Data Privacy Security Breach Exercise…

Post on 27-Jun-2020


Quick Hits

IAPP KnowledgeNet Detroit
March 19, 2014

Agenda
• Debrief IAPP Summit sessions
• Discuss IAPP Privacy Impact Assessment Tool
• Reprise 2013 in Quick takes
• Next meeting

IAPP Summit Sessions Debrief
• Session at which you presented
• Session(s) attended where you learned something new
• Comments from all as we proceed

Privacy Impact Assessment (APIA) System

Next meeting Topics and Logistics


2013 Reprise Quick Takes


Marketing


Behavioral Targeting
1. iPhone Users Lose Privacy Lawsuit Against – unique ID sent to app developers
2. Google to pay $17 million to states in Apple cookies case – unauthorized cookie placement
3. Hulu Asks Judge To Dismiss Video Privacy Class-Action
4. Google Wins Dismissal of Suit Over Web Browser Cookies
5. Bed Bath & Beyond sued over using zip codes to allegedly send unwanted junk mail

1. http://www.mediapost.com/publications/article/214346/iphone-users-lose-privacy-lawsuit-against-apple.html
2. http://www.macworld.com/article/2064581/google-to-pay-17-million-to-states-in-apple-cookies-case.html
3. http://www.mediapost.com/publications/article/210475/hulu-asks-judge-to-dismiss-video-privacy-class-act.html#ixzz2huSWOaZa
4. http://www.bloomberg.com/news/2013-10-09/google-wins-dismissal-of-suit-over-cookies-on-internet-browsers.html
5. http://www.boston.com/businessupdates/2013/03/21/bed-bath-beyond-sued-over-using-zip-codes-allegedly-send-unwanted-junk-mail/Vx1HtVgAkrMbBuwf037gKN/story.html

Mobile Apps
1. Industry, consumer advocates agree to make it easier to understand mobile app privacy policies
2. FTC Issues Staff Report on Mobile Privacy Disclosures and Announces Settlement with Social Networking Service for Mobile App Privacy Violations
3. Four Ways the FTC's New Privacy Rules Affect Mobile Banking Apps
4. WhatsApp Violates Privacy Laws Over Phone Numbers: Report
5. California AG Has Privacy Recommendations for Mobile Industry

1. http://www.washingtonpost.com/business/technology/industry-groups-agree-to-make-it-easier-to-know-what-data-is-getting-sucked-up-by-a-mobile-app/2013/07/25/8cbd91d6-f54b-11e2-81fa-8e83b3864c36_story.html
2. http://www.huntonprivacyblog.com/2013/02/articles/ftc-issues-staff-report-on-mobile-privacy-disclosures-and-announces-settlement-with-social-networking-service-for-mobile-app-privacy-violations/
3. http://www.americanbanker.com/issues/178_25/four-ways-ftc-new-privacy-rules-affect-mobile-banking-apps-1056466-1.html
4. http://www.reuters.com/article/2013/01/28/us-whatsapp-privacy-idUSBRE90R0T520130128
5. http://www.mercurynews.com/business/ci_22345237/california-ag-has-privacy-recommendations-mobile-industry

Geo-location Tracking
1. Location Tracking: Now Coming to a Government, Employer and Retailer Near You
2. Their Apps Track You. Will Congress Track Them
3. Tracking Shoppers Via Smartphones Is A Major Invasion Of Privacy
4. How stores use your phone’s WiFi to track your shopping habits
5. Retail Surveillance Is About To Make Your Online Targeting Seem A Lot Less Creepy

1. https://www.privacyassociation.org/publications/location_tracking_now_coming_to_a_government_employer_and_retailer_near_you
2. http://www.nytimes.com/2013/01/06/technology/legislation-would-regulate-tracking-of-cellphone-users.html?ref=technology&_r=0
3. http://newyork.cbslocal.com/2013/07/28/schumer-tracking-shoppers-via-smartphones-is-a-major-invasion-of-privacy/
4. http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/19/how-stores-use-your-phones-wifi-to-track-your-shopping-habits/
5. http://www.mediapost.com/publications/article/196878/retail-surveillance-is-about-to-make-your-online-t.html#axzz2PLVWplvY

