Second International Workshop on
Requirements Engineering and Law

In conjunction with the 17th IEEE International Requirements Engineering Conference

Atlanta, Georgia, USA, Tuesday, 1 September 2009

Technical Program

 
Privacy Requirements Engineering in an Ever-Changing World
Peggy Eisenhauer, J.D., CIPP
3:30-5:00 pm, Tuesday, September 1, 2009

Privacy & Information Management Services – Margaret P. Eisenhauer, P.C.

Software and systems designers have historically struggled to capture and address all requirements, including those related to functionality, usability, interoperability and compliance. Systems that collect or process personal information must also consider legal and practical issues associated with information privacy and security. Unfortunately, privacy and security requirements are not static and may rapidly evolve during the system’s life cycle. Additionally, because the requirements are often subject to post-implementation evaluation by users, consumers and/or regulators, it can be difficult to determine if the requirements have been properly articulated at the design stage.

Recent Federal Trade Commission enforcement activity provides an interesting case study for system designers regarding the evolution of privacy requirements. The Commission’s action against Sears Holdings Management Corp raises significant questions about the viability of privacy statements to achieve legally required transparency of information management practices. Systems that use privacy notices as a basis for collecting personal information must evaluate their operation in light of Sears Holdings. Additional measures may be required to achieve an appropriate level of compliance with privacy laws and regulatory expectations. The Sears Holdings case will have critical implications for developers of online systems that collect or aggregate consumer information, including behavioral targeting, social networking and other Web 2.0 applications.

Using the Sears Holdings case as an example, the session will consider existing and emerging privacy/security requirements as well as requirement change triggers that impact Web 2.0 design. The session will include an interactive discussion of the implications of evolving privacy and security requirements and offer suggestions for managing requirement change events during the system design process.