Wednesday, December 31, 2014

Cloud Computing is like online dating....

Cloud computing, incorporating Platform, Software, and Infrastructure as services (PaaS, SaaS, IaaS), has long been a topic of discord and interest. I think that I am an anomaly among privacy professionals in that I embrace cloud technology and have since I first faced it as a privacy officer in a work environment.

Why?

Because cloud technology offers advantages to enable entities to focus on their core business. It, being cloud technology, offers the ability to scale, store, be faster, stronger, and leap tall buildings in a single bound - well, okay, so you may not be able to successfully do everything, but it sure opens possibilities.

It is not a magic pill, but it is (hopefully) a long-term relationship.

Online dating. I met the love of my life that way, and so far, we have been just ducky!



1.   Once you decide to enter the online dating field, do your research. What do you want out of it? How much do you want to put into it? What is your risk and your risk appetite? How much of yourself are you willing to share?

2.   Create a profile of what you are looking for. What do you want your new partner to look like, act like? What are their specialties? How much do they make? Are these preferences or hard lines?

3.   Go live and enter the field! Don't get excited, this is by far not your last step.

4.   Now you start screening with the information that the potential mates have made available. You may not like what you see, so those are easy enough to screen out. But if they look attractive/sound appealing, be careful. They don't deliberately put out bad information.

5.   Here is where you make a decision - do you start talking to all of those who are appealing? or do you do further research?  It depends on whether you want the experience of getting to know a wide range of vendors or if you are sincerely just focused on finding the right partner for a specific, identified need. (I don't judge here - it's your need.)

6.   Once it looks like you may have found the perfect mate or at least a few potential ones who could be your perfect mate, meet them in person. Look past the courting to the substance; but do make sure they do the fancy courting - you deserve it. If they cannot afford it, find out why. But don't discount the poor ones, just because they are poor. Ask the hard questions.

7.   Narrow down your selection and get to know each of them intimately (again, no judging. your level of intimacy is your choice.) Put them through a trust test. Introduce them to your friends and family (key stakeholders, compliance, etc.).

8.   Meet their friends and family - and importantly, their current and former mates. You really do not want this to be a monogamous relationship. If their entire business or a significant portion of it depends on one mate, then they may not survive the loss of that mate. In this, polygamous love is a good thing.

9.   Heart, head, or gut... Make a choice. I recommend going with the head over the heart, but sometimes the gut also works. Seriously, this choice should not be made lightly. Bring all of your evaluation tools to bear and be skeptical.

10.   Have an exit strategy. Make sure your prenup is strong. Hopefully, you never need it, but be prepared for the worst.

Good luck and may the goddesses of love and clouds be on your side.

Thursday, November 6, 2014

oh no - a high school student asked me to explain what I do in privacy law...

Today, a high school student I mentor asked me to explain my job and privacy law...so I did. My response is below. It may not be academically extraordinary, but it gets the basics...

So in privacy, there are two approaches in law - the U.S. way and the rest of the world. The U.S. approaches privacy from a sectoral basis - you get a right to privacy of your information depending on the sector. Patients have HIPAA. Students have FERPA. Financial/banking/credit card customers have FCRA, GLBA, etc. A lot of acronyms - but the acronyms are not important. The key is that there is not a general right to privacy of your personal information. Almost all states, however, have data breach laws. So they are not privacy laws per se, but rather if certain protections are in place, a breach may not require notification to individuals, state authorities, regulators, etc. Therefore, many companies put in these protections which results in some privacy protections. 

The rest of the world, which is not all countries, but a whole lot of them, protects personal information on all people. In Europe, privacy is a fundamental right. Health information may be subject to more stringent protection, but not because of a law like HIPAA, but because health information is more sensitive - but so is ethnicity, banking information, etc. The European Economic Area has data transfer requirements, which mean that personal information is not permitted to cross the European borders unless certain protections are in place. The EU assesses other countries' laws to see if their data protection laws meet the EU standards - if so, the country is deemed adequate and data can be transferred from the EU to that country. Only 14 countries have received an adequacy determination, meaning all other countries have to use a data transfer mechanism. Moving data across the borders does not just mean physically, it also means electronically. So a European accessing their email while outside Europe is actually transferring data across the borders. When you consider that many companies operate across EU borders (Facebook, Google, Yahoo, LinkedIn, Microsoft, etc.) then you understand how significant this is. So the US worked with the EU to create the EU-US safe harbor. US companies can self-certify to a set of standards and be deemed adequate like a country would be. The EU regulators are starting not to like this process, especially in light of the Snowden and NSA scandals last year. But - over 3000 US companies follow this. If you follow the news, you will see a lot about EU data issues involving the "Silicon Valley" companies - it comes down to a difference in philosophy about how personal data is handled. So it would hurt commerce between the US and EU if the safe harbor was eliminated.

The other transfer mechanisms are traditional ways (model contract clauses, consent, etc.) which are burdensome to manage, track, review, and actually use on a practical level. The mechanism we went with is the BCRs: Binding Corporate Rules. This mechanism is like the gold standard for data transfers, because a company must develop policies to protect personal data on many different aspects - only collecting what is strictly needed, protecting individuals' rights to access and correct their data, deleting data when no longer needed, training personnel, etc. The data protection authorities in Europe have to review your application and approve it. It is quite lengthy and time-consuming - not to mention what it takes to put all the policies in place to begin with. When we started the process in 2012, there were only 19 companies in the world who had taken this step. We were approved (EU calls the success as a closed application) this year and there are 60 companies approved now. 

Many other countries have data protection laws, but they differ in many aspects - even though there are foundational similarities. The EU is considered to have the most stringent multinational privacy laws. The Asia Pacific countries are currently very active in creating and improving their privacy laws and South America is also really building some impactful laws, too. Canada and Mexico have really strong privacy laws - and I mention them because they border the US. What companies do in the US, they usually also roll out to Canada and sometimes Mexico. But the privacy requirements are quite different between US and Canada - and US and Mexico.

... and that is a primer in global privacy law. :)

And yes, I have people that ask exactly what do I do that occupies me 40 hours a week. It's so funny if it weren't so sad. I have plenty to keep me busy! 

Wednesday, August 13, 2014

Implementing a Global Whistleblowing Program

Last month, I co-presented a short webinar with Jana Anderson, Partner, Foley & Lardner on implementing a global whistleblowing program with the Health Law Committee of ACC. If you are a member of the Association of Corporate Counsel, you can download the slides and materials here.

You may be asking yourself, why is a privacy attorney speaking to whistleblowing?

Believe it or not, many of the impediments to an effective (and legal) whistleblowing program are related to privacy laws and/or underlying privacy reasons.

Here are some of the highlights:

What is a whistleblower?

