Jun 29 2016

NEW! Summer/Fall Privacy Insight Webinar Series

As the privacy landscape gets increasingly complicated, you need constant access to key insights to stay on top.

The Summer / Fall schedule for the Privacy Insight Series is a set of six live webinars featuring renowned speakers, and cutting edge research, tips, and tools. This program will continue to provide the perfect opportunity to gain insights from leading privacy practitioners on the key trends impacting data privacy management in 2016 and beyond.

Each event is free to attend and will feature informative discussions, case studies and practical solutions to today’s tough privacy challenges.

Check out the Summer / Fall schedule below:

July 21                                                         

Validating Vendor Assessments: Preparing for Privacy Shield

With many global companies working with thousands of vendors to process HR and customer data, this webinar will tackle important questions such as:

  • How can they take a prioritized approach to risk management?
  • What are current best practices?
  • How can they ensure compliance with Privacy Shield within the projected timelines?


August 18

Brazil & Beyond: Privacy Trends in Latin America

Latin America is comprised of a multiplicity of languages, cultures and privacy laws. Given the absence of any omnibus regional law or EU-like set of directives, companies must assess their business models and data monetization strategies in the context of each country’s framework. Join this webinar to get:

  • A comprehensive overview of the evolution and general principles of the different LATAM privacy regulations for both customer and employee data
  • A focus on consent, duty of information, habeas data and the right to be forgotten as applied in the region


September 22

Changing Role of the CPO in Today’s Privacy Ecosystem

The Chief Privacy Officer is now center stage with responsibility for driving an important strategic agenda within the enterprise. Recent IAPP research claimed there would need to be 28,000 more Data Protection Officers in Europe to meet the new GDPR requirements. Join this webinar to get insight into the changing role of the CPO by examining questions such as:

  • What will this new role look like?
  • How will these new requirements impact the qualities, experience and responsibilities of the CPO within the enterprise?
  • What do you need to do to make sure you’re ready to be a CPO in the new privacy landscape?

 

October 20

Building a Privacy Governance Program

The proliferation of networked devices is bringing tremendous opportunity to business and consumers alike. Many organizations are struggling with where to start with securing their enterprise — so some don’t, or worse yet, take expensive action that has little impact. Join this webinar to learn how to:

  • Put security and privacy into the context of your operations – despite their natural tensions
  • Integrate them into an effective data protection program focused on trust, transparency and accountability
  • Examine case studies from two companies from very diverse sectors

 

November 17

DPIAs, PIAs, Understanding new EU Guidance on ‘Risky Processing’

Whether you call them Data Protection Impact Assessments or just PIAs, they are an indispensable way to gauge the potential impact of projects, systems, programs, products or services on the data an organization holds. Having a good understanding of what DPIA/PIAs are, how to implement them and who needs to be involved can be the key to embedding privacy in the heart of your organization. And of course they are now a requirement for certain types of processing under the GDPR. Join this webinar to:

  • Review PIA best practices
  • Review latest compliance guidance from the EU regulators
  • Provide a range of tips and tools to help streamline and embed the process in your organization

 

December 8

Metrics for Success: Quantifying the Value of the Privacy Function

As we look towards 2017 and the future of the privacy profession, being able to better quantify risk, level of effort, and value to the organization will be essential to privacy’s ongoing upward trajectory. Join this webinar to:

  • Review current best practices
  • Provide takeaways and New Year’s resolutions for when you’re back at your desk

 

Jun 28 2016

Going for Olympic Gold Data Practices in Latin America

Latin America is in the summer spotlight with the hosting of the International Olympic Games in Brazil and the 100th anniversary of the Copa América futbol tournament, making this a timely moment to take stock of where data privacy regimes stand in Latin America.

Powered by new education initiatives and increased investment in telecom network infrastructure, Internet usage in Latin America is burgeoning. Public-private partnerships, evolving finance laws, and an explosion in mobile broadband adoption have led to an environment in which, since 2008, Internet usage has more than doubled. Observers estimate that sixty percent of Latin Americans will have Internet access in 2016.

