The$New$Ethics$of$Privacy

TRUST IN FINANCIAL SERVICES

Source: 2015 Edelman Trust Barometer, available at http://www.edelman.com/insights/intellectual-property/2015-edelman-trust-barometer/trust-across-industries/financial-services-path-to-building-trust/

TRUST MATTERS FOR INNOVATION

• NEW Barometer metric in 2015: trust in innovation– 51% percent say the pace of innovation is too fast

– 66% say business growth, and 54% say greed/money, are the real impetuses behind innovation

Source: 2015 Edelman Trust Barometer, available at http://www.edelman.com/insights/intellectual-property/2015-edelman-trust-barometer/trust-across-industries/financial-services-path-to-building-trust/

EXECUTIVE SUMMARY FINDINGS

“In a world of dispersed authority, a new compact of trust must be forged between the individual

and the corporation.”

“The trust-building opportunity for business, therefore, lies squarely in the areas of

integrity and engagement.”

ENTER: ETHICS

• Ethics (or moral philosophy): a field of philosophy that involves systematizing, defending, and recommending concepts of right and wrong behavior.

• Balancing trust & insight

CASE STUDY

CASE STUDY

DATA-DRIVEN RESEARCH

• Different types of data-driven research, different risks– Data experimentation– Interventional testing– The line between Research and R&D

• Big Data’s “Creepy” and ethical lines– Technology outpacing social norms– Out-of-context data and inferences– May involve sensitive data or vulnerable populations

ETHICAL RISKS & ISSUES

• Transparency of data collection & use• Accuracy & reliability of data collected• Accurately representing quality of data• Accurately representing analytical limitations• Decision making based on big data

ETHICAL RISKS & ISSUES

• Perpetuating existing discriminatory practices and inequality (or even creating new ones)

• Exclusion of marginal populations from data• Compromising personal identity• Potential for economic, physical, emotional, or

psychological harm

WHAT QUESTIONS SHOULD WE BE ASKING?

• Is it right to do something that may cause someone to behave in a way that is in our interest, but may not be in their interest?

• Does it violate fundamental principles of equality and fairness to look at the behavior of a group when deciding the fate of an individual?

• What predictions and inferences will we allow, and what should we not allow?

• Is there really an ethical dilemma with data, or is the dilemma related to other business, social, or policy issues?

• Is it unethical to not use data that is available? • Is there an ethical obligation to not forget and exclude data subjects?• Who is responsible for making these ethical decisions?

Building$an$Ethics$Program

CONSIDERATIONS

• Data ethics is a multi-stakeholder issue, notjust a CPO issue

• Organizational ethics requires a culture of transparency and accountability

• Balancing business interests with client interests

TRADITIONAL PRIVACY SOLUTIONS MIGHT NOT WORK

• FIPPs applications strained– Notice and choice difficulties– Purpose specification and data minimization (needles, big data

haystack)

• Benefit-Risk Analysis, identifying individual and societal benefits and risks of data uses

• Risk of suppressing or locking up scientific research• Who decides when benefits outweigh risks?

LESSONS FROM IRB REVIEW• “Take a page from biomedical and behavioral sciences”

– IRBs, the Common Rule, and human subject testing

• Guiding principles from the Belmont and Menlo Reports– Respect for persons– Beneficence– Justice– Respect for law and the public interest

• Membership reflects experience, diversity, expertise• Proportional review based on informational risk: excused research,

expedited review, full review (Sept. 2015 NPRM: Federal Policy for the Protection of Human Subjects)

ETHICAL REVIEW BOARDS• Emerging alternative structures:

– Consumer subject review boards/privacy review boards– Private IRBs– Participant-led research, data cooperatives

• Internal versus external review structures• Ensuring independence, trust, documentation and

accountability• Scope, agility, and moving at the speed and scale of

business

WHAT MIGHT BE COVERED

• Not all data-driven research creates the same level of risk, but consider:– Sensitive data– Vulnerable populations– Data experimentation– Out-of-context uses of data– Disparate impact and algorithmic decision-making

COMPLIANCE BEST PRACTICES

• Compliance is about managing risk– Identify risks– Develop procedures to manage risk– Monitor compliance– Respond to non-compliance– Evaluate the procedures and results and

continuously improve

COMPLIANCE BEST PRACTICES

• Perform a risk assessment for potential ethics situations• Create awareness of ethics situations with an ethics

oversight team• Document an escalation procedure for possible ethics

situations (ethics hotline)• Document investigation and sanctions/reward policy

Ethical$Obligations$of$Privacy$Professionals

WHAT OBLIGATIONS?

• Typically, you have duties to your employer – but where does that leave clients?

