AIIM 2015 - Data Privacy
1. Data Privacy: The Coming Conflict
Alan Pelz-Sharpe
Research Director Social Business Applications
2. 451 Research is an information technology research & advisory company
Founded in 2000
350+ employees, including over 100 analysts
1,000+ clients: Technology & Service providers, corporate
advisory, finance, professional services, and IT decision makers
25,000+ senior IT professionals in our research community
Over 52 million data points each quarter
4,500+ reports published each year covering 2,000+
innovative technology & service providers
Headquartered in New York City with offices in London,
Boston, San Francisco, and Washington D.C.
451 Research and its sister company Uptime Institute
comprise the two divisions of The 451 Group
Research & Data
Advisory Services
Events
4. Research Channels
A combination of research & data is delivered across fourteen channels aligned to the prevailing topics
and technologies of digital infrastructure… from the datacenter core to the mobile edge.
5. Why Data Privacy?
• Emerging and Invasive Technologies
• Data Breaches
• Legal and Regulatory Challenges
7. Why Data Privacy? Emerging and Invasive Technologies
• Aliases
• Private email address
• Devices
• Locations
• Friends & associates
• Work email address
8. Why Data Privacy? – Personal Data is broader than you think
• Social network posts
• IP addresses
• Photographs
9. Basics – PII (Personally Identifiable Data)
What do I have?
• Why do I have it?
What am I collecting?
• Why am I collecting it?
How long should I keep it?
• How do I dispose of it?
10. Basics - Security
How have I secured it?
• Granular or a blanket approach?
Who accesses it?
• Should they be accessing it?
How do I know if I lose it?
• What do I do if I do lose it?
11. Why Data Privacy? – Data Breaches
• Difficult problem. Not if companies will be hacked, but when.
• US law is difficult—47 different state laws plus District of Columbia
• What is a reasonable legal requirement for data breach notification?
• Too many notices, and you have the Boy Who Cried Wolf problem of people
ignoring them.
• EU is considering data breach notification regulations as part of GDPR.
12. The Current Conflicts
• September 11 and the USA PATRIOT Act
• The NSA-Snowden Controversy
• Conflict of Cultures, Definitions, and Laws
13. The Current Conflicts September 11 and the USA PATRIOT ACT
• Laws in many nations would trigger government data demands in response to
a (real or perceived) threat to national security.
• “Don’t put your data on US servers” argument is somewhat of a red herring.
• September 11 and the PATRIOT ACT are perfect illustrations of the ‘Privacy vs.
Security’ dilemma.
14. The Current Conflicts – NSA-Snowden
• Like the PATRIOT Act, the NSA-Snowden controversy illustrates the ‘Privacy vs.
Security’ dilemma.
• Was the PATRIOT Act really a red herring? The NSA-Snowden controversy
has been a giant ‘We told you so’ for many around the world who argued the
USA PATRIOT Act was the manifestation of the Orwellian nightmare.
15. The Current Conflicts
• Freedom of Information versus Right to Privacy
• US First Amendment Freedom of Speech
16. The Current Conflicts
Different Definitions
• Personally Identifiable Information (PII)—In 2010, the US Government’s Office of Management
and Budget (OMB) stated, “The definition of PII is not anchored to any single category of information
or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can
be identified. In performing this assessment, it is important for an agency to recognize that non-PII
can become PII whenever additional information is made publicly available—in any medium from
any source—that, when combined with other available information, could be used to identify an
individual.” See also US National Institute for Standards and Technology (NIST) definition.
• Personal Information—Mexico has a broad definition, including any information concerning an
individual.
• Sensitive Personal Information—For instance, in Argentina, it includes ethnic or racial origin,
political opinions, union membership, philosophical, while in Finland, it includes criminal sanctions
and the receipt of social welfare.
18. US-EU Safe Harbor Framework
• Although US does not meet the minimum standards required by the 1995
Directive, the Safe Harbor has allowed data transfers between the EU and the
US.
• Companies self-certify compliance, which has never been popular in Europe.
• Negotiations are continuing to save the Safe Harbor.
19. The Coming Conflicts
• EU General Data Protection Regulation (GDPR)
• Microsoft Dublin Warrant Controversy
20. The Coming Conflicts EU GDPR
• Change from Directive (Directive 95/46/EC) to Regulation (GDPR)
• The goal is to harmonize the laws of the 28 EU Member States
• Harmonizing the laws would make international business easier, but the GDPR
in its current form would create more substantial differences with the US.
• Right to be Forgotten/Right of Erasure—a major issue, but in May 2014, the EU
Court of Justice held in Google Spain that the Right to be Forgotten exists
under the current Directive in certain circumstances.
• International Transfer of Personal Data
• Data Breach Notification—Change from 24 hours to “without undue delay.”
• European Council must still approve.
21. The Coming Conflicts Microsoft Dublin Warrant
• In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by
Microsoft Corp. (S.D.N.Y. 2014)
• US court holds a warrant for email data stored in Dublin is valid under the US
Stored Communications Act of 1986 because the data are controlled by
Microsoft in the US—despite being stored in Ireland.
• Microsoft—supported by tech companies—is appealing to the US Court of
Appeals for the Second Circuit, arguing that it does matter where the data are
stored and that the US does not have authority over data stored in Ireland.
• If upheld, it could be a major blow to US tech companies.
22. Key Takeaways
• Take ownership of the issue
• Know what data you are collecting and why
• The less you collect the more secure you are – the more you collect the richer
the data source – get the balance right
• Clearly define PII and non-PII
• Figure out a Data Loss Prevention (DLP) strategy
• Know what laws impact your organization – does data travel overseas?
• Clear house – don’t just keep data because you can
• Take a scenario based approach – what are the scenarios for your
organization?
instant gratification > depth, hard hitting > depth, speed, coffee break > ride home, 10 minutes/30 minutes/one hour, speak up in a meeting > run the meeting
----- Meeting Notes (3/19/15 07:13) -----
--These technologies change the way people communicate and thus, the way personal information is transmitted.
--Social Media have changed people’s sensitivities about what is private, and research shows many people don’t realize how much personal data they share.
--Additional inadvertent disclosure of information, e.g., ‘fat finger syndrome’
--If you want to throw in a legal case, you could mention the US Supreme Court’s mobile phone decision from last year in Riley v. California, which illustrates how technology has changed how the law handles private data (and you’ve got the link to my report).