aiim 2015 - data privacy
TRANSCRIPT
Data Privacy: The Coming Conflict
Alan Pelz-Sharpe
Research Director Social Business Applications
451 Research is an information technology research & advisory company
2
Founded in 2000
350+ employees, including over 100 analysts
1,000+ clients: Technology & Service providers, corporate
advisory, finance, professional services, and IT decision makers
25,000+ senior IT professionals in our research community
Over 52 million data points each quarter
4,500+ reports published each year covering 2,000+
innovative technology & service providers
Headquartered in New York City with offices in London,
Boston, San Francisco, and Washington D.C.
451 Research and its sister company Uptime Institute
comprise the two divisions of The 451 Group
Research & Data
Advisory Services
Events
3
451 Research provides
unique insight into emerging,
disruptive technologies and
the companies taking them
to market.
4
Research Channels A combination of research & data is delivered across fourteen channels aligned to the prevailing topics
and technologies of digital infrastructure… from the datacenter core to the mobile edge.
Why Data Privacy?
• Emerging and Invasive Technologies
• Data Breaches
• Legal and Regulatory Challenges
5
Why Data Privacy? - Emerging and Invasive Technologies
6
Why Data Privacy? Emerging and Invasive Technologies
7
Aliases
Private email
Address
Devices Locations
Friends & Associates
Work email Address
Why Data Privacy? – Personal Data is broader than you think
8
Social Network
Posts
IP addresses
Photographs
Basics – PII (Personally Identifiable Data)
9
What do I have?
• Why do I have it?
What am I collecting?
• Why am I collecting it?
How long should I keep it?
• How do I dispose of it?
Basics - Security
10
How have I secured it?
• Granular or a blanket approach?
Who accesses it?
• Should they be accessing it?
How do I know if I lose it?
• What do I do if I do lose it?
Why Data Privacy? – Data Breaches
11
• Difficult problem. Not if companies will be hacked, but when.
• US law is difficult—47 different state laws plus District of Columbia
• What is a reasonable legal requirement for data breach notification?
• Too many notices, and you have the Boy Who Cried Wolf problem of people
ignoring them.
• EU is considering data breach notification regulations as part of GDPR.
The Current Conflicts
• September 11 and the USA PATRIOT Act
• The NSA-Snowden Controversy
• Conflict of Cultures, Definitions, and Laws
12
The Current Conflicts September 11 and the USA PATRIOT ACT
13
• Laws in many nations would trigger government data demands in response to
a (real or perceived) threat to national security.
• “Don’t put your data on US servers” argument is somewhat of a red herring.
• September 11 and the PATRIOT ACT perfect illustrations of the ‘Privacy vs.
Security’ dilemma.
The Current Conflicts – NSA-Snowden
14
• Like the Patriot Act - the NSA-Snowden Controversy illustrate the ‘Privacy vs.
Security’ dilemma.
• Was the PATRIOT Act really a red herring? The NSA-Snowden controversy
has been a giant ‘We told you so’ for many around the world who argued the
USA PATRIOT Act was the manifestation of the Orwellian nightmare.
The Current Conflicts
15
• Freedom of Information versus Right to Privacy
• US First Amendment Freedom of Speech
The Current Conflicts
Different Definitions• Personally Identifiable Information (PII)—In 2010, the US Government’s Office of Management
and Budget (OMB) stated, “The definition of PII is not anchored to any single category of information
or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can
be identified. In performing this assessment, it is important for an agency to recognize that non-PII
can become PII whenever additional information is made publicly available—in any medium from
any source—that, when combined with other available information, could be used to identify an
individual.” See also US National Institute for Standards and Technology (NIST) definition.
• Personal Information—Mexico has a broad definition, including any information concerning an
individual.
• Sensitive Personal Information—For instance, in Argentina, it includes ethnic or racial origin,
political opinions, union membership, philosophical, while in Finland, it includes criminal sanctions
and the receipt of social welfare.
16
Personal Data: 2+2=4
17
Birthdate
Address
Social Security Number
Phone Number
eMailAddress
Twitter Handle
Credit Card
Number
US-EU Safe Harbor Framework
• Although US does not meet the minimum standards required by the 1995
Directive, the Safe Harbor has allowed data transfers between the EU and the
US.
• Companies self-certify compliance, which has never been popular in Europe.
• Negotiations are continuing to safe the Safe Harbor.
18
The Coming Conflicts
• EU General Data Protection Regulation (GDPR)
• Microsoft Dublin Warrant Controversy
19
The Coming Conflicts EU GDPR
• Change from Directive (Directive 95/46/EC) to Regulation (GDPR)
• The goal is to harmonize the laws of the 28 EU Member States
• Harmonizing the laws would make international business easier, but the GDPR
in its current form would create more substantial differences with the US.
• Right to be Forgotten/Right of Erasure—a major issue, but in May 2014, the EU
Court of Justice held in Google Spain that the Right to be Forgotten exists
under the current Directive in certain circumstances.
• International Transfer of Personal Data
• Data Breach Notification—Change from 24 hours to “without undue delay.”
• European Council must still approve.
20
The Coming Conflicts Microsoft Dublin Warrant
• In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by
Microsoft Corp. (S.D.N.Y. 2014)
• US court holds a warrant for email data stored is Dublin is valid under the US
Stored Communications Act of 1986 because the data are controlled by
Microsoft in the US—despite being stored in Ireland.
• Microsoft—supported by tech companies—is appealing to the US Court of
Appeals for the Second Circuit, arguing that it does matter where the data are
stored and that the US does not have authority to data stored in Ireland.
• If upheld, it could be a major blow to US tech companies. 21
Key Takeaways• Take ownership of the issue
• Know what data you are collecting and why
• The less you collect the more secure you are – the more you collect the richer
the data source – get the balance right
• Clearly define PII and non PII
• Figure out a Data Loss Prevention (DLP) strategy
• Know what laws impact your organization – does data travel overseas?
• Clear house – don’t just keep data because you can
• Take a scenario based approach – what are the scenarios for your
organization?
22