"There's no question that data security continues to be a very significant concern," says Lisa Sotto, managing partner at law firm Hunton & Williams LLP's Privacy & Information Practice. "Where CEOs might not have focused on that as an issue several years ago, I would venture to guess that just about every CEO of a major company today is quite concerned about data security."
Specifically, organizations should be taking hard looks at their practices regarding social media, portable media and security training for employees. There has been progress in each of these areas, Sotto says, "But the consensus is that we're still learning how to do data security right."
In an exclusive interview on the year's security/privacy agenda, Sotto discusses:
- Top security and privacy issues of 2011;
- Where organizations are most vulnerable;
- Pending regulatory and legislative issues to watch.
Sotto is the Managing Partner of the New York office, and her practice focuses on privacy, data security and information management issues. She was rated "No. 1 privacy expert" in 2007 and 2008 by Computerworld magazine. She also earned a number one U.S. national ranking for Privacy & Data Security from Chambers and Partners. In addition, Hunton & Williams LLP's Privacy & Information Practice received a number one U.S. national ranking from Chambers in Privacy and Data Security.
Sotto assists clients in identifying, evaluating and managing risks associated with privacy and information security practices of companies and third parties. She conducts all phases of privacy assessments and information security policy audits. Ms. Sotto advises clients on GLB, HIPAA, COPPA, CAN-SPAM, FCRA/FACTA, Privacy Act, security breach notification laws, and other U.S. state and federal privacy requirements (including HR rules); Canada's PIPEDA; and global data protection laws (including those in the EU and Latin America). She drafts and negotiates contractual agreements concerning data uses, security and confidentiality. She also develops corporate records management programs, including policies, procedures, records retention schedules, and training modules.
TOM FIELD: To get us started why don't you tell us a little bit about yourself and your work, please?
LISA SOTTO: Sure. I head up the global privacy and data security practice at Hunton & Williams and our practice is really comprised of three parts. We do work on pure play privacy issues, which essentially means any issue that involves the appropriate use of personal information.
We also have a very significant data security practice, which involves both the proactive and reactive side to data security, dealing with data breaches and data leaks; and then also helping companies to ensure that they have the strongest possible policies and procedures in place with respect to data security.
We also handle the regulatory side of records management, so that we help companies manage their records in a way to be most protective of privacy and data security issues.
Top Privacy Issues of 2010
FIELD: Lisa, from your perspective, looking back on this year past, what would you say were the biggest security and privacy issues that we dealt with?
SOTTO: Well, I would say it was a banner year for privacy and data security. There is so much happening in this area and so much to look forward to. Probably the biggest ticket items included items like behavioral advertising. This is an issue that is on everyone's radar screen and very much on the radar screen of the Federal Trade Commission, as well as lawmakers in Washington, so we will hear quite a bit about this issue going forward.
Cloud computing is another very important issue in the recent agenda for privacy professionals. It is clear that many, many functions are moving to the cloud. The question is going to be how to deal with the various privacy and data security rules in the many jurisdictions around the world when those rules in some cases conflict with each other, and where data is residing in many different locations at the same time.
The third issue that I would say was really hot in 2010 was data security. That is an issue that we have been talking about for years now. Of course, the WikiLeaks issue is quite prominent, and we are also seeing a lot of focus on health data breaches because of requirements that came into effect in 2009 mandating notification in the event of breaches/compromises of health data.
FIELD: So, Lisa, given all of those issues, and they are big ones, what lessons would you say that we did or did not learn in the course of 2010?
SOTTO: I think the biggest lesson we learned is that we are still learning in the data privacy and data security fields. We certainly don't know enough right now. There are so many opportunities that technology brings. There is really enormous innovation going on, but along with all of that are privacy and data security pitfalls; they clearly accompany all of the good things that are happening, so we need to keep learning, keep understanding what privacy and security issues come along with our new innovative technologies.
There is no question that data security continues to be a very, very significant concern. I think where CEOs may not have focused on that as an issue several years ago, I would venture to guess that just about every CEO of a major company today is quite concerned about data security. Many companies have buttoned things up. So, for example, we are seeing more laptops encrypted and strong policies and procedures in place and more training for employees, but I think the consensus really is that we are still learning how to do data security right.
Top Challenges of 2011
FIELD: Lisa, certainly you have got a better perspective on this than I do, but from what I see the WikiLeaks incidents really woke up a lot of people to security and privacy issues at the end of 2010. I use that as a preface to ask you: What do you see as being the major security and privacy issues we are going to deal with here in 2011?
SOTTO: Well, you really hit the nail on the head, I think. There is no question that preventing data leaks is a priority for companies of course. Companies are paying close attention to the WikiLeaks debacle and focusing on that, so I think we are going to see more resources going towards the information security group in most companies, and I think that is an appropriate focus.
