May Event Spotlight: IAPP Canada, GDPR – DPIA & Data Breach Requirements Webinar & #CyberAware On Your Summer Travel Twitter Chat 

UN Global Pulse and the International Association of Privacy Professionals (IAPP) Present: Building a Strong Privacy and Data Ethics Program – From Theory to Practice
May 4
New York
The meeting will focus on how to implement privacy and data ethics in international organizations, and on how to access public-private sector data for use in humanitarian and development contexts.
Four topics will be discussed during the day by experts from UN, public and private sector, namely:

  1. Privacy on the Ground: Managing Personal Data in Organizations;
  2. Ethics and a Rights Based Approach to Data: From Principles to Institutions;
  3. Privacy and Data Protection Frameworks: The Regulatory and Policy-making Perspective;
  4. Access to Data for Public Good: Mechanisms and Schemes for Sharing Data for Humanitarian and Development Causes.

TRUSTe’s Hilary Wandall will be presenting on “Privacy on the Ground: Managing Personal Data and Privacy Risks in Organizations”.
> Learn more here


IAPP Canada Privacy Symposium 2017
May 17-18
Toronto, Canada
With so many critical privacy issues facing you this year and so much uncertainty on the international horizon, Symposium could not be happening at a better time.
Stop by TRUSTe booth #9 to say hi and learn about TRUSTe’s GDPR Implementation Solution.
> Register here


GDPR: DPIA & Data Breach Requirements – Assessing Individual Harm
May 23 @ 9:00 am – 10:00 am PST
Online Webinar
Through this webinar, you will learn:

  • What is required when and if a data breach occurs
  • Requirements for conducting DPIAs
  • Best practices for creating DPIA templates
  • How to create sustainable DPIA processes

> Register here


#ChatSTC Twitter Chat: Online Safety on the Go – Be #CyberAware On Your Summer Travel
May 25 @ 12:00 pm – 1:00 pm
Online Twitter Chat
With warm weather and a holiday weekend right around the corner, you may be thinking about a summer getaway. Whether you’re planning a family trip, attending an out-of-town wedding or taking an exotic getaway, you’re likely to use your connected devices for pre-travel planning, while you’re on the road and when you return. It’s important to keep cybersecurity and privacy in mind while navigating your summer travel plans. Join @STOPTHNKCONNECT for a Twitter chat that will discuss steps you can take to protect yourself, your devices and your information and enjoy a safe, stress-free summer escape.


Guests: CSID (@CSIdentity); Dashlane (@dashlane); Family Online Safety Institute (@FOSI); Generali Global Assistance North America (@GGA_NA); Get Cyber Safe (@GetCyberSafe); Herjavec Group (@herjavecgroup); Higher Education Information Security Council (@HEISCouncil); Hueya (@hueyainc); iKeepSafe (@iKeepSafe); LastPass (@LastPass); Secure Ideas (@secureideas); Security Awareness Company (@SecAwareCo); Sticky Password (@stickypassword); TRUSTe (@TRUSTe); National Cyber Security Alliance (@StaySafeOnline), additional guests TBD
Use #ChatSTC to join!

DON’T FORGET: Register for the upcoming Privacy Risk Summit! Seats are limited. Visit the event page for more information.

First Set of Panel Topics Announced for the 2017 Privacy Risk Summit

The TRUSTe 2017 Privacy Risk Summit is only two months away! The event will bring together the industry’s top thinkers, practitioners and solution providers to share emerging best practices and tools and models for success for privacy risk management, with a focus on the GDPR.

From IoT to GDPR, see below for a sneak peek at a sampling of the confirmed panels:

– What’s your Wallet In? The Privacy and Security of In-Car Payment Systems –

Car manufacturers such as Honda, Ford and Volkswagen will soon be unveiling connected payment systems that will allow drivers to pay for parking, fuel, and other items through a connected interface on their dashboard. These systems promise to be convenient and feature-laden, but they also present privacy and data security challenges. A panel that includes attorneys from the US and Europe, a client manufacturer and a corporate counsel and privacy officer will discuss challenges of implementing the new standards imposed by the US Federal Trade Commission, as well as French, German and British data protection authorities.

– GDPR Implementation in a US-Owned International Company: A View from Europe –

With more or less one year to go before the GDPR is legally enforced in the EU, this panel will offer a practical, in-house, and substantially European, view of how the GDPR can be implemented effectively within a US organisation or a US-owned international organisation that processes European personal data. In light of the major differences in legal concepts, cultural ideology and regulatory structures in place in the EU and the US when it comes to addressing data protection/privacy, “bridging the gaps”, in an effective and constructive manner, has never taken on such a critical meaning. The session will also take into consideration, and reflect on general corporate and business behaviours in place on each side of the Atlantic.

– Profiling and Big Data: The Reality of the GDPR Impact –

Profiling is one of the provisions of the GDPR that will have the most significant impact on businesses. In particular, Article 22 and its companions present challenges for analytics and other automated processing that uses personal data as an input – which will capture most of the ad tech world and others that rely on “Big Data”. This panel will discuss the practical impact of the GDPR on profiling and Big Data techniques and what companies can start doing to prepare for the changes ahead.

