Invitation to Complimentary Webinar on SEC Cybersecurity Disclosure Guidance

On October 13th, the SEC's Division of Corporation Finance issued a Disclosure Guidance that urges public companies to evaluate their cybersecurity risks and, if material, to disclose those risks to investors.

On October 31st, Hogan Lovells will present a complimentary webinar exploring the impact of the Disclosure Guidance featuring senior lawyers in the Hogan Lovells Capital Markets and Privacy and Information Management practices, as well as a managing director of Stroz Friedberg LLC, a technology firm assisting clients with digital risks.

For more information, and to register, click here.

Since all businesses using the Internet are, to some degree, vulnerable to intrusions, what does the new guidance actually mean for public companies? That question, and the following ones, will be addressed in the webinar:

  • When does the risk of intrusion become material?
  • What are the triggers for reporting?
  • What assessments are required?
  • Does every company suffering a data security breach have to report it to the SEC?
  • What has to be reported?
  • How can the reporting company make public disclosure of cybersecurity risks in a way that will not make the company a target for attacks?
  • What is the best way for a company to wrap its arms around a cyberattack so it can make the appropriate disclosure?
  • What steps should a company take to ensure its disclosure is a fair, accurate, and timely description of the attack?

Readers of the Hogan Lovells Chronicle of Data Protection are invited to attend.

New Guidelines Released for Mobile App Privacy Policies

On October 17, the Mobile Marketing Association (“MMA”) released a set of draft privacy policy guidelines for mobile applications (“apps”) designed to address key data and privacy security issues. Entitled “Mobile Application Privacy Policy Framework,” the draft guidelines provide a “starting point” privacy policy template written in consumer-friendly language with instructions for adapting the template to specific apps.

The guidelines provide a helpful tool for informing app users of the type of information that the app obtains and how that information is used, with sections devoted to both user-provided data and automatically collected information. The guidelines also address the collection and use of “precise” real-time location information, an issue that has garnered much media attention (and increasing regulatory scrutiny) due to the popularity of new location-based services. Finally, the guidelines also address other critical app areas, including:

  • Third-party access and use of consumer data;
  • Advertising (including the use of mobile advertising networks);
  • Consumer consent and opt-out rights;
  • Data retention;
  • Children’s Online Privacy Protection Act (“COPPA”) compliance;
  • Security and confidentiality safeguards; and
  • Future changes to the policy.

The guidelines are a response to data privacy and security concerns brought about by the skyrocketing consumer demand for and usage of apps, which have exploded in the last few years. For example, although the iTunes Store and Android Market only opened in 2008, today more than 1.2 million apps are currently available from multiple app stores on various operating systems. And consumers have downloaded more than 10 billion mobile apps to date.

Hogan Lovells represented the Future of Privacy Forum, a member organization of the MMA Privacy & Advisory Committee, which developed the guidelines. According to MMA, the draft guidelines are the first in a series of privacy policy materials that the organization is planning to develop.

Comments on the draft guidelines are due November 18, 2011. After that date, the guidelines will be finalized and released publicly.

Financial Services Industry Group Issues Social Media Guidance

A financial services industry group released guidance this week on managing the risks associated with using social media, including data protection concerns. The guidance, titled "Social Media Risks and Mitigation," was released by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies. The 71-page report details numerous risks that banks and other financial companies may face when using social media, including compliance, legal, operational and reputational risks. These risks are discussed in the context of three types of social media use:

  • By a financial institution to communicate with or service the financial institution's customers
  • By the financial institution's employees in their personal or professional capacities
  • By the financial institution's employees or contractors outside the office

The guidance thus addresses sector-specific regulatory requirements, such as Gramm-Leach-Bliley Act compliance and FINRA rules applicable to securities firms.  It also addresses concerns that are relevant to financial institutions as employers, such as bank employees' personal use of social media.

The BITS report is particularly significant because it responds to a need for guidance in an industry that is increasingly using social media, but still lacks clear rules from regulators regarding such activities. While FINRA has issued guidance on use of social media by firms subject to FINRA's oversight, the federal banking agencies have not, to date, issued detailed guidance to the banking industry on banking compliance issues raised by use of social media.

While targeted at the financial services sector, the report also has relevance to many other types of social media users. It gives guidance, for instance, on coordinating a company's social media policies with its other policies, and on performing a risk assessment to determine the risks a company's social media activities could pose.