  • Ralph Nader coined the phrase in the early 1970s to avoid the negative connotations found in words such as “snitches” or “tattle-tales.”
  • Whistleblowers report perceived violations of a law by an entity (govt., private, educational, etc.) 
  • Whistleblowers are typically employees due to the need for insider knowledge. 
    • Internal – acts within entity to prevent/report violations 
    • External – reports externally, reward system 

Recent cases:

  • Medtronic Inc.’s recent settlement involved a business development manager as the whistleblower, who will receive $1.73 million as part of a $9.9 million settlement. 
  • Omnicare’s recent FCA actions involve a former collection manager and a former customer support employee as whistleblowers. 
  • Halifax Health Medical System’s recent Stark settlement for $85 million was a result of a qui tam suit brought by a former compliance officer for the system. 

The views on whistleblowing between the U.S. and other countries are vastly different. Here in the U.S. we view it as the right to keep businesses honest, to expose fraud, and to enforce compliance. Other countries view it as betrayal and that the U.S. is trying to govern business in their countries.

The laws that impact a global whistleblowing program fall into six categories. (I give credit to the fabulous Don Dowling, Jr. of White and Case for his work in this area. Most of my knowledge in this area comes from intense study of his work.)

The six areas of laws that should be evaluated when implementing a global whistleblower program:
  • Mandating whistleblower procedures specifically
  • Requiring disclosures and cooperation with authorities
  • Restricting reporting hotlines (most especially anonymous reports or minor misbehavior)
  • Retaliation laws
  • Laws around internal investigations
  • Laws silent on whistleblowing, but programs possibly triggering data protection laws or work rules

Most of the legal implications are in Europe, which is no surprise given their fundamental right to personal data privacy.

Global whistleblowing programs fall into one of these categories:
  • One global program 
    • Meet both US law requirements and EU restrictions 
  • Two hotlines 
    • one in EU (meet SOX and most conservative EU country); another everywhere else 
  • Tailored hotlines to each local jurisdiction 
  • No EU hotline 
  • Informal EU reporting 

Last, a short checklist to implementing a global whistleblowing program (drawn heavily from Mr. Dowling's work):
  • Pay attention to EU particularly 
  • Check whistleblowing laws and privacy laws 
  • Disclose hotlines where required 
  • Secure data (calls, reports, investigations) 
    • That includes destroying the file after investigating 
  • Adhere to data transfer requirements 
  • Limit reporting topics to ensure proportionality
    • several nations only permit reporting of potential major criminal activity
    • Have routing for other reports that are not major crimes to a less formal process
  • Enable alternate reporting channels 
    • phones, emails, supervisor, HR, online
  • Do not encourage anonymity 
    • if you cannot bar anonymous in applicable countries, at least do not encourage or advertise it
  • Have a list of due process rights for accused 
  • Translations and multi-lingual operators should be easily available
  • Verify compliance, knowledge, capability of hotline vendor 

Friday, August 1, 2014

Sensitive PII - a shout out from Dan Solove

This blog entry by Dan Solove references information that I compiled about sensitive PII - that I also discussed briefly yesterday on this blog. Happy reading.

Wednesday, July 30, 2014

Sensitive Personal Information

Personally Identifying Information ("PII") is often defined by law. In the U.S., this generally occurs in sectoral law, such as the Health Insurance Portability and Accountability Act ("HIPAA").

But PII has layers, like an onion a la Shrek. There is your regular everyday PII, such as name, date of birth, and address. Then there is sensitive PII and sometimes even highly sensitive PII. These distinctions are generally found in countries other than the U.S. In addition, where sensitive information is being collected, there are generally laws or rules around having clear consent of the person to collect it as well as how this information can be stored, shared, used, transmitted, and protected. Let's explore these definitions and where they can be found.

For this exercise, I relied heavily on two publicly available resources:
What I am looking at here is what is considered sensitive PII ("sPII"). The laws or rules may not include a category of data called "sensitive personal information." For these purposes, if there are requirements to protect certain data at a higher level, then we will consider it "sensitive."

The typical definition of sPII, if there is such a thing, is: racial and ethnic origin, political opinions, religious, philosophical or moral beliefs, labor union membership, and information concerning health conditions or sexual habits or behavior. 

Most countries with a definition of sPII explicitly include the elements listed above or some statement in the law that anything that would cause discrimination against the person or that the government would consider to be private information. 

The European Union, in general, uses the definition above - they actually set the standard as the strongest multi-national privacy laws in the world. Some of their countries add criminal records, proceedings, and/or investigations to sPII. Switzerland goes a little further and includes social welfare programs along with government identifiers.

Argentina and the Republic of Turkey also use the definition above. Russia and Chile use most of the standard definition, but do not include trade unions.

Australia and Hungary build on the standard plus criminal definition above, but both add membership in a trade association. A trade association is like the American Medical Association, where individuals voluntarily or perhaps are required to join based on their profession. Interestingly, Hungary specifically includes "abnormal addictions" as sPII. Australia adds biometrics.

Speaking of biometrics, two other countries list that as sPII, along with the standard plus criminal elements: the Czech Republic and Azerbaijan. However, Azerbaijan goes on to include social welfare, domestic violence, taxes, marriage or family matters, and child adoption. Likewise, the Philippines take sPII to a more detailed level. In addition to the standard plus criminal definition, the Philippines add taxes, family or marriage matters, age, education, and government issued numbers.

Some of the more economically active Asian countries are strengthening their privacy laws. Commonly, these countries may not define sPII, but they do include general provisions that private data either is prohibited from being collected or deserves greater protection, without necessarily listing examples of sPII. These nations include China, India, Indonesia, Japan, Malaysia, South Korea, Thailand, Taiwan, and Vietnam. Vietnam includes taxes and financial account information, while Japan includes financial data, marriage and family matters, social status, and registered domicile. India includes biometrics and passwords. South Korea includes unique identifying numbers, such as passport numbers.

Although respect is a common foundation for privacy, many of the privacy protections in the Asian region are centered on this concept. An individual's personal information is expected to be respected and therefore, protected. So in many cases, sPII is simply afforded the same protection as regular PII.

A few other countries also do not necessarily define sPII, but require a judgment call on private information: Canada, Colombia, Egypt, Israel, and Mexico. Thus, everything discussed in this entry could be considered sensitive. (oh, Israel considers information about one's personality to be sPII.)

And last, keep in mind, in nearly all cases if there is something not specifically listed in the law that would be discriminatory to the individual or disclose highly personal information, you should err on the side of caution and protect that information.








Thursday, July 3, 2014

EU Approves Align Technology, Inc. as BCRs Enter Their "Golden Age."

From the IAPP

Medical device manufacturer one of just a handful to get approval as both controller and processor

June 26, 2014
By Angelique Carson, CIPP/US

With Safe Harbor constantly under fire, the binding corporate rules (BCR) process is becoming an increasingly attractive way for companies to ensure their ability to transfer data out of the European Union. This week, Align Technology, a U.S. medical device company, entered an exclusive club when its BCR application as both a data controller and a data processor was approved by EU data protection authorities.

As K Royal, CIPP/US, CIPP/E, Align’s first dedicated privacy officer, can tell you, it wasn’t an easy process, but she’s confident it’s been time and money well spent.

