
Page 1: Title

SOCIETY for INFORMATION MANAGEMENT
FAIRFIELD & WESTCHESTER CHAPTER

“Privacy, IT, and the Changing Landscape”

A Panel Discussion with

Doral Arrowwood, Rye Brook, New York
April 15, 2004

Bill Bandon – Wiggin & Dana, LLP
Indy Crowley – Yale University
Ruth Nelson – PricewaterhouseCoopers LLP
Eran Marom – Tory Ventures
Pete Petrusky – PricewaterhouseCoopers LLP (Moderator)

Page 2: Agenda

Introductions

Privacy & Fair Information Principles
– Privacy & Security

Privacy Legislation
– U.S. Perspectives & Enforcement Activity
– International Privacy Landscape

Privacy & Business
– Why It Is a Hot Topic
– Privacy Incidents

Panel Discussion

Q&A

Appendices
– Privacy Best Practices
– Reference Sites

Page 3: What is Privacy?

An individual’s right to:
– Know how their information is handled
– Control the information collected about them
– Control what that information is used for
– Control who has access to the information
– Amend, change & delete their personal information

Page 4: Fair Information Principles

– Collection
– Data quality
– Purpose specification
– Use limitation
– Security safeguards
– Openness
– Individual participation
– Accountability

Page 5: Privacy vs Security

PRIVACY
– Involves the whole information lifecycle
– Is about more than just protecting personal information
– Most privacy legislation includes security as one aspect

SECURITY
– Is a core component of good privacy practice
– Is a key instrument for executing privacy policies
– Viewed as a technology enabler, supporting policies, access controls, individual choice and 3rd party sharing

Page 6: The US Perspective – Jigsaw Regime

– Financial Services Modernization – Gramm-Leach-Bliley Act (GLBA)
– Health Insurance Portability and Accountability Act (HIPAA)
– Children’s Online Privacy Protection Act (COPPA)
– US Safe Harbor
– FTC & SAG Enforcement
– CAN-SPAM Act
– Patchwork of State Laws

Page 7: The Global Picture

Sample of Data Protection Laws Around the World

– The EU Data Protection Directive & comparable privacy legislation by 15 member states
– Switzerland – Federal Act on Data Protection (1992)
– Hungary – Protection of Personal Data and Disclosure of Data of Public Interest (1992)
– Czech Republic – Act on Protection of Personal Data (2000)
– Norway – Personal Data Registers Act of 2000
– Canada – Personal Information Protection and Electronic Documents Act (2000)
– Argentina – Personal Data Protection Act (2000)
– Chile – Law for the Protection of Private Life (1999)
– Australia – Privacy Amendment (Private Sector) Act (2001)
– Hong Kong – The Personal Data (Privacy) Ordinance (1996)
– New Zealand – Federal Privacy Act (1993)
– and more…

Recent privacy legislation (Australia, Hong Kong, Canada) is trending toward EU-style privacy regulation and away from U.S. sectoral/data-elements-based models.

Page 8: Privacy & Business

Question: What keeps you up at night?

Top 7 concerns for CEOs and Directors, based on recent research by the Personalization Consortium

CEOs and Boards of top e-Businesses
– Customer Loyalty
– Burn Rate/Profitability
– Privacy
– Sustainable Growth
– New Regulations
– Competition
– Staffing/Leadership

CEOs and Boards of Fortune 500s
– Shareholder Value
– Market Convergence
– Privacy/Data Integrity
– New Regulations
– Customer Loyalty
– Global Competition
– Technology Change

Page 9: Privacy & Business

Privacy Failures Can Have Major Consequences
– Damage to brand and reputation
– Loss of customers/increased costs for acquiring new ones
– Loss of revenues and new business opportunities
– Regulatory action/penalties for non-compliance
– Litigation
– International enforcement actions
– Disruption of cross-border data flows

Page 10: What are people talking about? Are consumers really concerned?

(Slide shows a collage of press headlines:)
– Hotmail glitch exposes email addresses
– Activists charge DoubleClick Double Cross
– AT&T customers’ privacy left blowing in the wind
– Yahoo sued over use of cookies
– AmEx, EDS May Face European Privacy Lawsuits
– Travelocity Privacy Violation
– Would You Sell Your Secrets for Free Internet Service?
– Report Labels Internet Privacy Policies ‘A Joke’
– Missouri Privacy Suit
– RealNetworks in Real trouble
– Lack of Notice Snags e-service
– Hackers bust Telecom NZ security compromising privacy
– Ikea exposes customer information on catalog site
– TiVo criticized by privacy group – TV service secretly collects info about viewers
– Privacy Suit Charges Sites with Misrepresentation Over Placing of Cookies on Users’ Drives
– AOL Time Warner in Privacy Dilemma
– CreditCards.com database stolen
– Devices Locate Children, Create Privacy Issues
– Amazon's Wish: No More Bad PR

