
Privacy for Business

Privacy for Business. "Privacy: the Biggest IT Challenge Yet?". The Learning Center at Miami Valley Research Park Greater Dayton IT Alliance Breakfast Forum, 9/18/02. Stephen Cobb, CISSP Senior Vice President Research & Education. Privacy for Business Agenda.


Presentation Transcript


  1. Privacy for Business
     "Privacy: the Biggest IT Challenge Yet?"
     The Learning Center at Miami Valley Research Park, Greater Dayton IT Alliance Breakfast Forum, 9/18/02
     Stephen Cobb, CISSP, Senior Vice President, Research & Education

  2. Privacy for Business Agenda
     • The privacy challenge—how we got here
     • Privacy imperatives—what you have to do
       • COPPA, FTCA, HIPAA, GLB, Torts, AGs
     • “No New Privacy Laws” = more FTC privacy prosecutions?
     • What happens when companies make privacy mistakes?
       • Eli Lilly, Ziff Davis, Microsoft, Doubleclick, Eckerd Drug
     • 4 Way Privacy Pressure = 4 X Privacy Risk
     • 3-step privacy program: Target, Treat, Train
     • The Chief Privacy Officer and the Privacy Team
     • The IT challenge and the Privacy Pay-off
     • Sources of assistance

  3. The Privacy Challenge — How We Got Here
     • Remember when cars were the greatest thing?
       • Then came smog, the oil crisis, etc.
     • Remember when computers were the greatest?
       • Then came security holes and the privacy crisis
     • The amount of information computerized in the last 5 years is staggering, and connectivity has exploded
     • Not everyone is happy with all the uses to which those data have been put, particularly the way some companies have used personally identifiable information (PII) for marketing purposes

  4. Privacy Concerns Are Clearly Increasing
     Chart: survey of 1500 consumers by Privacy and American Business. Fundamentalists want more privacy rules; pragmatists favor self-regulation.

  5. Privacy Was Front Page News Before 9/11

  6. Business Has Responded, But Slowly
     • So far only 51% of companies have privacy policies, even though 97% have Web sites and 53% use those sites for e-commerce
       • Weak sectors (retail, healthcare, manufacturing)
       • Stronger sectors (banking, transportation)
       • Computer Economics Institute, March 2002
     • Barely half of companies post privacy notices on their Web sites
     • 60% don’t monitor their Web sites to make sure they deliver the privacy that’s promised
       • Watchfire/PWC

  7. Privacy Imperatives: What You Have to Do
     • The Laws:
       • COPPA (kids on the Web)
       • HIPAA (covers a lot of health care organizations)
       • G-L-B (covers many finance-related companies)
       • FTCA? FTC’s mandate to act on “deceptive practices”
     • Torts—Established right of private privacy action
       • Yesterday Tammy, today Prozac in the mail box
       • Class action privacy lawsuits are on the increase
     • States Attorneys General—No downside for them
       • New York AG Spitzer particularly aggressive

  8. “No New Privacy Laws” = Many More Cases
     • Familiar argument: We don’t need any more laws, we need enforcement of existing laws
     • So the FTC is enforcing the law against “deceptive business practices”
     • For example, if you promise consumers you will protect their PII but PII is exposed, you deceived consumers and sought unfair advantage
       • See: Microsoft Passport case, Eli Lilly case, etc.
     • Note that breaking of promises does not need to be intentional to be judged deceptive

  9. When Companies Make Privacy Mistakes
     • Eli Lilly
       • Prozac email incident, FTC settlement, states
     • Microsoft Passport
       • FTC settlement, like Lilly, lasts 20 years
       • Fines if broken ($11K per incident)
     • DoubleClick
       • Class action, FTC, $400K states
     • Ziff Davis
       • Exposed credit cards on Web, identity theft resulted, $125K states
     • Eckerd Drug
       • Prescription drug signature sheets used as permission to market to patients—settled with Florida AG at a cost of $1 million (endows a university chair in Ethics)
     Consider the Fallout:
     • Stock price takes a hit
     • Press goes negative
     • Brand tarnished
     • Resources diverted
     • Opportunity costs mount (e.g. Marketing, Lobbying

  10. 4 Way Privacy Pressure = 4 X Privacy Risk
     Diagram: FTC, State AGs, Compliance and Civil Suits shown as the four sources of privacy pressure, together producing 4 X privacy risk.

  11. 3-step privacy program: Target, Treat, Train
     • Target
       • Find current privacy exposures and prioritize
       • (Talk to department heads, map data flows, ask questions, especially of marketing)
     • Treat
       • Make necessary changes and then institute policies and procedures to prevent recurrence
     • Train
       • Make sure everyone understands the importance of privacy, especially anyone who touches PII
       • (This goes a lot further than customer service, e.g. contracts, programming, product development)

  12. Privacy Incident Cost Containment Model
     • Identify biggest risk in key areas of the business
     • Fix these first
     • Move on to the lesser risks
     • While developing policy, procedures, training
     • Faster, cheaper risk reduction than “assess-then-amend”
     Chart: risk over time under the PICC approach versus Assess/Amend.

  13. Training for All Employees Who Touch PII
     Web-based training is very cost-effective

  14. General and Compliance Courses
     Third-party endorsed training is good due diligence

  15. Chief Privacy Officer and the Privacy Team
     • Appointing a CPO shows that your company takes privacy seriously
       • Great way to focus energy on privacy programs
       • But CPO quickly swamped, needs support team
     • CPO/Team must be inter-disciplinary (legal, technical, PR, marketing, management)
     • CPO has both internal and external roles
       • Riding herd on privacy policies, procedures, questions
       • Lobbying, networking, evangelizing, building brand differentiation based on privacy leadership

  16. The IT Challenge
     • Use IT security tools to serve customer interests as well as company interests
     • Security is about how you control access to data
     • Privacy is about who has access to data
       • And what they are allowed to do with it
     • Applies internally and externally:
       • What can marketing do with this data?
       • How do we keep this data from unauthorized outsiders?
       • While allowing authorized outsiders access to this data?
       • How do we track and respect customer privacy preferences?
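As an added illustration of the distinction drawn on this slide (this is example code, not material from the presentation or from any company it mentions), the following Python sketch puts the security question (may this role touch PII for this purpose?) in front of the privacy question (did this customer agree to that purpose?) and records every decision so promised handling can be audited. Role names, purposes and the two customer records are hypothetical, constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Purpose(Enum):
    SERVICE = "service"      # fulfilling the customer's own request
    MARKETING = "marketing"  # promotional use of PII
    RESEARCH = "research"    # internal analysis

@dataclass
class CustomerRecord:
    customer_id: str
    pii: dict                                    # e.g. name, email, purchases
    consented: set = field(default_factory=set)  # purposes the customer opted in to

# Security gate: which (hypothetical) roles may use PII for which purposes
ROLE_PERMISSIONS = {
    "support": {Purpose.SERVICE},
    "marketing": {Purpose.MARKETING},
    "analyst": {Purpose.RESEARCH},
}
AUDIT_LOG = []  # every decision is recorded so promised handling can be checked

def authorize(role, purpose, record):
    """Security check (role may act for this purpose), then privacy check
    (customer consented to it). Serving the customer's own request needs no consent."""
    if purpose not in ROLE_PERMISSIONS.get(role, set()):
        return False, f"role {role!r} may not use PII for {purpose.value}"
    if purpose is not Purpose.SERVICE and purpose not in record.consented:
        return False, f"customer {record.customer_id} did not consent to {purpose.value}"
    return True, "ok"

def access_pii(role, purpose, record):
    """Release PII only when both gates pass; log every attempt either way."""
    allowed, reason = authorize(role, purpose, record)
    AUDIT_LOG.append((role, purpose.value, record.customer_id, allowed))
    if not allowed:
        raise PermissionError(reason)
    return record.pii

def marketing_audience(records):
    """Campaign list built from preferences, so an opted-out customer is never mailed."""
    return [r.customer_id for r in records
            if authorize("marketing", Purpose.MARKETING, r)[0]]

# Constructed sample customers (not real data)
CUSTOMERS = [
    CustomerRecord("c1", {"email": "a@example.com"}, {Purpose.MARKETING}),
    CustomerRecord("c2", {"email": "b@example.com"}),  # never opted in to marketing
]
```

The audit log is what lets a company show that the privacy promised on its Web site is the privacy actually delivered.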

  17. Privacy Positives
     • Consumer response to trust seals shows privacy efforts do have a pay-off
       • More people buy when a Web site displays a trust seal
     • Recent tests of a trust stamp in email show that the model extends beyond the Web
       • Trust stamped email produced: 28% more opens, 42% more click-thrus

  18. Millions of Dollars Are at Stake
     • Royal Bank of Canada calculates that the shareholder value of its consumer and retail business is $9 billion (that’s US)
     • RBC has taken a privacy positive stance, has re-engineered its IT systems to track customer privacy preferences, ensuring they are respected by all bank departments, affiliates, partners
     • RBC has determined that privacy drives 7% of demand for the bank’s consumer/retail business
       • That values privacy at $630 million!

  19. Thank You! — For More Information
     • November 13 Executive Briefing “Privacy for Business”, The Learning Center
     • Email Stephen Cobb: sc at cobbassociates dot com
     • Check out: IAPO, International Association of Privacy Officers, www.privacyassociation.org
     • Privacy and Security Academy, Chicago, October 16-18