• What should you do when you see a potential ethical or code of conduct violation?

• Do you have an ethical obligation to:– Notify senior management?– Report the company to authorities?– Report your findings to the media?– Quit your job?

ATTORNEY OBLIGATIONS UNDER ABA RULES

• Competence• Diligence• Confidentiality of information• Safekeeping property• Truthfulness

WHO IS THE ATTORNEY’S CLIENT?

• Attorneys could represent the interests of the: – Corporation– Individual officers or directors– Employeees– Clients– Shareholders

• What if their interests conflict?

CORPORATIONS AND LEGAL ETHICS

ABA$Rule$1.13$“If$a$lawyer$for$an$organization$knows$that$an$officer,$employee$or$other$person$associated$with$the$organization$is$engaged$in$action,$intends$to$act$or$refuses$to$act$in$a$matter$related$to$the$representation$that$is$a$violation$of$a$legal$obligation to$the$organization,$or$a$violation$of$law$that$reasonably$might$be$imputed$to$the$organization,$and that$is$likely$to$result$in$substantial$injury$to$the$organization,$then$the$lawyer$shall$proceed$as$is$reasonably$necessary$in$the$best$interest$of$the$organization.”

LAWYER CONFIDENTIALITY EXCEPTIONS

“A$lawyer$may$reveal$information:

(1)$to$prevent$reasonably$certain$death$or$substantial$bodily$harmL

(2)$to$prevent$the$client$from$committing$a$crime$or$fraud that$is$reasonably$

certain$to$result$in$substantial$injury to$the$financial$interests$or$property$of$another$and$in$furtherance$of$which$the$client$has$used$or$is$using$the$lawyer's$servicesL

(3)$to$prevent,$mitigate$or$rectify$substantial$injury$to$the$financial$interests$or$property$of$another$that$is$reasonably$certain$to$result$or$has$resulted$

from$the$client's$commission$of$a$crime$or$fraud$in$furtherance$of$which$the$client$has$used$the$lawyer's$servicesL”

SOX “UP THE LADDER” REPORTING

• SEC Rule requires an attorney to report evidence of material violations of securities laws, breaches of fiduciary duties, or similar violations– Up the ladder within the company to the CLO or CEO– If they do not respond appropriately, report the evidence to

the audit committee, another committee of independent directors, or the full board of directors

SOX – SECURITIES FILINGS

• SEC Rule requires public companies to disclose in their annual report whether they have adopted a code of ethics for their principal executive officer and senior financial officers, and if not, why not

SOX – SECURITIES FILINGS

CORPORATE OFFICER & DIRECTOR FIDUCIARY DUTIES

• Officers and Directors are fiduciaries of the corporation and shareholders

• Duties:– Care (informed decisions)– Loyalty– Good faith Who else may have them?

CPA ETHICAL OBLIGATIONS

• Duties:– Professional competence– Integrity– Independence– Due care– Confidentiality

• AICPA also uses an up-the-ladder approach

OTHER LICENSED PROFESSIONS

• Doctors: “A physician shall, while caring for a patient, regard responsibility to the patient as paramount”

• Realtors: “Protect and promote the interests of the clients.”• Bankers: “The board should make certain that compliance

with all laws and regulations receives a high priority and that violations are not knowingly committed by bank employees.”

• Auctioneers: “[Auctioneers] pledge to lawfully and ethically protect and promote the interests of the seller.”

Questions?

ARTICLES & OTHER RESOURCES

• Neil Richards and Jonathan King, Big Data Ethics, 49 Wake Forest L. Rev. 393 (Summer 2014)

• Ryan Calo, Consumer Subject Review Boards, 66 Stan. L. Rev. Online 97 (2013).• Jules Polonetsky, Omer Tene & Joseph Jerome, Beyond the Common Rule: Ethical

Strucures for Data Research in Non-Academic Settings, 13 Colo. Tech. L.J. 333 (2015)

• D. Dittrich and E. Kenneally, Tech. rep., U.S. Department of Homeland Security, The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research (2012).

• Department of Health, Education, and Welfare, The Belmont report: Ethical principles and guidelines for the protection of human subjects of research (1979).

• Statistical ethical guidelines (http://www.amstat.org/about/ethicalguidelines.cfm)

THANK YOU!

• Kelsey Finch, CIPP/US, Policy Counsel, Future of Privacy Forum,KFinch@fpf.org

• Helen Odom, CIPP/US, Counsel, Intellectual Property, TD Ameritrade, Helen.Odom@tdameritrade.com

• Gerry Stegmaier, CIPP/US, Privacy and Data Security, Partner, Goodwin Procter LLP, GStegmaier@goodwinprocter.com