Managing Privacy Risk and Promoting Ethical Culture in the Digital Age

Consumer Privacy Laws: What is IT’s Responsibility?

Upload: perficient-inc

Post on 26-Dec-2014


DESCRIPTION

Businesses that responsibly manage privacy and educate their customers about their privacy practices benefit greatly - especially with regard to positive brand development.

TRANSCRIPT

Page 1: Consumer Privacy Laws: What is IT’s Responsibility? Managing Privacy Risk and Promoting Ethical Culture in the Digital Age

Page 2: About Perficient

Perficient is a leading information technology consulting firm serving clients throughout North America. We help clients implement business-driven technology solutions that integrate business processes, improve worker productivity, increase customer loyalty and create a more agile enterprise to better respond to new business opportunities.

Page 3: Fast Facts

• Founded in 1997
• Public, NASDAQ: PRFT
• 16 locations throughout the U.S. & Canada: Chicago, Cincinnati, Cleveland, Columbus, Dallas, Denver, Detroit, Fairfax, Houston, Indianapolis, Minneapolis, New Orleans, Philadelphia, San Jose, St. Louis and Toronto
• 1,100+ employees
• Dedicated solution practices
• Served 400+ clients in past 12 months
• Alliance partnerships with major technology vendors
• Multiple vendor/industry technology and growth awards

Page 4: Our Solutions

Page 5: Agenda

• Why should you care?
• Consumer privacy laws today
• Why are the requirements difficult to manage?
• Changing your approach - look for the commonality
• Building a management framework
• Promoting a privacy law compliance culture
• Merging framework and culture
• Questions

Page 6: Privacy Laws - Why Should You Care?

Businesses that responsibly manage privacy and educate their customers about their privacy practices benefit greatly - especially with regard to positive brand development.

68 percent of all consumers "consider the privacy protections of a company before they will do business with that company, especially in industries that handle their most sensitive information."

83 percent of all respondents said that they will "stop doing business entirely with a company if they hear or read that a company is using its customers' information in a way they consider to be improper."

You can never make your customers feel too secure.

Page 7: What is Consumer Privacy?

Consumer privacy, also known as customer privacy, involves the handling and protection of sensitive personal information that individuals provide in the course of everyday transactions. This involves the exchange or use of data electronically or by any other means, including telephone, fax, written correspondence, and even direct word of mouth.

Page 8: Consumer Privacy Requirements Today

Multiple Standards and Regulations Need to be Considered

Page 9: Privacy Laws and IT - Why Is It So Difficult?

• In the U.S. and globally there is no overarching privacy law. A complex arrangement of federal laws and even more complex state laws govern the use of personal information in different industries and contexts. All of these laws touch IT in a direct or indirect way.
• Depending on the geographic location, breaches are handled in different ways.
• Other regulators are increasingly involved in enforcing the rules in regard to privacy information.
• These laws are often vague, impractical and expensive to manage.

Page 10: For Example: MA 201 CMR 17

The law applies to any company anywhere in the world that “owns or licenses” personal information—whether stored in electronic or paper form—about Massachusetts residents. Personal information is defined as a person’s first and last name, or first initial and last name in combination with any of the following: Social Security Number; driver’s license or state-issued I.D. card numbers; financial account numbers; and credit or debit card numbers.

At the heart of the law is the requirement that companies develop a comprehensive Written Information Security Program (WISP) that contains technical, administrative, and physical safeguards that take into account the size and nature of their business; the amount of resources available; the amount of stored data; and the risk of identity theft. These safeguards must also be consistent with existing state and federal regulations for protection of personal information “of a similar character,” such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.

Page 11: Managing Privacy Challenges: Changing Your Approach

Page 12: Manage Commonality in Privacy Laws

• Satisfying regulatory requirements
• Securing applications and databases
• Protecting privacy-related information
• Creating policies & procedures in relation to regulatory requirements
• Ensuring staff is trained on policies and procedures
• Passing internal and external audits
• Notifying clients when violations occur

Page 13: Management Challenges: Consumer Privacy Laws

• Management of privacy laws is generally classed as a business ethics issue
• Generally managed between IT/Compliance/Legal/Internal Audit departments
• Generally there is no single person/job role to lead ethics compliance
• The main challenges in managing compliance are low staffing and budgets
• From a business user perspective, most companies inform employees of corporate ethics via a code of conduct but little else

Page 14: Operational Challenges: The Threat from Within

Most security breaches happen from within:

• 52% of the breaches were accidental
• 19% deliberate
• 26% an equal combination

Whether accidental or deliberate, the cost to the organization is the same.