Despite various champions’ sweat-inducing work to keep Safe Harbor afloat, it’s becoming increasingly difficult to find days of the week that don’t feature headlines from one side of the pond or the other on its impending doom. While the U.S. Department of Commerce and regulators like the Federal Trade Commission’s Julie Brill have indeed invested time and resources in quelling Europeans’ skepticism (at best) or downright distrust (at worst) of the data transfer mechanism, the Snowden revelations’ significant impact on any trust Europeans had in the U.S. on data protection and privacy can’t be denied by anyone who’s been paying attention.

So while EU Justice Commissioner Viviane Reding and her team conduct a review of Safe Harbor and the European Court of Justice prepares to rule on its scope, companies hoping to seal international deals aren’t taking chances. For that reason among others, BCRs are becoming an increasingly attractive alternative, as promoted recently by Eduardo Ustaran, CIPP/E, in his blog post, “Five Reasons To Do BCRs Now.”  

Align Technology brought on Royal just as the European government was setting forth its plans to update the European data protection regulation. Align had just gone through an internal privacy review and was looking to improve its privacy program. While the U.S.-EU Safe Harbor agreement was the initial plan, Align soon realized a BCR regime would establish compliance with a multitude of privacy laws in one fell swoop—COPPA, HIPAA, etc. With the ability to register as both a controller and a processor under the BCR framework established in 2012, Royal and her team were among the first to wind their way through the process.

Making the Case for BCRs at Your Company

No, it wasn’t easy, Royal admits. It took a year to negotiate the terms, and Royal had to be creative in how she would effect change at Align in order to satisfy the BCR requirements.  Plus, she was new at the company, and she had a lot to learn—from the ground up—about how Align’s processes worked.

The good news was that Royal’s case for BCRs was supported by Align’s executives and board of directors, who understood that while other data transfer mechanisms might be easier to implement, they were looking for the “right” solution, and not necessarily the easiest one.

“Privacy departments typically don’t get big budgets or lots of project time,” said Royal. “If you want a project done or you approach to change a system, privacy is not generally high on the business priority list.”

She had some help, though.

The HITECH Act was in play, for example, which applies to business associates like Align. Couple that with the Snowden revelations and a flurry of massive breach headlines within the last year or so, and Royal had a case. 

“The more bad news other people make, the better it is for those of us trying to get this done,” she said.

Bolstered by the headlines, Royal took sort of a backdoor approach to getting things done. Rather than try to dictate terms from the top down, she jumped on Align’s project team and worked with them from the start.

“Every project that went through, we used that opportunity to leverage or put in place more privacy,” she said. “We kind of built that in; we baked it into the portfolio.” For critical privacy projects, Royal says she had to prioritize projects in order to get the support she needed to get them done.

The BCR process was particularly difficult for Royal because of the company’s youth and aggressive forward march. The focus is innovation, making products better.

“We’re in the technology field, we’re in the medical device field, we’re regulated by the FDA,” she said, adding that the company acts “very much the way one imagines an innovative, technology-focused Silicon Valley company would act. The priorities are centered around the products,” and less about the policies that guide the product development.

But that’s where Royal came in.

She relied heavily on Align’s project engineers, its information security officer and the IT team. The process required weekly meetings, which was a heavy lift. Additionally, Align had previously developed a cross-functional team that serves as the Privacy Working Group.

In late 2012, Royal’s boss, the VP of litigation and regulatory affairs, flew to Europe to meet with the lead data protection regulators in person, feeling it would be a good thing to do early on.

“We said, ‘We want to do BCRs for processors,’ and they said ‘Here’s what to do,’” Royal said, adding that the in-person visit “really went far in helping us when the application came around.”

In the year between the date Align filed the BCR application and it being “closed,” multiple revisions were made to each of the policies submitted. But Royal said the lead European regulators who worked with Align—the Netherlands, as the lead authority, and the UK and Italy—took a very practical approach to the process and understood that the policies and procedures Align would promise to comply with may not be in place from the jump. It was more important to them that the wheels for such processes be in motion, rather than such processes be completely perfect.  

“For example, one policy states that we’ll train toward the BCR policies,” Royal said, but “you can’t train toward them until the policies are approved.”

The Golden Age of BCRs

Phil Lee, CIPP/E, CIPM, partner at law firm Fieldfisher, who counseled Align through the BCR application process, said BCRs are entering a “Golden Age” and for a couple of reasons. First, the Snowden revelations, after which his firm saw an “exponential uptick” in the number of applications for BCRs. Indeed, when Royal started the process for Align, she noted there were 19 companies approved for BCRs. When she’d completed the process, there were 53.

“With Safe Harbor, we’re getting clients who are making deals and having customers refuse to sign unless they do something other than Safe Harbor,” Lee said. “It doesn’t matter that Safe Harbor is still legal, they just don’t like it because they’re nervous about it.” He added that in particular, the cloud industry is reaching for BCRs.

Second, BCRs are so comprehensive, they aren’t only a data export solution, but the foundation for a global privacy program itself, capable of helping firms achieve compliance all over the world—beyond just the EU and U.S.

Want to Apply for BCRs? Take a Deep Breath

“Don’t be daunted,” Lee said. “BCRs are actually a very straightforward process to go through. The guidance is overwhelming and makes it appear far more daunting than it is.”

But the process has become increasingly streamlined as EU regulators have become more familiar with their shape. And besides, for companies who are employing responsible data protection policies, it’s more about capturing those policies in documented form.

Since Align has gained approval, Royal has been focused on doing personal training for every department at the company. Asked what advice she’d give to a company looking to go through this process themselves, Royal said privacy pros should leverage projects that are based on business needs rather than privacy alone.

Royal said BCRs had executive sponsorship and approval from the board, so when there were setbacks, she could leverage that executive approval.

“But you have to use that power sparingly and strategically,” she said. “Most projects were accomplished by finding where privacy fit within those projects based on business needs.”

Sunday, May 18, 2014

Why you should not sign everything put in front of you: HIPAA Business Associate Agreements


The Health Insurance Portability and Accountability Act of 1996 and its subsequent amendments ("HIPAA") includes the contractual arrangements between Covered Entities and Business Associates, and now downstream Business Associates, or subcontractors (under the Health Information Technology for Economic and Clinical Health Act "HITECH").

This entry presumes the reader has a basic knowledge of HIPAA, but if not, please see the above link for HIPAA.

Today, we look at the evolving and complicated nature of Business Associate Agreements ("BAAs"). These are the agreements mandated by HIPAA, and now HITECH, although the recent amendments and the preamble make clear that the requirements of HIPAA and the HITECH Act apply to a Subcontractor regardless of whether the Business Associate fails to enter into a contract with the Subcontractor. This is very important below when we cover some of the complications.

First:
HIPAA requires certain provisions to be covered in BAAs. Often, the Covered Entity will put in additional provisions, usually around indemnity, audits, breach notification timelines, and data protection minimums not required by HIPAA, such as encryption. These provisions are unduly burdensome, especially given the characteristics of most Business Associates - small operations. It is understandable why an entity would want to put these protections in place, but it may stifle the ability to outsource and place a strain on relationships.

