Playing in the Big (Data) Leagues: Consumer Data, Mining Data, Privacy & Compliance
Presented by Charlie Bingham, Legal and Corporate Affairs - Enterprise Partner Group, Microsoft Corporation (with panel; see transcript below)

Upload: stella-lawrence

Post on 18-Jan-2018

TRANSCRIPT

Playing in the Big (Data) Leagues: Consumer Data, Mining Data, Privacy & Compliance

Presented by:
- Charlie Bingham, Legal and Corporate Affairs - Enterprise Partner Group, Microsoft Corporation
- Rachel Reid, Senior Counsel and Chief Privacy Officer, Voya Financial
- Cassie Sadowitz, Deputy General Counsel, Jacksonville Jaguars
- Danielle Vanderzanden, Shareholder, Ogletree, Deakins, Nash, Smoak & Stewart, P.C.
Moderated by Emily Roisman, Attorney

Agenda
- Phenomenon of Big Data
- Information Privacy and Data Security: Why Do They Matter?
- Preventing Breaches
- Statutory Landscape
- Data Capture Concerns
- Data Sharing Risks
- Prevention, Compliance, Training and Development

Phenomenon of Big Data
- Every day, we create 2.5 quintillion bytes of data
- 90% of the data in the world today has been created in the last two years alone
- Big Data comes from everywhere:
  - Sensors used to gather information
  - Posts to social media sites
  - Digital documents, pictures, music and videos
  - Online transactions and mobile devices

Phenomenon of Big Data
Every minute:
- Facebook users share nearly 2.5 million pieces of content.
- Twitter users tweet nearly 300,000 times.
- Instagram users post nearly 220,000 new photos.
- YouTube users upload 72 hours of new video content.
- Apple users download nearly 50,000 apps.
- users send over 200 million messages.
- Amazon generates over $80,000 in online sales.

Phenomenon of Big Data
In the Media and Entertainment Industry, Big Data allows companies to:
- Analyze trends, classify fan engagement, and identify triggers of churn
- Create audience profiles based on demographics, behavior, and brand affinity
- Understand program preferences and dynamic advertising opportunities
- Predict program viewership and recommend program and ad placements

Information Privacy & Data Security: Why Do They Matter?
Information Privacy (policy):
- Interpret laws & regulations to establish requirements
- Establishes Privacy Policy as basis for Program
- Determine who can access what data
- Determine how data can be used
- Provide individual choices
- Determine data retention cycles
Data Security (technology):
- Technology enabler based on established requirements
- Controls access to information based on policy
- Implements authentication measures
- Limits use of information
- Monitors logs & reports on security
- Use technology to control choice

Information Privacy & Data Security: Why Do They Matter?
Information Privacy refers to the authorized and appropriate use of customer/consumer data. Typically, Information Privacy issues involve:
- Data Use
- Data Location
- Data Access
- Data Ownership
- Data Sharing with 3rd Parties

Information Privacy & Data Security: Why Do They Matter?
Data Security refers to the confidentiality, availability and integrity of customer/consumer data. Typically, Data Security issues involve:
- Trade Secrets
- Personally Identifiable Information
- Integrity and availability of business-critical systems

Information Privacy & Data Security: Why Do They Matter?
- No company wants to end up on the front page of the news for a data breach!
- Enterprise Risk and Brand Management!
- Customers and consumers need to be able to trust that their information is safe and will be used only for their benefit!

Big Data - Breaches
- Due to the value of Big Data, cyber security attacks are inevitable
- It's not if but when there is a cyber security threat
- Symantec's 2014 Internet Security Threat Report highlights a 91% increase in targeted attacks and a 62% increase in the number of breaches
- Just a few well-publicized breaches/security incidents:
  - Ashley Madison: 37 million records
  - Anthem: 80 million records
  - Office of Personnel Management: 21.5 million records
  - Sony: 100 terabytes
  - IRS: 330,000 records
  - Home Depot: 56 million records
  - Target: 70 million records
  - Adult Friend Finder: 3.5 million records
  - United Airlines: 10 million records
  - eBay: 145 million records

Big Data - Breaches
Data Breaches may lead to:
- Millions in settlement fees with victims
- Millions in notification and credit monitoring costs
- Brand damage
- Loss of jobs
- Disclosure of sensitive company data
- Embarrassment
- Civil and criminal fines
Data Breaches have led to:
- Recall of 1.4 million vehicles to block hacking
- Resignation of CEO/35-year employee
- Resignation of Agency Chief
- Termination of CIO
- Disclosure of trade secrets
- Disclosure of embarrassing company information
- Alleged suicides

