New privacy laws, both internationally and in the U.S., have expanded in scope to include technical data that evade current modes of internal review and assessment. This data includes device IDs, advertising IDs, obfuscated data, location, and data from nearby devices and networks. The transmission of this data is often unexpected by companies due to the rise of modular development (relying on third-party code, SDKs, and APIs with unknown or untested behaviors), the rush to production under DevOps and Agile development, and the fact that the transmission of data to third parties is most often intermediated by the consumer's device and therefore doesn't appear in company server logs. At the same time, the transmission of this data is an "open book" for regulators, class action plaintiffs' attorneys, and the media, all of whom retain computer experts to conduct network traffic analysis and "out" companies. The purpose of this session will be to review specific types of data transmission and how they can create exposure under specific provisions of GDPR, CCPA, GLBA, HIPAA, and other laws. The session will also discuss technical mitigations and how to manage these risks within the context of large organizations. The content of the presentation will include examples from mobile, web, and IoT.
Chris Cwalina, Global Co-Head of Cyber Risk, Norton Rose Fulbright
Steven Roosa, Head of NRF Digital Analytics and Technology Assessment Platform, Norton Rose Fulbright