I also think we are going to see a continuing focus on online behavioral advertising. There was proposed legislation in 2010, and we understand that Kerry is proposing legislation shortly, maybe in January of 2011, so we will certainly see legislative proposals with respect to online privacy.
In addition, we will see in 2011 very significant engagement by both the Federal Trade Commission and the Department of Commerce. Now the FTC has been very active in this arena for at least a decade, a little more than a decade, so we are used to having them play in this arena, but they are much, much more proactive this year and last year than they have been in the past, so we will see a lot of activity on that front, including a final paper that they will issue, a response that will be a development of many of the discussions they have had through roundtables that they have held over the past year.
In addition, and I think a new player here, is the Department of Commerce. We will be watching as Commerce gets very heavily into the act and starts to take a lead on the global stage in the privacy arena. The Department of Commerce has issued a draft, what they call a green paper, on privacy and we will see a final paper issued in 2011 so watch for much deeper FTC and Commerce engagement.
Top Vulnerabilities
FIELD: In terms of information security and data leakage, where do you see that organizations are most vulnerable today?
SOTTO: Well, I think that many companies have started to or are really in the throes of thinking strategically about privacy, but there are still many companies that are not doing so and are thinking more about putting out fires than taking a step back, taking that 50,000-foot view and thinking at a strategic level.
I think that privacy by design, which is a concept that we have been talking about in the privacy world for a number of years, but it is really come to the fore in the United States in large part as a result of the FTC's paper, where they really put that concept on a pedestal. I think that is going to be a very important concept going forward, so instead of just dealing with the emergencies, we are going to see privacy embedded in the development of new products, new services and new technologies.
I think reputational risk is an enormous vulnerability for companies. This is an area that really has very little law compared with other areas, but what is extremely significant is the reputational risk of companies when there is a privacy or data security event.
And I also think there is vulnerability for companies on the human side. You know when we talk about data leaks and data security, we talk about having policies and procedures, having automated processes in place to back up those policies and procedures, but there is always the human element, and in the chain the human link is often the weakest. So it is very important to push resources toward training and management of employees.
Regulatory Challenges
FIELD: When I think back on the past couple of years, there have been regulatory issues that have really come to the fore. I am thinking of the Identity Theft Red Flags Rule; this past year there was, for healthcare, the breach notification rule. This year what do you see as the major regulatory issues that organizations are really going to have to pay attention to?
SOTTO: I think the biggest issue is going to involve internet privacy. That is high on everybody's agenda, and there is no question that we are going to see some proposed legislation that will hit hard on that issue. And we also need to pay attention to the fact that the FTC's paper focused on this issue, though not exclusively, and that I think gives us the sense of the FTC's enforcement agenda.
I also think we are going to see a lot of interest by companies in social media. Social media has taken off in a way that could not have been anticipated several years ago, so managing how companies use social media for customers with respect to their employees, I think that is going to be a big area to watch this year.
FIELD: How far are we away from seeing a federal privacy legislation or breach notification law?
SOTTO: Well, I think breach notification is easier. We now have 46 states with breach notification laws. It is not too hard to conceive of a federal law along these lines, and of course we have seen many, many federal proposals for federal breach notification laws. There seems to be a bit of a hurdle getting that sort of a law over the edge but there is a fair amount of consensus over what that sort of a law should look like.
With respect to an omnibus privacy law for this country, I think we are a few years away, we are a few Congresses away from that, but we have made very significant strides. Certainly there is a growing consensus of what ought to be covered in these laws, if not consensus over how these issues ought to be addressed. So there will be continuing discussion, a huge amount of discussion around federal legislation in the privacy arena, and then I would venture to guess that sometime in the next three or four years we will have an overarching privacy law in this country.
Advice for Protection
FIELD: Lisa, just to sum it up, please, what steps could organizations and individuals be taking right now to better protect themselves?
SOTTO: Well, I think of course it is very important to consider legal risk, understand where the law is on various issues, but almost more importantly in this area is to think very hard about reputational risk. Where is it that a vulnerability, whether in privacy or data security, could really damage the reputation of a company? That is where there ought to be focus and ought to be resources given toward shoring up these vulnerabilities.
One very important part of that is knowing your data, and we do see a number of companies that really don't understand their data. Information is one of the greatest assets now of companies, and it is very important to know what data you have, where it is stored, how it is used, how it is protected, with whom it is shared, and then of course how it is disposed of at the end of the day when it is no longer needed. So all of that, understanding the information lifecycle, is absolutely critical; without understanding the lifecycle it is impossible to understand where the vulnerabilities are.
It is also very important I think to pay attention to providing individuals with appropriate privacy rights, and I say the word appropriate very meaningfully because it is appropriate in certain circumstances to provide certain rights and not necessarily appropriate in others. Giving a consideration to the issues of human dignity in data uses is very important, and certainly we have heard the dignity phrase used recently by a number of regulators in various countries so I think it is important to take that into consideration in considering how you deal with uses of data within companies.