However, before an organization seeks to establish its presence in Latin America, it would do well to recognize that the vast region is not a monolith. On the contrary, the region is comprised of a multiplicity of languages, cultures and privacy laws. Given the absence of any omnibus regional law or EU-like set of directives, companies must assess their business models and data monetization strategies in the context of each country’s framework.

The July TRUSTe Client Advisory Note was prepared by Darren Abernethy J.D., CIPP/US, CIPM, Privacy Solutions Manager at TRUSTe, and provides an overview of some of the key privacy themes and differences across the region for enterprises considering their involvement in these developing markets.

Key themes and requirements covered in the Advisory include:

  • Data Protection Authority (DPA) registration requirements
  • Adequacy and cross-border data transfers
  • Recent DPA enforcement actions
  • Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules
  • Data security & data breach notification requirements
  • Appointment of a Data Protection Officer (DPO)
  • The “Right To Be Forgotten” (RTBF)

The Advisory also includes a list of key takeaways for companies seeking to comply with Latin American privacy requirements.

If you would like a copy of this latest Client Advisory Note then look out for your copy via e-mail today or contact TRUSTe at 1-888-878-7830.

 

Jun 28 2016

What the UK Brexit Vote Could Mean for Privacy

It is early days since the UK voted to leave the EU and there is still plenty of uncertainty along the road ahead. However, when it comes to privacy law, there are some certainties. Ralph O’Brien, Principal Consultant EU at TRUSTe, reviews the options.

In the short term the UK Data Protection Act 1998 is still the law of the land, a law that implements the older EU privacy directive EC/46/95 into UK national law. The UK ICO will continue to advise and enforce privacy upon global organisations, and individuals still have the privacy rights afforded by the 1998 Act. Whilst the UK Data Protection Act 1998 and Directive EC/46/95 contain themes and principles that are common to the new privacy paradigm of the General Data Protection Regulation, the GDPR introduces new rights and obligations that are not reflected in current UK law.

In the medium term, the GDPR has been approved by Europe and will be enforceable by May 2018. Even if the UK invokes Article 50 and starts the two-year leave countdown today, that date will take the UK past that deadline and the GDPR becomes directly enforceable into national law.

In the longer term the UK will need to work out an exit strategy of some kind, including what parts of the EU legacy will continue to apply post leaving the EU, and on what terms it will continue to trade with Europe.

Option 1 – European Free Trade Association Membership and bilateral agreements

The UK could retain membership of the European Free Trade Association (EFTA), but drop its membership of the European Economic Area and EU member state status. The UK would then negotiate a set of agreements bilaterally for specific market segments with the EU to retain access to the EU Single Market (such as Switzerland today). The UK would not be bound by EU legislation as a result, but may be obliged to have certain laws by these agreements. The UK pays no EU fees, but pays fees to the EFTA. In terms of privacy law the UK would continue to be bound by the Data Protection Act 1998, but may be required by the bilateral agreements to pass a revised Data Protection law to bring it into line with EU law (such as the GDPR requirements), or indeed agree to be directly bound by the GDPR itself in order to allow data transfers between the EU and the UK.

Option 2 – European Economic Area Membership (including EFTA)

The UK could leave the EU, but retain memberships of the EFTA and European Economic Area (EEA). This is how Norway, Iceland and Liechtenstein currently deal with the EU. As a member of the EEA, the UK would have to pay membership fees, and be compliant with EU laws, but have no voting rights within the EU. In terms of Privacy law, the GDPR would continue to have direct effect and applicability as if it were an EU member state, however the UK would have no voting rights on future amendments.

Option 3 – Entering into a Customs Union

The UK could follow the Turkish model and form a customs union which allows it to co-operate with the EU in certain trade categories. It would not be required to follow EU trade policy. It would not pay membership fees, or have any right to help shape EU laws. This would be a single agreement, but for privacy law it means the same as the bilateral agreements above.

Option 4 – Free Trade agreement

By taking this option, the UK drops out of the EU single market. It would not pay any membership fees, or have any right to help shape EU laws. It instead negotiates a single free trade agreement with the EU. This is a single agreement, but for privacy law it means the same as the bilateral agreements above.

