S-1  ePrivacy Assurance
October 6, 2001, 9:00 am – 10:30 pm
(Lifecycle diagram: Plan / Design, Build, Implement, Assess, Monitor)
© Deloitte & Touche LLP 2001

S-2  PERSONAL INFORMATION PRIVACY – ePrivacy Assurance
ROBERT PARKER, Partner, Deloitte & Touche
rparker@deloitte.ca
(416) 601-5927

S-3  ePrivacy Assurance
Personal Information Privacy and the various legislation, regulations and guidance thereon raise complex issues. This presentation is designed to provide a general overview of some of the issues in addressing privacy in an eBusiness environment. It is not intended to provide professional advice. Participants should obtain professional advice for specific issues. Neither the Conference Organizers, the University of Waterloo, the CICA, Deloitte & Touche LLP nor the presenter can accept responsibility for reliance on the contents of this presentation.

S-4  PERSONAL INFORMATION PRIVACY – Concerns Increase

S-5  Privacy Trends
• eBusiness
  – Global sites - Global exposures
  – Extraterritorial nature of legislation
• Information Economy
  – Business value of information
  – Knowledge is Power
• Business use of personal information
  – Marketing
  – Research
  – Sell it!

S-6  eBusiness
• Privacy (trust) is considered key to the digital economy (eBusiness)
• Privacy Advocacy Groups
• Public Awareness and Concern
• Governments establishing public sector policies, creating a similar expectation of business

S-7  User Trust
Amazon.com sued over privacy invasion
• Relayed personal information to its subsidiary Alexa
• Suit claims information transfer violated:
  – U.S. Electronic Communications Privacy Act
  – U.S. Computer Fraud and Abuse Act
  – California Business and Profession Code
Information Week - February 28, 2000 (Informationweek.com/773/privacy.htm)

S-8  amazon.com
(Screenshot of the amazon.com site)

S-9  Royal Bank
TORONTO, Sept. 14 (2000) /CNW/ - A new corporate benchmark for safeguarding Canadians' personal consumer information was established today as Royal Bank named Peter Cullen its corporate privacy officer. Cullen ranks among the first in the financial services industry to hold a position that deals exclusively with the use and protection of clients' personal information.
"THIS IS THE WAY TO DO BUSINESS IN THE NEW ECONOMY. WE'RE BUILDING ON THE TRUST THAT IS A CORNERSTONE OF BANKING IN CANADA." (Peter Cullen – Corporate Privacy Officer)

S-10  New York Life
"THIS ISN'T JUST A LEGAL COMPLIANCE ISSUE FOR US. WE CONSIDER THE PRIVACY ISSUE TO BE AN OPPORTUNITY TO REINFORCE OUR BRAND IMAGE" (Tom Warga – Chief Privacy Officer)

S-11  Privacy is a Global Issue – GLOBAL LEGISLATION AND REGULATIONS

S-12  Privacy is a Global Issue
• PIPEDA
• Council of Europe Convention
• OECD Guidelines
• UN Guidelines
• EU Directive 95/46/EC

S-13  Privacy is a Global Issue – Privacy Legislation
• Countries are adopting privacy legislation for social and competitive reasons
• Internet is a driver
• United Nations and OECD Guidelines/Policies
• EU Directive: Article 25
The Global Perspective
• Over 50 countries and counting: legislation
• Alternative approaches: self-regulation; technology
• Privacy seals

S-14  EU Data Protection Directive
EU Data Protection Principles
• Adequate, relevant and not excessive
• Fairly and lawfully processed
• Processed for limited purposes
• Accurate and Secure
• Not kept longer than necessary
• Not transferred to countries without adequate protection
• Processed in accordance with the data subject's rights
We have experience assisting our clients addressing the EU regulations.

S-15  Global Privacy Legislation
• OECD Guidelines - September 1980: Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data
• United Nations Guidelines - December 1990: Guidelines Concerning Computerized Personal Data Files
• European Directive 95/46: Directive on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data
The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

S-16  UNITED STATES
The European Union is taking an aggressive position to protect the Privacy Rights of their citizens.
Source: USA Today, June 7, 2000, D-1