Second:
It is understandable why the government wants to reach further than Covered Entities and have direct oversight of Business Associates. Think about it, Dr. Jones on the neighborhood corner may not have the wherewithal to properly secure data or to respond to breaches. Or given that the new provisions provide for the State Attorneys General to bring civil actions on behalf of state residents for HIPAA violations, for damages or to enjoin further violations. I once had a privacy attorney argue with me via email (which cc'd numerous colleagues) that HIPAA as amended by HITECH absolutely did not provide for a private right of action. Well, duh - but given that the states can now do so on behalf of its citizens...it is practically the same thing. But I understand, in the law, one must be precise.

Third:
Large organizations that are now clearly defined as Business Associates, according to the guidance issued with the final rules, at first stated they would not sign BAAs. Remember above, where the new rules provide for liability whether a BAA is signed or not...? Well, their refusal did not last long. See a discussion about Amazon Web Services here. What large providers who do not wish to be rolled under HIPAA have done is place administrative requirements on the Covered Entities or Business Associates which use their services, such as listing all accounts for which they have patient data. Many organizations are unable to fulfill these requirements. So what is the solution - sign something they cannot fulfill, or don't sign and HIPAA applies anyway? This is yet to be tested, but it is a popular conundrum.

Organizations should be careful about signing any old BAA placed in front of them. Watch your salespeople, too. They are likely presented individual BAAs when they show -  either the BAA does not apply or the employees are committing the company to a BAA without proper review. And this can be costly given the additional items that are in a BAA as discussed above.  And how can an organization signing tens or hundreds of BAAs possibly manage to push all the same provisions to downstream vendors? They conflict with each other - and Covered Entities need to understand that with the additions of clauses that are not required by HIPAA, they are setting their Business Associates up for failure.

Last, many small business owners that are Covered Entities do not understand HIPAA completely. Heck, neither do I. After a professional conference, Business Associates or potential Business Associates will be deluged with requests to sign BAAs. Sometimes, the exact same template is used, including with various clauses that include internal directions such as [choose one of the two clauses below]. It can be frustrating on all sides. Most individuals, however, are just trying to do the right thing. If a Covered Entity wants an organization to sign a BAA and the relationship does not exist, the organization can easily respond with a tight explanation. If still pushed, adding a line such as "This agreement only applies where the organization acts in the capacity of a Business Associate under HIPAA" will generally satisfy the needs of both sides. This is another untested, yet relatively popular strategy.

The conclusion here is that you should not sign everything put in front of you - or your employees. Educate all individuals to send the BAAs to a central office. Push back, or scale back, non-HIPAA provisions. It will be interesting to see how these natural conflicts play out in the next few years.



Tuesday, April 29, 2014

Hummingbirds and Platypuses: Terminology Matters

In the first grade, I was sent to second grade for math classes. I was five. I was close to the youngest person in my school for first grade (simply due to my birthday being in December), so many of my classmates were already a year older than I was, and second graders were two or more years older than that. One day, the teacher told us "No talking." So I whispered. My verbal logistics were well-rewarded with the only time-out I ever had in school. I explained that whispering is not talking, but she was having none of it. 

In a poorly worded segue, let's transition to a deposition. In 2010, an Ohio Supreme Court case contained a ten-page argument over the meaning of the word "photocopier" from a deposition of the head of IT of a county recorder's office. You can watch a verbatim reenactment of the transcript here. It is well worth the time, for attorneys, IT, or laymen. Both sides seem slightly ridiculous, but also logical.

Second poor segue alert (but stay with me...it all comes together): That is a problem we have with technology and law. We use terms that when in question can have minute differences that matter. The word makes sense. The concept makes sense. People generally understand what the intent is with the law, but when trying to determine whether a specific technology or its use falls within or outside the law, it becomes quite complicated.

For example, let's play off the transcript above. If there is a rule that a document cannot be photocopied - we know it means, no copying of the document, right? Or does it? Does it mean no photostatic copies - or no digital scanning? or who knows, someone may have an old carbon copying machine lying around just waiting to be used to circumvent the new rule.

Words have meaning and technology is testing the ultimate limits of the words used in our current laws. Courts do their best to interpret law based on its intent, but that intent can usually only be present if the way in which something functions can be imagined (Constitutional wording aside - that is a whole 'nother argument). And sometimes, if the intent can be inferred - or is even explicit - the wording of the law/rule/regulation/guidance is so ambiguous that the courts can do nothing but decide against what seems to be fair to a layman.

This is where data protection and privacy seem to reside. Technology and its resulting misuse far outstrips the incremental changes in law. We're not even talking cigarette boats vs. paddle boats. We're talking hummingbirds vs. platypuses (platypi was incorrect). They exist on the same world and breathe the same air, but they probably do not play well together - seriously, a platypus could squash the hummingbird, but the hummingbird moves too fast for the platypus to catch. Hummingbirds might not even notice the platypus exists! Hummingbirds are stunning to observe and need to keep moving. Platypuses need to be protected and well-grounded. One can absolutely exist without the other, but both need to co-exist with humanity. (wow, this analogy really works all the way through for technology and privacy.)

(and five-year-olds who play with words just might become attorneys.)


Tuesday, April 22, 2014

InBloom: Seeded before its time

Yesterday, inBloom (non-profit education software company) announced its plans to wind down operations over the next few months due to objections by parents and legislators. Adults became concerned about putting too much information into this database (400 fields), such as students' social security numbers, details about school withdrawals, and family relationships. This month, New York passed legislation prohibiting their department of education from providing data to aggregators (like inBloom).

In mid-November of last year, parents in New York petitioned for a restraining order against the state department of education preventing them from providing student data to inBloom. Parents cited that providing this information was a dramatic departure from the then-current practice and seemed to be taking steps backwards in terms of privacy.

inBloom describes its mission and goals as:
"a set of shared technology services that includes a secure, multi-tenant data store and middleware for identity management and data integration . . .  designed to help School Districts and State Educational Agencies provide educators, parents, elementary and secondary school students with learning data from many sources and connect them to relevant instructional resources to support personalized learning through inBloom. The service also helps State Educational Agencies in evaluating federal- and state-supported education programs."

The goal was to provide  "districts and states as a utility for them to more easily synchronize and transfer data, including student personally identifiable information (PII), across the various learning applications they deploy to teachers, students, and families."

So now it ends. inBloom is Out. 

But let's think about this for a few moments...

Is the population of the United States seriously considering the privacy rights of its vulnerable citizens? What?? This turns my privacy meter on its head. Since when did we care what information we share as long as no one gets hurt? What harm can come from this type of data aggregation? It's not like inBloom was going to turn over its education records to the department of child services to show that certain students had certain educational challenges - or home challenges that interfered with education. Data would not be misused or misinterpreted, right? Or shared with watchdog groups or even governmental agents who would put a spin on the data that might adversely affect students, families, school districts, or state funding, right?

