Privacy and Business: Go Beyond Compliance to Competitive Advantage. Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario. Rotman School of Management Executive MBA Program March 18, 2005. Growth of Privacy as a Global Issue. (EU Directive on Data Protection)
Go Beyond Compliance to Competitive Advantage
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
Rotman School of Management
Executive MBA Program
March 18, 2005
Served to expand powers of surveillance on the part of the state, and reduce judicial oversight.
And then came 9/11
Increased trust in government has not been paralleled by increased trust in business handling of personal information
Privacy On and Off the Internet: What Consumers Want
Harris Interactive, November 2001
Dr. Alan Westin
Consumer Attitudes
Consumers either as concerned or more concerned about online privacy
Concerns focused on the business use of personal information, not new government surveillance powers
If consumers have confidence in a company’s privacy practices, consumers are more likely to:
Increase volume of business with company: 91%
Increase frequency of business: 90%
Stop doing business with company if PI misused: 83%
Harris/Westin Poll, Nov. 2001 & Feb. 2002
Importance of Consumer Trust
EU Directive on Data Protection
CSA Model Code for the Protection of Personal Information
Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
Fair Information Practices: A Brief History
for personal information designate an individual(s) accountable for compliance
2. Identifying Purposes
purpose of collection must be clear at or before time of collection
individual has to give consent to collection, use, disclosure of personal information
The Ten Commandments
collect only information required for the identified purpose; information shall be collected by fair and lawful means
5. Limiting Use, Disclosure, Retention
consent of individual required for all other purposes
keep information as accurate and up-to-date as necessary for identified purpose
protection and security required, appropriate to the sensitivity of the information
The Ten Commandments
policies and other information about the management of personal information should be readily available.
9. Individual Access
upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and be given access to that information, be able to challenge its accuracy and completeness and have it amended as appropriate.
10. Challenging Compliance
ability to challenge all practices in accord with the above principles to the accountable body in the organization.
The Ten Commandments
all personal information collected, used or disclosed in the course of commercial activities by provincially regulated organizations
unless a substantially similar provincial privacy law is in force
Private Sector: PIPEDA
Electronic Commerce projected to reach $133 billion by 2004
Wharton Forum on E-Commerce, 1999
The Promise
Estimates revised downward to reflect lower expectations
-U.S. Dept. of Commerce Census Bureau, November 2004
Canada: Online sales were only 0.8% of total revenues -- $18.6 billion in 2003
Statistics Canada, April 2004
Statistics Canada, April 2003
The Reality
Forrester Research, September 2001
“Privacy and security concerns could cost online sellers almost $25 billion by 2006.”
Jupiter Research, May 2002
Lack of Privacy = Lack of Sales
CPO, Royal Bank of Canada, 2003
Nearly 90% of online consumers want the right to control how their personal information is used after it is collected.
The Business Case
25% of companies surveyed experienced some adverse publicity due to privacy
1 in 10 had experienced civil litigation, lost business or broken contracts
Robust privacy policies and staff training were viewed as keys to avoiding privacy problems
The Information Security Forum, July 7, 2004
ISF Highlights Damage Done by Privacy Breaches
The “Privacy Dynamic” - Battle for the minds of the pragmatists — Dr. Alan Westin
Frederick F. Reichheld, Loyalty Rules:
How Today’s Leaders Build Lasting Relationships
It’s All About Trust
then enables the company to
form a more intimate relationship with its customers.”
Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders
Build Lasting Relationships
The High Road
Narrowline Study, 1997
Lack of Trust on the Web
Customer Respect Group, February 2004 survey
Trust and Privacy Policies
10th WWW User Survey, October 1998
Falsifying Information on the Web
Bank acknowledges reports of the misdirected faxes dating back to February 2002.
Scrap yard operator filed a lawsuit against CIBC claiming his business was ruined. CIBC filed a court action accusing him of deliberately leaking customer data.
CIBC
Identity theft is the most frequently cited complaint received by the F.T.C. — 10 million new victims, and $50 billion in losses every year.
According to PhoneBusters, fraud has now become one of the most pervasive forms of white-collar crime, costing Canadians $40 million since 1995.
November 2004 — ChoicePoint: Identity theft involving 145,000 persons.
December 2004 — Bank of America: 1.2 million records misplaced.
January 2005 — T-Mobile: Illegal access to 16.3 million records.
January 2005 — HSBC: 180,000 MasterCard records stolen.
March 2005 — LexisNexis: Identity theft involving 32,000 records.
March 2005 — DSW Inc: Hacker theft of 103 credit card numbers.
March 2005 — Boston College: Hacker theft of 120,000 alumni donor records.
Identity Theft
19 billion public records in its database: motor vehicle registrations, license and deed transfers, military records, names, addresses and Social Security numbers.
ChoicePoint routinely sells dossiers to police, lawyers, reporters and private investigators.
ChoicePoint
In response, ChoicePoint:
Notified 35,000 Californians as required by California law, SB1386.
Will notify an additional 145,000 persons that “unauthorized third parties” had obtained their personal information.
Los Angeles police believe that the actual number of persons affected could be 500,000 or more.
ChoicePoint: Gateway for Identity Thieves
Since early February, ChoicePoint’s stock value has dropped by more than 23%.
February 2005, Lawsuit filed by identity theft victim.
March 2005, suspension of sales to small businesses — loss of 5% of annual revenue or $900 million.
March 2005, class action lawsuit filed by shareholders.
ChoicePoint: Fallout and Cost
It is essential that privacy protection become a corporate priority throughout all levels of the organization
Senior Management and Board of Directors’ commitment is critical
Make Privacy a Corporate Priority
What You Don’t Know Can Hurt You”
Guidance to corporate directors faced with increasing responsibilities and expectation of openness and transparency
Privacy among the key issues that Boards of Directors must address
Potential risks if Directors ignore privacy
Great benefits to be reaped if privacy included in a company’s business plan
Good Governance and Privacy
Free & self-administered
CSA model code to examine an organization’s privacy management practices
www.ipc.on.ca/PDT
Privacy Diagnostic Tool
“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”
Forrester Research, March 5, 2001