Page 11: Managing Website Privacy

Current On-line Privacy Compliance Challenges

Assumes:
1. Web team knows about the corporate privacy policy and local legislative requirements
2. Web team is not using technologies or methods that breach the policy
3. Appropriate and adequate links to the privacy policy are maintained on every site
4. New or specific website transactions and functionality have been assessed for privacy risk
5. Back of house procedures have been developed to support the website’s privacy disclosures

Problem: Websites are not static and are large in nature
– Sites are growing and changing on a daily basis
– Challenge to monitor and ensure new content and new sites are in compliance with the privacy policy
– Too many privacy issues spread across too many web pages
– Difficult and labor intensive to measure current and ongoing compliance
– Costly to manage using existing tools and techniques
– Many individuals responsible for site creation
– Increases the risk of privacy glitches
– Privacy compliance becomes reactive rather than proactive

Page 12: Panel Discussion

Page 13: Questions?

Page 14: Privacy Red Flags

– Lack of an adequate privacy statement
– Privacy statement does not accurately reflect practices
– Back of house procedures do not support the policy disclosures
– Lack of privacy awareness throughout the company
  – Marketing, IT, web developers, business development
– New legislation and regulations which impact the business
– Existing transborder data flows to the US
– Use of third parties and new technologies
– Failure to maintain adequate security
– Websites or businesses operating in regulated regions

Page 15: Where to Begin…

– Mobilize appropriate resources
– Designate privacy champions and project governance team
– Determine privacy work that has previously been performed
– Communicate project needs and goals
– Assess privacy compliance requirements and drivers
– Develop the overall privacy vision and strategy
– Determine current level of privacy compliance based on existing procedures
– Determine high risk areas or areas that need specific focus

Page 16: Benefits of Good Privacy Practices

(Slide shows a diagram contrasting the outcomes of responsible privacy practices with those of privacy failures.)

Responsible Privacy Practices lead to:
– Brand Protection
– Customer Trust & Confidence
– Customer Loyalty
– Shareholder Value
– Responsible Customer Relationship Management
– Business Partner Confidence
– Differentiation from Competitors

Poor privacy practices lead to:
– Litigation
– Reputation Damage
– Interrupted Data Flows
– Privacy Breach
– Case for Regulation
– Unwanted Attention

Page 17: Maintaining Privacy Compliance

– Designate a privacy subject matter expert
– Continue to educate, train and raise awareness throughout the company
– Stay abreast of legislative and industry developments
– Build processes to manage changes to your website
– Review information handling practices periodically
– Assess new third parties’ and partners’ practices
– Assess information disclosures & third-party data sharing
– Disclose any changes in your policy
– Perform periodic compliance reviews
– Regular audits

Page 18: Conclusions

Good privacy practice:
– Enhances trust and consumer confidence
– Increases customer loyalty
– First mover advantage – competitive differentiation
– Aim for positive media, not negative
– Promotes shareholder value
– Reduces barriers to international trade
– Avoids litigation and regulatory action

Page 19: Reference Sites

Selected sites for topical research concerning information privacy:

– International Association of Privacy Professionals. www.privacyassociation.org
– Federal Trade Commission Site for Consumers. http://www.ftc.gov/
– U.S. Department of Commerce Site for Safe Harbor. http://www.export.gov/safeharbor/
– Privacy Foundation. http://www.privacyfoundation.org/
– TRUSTe Privacy Seal Program. http://www.truste.org
– BBBOnline Privacy Seal Program. http://www.bbbonline.org
– Electronic Privacy Information Center. http://www.epic.org
– Online Privacy Alliance. http://www.privacyalliance.org
– Draft Commission Decision on Standard Contractual Clauses on the Web. http://www.europa.eu.int. March 27, 2001.
– ICRT Comments on Binding Corporate Rules. http://www.icrt.org/pos_papers/2003/030930_EE.pdf
– Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. http://www.oecd.org
– Hong Kong Data Protection Act Summary. http://www.privacyexchange.org
– Privacy and Human Rights 2000. http://www.privacyinternatinal.org
– Proposed/Pending National Legislation. http://www.privacyexchange.org
– Recent Developments in Latin American Privacy Laws. http://www.haledorr.com
– Standardization: A Business Tool for Data Privacy. CEN/ISSS Open Seminar. http://www.cenorm.be