Pubcon Privacy Legal Presentation by David Mink
1. Privacy Law Developments Handling the sensitive personal information of others: a high-stakes venture.
2. Hypothetical Your office is broken into and several company files and company computers are stolen… Sensitive personal information (“SPI”) of your customers is included in these files/computers…
4. Nevada
1. The current law took effect on October 1, 2008 and requires that “a business in this state” encrypt a customer's personal information before transmitting it. On January 1, 2010 the law will expand to also require encryption when data storage devices containing SPI are moved beyond the physical controls of the business.
2. The law does not define “business in this state”, “customer” or “personal information”, so we do not know whether these terms are limited to Nevada residents. Therefore, the law appears very broad on its face.
3. Encryption is defined broadly as “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
A. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
B. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
C. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.”
Note that this definition counts mere encoding as encryption, so satisfying the statute on its face does not guarantee that stolen data is actually unreadable; treat the law as a floor, not as a security standard.
8. Real Risk is the Damage to Brand Image: What is the value of your brand’s image? “It takes many good deeds to build a good reputation, and only one bad one to lose it.” -Benjamin Franklin
9. Security Breach = Brand Damage In today’s world, handling people’s sensitive personal information is a high-stakes venture.
10. Best Privacy Practices
1. Review the SPI you collect and the residencies of the individuals you collect it from.
2. Is it necessary both to collect and to store the SPI? Or to transfer it electronically?
3. If so, where do you store the SPI? Do you send it to any third parties?
4. Review your Privacy Policy to make sure it is consistent with your actual practice of collecting and storing data.
5. Take inventory of how the data is protected. Should it be encrypted?
6. Do you have a “comprehensive information security plan”? What about third parties with access to the SPI?
11. David Mink Dream Systems Media, Owner/Counsel http://www.dreamsystemsmedia.com @dmmink on Twitter