Option 5 – World Trade Agreement

The UK is already part of the World Trade Agreement, and could rely on this as a basis of trade, with no further ties to the EU. That means it would not be required to adopt EU laws, would not contribute to the EU budget, and would not have any voting rights.

In terms of privacy law, the GDPR would have no effect, and the UK would continue with its own legislation such as the Data Protection Act 1998. As the Act would be “inadequate” against the GDPR, the UK would have to seek additional assurances should it continue to process data on EU citizens (or market services to them); as such, it would have to adopt an agreement similar to the EU-U.S. Privacy Shield or have its laws amended to be regarded as “essentially equivalent” to the GDPR.

Conclusion

In options 1 to 5 above, the UK remains bound by the GDPR or has to pass laws or agreements that ensure similar levels of protection to it. If the UK itself does not have laws or arrangements that ensure its “adequacy” to EU privacy law, then in order to continue to trade they would still need to prove adequacy on a business by business basis. Businesses would then have to individually adopt an international transfer mechanism once the UK pulls away from the EU that ensures adequacy with EU laws, such as Model Contract Clauses, Binding Corporate Rules, Explicit Consent or enact a type of international certification standard such as the EU-U.S. Privacy Shield.

Whichever way the UK turns now, and whatever the future holds for the country, it will continue to trade in a global economy which will have to include processing data and marketing services to EU countries and citizens. Whichever option the UK chooses from this point on, it remains clear that global businesses will have to either comply with, or prove themselves adequate or equivalent to, the new requirements of the GDPR. If the UK chooses not to do this, the barrier to trade will be untenable to global business and further investment in the country.

The advice to businesses is to proceed on that basis, and continue their GDPR preparedness, as part of their global privacy framework.

Jun 22 2016

Your Path to GDPR Compliance | Step 3

TRUSTe has developed an education series designed to provide you with a path to achieving GDPR compliance.  This multi-part program provides both guidance on what to do, along with options for helping you get it done.

Step 3: Develop Plan

In Step 3 of Your Path to GDPR Compliance, we leverage the progress and results from Step 1: Assess Readiness and Step 2: Build Consensus to answer the question, “How do I build a plan that’s prioritized based on risks and accounts for level of effort?”

Several things must happen at this stage to develop an effective plan including:

  • Conducting a risk analysis
  • Conducting a level of effort (LOE) analysis
  • Creating a project plan

By investing the time up front to perform the proper analysis and planning, you can be confident that your GDPR Compliance Program will efficiently and effectively mitigate risk while meeting your company’s business objectives.

 

A. Conduct Risk Analysis

Under Section 3, Article 35 of the GDPR, a Data Protection Impact Assessment (“DPIA”, which is also commonly known as a Privacy Impact Assessment or “PIA”) is required for any processing that may result in “high risk”.  “The supervisory authority shall establish and make public a list of the types of processing operations that require a DPIA.”

While official public lists from the Data Protection Authorities (“DPAs”) are forthcoming, the following are common questions to begin to identify areas of risk, including “high risk”.  These particularly reflect the more stringent GDPR requirements.

  • Security / Data Protection.  Are the necessary data protection controls in place, e.g., encryption, data loss prevention, enhanced access control, anonymization?
  • Sensitive Data, Genetic and Biometric Data.  Are there stronger security protections in place for this data?  Are there business processes around sensitive data that violate the stated use in the privacy policy? Are processes for gaining explicit consent in place (as required under the GDPR)?
  • International Data Transfers.  Are all transfers protected according to the appropriate data transfer mechanism in place (i.e., under Model Contract Clauses, Binding Corporate Rules, EU-US Privacy Shield if ratified, Consent, or other)?
  • New Products / Processes.  Do new plans require a change in the way you collect, transfer, store, process, use, and dispose of personal data?  Are there newer ways of using geo-location or online unique identifiers that trigger a discrepancy with what is stated in the privacy policy?
  • Vendor Management.  How do the vendors in your data flow manage the personal data?  What stated data privacy and security policies and controls are in place?  Can they be verified?
  • Mergers & Acquisitions.  What data privacy and security processes are in place at the merged or acquired company?  Is there discrepancy between the processes at your organization?  
  • Large Scale Processing:  Are there any profiling processes in place?  Is there systematic monitoring of publicly accessible areas or special categories (i.e., genetic, biometric data, criminal records)?
  • Conversions & System Changes.  Have or will there be conversion of records from paper-based to electronic form?  Or conversion of info from anonymous to identifiable form?  Have or will there be system management changes with new uses or applications of technology?
  • Database Changes.  Have or will there be merging, matching, manipulation of multiple databases with personal data (e.g., between subsidiaries or in M&A context)?  Or incorporation into existing databases of personal data obtained from commercial or public sources?

