250 privacy professionals converged in San Francisco this week to discuss the challenges they face in managing emerging privacy risks and share strategies for success. They enjoyed a packed day of inspiring keynotes, expert panels and, of course, networking acquiring new ideas and practical advice to take back to the office.
The TRUSTe Privacy Risk Summit brought together over 50 speakers across 24 sessions and 4 parallel tracks. A highly engaged audience was captivated from the start by a culinary-inspired keynote from Hilary Wandall at Merck & Co., Inc. “Deconstructing the Privacy Risk Dish” to a personal and historic perspective on the new EU-U.S. Privacy Shield from Justin Antonipillai, Counselor to the Secretary Penny Pritzker after two years as the co-lead U.S. negotiator with the European Commission.
The TRUSTe Privacy Risk Summit – Highlights
Chris Babel, CEO TRUSTe kicked off the Summit and explained how this event builds on the success of previous TRUSTe events, the EU Data Protection Conference and the IoT Privacy Summits in 2014 and 2015.
Adam Sedgwick and Sean Brooks from NIST were joined by Dan Caprio and Jonathan Litchman Co-Founders of The Providence Group to discuss the NIST CyberSecurity Framework and its role in managing privacy and data risk.
Lively discussions and networking continued in the halls outside the breakout rooms.
Josh Harris, Director of Policy at TRUSTe and Hilary Wandall AVP & Chief Privacy Officer, Merck & Co., Inc. spoke about an accountability-based approach to global frameworks and local laws.
Attendees heard from Paul Plofchan about how ADT had used privacy technology to streamline their ongoing privacy risk management and provide visibility to senior leadership.
Justin Antonipillai delivered the closing keynote on negotiations with the European Commission on the EU-U.S. Privacy Shield.
Thank you to our speakers, sponsors, partners and our team of volunteers from WISP and the University of California, Hastings College of the Law. This event would not have been possible without your support!
To read about future TRUSTe events, visit our upcoming events page or subscribe to the TRUSTe blog.
The Internet of Things (or the Internet of Everything, as some refer to it) is changing the way of the world for businesses, governments and consumers, as devices and services are increasingly connected to the Internet in real-time, 24/7. This allows for the practically ubiquitous collection, storage and sharing of data on an always-on basis, which heralds countless innovations for enterprises and individuals alike.
However, with increased connectivity comes the potential for increased vulnerability—in both the cyber and physical worlds. This is why Privacy by Design is a paramount business practice for companies engaged in the IoT space, as well as a consideration steadily more expected by consumers. TRUSTe’s Privacy Risk Summit (Wednesday, June 8th in San Francisco), features three sessions devoted to IoT privacy issues. In this second preview blog, Darren Abernethy, Privacy Solutions Manager at TRUSTe offers a brief introduction to Privacy by Design in the IoT context.
The Internet of Things Continues to Grow Exponentially
The IoT is a short-hand term that refers to the interconnected environment in which previously offline, data-siloed objects can now continually communicate information among other objects and people. According to one estimate, the number of IoT-connected devices will number 38.5 billion in 2020, up from 13.4 billion in 2015: a rise of over 285%.
Consumer-focused, “smart home” devices are already a fixture in many retail outlets (think fitness wearables, connected refrigerators, sous-vide precision cookers, smart thermostats and lighting systems, the list goes on), and the next several years are expected to see IoT maturity in areas as diverse as connected cars, smart grids and cities, digital healthcare, agriculture, and various industrial channels. In short, there is no scarcity of interest in the application of IoT connectivity across sectors because of the granular insights that it facilitates.
The Connected World Requires Pre-Conceived Privacy by Design
A recently released survey conducted by Ipsos on behalf of TRUSTe/NCSA found that 89% of respondents say that they avoid companies that do not protect their privacy. This reality—that brand reputation and consumer trust are inextricably linked—is especially true in the IoT context. This is why Privacy by Design, or the practice of building privacy and security controls into a product or service at the outset of the planning process, rather than as an afterthought, is imperative.
There is no statutorily-defined, one-size-fits-all prescriptive list of what constitutes Privacy by Design. Indeed, in the context of IoT devices, Privacy by Design in practice ultimately depends on the types and quantity of information a device collects, the sensitivity of the data, and the overall risk posed to end users. Still, some issues should form the basis of any Privacy by Design assessment throughout product development, and these include:
Data Minimization. Whereas early IoT devices may have focused on collecting information indiscriminately, on a “we’ll find a use for this data later” basis, such an approach will no longer be tolerated by regulators. Most privacy regimes mandate that only data relevant to the purposes for which consent was originally given may be processed. And with the new EU GDPR privacy regulation’s effective date inching closer each day—along with its application to data controllers and processors of fines equaling up to 4% of global turnover for serious infractions—all IoT folks should be mindful to collect only what is necessary to achieve their business goals (and in keeping with their disclosures and public promises).
Perform Privacy and Security Risk Assessments Throughout All Stages of Development These complement an overall risk-based approach that includes, from the start, having a full inventory of the type and variety of personal information collected, as well as end-to-end understandings of data flows for the life cycle of any data. As the FTC has noted: “An evolving inventory serves triple duty: It offers a baseline as your staff and product line change over time. It can come in handy for regulatory compliance. And it can help you allocate your data security resources where they are needed most.” TRUSTe’s SaaS-based Assessment Manager was designed with this in mind, by automating the privacy impact assessment process for companies so that they may efficiently assess privacy risk, produce on-demand compliance/audit reports, and monitor privacy matters on an on-going basis.
Use Security Hygiene Best Practices This entails utilizing security transmission protocols and encryption techniques for personal information in transit and at rest, building in proper authentication controls, training company staff in privacy and data security best practices, limiting permissions, and using secure options as a smart device’s default settings that are changeable later by more advanced or aware end users.
