
Chapter 2 Overview of Information Security and Compliance:

3.5 The Third Tool: An Information Security

The final tool in minimizing information security risks is a potential exhibit or statement of work that specifically defines the security requirements relevant for a particular engagement. For example, engagements in which highly sensitive information will be entrusted to a third party may require the third party to observe strict practices in its handling of the information; for instance, the information security requirements exhibit may prohibit the third party from transmitting the business's information over internal wireless networks (e.g., 802.11a/b/g) or from transferring that information to removable media that could be easily misplaced or lost. The exhibit may also contain specific requirements for use of encryption and access control technology, and for decommissioning hardware and storage media on which the business's information was stored, to ensure that the information is properly scrubbed from the hardware and media. Other specific physical and technological security measures should be identified as relevant to the particular transaction.

3.6 CONCLUSION

Unique risks are presented when Big Data is entrusted to third parties. Those risks can be mitigated by employing the tools discussed in this chapter: appropriate and uniform due diligence, use of specific contractual protections relating to information security, and, where relevant, use of exhibits or other attachments to the agreement detailing unique security requirements to be imposed on the third party. Doing so will ensure data is handled in a secure manner. The due diligence questionnaire will enable the business to ask the right questions and obtain critical information—before the contract is entered into—with respect to the ability of the third party to adequately safeguard intellectual property. The contractual provisions described (1) set out the business's expectations with respect to security requirements, (2) provide the basis for compelling the third party to comply with those requirements, and (3) give the business remedies for asserting a claim against the third party in the event of the third party's failure to provide adequate security measures. Finally, the optional information security requirements exhibit allows the business to customize security requirements to fit the particular circumstances of the engagement and provide a level of detail that ordinarily would not be found in standard contractual provisions.


4 Privacy and Big Data

Chanley T. Howell

4.1 INTRODUCTION

This chapter examines the privacy compliance challenges when dealing with Big Data and provides guidance on how to comply with applicable privacy laws, regulations, and standards when implementing Big Data initiatives. Big Data is different from structured data in terms of the privacy issues and challenges in protecting personal data. There are two fundamental characteristics of Big Data that make it different: (1) The analysis of Big Data is often for a purpose different from the original purpose for which the data was gathered, and (2) the volume of data used for Big Data purposes can be vastly greater than that found in traditional structured databases.

The primary objective of Big Data is to derive new insights—predicting outcomes and behavior based on very large volumes of data collected from a large number of sources. Each data source, in turn, typically contains data that relates to numerous data subjects. Thus, the gathering and analysis of the data for Big Data purposes is often different from the purpose for which the data was obtained at the time it was initially collected. This change in purpose regarding the use of the data creates issues under the principles of notice and choice, which are fundamental to privacy laws and standards.

Consumers should be given notice of how a company will use and share the consumer's personal information and be provided a meaningful choice with respect to such use and sharing. Any company collecting data must understand how it intends to use personal information when it is collected so that the required notice and choices can be provided. For example, an online retailer may collect large volumes of purchase and transaction histories for the primary purpose of documenting sales for revenue reporting and product purchases for warranty purposes. The retailer may also want to analyze that data to identify purchasing trends, thereby using that information for marketing purposes. If the retailer did not provide adequate notice to the customer of this subsequent Big Data use, it may run afoul of the notice and choice privacy principles.

The second characteristic of Big Data that makes it different from traditional structured data is the sheer volume of the data. Another core principle common to privacy laws and standards is access. The access principle provides that consumers are entitled to know what information a company collects about the consumers so they can effectively exercise their right to choose how that information is used. With a single database containing a manageable amount of customer information, this may not be too difficult. If, however, the dataset resides over multiple databases, and perhaps even with third-party data processors, providing the consumer with access, choice, and transparency can be difficult. Companies should design their Big Data initiatives on the front end with the ability to provide access, choice, and transparency to consumers by taking the steps identified in this chapter.

4.2 PRIVACY LAWS, REGULATIONS, AND PRINCIPLES THAT HAVE AN IMPACT ON BIG DATA

The United States does not have a comprehensive federal privacy regime, such as the Data Protection Act of the European Union. Rather, privacy laws in the United States follow a sectoral approach (e.g., health care, financial, educational information). These sectoral laws are expanded by a layer of guidelines, principles, and rulings from the Federal Trade Commission (FTC). That is not the end of the privacy regulation. States have their own patchwork of privacy and security laws, covering a broad range of subjects, including the protection of health information, financial information, and more general personal information. Finally, all these federal and state laws are subject to a stream of court decisions that provide practical interpretations of the laws and additional compliance direction to data holders. As a result, navigating which of the multiple layers of laws applies to each type and source of data presents a significant compliance challenge for most organizations.

