Privacy and Business:
1 / 40

Go Beyond Compliance to Competitive Advantage - PowerPoint PPT Presentation

  • Uploaded on

Privacy and Business:. Go Beyond Compliance to Competitive Advantage. Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario. Rotman School of Management Executive MBA Program March 18, 2005. Growth of Privacy as a Global Issue. (EU Directive on Data Protection)

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Go Beyond Compliance to Competitive Advantage' - hashim-torres

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Go beyond compliance to competitive advantage

Privacy and Business:

Go Beyond Compliance to Competitive Advantage

Ann Cavoukian, Ph.D.

Information & Privacy Commissioner/Ontario

Rotman School of Management

Executive MBA Program

March 18, 2005

Impetus for change

Growth of Privacy as a Global Issue.

(EU Directive on Data Protection)

Exponential growth of personal data collected, transmitted and exploited.

Convergence of growth in bandwidth, sensors, data storage and computing power.

Consumer Backlash; heightened consumer expectations

Impetusfor Change

And then came 9 11

U.S. Patriot Act and series of anti-terrorism laws introduced.

Served to expand powers of surveillance on the part of the state, and reduce judicial oversight.

And then came 9/11

The aftermath

It’s business as usual: introduced.

Clear distinction between public safety and business issues – make no mistake

NO reduction in consumer expectations

Increased value of trusted relationships

The Aftermath

Consumer attitudes

Business is not a beneficiary of the post-9/11 “Trust Mood”

Increased trust in government has not been paralleled by increased trust in business handling of personal information

Privacy On and Off the Internet: What Consumers Want

Harris Interactive, November 2001

Dr. Alan Westin

Consumer Attitudes

Importance of consumer trust

In the post-9/11 world: Mood”

Consumers either as concerned or more concerned about online privacy

Concerns focused on the business use of personal information, not new government surveillance powers

If consumers have confidence in a company’s privacy practices, consumers are more likely to:

Increase volume of business with company…….... 91%

Increase frequency of business……………….…... 90%

Stop doing business with company if PI misused…83%

Harris/Westin Poll, Nov. 2001 & Feb. 2002

Importance of Consumer Trust

Information privacy defined

Information Privacy: Data Protection Mood”

Freedom of choice; control; informational self-determination

Personal control over the collection, use and disclosure of any recorded information about an identifiable individual

Information Privacy Defined

What privacy is not

Security Mood” Privacy

What Privacy is Not

Privacy and security the difference

Authentication Mood”

Data Integrity



Privacy; Data Protection

Fair Information Practices


Organizational control of information through information systems

Privacy and Security: The Difference

Fair information practices a brief history

OECD Mood”Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

EU Directive on Data Protection

CSA Model Code for the Protection of Personal Information

Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

Fair Information Practices: A Brief History

Summary of fair information practices

Accountability Mood”

Identifying Purposes


Limiting Collection

Limiting Use, Disclosure, Retention


Summary of Fair Information Practices

  • Safeguards

  • Openness

  • Individual Access

  • Challenging Compliance

The ten commandments

1. Accountability Mood”

for personal information designate an individual(s) accountable for compliance

2. Identifying Purposes

purpose of collection must be clear at or before time of collection

3. Consent

individual has to give consent to collection, use, disclosure of personal information

The Ten Commandments

The ten commandments1

4. Limiting Collection Mood”

collect only information required for the identified purpose; information shall be collected by fair and lawful means

5. Limiting Use, Disclosure, Retention

consent of individual required for all other purposes

6. Accuracy

keep information as accurate and up-to-date as necessary for identified purpose

7. Safeguards

protection and security required, appropriate to the sensitivity of the information

The Ten Commandments

The ten commandments2

8. Openness Mood”

policies and other information about the management of personal information should be readily available.

9. Individual Access

upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and be given access to that information, be able to challenge its accuracy and completeness and have it amended as appropriate.

10. Challenging Compliance

ability to challenge all practices in accord with the above principles to the accountable body in the organization.

The Ten Commandments

Public sector privacy laws

Privacy Act (federal) Mood”

Access to Information Act, (federal).

Freedom of Information and Protection of Privacy Act (Ontario).

Municipal Freedom of Information and Protection of Privacy Act, (Ontario).

Public Sector Privacy Laws

Private sector pipeda

As of January 1, 2004, the federal Mood”Personal Information Protection and Electronic Documents Act applies to:

 all personal information collected, used or disclosed in the course of commercial activities by provincially regulated organizations

 unless a substantially similar provincial privacy law is in force

Private Sector: PIPEDA

Provincial private sector privacy laws

Québec Mood”: Act respecting the protection of personal information in the private sector

B.C.: Personal Information Protection Act

Alberta:Personal Information Protection Act

Ontario: Personal Health Information Protection Act

Provincial Private-Sector Privacy Laws

The bottom line

Privacy should be viewed as a Mood”business issue, not a compliance issue

The Bottom Line

The promise

Electronic Commerce projected to reach Mood”$220billion by 2001 WTO, 1998

Electronic Commerce projected to reach $133 billion by 2004

Wharton Forum on E-Commerce, 1999

The Promise

Estimates revised downward to reflect lower expectations

The reality

United States: e-commerce sales were only 1.6% of total sales -- $54.9 billon in 2003.

-U.S. Dept. of Commerce Census Bureau, November 2004

Canada: Online sales were only 0.8% of total revenues -- $18.6 billion in 2003

Statistics Canada, April 2004

Statistics Canada, April 2003

The Reality

Lack of privacy lack of sales

“Consumer privacy apprehensions continue to plague the Web. These fears will hold back roughly $15 billion in e-commerce revenue.”

Forrester Research, September 2001

“Privacy and security concerns could cost online sellers almost $25 billion by 2006.”

