
A Privacy Primer

A Privacy Primer. Russ Mathews Enterprise Risk Services March 6, 2001. Agenda. Introduction General Privacy Issues Definition of Privacy Consumer Concerns Business Trends Business Considerations Regulatory Environment Technological Challenges Summary of General Privacy Issues.





Presentation Transcript


  1. A Privacy Primer Russ Mathews Enterprise Risk Services March 6, 2001

  2. Agenda • Introduction • General Privacy Issues • Definition of Privacy • Consumer Concerns • Business Trends • Business Considerations • Regulatory Environment • Technological Challenges • Summary of General Privacy Issues

  3. General Privacy Issues • Definition of Privacy • Consumer Concerns • Business Trends • Business Considerations • Regulatory Environment • Technological Challenges • Summary of General Privacy Issues

  4. Definition of Privacy
     Information Privacy refers to the right of individuals to determine when, how, and to what extent “personally identifiable information” will be shared with others, and it has broad implications for the collection, storage and dissemination of consumer information by companies. Personally identifiable information is defined, in general, as any information relating to an identified or identifiable individual. Depending on regulatory and national requirements, Privacy Initiatives and Principles may address:
     • Company responsibility for ownership of personal information collected
     • Providing notice of how personal information will be used
     • Limiting data collection to specific business objectives
     • Time limits on retention and storage of personal data
     • Consumer options for how personal information is used
     • Responsibility for the accuracy, integrity and security of consumer data

  5. General Privacy Issues • Definition of Privacy • Consumer Concerns • Business Trends • Business Considerations • Regulatory Environment • Technological Challenges • Summary of General Privacy Issues

  6. Consumer Concerns
     • 1999 Lou Harris-IBM Consumer Privacy Survey: 94% of Americans think personal information is vulnerable to misuse, and 78% claim they have refused to provide requested data to a business because they believe it is too personal.
     • Wall Street Journal poll conducted in the Fall of 1999: Americans were asked what they feared most in the new millennium. Privacy came out on top (29%), substantially higher than terrorism, global warming, and overpopulation (no higher than 23%).
     • Media Focus, Heightened Awareness, Public Perception

  7. General Concerns
     • Simple Irritation – Information bombardment
     • Feelings of Violation – Tracking what you read and watch
     • Fear of Harm – Misuse of information
     • Nightmarish Conspiracies – Government and Big Business (e.g., Orwellian vision of the future)

  8. Increasing Privacy Encroachment

  9. Feelings Of Loss of Control
     July 21, 2000. 39 States Object To Sale Of Toysmart’s Customer List. Toysmart, which filed for bankruptcy in June, is one of several e-commerce companies that either have sold or are trying to sell customer information, such as home addresses, phone numbers, transaction histories and family profiles. . . .
     Who owns personal data?

  10. General Privacy Issues • Definition of Privacy • Consumer Concerns • Business Trends • Business Considerations • Regulatory Environment • Technological Challenges • Summary of General Privacy Issues

  11. Business Trends • What has led to the current emphasis of collecting and using personally identifiable information? • As always, to sell more!

  12. Business Trends
     • How can you sell more and what does that have to do with privacy?
     • One-to-one marketing
       • Goal of all marketers
     • Rise of the Internet
       • Global
       • New channel for buying and selling
     • Increased computational power and speed
       • Moore’s Law
       • Speed and power required to process terabytes of information

  13. Business Trends • One-to-One Marketing? • Analytics: helps organizations to understand the consumers. • E-marketing: helps organizations define the structure for reaching their consumers. • Personalization: helps organizations provide one-to-one marketing of products and services to their consumers and customers.

  14. Business Trends • Analytics? • helps organizations to understand the consumers. • Raw data is useless to marketers. • Transform raw data into useful information. • Count heads, create reports, monitor web traffic, identify bottlenecks. • Create segments of customers based on behavior patterns.

  15. Business Trends • E-marketing? • helps organizations define the structure for reaching their consumers. • Uses the results from the analytics phase. • Helps to create marketing campaigns. • Can incorporate marketing results into a comprehensive plan to identify what to sell and when to sell.

  16. Business Trends • Personalization? • helps organizations provide one-to-one marketing of products and services to their consumers and customers. • Provides unique shopping experience to each user. • Rules-based customization. • Neural networks “learn” from experience. • Collaborative filtering uses statistical analysis.

  17. Business Trends The Goal: Organizations want to achieve one-to-one marketing. The Method: Organizations are collecting and using personally identifiable information to expand the capabilities of their data warehousing and data mining efforts. The Problem: There exists a very fine line between personalization and privacy invasion.

  18. Business Trends Personalization or Privacy Invasion?

  19. Litigation
     SAN DIEGO, Aug 2, 2000 (BUSINESS WIRE) -- Milberg Weiss today announced that a class action was filed on July 28, 2000 on behalf of all persons who have visited either www.toysrus.com or www.babiesrus.com and have had their private online Web browsing activities and their confidential information covertly monitored, intercepted and/or transmitted to third parties by Toys R Us (NYSE:TOY) (the "Class").
     August 15, 2000 -- Toys R Us Inc. [NYSE:TOY] has stopped using the services of Coremetrics.com, a market data collection company that figured in lawsuits alleging ...
     August 14, 2000 -- Coremetrics uses technology such as Web bugs and cookies--or tiny digital identifying tags that track visitors' whereabouts online--to compile information about online shoppers. For example, its technology can record when a consumer adds a product to his or her shopping cart then takes it out. With this information, online stores could potentially send an email to the consumer offering a discount on the product he or she decided against. Using JavaScript, Coremetrics can also extract personally identifiable information such as names, addresses and phone numbers from online forms filled out during the checkout process.
     Website Statement Concerning CoreMetrics: For a short period of time, we had a trial arrangement with a service called CoreMetrics to assist us in evaluating information about how visitors use our site. This trial arrangement is no longer in effect. As part of this service, cookies may have been placed on the computer systems of certain visitors to our site. Because we no longer are using CoreMetrics' services, future visitors to our site will not have CoreMetrics cookies placed on their systems.

  20. Litigation
     • Financial Institutions:
       • U.S. Bancorp: allegedly sold credit card information to MemberWorks
       • Chase Manhattan Bank: allegedly provided information to non-financial direct marketers about its credit card and mortgage customers
       • Charter Pacific Bank: allegedly sold credit card data base to pornographic website

  21. General Privacy Issues • Definition of Privacy • Consumer Concerns • Business Trends • Business Considerations • Regulatory Environment • Technological Challenges • Summary of General Privacy Issues

  22. Business Considerations
     • Stuck between a rock and a hard place…
     • Rock: Regulations, consumer groups, class action law firms and regulatory agencies are litigating or considering litigation to curtail business use of private data.
     • Hard Place: In order to compete effectively in today’s market, businesses need to become better at gaining and retaining customers.

  23. Business Considerations
     • Privacy Is A Multi-dimensional Challenge
     • Technology Issues Are Complex
     • What Level Of Data “Stewardship” Does Your Customer Base Demand?
     Other rocks and hard places…
     • Marketing
     • Human Resources
     • Risk Management
     • Financial Reporting
     • Senior Management
     • Legal
     • Compliance
     • Information Technology
       • Cookies
       • Applets
       • Databases
       • Banner ads

  24. Business Considerations
     Business Issues Driving Privacy Initiatives: Extended Enterprise, Globalization, Regulatory Requirements, Competition, Customer Sensitivity, Brand Image

  25. Business Considerations
     • How to handle the rock and hard place issue: create an effective privacy initiative using the following steps:
       • Retaining a Chief Privacy Officer (CPO)
       • Creating a task group to evaluate and propose a comprehensive privacy initiative for the entire organization (headed by the CPO)
       • Restructuring technology and business practices for privacy compliance
       • Educating and training for privacy awareness
       • Evaluating applications, products, services and third parties for privacy compliance on a periodic basis

  26. Business Considerations
     Rise of the Chief Privacy Officer (CPO)
     “The rise in CPOs stems from one of two reasons: damage control and prevention.”
     • Damage Control
       • RealNetworks
       • Doubleclick
     • Prevention
       • Microsoft
       • American Express
       • Citigroup
       • Prudential Insurance

  27. Business Considerations
     Duties of the Chief Privacy Officer
     • Organize and coordinate Privacy Task Force or Committee
     • Commission or conduct privacy risk assessment and inventory of privacy risks
     • Track privacy environment and provide reports
     • Monitor privacy law and regulations compliance
     • Develop privacy policies and procedures
     • Do privacy review of new products and new Net developments
     • Support employee privacy training
     • Interact with consumer groups and regulators
     • Provide contact point for consumers
     • Manage privacy dispute resolution
     • Speak for the company and prepare executives for legislative/agency testimony
     • Conduct regular/annual privacy audits
     • Report to top management

  28. Business Considerations
     • What are the costs of not having a comprehensive privacy initiative?
       • Loss of brand image
       • Loss of revenue
       • Loss of share price
       • Cost of litigation and class action suits
       • Cost of penalties for non-compliance
       • Damage to public trust
       • Damage to employee morale

  29. General Privacy Issues • Definition of Privacy • Consumer Concerns • Business Trends • Business Considerations • Regulatory Environment • Technological Challenges • Summary of General Privacy Issues

  30. Regulatory Concerns (Source: Forrester, May 2000)
     Diagram: data flows from Web Sites to Partners/Affiliates/Subsidiaries, Other Third Parties, Ad Networks and Offline Transactions, with a question posed at each link:
     1) What kinds of notice should Web sites be required to provide before they collect information? Should limits be imposed on what can be collected and how long it can be kept?
     2) Should consumers have a right to opt out or opt in before Web sites channel ad networks’ cookies to their machines?
     3) What kind of sharing takes place with a Web site’s business partners, which are considered “third parties”?
     4) Should Web sites be required to have opt-in or opt-out policies on third-party data sharing?
     6) What access should consumers have to their information?

  31. Disjointed US Market Approach
     • Deceptive Trade Practices
       • FTC Enforcement
     • Health Care
       • HIPAA Privacy & Security Standards
     • EU Safe Harbor Principles
       • Unknown acceptance
     • Financial & Insurance Industry
       • Gramm-Leach-Bliley Act (implementation 7/2001)
       • NAIC Model Law
     • The Children’s Online Privacy Protection Act
     • Proposed Consumer Legislation In Congress and Multiple States

  32. Proliferation of Privacy Regulations
     Regulations shown on the world map: FTC, HIPAA, NAIC, GLB, Safe Harbor Principle, COPPA; Personal Information Protection and Electronic Documents Act; UK Data Protection Act; Following EU Data Protection Directive; Federal Privacy Amendment Bill; Guidelines for the Protection of Computer Processed Personal Data; Privacy Ordinance; E-Commerce Code for the Protection of Personal Information
     • Information crossing multiple borders
     • Complex third party relationships (providers, buying exchanges, alliances)
     • Increased use of web-based applications and systems
     • Restrictive regulatory environment being adopted across regions

  33. Increasing Regulatory Tension
     • European Union findings show that the United States does not provide adequate protection for Personally Identifiable Data
     • Multiple regulatory agencies promulgating various rules for the same statute (e.g., GLB Act and SEC, Banking and FTC rules)
     • State Legislatures enacting conflicting laws (e.g., must give customer opt-in rights v. opt-out rights)

  34. Gramm-Leach-Bliley Act
     Financial Services Modernization Act of 1999
     Condensed Timeline:
     • November 12, 1999 – GLB signed into law
     • May 2000 – several Federal agencies published their final rules (OTS, FDIC, FTC)
     • June/July 2000 – final rules published
     • November 13, 2000 – GLB privacy regulations enacted
     • July 1, 2001 – mandatory compliance deadline

  35. Gramm-Leach-Bliley Act
     Scope of Coverage:
     • Financial Institutions: any institution significantly engaged in financial activities
     • Non-Public Personal Information: personally identifiable financial information provided by a consumer to a financial institution, resulting from any transaction with the consumer or any service performed for the consumer, or otherwise obtained by the financial institution.
     • Consumer vs. Customer:
       • Consumer: an individual who obtains a financial product or service for personal, family or household purposes; occasional or isolated contact (e.g., ATM cash)
       • Customer: has an established relationship (e.g., depositor, borrower, or insurance policyholder)

  36. Gramm-Leach-Bliley Act
     Statutory Requirements:
     • Clearly and conspicuously give a privacy notice to each consumer customer, at least once each year, of the institution’s policies for collecting and sharing nonpublic personal information
       • A mere consumer need not receive a privacy notice, unless the financial institution intends to disclose that individual’s nonpublic personal information to nonaffiliated third parties
     • Afford consumers choice (e.g., the right to “opt-out” of disclosures to non-affiliated third parties), subject to certain exceptions
       • Opt-out does not apply with respect to affiliate disclosure
     • Cannot disclose account access information (e.g., account numbers) to third party marketers
     • Abide by regulatory standards to protect the security and confidentiality of consumer non-public personal information

  37. Gramm-Leach-Bliley Act
     Notice: Initial and Annual:
     • Categories of NPI collected
     • Categories of NPI disclosed to others
     • Categories of entities to whom NPI is disclosed
     • Disclosure practices with regard to former customers
     • NPI disclosed under joint marketing/agency exceptions
     • Gramm-Leach-Bliley opt-out right
     • FCRA opt-out right: applies to “secondary” information that a customer may volunteer in certain applications to a financial institution (e.g., an income statement). Does not apply to “experience” information.
     • Security and confidentiality practices and procedures
     • Disclosures covered by general exceptions (need only say that “certain other disclosures are made ‘as permitted by law’”)

  38. Gramm-Leach-Bliley Act
     Opt-Out: A financial institution may not disclose NPI to a “nonaffiliated” third party unless:
     • The financial institution clearly and conspicuously discloses to the consumer that such information may be disclosed to the third party;
     • The consumer is given the opportunity to direct that the information not be disclosed to the third party; and
     • The consumer is given an explanation of how to exercise that right.
     The opt-out right must be easy to exercise and reasonable:
     • A reply form with check-off boxes and a return address
     • It is unreasonable to require the consumer to write a letter

  39. Gramm-Leach-Bliley Act
     NPI Sharing Exceptions:
     • Necessary to process a transaction requested or authorized by the customer
     • Necessary to effect, administer or enforce transaction
     • Made with the consent of the consumer
     • Made to protect against fraud
     • Made to a consumer reporting agency
     • Made in connection with the merger or sale of a financial institution
     • Made to comply with a regulatory investigation
     • Made to auditors
     • Service Provider/Joint Marketing
       • A third party provides services on behalf of financial institution
       • Two financial institutions jointly market a product or service
     Re-Use/Disclosure Restrictions Apply

  40. Gramm-Leach-Bliley Act
     Timing Issues:
     • July 1, 2001 Date Misleading
     • Nonaffiliated Third Party Sharing:
       • Must provide consumers with approximately 30 days to make “opt-out” choice
       • Financial institution requires reasonable amount of time to collect and implement opt-out choices made by consumers
       • Must implement no later than end-April 2001
     Regulators Overseeing Preparedness:
     • Office of Thrift Supervision Privacy Preparedness Check-Up
     • Office of Comptroller of Currency Advisory Notice

  41. COPPA – Children’s Online Privacy Protection Act of 1998
     • The final ruling of the Act went into effect on April 21, 2000.
     • Applies to organizations or individuals who operate a commercial Web site or an online service directed to children under the age of 13 that collects personal information from children, AND to those who operate a general audience Web site, if they have actual knowledge that they collect personal information from children;
     • Requires a link to the institution's privacy notice on the home page and at each area where it collects personal information from children;
     • The notice itself must be clearly written and understandable and should not include unrelated or confusing materials;
     • Parental consent must be obtained before a child's personal information is collected, used or disclosed;
     • A new notice must be furnished if there are material changes in the collection, use or disclosure practices.

  42. Federal Health Privacy Regulations (“HIPAA”)
     Health Insurance Portability and Accountability Act, finalized December 20, 2000
     • What entities are regulated: Health Plan Providers, Health Care Clearinghouses, Certain Health Care Providers
     • What information is covered: Protected Health Information: in general, information related to physical or mental health, the provision of health care, or the payment of health care

  43. Federal Health Privacy Regulations (“HIPAA”)
     • Key provisions include:
       • Access - People have the right to see and copy their own medical records. Most states do not currently grant people such broad access.
       • Limits on Disclosure - The regulation greatly restricts access to health information. Of note: for disclosures relating to treatment, payment and health care operations, providers must obtain patient consent.
       • Employers - Employers are barred from receiving "protected health information" except for specific functions related to providing and paying for health care. Employers must establish a firewall between the health care division and employees who make decisions about employment.

  44. Federal Health Privacy Regulations (“HIPAA”)
     • Key provisions continued:
       • Law Enforcement - Health care providers and plans are prohibited from releasing patient data to federal, state, or local law enforcement without some form of legal process, including a warrant, court order or administrative subpoena.
       • Research - All research, whether publicly or privately funded, must be overseen by either an Institutional Review Board (IRB) or Privacy Board if the researcher seeks a waiver of informed consent.
       • Penalties - Health care providers, health plans, and clearinghouses are subject to civil and criminal penalties (up to $250,000/year and 10 years in jail) for violating the law. HIPAA constrained the Secretary from including a private right of action for individuals to sue for violations of the law.

  45. EU Data Protection Directive
     Cross-Border Flow Of Personally Identifiable Information
     EU Data Protection Principles:
     • Adequate, relevant and not excessive
     • Fairly and lawfully processed
     • Processed for limited purposes
     • Accurate and Secure
     • Not kept longer than necessary
     • Not transferred to countries without adequate protection
     • Processed in accordance with the data subject's rights
     European Union finding that the United States does not provide an adequate level of data protection for PII

  46. Safe Harbor Principles
     Principles establish an “adequate” level of data protection for non-financial United States companies
     • Notice - Organizations must inform individuals how collected information will be used
     • Choice - Individuals must be given an opportunity to choose to provide information if it is disclosed to a third party or used for purposes incompatible with the original purposes
     • Upstream transfer - Organizations must ensure that third parties receiving data also follow Safe Harbor principles
     • Security/Data Integrity - Reasonable precautions must be taken to protect personal information from loss, misuse and unauthorized access, disclosure and alteration
     • Access - Individuals must have access to information collected about them. Organizations should take reasonable steps to ensure that data is collected for the intended use, accurate, complete and current
     • Enforcement - Organizations must provide effective means for ensuring compliance with Safe Harbor principles and consequences for non-compliance

  47. Consequences of Non-Adoption of Safe Harbor
     • Must adhere to privacy standards as interpreted in each EU member state (as opposed to one standard)
     • Subject to actions brought by each EU member state where directive is violated, and possible shutdown of cross border data flows and assessment of damages
     • Negative publicity and possible loss of market share in EU member states
     • However, certification without complete adoption of Safe Harbor Principles can subject a company to regulatory action in the United States and in the EU.

  48. General Privacy Issues • Definition of Privacy • Consumer Concerns • Business Trends • Business Considerations • Regulatory Environment • Technological Challenges • Summary of General Privacy Issues

  49. Technological Challenges
     • Written procedures often fail to accurately reflect actual systems capabilities and practices.
     • Information may be stored incorrectly and shared with third parties.
     • Organizations may not have inventoried personally identifiable information, and may not understand data flows through systems and processes.
     • Web sites are easily able to record and track individual identity and associated activities on the Internet.
     • Current technology infrastructure may be unable to incorporate policies and controls to comply with notice, choice and security requirements.
     • Information systems are rarely integrated and unable to capture the total customer relationship throughout an enterprise.
     • Business and legal departments may be unfamiliar with the capabilities of their enterprise technology and its implementation.

  50. “We’re going to do a Smith & Wesson on DoubleClick” - Michigan State Attorney General
     DoubleClick created profiles of individuals using the World Wide Web by placing a cookie with a unique identification number on users’ browsers. When a browser goes to a member web site which contains an invisible DoubleClick graphic, a request is sent to the DoubleClick server, which assigns the user’s browser a cookie containing a unique identification number. From that time forward, whenever the user connects to any Web site that subscribes to the DoubleClick system, their browser returns the identification number to the DoubleClick server, allowing the server to recognize her. Over a period of time DoubleClick compiles a list of which member sites the user has visited and revisited and a profile of the user’s tastes and interests. This information is used to compile valuable feedback for its member Web sites, such as providing them with audience profiles.
     Diagram: Browser → Internet → Web Site X, with the embedded graphic request going to the DoubleClick Server; Browser → Internet → Web Site Y, with the same request going to the DoubleClick Server.
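The cookie exchange slide 50 describes, modelled end to end as an added example (this is not code from the presentation or from DoubleClick). It assumes two constructed member sites (site-x.example, site-y.example) that both embed an invisible graphic served from a placeholder tracker host (ads.tracker.example), a tracker server that assigns an ID cookie on first contact and logs the referring site on every later request, and a browser cookie jar keyed by host. The mitigation it also models, blocking third-party cookies in the browser, is an assumption about the defence, not something the slide discusses:

```python
"""Third-party cookie tracking simulation (added example, not code from the
presentation or from DoubleClick). All hostnames are constructed placeholders."""
import itertools
from collections import defaultdict

TRACKER_HOST = "ads.tracker.example"  # constructed placeholder, not a real domain


class TrackerServer:
    """Server behind the invisible graphic: one unique ID per browser,
    plus a log of which member sites each ID has been seen on."""

    def __init__(self):
        self._next_id = itertools.count(1000)
        self.profiles = defaultdict(list)  # cookie value -> referring sites seen

    def serve_pixel(self, cookie, referer):
        """Handle a request for the graphic. Returns (set_cookie, body)."""
        set_cookie = None
        if cookie is None:                     # first contact: assign an ID
            cookie = f"id={next(self._next_id)}"
            set_cookie = cookie
        self.profiles[cookie].append(referer)  # link this member site to the ID
        return set_cookie, b"GIF89a"           # stands in for the 1x1 image body


class Browser:
    """Cookie jar keyed by host. With third-party blocking on, cookies for a
    host other than the page's own host are neither sent nor stored."""

    def __init__(self, block_third_party_cookies=False):
        self.jar = {}
        self.block_third_party = block_third_party_cookies

    def visit(self, page_host, tracker):
        """Load a member page; its embedded graphic triggers a tracker request
        whose Referer is the page host. Returns the cookie that was sent."""
        third_party = page_host != TRACKER_HOST
        allow_cookies = not (self.block_third_party and third_party)
        cookie = self.jar.get(TRACKER_HOST) if allow_cookies else None
        set_cookie, _body = tracker.serve_pixel(cookie, referer=page_host)
        if set_cookie is not None and allow_cookies:
            self.jar[TRACKER_HOST] = set_cookie  # browser keeps the assigned ID
        return cookie


def run_scenario(block_third_party_cookies):
    """One browser visits site X, site Y, then site X again.
    Returns the tracker's profiles: {cookie: [referring sites]}."""
    tracker = TrackerServer()
    browser = Browser(block_third_party_cookies)
    for site in ("site-x.example", "site-y.example", "site-x.example"):
        browser.visit(site, tracker)
    return dict(tracker.profiles)


def max_sites_linked(profiles):
    """Largest number of distinct member sites tied to a single ID, i.e. how
    much cross-site correlation the tracker achieved."""
    return max(len(set(sites)) for sites in profiles.values())


if __name__ == "__main__":
    for blocking in (False, True):
        profiles = run_scenario(blocking)
        print(f"third-party cookies blocked={blocking}: {profiles} "
              f"-> at most {max_sites_linked(profiles)} site(s) linked per ID")
```

With blocking off, the first request gets id=1000 and the same ID comes back from site X, site Y and site X again, so one profile spans both member sites. With blocking on, the tracker hands out a fresh ID on every request but the browser discards each Set-Cookie, so no ID is ever seen on more than one site and the cross-site profile never forms; the graphic still loads, so the tracker also still sees the per-page request, which is why the slide's "invisible graphic" is the artifact a privacy review of a site's pages should inventory.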
