Cybersecurity and Privacy

Big Data, Big Trouble? Privacy and Legal Concerns with Big Data

Posted September 26, 2013

Google has figured out that I shop for a lot of children’s clothing online, as my two children grow like weeds. Every time I launch a search, my banner ads link to brands that I have bought previously or similar brands that other consumers may have purchased. That is Big Data at work, as it is being used to identify other brands that I might be interested in purchasing based on shoppers with similar consumer profiles to mine. But let’s say that the next banner ad I receive isn’t for children’s clothing, but is instead for an all-inclusive Caribbean vacation. Well, I have never searched for Caribbean vacations, why would this be turning up? Again, this is Big Data at work, because patterns in human behavior have informed Google that people with small children are likely good targets for a quick getaway vacation. This is an example of the value of Big Data in predicting individual consumer behavior based on the behavior of many.

“Big Data” is the somewhat uncreative but accurate term for the process of collecting, culling, and categorizing of data from diverse sources on a massive scale. Through the application of algorithms, companies are analyzing Big Data in order to see patterns in human behavior, and (most commonly) using it to develop targeted, individualized marketing. The primary goal of Big Data is to learn from a large body of information things that we could not comprehend when we used only smaller amounts. Recent trends point to an increase in the use of Big Data, but there are several cautionary points from a legal and privacy perspective to consider.

What are the uses of Big Data, and who uses it? The potential benefits are wide ranging, but can be categorized as follows:

Too Much of A Good Thing? Mind the Privacy Implications of iOS 7’s New MDM Capabilities in Your BYOD Workforce

Posted September 20, 2013

By Joshua B. Konvisser

Joshua B. Konvisser

In addition to the consumer hoopla over iOS 7, companies managing BYOD programs also have reason to rejoice. As reported on CIO.com, iOS 7 brings about a new level of control for companies through expanded app-level MDM Capabilities. MDM, or Mobile Device Management, is the technology that companies use to try to segregate the corporate and the personal realms on mobile devices.

Of course, the trick is not in having the coolest technology, but it how you use it. For app-level MDM to work, the company takes control over the app (including the ability to wipe the app and its data). For some apps that themselves share personal and corporate activities (e.g., the address book), the company’s use of MDM to protect its corporate assets will also sweep in personal assets. One can debate whether this is good or bad, but it does exacerbate challenges in balancing personal versus corporate interests. The tool makes it easier to protect the corporate assets, but exposes the personal assets to greater risk.

As we have outlined in prior posts, courts have striven to protect the individual’s interest in their personal data stored on mobile devices from over-reaching companies. Again, as we have previously discussed, the best way for the company to protect itself is by being very clear in its BYOD policies as to what it will and will not do. This requires the manager of the BYOD policy to understand clearly the technical implications of the new iOS 7 capabilities–including both the intended and unintended consequences of leveraging those capabilities–and to make those implications clear to company employees.

New watchdog study shows that approximately half of all web privacy policies are non-compliant and risk enforcement action

Posted September 4, 2013

By Steven Farmer

Steven Farmer

It has been said for some time that data is the new oil, but many global organizations continue to struggle to comply with regulatory requirements when it comes to the exploitation of this valuable resource.

A recent worldwide audit of over 2,000 websites, coordinated by the Global Privacy Enforcement Network (“GPEN”), has revealed “significant shortcomings” at many organizations. In particular, approximately half of the websites “swept” failed to display a complete, coherent and compliant privacy policy, or worse still, any policy at all.

The audit, the first of its kind, was conducted in May of this year by 19 different data protection authorities around the world, including the UK’s Information Commissioner’s Office (“ICO”).”The results reveal significant shortcomings” reports Adam Stevens, Intelligence Officer at the ICO, on 16 August, stating that 23% of the 250 websites it reviewed had no privacy policy at all and that a third of those that did have policies ” were considered to be difficult to read, and many weren’t sufficiently tailored to the actual website”.

Help Clients Insure Against Cyberattacks

Posted August 6, 2013

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

This article was originally published in the July 22, 2013 issue of Texas Lawyer.

The constant threat of cyberattacks presents many and varying challenges for businesses. Insurance provides one way to deal with them. Because the market for insurance covering these risks and the law interpreting these policies both continue to develop, this is an area in which attorneys can help clients by maximizing their opportunity to secure the broadest possible coverage.

A look at federal and state action on cybersecurity risks provides some critical background. President Obama issued his Executive Order on Improving Critical Infrastructure Cybersecurity in February. In October 2011, the U.S. Securities and Exchange Commissions Division on Corporate Finance issued relevant guidance on financial-disclosure obligations concerning cybersecurity issues in CF Disclosure Guidance Topic No. 2 – Cybersecurity.

Mobile Privacy Practices: Recent California developments indicate what’s to come

Posted July 16, 2013

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

Jim Gatto and James Chang recently published “Mobile Privacy Practices: Recent California developments indicate what’s to come” in the June issue of Computer Law Review International.

The use of mobile applications has seen huge growth in the past few years. As the use of apps become increasingly commonplace, social concerns such as the privacy of app users will increasingly need addressing. California is taking the lead in regulating this important issue. For more information, including an overview of mobile privacy, a summary of California’s stance on how to address the issue, an overview of the state’s principles regarding privacy, its best tips for complying with its principles, and an examination of the privacy related laws outside of California, please read the full article: Mobile Privacy Practices: Recent California developments indicate what’s to come.

Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0

Posted May 16, 2013

By Steven Farmer

Steven Farmer

Steve Farmer recently published an article in World Data Protection Report titled “Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0.”

What exactly is the ‘”best” solution for an international business needing to handle and transfer personal data across borders?

This has become an increasingly important and common question as business becomes more global and companies grow, reorganise or merge.

Privacy Resolutions for Mobile App Providers in the New Year

Posted January 4, 2013

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

The end of 2012 saw a flurry of activity in the area of privacy enforcement. In July, Kamala Harris, the Attorney General of California, announced the formation of California’s own state agency, Attorney General Kamala D. Harris Announces Privacy Enforcement and Protection Unit to investigate and enforce the state’s robust privacy laws. By the end of the year, Harris made it clear that she did not intend this new unit to sit on the sidelines. On December 6th, Harris filed a groundbreaking civil suit against Delta Air Lines alleging a violation of the California Online Privacy Protection Act for the company’s failure to include a privacy policy on its “Fly Delta” mobile app. The State of California is seeking up to $2,500 in penalties from Delta for each violation of the California law.

California is not the only government entity that is ramping up its privacy enforcement efforts. The Federal Trade Commission has signaled that it plans to get in on the action as well. On August 9th, the FTC announced a record $22.5 million civil penalty to be paid by Google in order to settle charges that the company made misrepresentations with respect to how it planned to track users’ online activity.

On December 10th, the FTC published a report following up on a year-long investigation in which it found only 20% of mobile apps targeting children properly disclosed how the apps collected and shared personal data. The FTC announced it would be launching multiple investigations to determine whether certain companies have violated the Children’s Online Privacy Protection Act (COPPA), which requires operators of online services (including mobile apps) directed to children under the age of 13 to provide notice and obtain parental consent before collecting personal information from children. The FTC’s record settlement with Google suggests that these investigations could yield serious penalties.

Anonymization: The UK Response to Big Data

Posted December 5, 2012

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

“Everywhere you look, the quantity of information in the world is soaring.”

ICD has predicted that, by 2012, mankind will have created 2.7 zettabytes of data! The numbers are mind boggling – a zettabyte is a 1 billion terabytes. With all of that data comes the Next Big Thing – namely, Big Data.

What is Big Data?

UK Information Commissioner’s Office issues Guidance on the Deletion of Personal Data under the Data Protection Act 1998

Posted September 4, 2012

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

On 16 August 2012, the ICO published guidance on deleting personal data under the Data Protection Act 1998 (DPA). The guidance describes how organisations can ensure compliance with the DPA when they delete or archive personal data, and explains what the ICO means by deletion and archiving and introduces the concept of putting personal data ‘beyond use.’ The guidance aims to counteract the problem of organisations informing people that their personal data has been deleted when, in fact, it is merely archived and could be re-instated; archived information is “subject to the same data protection rules as ‘live’ information, although information that is in effect inert is far less likely to have any unfair or detrimental effect on an individual than live information.”

Given the fifth data protection principle which provides that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes,” the deletion of personal data is an important activity for organisations which control or process personal data. The ICO notes that, although the DPA does not define “delete” or “deletion”, a plain English interpretation implies “destruction” which, in the case of electronic storage, is less certain than, say, incineration of paper records, since information which has been “deleted” may still exist within an organisation’s systems in some form or other.

The ICO says that it will “adopt a realistic approach in terms of recognising that deleting information from a system is not always a straightforward matter and that it is possible to put information ‘beyond use’, and for data protection compliance issues to be ‘suspended’ provided certain safeguards are in place.” The ICO gives specific examples of where putting information ‘beyond use’ would be an acceptable alternative to ‘deletion’. For example, an acceptable alternative may arise where for technical reasons, it is not possible to delete this information without also deleting other information held in the same batch, or where information has been deleted with no intention on the part of the data controller to use or access this again, but which may still exist in the electronic ether where it is waiting to be over-written with other data. The ICO will be satisfied that information has been ‘put beyond use’ if the “data controller holding it:

Protecting Your Data When Your Subcontractor Hires a Subcontractor

Posted August 10, 2012

By Benjamin M. Dean

Benjamin M. Dean

When customers sign a contract with a service provider that will be holding the customer’s confidential data (for example, the customer’s business records, human resources data, personally identifiable information, protected health information, payroll data), in addition to laying out the service provider’s responsibility for protecting the data, customers focus on restrictions allowing the customer to audit and confirm over the life of the contact that its data is being stored and maintained securely and appropriately by the service provider.

However, everyone (including service providers) seems to be outsourcing or subcontracting today. Customers must be vigilant about ensuring that their service contracts allow them not only to review, audit and confirm that their service provider is maintaining their data appropriately, but also that the customer can track and audit any customer data held by their service providers’ subcontractors (and those subcontractors’ subcontractors, and so on).

Service providers today frequently partner with subcontractors to provide discrete portions of their suite of services – sometimes those subcontracted services are (arguably) “not material” to the overall scope of the services provided, while sometimes those subcontracted services are mission-critical.

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: