THE MOVE TO SOCIAL MOBILE AND THE CLOUD: A snapshot of the privacy, security and other legal risks to be managed
Presenter: David Yates, Partner, Perth
9 May 2014
11009050/11
INFORMATION SECURITY
All organisations are exposed to information security risk in today's world given the quantity and ubiquity of electronic data.
ABS survey statistics released in August 2012 concerning internet security incidents or breaches show 12% of businesses reported a security incident during the survey period.
Apart from the damage to the organisation itself, an information security breach creates exposure to legal claims by other parties.
Potential sources of liability:
- Breach of contract
- General law obligation regarding confidential information
- Breach of occupational health and safety law
- Actionable misrepresentation of information security capability
PRIVACY
Australian Privacy Principles (APPs) apply to most government agencies and private sector organisations with turnover of more than $3 million.
The Australian Privacy Act was implemented in 2012 creating the APPs.
The APPs form the cornerstone of Australia's privacy protection framework.
The APPs are structured by the 5 stages of the personal information life-cycle.
Stage of the information lifecycle and relevant APP:
- Consideration of personal information privacy: APPs 1 and 2
- Collection of personal information: APPs 3, 4 and 5
- Dealing with personal information: APPs 6, 7, 8, and 9
- Integrity of personal information: APPs 10 and 11
- Access to and correction of personal information: APPs 12 and 13
PRIVACY
The new definition of personal information shapes the operation of the law. It is defined as:
Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information is true or not; and
- whether the information or opinion is recorded in material form or not.
Taking reasonable steps to protect personal information from being exposed in breach of the law will include implementing sound policies and monitoring:
- manage governance;
- ICT security data breaches;
- physical security over data;
- personal security and training; and
- workplace monitoring.
PRIVACY
Recent media reports have suggested that organisations that experience a data breach as a result of a cyber-attack or hack are off the hook... Regular review of information security measures is crucial, particularly given how regularly organisations change their processes, information, personnel, applications and infrastructure, as well as changing technology and security risks. Organisations must implement and maintain information security measures that respond to this changing landscape. The OAIC also expects that entities will regularly monitor the operation and effectiveness of the steps and strategies they have taken to protect personal information.
- Office of Australian Information Commissioner, 6 March 2014
CLOUD
Before actioning a cloud solution consider undertaking a preliminary risk assessment that asks, amongst other things:
- Who is the cloud solution vendor?
- What type of data will be transferred into the cloud?
- What are the continuing or additional obligations regarding data on the cloud?
- What can be done with the data?
- What are the transition in and transition out arrangements with going to the cloud?
Federal Government National Cloud Computing Strategy:
- Current legislative framework is sufficient.
- Australian Consumer Law and Privacy Act protections are in place.
- These arrangements will be subject to review and change.
CLOUD
Moving to the cloud does not necessarily have to be privacy invasive, but the migration of data does mean moving it outside of the user's direct control.
It is recommended that careful consideration be given to the contract with the cloud vendor so as to limit the legal risks inherent in the move to the cloud.
- Conduct pre-contract due diligence.
- The physical location of the data being stored on the cloud.
- Protection of information.
- Who will assume liability for a breach.
- Performance management.
- Ending the arrangement.
- Dispute resolution.
BRING YOUR OWN DEVICE (BYOD)
Key risks when engaging in a BYOD based solution from a legal standpoint are:
- Information security risk; and
- Document control and retrieval.
[Diagram: Office based hardware; Firm provided remote devices; BYOD. Label: Risk that control of documents is reduced]
DISCOVERY IN A DIGITAL WORLD
Litigation doesn't happen to you until it does.
When parties become involved in a legal dispute they will usually be required to discover documents relating to matters in question that are in their possession, power and control.
- What documents exist?
- Where are they?
- How do we get them?
[Diagram: Information management; Identification; Preservation / collection; Production; Presentation]
SOCIAL MEDIA
Businesses are eager to capture the benefits of social media. It can become a source of legal liability if not correctly managed.
Sources of Liability
- Defamation: Liability is created through the publishing of defamatory material. The test of whether an organisation publishes depends on factors such as their knowledge and control over a statement as well as subsequent action.
- Misleading and deceptive conduct: Misleading or deceptive conduct in trade and commerce is a breach of the law. Again, questions of the knowledge, control and response of an organisation are relevant to liability.
- Employee dismissal: Social media blurs the distinction between workplace and private comments and actions. The law is increasingly viewing the balance in favour of comments being public.
CASE STUDY #1: FORD'S BIG REVEAL
Ford's campaign to reveal the new 2011 Explorer used social media rather than unveiling the new model at an auto show. Facebook page launched in 2010.
Although only a single day event, the 2011 Ford Explorer reveal was a viral sensation as it was broadcast live on Facebook, continuing to gain momentum for days and weeks to come.
Ford used Facebook to go viral by creating anticipation and buzz around an eagerly anticipated product.
The final result: 75,000 fans logged on and viewed the auto show, Ford held the #1 trending topic position on Twitter for the entire duration of launch day, the #2 trending topic on Google and received over 1,000,000 views on YouTube. Before the vehicle even landed in dealerships, 15,000 had been sold!
CASE STUDY #2: BURGER KING'S SACRIFICE
Burger King "sacrifice a friend" campaign: during this campaign, fans were encouraged to sacrifice (de-friend) ten of their friends on Facebook in order to receive a coupon for a free burger.
As fans began to delete friends, the Burger King Facebook application would then notify the friends that they had been sacrificed for a burger. This was probably why it was shut down, although confirmation never came from Burger King or Facebook.
Nearly 234,000 friends had been sacrificed with more than 23,000 coupons for free Whoppers given away.
Fans were motivated by their love of a Whopper and could delete friends without worry. They could easily come back and add them again the next day. That said, the bad news that you had been de-friended was delivered by Burger King: not a good look.
CASE STUDY #3: MCDONALDS
In 2012 McDonalds attempted to alter the perception of its brand by encouraging customers to share their stories using #McDStories. The hashtag was hijacked by the brand's critics. From slamming individual outlets, the quality of the service and health implications of their products to the controversial environmental impact of their production process, McDonalds came under fire.
They made up ground with the "Our Food. Your Questions" campaign, a way for the public to ask anything they liked and have it answered in an honest and frank way. The questions were varied and a lot were negative, which was no different to the response to their #McDStories campaign.
This time, however, instead of opening the campaign up through social media, they created a platform which allowed them a little more control and were able to respond in a structured way to each question. They also prepared videos of experts answering some of the popular questions. One video has had over 7 million views.
CASE STUDY #4: BUTT SERIOUSLY, CHAPSTICKS
The maker of the Chapstick lip balm posted an image on their Facebook page of a woman, with the caption "Where do lost Chapsticks go?" Apparently the image required an explanation, and users were invited to share their thoughts on what explanation should be afforded to the image.
RISKS FOR BUSINESS
- User generated content:
  - As advertising
  - Defamatory
  - Negative
- Social media as advertising
- Defamatory publications
- Employee use at work
- Employee use at home
- Negative impact of false information
- Identifying offenders
- The responsibility for monitoring
- Information security
ANY QUESTIONS?