Facial Recognition
1. I See You: The Databases That Facial-Recognition Apps Need to Survive
2. Privacy and Facial Recognition Technology - multi-stakeholder process round two
3. Feds schedule eight public meetings to examine facial recognition and privacy
4. How brands are using facial recognition to transform marketing
5. When Stores, and Credit Firms, Watch You Shop

1. http://www.theatlantic.com/technology/archive/2014/01/i-see-you-the-databases-that-facial-recognition-apps-need-to-survive/283294/
2. http://www.ntia.doc.gov/blog/2013/privacy-and-facial-recognition-technology
3. http://www.gsnmagazine.com/node/39378?c=access_control_identification
4. http://www.washingtonpost.com/business/on-it/how-brands-are-using-facial-recognition-to-transform-marketing/2013/04/15/dcf3a7da-a483-11e2-bd52-614156372695_story.html
5. http://www.marketplace.org/topics/business/when-stores-and-credit-firms-watch-you-shop

Do Not Track
1. Dataium Settles Browser History Sniffing Charges
2. DoNotTrackMe browser extension creates 'disposable' data for privacy
3. Do Not Track effort at a crossroads
4. W3C Do Not Track in Limbo
5. DMA Places Focus on ‘Do Not Track’ – Making Case for Self-Regulation

1. http://www.informationweek.com/security/compliance/dataium-settles-browser-history-sniffing-charges/d/d-id/1112817?f_src=informationweek_gnews
2. http://www.pcworld.com/article/2066280/browser-extension-creates-disposable-data-for-privacy.html
3. http://thehill.com/blogs/hillicon-valley/technology/326855-this-week-in-tech-do-not-track-effort-at-a-crossroads#ixzz2huYlMMId
4. https://www.privacyassociation.org/publications/w3c_do_not_track_in_limbo
5. http://www.aboutads.info/blog/dma-places-focus-%E2%80%98do-not-track%E2%80%99-%E2%80%93-making-case-self-regulation

Children
1. Another California Based Mobile App Developer Settles with New Jersey AG’s Office Over Child Privacy Violation Allegations
2. FTC Hands Down New Online Privacy Rules for Children
3. COPPA and Signaling

1. https://www.huntonprivacyblog.com/2013/12/articles/another-california-based-mobile-app-developer-settles-new-jersey-ags-office-child-privacy-violation-allegations/
2. http://thehill.com/blogs/regwatch/1465-pending-regs/277507-ftc-hands-down-new-online-privacy-rules-for-children#ixzz2IAiStTnO
3. https://techatftc.wordpress.com/2013/01/02/coppa-and-signaling/

California
1. Guidelines to Healthcare Industry on Medical Identity Theft
2. California Amends Online Privacy Policy Law to Require Tracking Disclosures – AB370
3. California Expands Online Privacy Law to Bolster Protection for Minors – AB 568
4. New hope for Do Not Track as California enacts ad disclosure law

1. https://www.privacyassociation.org/resource_center/guidelines_to_healthcare_industry_on_medical_identity_theft
2. http://www.huntonprivacyblog.com/2013/09/articles/california-amends-online-privacy-policy-law-to-require-tracking-disclosures/
3. http://www.huntonprivacyblog.com/2013/09/articles/california-expands-online-privacy-law-to-bolster-protection-for-minors/
4. http://www.theverge.com/2013/9/30/4789078/new-hope-for-do-not-track-as-california-enacts-ad-disclosure-law

Social Media
1. Yahoo Sued for Eavesdropping on E-Mail Communications With Non-Yahoo Users
2. Facebook Hit With New Privacy Lawsuit Over Message Scanning
3. Google Accused in Suit Again of Violating Privacy Policy
4. Facebook, Zynga Users Try to Revive Privacy Claims on Appeal
5. Court Grants Final Approval To Class Action Settlement Over AOL's 2006 Anonymization Failure; Big Data Precursor Settles For Millions

