Archive for October, 2011

How to Build a Winning Privacy Program

Posted by fgilbert on October 27th, 2011

Many companies post on their websites a statement indicating that they care about the privacy of their customers or users, and then describe in general terms their policies with respect to certain categories of personal information. The golden rule for these privacy statements is “Say what you do, and do what you say you do.” Let’s assume that the company actually “said what it does;” that the disclosures in its privacy statement are accurate, complete, and up-to-date; and that they clearly describe the company’s commitment to protect personal information. How, then, does it ensure that it “does what it said it does”?

How can CEOs and Boards of Directors ensure that the company in their custody actually does what its privacy statement provides? Failure to act in accordance with this privacy statement could cause the company to be investigated by one or several of the Federal or State enforcement agencies. These enforcement actions have often resulted in the investigated entity agreeing to be supervised by the enforcement agency for 20 years, as was recently the case for Google. Fines in the millions may have to be paid, as was the case for Sony, ChoicePoint, and others. The company could also become the target of a suit for fraud and misrepresentation, breach of contract, negligence and much more. There, again, the disruption, damages and lawyers’ fees could be crippling.

To ensure that it acts in accordance with its public commitment to protect the privacy of its users and customers, a company must have a “Privacy Program” that addresses as appropriate the different aspects of privacy protection that attach to the personal information that it collects, processes, or shares with third parties. In the recent settlement of the Federal Trade Commission investigation of Google, Inc., the FTC has provided its views and requirements for a “Privacy Program.” This excellent and concise description can serve as a blueprint for companies that understand that they must build a Privacy Program to implement and support their privacy statements.

According to the Federal Trade Commission, a Privacy Program intended to protect customer and third party information must meet the following requirements:

Design and Analysis

The Privacy Program must be reasonably designed to:

·   Address the privacy risks related to the development and management of new and existing products and services for consumers; and

·   Protect the privacy and confidentiality of personal information

Meeting the Needs of the Company

The Program must contain privacy controls and procedures appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the personal information that it has committed to protect, or that it is required by law to protect.

Components of the Privacy Program

The Privacy Program must include at least the following:

·   A responsible person

The company must designate one or several individuals to coordinate and be responsible for the Privacy Program.

·   An analysis of needs

The Program must identify what personal information is to be protected according to the promises made in its Privacy Statement(s) and its other legal obligations. It must then identify the reasonably foreseeable, material risks, both internal and external, that could result in the company’s unauthorized collection, use, or disclosure of personal information.

·   An assessment of the risks

The program must include an assessment of the sufficiency of any safeguards in place to control the risks of unauthorized collection, use, or disclosure of personal information. This assessment should include consideration of risks in each area of relevant operation. At a minimum, this assessment should include an assessment of the design and development of products, and the management and training of employees.

·   Privacy Controls and Procedures

Reasonable privacy controls and procedures should be designed and implemented to address the risks identified through the privacy risk assessment.

·   Testing and Monitoring

The effectiveness of these privacy controls and procedures should be regularly tested and monitored. Infringers should be disciplined.

·   Control of Service Providers and Third Parties

Reasonable steps and measures should be developed and used to identify and retain service providers capable of appropriately protecting the privacy of personal information that these third parties receive from the company. Written contracts should require these service providers to implement and maintain appropriate privacy protections.

·   Evaluation and Adjustment

The Privacy Program should include a process that ensures that the Program is periodically evaluated and adjusted in light of the results of the testing and monitoring and of any material changes to the company’s operations or business arrangements, and any other circumstances that the company knows or has reason to know may have a material impact on the effectiveness of its Privacy Program.

Documentation

The content and implementation of the Program must be documented in writing.

The program described above is intended to address the protection of customers, clients, and other individuals with whom a company interacts. Slightly different guidance would apply in the case of the collection and processing of employee personal information, since this information is usually collected in a different manner, held and used by different people, and subject to different laws. However, all companies do have a legal obligation to protect the personal information of their employees, and they would equally benefit from taking the steps described above to ensure the proper protection of their employee personal information.

Action Item

It is not enough to make statements and representations in a document. A company or other entity that wants, or is required by law, to have a privacy policy must also adopt a plan or Privacy Program that identifies and implements the appropriate policies, procedures, processes and measures – including discipline – that are needed to ensure that there is substance behind its privacy statement, and that the policy that these statements describe is actually implemented and followed.

Lessons Learned from the Google FTC Settlement

Posted by fgilbert on October 25th, 2011

The Decision and Order settling charges by the Federal Trade Commission that Google used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010 became final as of October 24, 2011. Google is barred from future privacy misrepresentations, is required to implement a comprehensive privacy program, and must submit to independent privacy audits every other year, for the next 20 years.

The finalization of the Order gave me an opportunity to refresh my recollections about the terms of the settlement, and reflect upon them.  There are, indeed, many lessons to learn from the FTC – Google settlement:

What is a Comprehensive Privacy Program

The Google settlement order is the first one where the FTC requires a company to implement a comprehensive privacy program to protect the privacy of consumers’ personal information. As a result, there is now FTC guidance on the components of a comprehensive privacy program: from designating an individual responsible for the program, to identifying and assessing the risks that could result from the unauthorized collection, use or disclosure of personal information, to designing and implementing reasonable privacy controls and procedures, and training the personnel and supervising service providers.

What Personal Information is to be Protected

The Google settlement applies to “covered information.” The size of the universe of personal information to be protected is significant. It is much broader than “sensitive information” i.e. social security numbers, credit card and financial information, identity information, and the like, a limited, narrow group of personal information that too many view as the only personal information that must be protected. The “covered information” (or protected information) in the Google order encompasses all of the information that is collected from or about an individual, including, but not limited to, an individual’s:

  • First and last name;
  • Home or other physical address, including street name and city or town;
  • Email address or other online contact information, such as a user identifier or screen name;
  • Persistent identifier, such as IP address;
  • Telephone number, including home telephone number and mobile telephone number;
  • List of contacts;
  • Physical location; or
  • Any other information from or about an individual consumer that is combined with the above.

In other words, if you collect it, you have to protect it. This is a reminder that personal information need not be confidential, secret, or strategic to require protection.

How to Make a Material Change to a Policy

There is also specific guidance on how to implement a change in policy with respect to the sharing of personal information. If the personal data handling practices that were in effect when the company collected personal information change, the company must:

  • Obtain users’ express, affirmative consent before sharing their information with third parties, and
  • Prominently disclose, separate from any privacy policy, terms of use or similar document:  that the user’s information will be disclosed to one or more third parties; the identity or specific categories of such third parties; and the purpose(s) for sharing this information.

Safe Harbor Promises Must be Kept

The Google settlement order is also the first time that the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework. Safe Harbor promises must be kept. It is not enough to fill out a form and ignore the commitments made.

Privacy Promises Must be Kept

Misrepresenting the extent to which the privacy and confidentiality of personal information is maintained is not acceptable. A company may not misrepresent the purposes for which it collects and uses the information, and the extent to which consumers may exercise control over the collection, use, or disclosure of personal information. When promises are made, they must be kept.

If one Product fails, the Entire Company will Bear the Consequences

Finally, the FTC Settlement does not cover just the Google Buzz and Gmail products. It applies broadly to all products and services of Google. For a large company like Google, the repercussions of a single error are extensive and significant. Do not assume that a little mistake can only have little consequences.

Now, Google has twenty years to think about what it could have done better, and how it could have avoided being elected to the FTC’s Hall of Shame. May the lessons from the FTC Google settlement order be learned by other companies.


Posted in FTC

Compliance By Design

Posted by fgilbert on October 15th, 2011

How to build cloud applications that anticipate your customers’ legal constraints?

To succeed and gain market share, developers of cloud services and cloud-based applications must take into account the compliance needs of their prospective customers. For example, a cloud that offers services to the health profession must anticipate that its customers are required to comply with HIPAA, the HITECH Act, and the applicable state medical information laws. If it fails to do so, it will not be able to sign up customers. Similarly, a cloud that uses servers located throughout the world must be sensitive to the fact that foreign data protection laws will apply, and that these laws have stringent requirements that differ from those in effect in the United States. If you fail to address these obstacles, your potential customers will take their business elsewhere.

Understand the Legal Constraints that Govern your Customers

Companies that use cloud services or cloud-based applications remain responsible for fulfilling their legal obligations and compliance requirements. These restrictions and requirements may come from federal or state laws and their related regulations, may stem from standards or from preexisting contracts, or may result from foreign laws.

These companies will demand that their cloud service providers be aware of these requirements and design their applications and offerings in such a manner that they provide the customer with the tools necessary to comply with its own legal or contractual obligations.

A savvy cloud architect, designer or developer will anticipate their customers’ needs and design applications that facilitate compliance with the customers’ requirements and help them fulfill their legal obligations.

Consider, for example, the following:

– Federal Laws

Numerous federal laws and their related regulations may apply to the specific category of data that are hosted in the cloud. Several laws and regulations, as well as orders issued by the Federal Trade Commission, require companies to adopt specific privacy and security measures to protect certain categories of data, and to pass along these requirements when entering into a contract with a third party such as a service provider or a licensee.

There are other requirements, such as ensuring the authenticity and integrity of financial records in order to comply with the Sarbanes-Oxley Act. On the marketing side, anti-spam and other laws limit the use of personal data for commercial purposes and require the use of exclusion databases to ensure that communications are made only to the appropriate party.

– State Laws

Numerous state laws also create obligations on companies, and these obligations follow the data when these data are entrusted to third parties. For example, there are restrictions on the use of social security numbers or driver license numbers. If your application requires the processing of these data, it should include the required technology to mask the numbers from most users, and block mailings that would disclose these protected numbers, when required by law.

Some state laws require that companies enter into written contracts with their service providers – including of course cloud providers – and these contracts must contain very specific provisions. If you are not prepared to sign these contracts and abide by the related requirements, do not waste time building a cloud application.

– Standards

Standards such as PCI DSS or ISO 27001 define specific information security requirements that apply to companies, and flow down to subcontractors, in a domino effect similar to that of federal or state laws.

– Foreign Laws

Cloud customers will also want to know in which country their data will be hosted, because the location of the data directly affects the choice of the law that will govern the data. If the data reside in a foreign country, it is likely that that country’s laws will govern at least some aspects of access to the servers where the data are hosted. For example, that country’s law may permit the local government to have unlimited access to the data stored in its territory, whereas you may be more familiar with the stricter restrictions that US law places on law enforcement access to data stored in the US.

– Crossborder Transfer Prohibitions

When servers are located abroad, there is also a significant obstacle: the prohibition against cross-border transfers of personal data. This is for example the case throughout the European Union, where all member states have implemented in their national laws the 1995 EU Data Protection Directive’s prohibition against transfers of personal data out of the European Economic Area to countries that do not offer an adequate level of protection for personal data and privacy rights.

As part of your Compliance by Design endeavor, you should anticipate that your customers might be concerned about where the personal data of their employees or clients will be hosted or located, because foreign data protection laws may impose restrictions on these data. And you should design your offering accordingly.

Ensure Personal Data Protection

A substantial amount of the data that might be held in the cloud will be personal data. In the US and abroad, personal data are protected by a growing number of privacy and data protection laws. In general, these laws place on the entity that originally collected the data, and has become the custodian of these personal data, an obligation to protect the privacy rights of the individuals to whom these data pertain.

In a cloud environment, each entity or data steward must continue to be able to fulfill the legal requirements to which it is subject and to meet the promises and commitments that it made to the third parties from whom it collected the personal data. It must also ensure that individuals’ choices about their information continue to be respected, even when the data are processed in a cloud environment. For example, individuals may have agreed only to specific uses of their information. Data in the cloud must be used only for the purposes for which they were collected, whether the data were collected in or through the cloud, or otherwise.

Anticipate the Need to Provide for Access, Modification, and Deletion of Personal Data

In addition to the above, the applicable law or privacy notice may allow individual data subjects to have access to their personal data, and to have this information modified or deleted if inaccurate or illegally collected. In this case, the cloud service provider must design its application in anticipation of the fact that the application will have to allow, easily and conveniently, for the exercise of these access, modification and deletion rights to the same extent and within the same timeframes, as it would in an off-cloud relationship.

Ensure Adequate Information Security

You should also be prepared to address your customer’s security needs. All data entrusted to you will require a reasonable level of security, whether they are the photos of the company picnic, or the secret formula for that special product for which your customer is famous. In addition, many categories of data that might be hosted in the cloud, such as personal data, financial data, customer purchases and references, or R&D data are sufficiently sensitive to require being protected through more extensive security measures.

The obligation to provide adequate security for personal data stems from numerous privacy and data protection laws, regulations, standards, cases, and best practices. For some categories of data, such as personal data or company financial data, specific laws or security standards require the use of specific security measures to protect these data. These laws and standards include, among others, the Sarbanes-Oxley Act, GLBA, HIPAA, Data Protection Laws in Europe or Asia, as well as the PCI DSS and the ISO 27001 security standards. Further, the common law of information security created by FTC or State Attorney General rulings also requires that adequate security measures be used to protect sensitive data. The obligation to maintain a reasonable level of security may also result from contracts or other binding documents in which the cloud customer has previously committed to a third party that it would use adequate security measures.

You should design the security foundation and architecture of your cloud offering to address the applicable security requirements of the market that you wish to reach. You should also be prepared to commit to your client that you will use specified information security measures to protect the personal data processed through your cloud application.

Be Prepared to Disclose Security Breaches

Security incidents are prone to occur. The US States and an increasing number of foreign countries have adopted security breach disclosure laws that require the custodian of specified categories of personal data to notify individuals whose data might have been compromised in a breach of security. Frequently, the local State Attorney General, Data Protection Supervisory Authority, or other government agency must be notified, as well.

If a security incident occurs in the cloud, the customer – who usually has the primary contact with the concerned individuals – expects to be informed of the incident, so that it can, in turn, notify the affected business contacts, employees or clients of the occurrence of the breach. To do so, the cloud customer must have been informed promptly of the occurrence, nature, and scope of the breach of security.

Thus, as a cloud service provider you should have in place the processes necessary to identify a security breach, and to promptly notify your customers of the occurrence of the breach. Just like your own customers, you should have in place a security incident response plan to address the security breach thoroughly and expeditiously, promptly stop any leakage of data, eliminate the cause of the breach of security, identify who and which category of data were or might have been affected, and interact with your customers to mitigate the effect and consequences of the breach.

Ensure Business Continuity

Your customers and prospects may also be required by law or by contract to ensure the continuity of their operations and uninterrupted access to their data. This is the case, for example, under the HIPAA Security Safeguards. A hospital that provides technology or medical information database services to the physicians on its staff must provide continued access to patient information in order to ensure proper patient care. This requirement applies as well to the business associates that provide services to the hospital. The PCI DSS standard also requires companies to have an incident response plan that includes business recovery and continuity procedures.

When these applications are hosted in a cloud, the customers or prospects will want to ensure that the cloud service provider has in place proper business continuity and disaster recovery capabilities because they are essential to ensure the viability of their own operations and in some cases because this is required by applicable law. Thus, if you design a cloud offering, be sure to plan and implement appropriate disaster recovery and business continuity measures, so that you can help your customers meet their own business continuity requirements.

Be Prepared to Assist your Client with its E-Discovery Obligations

If there is a civil suit in which the cloud service customer is a party, or if there is an investigation by a government agency, the cloud service provider is likely to receive a request for access to the information that it holds as the hosting entity. This request may come directly from the customer, for the benefit of the customer, or it may come from third parties who wish to have access to evidence against the customer.

You should anticipate your customers’ request for assistance in implementing a litigation hold or responding to a request for documents. You should be ready to respond to inquiries from your prospects or potential customers about how you will work and cooperate with them to address compliance with the requirements of the E-Discovery provisions of the Federal Rules of Civil Procedure and the State equivalents to these laws. You should plan and agree ahead of time on each other’s roles and responsibilities with respect to litigation holds, discovery searches, the provision of witnesses to testify on the authenticity of the data, and the provision of primary information, metadata, log files and related information.

Anticipate Requests for Due Diligence and Monitoring

Whether it is required to do so by law, by contract, or otherwise, your customer or prospect will also want to conduct due diligence before entering into the contract, and will also want to be able to periodically monitor the performance and security of your applications. Consider, for example the monitoring and testing requirements under the Security Safeguards under HIPAA or GLBA, or those in the orders issued by the Federal Trade Commission or the State Attorneys General.

Be prepared to respond to these requests for due diligence, monitoring, or inspection, and provide for the cloud customer’s ability to conduct its investigation in a manner that satisfies the customer’s needs while not disrupting your operations. For example, develop a security program that is consistent with industry standards, provide easy-to-access logs of access to data, and put in place controls that prevent the modification of data.
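The two concrete design points in the paragraph above are access logs a customer can inspect, and controls that prevent data from being modified unnoticed. One way to get both from a single mechanism is a hash-chained access log: each entry carries a SHA-256 over its own fields and the previous entry's hash, so editing, reordering or deleting an entry breaks the chain and is caught on verification. The code below is an added illustration written for this post, not code from the author or from any product; the field names, the `AccessLog` class and the sample entries are constructed for the example.

```python
"""Tamper-evident data-access log (added example, not from the original post).

Each entry records who touched which record for which cloud customer, and is
hashed together with the previous entry's hash. verify_chain() detects any
entry that was edited, reordered or removed from the middle of the log.
"""
import hashlib
import json
from dataclasses import dataclass, field, replace
from typing import List, Optional

GENESIS = "0" * 64  # stands in for the "previous hash" of the first entry


@dataclass(frozen=True)
class AccessEntry:
    seq: int
    timestamp: str      # ISO-8601; passed in by the caller to keep the example deterministic
    actor: str          # user or service account that accessed the data
    tenant: str         # cloud customer whose data was touched (assumed identifier)
    record_id: str      # identifier of the data record (assumed identifier)
    action: str         # e.g. "read", "export", "delete"
    prev_hash: str
    entry_hash: str = field(default="", compare=False)


def _digest(seq, timestamp, actor, tenant, record_id, action, prev_hash) -> str:
    # Canonical JSON so the same fields always produce the same hash.
    payload = json.dumps([seq, timestamp, actor, tenant, record_id, action, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AccessLog:
    """Append-only in-memory log. A real deployment would persist entries and
    periodically copy the latest entry_hash to write-once storage, so that
    truncating the tail of the log (which a chain alone cannot detect) is
    also caught."""

    def __init__(self):
        self.entries: List[AccessEntry] = []

    def append(self, timestamp, actor, tenant, record_id, action) -> AccessEntry:
        seq = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        h = _digest(seq, timestamp, actor, tenant, record_id, action, prev)
        entry = AccessEntry(seq, timestamp, actor, tenant, record_id, action, prev, h)
        self.entries.append(entry)
        return entry

    def for_tenant(self, tenant) -> List[AccessEntry]:
        """What a customer doing due diligence asks for: every access to its data."""
        return [e for e in self.entries if e.tenant == tenant]


def verify_chain(entries: List[AccessEntry]) -> Optional[int]:
    """Return None if the chain is intact, else the position of the first bad entry."""
    prev = GENESIS
    for pos, e in enumerate(entries):
        if e.seq != pos or e.prev_hash != prev:
            return pos  # gap, reordering or deletion in the middle
        if _digest(e.seq, e.timestamp, e.actor, e.tenant, e.record_id,
                   e.action, e.prev_hash) != e.entry_hash:
            return pos  # a field was changed after the entry was written
        prev = e.entry_hash
    return None


def tampered_copy(entries: List[AccessEntry], pos: int, **changes) -> List[AccessEntry]:
    """Copy of the log with one entry's fields altered; used only to show detection."""
    out = list(entries)
    out[pos] = replace(out[pos], **changes)
    return out


def build_sample_log() -> AccessLog:
    """Constructed sample entries for two fictitious customers, 'acme' and 'globex'."""
    log = AccessLog()
    log.append("2011-10-15T10:00:00Z", "alice", "acme", "rec-1", "read")
    log.append("2011-10-15T10:01:00Z", "bob", "acme", "rec-2", "export")
    log.append("2011-10-15T10:02:00Z", "alice", "globex", "rec-9", "delete")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log.entries))                       # None
    print("acme accesses:", len(log.for_tenant("acme")))              # 2
    edited = tampered_copy(log.entries, 1, action="read")
    print("edited entry detected at:", verify_chain(edited))          # 1
    dropped = log.entries[:1] + log.entries[2:]
    print("deleted entry detected at:", verify_chain(dropped))        # 1
```

Giving the customer `for_tenant()` output together with the chain hashes lets it check for itself that nothing in the extract was altered, which is the kind of evidence a due-diligence or monitoring request is after.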

Ensure a Smooth Termination

No one wants to lose a good customer. Be realistic, however, and accept that termination might occur. Do not be an obstacle to the termination of a contract, or your reputation will suffer. Show your prospective clients that they can trust you, and that they will not be kept hostage if they want to move on.

Accept that, in case of termination of the contract, the cloud customers must be able to retrieve their data, or to have data that are no longer needed destroyed. Make it easy for them to do so; show respect for, and awareness of, your customers’ own constraints. Be prepared to respond to a customer’s request for the return, transfer, or destruction of the data, assess in advance the costs associated with it, and have in place the technology, processes and procedures to be used to address the special needs resulting from termination.

Planning for termination will reduce disputes and the resulting disruptions. If termination is not planned properly, problems might occur. The data might have been commingled with other customers’ data to save space or for technical reasons. This entanglement might make it difficult, time consuming, expensive, or perhaps impossible to disentangle the data.
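The commingling problem described above, the individual access, modification and deletion rights discussed under “Anticipate the Need to Provide for Access, Modification, and Deletion of Personal Data,” and the state-law point about masking social security numbers from most users all come down to the same design decision: keep each customer’s records in its own partition, keyed by data subject, so that a tenant can be exported or destroyed as a unit and a single individual’s record can be read, corrected or erased without touching anyone else’s. The following is an added example written for this post, not the author’s or any provider’s code; the `TenantStore` class, the `ssn` field and the sample tenants “acme” and “globex” are constructed for illustration.

```python
"""Per-tenant data store with subject-level rights and clean termination
(added example, not from the original post).

Records live in per-tenant partitions instead of one commingled table. Sample
data in the usage section is constructed for the example.
"""
import copy
import json
from typing import Dict, List, Optional


def mask_ssn(ssn: str) -> str:
    """Show only the last four digits, for users without a need to see the full number.
    Assumes the NNN-NN-NNNN layout used in the sample data."""
    return "***-**-" + ssn[-4:]


class TenantStore:
    def __init__(self):
        # tenant_id -> subject_id -> record (a dict of fields)
        self._partitions: Dict[str, Dict[str, dict]] = {}

    def put(self, tenant: str, subject: str, record: dict) -> None:
        self._partitions.setdefault(tenant, {})[subject] = dict(record)

    # ---- rights of the individual data subject: access, modification, deletion ----
    def access(self, tenant: str, subject: str) -> Optional[dict]:
        """Copy of the subject's record, or None; callers cannot mutate the store through it."""
        return copy.deepcopy(self._partitions.get(tenant, {}).get(subject))

    def masked_view(self, tenant: str, subject: str, privileged: bool = False) -> Optional[dict]:
        """Same record, with the SSN masked unless the viewer is privileged."""
        rec = self.access(tenant, subject)
        if rec is not None and not privileged and "ssn" in rec:
            rec["ssn"] = mask_ssn(rec["ssn"])
        return rec

    def rectify(self, tenant: str, subject: str, **changes) -> bool:
        """Correct inaccurate fields; False if there is no such record."""
        rec = self._partitions.get(tenant, {}).get(subject)
        if rec is None:
            return False
        rec.update(changes)
        return True

    def erase(self, tenant: str, subject: str) -> bool:
        """Delete one individual's record; False if it was not there."""
        return self._partitions.get(tenant, {}).pop(subject, None) is not None

    # ---- customer termination: return or destroy the whole partition as a unit ----
    def export_tenant(self, tenant: str) -> str:
        """Portable JSON the customer can take elsewhere; never includes other tenants."""
        return json.dumps(self._partitions.get(tenant, {}), sort_keys=True, indent=2)

    def destroy_tenant(self, tenant: str) -> int:
        """Drop the partition and return the number of records destroyed.
        A production store would also purge backups and retire any per-tenant key."""
        return len(self._partitions.pop(tenant, {}))

    def tenants(self) -> List[str]:
        return sorted(self._partitions)


if __name__ == "__main__":
    store = TenantStore()
    store.put("acme", "u1", {"name": "Ann", "ssn": "123-45-6789"})
    store.put("acme", "u2", {"name": "Ben", "ssn": "987-65-4321"})
    store.put("globex", "u1", {"name": "Cal"})
    print(store.masked_view("acme", "u1"))                 # ssn shown as ***-**-6789
    store.rectify("acme", "u2", name="Benjamin")
    store.erase("acme", "u1")
    print(store.export_tenant("acme"))                     # only acme's remaining record
    print("destroyed", store.destroy_tenant("acme"))       # 1
    print("remaining tenants", store.tenants())            # ['globex']
```

Because a partition is the unit of export and destruction, the “who else’s data is in this table” question that makes termination expensive never arises; the cost of a return or destruction request becomes predictable, which is what the passage above recommends assessing in advance.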

Conclusion

If you want your cloud offering to be successful, put yourself in your customers’ shoes. Anticipate their needs. Help them comply with their obligations. Design a cloud offering that will allow them to continue to comply with their own obligations in the same way as they did when their data, files, trade secrets, and other crown jewels were in their direct control.