The layers of regulation can act independently and cumulatively, depending on factors such as the type of information collected, the age of the individual from whom the data is collected, and the manner of data collection. For example, at the federal level, financial information of various types is protected under the Fair Credit Reporting Act (as amended and supplemented by the Fair and Accurate Credit Transactions Act) and the Gramm-Leach-Bliley Act (GLBA). Health information is regulated under the Health Insurance Portability and Accountability Act (HIPAA; as amended and supplemented by the Health Information Technology for Economic and Clinical Health Act). Information collected from children under the age of 13 is regulated by the Children's Online Privacy Protection Act. Student information is protected under the Family Educational Rights and Privacy Act. The Telephone Consumer Protection Act, Telemarketing Sales Rule, and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) protect the privacy of consumers with respect to receiving marketing communications from companies. Finally, any gaps in the coverage of these laws are filled by various enforcement decrees, rulings, guidelines, and principles published by the FTC as well as court decisions interpreting both the statutes and the FTC's pronouncements. Because of this complexity, compliance efforts can be greatly enhanced by understanding the underpinnings of the privacy and security laws. The remainder of this chapter discusses the foundational principles of privacy compliance and key laws with which your organization's data collection and handling policies may need to comply.

4.3 THE FOUNDATIONS OF PRIVACY COMPLIANCE

Throughout this chapter, we discuss the importance of transparency with respect to Big Data initiatives and complying with privacy requirements. Transparency is the combination of notice, access, and choice. Together, notice, access, and choice underlie nearly all laws and regulations governing data privacy, and these principles must be understood and incorporated into effective policies governing data collection and use in your organization.

4.4 NOTICE

For over 20 years, notice has been at the core of essentially all global privacy laws, regulations, and principles. In 1998, the FTC presented its Online Privacy report to Congress, which included the Fair Information Practice Principles (FIPPs). This report drew heavily from privacy principles in other jurisdictions, such as the Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) and the European Union Directive on the Protection of Personal Data (1995). As noted by the FTC, "the most fundamental principle is notice."1 Although the content of the notice will vary based on the substantive practices of the organization, the FIPPs note that the following disclosures are critical to providing proper notice to consumers:

• The entity collecting the data.

• The uses to which the data will be put.

• Potential recipients of the data.

• The nature of the data collected and the means by which it is collected if not obvious (e.g., passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information).

• Whether the provision of the requested data is voluntary or required and the consequences of a refusal to provide the requested information.

• The steps taken by the organization to ensure the confidentiality, integrity, and quality of the data.

4.5 CHOICE

As stated by the FTC in the FIPPs, "At its simplest, choice means giving consumers options as to how any personal information collected from them may be used."2 Choice is particularly relevant with respect to secondary uses of information—using information in ways beyond those necessary to complete the contemplated transaction. For example, when ordering products online, the consumer understands his or her mailing address and credit card information are needed by the seller to process and fulfill the purchase. The individual would not, however, necessarily understand or appreciate that this information could be used by the company for future marketing communications or shared with third parties for their own direct marketing purposes. The choice principle states that the consumer is entitled to know when there will be secondary uses of personal information, and the consumer must be provided the right not to permit such uses.

Big Data collection and analytics make it more probable that information collected for one purpose will be used for another. For example, as reported in the New York Times, Target used shopping statistics to predict which women were pregnant and then marketed pregnancy products to them.3 Target analyzed historical shopping data to identify changing trends in purchasing behaviors that could be associated with pregnancy. For example, the data revealed that women bought larger quantities of unscented lotion around the beginning of their second trimester, and during the first 20 weeks, pregnant women loaded up on supplements like calcium, magnesium, and zinc. According to the New York Times article, Target was able to identify about 25 products that could be used to develop a "pregnancy prediction" score, as well as the estimated due date. This enabled Target to send certain coupons directed not only to the fact of the pregnancy but also to the stage of the pregnancy.

According to the New York Times article, about a year after Target developed the pregnancy predictor model, an angry man complained to Target, demanding an explanation for why Target was sending his teenage daughter coupons for baby clothes and cribs. The manager apologized in person and then called the father a few days later to reiterate the apology. The embarrassed father told the manager: “I had a talk with my daughter,” he said. “It turns out there’s been some activities in my house I haven’t been completely aware of. She’s due in August. I owe you an apology.”