S-17  SAFE HARBOUR PRINCIPLES
• NOTICE: an organization must inform individuals of the purposes for which it collects and uses their information, how to contact it with inquiries and complaints, the types of third parties to which it discloses the information and the choices and means it offers for limiting the use and disclosure of their information
• CHOICE: individuals must be given the opportunity to choose (opt-out) whether and how their information is disclosed to a third party or used for purposes incompatible with the original purposes
• ONWARD TRANSFER: disclosure of personal information must be consistent with the principles of notice and choice
• SECURITY: reasonable precautions must be taken to protect personal information from loss, misuse and unauthorized access, disclosure and alteration
• DATA INTEGRITY: personal information should be relevant for the purposes for which it was collected. An organization should take reasonable steps to ensure that data is reliable for the intended use, accurate, complete and current
• ACCESS: individuals must have access to personal information held and be able to correct, amend or delete it where it is inaccurate (exceptions exist)
• ENFORCEMENT: mechanisms must be put in place for assuring compliance with the principles, for recourse for individuals affected by non-compliance and for consequences for non-compliance

S-18  SAFE HARBOR PRINCIPLES
The European Commission and the US Department of Commerce announced on March 15, 2000 that they had reached agreement on the Safe Harbor principles. However, the EU Parliamentary Committee on Citizens' Freedoms and Rights produced a report that criticized the Safe Harbor as a weak, voluntary regime lacking the force of law. The European Parliament contested the Commission's decision that the protection for personal data provided by the Safe Harbor system is adequate. Parliament did not find that the Commission exceeded its legal powers in developing the agreement with the US Commerce Department, and this means that the deal remains in place. Came into effect November 2000.

S-19  Current Safe Harbor Registration (as of August 13, 2001)
• Acurian, Inc.
• Acxiom Corporation
• Adar International, Inc.
• ArvinMeritor Inc.
• Audits & Surveys Worldwide
• Baxter International Inc.
• Berkshire Information Systems, Inc.
• CapitalVenue
• Cendant Data Service, Inc.
• ClientLogic Operating Corporation and its subsidiaries
• Crew Tags International
• Cybercitizens First Data Services, Inc.
• Database Marketing Concepts
• Davis Direct WorldWide
• Decision Analyst, Inc.
• Digital Impact, Inc.
• e-Dialog
• E-lection.com (LDE Inc.)
• e2 Communications, Inc.
• Electronic Arts, Inc.
• enfoTrust networks
• Entertainment Software Rating Board
• eTapestry.com, Inc.
• Exult, Inc.
• Genesee Survey Services, Inc.
• Genetic Technologies, Inc.
• Global-Z International, Inc.
• Global Intelligence Network, LLC
• Global Market Insite, Inc. (GMI)
• Global Medical Management, Inc.
• Gold Systems, Inc.
• Hanover Direct, Inc.
• HCI Direct Inc.
• HealthMedia, Inc.
• Hewlett Packard
• Intel
• Intelligence-Net Office
• InterGen
• Lebensart Technology Arizona, Inc.
• Level 3 Communications, LLC, and i-structure and Orygen subsidiaries
• Market Measures Interactive, L.P.
• Mediamark Research, Inc.
• MessageMedia, Inc.

S-20  Current Safe Harbor Registration (continued, as of August 13, 2001)
• Microsoft Corporation
• MonteGen
• Naviant Marketing Solutions, Inc.
• NOP Automotive, Inc.
• Numerical Algorithms Group, Inc.
• Oak Technology
• Opt2Opt, Inc.
• Optimization Zorn Corporation
• Pharmaceutical Product Development, Inc.
• PPG Industries, Inc.
• Privacy Leaders
• Procter & Gamble Company & US affiliates
• Qpass Inc.
• Rehab Tool.com
• Responsys
• Roush Industries, Inc.
• Salesforce.com
• Seagate Technology LLC
• Software 2010 LLC
• SonoSite, Inc.
• Strategic Marketing Corporation
• The BMW Group, Inc.
• The Catastrophe Risk Exchange, Inc. (CATEX)
• The Dun & Bradstreet Corporation
• The EMMES Corporation
• The USERTRUST Network L.L.C.
• Time Customer Service, Inc.
• TruSecure Corporation
• TRUSTe
• TRW Inc. & U.S. subsidiaries
• United Information Group (c/o ASW)
• USERFirst
• USERTrust Inc.
• USinternetworking, Inc.
• Vality Technology Incorporated
• Vedanta Press
• Virage, Inc.
• WellMed Inc.
• Wireless Facilities
• World Research, Inc. dba Survey.com
• WorldChoiceTravel.com, Inc.
• Wunderman
• Yamaha Music Interactive, Inc.

