expectations for privacy protection.
The FTC has taken this approach on the road. In one of the few areas where it has rulemaking authority, it added security obligations to COPPA. Where it does not have rulemaking authority, it has taken enforcement action against companies of various sizes and in various industries for not delivering consumers promised or “reasonable and appropriate” security—whether or not any consumer suffered direct harm—especially when such security defenses were publicly available at low or no cost. The vast majority of these target companies—including Facebook, Google, and most recently TRENDnet—reach settlements with the FTC that include establishing comprehensive security programs with robust operational controls. Companies like Wyndham Hotels and LabMD are challenging the FTC’s authority to enforce what they call “arbitrary” security standards that have not been formally promulgated. But the fact remains that the FTC continues to bring enforcement actions; privacy issues continue to dominate discussions in the legislative, regulatory and public arenas; and those discussions increasingly call for operational controls to ensure the security of information, and thereby ensure privacy compliance.
The Department of Health and Human Services (HHS) has also been busy bringing enforcement actions against companies that have failed to take proper measures to secure patients’ personal health information (PHI). In August, HHS published a $1.2 million settlement with a company that failed to wipe PHI from the hard drive of a leased photocopier before turning it back in to the leasing company, a precaution that would be wise for any company handling PII.
Federal agencies are not alone. State legislatures and attorneys general have certainly not waited for the federal government to enact uniform legislation before taking on privacy and data security themselves. Many state data breach laws have built-in incentives to encrypt stored personal information. Massachusetts and Nevada have taken the direct route by imposing encryption and data security requirements, regardless of breach. Fourteen states currently require that data breach notifications be sent to the attorney general’s office. Maryland Attorney General Doug Gansler made privacy a priority of the National Association of Attorneys General and a priority for Maryland. Numerous attorneys general have followed suit by creating Internet privacy units within their offices, claiming existing authority to treat data breaches or failure to meet privacy promises as unfair and deceptive trade practices under state law, and often coordinating their privacy enforcement. Gansler and Connecticut’s Attorney General George Jepsen met Living Social’s recent breach notice with lengthy and detailed requests for additional information. Jepsen’s Privacy Task Force teamed up with California Attorney General Kamala Harris to investigate a breach of an online credit card security system and reached an Aug. 29, 2013 settlement. Harris’s Privacy Unit is aggressively pursuing privacy enforcement actions and seeking new enforcement hooks through state privacy legislation. Harris recently recommended that the state legislature require encryption for data in transit, and expand “personal information” to include online credentials such as email addresses or other usernames and the passwords that would permit access to an account. Nebraska and Pennsylvania statutes explicitly provide that it is an unfair business practice for a business to knowingly make a false or misleading statement in an online privacy policy.
Self-Regulation and Multi-Stakeholder Collaboration
In the face of the increased willingness by federal and state authorities to regulate and enforce privacy and security promises and protocols, active self-regulation and multi-stakeholder processes have become more important to demonstrate that industry understands the importance of keeping personal information secure.
Of course, security has long been a part of Fair Information Practice Principles (FIPPs), and any company that holds itself to FIPPs standards has long had security obligations. Under the White House privacy initiative and the Commerce Department “bill of rights,” personal data (broadly defined) must be secured. But security has taken on new momentum in the many multi-stakeholder processes now underway. In the World Wide Web Consortium’s (W3C) Do-Not-Track (DNT) process, the debate shifted away from a stark black and white world in which data was either personal or anonymous and consumers were either tracked or not tracked, and moved to a more nuanced acceptance of the controlled usage of information if permitted uses are delimited and security measures protect against unpermitted uses. The same approach—embedding data security principles as part of privacy protection frameworks—is part of NTIA’s multi-stakeholder work on mobile privacy, and in NIST guidance on how to de-identify information. Various draft privacy bills echoed similar themes in prior Congresses—securing consumer information is necessary to ensure that consumers are protected in their privacy choices.
In attacking the problem of cybersecurity for critical infrastructure, NIST, with industry participation, is already paving a formal road for migrating from occasional efforts to secure data systems to systematic security built into company procedures and treating cybersecurity risk as a part of an organization’s overall risk management portfolio. The draft NIST framework, although voluntary, paints a picture of what potential litigants may claim to be the de facto reasonable standard for cybersecurity. The current environment at both the state and federal levels suggests that similar standards may be imposed on companies’ handling and securing of personal data.
All these trends point industry to adopt robust technical and organizational controls on data.
What do you do? What can you do?
In this environment, it is worth asking yourself (and your legal, IT, engineering, product development, marketing, HR and finance departments) just how well you secure data that government authorities, the press, and the public may judge to be threateningly personal. It is not enough to assume that IT is “handling it.” All departments need to partner with other groups in the organization who collect, access, store or use customer and employee information. What is “reasonable” will depend on the company’s size, business and technological capabilities as well as the nature and amount of information it collects. But you should specifically ask:
- Who is responsible for your organization’s security program?
- Have you identified your data assets and determined the need for protection as a result of legal requirements and business need?
- Do you run background checks on personnel who handle protected data?
- Do you have the paper trail of NDAs, records of access, retention policies and internal audits?
- Do you go beyond paper policies and train personnel who handle protected data? Do you periodically refresh and reinforce that training (e.g. implementing “pop-quizzes” or internal “spear-phishing” attempts)?
- Do you physically secure your computers and servers against unauthorized physical access?
- Do you restrict access to protected information to need-to-know personnel?
- Do you secure networked workstations and other devices with firewalls, password policies, and centralized patch management?
- Do you secure your network perimeter, limit remote access and maintain intrusion detection and response systems? Do you review the logs, monitor alarms, and respond accordingly?
- Do you protect data at rest and in transit?
- Do you periodically conduct risk assessments and test your network against penetration?
- Do you have policies, procedures, and teams in place to respond immediately to breach?
- Do you have contracts in place that commit service providers, vendors and other counterparties to security, limited data uses, audit and breach response, and indemnity?
Not long ago, C-level executives might have been skeptical about investing resources in privacy, but today, there are some pretty clear reasons for investing.
- First, the press or Capitol Hill can shut you down, as both did to NebuAd. Both expect privacy protections, whether or not they are “the law” or required by the opinion letter you have. The FTC is already treating conduct it deems offensive to those expectations as an unfair or deceptive act that it can punish without waiting for any new law—and state AGs are following suit. Your product needs to protect privacy, and not be seen as an affront to consumer or political expectations. At minimum, respecting privacy is insurance.
- Second, responsible privacy policies can create trust, and trust is valued currency in the market and before government.
- Third, proactively adopting security measures can help you retain your freedom to innovate and change. Sooner or later, rules are coming—whether legislative or “voluntary” reasonableness standards. Self-regulation is far more flexible than legislation. What gets fixed into law creates design constraints that cannot keep up with technology. Self-regulatory principles can respect privacy but still adjust rapidly with innovation and changing consumer expectations.