Good googli moo

Thursday, April 10, 2014

Privacy: Don't let it go (our take on the ubiquitous song)

Information is shared around the world today
With a few data laws to be seen
One might wish for regulation
So do I, the Privacy Queen

Companies collect data like a swirling storm inside
Couldn’t keep them straight, heaven knows we’ve tried

Don’t let them in, don’t let them see
Be the private person you always want to be
Conceal, don’t reveal, don’t let them know
How much do they know?

Don’t let it go, don’t let it go
We can stop it furthermore
Don’t let it go, don’t let it go
Block cookies and slam the door

Someone should care
What they’re going to say
The argument rages on
Cause breaches don’t bother them anyway

It’s great how some countries protect personal data by law
And the companies that once controlled it can’t get to it at all

It’s time to see what we can do
To test the limits and break through
Do right, not wrong, pass data laws
For all

Don’t let it go, don’t let it go
Pass some laws and rules
Don’t let it go, don’t let it go
Scrap those data tools

Take a stand, the data stays
Let your rights rage on

Big data flurries through the web and into the ground
Information spirals in millions of bits all around
And one thought crystallizes like an icy blast
Data is rarely deleted – the past is never past

Don’t let it go, don’t let it go
New uses rise like the breaking of the dawn
Don’t let it go, don’t let it go
Once given, that data’s gone

Take a stand
In this big data reign
Should data brokers rage on?
Privacy never stopped them anyway



Thursday, April 3, 2014

Job Security?

In 2013 at the IAPP fall conference, Lisa Sotto (a renowned privacy and cybersecurity attorney with Hunton & Williams and member of the Board for IAPP) remarked during an open session to the attendees that if she heard one more person exclaim "Job Security" she might have to punch them - I may be paraphrasing. I think she was kidding. But she was not exaggerating the repetitiveness of the sentiment by the attendees.

Is there job security for privacy professionals?  Probably yes. Oh, what the heck - let's abandon the pretense of being objective: yes. Yes. YES!  The world of privacy and data protection is growing by leaps and bounds. And not just in one area of the globe. Privacy and data protection is growing everywhere.

You may recall the somewhat recent headlines containing words like Snowden, NSA, and leak. These headlines, or rather the actions behind them, have created some additional headlines involving European Union and the U.S. trade. I will not address whether Snowden is a hero or a traitor - or whether what he did is even right or wrong. The end result is that the European Commission and various data protection authorities seemed to question their faith in the U.S./EU Safe Harbor program.

I do not really believe that the EU will completely withdraw its determination in the adequacy of the Safe Harbor program if only because international trade would suffer tremendously. But on the other hand, I would not brush off their concerns either. Recently, the U.S. FTC Commissioner and the U.K.'s Information Commissioner signed a memorandum of understanding to work together to protect the privacy rights of consumers. Rather contemporaneously, the FTC initiated actions against 13 U.S. companies for violations of their safe harbor certification statements, as this author wrote about in an earlier post. So international cooperation is on the table and probably not disappearing anytime soon although there is a lot of work to be done.

Which segues rather nicely back to job security. Privacy is probably the hottest area of law right now, but privacy professionals cannot allow themselves to get cocky or complacent. We must be strategists and visionaries; we must foster understanding and better understand the business case; and we must see the trees and the forest. Privacy law is growing faster than any one person can track. There are multiple think tanks and watchdog groups dedicated to the topic.

I laugh - usually out loud - when I hear other compliance professionals complain that they run from fire to fire. We all do. It's the nature of compliance. I dream of a day when I am notified that some area is suffering a drought and we can proclaim a high alert for the potential for fire. And even ban burning. Ha. Are you following me in this analogy?  Privacy professionals are like the forest rangers on lookout towers. There is a lot of landscape to watch, we are usually alone, we have to track winds, investigate smoke, and be able to call the troops when needed....but only when needed.

It's not glamorous. It's a hard job, but someone needs to do it. In fact, lots of someones need to do it. 

If I were to counsel someone who was interested in either entering the privacy profession or growing within it, there are three things I recommend:

  • Learn the technical aspect of the job. Yes, there are Information Security Professionals who generally originate in IT, but it would benefit the privacy professional to learn to speak intelligently about the technology.
  • Partner with the Information Security professional. This person should be your other half. They need to respect your knowledge and be able to depend on you and vice-versa.
  • Never think you know it all or that you are an expert. There is simply too much untested in the courts and much too much being changed every day - from laws to technology. 

I would not proclaim job security except when joking. Half the time I am afraid I am failing at the job because there is so much to do. The other half does a victory dance when a co-worker knows what the letters PII mean. It's the small things that make me happy - and the big things that keep me employed.

Thursday, March 27, 2014

Lessons from The Butler

Recently, we watched Lee Daniels' The Butler.

This was one of those movies I knew I could not watch in a theater, so I had planned to watch it at home. It was worth the wait. Forest Whitaker was the lead playing Cecil Gaines. At a young age in the cottonfields of Mississippi (1926), he watched his mother pulled into a shed by the farm owner, a Caucasian guy. Cecil's father objected after screams were heard from the shed and was shot for his insolence. The elderly white landowner took Cecil into the house to train him as a house worker (not even for the purposes of this blog will I use the horrible word I heard so much growing up). He was told that when he was in a room, it should feel empty. After a few years, he left. He wound up working in a bar/restaurant that taught him to see what the customers want and provide it. Never be political. Never have an opinion. He then moved to a hotel in DC. Eventually, he was recruited for the White House during Eisenhower's term. He served through the Reagan term.

Throughout the movie, we also see the personal interactions with friends and family - his wife (played by Oprah Winfrey) who drank to cope, his oldest son who was a civil rights activist and often in and out of jail, and his youngest son who died in the Vietnam war.

So what lessons can we learn from the Butler?

Let's start with the premise of servants not existing - the room should feel empty. Many workers are unobtrusive. In fact, it does not even need to be a worker - people can be unobtrusive. Eventually, others forget or do not even notice they are there. It is an incredibly effective way to gain information. "Don't mind me...no one here....just discuss your deepest secrets." Can you imagine what this man learned serving the presidents, their wives, kids, the other politicians?  wow.

Some people perfect the art of listening and watching. Cecil learned to identify what the customers want and provide it before they themselves knew they wanted it. Discerning based on person, activity, mood, etc.

Gaines had issues with his wife who sometimes asked just for some little tidbit of inside information, like how many shoes Jackie Kennedy had. Gaines would not tell her. However, it came out that one of the other butlers did tell his wife small things. Gaines seemed to have an issue with that sharing, but there was no evidence that these "breaches" were reported. And later in the movie, he did tell his wife that Mrs. Kennedy had about 125 pairs of shoes.

One thing Gaines learned from the bar/restaurant was to have two faces: one you showed when at work and one for your personal life. As a butler, he was expected to show no emotion, preference, or opinion. Two faces. He came face-to-face with that effect, if you'll forgive both the pun and the redundancy, when he was a guest at a state dinner at the Reagans' behest. He was served by his co-workers and saw the face directed towards him. He did not like facing the reality of who he was and/or what others saw him as. He was forced to hide himself in order to work. Rather than a public face and a private face, he had a private face for work and a real face for private.