S-21  EU Model Contracts
• Work commenced in September 2000
• Target effective date 2001
• Would change focus from "country to country" to inter-organizational
• Would have audit abilities drafted into the contracts
• Not limited to the United States

S-22  Comparison of Privacy Policies
Canadian Privacy Legislation
• Accountability. Appoint an individual who is accountable for organizational compliance.
• Identifying Purpose. Identify purpose before information is collected.
• Consent. Knowledge and consent of individuals required for collection and use.
• Limiting Collection. Collected by fair and lawful means and limited to that necessary for the identified purpose.
• Use, Disclosure and Retention. Used or disclosed only for the purpose for which it was collected.
• Accuracy. Accurate, complete and up to date.
• Safeguards. Protected by appropriate security safeguards.
• Openness. Provide individuals with specific information about its policies and practices.
• Individual Access. Upon request, inform individuals of the existence, use and disclosure of personal information, and give them the ability to challenge its accuracy and completeness and have it amended.
• Challenge Compliance. Ability to address concerns with an individual from the organization.
Safe Harbor Agreements
• Notice. Organizations must inform individuals how collected information will be used.
• Choice. Individuals must be given a choice regarding certain information.
• Upstream transfer. Organizations must ensure that third parties receiving data also follow Safe Harbor principles.
• Security/Data Integrity.
• Access. Individuals must have access to information collected about them.
• Enforcement. Organizations must provide effective means for ensuring compliance with Safe Harbor principles.
EU Data Protection Act
• Adequate, relevant and not excessive
• Fairly and lawfully processed
• Processed for limited purposes
• Accurate and Secure
• Not kept longer than necessary
• Not transferred to countries without adequate protection
• Processed in accordance with the data subject's rights

S-23  Common Fair Information Principles
• Data collection must be lawful and fair
• Must be collected for a specific, disclosed purpose
• Collection must be agreed with the individual
• Data must be accurate, timely and relevant for the purpose
• Data must not provide or be capable of being used to allow discrimination
• Data must be protected and secure
• The individual must have the right to access, rectify or delete his or her personal information
• Transborder data flow restrictions must safeguard the individual's information
• Restrictions on future use and disclosure
• Restrictions on retention and destruction
• Identifiable person to contact
• Published information privacy policies and procedures

S-24  PERSONAL INFORMATION PRIVACY – Privacy's Growing Importance in the United States

S-25  PERSONAL INFORMATION PRIVACY – United States
Sectoral "regulatory frameworks" (rules, codes, regulations)
• Health Care
• Financial Services
• Pension Industry
• Human Resources

S-26  PERSONAL INFORMATION PRIVACY – United States
Examples of privacy legislation
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) (privacy effective early 2001)
• Children's Online Privacy Protection Act of 1998 (effective April 2000)
• Driver's Privacy Protection Act of 1994
• HR 49 Postal Privacy Act of 1997
• HR 52 Fair Health Information Practices Act of 1997
• HR 103 Financial Information Privacy Act of 1999
• HR 341 Genetic Privacy and Nondiscrimination Act of 1997
• Gramm-Leach-Bliley Act of 1999 (effective July 2001)

S-27  PERSONAL INFORMATION PRIVACY – United States
The National Association of Attorneys General (NAAG)'s summer public sessions in Seattle were devoted, for the first time, to privacy issues. This follows NAAG members' decision to unify in order to gain victories over large corporations. The success of this approach has already been seen in the cases of "Big Tobacco" and Microsoft. Michigan's Attorney General has already filed notice of planned action against DoubleClick in relation to its efforts to build detailed demographic profiles of Internet users.

S-28  PERSONAL INFORMATION PRIVACY – United States
Forrester predicts that the recent FTC report will generate sufficient momentum for privacy legislation in 2001. This will relate to practice, choice and security principles but will not extend to access rights. (Forrester Report, 23rd May 2000)
Legal action has also been threatened against four companies in Michigan that have failed to disclose their privacy practices adequately.
Washington State – Initiative 243: Privacy Over Profit, while being deferred, forces the State to accept proposed privacy language as law or face having the initiative put on the ballot in November 2001. (Requires consent before a private company could collect or disseminate personal information for a use different from that for which it was originally provided.)