1. http://www.bna.com/yahoo-sued-eavesdropping-n17179877668/
2. http://www.mediapost.com/publications/article/218023/facebook-hit-with-new-privacy-lawsuit-over-message.html
3. http://www.bloomberg.com/news/2014-01-17/google-violated-privacy-policy-users-say-in-new-complaint-1-.html
4. http://www.businessweek.com/news/2014-01-17/facebook-zynga-users-seek-to-revive-privacy-claims-on-appeal
5. http://www.mondaq.com/unitedstates/x/243962/Data+Protection+Privacy/Court+Grants+Final+Approval+To+Class+Action+Settlement+Over+AOLs+2006+Anonymization+Failure+Big+Data+Precursor+Settles+For+Millions

The Internet of Things
1. Most People Are Cool with 'Smart Toilets' That Share Their Personal Data
2. LG promises firmware update will fix smart TV privacy snafu
3. Can We Adapt to the Internet of Things?
4. Smart Homes: Our Next Digital Privacy Nightmare
5. Disruptions: At Odds Over Privacy Challenges of Wearable Computing

2. http://crave.cnet.co.uk/televisions/lg-promises-firmware-update-will-fix-smart-tv-privacy-snafu-50012828/
3. https://www.privacyassociation.org/privacy_perspectives/post/can_we_adapt_to_the_internet_of_things
4. http://readwrite.com/2013/03/18/smart-homes-our-next-digital-privacy-nightmare
5. http://bits.blogs.nytimes.com/2013/05/26/disruptions-at-odds-over-privacy-challenges-of-wearable-computing/

Health Care
1. The spread of mobile telephones opens new possibilities for delivering healthcare services cheaply and effectively to more people, but data privacy rules have failed to keep pace
2. FDA Issues Guidance on Medical Device Cybersecurity
3. Online Campaign For 23andMe Violated Ad Privacy Code, BBB Says
4. Poking Holes in Genetic Privacy
5. Accord Aims to Create Trove of Genetic Data

1. http://www.trust.org/item/20130625074016-vba1w/?source=hpeditorial
2. https://www.privacyassociation.org/privacy_tracker/post/fda_issues_guidance_on_medical_device_cybersecurity
3. http://www.mediapost.com/publications/article/213917/online-campaign-for-23andme-violates-ad-privacy-co.html
4. http://www.nytimes.com/2013/06/18/science/poking-holes-in-the-privacy-of-dna.html?pagewanted=all&_r=0
5. http://www.nytimes.com/2013/06/06/health/global-partners-agree-on-sharing-trove-of-genetic-data.html?pagewanted=all&_r=2&%27&

HIPAA
1. Court ruling in lost PHI case muddies HIPAA waters – lost encrypted hard drive w/o confirmation of access
2. HHS Releases Model Notices of Privacy Practices
3. HIPAA omnibus changes to notice of privacy practices for PHI
4. HHS Issues Final HIPAA Omnibus Rule
5. HIPAA Update Tightens Data Breach Liability Risks for IT Companies

1. http://www.mhealthnews.com/news/court-ruling-lost-phi-case-muddies-hipaa-waters
2. http://www.huntonprivacyblog.com/2013/09/articles/hhs-releases-model-notices-of-privacy-practices/
3. http://healthitsecurity.com/2013/05/21/hipaa-omnibus-changes-to-notice-of-privacy-practices-for-phi/
4. https://www.privacyassociation.org/publications/2012_01_18_hhs_issues_final_hipaa_omnibus_rule
5. http://www.eweek.com/security/hipaa-update-tightens-data-breach-liability-risks-for-it-companies/

DNA
1. Privacy Experts: Supreme Court Ruling on DNA Swabs Could Lead to Big Brother Scenario
2. Police can collect DNA from arrestees, court says

