Earlier this month, privacy and security professionals from around the globe gathered for “Privacy. Security. Risk. 2015”—the second joint conference between the International Association of Privacy Professionals and the Cloud Security Alliance Congress (CSA). Over four days, the conference focused on the evolving interplay between data privacy and security, and featured keynote speeches by leading security blogger Brian Krebs and data privacy and technology journalist Adam Tanner, as well as a highly anticipated panel featuring two top Washington, D.C., consumer protection enforcers: the Federal Trade Commission’s Jessica Rich and the Federal Communications Commission’s Travis LeBlanc.
We were there to take it all in, and offer these seven key takeaways.
1. Security vs. Privacy
Keynote speakers Brian Krebs and Acuity Solutions Corp. President Kris Lovejoy, as well as a host of panelists, asked a question at the heart of the growing intersection between privacy and security: “Can we have better security without compromising our privacy?” Big Data analytics that examine website usage, email content and hundreds of other factors have catapulted the cybersecurity services industry. Companies are now able to do more than ever to ferret out, and even predict, where and how attackers may penetrate corporate networks. Behavioral-based defense tools can analyze trends and patterns in computer use and activity to create a baseline from which to better identify anomalies. Collecting more user data can also support layered identity “proofing” that enables more secure authentication methodologies versus the inherently weaker knowledge-based (e.g., password or security question) authentication protocols.
But, as always, the collection of even more data raises privacy concerns. Companies should consider how the adoption of Big Data-based security might erode privacy, and whether the collection/use of such data comports with their current internal and external privacy policies. As with any new technology, developers and implementing companies should conduct a privacy impact assessment and follow privacy-by-design principles to evaluate the contours of notice/awareness, choice/consent, access/participation, integrity/security and enforcement/redress.
2. Cloud Security
Of course, with the CSA’s co-sponsorship and heavy participation, there was continued focus on security and privacy in the cloud, with a significant number of presentations promoting ISO 27018 as the gold standard in privacy and security certification for cloud service providers. Coincidence or not, just days before the conference, Google Inc. announced that its Google Apps for Work was certified under the standard — joining early adopters Microsoft Corp. and DropBox Inc.
Throughout the conference, three common threads emerged to underscore early adoption of ISO 27018. First, ISO 27018 offers an international and auditable standard that cloud service buyers can use as a proxy for more tailored evaluation and testing, thereby gaining significant cost savings, which is particularly important to small- and medium-sized users with limited security budgets. Second, ISO 27018’s requirements can form an important part of an overall compliance program to address European Union data protection law, and is therefore a useful starting point for smaller data controllers in relation to their cloud providers (i.e., data processors). Third, it is clear that ISO 27018 certification requires a significant investment and can be a significant market and brand differentiator for cloud-service providers. But stay tuned, because soon to be released is ISO 27017, which will provide more information on security angles of cloud computing beyond privacy and offer additional controls and implementation advice beyond that provided in ISO 27002.
3. U.S.-EU Safe Harbor at the Edge
Although the European Court of Justice did not issue its final ruling in the Schrems matter until after the conclusion of P.S.R., many speakers focused on the uncertainty surrounding the U.S.-EU safe harbor mechanism, given the possibility — now realized — that the ruling would invalidate the U.S.-EU safe harbor agreement. Until recently, over 4,000 companies that transferred personal data to the U.S. from the EU relied on the safe harbor certification program to manage compliance with EU data transfer restrictions. As we now know, that mechanism was indeed invalidated on Oct. 6, 2015. European regulators will need time to assess how they will enforce the CJEU’s decision. At a minimum, businesses will need time to implement new data-transfer solutions (which regulators likely recognize), and with limited resources regulators themselves will likely follow the more prudent course of permitting reasonable grace periods for compliance before commencing enforcement actions. Moreover, the EU Commission has indicated a desire to continue its ongoing renegotiation of the safe harbor with the U.S. Department of Commerce recognizing that transatlantic data flows are critical to the global digital economy in both the U.S. and Europe.
4. FTC vs. FCC; Batman vs. Superman?
The much-anticipated keynote panel featured Travis LeBlanc (Chief, Bureau of Enforcement for the Federal Communications Commission) and Jessica Rich (Director, Bureau of Consumer Protection, Federal Trade Commission). Recently, there has been significant buzz that the FCC’s data security enforcement actions have encroached on consumer protection space historically patrolled by the FTC, and that the FCC’s very large recent fines (approximately $800 million in the last year and a half, according to LeBlanc) have made the FTC’s efforts on data security look weak. The panelists sought to dispel that notion.