S-29  United States – GRAMM-LEACH-BLILEY ACT
• Generally prohibits financial institutions (FIs) and their affiliates from disclosing customer non-public information to nonaffiliated third parties.
• 'Financial institution' is defined as 'any institution the business of which is engaging in financial activities as described in s.4(k) of the Bank Holding Company Act'. This encompasses a broad range of activities including: mortgage lenders, insurance companies, credit card and consumer finance companies, lenders and travel agencies, regardless of whether they are affiliated with a bank.
• Private customer information may be provided to third parties where:
  – The customer does not 'opt-out' of such arrangements
  – Third parties perform services or functions, including marketing, for the FI - full disclosure of this practice must be made
  – Particular non-marketing functions are involved, for example, servicing, maintaining or processing an account or financial service

S-30  United States – HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
(Structure diagram)
• Title I – Healthcare Portability
• Title II – Administrative Simplification
  – Transaction Standards & Code Sets
  – Unique Health Identifiers
  – Privacy Legislation
  – Security Standards
  – Electronic Signature Standards
• Titles III, IV, V
Privacy – Health and Human Services published proposed regulations in November 1999, received comments, and issued the final rule in December 2000 to take effect on April 14, 2001. Two years to comply.

S-31  Canada
• Adopted April 2000
• Requires compliance over a 3 year period
  – Federally Regulated – January 1, 2001
  – Health Care – January 1, 2002
  – All Others – January 1, 2004

S-32  PERSONAL INFORMATION PRIVACY – The Impact of eBusiness on Privacy

S-33  Consumer Concerns About e-Business
• What are this site's e-Commerce practices?
• I am worried about security
• Is it OK to give them my credit card information?
• I would like to maintain anonymity
• I do not like traceability
• What are they going to do with my information?
• Who am I really doing business with?
• I am afraid I will get scammed, and won't get my stuff
• Will the products really be as advertised?
• What is the recourse if something goes wrong?

S-34  IS THERE REAL CONCERN?
• 40% said "Internet privacy and security concerns kept them from buying online"
• 10% of "Internet users trusted computers to safeguard data"
  Source: Harris Interactive and the Privacy Leadership Institution 2000 Survey – Darwin, August 2001, p. 60
• Cookies are disabled 0.68% of the time, based on a review of 1 million pages (less than 1%)
  Source: Web Audience Survey – WebSideStory 2001 – Darwin, August 2001, p. 60
• Concern over misuse of personal information: 48% rated 9 or 10
• Concern over information provided to offline businesses: 35% rated 9 or 10
  Source: Wirthlin Worldwide – Darwin, August 2001, p. 60

S-35  eBUSINESS HAS:
• Increased the awareness of privacy
• Provided a global environment in which to promote privacy
• Increased the cross-border privacy issues
• In B2C, mandated – to an extent – payment instruments that provide for the easy capture of personal information
• Obtained, recorded and created significant personal information required to execute a transaction

S-36  eBusiness Security and Privacy – What Are The Risks?

S-37  PERSONAL INFORMATION PRIVACY – Privacy Risks
• Failure of written privacy policies and procedures to accurately reflect actual circumstances.
• Failure of systems capabilities to achieve privacy objectives, resulting in an individual violation of an entity's privacy policy.
• Inadequate systems protection and safeguards to meet the legislative and regulatory privacy requirements.
• Inadequate training and monitoring of employee activities when using personal information.
• Inadequate controls over third parties holding private information.

S-38  PERSONAL INFORMATION PRIVACY – Privacy Risks (continued)
• Inability to effectively identify and manage personal information in an increasingly complex information technology environment.
• Inability of current systems to ensure compliance with the notice, consent, disclosure and security/safeguard requirements.
• Inability to establish due diligence over the release of personal information.
How many of these are specific to eBusiness?

S-39  PERSONAL INFORMATION PRIVACY – Other eBusiness Issues
• Exchanges
• Intranets
• Credit Card Data
• Profile Building – CRM
• Proprietary Information – Credit Point Scoring

S-40  PERSONAL INFORMATION PRIVACY – Ten Items You Should Address
1. Make Someone Responsible - Privacy Compliance Officer / Data Controller / Chief Privacy Officer
2. Create a Privacy Policy - Supported by privacy statements and privacy procedures
3. Ensure Marketing Materials Meet Marketplace Privacy Experts
4. Address Regulation Issues - profile for consent, disclosure, opt-in, opt-out etc.
5. Obtain Data Subjects' Consent
6. Provide Access To Personal Information
7. Ensure Effective Safeguards
8. Ensure Accuracy of Personal Information
9. Limit the Use, Disclosure and Retention of Personal Information
10. Train Personnel Involved in Customer Activities