Gaines took pride in his work. From the shoes he polished to the people he served and protected. And he was humble as a person, proud of his work, and willing to stand up for the right thing. He made mistakes and learned from them.

So there were some lessons to learn in The Butler. Perhaps some of the greatest events of our history occurred or were made in the presence of some very discreet individuals, who might not have even been noticed or even considered persons with equal rights.

Interesting movie. Interesting times. Interesting.

Thursday, March 13, 2014

My Privacy Heroes

I haven't written in a while, so please forgive me. Privacy issues remain daily headliners and I have no excuse for not writing. First, last week, I was at the International Association of Privacy Professionals' Global Summit. It was sold out, which I think means a total of 3000 people attended. Wow.

I know, right? 3000 people from around the globe care about privacy. Yes, we are all dorks. But we're really cool dorks and have our own set of heroes and villains. Some of my own personal privacy heroes are listed below.

Dan Solove, John Marshall Harlan Research Professor of Law at the George Washington University Law School. He is a Senior Policy Advisor at Hogan Lovells. He is also the founder of TeachPrivacy, a company that provides privacy and data security training programs to businesses, schools, healthcare institutions, and other organizations. I had the privilege of getting to know Dan a little over the past two years and still have that little piece inside me that still squeals like a little girl simply because my privacy hero talks to me. The IAPP did a little blurb on me once (the link only works for those who log into IAPP, sorry) and soon thereafter, Dan sent me an email. Please understand that at the time, I probably had 5 articles and three books of his sitting on my desk. So I did a little happy dance before I calmly replied to him. I am happy to say that we have maintained a friendly relationship and I hope - I pray - to one day be on his level of competency.

Kirk Nahra, a partner with Wiley Rein, LLC. Kirk has been involved with IAPP, I think since its inception. He has been on the IAPP's Board of Directors several times and currently serves as editor of the publications. I do not remember if I met him at a Blue Cross forum in Colorado or at an IAPP event, but either way, we seem to cross paths often, just not often enough. He sends out privacy law updates and observations - and frankly, is simply my most favorite U.S. privacy attorney.

Cass Sunstein is currently a professor at Harvard Law School and is a scholar beyond reproach. This is the only privacy hero I have that I do not know personally and have not met. I was supposed to hear him last year at a conference, but my travel was cancelled due to weather. Oddly, I know more of him through my PhD program in Public Affairs than I do my privacy work. I would probably give my right kidney to talk with him for an hour or so (my right kidney is pretty shot, so that might not be a high enough payment).

So there is my list of heroes. I am not currently providing a list of villains, but let's just agree that most of them are corporate level, not individuals.

Tuesday, February 25, 2014

Cross-posted on IAPP
https://www.privacyassociation.org/publications/its_complicated_the_social_lives_of_networked_teens_does_not_shy_away_from 

How often have we heard or uttered the refrain that the newer generations—“Millennials” or “Generation Zs”—have no concept of privacy, that they live a life online devoid of personal restraint? I confess I have had that thought myself. So when asked to review danah boyd’s new book It’s Complicated: The Social Lives of Networked Teens, available through Yale University Press, I was delighted to do so.

This book was 10 years in the making and is dedicated to boyd’s friend, mentor and former professor, Peter Lyman. It is obvious throughout the book that boyd discusses some technological aspects that society may consider outdated, such as the social network MySpace, but boyd addresses this upfront. She disclaims early on, “The technical shifts that have taken place since I began this project—and in the time between me writing this book and you reading it—are important, but many of the arguments made in the following pages transcend particular technical moments, even if the specific examples used to illustrate those issues are locked in time.”

Boyd does not shy away from the tough subjects. It is apparent that she observed teenagers in their natural setting over a period of time. She also observed those people around teenagers and drew observations not only on the behavior or expectations of the youths but also the behavior and expectations of other youths and adults who interact with teenagers. In this book, boyd combines her personal observations with her research into technology, the Internet and social media to present a broad and insightful view of teenagers that might clash with the generally held belief about youth.

This book contains eight chapters, along with a hearty introduction. The chapters are presented topically and boyd skillfully weaves certain characters throughout the book, which provides a stabilizing effect. The chapters, which are bold incursions into topics many shy away from truly contemplating or speak about without true knowledge, are presented in a logical order.

Boyd first discusses teens’ search for identity online, which does not differ from their need to find their identity—only nowadays, a teen’s world is technology. She draws us into a world where teens’ identities are taken out of context because they do not necessarily create identities to satisfy all possible audiences. boyd writes, “Unlike face-to-face settings in which people took their bodies for granted, people who went online had to consciously create their digital presence.” She skillfully introduces us to the world of creating identities and managing impressions.

Next, boyd tackles the topic of privacy. Adults seem dismissive of teens’ awareness of the need for privacy, and, boyd writes, teens “have little patience for adults’ simplistic views about teen privacy.” She instructs us that teens achieve privacy by controlling their social situations and describes how they have learned to live with surveillance. boyd explains the concept of “social steganography,” in which teens conduct conversations and send messages in plain sight encoded to hide from adults or other teens. This segues nicely into the next chapter on social media, which boyd titles “addiction,” yet explains it is more of a necessary outlet that adults view as an unhealthy addiction due to its time demands.

Moving beyond the first three chapters, which provide a foundation upon which to explain and explore teens and social media, boyd examines the more controversial topics of teens online: dangers of being online, bullying and social inequality. She discusses these dangers frankly, without shying from the realities. She recommends that to keep our youth safe online, society needs to patrol digital streets with the same determination that is used to patrol real streets.

The last two chapters of the book are dedicated to understanding the world that teens now live in. She starts with examining the concept of “digital natives.” Boyd exhorts us all to be media-savvy, writing, “Learning is a lifelong process.” She concludes the book with a caution that media is not bad, it is a technology. It merely “mirrors and magnifies” the world we live in; it does not create it.

It’s Complicated: The Social Lives of Networked Teens was easy to read, applicable to the privacy field and full of interesting, well-considered research. The material was presented well and would appeal not only to those of us in the privacy profession but to some of the general public. I do not feel that it would appeal to all of the public, but what book does? My perspective stems from the depth of the material into which a reader sinks until some readers may be over their heads. But the material is so smooth that some readers might not realize they are over their heads until they turn a few pages and realize how deep they have gotten. However, as a past youth counselor, mother of teens and current privacy professional, I found the book riveting. And even I had to read it twice because the material is so rich. I did find the conclusion to be a little too cavalier given the seriousness that came before it. Agreed, our world is a technological one and we should approach its dangers and its benefits with our eyes wide open, but online there are challenges that require different approaches to those dangers and benefits. Yet, it is a remarkable feat boyd accomplished to link tangible experiences to digital ones and to enable us to relate teens’ current experiences with those of our youth. This takes the book to a new level of triumph.

I can do nothing less than highly recommend this book for those who have an interest in such fields—whether teens’ issues or privacy.