With gaps identified from the initial GDPR Readiness Assessment in Step 1 and from a deeper dive risk analysis as discussed above, you can build a table of gaps organized by risk level – Low, Medium, and High.

Example Table of Gaps with Risk Level

Assessing levels of risk will be highly dependent on the priorities that your organization attributes to certain components.  A strong understanding of the current legal and regulatory environment is also essential to proper risk level determination.  Common risk categories to keep in mind when assigning risk levels are legal, regulatory, political, operational, strategic, market, credit, reputational, event, and country-specific risks.

You can build your own templates for this analysis or leverage those available in data privacy management platforms like the Assessment Manager, with built in workflows to guide you through the process.  

 

B. Conduct Level of Effort (LOE) Analysis

For each gap, you’ll then need to identify specific remediation actions and estimate Levels of Effort (LOEs) – Low, Medium, and High.  By mapping the Risk Levels to the LOEs of each activity, you can start grouping activities in a Risk / LOE matrix to help visualize your plan’s priorities.

Example Risk / Level of Effort Matrix

 

C. Build the Project Plan

Armed with the results of the gap, risk and LOE analysis, you can then build a project plan against a timeline for completion.  The plan should take into account:

  • The privacy team’s stated goals – short, mid, long-term
  • Budget and people resources available
  • Prioritization for work on “high risk” areas
  • Sufficient period for activities with higher LOEs and longer implementation times
  • GDPR developments and likely enforcement milestones
  • Ability to leverage other frameworks such as the EU-US Privacy Shield (once ratified) as a way to meet EU data transfer requirements and cover a large percentage of the GDPR requirements at the same time

A GDPR Project Plan will be highly specific to each organization, but here’s an example of what a prioritized plan may look like as a targeted schedule in Gantt chart format.

Example of a Prioritized GDPR Project Plan

TRUSTe provides informational resources to help you develop your organization’s GDPR plan.  Some organizations may find that they could benefit from an outside consultant, with significant in-house experience building complex privacy programs such as the GDPR, to help with the project planning process outlined above.

TRUSTe’s privacy consultants can work with you to conduct the entire process – including a risk analysis, level of effort analysis, and a prioritized project plan – through the GDPR Strategic Priorities Assessment.  TRUSTe’s privacy consultants leverage the power of the Assessment Manager technology platform to guide the GDPR assessment workflow process and track the company’s progress against GDPR requirements.

Once the prioritized plan is in place, you’ll be in a solid position to start “Step 4: Implement Programs”, to be covered in a subsequent blog post.

Learn More about the TRUSTe Privacy Education Series: Your Path to GDPR Compliance:

Step 1: Assess Readiness Blog >>

Step 2: Build Consensus Blog >>

Step 3: Develop Plan Blog >>

Jun 13 2016

LegalTech West Coast Opens in San Francisco Today

Legaltech is the largest and most important gathering of legal technology professionals anywhere in the world. Attendees include decision-makers from all firm sizes who attend Legaltech to hear directly from the experts and see the latest and most innovative products & services.

TRUSTe Assessment Manager was recently named a 2016 Legaltech Innovation Award Winner for Risk Management. The platform transforms how legal departments assess, analyze, and remediate global data privacy management risks. It was purpose-built for privacy teams and developed with the input of global businesses and legal professionals spanning a range of industries. The first dedicated SaaS privacy assessment solution in the market, Assessment Manager brings the benefits of automation to the privacy industry. Previously, legal teams relied on manual tools such as spreadsheets, email or retrofitted GRC systems to address the unique nuances of privacy risk management.