S-41  PERSONAL INFORMATION PRIVACY – Preparing eBusiness to Meet Privacy Requirements
• Harden Networks and Interfaces - Firewalls, DMZ, etc.
• Monitor Website Activity (Volume, Spam, etc.)
• Use Intrusion Detection Software
• Secure Personal Information
• Screen Inbound/Outbound Messages For Viruses
• Use PKI/Digital Signatures
• Validate/Authenticate Requestors' Identity Prior To Release Of Information
• Keep Up To Date On All Patches, Particularly Security, Viruses Etc.
• Deal With Known Organizations

S-42  eBusiness Security and Privacy – Assurance

S-43  The WebTrust™ Response – A Unique Seal of Assurance
• Provides assurance that a web site meets AICPA/CICA defined criteria for Principles relevant to:
  – Businesses and Consumers transacting business online
  – Service Providers
  – Certification Authorities
• Is designed to build customer confidence in electronic commerce
• Up-front and ongoing independent third party verification
• Ensures online disclosure of key practices and independently verifies that the business follows these practices

S-44  The WebTrust™ Response – A Unique Seal of Assurance
• Helps identify and reduce e-commerce business risks, including:
  – privacy breaches
  – security gaps
  – other systems affecting the customer interface
• Provides a framework to assist e-commerce businesses in creating best practices
• Will be able to demonstrate a web site's compliance with the privacy laws of major industrial countries
• Is a global seal that can be provided by qualified and licensed CPAs and CAs around the world

S-45  WebTrust™ Programs – Version 3.0
• Business Practices / Transaction Integrity
• Online Privacy – Four Categories: 1. Disclosures 2. Policies 3. Procedures 4. Monitoring
• Security
• Confidentiality
• Non-Repudiation
• Availability
• Customized Assertions

S-46  PERSONAL INFORMATION PRIVACY – The WebTrust Privacy Principle[1]
The entity discloses its privacy practices, complies with such privacy practices, and maintains effective controls to provide reasonable assurance that personally identifiable information obtained as a result of electronic commerce is protected in conformity with its disclosed privacy practices.
[1] The WebTrust Principles meet or exceed the significant requirements of the European Union (EU) Privacy Directives and The Online Privacy Alliance (OPA) Guidelines as of October 1999, Canadian Privacy Law, C6, The OECD Guidelines, and the U.S. Safe Harbor Privacy Principles issued July 21, 2000.

S-47  PERSONAL INFORMATION PRIVACY – A. Disclosure
A1 Discloses information privacy practices: kinds and sources of information collected, maintained, used etc., opt-in and opt-out consequences etc.
A2 Use of cookies
A3 Procedures used in case of breach in privacy
A4 Contact information
A5 Consumer recourse procedures
A6 Additional privacy disclosure
A7 Changes and updates to privacy
A8 Clear disclosure when visitor is leaving the site

S-48  PERSONAL INFORMATION PRIVACY – B. Privacy Policies, Goals and Objectives
B1 Entity's Privacy Policies (list of items to be disclosed)
B2 Employee awareness when handling private information
B3 Accountability for privacy and related security assignments
B4 Training and other support
B5 Privacy and related security policies are consistent with disclosure and applicable laws and regulations

S-49  PERSONAL INFORMATION PRIVACY – C. Procedures and Technology Tools
C1 Security procedures to establish new users
C2 Identify and authenticate new users
C3 Allows users to change, update or delete their own user profile
C4 Limits remote access to authorized personnel
C5 Prevents access to other than the user's own private or sensitive information
C6 Limits access to personally identifiable information to authorized employees
C7 Utilizes a minimum of 128-bit encryption to protect transmission of user authentication, verification, and sensitive or private information over the Internet
C8 Maintains systems configuration and minimizes security exposures

S-50  PERSONAL INFORMATION PRIVACY – C. Procedures and Technology Tools (continued)
C9 Private information only disclosed to parties essential to the electronic transaction
C10 Private information obtained through eCommerce is used in ways associated by the business
C11 Reasonable edit and validation checks of personally identifiable information
C12 Assurance on the adequacy of protection over private information maintained by third parties
C13 Customer permission is obtained before downloading files for storage or alteration
C14 If privacy policy is changed to be less restrictive, customers are contacted

S-51  PERSONAL INFORMATION PRIVACY – D. Monitoring and Performance
D1 Monitor security of eCommerce systems
D2 Maintains privacy and security policies current with laws and regulations
D3 Privacy and security incident policies and plans are reviewed and updated
D4 Procedures to monitor and act on privacy and security breaches

S-52  SysTrust - A CPA/CA's assurance report on a system's reliability
• US - SSAE #10 (January 2001)
• Canada – Handbook Section 5025
• Opinion on controls using the SysTrust framework of 4 principles & 58 criteria on reliability

