Privacy in a Digital Age Business Risks, Information Challenges, & Corporate Responsibilities

Agenda • Privacy is Dead but Your Risks are Very Alive • Historical review of Privacy Law • Death of Privacy at the hands of Government & Business • The Spirit of Privacy in the Digital Age – A Look at Legal Intents • Practical Privacy Recommendations • Information Processors • Consumer Products • Legal Teams

Obligatory Definition Slide • Pri·va·cy (n) – state of being apart from company or • Lets examine... • “Right to Privacy” – Every citizen deserves their information protected from public scrutiny. • In·for·ma · tion - Facts provided or learned about something or someone. • Observation(s) – How do we ensure that observations of our own information or information to which we are entrusted is obfuscated for the preservation of privacy? observation information

Risky Business Why privacy’s digital afterlife introduces new business risks

Going Digita ▪ Rise in electronic data facilitates ability for data exchanges ▪ APIs allow for data to be easily called by both individual &otgher apps ▪ Demand for data from government & commercial sectors is increasing ▪ Immature Cloud IT operations create data loss mishaps ▪ Legacy IT environments still make elementary mistakes: ▪ Lost tapes ▪ Unencrypted data ▪ Excessive data retention periods

Escalating Privacy Litigation ▪ Laws open avenues for prosecution ▪ State, Federal and International laws offer vehicles for financial

Privacy’s Duck, Duck, Goose

Lawsuits & Fines Leave Largest Impact Direct ▪ Legal Fees & Fines ▪ Public Relations ▪ Client retention ▪ Vendor support Indirect ▪ Consumer/ commercial confidence ▪ Company Reputation

Legal Impact ▪ Fines ▪ State, federal, or international agencies ▪ Civil lawsuits ▪ Court cases ▪ Impact from consumer/ commercial confidence ▪ Compounded by length of time ▪ Legal fees (defense teams) ▪ Cost of Representation ▪ Behind the numbers

HIPAA/ HiTech (since 2008) • $2.75 Million for UMMC + 1 year credit reporting • BA fines have been few and far between • Is increasing privacy regulation and fines going to alter practices in information management & data privacy? 275 237 4 71 1281 HIPAA OCR "Wall of Shame" Incident Totals (since 2008) # BAs # health plans # clearing house # undefined # hc provider

Playing the #s • Looking at HIPAA Business Associates since 2009, a LOT of data has been lost and very little fines have ensued. • If you’re looking around as a BA, how likely are you to alter your data management policies and practices?

Privacy Violations to Business Mitigations • Threat model for many in HC should be around theft. • Incidents & threats need examination in order to determine mitigation strategy • Knowing your information assets • Followed by knowing your information flows • Legal mitigations need to aligns services to legal liabilities 15% 4% 8% 5% 43% 25% 0% HIPAA Violations by Incident Type hacking incident improper disposal loss other theft unauth access/ disclosure other

No content

Ensuring Opt-Ins • Opting in to control ads sent to you VS control data managed by Google • As long as it doesn't personally identify you Google can share with advertisers 100% of your digital activity, connected with the places you visit and the purchases you make in the real world. Credit to Mike Nolet for his research on Google’s data management of personal records.

Privacy is Dead • [Macro Economics] Companies want greater intelligence around their customer/ consumer behaviors; greater economic forces to abusing privacy than resurrecting it • [Legal] Terms of Services are never read b/c consumers are: • Disinterested, lazy, or value their time more • Overly trusting • Confused by the language • Inherently, ToS, Opt-X language is flawed by design for the consumer, optimized for the service provider • [Consumerism] We (consumers) want more social integrations over integrated applications that offer more “convenient” (targeted) functionality. • “Nothing is free when you are the product” • Privacy Ideology vs Privacy Pragmatism

Source: Emotion Research Labs

Legalese... Laws revealing deep beliefs, changing values & business actions

Securing Privacy – Always a Step Behind

Privacy History Snapshot • Colonial America: “solitude was readily available…” – David H. Flaherty, Privacy in Colonial America (1972) • Flaherty observes, since people lived in towns, physical surveillance was difficult to escape • Home was ‘castle’ of one individual’s privacy • Revolutionary War: Introduced central privacy theme of freedom of government intrusion. • 1890 introduced Right to Privacy, - Warren & Brandeis • Response to media, gossiping, cameras • Harry Kalven Jr, “most influential law review article of all.” • Increase in privacy laws/ revisions in 20th century • Rise in litigation hasn’t helped, or has it? If so, who? 3/21 9/19 1790 U.S Census Formed 1600s Colonial America 1775 - 1783 Revolutionary Period Dec 1791 U.S Bill of Rights Ratified (Art 3-12) 1890 Outcry over Census asking on diseases, finances, disabilities 3/21/2018 - 4/27/2018 Copies of Census posted in public places to validate errors 1890 Warren & Brandeis Right to Privacy Birthed 1960 William Prosser recognizes 4 distinct torts 1935 Social Security System, FBI created 1946 Birth of the Computer Privacy Act of 1974 1970 FCRA Born Increase in pirvacy laws from 1980 onward

Attitudinal Inherency on Privacy Law • “…nothing to hide” overpowers rising “…nothing to fear” beliefs • Consumerism, security trumps privacy as shown by market demand • Perception that gov’t collects info to ‘improve’ social services • Industry leaders claim to improve service, treatment, based upon access to broader information (e.g. – Medical) • Information sharing is needed in order to ‘evolve’ advancements in products, services. This rationalizes privacy law violations • Privacy terms and information considered to be private is mutating.

Florida vs Jardines (Supreme Court Case – Oct 2012) • Police suspects Jardines of growing marijuana • Bring K-9 unit to detect scent • Warrant obtained after K-9 detects scent • Jardines jailed • Court ruled Jardines’ privacy violated; • Search warrant deemed invalid • Scents detected by K-9 outside home violated private • Jardines released on court ruling Jail House Jardines House

Corporate Responsibilities... Practical steps to shoring privacy risks

1: Threat Model for Privacy • Threats to a Privacy Violation • Threat Model should illustrate weaknesses • Correlate prior incidents experienced by organization • Threat intelligence for the sector will also help • Identify scope of systems of record by data classification • Correlate information assets to technology assets • Manage a series of DFDs for your information flows • Integrate vendor infrastructure into DFDs

2: Data Privacy Impact Assessments • Leverage your Privacy Threat Model to scope what systems to prioritize Data Privacy Impact Assessments • Understand the level of PII for components in your DFDs • Correlate State, Federal, International impacts to data systems/ interfaces • Filter out technical and process based controls for data privacy from DPIA efforts to get residual risk register of issues • Establish a cadence and governance for your DPIAs

3: Revisit Legal & Governance • Examine how legal contracts are inflating legal liabilities for the organization • Review how legal agreements reflect inaccuracies in privacy controls and processes • Incorporate legal privacy language in all your vendor agreements and incorporate right to audit languages to support proof of privacy controls • Review governance strategy on online, offline data governance and re-calibrate based upon recommendations 1 & 2.

Thank you! @VerSprite @t0nyuv tonyuv@versprite.com