Stop by booth #406 for a demo of the TRUSTe Assessment Manager platform or join us at our Emerging Technology session, “Counsel’s Toolbox: Innovation in Managing Digital Privacy Risk” on Tuesday the 14th at 1:30pm. We’ll be joined by Privacy Counsel at Autodesk, White & Case, NetSuite, and Symantec.

Jun 10 2016

TRUSTe Privacy Risk Summit 2016 – Highlights

250 privacy professionals converged in San Francisco this week to discuss the challenges they face in managing emerging privacy risks and share strategies for success. They enjoyed a packed day of inspiring keynotes, expert panels and, of course, networking, acquiring new ideas and practical advice to take back to the office.

The TRUSTe Privacy Risk Summit brought together over 50 speakers across 24 sessions and 4 parallel tracks. A highly engaged audience was captivated from the start, from a culinary-inspired keynote by Hilary Wandall at Merck & Co., Inc., “Deconstructing the Privacy Risk Dish”, to a personal and historic perspective on the new EU-U.S. Privacy Shield from Justin Antonipillai, Counselor to the Secretary Penny Pritzker, after two years as the co-lead U.S. negotiator with the European Commission.

The TRUSTe Privacy Risk Summit – Highlights

Chris Babel, CEO TRUSTe kicked off the Summit and explained how this event builds on the success of previous TRUSTe events, the EU Data Protection Conference and the IoT Privacy Summits in 2014 and 2015.

Adam Sedgwick and Sean Brooks from NIST were joined by Dan Caprio and Jonathan Litchman Co-Founders of The Providence Group to discuss the NIST CyberSecurity Framework and its role in managing privacy and data risk.

Lively discussions and networking continued in the halls outside the breakout rooms.

Josh Harris, Director of Policy at TRUSTe and Hilary Wandall AVP & Chief Privacy Officer, Merck & Co., Inc. spoke about an accountability-based approach to global frameworks and local laws.

Attendees heard from Paul Plofchan about how ADT had used privacy technology to streamline their ongoing privacy risk management and provide visibility to senior leadership.

Justin Antonipillai delivered the closing keynote on negotiations with the European Commission on the EU-U.S. Privacy Shield.
Thank you to our speakers, sponsors, partners and our team of volunteers from WISP and the University of California, Hastings College of the Law. This event would not have been possible without your support!

To read about future TRUSTe events, visit our upcoming events page or subscribe to the TRUSTe blog.

 

Jun 09 2016

Your Path to GDPR Compliance | Step 2

TRUSTe has developed an education series designed to provide you with a path to achieving GDPR compliance.  This multi-part program provides both guidance on what to do, along with options for helping you get it done.


Step 2: Build Consensus

In Step 2 of Your Path to GDPR Compliance, we address the most common next question, “what do I need to do to secure stakeholder commitment and resources for execution?”

Building consensus up-front is critical to the success of any privacy program within an organization and is not specific to the GDPR. Fundamental leadership principles and organizational decision-making come into play.

Because the GDPR has such a substantial impact on organizations – with significantly increased obligations, a stepped up regulatory enforcement regime, and potential fines of up to 4% of annual worldwide turnover (or revenue) – a GDPR program merits its own organizational awareness campaign.

In fact, “Awareness” is at the top of the list on the UK ICO’s (“Information Commissioner’s Office”) recently released guidance “Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now.” ICO’s guidance states, “You should make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.”

The guidance goes on to recommend that companies “use the first part of the GDPR’s two-year lead-in period to raise awareness of the changes that are coming”.

To do so, you’ll need to:

  • marshal the evidence to support a compelling business case; and
  • plan and execute your GDPR awareness campaign to secure stakeholder buy-in.

 

 

What Evidence Do I Need to Tell the Story and Support a Compelling Business Case for GDPR Compliance?

As the privacy champion, you will have to tap your inherent mastery of the art of persuasion. This means gathering as much ammunition as you need to generate a sense of urgency and persuade key stakeholders that the GDPR warrants a strong compliance program. Below are several key messages that are critical to tell a compelling story, along with a list of helpful evidence to support each proposition.