LeBlanc explained they are working together: “There is no Batman vs. Superman in the FTC and FCC. We are the Justice League.” Rich added that the FTC considered the FCC “a valued partner” in privacy enforcement, but emphasized that the FTC has a responsibility over “the whole marketplace, and “telecommunications is just one slice.” Although they presented a united front, the agency leaders did not provide any road map or guidance on how they might navigate overlaps in their privacy and security mandates. Instead, each agency announced their (apparently non-overlapping) respective data security/privacy focus in the coming year: the FTC on Internet of Things privacy enforcement and new technologies protection of sensitive data; and the FCC on data security for cable and satellite providers.
5. The Ethics of Big Data
Mobile and connected device tracking is becoming increasingly sophisticated, leading to a burgeoning wave of data collection. From cars to smart televisions to fitness trackers, the Internet of Things, as well as mobile device tracking, mobile ads and cross-device tracking capabilities were widely discussed panel topics. While much of the discussion was devoted to the need for traditional privacy and security assessments, including disclosure and choice mechanisms, data minimization and anonymization, an important undertone emerged throughout the week. As the IoT and cross-device tracking mechanisms proliferate, so too does the quantity and quality of data collected. Just as the mobile device environment revolutionized Big Data analytics projects by adding context and a geographical dimension, IoT and cross-device tracking data offer the ability to enrich data sets even further. With that, many warned that the ethics of Big Data is a topic that will gain prominence in the next year, as organizations of all sizes are forced — by regulators or consumers — to carefully consider whether their Big Data analytics efforts are consistent with the organizations’ ethical values and their privacy policies.
6. Health Care Still Hot
Following a year in which (by some estimates) at least one in four Americans was affected by a string of data breaches at health care organizations, it is hardly surprising that a larger number of panels at the conference discussed proactive and reactive Health Insurance Portability and Accountability Act privacy and security compliance strategies. Panelists and attendees were drawn from a diverse group of ecosystem participants, including regulators, covered entities, business associates, service providers, academics, legal counsel and risk officers. However, far from a sophisticated look at emerging threats or technologies, most of the health care sessions were boot camps on the basics.
Many of the best speakers stressed core organizational awareness regarding the privacy and security duties of covered entities (CEs), understanding how to identify and manage protected health information and other regulated data sets, as well as strategies for assessing, choosing, contracting with and auditing business associates (BAs) and sub-BAs. This “HIPAA 101” approach is a strong indication that while cyberattacks are becoming more and more sophisticated, CEs and BEs are struggling to address even the basic minimum privacy and security requirements. Indeed, this is consistent with the types of enforcement actions in 2015 that were brought by the U.S. Department of Health and Human Services’ Office of Civil Rights.
7. Taking Compliance Programs “To the Next Level”
While many panels discussed the block-and-tackle basics of data privacy and security compliance, several presentations were squarely directed at companies looking to “up their game.” To be sure, most large organizations today have implemented global privacy and information security programs that contain many of the most important requirements under various rules, regulations, industry guidelines and best practices. However, even these organizations are trying to understand what more can and should be done: Is it enough to have an enforced, internal privacy policy that governs how our employees handle data? Is it sufficient to have an incident response plan that has been table topped and regularly updated? The short answer is “Maybe.”
It is clear that companies still struggle to define “reasonable” security standards and privacy best practices sufficient to satisfy the expectations and requirements of myriad regulators across this complex and multijurisdictional environment, not to mention the ever-present and increasingly sophisticated risk of cybercrime. In-house panelists shared creative and tested tools, policies and procedures that generated more consistent performance outcomes. For example, speakers demonstrated software tools that incorporated department-by-department feedback and automated data-classification output to support privacy-by-design programs. Other speakers discussed “red team” games and ethical hacking programs that enabled companies to take their incident response tabletops to new levels of sophistication and insight, which led to more robust procedures development.
As with any industry conference, the ideas presented only go as far as the participants’ willingness to return to their organizations, raise awareness and drive change. The cloud. The safe harbor. FTC v. FCC. Big Data ethics. HIPAA. Next-level compliance. These are critical topics at the seams between data privacy and cybersecurity, and they require careful consideration and action as the digital economy continues to innovate and expand.
* The content of this communication was first printed in Law360 on October 13, 2015. Reprinted with permission.