
Technology Law Forum Seminar on Certain US and EU Data Protection and Privacy Laws

Poorvi Chothani, Esq.


Correspondent to Cyrus D. Mehta & Associates, PLLC, New York (US Immigration & Nationality Law)

E-mail: poorvi@lawquestinternational.com; Tel: 022 6654 1671

Need for Protection

Technological readiness of the Indian BPO industry is very high
Regulatory framework is inadequate
BPOs deal with sensitive and/or private data that needs protection
The Internet is an instrument in the flattening of the world: a level playing field for knowledge and access to ideas (ref. Thomas Friedman, The World is Flat)

Monday, April 15, 2013

Need for Protection


Legal lag following technology
Outsourcing industry: a great economic advantage to India
Other, competing outsourcing destinations are gaining importance

The US and the EU do not have Comprehensive Privacy or Data Protection Laws

Intellectual property; corporate secrets; confidential customer data
Personally Identifiable Information: name, addresses, national identifying numbers, telephone numbers, birth date, driver's license information, credit history, court and traffic violation records
Health information
Financial information
Trade secrets

Sensitive Personal Information

The racial or ethnic origin of the data subject; his political opinions; his religious beliefs or other beliefs of a similar nature; whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992); his physical or mental health or condition; his sexual life; the commission or alleged commission by him of any offence; or any proceedings for any offence (definition taken from the UK Data Protection Act 1998, s. 2)

Privacy Development

Multilateral discussions and initiatives:
Organization for Economic Cooperation and Development (OECD)
Developed the 1980 Privacy Guidelines
Working Party on Information Security and Privacy; privacy is also an issue within other OECD working parties: telecommunications, consumer protection, small businesses, etc.
India is not a member of the OECD (it engages with it as a non-member partner)
In the US, the Supreme Court interpreted the Constitution and found a right to privacy

Introduction: US v EU

The United States and the European Union share the goal of enhancing privacy protection for their citizens
Different approach to privacy: the United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union relies on comprehensive legislation that, for example, requires the creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin.
Effect: has hampered US companies' ability to engage in many trans-Atlantic transactions.

US and EU Different Approaches

The United States system is based on: self-regulation; sector-specific legislation; enforcement (FTC); outreach and awareness
The European Union's system is based on common legislation covering all industry sectors and almost all personal data; EU authorities could legally stop data flows at any time

Council of Europe Convention

Established a committee of experts on data protection that reported its findings in early 1979
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) opened for signature in 1981; came into force in 1985 after five States had ratified it
Sets forth the individual data subject's right to privacy
Enumerates a series of basic principles for data protection
Provides for transborder data flows
Eventually led to the European Union Directive 95/46/EC

The EC Data Protection Directive 95/46/EC (EU Directive)

Data processing systems are designed to serve human beings
Respects fundamental rights and freedoms, including the right to privacy
Lays down conditions which must be fulfilled for legally processing personal data
The European Parliament confirmed the existence of a network of supercomputers operated by the United States National Security Agency, an agency responsible for intercepting communications across the world, for the benefit of American business and government.

EU Data Protection Directive (The EU Directive)

Each EC Member State has to enact laws in keeping with the EU Directive; for example, the EU Directive is implemented in the United Kingdom by the Data Protection Act 1998
An approved set of standard contractual clauses may be used
The EU Directive applies to the processing of personal data

Data Protection Principles

General prohibition on the collection and processing of personal data, subject to limited exceptions; the burden of proof is on the data controller
Restricts the transfer of personal data outside the EU countries unless the other country ensures an adequate level of protection
The data controller or data aggregator is liable for ensuring that these principles are adhered to

Principles of Data Protection - UK

The Data Protection Act 1998 requires that data controllers process personal data in accordance with eight principles. These require that personal data is:
1. Fairly and lawfully processed;
2. Processed for limited purposes;
3. Adequate, relevant and not excessive;
4. Accurate;
5. Not kept longer than necessary;
6. Processed in accordance with individuals' rights;
7. Kept secure;
8. Not transferred to countries outside the European Economic Area without adequate protection.

The EU Directive

Applies to personal data, which includes customer, employee and coded data
Corresponding obligations of data controllers (need to give notice, choice, access, rectification, etc.)
Protection obligations (notification to government agencies)
Covers all sectors of industry and commerce

Transfer of Data Under the EU Directive

Transfer to countries with adequate protection, without additional adequacy requirements: Switzerland, Canada, Argentina and the Crown dependencies of Guernsey and the Isle of Man are all recognized by the EU as offering adequate data protection.

Options to address the transfer restrictions under the EU Directive:
Adopt standard contractual clauses
Obtain unambiguous consent to the transfer from the affected individuals
Negotiated protections (acceptable in the UK)
Codes of conduct
Direct compliance/registration with an EU authority
Some EU countries require that a copy of the executed agreement with the standard clauses be deposited with the regulatory authority; this is not the case in the UK.

US Safe Harbor Framework to Facilitate Business with EU States

The "Safe Harbor" Framework bridges the different privacy approaches
It is a streamlined means for US organizations to comply with the Directive
The US Department of Commerce created the Safe Harbor Framework in consultation with the European Commission
The Safe Harbor, approved by the EU in 2000, is important for US companies to avoid interruptions to dealings with entities in the EU or facing prosecution in the EU
Certifying to the Safe Harbor assures EU organizations that the US company provides "adequate" privacy protection, as defined by the Directive
More than 933 members registered with the Department of Commerce (some registrations are not current)

Safe Harbor

Result of the US and EU's expressed commitment to bridging different approaches to privacy while maintaining data flows and a high level of privacy protection
The FTC Act permitted each side to maintain its position
US companies made voluntary commitments; the EU was satisfied because the FTC Act made those commitments legally binding

Safe Harbor

It recognizes and implements principles of the EU Data Directive. It creates a system of notice, opt-out, opt-in for certain sensitive information, control of subsequent transfers, and data security and integrity systems.

The Safe Harbor framework includes:
7 privacy principles
15 FAQs
The EU's adequacy determination
Letters between the DoC (US Department of Commerce) and the European Commission

Other options

Model (standard) contracts: EU-based exporters or US-based importers of personal data can also satisfy the adequacy requirements by including privacy clauses in the contracts they sign with each other.
The EC has approved two types of clauses: controller-to-controller transfers and controller-to-processor transfers. The latter concerns transfers between data controllers based in the EU and processors outside the EU.

Model Contracts

Enforcement is in Europe
Potentially different interpretation and enforcement approaches in different member states
Potential for member states to add contractual requirements
Joint and several liability
Higher standards than the Safe Harbor

Penalties Under the EU Directive

Each Member State's national laws will determine the penalty
For instance, under the UK Data Protection Act 1998 the regulatory authority, the Information Commissioner, also imposes the penalty:
Fines; and
Documents that infringe privacy to be forfeited, destroyed or erased.

The Safe Harbor Principles

An organization entering the Safe Harbor must adhere to 7 principles: Notice; Choice; Onward transfer; Security; Data integrity; Access; Enforcement

Safe Harbor Pros/Cons

Pros: public attention/positive privacy image; increased compliance flexibility; EU-wide solution; response to customer concerns
Cons: added liability; dispute jurisdiction; unavailable to financial services firms

Enforcement of Safe Harbor Principles

Enforced by US government agencies
One set of rules
Less specific standards: only principles are specified
Eliminates model contract burdens and onerous negotiations

Some US Laws

Gramm-Leach-Bliley Act (GLBA)
Fair Credit Reporting Act
The Sarbanes-Oxley (SOX) Act
Right to Financial Privacy Act
The Health Insurance Portability and Accountability Act (HIPAA)
The Children's Online Privacy Protection Act (COPPA)

Some More US Laws

The Electronic Fund Transfer Act
Right to Financial Privacy Act
Provisions of the Federal Trade Commission Act
The Driver's Privacy Protection Act: restricts the ability of motor vehicle departments to disclose information from motor vehicle operator permits, motor vehicle titles and motor vehicle registrations. Information on accidents, driving violations and driver's status is expressly excluded from the federal disclosure rules. Violations are punishable by a criminal fine or by a civil fine against the Department of Motor Vehicles.

The Privacy Act of 1974

Establishes citizens' rights against the Government: to know what information the Government collects from them, why it is collecting it, and who has accessed the information
Allows citizens to receive a copy of the information
Governs the activities of federal agencies with regard to why they may or may not collect certain pieces of data

Gramm-Leach-Bliley Act (GLBA)

Applies to financial institutions: national banks, banks, financial and operating subsidiaries
Affects how institutions share information
Restricts transmission to third parties
Exception: disclosure to affiliated third parties
Transfer of data: prohibits disclosures for marketing purposes

GLBA

Organizations must:
Deliver privacy policies to each customer
Provide a reasonable opportunity to opt out of certain information sharing arrangements
Develop, implement and maintain a comprehensive information security program
The program must include administrative, technical and physical safeguards appropriate to the

The Fair Credit Reporting Act (FCRA)

Applicable to credit rating agencies and, in some instances, to banks and other financial service providers
Affects customers' credit reports pertaining to: credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living

FCRA

FCRA sets standards for: collection; communication; and use of credit-related information
FCRA requirements include:
Furnishing consumer reports only for permissible purposes
Maintaining high standards
Ensuring accuracy
Enabling individuals to correct misinformation
Resolving customer disputes

The Sarbanes-Oxley (SOX) Act

A reactionary measure to US corporate scandals; has a significant impact on US companies as well as auditing firms
Aims to strengthen corporate governance and restore investor confidence
Companies must attest that outsourcing firms have internal controls in place to comply with SOX and other regulations

Sarbanes-Oxley

The legislation is wide-ranging and establishes new or enhanced standards for all US public company boards, management, and public accounting firms
Contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties
Requires the Securities and Exchange Commission (SEC) to implement rulings on the requirements to comply with the new law

The Health Insurance Portability and Accountability Act (HIPAA)

Establishes privacy protection for health care information
HIPAA provisions apply to organizations that offer health plans, to doctors, hospitals and other health care providers, and in turn to the medical transcription industry
Limits the use of patient information
In most cases would extend to the offshored activity of the organizations

HIPAA Contd.

Information may be disclosed to a business associate if the data owner obtains satisfactory assurance, in a written agreement, that the information will be safeguarded
The data owner will most likely require business associates to agree to the same obligations that apply to the covered entity

HIPAA Compliance

Self-assessments, employee training, and increased technological capacities
Administrative, technical, and physical safeguards
Must reasonably safeguard from any intentional or unintentional use or disclosure that is in violation of the standard
Implementation specifications or other requirements of the company's privacy rules
A business associate would have to comply too

The Telephone Consumer Protection Act (TCPA)

Restricts the use of the telephone and facsimile machine to deliver unsolicited advertisements
Prohibits the delivery of artificial or prerecorded messages to residences
Once a consumer asks not to receive calls from a particular company, that company may not call that consumer

TCPA & Related FCC Rules

Prohibits autodialed calls to emergency telephone lines, health care facilities, paging services, cellular telephones, and any service for which the called party is charged for the call
A National Do-Not-Call Registry: it covers all telemarketers (with the exception of certain nonprofit organizations); covers both interstate and intrastate telemarketing calls; consumers can place their telephone numbers on the registry through one telephone call or one web click
Enforcement

Other US laws

The Fair and Accurate Credit Transactions Act of 2003: disposal of records (affects almost every business in the US)
US Patriot Act: affects bank secrecy to combat money laundering, terrorism and criminal behavior

More US Laws

The Video Privacy Protection Act: forbids a video rental or sales outlet from disclosing information concerning what tapes a person borrows or buys, or releasing identifiable information. Enforced through civil liability action.
Electronic Communications Privacy Act: prohibits the unauthorized interception or disclosure of many types of electronic communications, including telephone conversations and electronic mail, although disclosure by one of the parties to the communication is permitted. Applies both to the Government and to private persons and entities. Violations are subject to civil and criminal penalties.

Data Protection Laws in the US

Electronic Fund Transfer Act: requires institutions which deal with electronic banking services to inform their consumers of the circumstances under which automated bank account information will be disclosed to third parties in the ordinary course of business. Violators are subject to civil and/or criminal penalties. Enforced by the Federal Reserve Board.

Data Protection Laws in the US

Right to Financial Privacy Act: mandates that the Federal Government present proper legal process or a formal written request to inspect an individual's financial records kept by a financial institution, including credit card companies, with simultaneous notice to the consumer to provide him/her with the opportunity to object. Provides for civil liability.
The Cable Communications Policy Act, as amended by the Cable Television Consumer Protection Act: establishes written disclosure requirements regarding the collection and use of personally identifiable information by cable television service providers; prohibits the sharing of such information without prior consent.

Communications Act

Requires telecommunications carriers to protect the confidentiality of customer proprietary network information (CPNI)
Includes the destinations and numbers of calls made by customers
Except as required to provide the customer's telecommunications service or pursuant to consumer consent
Penalties may include attorneys' fees and punitive damages and reasonable litigation costs in addition to actual damages

Penalties

Each violation of COPPA (The Children's Online Privacy Protection Act) invokes a penalty of $11,000
Penalty: actual damages, statutory damages up to $1,000, punitive damages per violation (no cap on class action damages), attorneys' fees and civil penalties up to $2,500

Penalties - HIPAA violations

Certain violations attract a US$100 penalty for each violation; the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed US$25,000
Knowing wrongful disclosure invokes a penalty of US$50,000 and/or imprisonment of up to one year
Under false pretenses, the offender may be fined up to US$100,000 and/or imprisoned for up to 5 years; the penalty is increased to US$250,000 and 10 years respectively if the offense is committed with intent to gain commercial advantage

Penalties

The penalties for violating GLBA are steep and cost up to $11,000 per day
Penalties for violation of FACTA's (Fair and Accurate Credit Transactions Act) disposal rule, which affects most businesses: actual damages, statutory damages, punitive damages per violation, attorneys' fees and penalties up to US$2,500 and imprisonment of not more than 2 years
Penalties for violation of FCRA (Fair Credit Reporting Act): damages of not less than $100 and a civil penalty of not more than $2,500 per violation, or punitive damages and imprisonment of up to 2 years

US or State Laws and Pending Bills

US states have laws or pending bills to: regulate privacy and personal data; impose obligations on call center activities; try to minimize or ban offshoring of state contracts. Some of these measures are protective of the US workforce. Many of the bills may fail, be significantly diluted, be challenged on grounds of constitutionality or be found to violate international trade agreements.

Bills or recent laws that curtail the granting of state contracts to non-US workers or restrict performance of state contracts outside the US: New York; Maryland; Massachusetts; Texas; Oregon; Missouri; Nevada; Pennsylvania; Florida

California Privacy Laws

Law of Notice of Security Breach: an owner of personal information who becomes aware of a breach of security must disclose the breach to every resident of California whose unencrypted personal information was, or is believed to have been, accessed by an unauthorized person. Only unencrypted data triggers the duty, so encrypting stored personal data directly limits notification exposure.
Privacy of financial information: stricter than GLBA; requires an affirmative opt-in for sharing of information with third parties, and provides for an opt-out for sharing with affiliates unless they are in the same line of business under the same name.

California Privacy Laws

Online Privacy Act
Information sharing disclosure: a business having personal information of a California resident must give a list of the categories of information shared with third parties, with the names and contact information of the third parties, OR provide a conspicuous privacy statement with a cost-free opt-out prior to the disclosure.

Prohibitions on the Transmission of Information

Tennessee requires the express written permission of a customer before sending any financial, credit or identifying information to a foreign country
In California, proposed legislation requires strict privacy compliance when sending an individual's personal information abroad

Protectionism - Implications for the US and the World

Creates friction and hurdles in commercial activities
Effective measures to stifle meaningful outsourcing
US companies will be less competitive and will put even more jobs in danger if they cannot benefit from service cost arbitrage
Deterrent to American companies offshoring medical, accounting, financial consulting or other information-based services overseas
Absence of legal ramifications does not alleviate the harm to public image

Protectionism - Implications for the US and the World

Legislation banning state awards of grants, loans, or tax credits to companies that outsource business
Protectionist measures only affect the immediate future
Offshoring is a valuable tool for American business
American business people are very innovative

Non-Delegable Responsibilities for Offshored Work

Data protection laws that are modeled on the European regime are aimed at data controllers or processors, without regard to any employment relationship
The customer retains legal responsibility for transgressions by the sourced processor abroad

Canada Legislation

Legislation similar to the EU Data Privacy Directive
Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA creates a Privacy Commissioner. Citizens may bring complaints to the Commissioner, who has the power to enforce the Act in the Canadian Federal Court.
PIPEDA requires prior consent before disclosure and prohibits disclosure without consent. A strong opt-in provision; the Act clearly covers businesses based outside of Canada that collect, use, or transfer data including personal information about individuals within Canada.

Strategies to Optimize Opportunities in the Face of International Laws

Suggested Best Practices for Working Managers and Chief Executives

Compliance
Conducting an inventory of information collection and disclosure practices
Evaluating agreements with third parties that involve the disclosure of consumer information
Establishing mechanisms to handle opt-out elections by consumers
Developing or revising existing privacy policies
Determining how to deliver privacy notices to consumers (by the data controller in the US)
Establishing employee training and compliance programs
Setting targets for implementation and regular checks of the compliance program

Non-tangible Essentials

Honesty; flexibility; transparency
Supported by contracts that adequately address the risks associated with the outsourced service, be it the risk of the OSP's capabilities or the customer's compliance needs

Contracts

Effective and comprehensive contracts
Clear and unambiguous
Transition and exit contracts
Flexibility in contracts
Service level contracts
Employee contracts
Limitations on liability
Confidentiality contracts
Third party licenses and service contracts
Service level breakdown procedures
Dispute resolution; alternate dispute resolution
Governing law and jurisdiction

Contracts

Aspects of business continuity
Compliance with legal and regulatory requirements pertaining to the OSP's country and the customer's country
Confidentiality
Choice of law (there may be more than one, to govern different aspects of the contract)
HR
Training

Contracts Contd.

Adopting the EU model contractual provisions in contracts to mitigate problems with EU Directive compliance issues
Careful and clear allocation of responsibility between the OSP and the customer for violations of the rights of third parties and, indeed, liability for punitive damages
Careful consideration before granting the customer an indemnity in the contract
Any liability agreement should include a cap

Management Related Best Practices

Due diligence by both parties
Commitment of the negotiating representative and senior management staff to ensure security and compliance
Regular and frequent monitoring of the relationship
Ensure that knowledge of compliance policies percolates through all operational levels
Technical and physical security of infrastructure
Operational protection measures: no devices to save data locally; communication restrictions

Management Related Best Practices Contd.

Dedicated physical security officer appointed by the OSP
Onsite manager appointed by the customer
Dedicated compliance officer, trained in the requirements
OSPs should configure a complex matrix of capabilities, scale, skills, language, management and infrastructure when making commitments

Management Related Best Practices Contd.

Consolidate information for managing business performance
Improve business intelligence
Periodically assess internal controls
Record management and provisions to examine audit trails
Monitoring, managing and transforming the services

Management Related Best Practices Contd.

Standard written internal company practices to enhance security, with recorded standard operating procedures manuals
Disaster recovery plan
Insurance to cover risks of security breaches and/or loss of data
Insurance to cover risk of claims arising out of the quality, timeliness and quantity of services
Employ certified security professionals

Employee Related Best Practices

Employee background checks
Centralized data bank of all BPO-related employees, which helps identify prior violators (as initiated by NASSCOM)
Need-based dissemination of information: division of process, access and/or control
Technical limitations on access to, or communication between, different processes

Technological Best Practices

Encryption
Installing and using standardized technical measures

Industry Related Best Practices

Establishment of an independent governing body to regulate the industry
Independent certification about security standards
Some certifying authorities: British Standards Institute (BSI); BS 7799 / ISO 17799; Det Norske Veritas (DNV); Standardisation Testing and Quality Certification (STQC, Govt. of India); KPMG; Ernst & Young
Self-regulation and compliance training
The OSP should inform the customer about any infractions to mitigate damage

Industry Related Best Practices

Cardholder Information Security Program (CISP)
Payment Card Industry (PCI) Data Security Standard, to safeguard sensitive data for all card brands: the result of a collaboration between Visa and MasterCard; creates common industry security requirements endorsed by other card services

Industry Related Best Practices

Technology regulation and certification
COBIT (Control Objectives for Information and related Technology, by ISACA), used alongside ITIL
ITIL (the IT Infrastructure Library), from the Office of Government Commerce (UK), is the most widely accepted approach to IT service management

Relevance of US Laws to Indian Businesses

Extraterritorial reach?
Affects the conduct of business (both onshore and offshore)
Stringent reporting requirements and penalties
Assumption of liability under contract
Choice of law of a foreign jurisdiction automatically extends liability

Future

Indian-US security forum to shortly sign an MoU formalizing the roadmap for cooperation on information security issues
Industry could lobby the Government to create an Indian version of the Safe Harbor, and to provide a regulatory authority and framework like SEBI and the SEBI guidelines to protect privacy
The amendments to the IT Act should be in sync with global laws and trends

Conclusion

Factors that nurture BPOs also spawn crimes
Elaborate, onerous, technical security measures reduce productivity and erode employee motivation
Combination of best practices
US protectionist measures are likely to have an adverse effect upon both the US and the global economy
Laws will have to evolve to govern the runaway proliferation of outsourcing
Fraud and data violations can occur anywhere in the world

Data Protection Strategy

Organize
Determine the scope
Assign resources
Separate duties where sensitive data resides

Data Protection Strategy

Assess Data Risk
Identify sensitive and critical data
Perform a risk analysis of the entire backup process
Conduct a cost/benefit analysis on backup data encryption
Inform business managers of risk solutions and costs

Data Protection Strategy

Develop a Backup Data Protection Program
Devise a multi-layered approach that includes authentication, authorization, encryption and auditing
Copy the backup data; get that copy off-site, off-line and out of reach

Data Protection Strategy

Develop a Backup Data Protection Program
End-to-end chain of custody
Need a sound method to track backup media when moved
Report daily on tapes sent off-site and those on-site
Reconcile tapes off-site against tapes on-site to account for all media
Destroy all media once it has become obsolete; get a certificate of destruction
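The chain-of-custody steps above come down to a daily comparison of what the backup inventory claims against what the custody log actually records. What follows is an added example of that reconciliation in Python; it is not code from the seminar or its author. The record layout, the event names, and the sample inventory and custody log lines are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Where a tape is after each custody event (the last event decides).
TERMINAL_LOCATION = {
    "shipped": "in_transit",        # left the data centre, not yet signed for
    "received_offsite": "offsite",  # vault signed for it
    "returned": "in_transit",       # vault sent it back
    "received_onsite": "onsite",    # data centre signed for it again
    "destroyed": "destroyed",       # shredded or degaussed
}


@dataclass
class TapeRecord:
    tape_id: str
    location: str          # inventory's claim: onsite, offsite or destroyed
    destruction_cert: str  # certificate number, empty if none on file


# Constructed sample inventory (assumption: what a backup system reports).
INVENTORY = [
    TapeRecord("T-0001", "onsite", ""),
    TapeRecord("T-0002", "offsite", ""),
    TapeRecord("T-0003", "offsite", ""),    # shipped, vault never signed
    TapeRecord("T-0004", "destroyed", ""),  # no certificate on file
    TapeRecord("T-0005", "destroyed", "CERT-2013-0417"),
    TapeRecord("T-0006", "offsite", ""),    # no custody events at all
]

# Constructed sample custody log: date,tape_id,event (one event per line).
CUSTODY_LOG = """
2013-04-15,T-0002,shipped
2013-04-15,T-0002,received_offsite
2013-04-15,T-0003,shipped
2013-04-14,T-0004,destroyed
2013-04-14,T-0005,destroyed
2013-04-15,T-0007,shipped
2013-04-15,T-0007,received_offsite
"""


def parse_log(text: str) -> Dict[str, List[str]]:
    """Group events per tape in date order (ISO dates sort as plain text)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, tape_id, event = line.split(",")
        if event not in TERMINAL_LOCATION:
            raise ValueError(f"unknown custody event {event!r} for {tape_id}")
        rows.append((date, tape_id, event))
    rows.sort(key=lambda r: r[0])  # stable sort keeps same-day order
    events: Dict[str, List[str]] = {}
    for _, tape_id, event in rows:
        events.setdefault(tape_id, []).append(event)
    return events


def logged_location(events: List[str]) -> Optional[str]:
    """Where the custody log says the tape is now; None if it has no events."""
    return TERMINAL_LOCATION[events[-1]] if events else None


def reconcile(inventory: List[TapeRecord],
              events: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the issues found for each tape id that cannot be accounted for."""
    findings: Dict[str, List[str]] = {}
    for tape in inventory:
        issues = []
        where = logged_location(events.get(tape.tape_id, []))
        if tape.location == "offsite":
            if where is None:
                issues.append("recorded off-site but no custody events")
            elif where == "in_transit":
                issues.append("shipped off-site but no off-site receipt logged")
            elif where != "offsite":
                issues.append(f"inventory says off-site, custody log says {where}")
        elif tape.location == "onsite":
            if where not in (None, "onsite"):
                issues.append(f"inventory says on-site, custody log says {where}")
        elif tape.location == "destroyed":
            if not tape.destruction_cert:
                issues.append("marked destroyed but no certificate of destruction")
            if where != "destroyed":
                issues.append("marked destroyed but no destruction event logged")
        if issues:
            findings[tape.tape_id] = issues
    # A tape in the custody log but not in the inventory was never tracked.
    known = {t.tape_id for t in inventory}
    for tape_id in events:
        if tape_id not in known:
            findings[tape_id] = ["custody events for media not in inventory"]
    return findings


if __name__ == "__main__":
    for tape_id, issues in sorted(reconcile(INVENTORY, parse_log(CUSTODY_LOG)).items()):
        print(tape_id, "->", "; ".join(issues))
```

Run daily, the output is the exception list that the reconciliation step asks for: a tape shipped without a vault receipt is the one most likely to have gone missing in transit, and a tape "destroyed" without a certificate is the one that cannot be shown to auditors as out of reach. Anything clean is omitted, so an empty result means every tape in the inventory is accounted for.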

Data Protection Strategy

Develop a Backup Data Protection Program
Protect all the backup data
Consider the use of technologies like electronic vaulting to securely back up distributed data
Not protecting this data exposes it to potential risk and unauthorized access

Data Protection Strategy

Implement the Plan
Execute the plan based on the standard guideline developed
Train staff
Communicate the process to the organization

Data Protection Strategy

Test the Process
Periodically test the process; understand if some backup data is left exposed, and where
Recommend improvements; decide on corrective actions
Conduct disaster recovery tests to ensure you can recover the data
Change the data protection process as the business changes

Conclusions

The Data Protection Directive was not conceived with e-commerce in mind and raises numerous problems and legal uncertainty
Government control and discretionary authority are inconsistent with an innovative information society and consumer choice
Data protection applies even if the consumer does not want it, resulting in paternalism
Privacy protection increases the risk of fraud
The EC exports its consumer and data protection regime to the rest of the world, thus reducing the availability of e-commerce services and making them more expensive

Conclusions

There is a cost to privacy protection
In a market setting, the cost is self-limiting; the Government's monopoly over force and the absence of a self-limiting mechanism are differences that should have consequences
The privacy versus security debate highlights the problems of quantifying the cost of privacy

Thank You

Poorvi Chothani, Esq.
LawQuest, 36 Maker Tower F, Cuffe Parade, Mumbai 400 005
E-mail: poorvi@lawquestinternational.com
Telephone: 00 91 22 6654 1671