 

The GDPR Impacts the Company…Posing Threats and Opportunities

  • An overview of the GDPR and what specific activity makes the company subject to the new regulation
  • Key organizational risks, fines & penalties, regulatory trends and likely enforcement landscape
  • Specific stories of privacy regulation violations and what that meant to the company and to the data subject who experienced the violation
  • Reports illustrating consumer sentiment and impact to business when brand is damaged via privacy violations
  • Benchmark reports and infographics to illustrate the GDPR risk and show that other companies are taking action in response
  • Stories of companies that used their strong privacy posture as competitive advantage

 

The Company Has Compliance Gaps That Require Remediation

  • The results of the initial GDPR Readiness Assessment to provide a Corporate Scorecard of where the company currently stands, with specifically identified gaps and risks
  • Any internal metrics / reports providing privacy breach incidents in the organization, any past regulatory inquiries or enforcement against the organization, history of the organization’s privacy training

 

The GDPR Program Proposed and the Level of Effort Required

  • Overview of the activities typically required to build a GDPR Response Program, including best practices and benchmark information from other companies
  • Summary of what it would take to close the gaps, including a rough time and cost analysis of the level of effort (LOE) to make operational changes, including training, monitoring, measuring, tech / process for privacy impact assessments and product development, contract reviews, privacy policy reviews, etc.
  • Proposed overview of how the GDPR program would operate, a rough timeline, methodology, and success metrics by which to measure progress

 

How Do I Plan and Execute an Effective GDPR Awareness Campaign?

Facilitate an internal kickoff and on-going planning sessions with relevant stakeholders across the organization. This initiative will be easier if you already have a designated privacy task force. If a committee is not already in place, you’ll need to start identifying and reaching out to stakeholders and key influencers. This should include senior leadership and, if possible, the CEO and Board Members. In addition, identify and invite colleagues with influence across functional areas from lines of business, legal, IT, InfoSec, HR, product development, engineering, marketing, and others.

Build and deliver a strong presentation leveraging all of the evidence gathered to tell the story. To be effective, this takes considerable preparation. Rather than go in with a dry recitation of the policy and regulatory requirements, experienced privacy practitioners recommend planning interactive and engaging sessions that may possibly even be considered a fun team-building exercise. Running your presentation by a subset of the group ahead of time to get feedback and tweak accordingly will help get stakeholders on your side before going into the kick-off meeting.

At the outset, it will be important to clearly state the following goals of the kick-off session:

  • Formalize GDPR program team structure / roles / responsibilities
  • Secure commitment that the GDPR program is a prioritized pillar / initiative aligned to the overall organization planning for the next couple years
  • Agree on short, medium and long-term goals of the GDPR program
  • Set measurable objectives with success criteria, key milestones
  • Based on a rough estimate of the level of effort (LOE), secure budget and resources

Schedule on-going planning meetings with a regular cadence to then develop the full plan, implement all required operational changes, and provide a dashboard report on the GDPR program’s progress. These topics will be covered in our next blog post “Step 3: Develop Plan” and remaining steps in the TRUSTe “Your Path to GDPR Compliance” Education Series.

 

TRUSTe provides informational resources such as GDPR research and infographics that can serve as evidentiary assets in support of your efforts to build consensus. Some organizations may find that they could benefit from an outside consultant, with significant in-house experience building privacy programs such as the GDPR, to help successfully prepare for and guide the important kick-off sessions. TRUSTe provides the GDPR Response Workshop, a half- to full-day on-site interactive session led by TRUSTe Privacy Consultants and custom-tailored to your organization.


Jun 07 2016

The Privacy Implications of Home Monitoring – Summit Preview

The rapid rise of the Internet of Things—always-on devices equipped with sensors and transmitting chips that allow for the continual collection and communication of user-generated data—has begun to transform areas as diverse as connected cars, cooking, smart infrastructure, digital healthcare, agriculture and industrial channels. While each of these domains is sensitive, and necessitates the rigorous application of Privacy/Security by Design, few areas are more private than the inner sanctum of one’s home, which is increasingly becoming “connected” in various ways.