S-53  PRINCIPLES are defined as:
"Principles are the a specified environment."
Four Principles: Availability, Integrity, Security, Maintainability
A Fifth Principle is being Considered: System Boundaries

S-54  4 Principles
• Availability - System is available at times set forth in service-level statements or agreements
• Security - The system is protected against unauthorized physical and logical access
• Integrity - System processing is complete, accurate, timely, and authorized
• Maintainability - System can be updated in a manner that provides availability, security, and integrity

S-55  Each Principle has a series of Criteria
Criteria categories:
• policies exist and are appropriate
• policies are implemented and operate
• adherence to policy is monitored
Definition of Criteria: measurable, objective, relevant, complete

S-56  Why The Need For SysTrust?
• No Common Definition of Reliability - e.g. is security in or out?
• No Basis for Comparison - how do the organization's systems compare with competitors?
• No Established Benchmark - at what point is reliability achieved?
• Differing levels of Objectivity & Rigor - how much and how good is the assessment?

S-57  Why an Assurance Report?
• Confidence in Business Partners' Systems
  – common evaluation framework - baseline
  – better selection of business partners
• Confidence in Internal Systems
  – appropriate controls protect shareholder value
  – better decision making
• Marketing of a System
  – differentiate against competitors
  – no restrictions on use

S-58  PRIVACY – The Business Case

S-59  PRIVACY BUSINESS ISSUES
• Privacy is now a major consumer concern, both in the online and offline world.
  – eCommerce statistics and surveys
  – Privacy compliance officers
  – Privacy audits and investigations
• Personalization through profiling is a key strategy for gaining and retaining customers - both online and offline. (CRM systems)
• Detecting privacy violations is a 'gotcha' pursuit.
• Privacy is an element in investor dot.Com valuations.
• Privacy is a global issue.

S-60  PRIVACY BUSINESS RISKS
• Loss of reputation and credibility are major privacy risks.
• Privacy failures will hit the bottom line.
• Privacy violations may be unintentional, accidental or unforeseen … the press and the public will not care.
• Both customers and employees may be affected by privacy breaches.
• Privacy is not the same as security.

S-61  PRIVACY BUSINESS PITFALLS
• Contract violations
• Foreign litigation
• Web Site blackout
• Reduced customer confidence and spending
• Inability to attract and participate in global technologies (call centers, processing sites, data repositories, network infrastructures and NOCs)
• Inability to attract business partners

S-62  PRIVACY BUSINESS STRATEGY
• Address privacy issues early on
• Privacy provides a competitive advantage in the global economy
• Ensure customers' / clients' requirements are met
  – Privacy
  – Confidentiality
  – Security
  – Integrity of transactions
  – Contracts
• Consider legislation / regulations of trading partners' countries

S-63  PRIVACY BUSINESS PITFALLS – Privacy Initiatives
• Continually monitor privacy legislation
  – Global requirements are changing very quickly
  – Trade agreements will likely re-enforce privacy requirements
• Build products and supporting systems with privacy in mind
  – Strategic systems processes include a privacy component
  – Products should be privacy compliant
  – Products can be enhanced with privacy components
• Ensure employees and customers are aware of your privacy initiatives

S-65  PRIVACY – The Business Value of Privacy
• In a global economy
• In a digital world
• New "rules of the road" are being established
• Privacy is one of them
• Privacy compliance may be the price of admission to the world of global eBusiness

S-66  Additional Information
Gramm-Leach-Bliley
• links to legislation and further information available at: http://www.ftc.gov/privacy/index.html
• for information concerning D&T initiatives in the US please see:
HIPAA
• regulations are available at: http://www.hhs.gov/ocr/part1.pdf
• further information resources are available at: http://www.hhs.gov/ocr/hipaa/
COPPA
• Children's Online Privacy Protection Act
• links to information on the legislation: http://kidzprivacy.com/
• 'Business Buzz' contains information about obligations under the legislation
Federal Trade Commission's website: http://www.ftc.gov/. Includes information on the Safe Harbor agreement and Model Contracts, both on this site and at: http://europa.eu.int/comm/internal_market/en/media/dataprot/index.htm.
Canada - Personal Information Protection and Electronic Documents Act
• Federal Privacy Commissioner's website: http://www.privcom.gc.ca/

S-67  ePrivacy Assurance – Thank You
ROBERT PARKER, Partner, Deloitte & Touche
rparker@deloitte.ca
(416) 601-5927

S-68  Discussion