Poll: Who's in our Audience?
- Public or private company
- Multi-dimensional privacy team or single person
- US-based operations only, or Canada / EU / Asia Pacific
- Incident response plan in place
- Multiple outside legal resources in case of ethical conflict
- IT Security Budget
- Data map
- Logging

Poll: Who's in our Audience?
- Plans for business and personnel continuity in event of attack
- Third party/vendor due diligence
- Insurance
- Multiple outside technical and legal teams in case of conflict

Statutory Landscape
Evolving Compliance Challenges: statutory and regulatory schemes
- HIPAA
- ECPA
- COPPA
- CAN-SPAM Act
- PCI-DSS
- FCRA
- International Issues

Statutory Landscape
International expectations differ:
- Canada
- EU focuses on 6 issues
- Asia Pacific

Statutory Landscape
Domestic Enforcers:
- FTC: broad power under Section 5 of the FTC Act
- FCC: generally in partnership with the FTC, related to telemarketing and marketing
- CFPB & Office of the Comptroller of the Currency: authority over specific groups of financial institutions
- HHS OCR: enforces HIPAA
- Dept. of Commerce & Transportation: share responsibilities under the Safe Harbor agreement controlling data transfers between the U.S. and the EU
- State Attorneys General: enforce their own state laws, and failure to comply with federal laws

Data Capture Concerns
- What, why and how do you collect data?
- Who collects on your behalf?
- Do you collect and share?
- Where and when do you store collected data?
- Consider statutory and regulatory issues:
  - TCPA, COPPA, CAN-SPAM, HIPAA
  - PCI-DSS, IRS 1075 Safeguards, FERPA
  - FISMA/FedRAMP, ISO 27018

Data Capture Best Practices
- Collect only what you need
- Keep only as long as necessary
- Identify what you collect
- Define usage accurately
- Provide conspicuous, comprehensible notice

Data Capture Best Practices
- As collection practices change, adjust notices, policies and practices
- Update data collection forms regularly (hard copy and electronic)
- Comply with applicable requirements

Data Capture Best Practices
- Avoid collecting keystroke data
- Protect site from malware
- Provide conspicuous website notice
- Hyper-notify regarding behavioral tracking
- Comply with applicable requirements

Data Sharing
Data sharing refers to the exchange of data among:
- People
- Technologies
- Organizations
Examples:
- Social Media
- Vendors/Sponsors
- Customers/Researchers

Data Sharing - Pillars
- Confidentiality
- Integrity
- Availability
- Notice

Data Sharing - Best Practices
- Detailed data protection/processing agreements
- Data indemnity licenses
- Due diligence and audit programs
- Robust disclaimers in:
  - Terms and conditions of use
  - Marketing materials

Data Sharing - Best Practices
- Protocols for secure storage and transmission
- Database management
- Specificity regarding use, ownership, and access
- Waivers and registration

Data Sharing - Best Practices
- Incident notification and response processes
  - State data breach notification laws
  - HIPAA
- Notify law enforcement and credit reporting bureaus as required
- Provide identity theft protection
  - As required
  - To protect goodwill

Data Sharing - Best Practices
- Review third-party service provider agreements
- Accurately describe privacy, security and integrity of user information
- Audit regularly and take remedial measures

Data Sharing - Best Practices
With third-party SaaS, IaaS and PaaS vendors:
- Share security and privacy responsibilities
- Establish detailed agreements
- Address access to customer data issues
- Verify compliance independently
- Check for appropriate certifications (SOC, FedRAMP, PCI-DSS)
- Apply EU model clauses
- Follow ISO best practices

Prevention, Internal Compliance, Training and Development
Collaborate with Marketing and Data Analytics to provide training:
- TCPA; CAN-SPAM; CASL; FTC Guidelines
- Explain legal background
- Provide prospecting guidelines
- Address social media issues
  - Navigating social media platforms' TOU
  - Your company's privacy notice, privacy policy and TOU

Prevention, Internal Compliance, Training and Development
PCI Compliance:
- Establish internal controls/processes for transactions
  - Ticketing
  - Vendors
  - Live chat
  - Phone
- Conduct internal audits

Prevention, Internal Compliance, Training and Development
- Implement and enforce protective policies
- Develop administrative, technical and physical safeguards for data
- Restrict access to sensitive data and transmit securely
- Update protective measures as technology develops

Prevention, Internal Compliance, Training and Development
- Designate accountable employees
- Provide comprehensive employee training
- Use portable devices safely and guard them zealously
- Surf and communicate electronically in a responsible manner
- Security program must evolve with business

Prevention, Internal Compliance, Training and Development
- Remediation
- Document preservation
- Legal consultation and privilege issues
- Public relations