1. http://www.usnews.com/news/articles/2013/06/04/privacy-experts-supreme-court-ruling-on-dna-swabs-could-lead-to-big-brother-scenario
2. http://www.boston.com/news/nation/washington/2013/06/03/court-police-can-take-dna-swabs-from-arrestees/ydXPxGEPtmmYwo2B2n0wrK/story.html

HR
1. BYOD Became the 'New Normal' in 2013
2. Layoffs, terminations, resignations -- here's how not to get burned when employees leave with their devices
3. Is there a BYOD escape clause at your company?
4. Bosses May Use Social Media to Discriminate Against Job Seekers

1. http://news.idg.no/cw/art.cfm?id=7CF46A2C-ACCB-44BD-D80C82196E2CA87E
2. http://www.infoworld.com/d/consumerization-of-it/byod-blues-what-do-when-employees-leave-220993
3. http://www.zdnet.com/is-there-a-byod-escape-clause-at-your-company-7000013616/
4. http://online.wsj.com/news/articles/SB10001424052702303755504579208304255139392?tesla=y

Litigation
1. HTC America Settles FTC Charges It Failed to Secure Millions of Mobile Devices Shipped to Consumers - settlement requires HTC America to develop and release software patches to fix vulnerabilities found in millions of HTC devices.
2. Remember When Path Stole All Of Its Users Contacts? App to Pay FTC $800,000. – data collection
3. Netflix Finalizes $9 Million Privacy Settlement - requires Netflix to stop linking former subscribers' names with their movie-viewing history
4. Obama Signs Netflix-Backed Amendment to Video Privacy Law
5. SCOTUS to hear phone search case – cellphone w/o warrant

1. http://ftc.gov/opa/2013/02/htc.shtm
2. http://blogs.forbes.com/kashmirhill/
3. http://www.mediapost.com/publications/article/196486/netflix-finalizes-9-million-privacy-settlement.html#ixzz2OUCjm3Bf
4. http://news.cnet.com/8301-1023_3-57563408-93/obama-signs-netflix-backed-amendment-to-video-privacy-law/
5. http://www.politico.com/story/2014/01/supreme-court-cellphone-search-cases-102329.html#ixzz2rjVAayY6

Regulatory Actions
1. The SEC’s Cybersecurity Guidelines: A Potential Game-Changer for How Companies Disclose Risks of Cybersecurity Breaches
2. FTC Settles with Twelve Companies Falsely Claiming to Comply with International Safe Harbor Privacy Framework
3. FTC v. Wyndham: Round
4. Aaron's Rent-To-Own Chain Settles FTC Charges That it Enabled Computer Spying by Franchisees
5. FTC Staff Revises Online Advertising Disclosure Guidelines

1. https://www.privacyassociation.org/publications/2013_01_22_the_secs_cybersecurity_guidelines_a_potential_game_changer_for
2. http://www.ftc.gov/news-events/press-releases/2014/01/ftc-settles-twelve-companies-falsely-claiming-comply
3. https://www.privacyassociation.org/publications/ftc_v._wyndham_round_one
4. http://www.ftc.gov/opa/2013/10/aarons.shtm
5. http://www.ftc.gov/opa/2013/03/dotcom.shtm

Regulatory Actions - FCRA
1. TeleCheck to Pay $3.5 Million for Fair Credit Reporting Act Violations
2. FTC Settlement Targets Mobile App Background Checks
3. Kmart Settles FCRA Class Action for $3 Million
4. FTC Settlement Targets Mobile App Background Checks

1. http://www.ftc.gov/news-events/press-releases/2014/01/telecheck-pay-35-million-fair-credit-reporting-act-violations
2. http://www.huntonprivacyblog.com/2013/01/articles/ftc-settlement-targets-mobile-app-background-checks/#more-3865
3. http://www.huntonprivacyblog.com/2013/02/articles/kmart-settles-fcra-class-action-for-3-million/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+PrivacyInformationSecurityLawBlog+%28Privacy+%26+Information+Security+Law+Blog%29
4. http://www.huntonprivacyblog.com/2013/01/articles/ftc-settlement-targets-mobile-app-background-checks/#more-3865