Jupiter Research, May 2002

Lack of Privacy = Lack of Sales

The business case

“Our research shows that 80% of our customers would walk away if we mishandled their personal information.”

CPO, Royal Bank of Canada, 2003

Nearly 90% of online consumers want the right to control how their personal information is used after it is collected.

The Business Case

Isf highlights damage done by privacy breaches

The Information Security Forum reported that a company’s privacy breaches can cause major damage to brand and reputation:

25% of companies surveyed experienced some adverse publicity due to privacy

1 in 10 had experienced civil litigation, lost business or broken contracts

Robust privacy policies and staff training were viewed as keys to avoiding privacy problems

The Information Security Forum, July 7, 2004

ISF Highlights Damage Done by Privacy Breaches

How the public divides on privacy
How the Public Divides on Privacy privacy breaches can cause major damage to brand and reputation:

The “Privacy Dynamic” - Battle for the minds of the pragmatists — Dr. Alan Westin

It s all about trust

“Trust is more important than ever online … Price does not rule the Web … Trust does.”

Frederick F. Reichheld, Loyalty Rules:

How Today’s Leaders Build Lasting Relationships

It’s All About Trust

The high road

“When customers DO trust an online vendor, they are much more likely to share personal information. This information

then enables the company to

form a more intimate relationship with its customers.”

Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders

Build Lasting Relationships

The High Road

Lack of trust on the web

“In 70% of instances where Internet users were asked to provide information in order to access an online informational resource, those users did not pursue the resource because they thought their privacy would be compromised.”

Narrowline Study, 1997

Lack of Trust on the Web

Trust and privacy policies

Fully 50% of online users said they would leave a Web site if they were unhappy with a company’s privacy policy.

Customer Respect Group, February 2004 survey

Trust and Privacy Policies

Falsifying information on the web

“42.1% have falsified information at one time or another when asked to register at a Web site.”

10th WWW User Survey, October 1998

Falsifying Information on the Web

Hot topics
Hot Topics when asked to register at a Web site.”

Go beyond compliance to competitive advantage

West Virginia scrap yard operator reported that since 2001, his telephone system has been deluged with confidential CIBC customer data (e.g. SIN, account information, client signature).

Bank acknowledges reports of the misdirected faxes dating back to February 2002.

Scrap yard operator filed a lawsuit against CIBC claiming his business was ruined. CIBC filed a court action accusing him of deliberately leaking customer data.


Identity theft

The fastest growing form of consumer fraud in North America. his telephone system has been deluged with confidential CIBC customer data (e.g. SIN, account information, client signature).

Identity theft is the most frequently cited complaint received by the F.T.C. — 10 million new victims, and $50 billion in losses every year.

According to PhoneBusters, fraud has now become one of the most pervasive forms of white-collar crime, costing Canadians $40 million since 1995.

November 2004 — ChoicePoint: Identity theft involving 145,000 persons.

December 2004 — Bank of America: 1.2 million records misplaced.

January 2005 — T-Mobile: Illegal access to 16.3 million records.

January 2005 — HSBC: 180,000 MasterCard records stolen.

March 2005 — LexisNexis: Identity theft involving 32,000 records.

March 2005 — DSW Inc: Hacker theft of 103 credit card numbers.

March 2005 — Boston College: Hacker theft of 120,000 alumni donor records

Identity Theft


A data aggregation and clearinghouse company that maintains databases of background information on virtually every U.S. citizen.

19 billion public records in its database: motor vehicle registrations, license and deed transfers, military records, names, addresses and Social Security numbers.

ChoicePoint routinely sells dossiers to police, lawyers, reporters and private investigators.


Choicepoint gateway for identity thieves

In a plot twist taken from a Hollywood movie, criminals were creating false identities to establish accounts with ChoicePoint and then using those accounts to commit identity theft.

In response, ChoicePoint:

Notified 35,000 Californians as required by California law, SB1386.

Will notify an additional 145,000 persons that “unauthorized third parties” had obtained their personal information.

Los Angeles police believe that the actual number of persons affected could be 500,000 or more.

ChoicePoint:Gateway for Identity Thieves

Choicepoint fallout and cost

ChoicePoint will re-screen and re-credential 17,000 customers to verify that they are legitimate businesses.

Since early February, ChoicePoint’s stock value has dropped by more than 23%.

February 2005, Lawsuit filed by identity theft victim.

March 2005, suspension of sales to small businesses — loss of 5% of annual revenue or $900 million.

March 2005, class action lawsuit filed by shareholders.

ChoicePoint:Fallout and Cost

Make privacy a corporate priority

An effective privacy program needs to be integrated into the corporate culture

It is essential that privacy protection become a corporate priority throughout all levels of the organization

Senior Management and Board of Directors’ commitment is critical

Make Privacy a Corporate Priority

Good governance and privacy

corporate culturePrivacy and Boards of Directors:

What You Don’t Know Can Hurt You”

Guidance to corporate directors faced with increasing responsibilities and expectation of openness and transparency

Privacy among the key issues that Boards of Directors must address

Potential risks if Directors ignore privacy

Great benefits to be reaped if privacy included in a company’s business plan

Good Governance and Privacy

Privacy diagnostic tool

Simple, plain-language tool (paper and e-versions) corporate culture

Free & self-administered

CSA model code to examine an organization’s privacy management practices

Privacy Diagnostic Tool

Final thought
Final Thought corporate culture

“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”

Forrester Research, March 5, 2001

How to contact us

How to Contact Us corporate culture

Commissioner Ann Cavoukian

Information & Privacy Commissioner/Ontario

2 Bloor Street East, Suite 1400

Toronto, Ontario M4W 1A8

Phone: (416) 326-3333