– Assessing Vendors for Privacy Risk & Compliance: We’re all in this together –

In this panel discussion, in-house counsel and a compliance specialist will discuss the challenges of engaging third parties with access to personal data globally. Topics include managing conflict-of-laws issues, assessments in less technically proficient jurisdictions, audits, contracting, and updating contracts to keep up with the fast pace of change in privacy regulation.

– Customizable PIA and DPIA Assessments: Analyze Benefits and Risks of Data Processing –

This session will introduce a comprehensive assessment process and explain how this assessment process is customizable for other risks, regions, sectors and industries and how this assessment process can be used as a Data Protection Impact Assessment under the GDPR. The speakers will also introduce how to automate this assessment process and share how automation will enable customization and adaptation for GDPR compliance and a broad range of organizational use cases.

– Smart Tech and Smart Nation Initiative: Balancing Privacy and Innovation –

Singapore is gearing up to be the world’s first Smart Nation. This vision entails ubiquitous efficient connectivity for individuals and for devices on a machine-to-machine basis, whereby businesses can innovate with new solutions and human lives are bettered. At the same time, corporate businesses are embracing this digital age with new disruptive technologies, leveraging on the Internet of Things, and cloud solutions. This panel will look at the lessons from Singapore’s Smart Nation initiative, key data protection and security challenges that each country will face and rationalising with individuals’ growing concern over privacy and security in this age of ‘data-terrorism’.

Book Your Seat Now!

TRUSTe Privacy Risk Summit 2016 – Highlights

250 privacy professionals converged in San Francisco this week to discuss the challenges they face in managing emerging privacy risks and share strategies for success. They enjoyed a packed day of inspiring keynotes, expert panels and, of course, networking, acquiring new ideas and practical advice to take back to the office.

The TRUSTe Privacy Risk Summit brought together over 50 speakers across 24 sessions and 4 parallel tracks. A highly engaged audience was captivated from the start, by sessions ranging from a culinary-inspired keynote by Hilary Wandall of Merck & Co., Inc., “Deconstructing the Privacy Risk Dish”, to a personal and historic perspective on the new EU-U.S. Privacy Shield from Justin Antonipillai, Counselor to the Secretary Penny Pritzker, after two years as the co-lead U.S. negotiator with the European Commission.

The TRUSTe Privacy Risk Summit – Highlights

Chris Babel, CEO of TRUSTe, kicked off the Summit and explained how this event builds on the success of previous TRUSTe events, the EU Data Protection Conference and the IoT Privacy Summits in 2014 and 2015.

Adam Sedgwick and Sean Brooks from NIST were joined by Dan Caprio and Jonathan Litchman Co-Founders of The Providence Group to discuss the NIST CyberSecurity Framework and its role in managing privacy and data risk.

Lively discussions and networking continued in the halls outside the breakout rooms.

Josh Harris, Director of Policy at TRUSTe, and Hilary Wandall, AVP & Chief Privacy Officer, Merck & Co., Inc., spoke about an accountability-based approach to global frameworks and local laws.

Attendees heard from Paul Plofchan about how ADT had used privacy technology to streamline their ongoing privacy risk management and provide visibility to senior leadership.

Justin Antonipillai delivered the closing keynote on negotiations with the European Commission on the EU-U.S. Privacy Shield.

Thank you to our speakers, sponsors, partners and our team of volunteers from WISP and the University of California, Hastings College of the Law. This event would not have been possible without your support!

To read about future TRUSTe events, visit our upcoming events page or subscribe to the TRUSTe blog.


The Privacy Implications of Home Monitoring – Summit Preview

The rapid rise of the Internet of Things—always-on devices equipped with sensors and transmitting chips that allow for the continual collection and communication of user-generated data—has begun to transform areas as diverse as connected cars, cooking, smart infrastructure, digital healthcare, agriculture and industrial channels. While each of these domains is sensitive, and necessitates the rigorous application of Privacy/Security by Design, few areas are more private than the inner sanctum of one’s home, which is increasingly becoming “connected” in various ways.

TRUSTe’s Privacy Risk Summit (this Wednesday, June 8th in San Francisco) features a session devoted to the privacy implications of home monitoring presented by Jill Bronfman, Director of the Privacy Tech Project and Adjunct Professor, University of California, Hastings College of the Law. In this final preview in our series, Darren Abernethy, Privacy Solutions Manager at TRUSTe, offers a brief introduction to some of the vulnerabilities and opportunities in the “smart home” space.

How We Arrived Here

The exponential proliferation of Internet of Things (IoT)-connected devices can be explained by the timely melding of various drivers and technological capabilities. The prevalence of low-cost sensors, advanced and inexpensive cloud computing platforms, social media, “big data” analytics, and increased spectral efficiency of wireless technologies and networks have all expedited the creation of more interconnected devices. The fact that these devices generate valuable user data that can be anonymized, aggregated and sold to marketers and other businesses in order to provide insights about customers and prospects, has made a consumer’s behavioral data from inside the home that much more treasured.