Page 15: Why do violations occur?

• Unintentional data loss, due to employee negligence
• Malware/spyware attacks
• Excessive privilege/access rights
• Deliberate information security policy violations
• Unauthorized access to systems and confidential information
• Data loss through external attacks by former employees
• Exposure through provisioning and de-provisioning delays
• Media loss and theft exposing confidential information
• Unintentional threats from shortcuts around security policies
• System vulnerabilities exposing confidential information
• Internal fraud for financial gain

Page 16: The Negative Impact of Ethics Violations

• Government fines
• Embarrassment
• Brand damage
• Employee turnover
• Litigation
• Negative work environment
• Custodial sentences/Personal financial fines
• Loss of business contracts
• Lost customers

Page 17: IT Security: Frameworks vs. Cultures

Page 18: Culture vs. Frameworks

• Ethics Culture: The informal and social systems that set the “norms” for employee behavior and tell employees how things really work in that organization
• In companies where a strong business ethics culture is evident, employees are much more likely to report violations
• Ethics culture has a stronger impact within a corporation than the formal ethics and compliance programs
• Management needs to set the example and tone for the entire organization

30 people were fired from Cedars-Sinai Hospital in the days following Michael Jackson’s death for illegally trying to access his medical records.

Page 19: Traditional IT Privacy Control Frameworks

• IT focused on privacy control frameworks - not building a privacy controls culture
• Traditionally focused on IT infrastructure only:
  • Administrative
  • Technical
  • Physical
• Policy control, training and skills monitoring, auditing and regulatory compliance done through legal, HR, and other departments and not integrated with IT frameworks
• Compliance tends to be siloed by regulatory requirement
• Stronger IT focus on external breaches or deliberate fraud

Page 20: Need for Integrated Consumer Privacy Platform

Source: Open Compliance & Ethics Group

Proactive risk and compliance management

Why? ROI:

1. Compliance simplification
2. Operational efficiencies
3. Breeds stronger culture

Benefits?

1. Eliminate silos
2. Enable consistency
3. Improve quality
4. Reduce enterprise risk
5. Increase ROI / Benefits

Page 21: How to Measure a Security Ethics Culture

Focus on culture and use cultural metrics to track trends and patterns of misconduct, reporting, retaliation, openness and accountability:

• Employees’ exposure to circumstances that invite misconduct
• Employees’ recognition of those situations as misconduct
• Pressure to compromise the standards of the organization
• Preparedness of employees to respond to these situations

Page 22: Promoting a Privacy-Compliant Culture

• Increasing and promoting awareness and understanding of security policies and procedures
• Higher visibility in monitoring and enforcement of policies
• Risk planning, assessment and mitigation
• Effective non-compliance resolution management
• Tightening of access and control privileges
• Faster updating of access privileges
• Implementing electronic signatures
• Integration into business systems to eliminate silos and minimize exposure to private information

Page 23: Consumer Privacy Compliance Portal

Tools Available to Help …

• Manage policies, audits, issues, CAPA, T&S and risk across all regulations from a single view
• Scheduler for all related activities
• Real-time work items and reporting

Page 24: Manage all regulations and standards

• Ability to manage an unlimited number of gov’t standards, accreditations and link back to all aspects of eGRC
• Reduce prep time for inspections and audits by as much as 80%
• Reference back to standards & regulations
• Link back to associated compliance activities
• Quick access to external sites relevant to consumer privacy
• Ability to request acknowledgements that policies were read & understood

Page 25: Contact Details

Amy Shavor, Enterprise Content Management Compliance Practice

[email protected]

Page 26: Questions?

Page 27: Follow Perficient Online

Facebook.com/Perficient

Twitter.com/Perficient

Perficient.com/SocialMedia

Daily unique content about content management, user experience, portals and other enterprise information technology solutions across a variety of industries.

Page 28: Next Month

Achieve Budgeting and Forecasting Excellence with Enterprise Performance Management

Tuesday, June 29, 2010, 12:00 – 1:00 PM CST

Budgeting is often a manual process driven by spreadsheets that are error-prone, static, and generally speaking, not collaborative. The result is a static budget that becomes irrelevant as soon as the new fiscal year begins.

A more nimble response is needed for constantly changing market conditions. Planning needs to be a continuous, flexible exercise, based on rolling forecasts.

Through the careful application of best practices and the use of an automated Enterprise Performance Management system, intelligent enterprises can reap the benefits of flexible budgeting, accurate forecasting, and dynamic planning.