Regulatory Actions - FCC
1. Federal Court Rules All Debt-Collection Calls Exempt from TCPA
2. Reminder: October 16 Is the Effective Date for the FCC’s Written Consent Rule for Prerecorded Telemarketing Calls and Autodialed Telemarketing to Cellphones
3. Robocalling and Wireless Numbers: Understanding the Regulatory Landscape
4. FCC cites robocallers for illegal campaign calls to cellphones

1. http://www.insidearm.com/daily/debt-collection-news/debt-collection/federal-court-rules-all-debt-collection-calls-exempt-from-tcpa/
2. http://www.privacyandsecuritymatters.com/2013/10/reminder-october-16-is-the-effective-date-for-the-fccs-written-consent-rule-for-prerecorded-telemarketing-calls-and-autodialed-telemarketing-to-cellphones/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+PrivacyAndSecurityMattersBlog+%28Privacy+and+Security+Matters+Blog%29
3. http://apps.americanbar.org/buslaw/blt/content/2013/05/article-01-smith.shtml?goback=.gde_1243587_member_246503759
4. http://www.washingtonpost.com/business/technology/fcc-cites-robocallers-for-illegal-campaign-messages-to-cellphones/2013/03/15/f0014f32-8dac-11e2-9838-d62f083ba93f_story.html

Drones - States - FAA
1. FAA Issues Privacy Rules for Drone Sites
2. FBI Uses Drones in Domestic Surveillance, Mueller Says
3. Can state laws protect you from being watched by drones
4. Idaho restricts drone use by police agencies amid privacy concerns

1. http://www.courthousenews.com/2013/11/20/63093.htm
2. http://www.bloomberg.com/news/2013-06-19/fbi-uses-drones-in-domestic-sureillance-mueller-says.html
3. http://www.washingtonpost.com/blogs/wonkblog/wp/2013/06/18/can-state-laws-protect-you-from-being-watched-by-drones/
4. http://www.chicagotribune.com/news/sns-rt-us-usa-drones-idahobre93b03s-20130411,0,1216395.story

Motor Vehicles
1. AAA urges 'consumer rights' to protect car data
2. Feds: No Warrant Needed to Track Your Car With a GPS Device
3. Car Black Boxes: Privacy Nightmare or a Safety Measure?
4. Privacy and the Car of the Future: Cars Talking to Each Other and to Infrastructure

1. http://www.usatoday.com/story/driveon/2014/01/21/aaa-car-data/4727723/
2. http://www.wired.com/threatlevel/2013/03/gps-warrant-requirement/
3. http://www.latimes.com/business/autos/la-fi-hy-advocates-say-car-black-boxes-could-become-a-privacy-nightmare-20130215,0,5120489.story
4. http://blogs.computerworld.com/privacy/21571/privacy-and-car-future-cars-talking-each-other-and-infrastructure

International
1. Google/Mosley case a reminder to review your online privacy policies
2. Google Fined $1.2 Million by Spain’s Privacy Watchdog
3. THE NETHERLANDS—Dutch DPA Gets Power To Fine

1. http://www.techrepublic.com/blog/web-designer/google-mosley-case-a-reminder-to-review-your-online-privacy-policies/
2. http://www.bloomberg.com/news/2013-12-19/google-fined-1-2-million-by-spain-s-privacy-watchdog.html
3. https://www.privacyassociation.org/publications/the_netherlands_dutch_dpa_gets_power_to_fine

International
1. New EU rules to curb transfer of data to US after Edward Snowden revelations
2. U.S. to EU: Don’t scapegoat Safe Harbor over NSA
3. Commission Gives U.S. 13 Ways To Save Safe Harbor
4. The Plain Truth About Safe Harbor
5. Treacherous Waters: What the World Would Look Like Without Safe Harbor