Target did not face enforcement action, but did have to contend with the public relations fallout after the New York Times article went viral and ended up modifying its privacy policy. Target's current privacy policy is now much more informative about what information is collected and that it uses the information—including purchase history—for marketing purposes, such as to "deliver coupons, mobile coupons, newsletters, in-store receipt messages, emails, mobile messages, and social media notifications."4 Target also permits its customers to opt out of receiving catalogs, coupons, and other marketing communications, as well as from Target sharing customer information with third parties for their own direct marketing purposes. The lesson learned from the Target example is that companies engaged in Big Data analytics using personal information for purposes other than those related to the original purpose for the collection of such data should be transparent regarding how the information is used and how the consumer can opt out of receiving marketing communications and sharing of personal information with third parties for marketing purposes.

Choice is typically obtained either through an opt-in or an opt-out presentation to the consumer. As discussed more fully in the following material, some laws with an impact on Big Data use are opt-in laws, while some are opt-out laws. Opt-in laws require affirmative action by the consumer to allow the collection and use of the information. Opting out permits the use of the information unless the consumer takes affirmative steps to prevent the collection and use of the information. Thus, for example, the Telephone Consumer Protection Act requires consumers to provide express written (opt-in) consent to receive telemarketing calls and text messages to cell phones before a company can make such calls or send text messages. The GLBA permits financial institutions to share personal information with third parties for marketing purposes unless the consumer opts out of such sharing by, for example, mailing in an opt-out form, opting out through an online form, or opting out by calling a toll-free telephone number. Similarly, the Fair Credit Reporting Act (FCRA) prohibits certain uses and sharing of personal information without proper notice and the opportunity to opt out of such uses and sharing. Under FCRA, consumers must be given the ability to opt out of disclosures to third parties or affiliates for marketing purposes or disclosure of credit report information to affiliates. As discussed in more detail in this chapter, companies engaging in Big Data initiatives need to be aware of laws that require choice and how those choices must be presented to consumers.

After-the-fact notice to the consumer without express consent can be ineffective. Accordingly, to avoid the need to renotify and obtain express consent from consumers, companies should anticipate, to the greatest extent possible, potential Big Data uses and provide proper notice for consumers when the information is first collected. Obtaining consent after the fact often results in large dropout or opt-out rates caused by consumers failing to provide the required consents.

4.6 ACCESS

Access is an individual's ability to (a) access data that a company has about the individual and (b) require the company to correct inaccurate information or delete information not needed or properly held by the company. Access is critical to ensuring personal information remains accurate and complete. To be effective, a consumer's ability to access relevant data must be timely and not overly burdensome with respect to cost or effort required to access the data. Similarly, the methods for reporting and challenging inaccurate information should be relatively quick and easy for the consumer to accomplish. Organizations should implement practices and procedures for updating, correcting, and deleting personal information as required by the consumer or applicable law.

The three principles—notice, choice, and access—are at the heart of a successful privacy compliance program for Big Data initiatives.

The following sections describe selected laws and legal requirements that often implicate privacy compliance for Big Data projects.

4.7 FAIR CREDIT REPORTING ACT

Companies can be subject to compliance with FCRA arising from the manner in which they collect, use, and share Big Data. FCRA regulates the sharing and use of personal information used for credit, insurance, employment, and certain other specified purposes. FCRA allows consumers to access their credit reports. This provides transparency to consumers so they can see what information the consumer reporting agencies have about them. In addition, if there are errors or inaccuracies in the information, the consumer can dispute the information and, if appropriate, require the consumer reporting agency to correct the information. It is commonly understood that the three largest reporting agencies (Experian, Equifax, and TransUnion) are consumer reporting agencies under FCRA. However, the reach of the act is not limited to the big three reporting agencies, and many more businesses than may realize it are subject to FCRA because of the way they use certain personal information.

Whether a company is a consumer reporting agency does not depend on how the company characterizes or markets itself, but rather the nature of the information it provides to third parties and the use of the information by third parties. A company is a consumer reporting agency if it provides "consumer reports" to third parties. Because of the increased regulatory obligations under FCRA and the increased risks resulting from noncompliance, many companies take steps to avoid that status. If a company is a consumer reporting agency, it is required to comply with the requirements of FCRA, such as the following:

• Provide consumer reports only to companies that agree to use them for a purpose that is permissible under FCRA (see discussion of permissible purposes further in the chapter).

• Obtain certification from users of consumer reports that the information will be used for permissible purposes under FCRA and only those purposes.

• Implement procedures to ensure the accuracy of information contained in consumer reports.

• Provide consumers with access to consumer reports, including sources of information and recipients of consumer reports on the consumer.

• Provide consumers with a Summary of Consumer Rights when making required privacy-related disclosures to the consumer.

• Take reasonable steps to verify the identity of third parties seeking