UK's ICO Issues Code of Practice on Online Privacy

This month saw the launch of the ICO's first code of practice on online privacy, following extensive consultation earlier in the year. The code provides good practice advice for organisations providing goods and services using the web and explains how the Data Protection Act applies to the collection and use of personal data online.

The code is divided into the following 7 chapters, and also includes a helpful annex and glossary of terms, for those less familiar with online jargon. You can read on to see our summarised highlights of the code, but we also recommend reading the full guidance document on the ICO website, through the link provided above. It should be of particular interest to businesses engaged in behavioural advertising, online sales and cloud computing.

1. About this code

There is no legal requirement to adhere to the code, so organisations cannot be penalised for failing to follow the guidance it contains; only breaches of the DPA are actionable by the ICO. However, the ICO encourages all organisations, from electronic service providers to small online businesses, to use the guidance and to give individuals easier ways to manage their online choices and protect their privacy. Anticipated benefits of using the code include:

• Improved levels of trust and relationships with customers;
• Increased public confidence in the way their information is handled and retained;
• Minimised risk of data breaches and enforcement action by the ICO; and
• Reduced risk of customer questions, complaints and disputes over data use.

2. How does the DPA apply to information processed online?

The ICO understands that personal data will be processed online, as information is collected and analysed to distinguish one individual from another, to sell them a product, or perhaps to direct them to other websites or advertisements. Data processing, as defined by the DPA, can take place even if there are no obvious identifiers, such as names or addresses. In the context of online processing, non-obvious identifiers such as cookies or IP addresses are linked to devices (such as home PCs) used by multiple users. In such cases, the ICO advises that even if it is not possible to identify the actual user of the device, the data should still be treated as personal data. Accordingly, the DPA principles of keeping that data secure, protecting it from inappropriate disclosure and being open about its collection and use will apply.

Data should only be processed if it is necessary and can be justified. The ICO suggests that individuals should not be asked to give their personal data too early, as this may be off-putting and intrusive. Instead, organisations should wait for individuals to interact with them, by requesting details of their services, or loyalty schemes, for example. This will make it easier for organisations to seek consent and to legitimise their data processing.

The code also gives updated guidance on the retention and disposal of personal data, with this link to the National Archives guidance on retention schedules.

3. Marketing your goods and services online

Online advertising is often the subject of bad publicity, but the ICO adopts a sensible approach in the code. This chapter begins with the introduction "Organisations have always used information about their customers to market goods and services to them. This is an established practice that customers have come to expect and are generally happy with."

It is noted that relatively few complaints are made about online behavioural advertising, but individuals often misunderstand the use of technology. As a result, the ICO advises organisations to:

• be open about the marketing techniques they use;
• make individuals aware of the options they have to opt out of marketing, including the use of web browser settings; and
• give clear and simple explanations.

Organisations are also reminded of the need to observe other laws (such as the Privacy and Electronic Communications Regulations), industry rules and other codes of practice on marketing, for example those issued by the Direct Marketing Association and the Advertising Standards Authority.

4. Privacy choices

Individuals may also be unfamiliar with the privacy settings available to them online. The code states that people often simply do not understand privacy settings and may not know how or where to find them. Although the code aims to improve individuals' control over their online personal data, if they do not adopt appropriate privacy settings themselves, it can be hard for organisations to do it for them. However, the ICO's view is that it is good practice for providers to set privacy defaults in a way that balances privacy protection and functionality. Individuals should be given choices over access to their information at the time data are collected. Even if they ignore the options, organisations are expected to set privacy defaults to reflect their likely wishes and expectations.

5. Operating internationally

As the DPA prohibits the transfer of personal data outside the EEA (unless an exemption applies), the code includes a chapter on the difficulties of complying with this principle online and offers advice on the use of encryption and contracts between data controllers and processors. This chapter also contains helpful guidance on cloud computing, where services, such as data storage, are provided over the internet.

6. Individuals' rights online

The DPA gives individuals rights to access their data. The ICO interprets this in the code to mean that individuals should be able to gain access to their personal data as easily as possible. Although data controllers can charge individuals a fee of £10, organisations are advised to waive or reduce this fee, as limited administration costs are expected online. Furthermore, the 40-day time limit for providing the requested information should be shortened.

7. Things to avoid

The final chapter of the code contains a neat summary on what not to do. Organisations doing business online should avoid:

• being secretive
• not being clear with customers
• collecting information too early, or when it is not needed
• keeping inaccurate or out of date records
• keeping data for longer than necessary
• not respecting individuals' rights
• providing inadequate security
• failing to ensure that data are transferred safely