K Royal, CIPP/US, CIPP/E, is privacy counsel at Align Technology and has over 20 years of professional experience in the legal and health-related fields.


Thursday, February 20, 2014

How to Brew the Perfect Privacy Officer

Cross-posted to IAPP
https://www.privacyassociation.org/privacy_perspectives/post/what_makes_a_good_privacy_officer  

Recently, as I was speaking to a talented group of law students, I was asked the above question. This has also been a related theme underlying some of the recent posts on the IAPP Privacy List. I’m not sure if this list is what those who want to enter the privacy field should cultivate in themselves, what current privacy officers are like or what we should be aiming for as a profession.

To build this list, I searched online for the top 10 traits or characteristics of compliance officers, salespeople, CEOs and managers. In essence, I could stop this blog entry now—that is what we are and should be: compliance officers, salespeople, CEOs, managers and let’s include janitors as well. In fact, let’s look at it that way: What job skills does one need to be an effective privacy officer? If we were to brew the perfect privacy officer, what career fields would we throw into the kettle?

Compliance Officers: In effect, this is what we are. We have a law, rule or regulation that we need to follow. We make sure the company follows this certain law, rule or regulation. We are a cost center. We do not make a profit for the company. We do, however, save the company lots of money. Please do funnel those horrible headlines past your executive committee to show them what you are worth.

Sales: We sell. We sell compliance. We sell the need to do the right thing, even if there is no law, rule or regulation stating what we should do. We sell Privacy by Design. We sell having us in the opening bid of a project. We sell our benefit to the company. We identify the needs, the underlying support, the future benefit and our allies as well as our antagonists. We bring our persuasive skills to the table and close the deal.

CEOs: I borrowed material for this one from Stephen D. Simpson’s “Top Qualities of an Effective CEO.” A good privacy officer runs the department like a successful CEO. S/he needs vision, execution, organization, candor with compassion and pragmatism. S/he needs to be in the right markets at the right time, to drive hard bargains—but not too hard—and to manage for the future, not the mirror. If we as privacy officers are not in the right market at the right time, we miss the privacy boat. We get stranded on the privacy island or get voted off it.

Managers: I borrowed this one from Jacob Morgan’s “5 Must-Have Qualities of the Modern Manager.” As privacy officers, we must be good managers. We need to follow from the front and make sure our employees succeed—when we yell jump, jump with them. We must understand technology—especially in our digital world. We must lead by example, embrace vulnerability and believe in the collective intelligence. Rarely do people comply with a mandate because it is a mandate. Foster understanding in order to foster compliance.

Social Workers: Social workers serve an incredibly valuable role in our society—often dealing with vulnerable populations. To be an effective social worker, one needs empathy, dependability, patience and a slew of efficient, effective and inexpensive resources. S/he must be creative and open-minded yet willing to take on the challenges, including the drudgery of paperwork. Know when to walk quietly, carry a big stick and know when to run in the other direction—calmly and with authority.

Investigators: Investigating is a natural fit for our job as we frequently are investigating complaints and breaches. But what traits do we need as investigators? We need to be perceptive, stubborn, questioning and detail-oriented. We need to keep good notes and be able to connect seemingly unconnected events and facts. We need to be inquisitive and not hesitate to ask the hard questions—out loud—sometimes just to hear how ridiculous they are.

Inventors: “Necessity is the mother of invention.” But it takes someone who is willing to think beyond preset boundaries and create something new. Perhaps it’s an easier way of doing something, or it involves making a program more streamlined and efficient—a little tweak that makes something much easier than it once was. Some privacy officers create a program from nothing, and others have nothing with which to run the program. Regardless, we all hope to see a return on investment.

Mechanics: Mechanics run the gamut of the shade-tree mechanic to the luxury jet mechanic, and so do privacy officers. Some have elite background and training, while others learned the trade organically and grew up with it. Neither one is better than the other. They’re just varied in credentials and background. But like me taking my car into the shop and duplicating the dinging it does when I take a left turn, colleagues don’t always know something is wrong with their data practices. It just sounds wrong. Privacy officers are left to identify what is broken, trusted to fix it and expected to keep the cost down—oh, and have it ready for pickup this afternoon with a full body detail and the tires done.

Airline attendants: Let’s be friendly, attractive and provide excellent service while keeping everyone safe. Smiling, yet firm. And yes, you have heard this a hundred times before: The plane may be different; the law is not. Just do what you need to do, correctly, when required, and we will make sure you get where you need to be. Oh, and don’t sit in the exit row unless you are willing to help everyone else. Coffee, anyone?

Janitors: Same garbage, different day. But if we weren’t here to clean it up, the world would be in a rough place.

This list is limited to 10 because 10 seems to be the magical number for such considerations, but I bet there are lots of others. What career field would you choose to compare to being a privacy officer? Picture yourself explaining your job to a bunch of six-year-olds … What do you say?

Saturday, February 15, 2014

HIPAA encounters of the Personal Kind

I wish today's post to be light-hearted, but realize in the end, there may be some lessons learned....be careful. You, too, may become conscious of your own privacy.

My cell phone rang the other day and I answered it "hello."  What follows is the gist of the conversation. I could be partially wrong in the exact wording, but the meaning remains the same. I have changed Paul's name to protect the unknowing.

K: Hello
Bob: Hi. I'm calling to speak with K Royal about an emergency room visit to blah blah hospital on this past Saturday on February 8.
(please note - at this point, he has disclosed my protected health information if someone other than me had answered the phone).
K: This is K.
B: Hi, this is Bob, an RN at blah blah hospital. Before I go any further, I need to confirm your identity to maintain confidentiality. What is your date of birth?
K: (really?! you've already blown it, mister) Hi Bob, can you confirm your identity to me before I provide you with my date of birth?
B: Uh, no. 
K: So there is nothing you can do, at all, to prove you are calling from the hospital? (I was expecting him to say - sure, call the hospital and ask for me or my extension)
B: No. Can't think of anything. I just want your date of birth.
K: Okay, let's try this - tell me if you are calling to survey me on how well your service was or if you want to discuss something of a medical nature.
B: Ma'am, I can't tell you that. It violates HIPAA.
K: Actually, it does not. I am not asking you to give me any personal or protected information. I am just asking for the general nature of your call.
B: Ma'am that does violate HIPAA. HIPAA won't let me tell you the purpose of my call. 
K: Bob, I am a privacy attorney and very familiar with HIPAA, I can assure you that it does not. How about this...are you calling to survey me about your service? cause if you are, it was fabulous and I felt everything went smoothly. 
B: Ma'am, I cannot answer that question because it would violate HIPAA. And if you won't give me your date of birth, we seem to have a problem. I know HIPAA very well - and it won't let me continue without it.
K: Bob, I actually seem to know HIPAA better than you do ... at least in this instance ... because HIPAA would not stop you from answering that question. 
B: So what do you want to do?
K: I guess we're at an impasse, Bob. You cannot verify who you are or where you are calling from, you want me to provide you with even further personal information, and you won't tell me the purpose of your call. Sooooo, I think we're done here - and I truly hope you were not calling to tell me something popped up on the tests and I am dying. Feel free to call me back when you either learn more about what you can say under HIPAA or can provide verification of who you are. Have a good afternoon. Bye bye.

