Data Privacy: The Coming Conflict Alan Pelz-Sharpe Research Director Social Business Applications

AIIM 2015 - Data Privacy

Page 1: AIIM 2015 - Data Privacy

Data Privacy: The Coming Conflict

Alan Pelz-Sharpe

Research Director Social Business Applications

Page 2: AIIM 2015 - Data Privacy

451 Research is an information technology research & advisory company

Founded in 2000

350+ employees, including over 100 analysts

1,000+ clients: Technology & Service providers, corporate advisory, finance, professional services, and IT decision makers

25,000+ senior IT professionals in our research community

Over 52 million data points each quarter

4,500+ reports published each year covering 2,000+ innovative technology & service providers

Headquartered in New York City with offices in London, Boston, San Francisco, and Washington D.C.

451 Research and its sister company Uptime Institute comprise the two divisions of The 451 Group

Research & Data

Advisory Services

Events

Page 3: AIIM 2015 - Data Privacy

451 Research provides unique insight into emerging, disruptive technologies and the companies taking them to market.

Page 4: AIIM 2015 - Data Privacy

Research Channels

A combination of research & data is delivered across fourteen channels aligned to the prevailing topics and technologies of digital infrastructure… from the datacenter core to the mobile edge.

Page 5: AIIM 2015 - Data Privacy

Why Data Privacy?

• Emerging and Invasive Technologies

• Data Breaches

• Legal and Regulatory Challenges

Page 6: AIIM 2015 - Data Privacy

Why Data Privacy? - Emerging and Invasive Technologies

Page 7: AIIM 2015 - Data Privacy

Why Data Privacy? Emerging and Invasive Technologies

Aliases

Private email Address

Devices

Locations

Friends & Associates

Work email Address

Page 8: AIIM 2015 - Data Privacy

Why Data Privacy? – Personal Data is broader than you think

Social Network

Posts

IP addresses

Photographs

Page 9: AIIM 2015 - Data Privacy

Basics – PII (Personally Identifiable Data)

What do I have?

• Why do I have it?

What am I collecting?

• Why am I collecting it?

How long should I keep it?

• How do I dispose of it?

Page 10: AIIM 2015 - Data Privacy

Basics - Security

How have I secured it?

• Granular or a blanket approach?

Who accesses it?

• Should they be accessing it?

How do I know if I lose it?

• What do I do if I do lose it?

Page 11: AIIM 2015 - Data Privacy

Why Data Privacy? – Data Breaches

• Difficult problem. Not if companies will be hacked, but when.

• US law is difficult—47 different state laws plus District of Columbia

• What is a reasonable legal requirement for data breach notification?

• Too many notices, and you have the Boy Who Cried Wolf problem of people ignoring them.

• EU is considering data breach notification regulations as part of GDPR.

Page 12: AIIM 2015 - Data Privacy

The Current Conflicts

• September 11 and the USA PATRIOT Act

• The NSA-Snowden Controversy

• Conflict of Cultures, Definitions, and Laws

Page 13: AIIM 2015 - Data Privacy

The Current Conflicts September 11 and the USA PATRIOT ACT

• Laws in many nations would trigger government data demands in response to a (real or perceived) threat to national security.

• “Don’t put your data on US servers” argument is somewhat of a red herring.

• September 11 and the PATRIOT Act are perfect illustrations of the ‘Privacy vs. Security’ dilemma.

Page 14: AIIM 2015 - Data Privacy

The Current Conflicts – NSA-Snowden

• Like the PATRIOT Act, the NSA-Snowden controversy illustrates the ‘Privacy vs. Security’ dilemma.

• Was the PATRIOT Act really a red herring? The NSA-Snowden controversy has been a giant ‘We told you so’ for many around the world who argued the USA PATRIOT Act was the manifestation of the Orwellian nightmare.

Page 15: AIIM 2015 - Data Privacy

The Current Conflicts

• Freedom of Information versus Right to Privacy

• US First Amendment Freedom of Speech

Page 16: AIIM 2015 - Data Privacy

The Current Conflicts

Different Definitions

• Personally Identifiable Information (PII)—In 2010, the US Government’s Office of Management and Budget (OMB) stated, “The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available—in any medium from any source—that, when combined with other available information, could be used to identify an individual.” See also US National Institute for Standards and Technology (NIST) definition.

• Personal Information—Mexico has a broad definition, including any information concerning an individual.

• Sensitive Personal Information—For instance, in Argentina, it includes ethnic or racial origin, political opinions, union membership, philosophical, while in Finland, it includes criminal sanctions and the receipt of social welfare.

Page 17: AIIM 2015 - Data Privacy

Personal Data: 2+2=4

Birthdate

Address

Social Security Number

Phone Number

Email Address

Twitter Handle

Credit Card Number

Page 18: AIIM 2015 - Data Privacy

US-EU Safe Harbor Framework

• Although the US does not meet the minimum standards required by the 1995 Directive, the Safe Harbor has allowed data transfers between the EU and the US.

• Companies self-certify compliance, which has never been popular in Europe.

• Negotiations are continuing to save the Safe Harbor.

Page 19: AIIM 2015 - Data Privacy

The Coming Conflicts

• EU General Data Protection Regulation (GDPR)

• Microsoft Dublin Warrant Controversy

Page 20: AIIM 2015 - Data Privacy

The Coming Conflicts EU GDPR

• Change from Directive (Directive 95/46/EC) to Regulation (GDPR)

• The goal is to harmonize the laws of the 28 EU Member States

• Harmonizing the laws would make international business easier, but the GDPR in its current form would create more substantial differences with the US.

• Right to be Forgotten/Right of Erasure—a major issue, but in May 2014, the EU Court of Justice held in Google Spain that the Right to be Forgotten exists under the current Directive in certain circumstances.

• International Transfer of Personal Data

• Data Breach Notification—Change from 24 hours to “without undue delay.”

• European Council must still approve.

Page 21: AIIM 2015 - Data Privacy

The Coming Conflicts Microsoft Dublin Warrant

• In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp. (S.D.N.Y. 2014)

• US court holds a warrant for email data stored in Dublin is valid under the US Stored Communications Act of 1986 because the data are controlled by Microsoft in the US—despite being stored in Ireland.

• Microsoft—supported by tech companies—is appealing to the US Court of Appeals for the Second Circuit, arguing that it does matter where the data are stored and that the US does not have authority over data stored in Ireland.

• If upheld, it could be a major blow to US tech companies.

Page 22: AIIM 2015 - Data Privacy

Key Takeaways

• Take ownership of the issue

• Know what data you are collecting and why

• The less you collect the more secure you are – the more you collect the richer the data source – get the balance right

• Clearly define PII and non PII

• Figure out a Data Loss Prevention (DLP) strategy

• Know what laws impact your organization – does data travel overseas?

• Clear house – don’t just keep data because you can

• Take a scenario based approach – what are the scenarios for your organization?

Page 23: AIIM 2015 - Data Privacy

Twitter: @socialbizalan