Peer to Peer Magazine

Fall 2014: Security Is Everyone's Business

The quarterly publication of the International Legal Technology Association

Issue link: http://read.uberflip.com/i/411912


their data, as well as key rights, such as the right of access, rectification and erasure of their data, the right to lodge a complaint and to go to court, and the right to compensation if unlawful processing occurs. (You read that right: compensation!) Such rights should be exercised free of charge (Article 9a, Articles 11 through 17).

Directive 95/46/EC defines personal data as any information concerning a person's private, professional or public life. Personal data could be a name, a photo, an email address, bank details, posts on social networks, medical information or a computer's IP address. Under the proposed reform of Directive 95/46/EC, non-compliance or disclosure of an EU citizen's personal data would lead to one of three penalties:

• A written warning, in the event of less serious breaches
• Periodic data protection audits
• For companies, a fine of up to €100 million or five percent of annual worldwide turnover, whichever is greater (the European Commission's original proposal was up to €1 million or two percent of annual worldwide turnover)

For the estimated 250 million people using the Internet daily in Europe, this is a step in the right direction, and it will likely help them all sleep a little better.

DATA PROTECTION IN AUSTRALIA

Australia has taken steps to ensure better safeguarding of its citizens' personal data through amendments to the Privacy Act, which introduce 13 privacy principles regulating the handling of personal information by Australian government agencies and many private sector organizations. These principles, known as the Australian Privacy Principles (APPs), replace the former Information Privacy Principles and the National Privacy Principles, which applied to government agencies and the private sector, respectively.

The APPs will have a huge impact on the collection and handling of personal information for individuals and organizations, as they also include extended provisions for investigation and enforcement to ensure compliance, as well as civil penalties for breaches of privacy. These penalties scale with the type of data disclosed, with health and personal credit information attracting larger penalties. The APPs assign values to these penalties, whereby a smaller organization might see fines of greater than $300,000, and a larger organization can be fined up to $1.7 million.

An interesting APP feature calls for organizations to enhance their privacy policies, specifically around the management of personal information. Policies must address multiple classifications of data, and organizations are expected to implement the policies and technical systems that will help them comply with the APPs. An especially noteworthy APP feature is that organizations must take reasonable steps to protect personal information from "interference," which can comprise malicious attacks or nefarious behavior on employees' computer systems, in addition to maintaining the standard protections against unauthorized access, misuse or disclosure of information. The one area in which the principles might have come up short is their lack of a requirement to disclose data loss.

HOPE FOR IMPROVED PERSONAL DATA SECURITY

As our mobile devices hemorrhage data with every application installed and websites collect vast quantities of data for targeted marketing and analytics, it is not shocking that a recent Microsoft survey found that close to 50 percent of respondents would sacrifice privacy for mobile access to services they use frequently. We are stuck in a quagmire between collaboration and exposure, where the proliferation of social networking and data analytics in every aspect of life is increasing the risk of personal data disclosure.

Yet the same individuals who worry about their identities being stolen or their accounts being accessed when a company is compromised are content to sacrifice privacy for a better browsing experience or easier access to documents via an online hosted service. How do we get to a place where a person's privacy is considered throughout every electronic transaction, click or data transfer? The EU and Australia have developed some ideas about how to solve that problem, and it is looking as if the solution involves protecting people from unintentional recklessness with their personal data.

In the enterprise, transferring data securely presents challenges, with so many public cloud services and mobile devices in use and removable media being passed around the globe. The application of more stringent privacy principles is fostering conversations that will bring about action. Whether organizations or the individuals they employ will take these changes seriously remains to be seen, but the growing monetary fines will certainly increase awareness of personal data security. Companies exist that enable organizations to navigate data protection regulations across any state or country, and they streamline the incident management process. There is hope that the software industry is developing tools to assist everyone in minimizing security incidents and managing breaches more effectively.

About the Author

Jamie Herman, C|CISO, CISM, CISSP, is the Manager of Information Security at Ropes & Gray. He is also a member of the firm's Information Steering Committee. He has more than 15 years of experience in information security, risk management and information technology. Jamie sits on ILTA's LegalSEC steering committee and has presented and written for ARMA, ILTA and CISO events and publications. Contact him at jamie.herman@ropesgray.com.