First, the Worst Case Scenarios

The Potential for Creepiness

When in the home setting, people are at their most vulnerable. There may be children around, conversations are had that are not meant for public consumption, and generally one’s guard is relaxed in ways it might not be at work or in public. And so, the “creepiness factor” can be high. This is no better reflected than in the chilling recent case of a man hacking a couple’s baby monitor to speak to a 3-year-old boy in his bedroom and control the night-vision-enabled video camera inside. Such a violation of privacy and decency highlights the fact that there will always be people who view connected devices as an attack vector ripe for exploitation.

Exploiting Vulnerabilities

And, aside from the unsettling manipulation of baby monitors, outsiders will no doubt look for ways to compromise connected garage doors and locks in order to gain physical entry into a home, or to demand payment of a ransom before allowing the owner re-entry. Moreover, even if a hacker does not wish to personally engage in further crimes first-hand, it is not hard to fathom a black market where IoT-related vulnerabilities for devices and individuals’ homes can be peddled.

Enter Voice and Facial Recognition

Voice, video and biometric capabilities are likewise becoming components of the smart home experience. Google recently announced its plans to enter the voice-controlled virtual assistant market (a la Amazon’s Echo) with Google Home, which “becomes a hub to run a home network of Internet-connected devices that collect millions, if not billions, of pieces of data—frequently.” Google Home enables two-way conversations, can interact with the Nest smart thermostat and will engage with other smart devices that, collectively, contain data indicating when someone is home or away, and information about an individual’s preferences and more.

Next, the Good News: Good Practices Build Customer Trust

Although no device or service unequivocally can be made 100% safe and impregnable, there are ascertainable steps that any company can take to mitigate the risk of creepiness, 3rd party exploitation and other smart home cybercrime.

As a threshold matter, companies must continually test and be aware of all of the data that a connected home device collects and transmits. When this data is appropriately categorized (e.g., non-PII vs. PII vs. sensitive PII; actively vs. passively collected; persistent identifiers; transmission medium, etc.), inventoried, and secured (e.g., encrypted and/or de-identified), and it is understood with whom the information is shared (vendors, service processors, partners, etc.) over which networks, then companies are better able to ensure security by building in appropriate controls. Ongoing monitoring throughout the lifecycle of a connected device, as well as accurate disclosures to consumers before and throughout usage of a product, are also requisites of building customer trust.

Open Questions at the Hearth of the Connected Home

This relatively nascent frontier of monitoring about and within the home raises as yet unanswered issues for privacy-aware consumers and regulators. These include:

  • What limits, if any, are needed around the granular profiling of individuals from combined IoT-device data collected on a single platform (including, e.g., protected health information or geolocation)?
  • Should a special regulatory status be afforded to data collected in the home?
  • Where do advertisers and marketers fit into the connected home landscape?
  • How can meaningful notice and consent be provided in the IoT home setting?
  • What of unknown or future secondary uses of connected home data?

For insights and analyses of these issues and more, be sure to check out this week’s TRUSTe Privacy Risk Summit, or contact TRUSTe today.


June Spotlight – Privacy Risk Summit, Legaltech West Coast, AIIM UK

Privacy Risk Summit 2016

June 8

San Francisco

The 2016 Privacy Risk Summit will bring together leading privacy practitioners, lawyers, regulators, and academics to address top privacy risks in the year ahead and share strategies for success.

The Summit builds on the success of the EU Data Protection Conference and IoT Privacy Summits to bring you an expanded program with three parallel conference tracks focusing on risks rising from technological and regulatory change and privacy risk management best practices.

TRUSTe is hosting this event. We invite you to join us in San Francisco this summer for a packed day of inspiring keynotes, dynamic panel presentations and interactive workshops.

> Register here


Legaltech West Coast

June 13 – June 14

San Francisco

Legaltech is the largest and most important gathering of legal technology professionals anywhere in the world. Attendees include decision-makers from all firm sizes who attend Legaltech to hear directly from the experts and see the latest and most innovative products & services.

TRUSTe is exhibiting and speaking at this event. Stop by booth #406 to see the latest privacy compliance tools or join us at our Emerging Technology session, “Counsel’s Toolbox: Innovation in Managing Digital Privacy Risk” on Tuesday the 14th at 1:30pm. We’ll be joined by Privacy Counsel at Autodesk, White & Case, NetSuite, and Symantec.

> Register here



June 22


The AIIM Forum UK is a free independent event brought to you by AIIM International, to deliver thought leadership, market insights and expert advice through a one-day program of educational seminars and a major showcase of the latest information management innovations.

TRUSTe’s Ralph O’Brien will be speaking on Wednesday, June 22, 4.05 – 5.00pm on the panel discussion, “Europe, Privacy & the New General Data Protection Regulations”. Key discussion points will be the legal requirements and timescales of the GDPR, plus further exploration of provisions such as the ‘Right to be Forgotten’, the ‘Right to object to Automated Processing’ and ‘Privacy by Design’, data portability vs data sharing, information governance, risk management and other commercial impacts that will affect all organizations operating in Europe.

> Register here