At Privacy. Security. Risk. 2015 (P.S.R.) in Las Vegas, NV, there was no shortage of content for privacy pros looking for help solving some of the day's most complicated and important issues. The show saw keynotes from software innovator Jean Yang and former IBM CISO Kristin Lovejoy, and a tweet-worthy panel featuring the FCC's Travis LeBlanc and the FTC's Jessica Rich. In addition, veteran pros from government and start-ups alike talked about controlling third-party vendors, how to prioritize budget spends and the pitfalls of cross-device tracking, among other topics. If you missed the conference or our coverage, we've summarized it below.
There's no shortage of smart people doing smart things. But there’s a disconnect between the ideas being incubated and the execution of those ideas in ways that make real-world differences. That was the message from Jean Yang, assistant professor at Carnegie Mellon University’s School of Computer Science, during her keynote address at P.S.R.
Doing privacy at start-ups comes with challenges. That topic was explored at P.S.R. in the sessions “The Internet on Your Terms—New Innovations in Privacy and Security” and “Privacy, Security & Risk in Collecting Personal Data at Tech Start-Ups.” For example, as one panelist noted, “You have to hire privacy people and spend money on them. And spending money on privacy might not be the highest priority.”
FCC vs. FTC Isn't Batman vs. Superman
On the main stage at P.S.R., at what some may have expected to be a showdown between reportedly warring regulatory agencies, the FTC's Jessica Rich and the FCC's Travis LeBlanc shut down those rumors. "Let me say it," LeBlanc told the crowd. "There is no Batman vs. Superman. Together, we're the Justice League."
The Privacy Pitfalls of Cross-Device Tracking
In November, the FTC will host a workshop on cross-device tracking for marketing and advertising purposes. It's not that device-tracking is a new practice, but the number of devices each person uses has significantly increased over time, meaning lucrative opportunities for marketers to learn even more about web browsers' habits. Now, it's possible to watch users browse for vacation destinations on their iPads, buy a weekend in the country on their desktop and then drive there using their cell phone's GPS. That kind of detailed consumer picture is worth a lot of money if your job is finding out what people are interested in with an eye toward selling them something. But it obviously presents privacy pitfalls. That was the topic of discussion at the P.S.R. session, "I See You Here, There, Everywhere: The Implications of Cross-Device Tracking."
“Fact: Every one of our institutions is infected.” Thus did Kristin Lovejoy, former CISO at IBM and current CEO at Acuity Systems, step onto the P.S.R. stage. In fact, if your security team is telling you that you’re not infected, they’re probably just bad at their jobs. The last statistics generated by IBM say that the average organization of 15,000 employees would suffer 324 security attacks per week. Of those attacks, 2.1 would result in a compromise, Lovejoy said.
Are Your Privacy Impact Assessments Stuck in the 1970s?
The concept of the privacy impact assessment (PIA) has roots in the age of mainframe computers, an age when compliance was key to avoiding regulatory action or consumer backlash. But massive datasets, advanced algorithms and increased data collection points make these age-old PIAs a thing of the past and mean that organizations must go beyond mere compliance into governance. Though big data can help companies innovate and bring tangible benefits to consumers, ethical use of that data is not only being watched closely by privacy advocacy organizations; regulators are watching, too.
New Healthcare Tech, New Privacy Issues
Healthcare isn’t immune to the need for privacy by design. Further, healthcare engineers and medical professionals are designing new data-collecting healthcare solutions faster than ever before. How, for example, are you going to provide consent for access to the data being transferred from your swallowable diagnostic tool when you’re unconscious? Such were the tough questions posed by the panelists on “Managing Emerging Technology in Healthcare” at P.S.R.
Drowning In a Sea of Vendors
Jordan Abbott, a compliance attorney at Acxiom, didn't mince words when he opened the P.S.R. preconference session on vendor management. "Bottom line you’re going to take away from this program is: vendors are a problem," Abbott said. That's because businesses have hundreds of thousands of vendors for myriad uses. It can be incredibly difficult to keep track of vendor compliance with the rules and regulations your organization is required to comply with. To have a fighting chance at it, panelists said at "Vendor Compliance: Drowning In a Sea of Vendors," it's essential to classify vendors by type, then by the kind of access to data they have, and finally to apply rules around the data vendors will use for various services.