TRUSTe’s Privacy Risk Summit (this Wednesday, June 8th in San Francisco) features a session devoted to the privacy implications of home monitoring presented by Jill Bronfman, Director of the Privacy Tech Project and Adjunct Professor, University of California, Hastings College of the Law. In this final preview in our series, Darren Abernethy, Privacy Solutions Manager at TRUSTe, offers a brief introduction to some of the vulnerabilities and opportunities in the “smart home” space.

How We Arrived Here

The exponential proliferation of Internet of Things (IoT)-connected devices can be explained by the timely melding of various drivers and technological capabilities. The prevalence of low-cost sensors, advanced and inexpensive cloud computing platforms, social media, “big data” analytics, and increased spectral efficiency of wireless technologies and networks have all expedited the creation of more interconnected devices. The fact that these devices generate valuable user data that can be anonymized, aggregated and sold to marketers and other businesses in order to provide insights about customers and prospects, has made a consumer’s behavioral data from inside the home that much more treasured.

First, the Worst Case Scenarios

The Potential for Creepiness

In the home setting, people are at their most vulnerable. There may be children around, conversations take place that are not meant for public consumption, and generally one’s guard is relaxed in ways it might not be at work or in public. And so, the “creepiness factor” can be high. Nowhere is this better reflected than in the chilling recent case of a man hacking a couple’s baby monitor to speak to a 3-year-old boy in his bedroom and control the night-vision-enabled video camera inside. Such a violation of privacy and decency highlights the fact that there will always be people who view connected devices as an attack vector ripe for exploitation.

Exploiting Vulnerabilities

And, aside from the unsettling manipulation of baby monitors, outsiders will no doubt look for ways to compromise connected garage doors and locks in order to gain physical entry into a home, or to demand payment of a ransom before allowing the owner re-entry. Moreover, even if a hacker does not wish to personally engage in further crimes first-hand, it is not hard to fathom a black market where IoT-related vulnerabilities for devices and individuals’ homes can be peddled.

Enter Voice and Facial Recognition

Voice, video and biometric capabilities are likewise becoming components of the smart home experience. Google recently announced its plans to enter the voice-controlled virtual assistant market (a la Amazon’s Echo) with Google Home, which “becomes a hub to run a home network of Internet-connected devices that collect millions, if not billions, of pieces of data—frequently.” Google Home enables two-way conversations, can interact with the Nest smart thermostat and will engage with other smart devices that, collectively, contain data indicating when someone is home or away, and information about an individual’s preferences and more.

Next, the Good News: Good Practices Build Customer Trust

Although no device or service can be made 100% safe and impregnable, there are ascertainable steps that any company can take to mitigate the risk of creepiness, third-party exploitation and other smart home cybercrime.

As a threshold matter, companies must continually test and be aware of all of the data that a connected home device collects and transmits. When this data is appropriately categorized (e.g., non-PII vs. PII vs. sensitive PII; actively vs. passively collected; persistent identifiers; transmission medium, etc.), inventoried, and secured (e.g., encrypted and/or de-identified), and it is understood with whom the information is shared (vendors, service processors, partners, etc.) over which networks, then companies are better able to ensure security by building in appropriate controls. Ongoing monitoring throughout the lifecycle of a connected device, as well as accurate disclosures to consumers before and throughout usage of a product, are also requisites of building customer trust.

Open Questions at the Hearth of the Connected Home

This relatively nascent frontier of monitoring in and around the home raises as-yet-unanswered issues for privacy-aware consumers and regulators. These include:

  • What limits, if any, are needed around the granular profiling of individuals from combined IoT-device data collected on a single platform (including, e.g., protected health information or geolocation)?
  • Should a special regulatory status be afforded to data collected in the home?
  • Where do advertisers and marketers fit into the connected home landscape?
  • How can meaningful notice and consent be provided in the IoT home setting?
  • What of unknown or future secondary uses of connected home data?

For insights and analyses of these issues and more, be sure to check out this week’s TRUSTe Privacy Risk Summit, or contact TRUSTe today.