Vet Vendors and Partners Privacy by Design considerations do not end with the device manufacturer, they extend to the partners and service providers associated with the device maker. Accordingly, IoT companies should embed processes to review third party providers’ practices as well as have contractual provisions in place that clarify responsibilities and liabilities before any product or service goes to market.
Transparency and Control IoT companies must be transparent with consumers—in easy to understand language and format—about how their troves of data are collected and used. This means up-front and accurate privacy statements, building in mechanisms for on-going notice and choice (including just-in-time notices), having conspicuous user privacy controls/dashboards, and effective communication—beyond the design phase—of access options, recommended security updates and other manifestations of respect for users’ preferences.
The Future of IoT Privacy by Design
As more devices, platforms and infrastructure connect to the Internet in real-time, the most successful industry participants will be those that regard Privacy by Design as an opportunity to demonstrate that they are worthy of consumers’ trust. Industry self-regulatory frameworks, such as the OTA IoT Trust Framework, are available to help companies to operationalise privacy by design. Time will tell whether this is enough to pre-empt the need (in the eyes of external regulators) for legislation. Also unclear are issues of interoperability in the IoT context, as well as questions of whether a one-time consent by consumers can realistically serve as “informed” consent as connected devices become a perpetual presence in our daily lives. For insights and analyses of these issues and more, be sure to check out next month’s TRUSTe Privacy Risk Summit, or contact TRUSTe today.
At the IoT Privacy Summit on June 17th a panel of four data privacy experts discussed, “Finding a New Paradigm – Consent and Choice for IoT.” The panel consisted of Marc Loewenthal, Director, Promontory Financial Group LLC; Emilio Cividanes, Partner, Venable LLP; Debra Farber, Senior Privacy Consultant & Product Manager, TRUSTe; and Erin Kenneally, Founder & CEO Elchemy, Inc., University of California at San Diego.
Old world technologies such as corporate telephone systems give clear notice that your conversation may be recorded. Callers can act on that information by hanging up or proceeding with the call thereby giving an implied consent to the possible recording of the conversation. The main consideration when providing consumer notice is that it is conspicuous and prior in time to the collection/use of data. A good example in mobile is Geo-location notice. Consumers see a pop-up notice that they can act upon that requests access to their location information and they can deny such access.
In the IOT it is fundamental to understand the nature of the information and the links between all of the entities that have legitimate interest in that data. One panelist felt that a consumer may not have to know every piece of data that is being collected and shared, but does have a right to have their data used in a way consistent with their expectations. Some saw notice in the IOT context evolving into a set of obvious symbols inferring what is happening with the data, which is in line with the proposed EU General Data Privacy Regulation (GDPR).
By Matthew E.S. Coleman, JD, CIPP/US, Enterprise Privacy Solutions Manager at TRUSTe
Regulators are struggling. They are struggling to find a paradigm to protect consumer privacy in the face of rapid technological change. This sentiment kicked off a panel titled, “Can Self-Regulation Meet Privacy Challenges of IoT?” at TRUSTe’s Internet of Things (IoT) Privacy Summit in Menlo Park, CA on Wednesday. The panel, moderated by Nancy Libin, former Chief Privacy Officer of the Department of Justice, contained a diverse array of privacy professionals from private, public, and, non-profit backgrounds. Panelists included Alex Reynolds, Director and Regulatory Counsel, Consumer Electronics Association; Justin Brookman, Director of Consumer Privacy, Center for Democracy & Technology; Hilary Cain, Director of Technology & Innovation Policy, Toyota Motor North America, Inc.; and Nithan Sannappa, Senior Attorney, Federal Trade Commission.
The panelists largely focused on the recommendations presented in the Federal Trade Commission’s January 2015 report titled, “Internet of Things: Privacy and Security in a Connected World.” There are three main principles from the report touted as a workable privacy standard for IoT device manufacturers: 1) Security; 2) Data Minimization; and 3) Notice and Choice.
The FTC has historically enforced reasonable security as a part of its unfair practices purview. In the context of IoT devices, what is deemed reasonable is largely based on context. What types of information is the device collecting? Is it sensitive personal information (e.g., geolocation, protected health information, etc.)? What quantity of data is collected? The higher the risk profile associated with the data collected then the stronger the protections required on a device.
Leading up to the second annual IoT Privacy Summit on June 17th we’ll be featuring a series of blog posts about the panels and speakers at the upcoming event.
It’s finally here! The 2nd Annual IoT Privacy Summit 2015 is this Wednesday in Silicon Valley. We look forward to all the interesting and timely IoT topics that’ll be discussed in the numerous panels, as well as meeting a wide variety of people working in privacy in some capacity.
During the past couple weeks we’ve been sharing some details about the panels attendees at the Summit will have the opportunity to hear. We’ve been very fortunate to get numerous experts in various IoT topics to speak at the Summit. One panel titled, “Protecting Your Home from IoT Bandits” will cover the benefits and many challenges of keeping personal data protected as homes become ‘smarter.’
The panel will take place from 1-1:45 p.m. Speakers include Michael Kaiser, Chief Executive, NCSA; Jeff Hagins, CTO & Co-Founder, SmartThings; Jim Hunter, Chief Scientist and Technology Evangelist, Greenwave Systems; Alex Danoyan, VP of Platform, Control4; and Kraig L. Marini Baker, Partner, Davis Wright Tremaine.
Leading up to the Summit we’ve been sharing details about individual sessions on our blog. You can read more about them here:
Tickets for this event are sold out, however you can tune-in via live stream. Click here to register.