1. http://www.theguardian.com/world/2013/oct/17/eu-rules-data-us-edward-snowden
2. http://www.politico.com/story/2013/11/us-european-union-safe-harbor-nsa-99495.html#ixzz2l80LoWxs
3. https://www.privacyassociation.org/publications/commission_gives_u.s._13_ways_to_save_safe_harbor1
4. https://www.privacyassociation.org/privacy_perspectives/post/the_plain_truth_about_safe_harbor
5. https://www.privacyassociation.org/privacy_tracker/post/treacherous_waters_what_the_world_would_look_like_without_safe_harbor

International - Cookies
1. French Data Protection Authority Issues Guidance on Cookie Consent and Expiration
2. Cookie-replacement tracking technology would be subject to same 'cookie law' rules, says ICO
3. Italian DPA Releases Rules on Spam and Viral Marketing
4. A Guide to the Spanish Cookie Guidance
5. Informed users’ default browser settings can signal consent to cookies in Poland

1. https://www.huntonprivacyblog.com/2013/12/articles/french-data-protection-authority-issues-guidance-cookie-consent-expiration/
2. http://www.out-law.com/en/articles/2013/november/cookie-replacement-tracking-technology-would-be-subject-to-same-cookie-law-rules-says-ico/
3. https://www.privacyassociation.org/publications/italy_italian_dpa_releases_rules_on_spam_and_viral_marketing
4. https://www.privacyassociation.org/publications/a_guide_to_the_spanish_cookie_guidance
5. http://www.out-law.com/en/articles/2013/april/informed-users-default-browser-settings-can-signal-consent-to-cookies-in-poland-/

International - China
1. Peoples Bank of China Issues Administrative Measures for Credit Reference Agencies
2. State Post Bureau of China Releases Draft Normative Rules Involving Personal Information Protection for Public Comment
3. Recent Data Breach Events in China
4. Evolving Chinese Regulations Both Expand and Restrict Access to Corporate Information
5. China to Enforce First Privacy Protection Standard

1. https://www.huntonprivacyblog.com/2013/12/articles/peoples-bank-china-issues-administrative-measures-credit-reference-agencies/
2. https://www.huntonprivacyblog.com/2013/12/articles/state-post-bureau-china-releases-draft-normative-rules-involving-personal-information-protection-public-comment/
3. https://www.huntonprivacyblog.com/2013/12/articles/recent-data-breach-events-china/
4. http://www.huntonprivacyblog.com/2013/09/articles/evolving-chinese-regulations-both-expand-and-restrict-access-to-corporate-information/
5. http://news.xinhuanet.com/english/china/2013-01/21/c_132117408.htm

International - Asia
1. Malaysian Data Protection Law Takes Effect
2. Malaysia's Data Privacy Act Slow to Take Off
3. New data protection guidelines issued for businesses operating in Singapore

1. https://www.huntonprivacyblog.com/2013/11/articles/malaysian-data-protection-law-takes-effect/
2. http://www.zdnet.com/my/malaysias-data-privacy-act-slow-to-take-off-7000010827/
3. http://www.out-law.com/en/articles/2013/september/new-data-protection-guidelines-issued-for-businesses-operating-in-singapore-/

International
1. South Africa: The Protection Of Personal Information Bill – Time To Comply!
2. UN advances Internet privacy resolution
3. OECD Issues Updated Privacy Guidelines
4. Germany Lobbies for UN Online Privacy Charter
5. House Creates Privacy Working Group

1. http://www.mondaq.com/x/264480/Data%20Protection%20Privacy/The%20Protection%20of%20Personal%20Information%20Bill%20time%20to%20comply
2. http://www.miamiherald.com/2013/11/26/3780690/un-advances-internet-privacy-rights.html#storylink=cpy
3. http://www.huntonprivacyblog.com/2013/09/articles/oecd-issues-updated-privacy-guidelines/
4. http://abcnews.go.com/Technology/wireStory/germany-lobbies-online-privacy-charter-19756324
5. http://www.broadcastingcable.com/article/494855-House_Creates_Privacy_Working_Group.php
