250 privacy professionals converged in San Francisco this week to discuss the challenges they face in managing emerging privacy risks and to share strategies for success. They enjoyed a packed day of inspiring keynotes, expert panels and, of course, networking, acquiring new ideas and practical advice to take back to the office.
The TRUSTe Privacy Risk Summit brought together over 50 speakers across 24 sessions and 4 parallel tracks. A highly engaged audience was captivated from start to finish: from the culinary-inspired opening keynote by Hilary Wandall of Merck & Co., Inc., “Deconstructing the Privacy Risk Dish”, to a personal and historical perspective on the new EU-U.S. Privacy Shield from Justin Antonipillai, Counselor to Secretary of Commerce Penny Pritzker, after two years as co-lead U.S. negotiator with the European Commission.
The TRUSTe Privacy Risk Summit – Highlights
Chris Babel, CEO of TRUSTe, kicked off the Summit and explained how this event builds on the success of previous TRUSTe events, the EU Data Protection Conference and the IoT Privacy Summits in 2014 and 2015.
Adam Sedgwick and Sean Brooks from NIST were joined by Dan Caprio and Jonathan Litchman, co-founders of The Providence Group, to discuss the NIST Cybersecurity Framework and its role in managing privacy and data risk.
Lively discussions and networking continued in the halls outside the breakout rooms.
Josh Harris, Director of Policy at TRUSTe, and Hilary Wandall, AVP & Chief Privacy Officer, Merck & Co., Inc., spoke about an accountability-based approach to global frameworks and local laws.
Attendees heard from Paul Plofchan about how ADT had used privacy technology to streamline their ongoing privacy risk management and provide visibility to senior leadership.
Justin Antonipillai delivered the closing keynote on negotiations with the European Commission on the EU-U.S. Privacy Shield.
Thank you to our speakers, sponsors, partners and our team of volunteers from WISP and the University of California, Hastings College of the Law. This event would not have been possible without your support!
To read about future TRUSTe events, visit our upcoming events page or subscribe to the TRUSTe blog.
The Internet of Things (or the Internet of Everything, as some refer to it) is changing the way businesses, governments and consumers operate, as devices and services are increasingly connected to the Internet in real time, 24/7. This allows for the practically ubiquitous, always-on collection, storage and sharing of data, which heralds countless innovations for enterprises and individuals alike.
However, with increased connectivity comes the potential for increased vulnerability, in both the cyber and physical worlds. This is why Privacy by Design is a paramount business practice for companies engaged in the IoT space, as well as a consideration that consumers increasingly expect. TRUSTe’s Privacy Risk Summit (Wednesday, June 8th in San Francisco) features three sessions devoted to IoT privacy issues. In this second preview blog, Darren Abernethy, Privacy Solutions Manager at TRUSTe, offers a brief introduction to Privacy by Design in the IoT context.
The Internet of Things Continues to Grow Exponentially
The IoT is a shorthand term for the interconnected environment in which previously offline, data-siloed objects can now continually exchange information with other objects and with people. According to one estimate, the number of IoT-connected devices will reach 38.5 billion in 2020, up from 13.4 billion in 2015: nearly a threefold increase (a rise of roughly 187%).
Consumer-focused, “smart home” devices are already a fixture in many retail outlets (think fitness wearables, connected refrigerators, sous-vide precision cookers, smart thermostats and lighting systems, the list goes on), and the next several years are expected to see IoT maturity in areas as diverse as connected cars, smart grids and cities, digital healthcare, agriculture, and various industrial channels. In short, there is no scarcity of interest in the application of IoT connectivity across sectors because of the granular insights that it facilitates.
The Connected World Requires Pre-Conceived Privacy by Design
A recently released survey conducted by Ipsos on behalf of TRUSTe/NCSA found that 89% of respondents say that they avoid companies that do not protect their privacy. This reality—that brand reputation and consumer trust are inextricably linked—is especially true in the IoT context. This is why Privacy by Design, or the practice of building privacy and security controls into a product or service at the outset of the planning process, rather than as an afterthought, is imperative.
There is no statutorily-defined, one-size-fits-all prescriptive list of what constitutes Privacy by Design. Indeed, in the context of IoT devices, Privacy by Design in practice ultimately depends on the types and quantity of information a device collects, the sensitivity of the data, and the overall risk posed to end users. Still, some issues should form the basis of any Privacy by Design assessment throughout product development, and these include:
Data Minimization. Whereas early IoT devices may have focused on collecting information indiscriminately, on a “we’ll find a use for this data later” basis, such an approach will no longer be tolerated by regulators. Most privacy regimes mandate that only data relevant to the purposes for which consent was originally given may be processed. And with the effective date of the new EU GDPR inching closer each day, along with its exposure of data controllers and processors to fines of up to 4% of global annual turnover (or €20 million, whichever is higher) for serious infractions, everyone building IoT products should be mindful to collect only what is necessary to achieve their business goals, and only in keeping with their disclosures and public promises.
Perform Privacy and Security Risk Assessments Throughout All Stages of Development. These complement an overall risk-based approach that includes, from the start, a full inventory of the types and variety of personal information collected, as well as an end-to-end understanding of data flows across the life cycle of any data. As the FTC has noted: “An evolving inventory serves triple duty: It offers a baseline as your staff and product line change over time. It can come in handy for regulatory compliance. And it can help you allocate your data security resources where they are needed most.” TRUSTe’s SaaS-based Assessment Manager was designed with this in mind: it automates the privacy impact assessment process so that companies can efficiently assess privacy risk, produce on-demand compliance/audit reports, and monitor privacy matters on an ongoing basis.
Use Security Hygiene Best Practices. This entails using secure transport protocols (such as TLS) and encryption for personal information both in transit and at rest, building in proper authentication controls, training company staff in privacy and data security best practices, limiting permissions to what each component and user actually needs, and shipping smart devices with secure default settings that more advanced or aware end users can change later.
Vet Vendors and Partners. Privacy by Design considerations do not end with the device manufacturer; they extend to the partners and service providers associated with the device maker. Accordingly, IoT companies should embed processes to review third-party providers’ practices and have contractual provisions in place that clarify responsibilities and liabilities before any product or service goes to market.
Transparency and Control. IoT companies must be transparent with consumers, in easy-to-understand language and format, about how their troves of data are collected and used. This means up-front and accurate privacy statements, mechanisms for ongoing notice and choice (including just-in-time notices), conspicuous user privacy controls/dashboards, and effective communication, beyond the design phase, of access options, recommended security updates and other manifestations of respect for users’ preferences.
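The data minimization and transparency points above come down to one mechanical rule on the device: a field leaves the device only if the privacy statement declares a purpose for it and the user has consented to that purpose. The following is an added example of that rule, written for this post and not code from TRUSTe, Assessment Manager or any product named here. The field names, purposes, salt and the thermostat reading are all constructed for illustration; a real deployment would load them from the product's data inventory.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Added example, not TRUSTe code. Field names, purposes, the salt and the
# sample reading are constructed for illustration.

# Every field the device can emit is bound to the purpose(s) disclosed for it
# in the privacy statement. A field with no entry has no declared purpose and
# must never leave the device, whatever the firmware happens to have on hand.
FIELD_PURPOSES: dict[str, frozenset[str]] = {
    "device_id":   frozenset({"service", "analytics"}),
    "temperature": frozenset({"service", "analytics"}),
    "setpoint":    frozenset({"service"}),
    "occupancy":   frozenset({"analytics"}),
    "geo_lat":     frozenset({"location_features"}),
    "geo_lon":     frozenset({"location_features"}),
}

# Identifiers are pseudonymised for every purpose other than operating the
# core service, so analytics can correlate records without the raw ID.
IDENTIFYING_FIELDS = frozenset({"device_id"})

# Constructed sample: one thermostat reading, including a stray field
# ("wifi_ssid") for which no purpose was ever declared.
SAMPLE_READING = {
    "device_id": "thermo-00421",
    "temperature": 21.5,
    "setpoint": 20.0,
    "occupancy": True,
    "geo_lat": 37.77,
    "geo_lon": -122.42,
    "wifi_ssid": "HomeNet",
}
# The user accepted service and analytics but did not opt in to location features.
CONSENTED_PURPOSES = frozenset({"service", "analytics"})
SALT = b"constructed-per-tenant-salt"  # hypothetical; would come from secure storage


@dataclass
class Minimised:
    payload: dict = field(default_factory=dict)            # what may be transmitted
    dropped: dict[str, str] = field(default_factory=dict)  # field -> reason, for the inventory


def pseudonymise(value: str, salt: bytes) -> str:
    """Salted one-way hash; stable per tenant, not reversible to the raw ID."""
    return hashlib.sha256(salt + value.encode()).hexdigest()[:16]


def minimise(reading: dict, consented: frozenset[str], purpose: str, salt: bytes) -> Minimised:
    """Return only the fields permitted for `purpose`, plus a record of what was dropped."""
    if purpose not in consented:
        raise PermissionError(f"user has not consented to purpose {purpose!r}")
    result = Minimised()
    for name, value in reading.items():
        declared = FIELD_PURPOSES.get(name)
        if declared is None:
            result.dropped[name] = "no declared purpose"
            continue
        if purpose not in declared:
            result.dropped[name] = f"not needed for purpose {purpose!r}"
            continue
        if name in IDENTIFYING_FIELDS and purpose != "service":
            value = pseudonymise(str(value), salt)
        result.payload[name] = value
    return result


if __name__ == "__main__":
    for p in ("service", "analytics"):
        r = minimise(SAMPLE_READING, CONSENTED_PURPOSES, p, SALT)
        print(p, "->", r.payload, "| dropped:", r.dropped)
```

The `dropped` map is the part that feeds the FTC-style evolving inventory: every field the firmware produces but the statement does not cover shows up with a reason, so an undeclared field added in a later release is caught as a privacy finding rather than silently transmitted. Requesting a purpose the user never consented to fails closed with an exception instead of returning an empty payload, so a calling service cannot mistake "not allowed" for "nothing to send".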
The Future of IoT Privacy by Design
As more devices, platforms and infrastructure connect to the Internet in real-time, the most successful industry participants will be those that regard Privacy by Design as an opportunity to demonstrate that they are worthy of consumers’ trust. Industry self-regulatory frameworks, such as the OTA IoT Trust Framework, are available to help companies to operationalise privacy by design. Time will tell whether this is enough to pre-empt the need (in the eyes of external regulators) for legislation. Also unclear are issues of interoperability in the IoT context, as well as questions of whether a one-time consent by consumers can realistically serve as “informed” consent as connected devices become a perpetual presence in our daily lives. For insights and analyses of these issues and more, be sure to check out next month’s TRUSTe Privacy Risk Summit, or contact TRUSTe today.
Today, registration opens for “EU Data Protection 2015 – Regulation Meets Innovation,” which will take place in San Francisco on Dec. 8. Check out details on the new event website and book your seat today at www.truste.com/eudatap.
The conference brings together thought leaders in privacy, security and regulation to address the changes in the proposed European General Data Protection Regulation and the business impact. The proposed Regulation represents the most significant development in global data protection law in the last 20 years.
The event is timed to coincide with the conclusion of the negotiations on the EU GDPR. It will take place at Bespoke, in downtown San Francisco, from 8 a.m. to 6 p.m. Speakers include:
- John Bowman, Senior Principal, Promontory & Former UK Negotiator for EU GDPR
- Dennis Dayman, Chief Privacy & Security Officer, Return Path
- Josh Harris, Director of Policy, TRUSTe
- Barbara Lawler, Chief Privacy Officer, Intuit
- Phil Lee, Partner & Head of US Office, Fieldfisher
- Robert Stankey, Partner, Davis Wright Tremaine
- Christian Wiese Svanberg, Attorney-at-Law, Plesner, & Former Danish Negotiator for EU GDPR
- Hilary Wandall, AVP Compliance & Chief Privacy Officer, Merck & Co., Inc.
- Tom Widgery, Director of Privacy and Information Security Governance, SVB Financial Group
- Jack Yang, Associate General Counsel, Vice President, Head of Data Use and Privacy, Visa Inc.
Thank you to our launch sponsors and partners Davis Wright Tremaine LLP, National Cyber Security Alliance, Online Trust Alliance and Trunomi.
If you’re interested in speaking or sponsoring this event, please contact Eleanor@truste.com.
TRUSTe is proud to support the development of the Online Trust Alliance’s (OTA) 2015’s Most Trustworthy Online Retailers through our privacy technology and analysis. The list, which was announced today, comes after a thorough audit and evaluation of each website’s best practices in brand and consumer protection, security and privacy.
More than three dozen data attributes are weighted in the audit to determine whether a company is following the OTA’s best practices. TRUSTe’s technology was used to rank each online retailer on privacy best practices.
“As more devices become connected in the IoT era, companies must proactively take steps to protect consumers and be transparent in how this vast amount of data is collected and used,” says TRUSTe CEO Chris Babel. “TRUSTe is dedicated to developing cutting-edge technology to analyze and identify privacy-centric online retailers for inclusion in OTA’s Honor Roll while helping businesses navigate the emerging IoT market and build consumer trust.”
Heather M. Federman
Director of Public Policy, Online Trust Alliance
Join TRUSTe at the OTA’s Data Privacy Day Town Halls in NYC, Seattle and San Francisco & Save 20%
It’s no longer an “if” your company will become the target of a data breach; it’s just a matter of “when.” From small nonprofits to Fortune 500 tech-savvy organizations, breaches and data loss incidents are becoming an unfortunate rite of passage. More and more businesses have found themselves exposed and ill prepared to manage the fallout. In addition to the confusing (and conflicting) regulatory landscape, breaches can be quite expensive, with the average cost equaling $5.5 million. And while innovative defenses against privacy and security threats are introduced with each passing year, cybercriminals outpace those innovations with new and more malicious tactics.
As online trust is on the decline, 2014 needs to be the year of “Data & Privacy Stewardship.” This requires moving from minimal compliance to enhancing the protection of your company, your data and your customers. In order to do so, consider the following New Year “data resolutions”: