Privacy Requirements Engineering in an Ever-Changing World… · rules/objective for a simple...

Privacy Requirements Engineering in an Ever-Changing World


Page 1

Privacy Requirements Engineering in an Ever-Changing World

Page 2

Fluxx®

Page 3

Fluxx® Basics

Four kinds of cards: Action, Goal, Keeper/Creeper, Rule

To win, collect K/C cards and meet the requirements of the current Goal

Basic Rules: draw 1 card, play 1 card

Any player can change the Goal

Any player can change the Rules

Some Actions change the Rules

Non-players can join the game at any time by picking up three cards from the top of the deck

Page 4

Actions

Page 5

Keepers/Creepers

Page 6

Goals

Page 7

Rules

Page 8

Fluxx® as a Metaphor

System objectives evolve – new Goals

System requirements evolve – new Rules

Some system attributes hinder achievement of some objectives – and system objectives sometimes compete

Actions of players (and orders of actions) are not predictable

Non-players routinely take actions that affect the system

Non-players can also change the rules

Page 9

Traditional System Design

Page 10

Game Table for Systems Fluxx®

Page 11

What the Players Can Do

Change the goals
  CRM database used for risk management
  Customer data used for analytics, business intelligence

Take actions
  Data enhancement, consolidation, outsourcing
  Have breaches

Change the rules
  New security standards
  New client or regulatory expectations

Page 12

Basic Rule: Security Programs

Have “reasonable security”

Reasonable security requires you to assess risks, have a written program to manage the risks with administrative, technical and physical controls, and train on the program

Scope of program can vary depending on the risks, the size of the company, etc.

Page 13

The New Rule Requires

Specific policies (e.g., terminated workers, discipline)

At least annual audits

Secure user authentication protocols and access control measures, including “need to access” rules, unique IDs and secure passwords

Encryption of data in transit, on laptops and devices

System monitoring for unauthorized access or use

Up-to-date firewalls and OS patches for all systems connected to the Internet, up-to-date system security agent software with malware protection on all systems

Train employees on the proper use of the computer security system and the importance of personal information security

Page 14

New Rule: Securing PHI

The only valid encryption processes for data in motion are those which comply, as appropriate, with NIST SP 800-52 Guidelines for Selection and Use of Transport Layer Security, 800-77, Guide to IPsec VPNs, 800-113 Guide to SSL VPNs, or FIPS 140-2

Electronic media must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization.

Page 15

New Rule: Post It!

Page 16

Basic Rule: Security Breaches

Notify individuals promptly if they are at risk of harm because their sensitive personal information has been exposed to unauthorized third parties

Page 17

Understand the Basic Rule

A “breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the business

Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure

Page 18

New Rules: Redefine “Breach”


Page 19

New Definition of “Breach”

The FTC’s rule defines “breach of security” as the acquisition of identifiable information “without the authorization of the individual”

Unauthorized acquisition is presumed from unauthorized access, unless you have “reliable evidence” showing otherwise

“…no breach has occurred if an unauthorized employee inadvertently accesses a PHR and logs off without reading, using or disclosing anything. If the unauthorized employee read the data… he ‘acquired’ the information, thus triggering the notification obligation…”
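The two breach tests on pages 17 and 19 (good-faith access for business purposes is not a breach unless the information is used or further disclosed; unauthorized access is presumed to be acquisition unless reliable evidence shows nothing was read) translate directly into a triage rule a security operations team can run over application access-audit logs. The Python below is an added example, not material from the slides or from the FTC rule: the audit-line format, the field names (`user`, `record`, `authz`, `bytes`, `export`), the verdict labels and the sample events are all constructed assumptions for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample audit lines (an assumption of this example, not a real
# application's format). 'authz' records whether the user's role permitted
# access to that record; 'bytes' is the payload size the application actually
# served, which is the "reliable evidence" the presumption can be rebutted with;
# 'export' records an onward download, print or e-mail of the record.
SAMPLE_LOG = """\
2013-05-01T09:12:03Z user=nurse01 record=PHR-1042 authz=yes bytes=2310 export=no
2013-05-01T09:15:40Z user=clerk07 record=PHR-1042 authz=no bytes=0 export=no
2013-05-01T09:16:02Z user=clerk07 record=PHR-2210 authz=no bytes=4096 export=no
2013-05-01T10:01:17Z user=temp22 record=PHR-3001 authz=no export=no
2013-05-01T10:30:55Z user=nurse01 record=PHR-1042 authz=yes bytes=2310 export=yes
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")

# Verdict labels used by this example.
NO_BREACH_AUTHORIZED = "no breach: good-faith access for business purposes"
FURTHER_DISCLOSURE = "review: authorized access followed by onward disclosure"
NO_BREACH_REBUTTED = "no breach: unauthorized access, reliable evidence nothing was read"
PRESUMED_ACQUISITION = "notify: unauthorized access presumed to be acquisition"


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    record: str
    authorized: bool
    bytes_returned: Optional[int]  # None when the log carries no evidence either way
    exported: bool


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed 'ts key=value ...' audit line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split())
    return AccessEvent(
        ts=m.group("ts"),
        user=kv["user"],
        record=kv["record"],
        authorized=kv.get("authz") == "yes",
        bytes_returned=int(kv["bytes"]) if "bytes" in kv else None,
        exported=kv.get("export") == "yes",
    )


def classify(ev: AccessEvent) -> str:
    """Apply the two-part test from the slides to a single access event."""
    if ev.authorized:
        # Page 17: good-faith access for the business is not a breach, provided
        # the information is not used or subject to further disclosure.
        return FURTHER_DISCLOSURE if ev.exported else NO_BREACH_AUTHORIZED
    # Page 19: unauthorized access is presumed to be acquisition. Only a log
    # that positively shows nothing was served (and nothing exported) rebuts it;
    # a missing byte count is not reliable evidence, so the presumption stands.
    if ev.bytes_returned == 0 and not ev.exported:
        return NO_BREACH_REBUTTED
    return PRESUMED_ACQUISITION


def triage(log_text: str) -> Tuple[List[Tuple[AccessEvent, str]], List[str], List[str]]:
    """Classify every line; return the per-event verdicts plus the records that
    need breach-notification review and those that need onward-disclosure review."""
    verdicts = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            verdicts.append((ev, classify(ev)))
    notify = sorted({ev.record for ev, v in verdicts if v == PRESUMED_ACQUISITION})
    review = sorted({ev.record for ev, v in verdicts if v == FURTHER_DISCLOSURE})
    return verdicts, notify, review


if __name__ == "__main__":
    verdicts, notify, review = triage(SAMPLE_LOG)
    for ev, verdict in verdicts:
        print(f"{ev.ts} {ev.user:8} {ev.record:9} -> {verdict}")
    print("records for breach-notification review:", notify)
    print("records for onward-disclosure review:", review)
```

Running it prints one verdict per event. The design point is the `bytes` field: an unauthorized session that the application recorded as serving zero bytes is the only case in which the presumption is rebutted, while a line with no `bytes` field at all carries no reliable evidence, so the presumption stands and the record lands on the notification-review list. Whether an access log can record that evidence is therefore a requirement the monitoring control on page 13 has to meet.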

Page 20

These New Rules Require

Protect paper as if it were electronic media

Guard against internal disclosures with the same rigor as external disclosures

Protect non-sensitive data with the same controls as sensitive data

Page 21

New Rule: Speed it Up!

Page 22

Proposed New Rule: Apply Expanded Breach Requirements to Everyone in Europe!


Update card

Page 23

Basic Rule: Children’s Data

Commercial website operators that collect PI from children under 13 must obtain verifiable parental consent

Applies to websites that target kids and general interest sites if the operator knows that kids are providing PI

Page 24

The New Rule

Expands the definition of "personal information" to include persistent identifiers, device IDs, geolocation data, images

Expands the definition of "website or online service directed to children" to clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service

Requires websites that appeal to children and adults to age screen all users

Page 25

Basic Rule: EU Data Processors

Only controllers make decisions about data processing, but…

Contractual authority of processor to subcontract could historically be reasonably inferred from the circumstances in connection with the performance of the services


Page 26

The New Rule Limits Processor and Controller Discretion

Every instance of subcontracting by a data processor must be approved in writing by the EU-based data controller

New model contract terms do not differentiate between affiliates and 3rd party processors

Controllers’ liability for failure to supervise sub-processing activities is increased

Page 27

Fluxx® Expansion Decks


Page 28

Security Expansion

Monster Mandate Pack

Additional required controls – as a matter of law and contract

Rules vary with geography

Time to comply may be short

Standards for vendor due diligence and management – customer security certification requirements

Expanded definition of “breach”

Expanded liability for breaches

Page 29

Consumer Protection Expansion

Redefining Harm Pack

Minimum necessary rules

Additional privacy and security notice rules

Specific collection/use/disclosure rules – e.g., for secondary uses

Additional limits on collection, use, disclosure of marketing data, pre-employment screening data, etc.

Page 30

Data Protection Expansion

Geographic Considerations Pack

Consolidation efforts must account for all possible local requirements and build to the “most restrictive”

Additional limits on data transfers

Regulatory focus on data security

Regulatory focus on data retention

Conflicts of laws become more pronounced

Customer uncertainty about subjecting data to foreign legal requirements

Page 31

It’s Not Just Europe


RED = country with a comprehensive data protection law

ORANGE = country with a partial data protection law

YELLOW = country with a draft data protection law

BLUE = country with broad sectoral privacy regulations

Brazil is currently blue, but considering a comprehensive data protection law

Page 32

Final Thoughts


Page 33

More Productive Final Thoughts

“Compliance by Design” has always been complicated – users can barely articulate basic rules/objectives for a simple system on a good day, and the rules keep changing

For data-centric products:
  The rules are going to continue to change, often drastically and in real time
  Non-players are going to continue to impact the requirements
  Must respond strategically – piecemeal is too hard

But that’s why the game is so much fun!