I called the privacy officer and left a message to call me. Nothing.

So what did we learn here (other than stupid stuff like this brings out my snarky side)?
1) It is a HIPAA violation for a covered entity to give out information before verifying the patient's identity - as in his opening statement.
2) When people ask for personal information, verify who they are.
3) Not all health care personnel in the US really know and understand HIPAA rules.
4) Patients need to be vigilant about their health care AND their personal information.

Monday, February 10, 2014

Why are the people in the U.S. so blasé about Privacy?

So this was the question I received today about privacy: "Why are people in the U.S. so blasé about privacy?"

Frankly, my dear, I don't know.

I do have some theories that my mind is sorting through as I write - and if you have some thoughts (yes, you, the one person who is reading this), please do write me and let me know your opinion.

First, I do not think it is related to the fact that we do not have an explicit right to privacy guaranteed to us in the U.S. Constitution. However, I do think it is related to what rights we are guaranteed and how those rights have been enforced over the years. Most importantly, I think the freedom of speech as personified through the freedom of the press has been a huge factor in how blasé we are about privacy. As citizens, we are allowed to say what we want to say (in general), do what we want to do (shy of breaking laws), move where we want to move, live how we want to live, love as we desire - and act on that love. Freedom of speech includes our actions, our apparel, and our writings. And this freedom comes with a price - that we are ever so willing to pay - the lack of privacy.

Next, the American dream reinforces the lack of privacy. To achieve our dreams - or at least for those ridiculously mega-rich people to achieve their dreams, they take chances and go where no one has gone before, with information, brazenness, and wild willingness to use any tools at their disposal. Information is mostly free and can be used in ways that the average person would find mind-boggling.

Additionally, most Americans have not suffered atrocious crimes and deeply personal invasions the way people in countries with currently strong privacy laws have in the past - where thousands of people were tortured and killed based on information, like their race, religion, or even just their name.

Thus on one hand, we see benefits in the freedom of information and on the other hand, we see no penalties in the misuse of information. I have often been told that if a company treats personal information with the respect other nations require, the company would lose its competitive edge. So what would motivate us to care? When I posted previously questioning why we are not outraged at the NSA, one of the responses I got was that once the PATRIOT ACT was enacted, any person who read it or watched the news knew that we now had no right to privacy. In a way, I agree. Not enough people were outraged then - and you cannot let the exploding holes in the dam go unnoticed and then complain about a flooded home.

We need a fundamental shift in our thinking. Information is a power tool. And it can be dangerous in the wrong hands. It can be dangerous in the right hands - if those are not your hands holding your own information. We need to be stingy. For example, unless you are on a government health insurance program or workers' comp, your doctor does not need your social security number. Such a simple thing. But try telling your doctor he/she does not need it and they freak out - they are so used to getting it, they just want to fill the blank. So I just pretend not to know it. "Ooops sorry. Don't carry the card either, but I'll really try to remember to bring it the next time." Not.


My review of the book: The Future of Privacy posted on IAPP

https://www.privacyassociation.org/publications/book_review_the_future_of_privacy  

January 28, 2014
By K Royal, CIPP/US, CIPP/E

Being a strong believer in taking a pragmatic approach to compliance, I was incredibly pleased to read The Future of Privacy by Eduardo Ustaran, CIPP/E, published by DataGuidance. In general, I find the books available through the IAPP to be thorough, on point and useful to privacy professionals. This book went the further step and was actually fun to read and useful to those of the general public who have an interest in privacy.

Ustaran writes in a manner that is easy to comprehend and practical, yet steeped in substantive law. It’s like sitting comfortably with an expert who shares his insight and expertise as a conversation—at times relaxed and sometimes highly animated. And the timing for this book is perfect. At no other time in recent history have privacy and its challenges been at the forefront of global news.

The Future of Privacy is divided into three parts: “Catalysts,” “Policy Making” and “Compliance.” “Catalysts” provides a simplistic yet robust summary in three chapters covering the evolution of technology, the value of data and data globalization. We start with the terminology: Information Superhighway, the Internet of Things, the cloud, cookies, social networking and the mobile ecosystem. This foundational coverage continues with analytics, Big Data and behavioral targeting.

Part I segues into Part II, “Policy Making” with frank coverage of the globalization of data. Ustaran clearly believes that the prohibition on data exportation prevalent in many nations’ laws is exasperating. It is also naïve in the technological age in which we live and function. Part II discusses regulating technology, policy-making, interoperability and incentivizing compliance. Ustaran recommends “just in time” regulation that is lean and consistent. Within these three chapters come the concepts of Privacy by Design, a global privacy blueprint and mutual recognition.

The book concludes with Part III on “Compliance,” perhaps the most critical section for privacy professionals. In Chapter 7, we start to see more of Ustaran’s European roots. He discusses the evolution of transparency in the use of an individual’s data, recognizing the debate about whether individuals have true control over the use of said data, anonymization, privacy and security by default rather than design and finally, the role of safe processors. He continues this discussion in the next chapter from the perspective of data as an asset—which may be controversial to some privacy professionals. He is clear that irrespective of a privacy professional’s belief in the idea of data as an asset, our roles depend on managing this idea and being committed to finding the right approach. The concluding chapter of the book addresses accountability in an era of competing regimes, uncertainty of law and the cost of consistency. He supports privacy within an organization as a team effort and advocates for the use of privacy impact assessments. He tackles the topic of global privacy compliance and advocates for the EU’s Binding Corporate Rules as a corporate framework. Ustaran concludes with two sentences: “We just need to get cracking because the future is here. Now.”

Generally, I read privacy and/or compliance books because I must in order to do my job. It’s rarely amusing or captivating, even when the book is well-written by a noted expert in the subject matter. Yet, this book is different. And the difference is in the presentation and writing style. The law is provided through thoughtful analysis wrapped in delightful examples and honest opinions. Whether you are new to privacy law or already immersed in its depths, this book is one that you should have—and not just on the bookshelf. Take notes in the margins, because you are just as likely to find yourself disagreeing with various points, questioning their validity or simply taking a deeper look into certain elements. This is the challenge of such a book; rather than merely absorbing the law dryly and reciting it back iteratively, it initiates thinking processes. It dares you to skim across and engages you in thought-provoking analysis.

Ustaran presents his beliefs without hesitation, but in his forthrightness, the reader responds with the same honesty—whether in agreement or not. This is the power of such a book, defining one’s own professional and personal belief system about privacy and forming a foundational understanding of technology and policy-making. I do not know if a global compliance program is truly achievable, but like many other privacy professionals, I have to attempt it. I agree with Ustaran in that the future is here and we need to stop playing catch-up and develop a workable regulatory framework where there is a basic understanding of the role data plays and how to be transparent in that use. I highly recommend this book for privacy professionals and anyone else with an interest in data handling.