Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
Consumer Privacy Laws What is IT’s Responsibility?
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
About Perficient
Perficient is a leading information technology consulting firm serving clients throughout
North America.
We help clients implement business-driven technology solutions that integrate business
processes, improve worker productivity, increase customer loyalty and create a more
agile enterprise to better respond to new business opportunities.
Fast Facts
Founded in 1997
Public, NASDAQ: PRFT
16 locations throughout the U.S. & Canada: Chicago, Cincinnati, Cleveland, Columbus, Dallas, Denver, Detroit, Fairfax, Houston, Indianapolis, Minneapolis, New Orleans, Philadelphia, San Jose, St. Louis and Toronto
1,100+ employees
Dedicated solution practices
Served 400+ clients in past 12 months
Alliance partnerships with major technology vendors
Multiple vendor/industry technology and growth awards
Our Solutions
Agenda
Why should you care?
Consumer privacy laws today
Why are the requirements difficult to manage?
Changing your approach - look for the commonality
Building a management framework
Promoting a privacy law compliance culture
Merging framework and culture
Questions
Privacy Laws - Why Should You Care?
Businesses that responsibly manage privacy and educate their customers
about their privacy practices benefit greatly - especially with regard to
positive brand development.
68 percent of all consumers "consider the privacy protections of a company
before they will do business with that company, especially in industries that
handle their most sensitive information."
83 percent of all respondents said that they will "stop doing business
entirely with a company if they hear or read that a company is using its
customers' information in a way they consider to be improper."
You can never make your customers feel too secure.
What is Consumer Privacy?
Consumer privacy, also known as customer privacy, involves the
handling and protection of sensitive personal information that
individuals provide in the course of everyday transactions. This
involves the exchange or use of data electronically or by any
other means, including telephone, fax, written correspondence,
and even direct word of mouth.
Consumer Privacy Requirements Today
Multiple Standards and Regulations Need to be Considered
Privacy Laws and IT- Why Is It So Difficult?
In the U.S. and globally there is no overarching privacy law. A
complex arrangement of federal laws and even more complex state
laws govern the use of personal information in different industries
and contexts. All of these laws touch IT in a direct or indirect way.
Depending on the geographic location, breaches are handled in
different ways.
Other regulators are increasingly involved in enforcing the rules
regarding private information.
These laws are often vague, impractical and expensive to manage.
For Example: MA 201 CMR 17
The law applies to any company anywhere in the world that “owns or licenses” personal information—whether stored in electronic or paper form—about Massachusetts residents. Personal information is defined as a person’s first and last name, or first initial and last name in combination with any of the following: Social Security Number; driver’s license or state-issued I.D. card numbers; financial account numbers; and credit or debit card numbers.
At the heart of the law is the requirement that companies develop a comprehensive Written Information Security Program (WISP) that contains technical, administrative, and physical safeguards that take into account the size and nature of their business; the amount of resources available; the amount of stored data; and the risk of identity theft. These safeguards must also be consistent with existing state and federal regulations for protection of personal information “of a similar character,” such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.
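Before a WISP can protect the right records, IT has to know which records the definition above actually reaches: a name in combination with at least one of the listed identifiers, about a Massachusetts resident. The following is an added example, not Perficient's code, that applies the slide's definition as a scoping check over a batch of records and masks the identifiers so the resulting report can be logged safely. The record field names (first_name, ssn, card_number, state and so on) are assumptions chosen for illustration, not terms from the regulation.

```python
# Added example: a scoping check that applies the 201 CMR 17.00 definition of
# "personal information" as the slide describes it.  This is not Perficient's
# code; the record field names (first_name, ssn, state, ...) are assumptions
# chosen for illustration, not terms from the regulation.

# Identifiers the slide lists as triggering the definition when paired with a name.
TRIGGER_FIELDS = {
    "ssn": "Social Security Number",
    "drivers_license": "driver's license or state-issued ID number",
    "financial_account": "financial account number",
    "card_number": "credit or debit card number",
}


def _text(record, key):
    """Return the field as a stripped string, or '' when absent or None."""
    value = record.get(key)
    return str(value).strip() if value is not None else ""


def has_qualifying_name(record):
    """Last name plus either a first name or a first initial."""
    return bool(_text(record, "last_name")) and (
        bool(_text(record, "first_name")) or bool(_text(record, "first_initial"))
    )


def present_triggers(record):
    """Labels of the listed identifiers that are populated in this record."""
    return [label for key, label in TRIGGER_FIELDS.items() if _text(record, key)]


def is_ma_personal_information(record):
    """Name in combination with at least one listed identifier."""
    return has_qualifying_name(record) and bool(present_triggers(record))


def is_massachusetts_resident(record):
    """Assumed 'state' field; a missing state is treated as MA (conservative choice)."""
    state = _text(record, "state").upper()
    return state in ("", "MA")


def redact(value, keep=4):
    """Mask all but the last `keep` characters so reports never carry the raw value."""
    value = str(value)
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def scope_report(records):
    """One summary row per record, with identifiers masked for safe logging."""
    rows = []
    for record in records:
        pi = is_ma_personal_information(record)
        rows.append({
            "id": record.get("id"),
            "personal_information": pi,
            "wisp_scope": pi and is_massachusetts_resident(record),
            "triggers": present_triggers(record),
            "masked": {k: redact(_text(record, k)) for k in TRIGGER_FIELDS if _text(record, k)},
        })
    return rows


# Constructed sample records (not real people; placeholder values only).
SAMPLE_RECORDS = [
    {"id": 1, "first_name": "Jane", "last_name": "Doe", "ssn": "000-00-0000", "state": "MA"},
    {"id": 2, "first_initial": "J", "last_name": "Doe", "card_number": "4111111111111111", "state": "MA"},
    {"id": 3, "first_name": "Jane", "last_name": "Doe", "email": "jane@example.com", "state": "MA"},
    {"id": 4, "last_name": "Doe", "ssn": "000-00-0000", "state": "MA"},
    {"id": 5, "first_name": "Jane", "last_name": "Doe", "ssn": "000-00-0000", "state": "NY"},
]

if __name__ == "__main__":
    for row in scope_report(SAMPLE_RECORDS):
        print(row)
```

Records 3 and 4 show the two ways a record falls outside the definition: a name with no listed identifier, and an identifier with only a last name. Record 5 is personal information but not about a Massachusetts resident; treating a missing state as in scope is a deliberate conservative choice, since an unknown residency is cheaper to over-protect than to discover in an audit.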
Managing Privacy Challenges: Changing Your Approach
Manage Commonality in Privacy Laws
Satisfying regulatory requirements
Securing applications and databases
Protecting privacy-related information
Creating policies & procedures in relation to regulatory
requirements
Ensuring staff is trained on policies and procedures
Passing internal and external audits
Notifying clients when violations occur
Management Challenges: Consumer Privacy Laws
Management of privacy laws is generally classed as a business ethics
issue
Generally managed between the IT, Compliance, Legal and Internal Audit
departments
Generally there is no single person or job role to lead ethics compliance
The main challenges in managing compliance are low staffing and budgets
From a business user perspective, most companies inform employees
of corporate ethics via a code of conduct but little else
Operational Challenges: The Threat from Within
Most security breaches happen from within:
52% of the breaches were accidental
19% were deliberate
26% were an equal combination
Whether accidental or deliberate, the cost to the
organization is the same.
Why do violations occur?
Unintentional data loss, due to employee negligence
Malware/spyware attacks
Excessive privilege/access rights
Deliberate information security policy violations
Unauthorized access to systems and confidential information
Data loss through external attacks by former employees
Exposure through provisioning and de-provisioning delays
Media loss and theft exposing confidential information
Unintentional threats from shortcuts around security policies
System vulnerabilities exposing confidential information
Internal fraud for financial gain
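Two of the causes in that list, excessive privilege and provisioning/de-provisioning delays, are visible in data the organization already holds: the HR roster says who should have access, and the account directory says who does. The following is an added example, not Perficient's code, that reconciles the two and reports enabled accounts of terminated staff, accounts with no HR owner at all, and accounts holding groups beyond their role's baseline. The roster and directory layouts, the role baselines and the one-day grace period are assumptions made for illustration.

```python
# Added example: reconciling an HR roster against an account directory to
# surface de-provisioning delays and excessive privilege.  Not Perficient's
# code; the roster/directory layouts, the role baselines and the grace period
# are assumptions made for illustration.

from datetime import date

# Constructed HR roster: who should have access, and since when they should not.
HR_ROSTER = [
    {"username": "asmith", "role": "analyst", "status": "active", "termination_date": None},
    {"username": "bjones", "role": "analyst", "status": "terminated", "termination_date": "2010-05-01"},
    {"username": "cwu", "role": "dba", "status": "terminated", "termination_date": "2010-06-10"},
]

# Constructed account directory export: what access actually exists today.
ACCOUNT_DIRECTORY = [
    {"username": "asmith", "enabled": True, "groups": {"analysts", "reporting", "db_admins"}},
    {"username": "bjones", "enabled": True, "groups": {"analysts"}},
    {"username": "cwu", "enabled": False, "groups": {"db_admins"}},
    {"username": "svc_legacy", "enabled": True, "groups": {"db_admins"}},
]

# Assumed least-privilege baseline: the groups each role needs and nothing more.
ROLE_BASELINE = {
    "analyst": {"analysts", "reporting"},
    "dba": {"db_admins"},
}

# Date the review is run (constructed).
REVIEW_DATE = date(2010, 6, 15)


def _parse(d):
    return date.fromisoformat(d) if d else None


def find_deprovisioning_gaps(roster, directory, as_of, grace_days=1):
    """Accounts still enabled more than `grace_days` after the owner's termination.

    Returns {username: days_overdue}, where days_overdue excludes the grace period.
    """
    enabled = {a["username"] for a in directory if a["enabled"]}
    gaps = {}
    for person in roster:
        term = _parse(person["termination_date"])
        if term is None or person["username"] not in enabled:
            continue
        overdue = (as_of - term).days - grace_days
        if overdue > 0:
            gaps[person["username"]] = overdue
    return gaps


def find_orphan_accounts(roster, directory):
    """Enabled accounts with no HR owner (nobody's departure would ever trigger removal)."""
    known = {p["username"] for p in roster}
    return sorted(a["username"] for a in directory if a["enabled"] and a["username"] not in known)


def find_excess_privileges(roster, directory, baseline):
    """Groups held beyond the role baseline, for accounts that have an HR role."""
    role_by_user = {p["username"]: p["role"] for p in roster}
    excess = {}
    for account in directory:
        role = role_by_user.get(account["username"])
        if role is None or role not in baseline:
            continue
        extra = account["groups"] - baseline[role]
        if extra:
            excess[account["username"]] = sorted(extra)
    return excess


def access_review(roster, directory, baseline, as_of, grace_days=1):
    """All three findings together, as a reviewer would want them in one report."""
    return {
        "deprovisioning_gaps": find_deprovisioning_gaps(roster, directory, as_of, grace_days),
        "orphan_accounts": find_orphan_accounts(roster, directory),
        "excess_privileges": find_excess_privileges(roster, directory, baseline),
    }


if __name__ == "__main__":
    for finding, detail in access_review(HR_ROSTER, ACCOUNT_DIRECTORY, ROLE_BASELINE, REVIEW_DATE).items():
        print(finding, detail)
```

On the constructed data, bjones is the de-provisioning delay (terminated six weeks earlier, account still enabled), cwu is the case that was handled correctly, svc_legacy is an orphan that no leaver process will ever catch, and asmith holds a database administration group the analyst baseline does not grant. Running this on a schedule and tracking the counts over time gives the kind of trend metric the later slides on measuring a security ethics culture call for.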
The Negative Impact of Ethics Violations
Government fines
Embarrassment
Brand damage
Employee turnover
Litigation
Negative work environment
Custodial sentences/Personal financial fines
Loss of business contracts
Lost customers
IT Security: Frameworks vs. Cultures
Culture vs. Frameworks
Ethics Culture: The informal and social systems that set the “norms” for
employee behavior and tell employees how things really work in that
organization
In companies where a strong business ethics culture is evident,
employees are much more likely to report violations
Ethics culture has a stronger impact within a corporation than the
formal ethics and compliance programs
Management needs to set the example and tone for the entire
organization
30 people were fired from Cedars-Sinai Hospital in the days following Michael Jackson’s
death for illegally trying to access his medical records
Traditional IT Privacy Control Frameworks
IT focused on privacy control frameworks - not building privacy controls
culture
Traditionally focused on IT infrastructure only
Administrative
Technical
Physical
Policy control, training and skills monitoring, auditing and regulatory
compliance done through legal, HR, and other departments and not
integrated with IT frameworks
Compliance tends to be siloed by regulatory requirement
Stronger IT focus on external breaches or deliberate fraud
Need for Integrated Consumer Privacy Platform
Source: Open Compliance & Ethics Group
Proactive risk and compliance management
Why?
ROI:
1. Compliance simplification
2. Operational efficiencies
3. Breeds stronger culture
Benefits?
1. Eliminate silos
2. Enable consistency
3. Improve quality
4. Reduce enterprise risk
5. Increase ROI / Benefits
How to Measure a Security Ethics Culture
Focus on culture and use cultural metrics to track trends and
patterns of misconduct, reporting, retaliation, openness and
accountability
Employees’ exposure to circumstances that invite misconduct
Employees’ recognition of those situations as misconduct
Pressure to compromise the standards of the organization
Preparedness of employees to respond to these situations
Promoting a Privacy-Compliant Culture
Increasing and promoting awareness and understanding of
security policies and procedures
Higher visibility in monitoring and enforcement of policies
Risk planning, assessment and mitigation
Effective non-compliance resolution management
Tightening of access and control privileges
Faster updating of access privileges
Implementing electronic signatures
Integration into business systems to eliminate silos and
minimize exposure to private information
Consumer Privacy Compliance Portal
• Manage policies, audits, issues, CAPA, T&S and risk across all regulations from a single view
• Scheduler for all related activities
• Real-time work items and reporting
Tools Available to Help …
Manage all regulations and standards
• Ability to manage an unlimited number of gov’t standards, accreditations and link back to all aspects of eGRC
• Reduce prep time for inspections and audits by as much as 80%
Reference back to
standards & regulations
Link back to associated compliance activities
Quick access to external
sites relevant to consumer
privacy
Ability to request acknowledgements that policies were read & understood
Questions?
Follow Perficient Online
Facebook.com/Perficient
Twitter.com/Perficient
Perficient.com/SocialMedia
Daily unique content about content management, user experience, portals and other enterprise information technology solutions across a variety of industries.
Next Month:
Achieve Budgeting and Forecasting Excellence with Enterprise Performance Management
Tuesday, June 29, 2010, 12:00 – 1:00 PM CST
Budgeting is often a manual process driven by spreadsheets that are error-prone, static, and generally speaking, not collaborative. The result is a static budget that becomes irrelevant as soon as the new fiscal year begins.
A more nimble response is needed for constantly changing market conditions. Planning needs to be a continuous, flexible exercise, based on rolling forecasts.
Through the careful application of best practices and the use of an automated Enterprise Performance Management system, intelligent enterprises can reap the benefits of flexible budgeting, accurate forecasting, and dynamic planning.