A Privacy Primer
Russ Mathews, Enterprise Risk Services
March 6, 2001

Agenda
• Introduction
• General Privacy Issues
  – Definition of Privacy
  – Consumer Concerns
  – Business Trends
  – Business Considerations
  – Regulatory Environment
  – Technological Challenges
  – Summary of General Privacy Issues

Definition of Privacy
Information Privacy refers to the right of individuals to determine when, how, and to what extent “personally identifiable information” will be shared with others; it has broad implications for the collection, storage and dissemination of consumer information by companies.
Personally identifiable information is defined, in general, as any information relating to an identified or identifiable individual.
Depending on regulatory and national requirements, Privacy Initiatives and Principles may address:
• Company responsibility for ownership of personal information collected
• Providing notice of how personal information will be used
• Limiting data collection to specific business objectives
• Time limits on retention and storage of personal data
• Consumer options for how personal information is used
• Responsibility for the accuracy, integrity and security of consumer data

Consumer Concerns
1999 Lou Harris-IBM Consumer Privacy Survey: 94% of Americans think personal information is vulnerable to misuse, and 78% claim they have refused to provide requested data to a business because they believe it is too personal.
Wall Street Journal poll conducted in the Fall of 1999:
Americans were asked what they feared most in the new millennium. Privacy came out on top (29%), substantially higher than terrorism, global warming, and overpopulation (no higher than 23%).
[Diagram: Media Focus, Heightened Awareness, Public Perception]

General Concerns
• Simple Irritation – Information bombardment
• Feelings of Violation – Tracking what you read and watch
• Fear of Harm – Misuse of information
• Nightmarish Conspiracies – Government and Big Business (e.g., Orwellian vision of the future)

Increasing Privacy Encroachment

Feelings Of Loss of Control
July 21, 2000. 39 States Object To Sale Of Toysmart’s Customer List. Toysmart, which filed for bankruptcy in June, is one of several e-commerce companies that either have sold or are trying to sell customer information, such as home addresses, phone numbers, transaction histories and family profiles. ....
Who owns personal data?

Business Trends
What has led to the current emphasis on collecting and using personally identifiable information? As always, to sell more!

Business Trends
How can you sell more, and what does that have to do with privacy?
1) One-to-one marketing – Goal of all marketers
2) Rise of the Internet – Global; new channel for buying and selling
3) Increased computational power and speed – Moore’s Law; speed and power required to process terabytes of information

Business Trends: One-to-One Marketing?
• Analytics: helps organizations to understand the consumers.
• E-marketing: helps organizations define the structure for reaching their consumers.
• Personalization: helps organizations provide one-to-one marketing of products and services to their consumers and customers.
Business Trends: Analytics?
• Helps organizations to understand the consumers.
• Raw data is useless to marketers.
• Transform raw data into useful information.
• Count heads, create reports, monitor web traffic, identify bottlenecks.
• Create segments of customers based on behavior patterns.

Business Trends: E-marketing?
• Helps organizations define the structure for reaching their consumers.
• Uses the results from the analytics phase.
• Helps to create marketing campaigns.
• Can incorporate marketing results into a comprehensive plan to identify what to sell and when to sell.

Business Trends: Personalization?
• Helps organizations provide one-to-one marketing of products and services to their consumers and customers.
• Provides a unique shopping experience to each user.
• Rules-based customization.
• Neural networks “learn” from experience.
• Collaborative filtering uses statistical analysis.

Business Trends
The Goal: Organizations want to achieve one-to-one marketing.
The Method: Organizations are collecting and using personally identifiable information to expand the capabilities of their data warehousing and data mining efforts.
The Problem: There exists a very fine line between personalization and privacy invasion.

Business Trends: Personalization or Privacy Invasion?

Litigation
SAN DIEGO, Aug 2, 2000 (BUSINESS WIRE) -- Milberg Weiss today announced that a class action was filed on July 28, 2000 on behalf of all persons who have visited either www.toysrus.com or www.babiesrus.com and have had their private online Web browsing activities and their confidential information covertly monitored, intercepted and/or transmitted to third parties by Toys R Us (NYSE:TOY) (the "Class").
August 14, 2000 -- Coremetrics uses technology such as Web bugs and cookies--or tiny digital identifying tags that track visitors' whereabouts online--to compile information about online shoppers. For example, its technology can record when a consumer adds a product to his or her shopping cart, then takes it out. With this information, online stores could potentially send an email to the consumer offering a discount on the product he or she decided against. Using JavaScript, Coremetrics can also extract personally identifiable information such as names, addresses and phone numbers from online forms filled out during the checkout process.
August 15, 2000 -- Toys R Us Inc. [NYSE:TOY] has stopped using the services of Coremetrics.com, a market data collection company that figured in lawsuits alleging ...
Website Statement Concerning CoreMetrics: For a short period of time, we had a trial arrangement with a service called CoreMetrics to assist us in evaluating information about how visitors use our site. This trial arrangement is no longer in effect. As part of this service, cookies may have been placed on the computer systems of certain visitors to our site. Because we no longer are using CoreMetrics' services, future visitors to our site will not have CoreMetrics cookies placed on their systems.

Litigation: Financial Institutions
• U.S. Bancorp
  – Allegedly sold credit card information to MemberWorks
• Chase Manhattan Bank
  – Allegedly provided information to non-financial direct marketers about its credit card and mortgage customers
• Charter Pacific Bank
  – Allegedly sold credit card database to pornographic website

Business Considerations
Stuck between a rock and a hard place…
Rock
• Regulations, consumer groups, class action law firms and regulatory agencies are litigating or considering litigation to curtail business use of private data.
Hard Place
• In order to compete effectively in today’s market, businesses need to become better at gaining and retaining customers.

Business Considerations
Other rocks and hard places…
• Privacy is a multi-dimensional challenge, involving: Senior Management, Legal, Compliance, Information Technology, Marketing, Human Resources, Risk Management, Financial Reporting
• Technology issues are complex: Cookies, Applets, Databases, Banner ads
What level of data “stewardship” does your customer base demand?

Business Considerations
Business issues driving privacy initiatives: Globalization, Extended Enterprise, Regulatory Requirements, Customer Sensitivity, Competition, Brand Image

Business Considerations
How to handle the rock and hard place issue - create an effective privacy initiative using the following steps:
• Retaining a Chief Privacy Officer (CPO)
• Creating a task group to evaluate and propose a comprehensive privacy initiative for the entire organization (headed by the CPO)
• Restructuring technology and business practices for privacy compliance
• Educating and training for privacy awareness
• Evaluating applications, products, services and third parties for privacy compliance on a periodic basis

Business Considerations: Rise of the Chief Privacy Officer (CPO)
“The rise in CPOs stems from one of two reasons: damage control and prevention.”
Examples (damage control and prevention):
• RealNetworks
• Microsoft
• Doubleclick
• American Express
• Citigroup
• Prudential Insurance

Business Considerations: Duties of the Chief Privacy Officer
• Organize and coordinate Privacy Task Force or Committee
• Commission or conduct privacy risk assessment and inventory of privacy risks
• Track privacy environment and provide reports
• Monitor privacy law and regulations compliance
• Develop privacy policies and procedures
• Do privacy review of new products and new Net developments
• Support employee privacy training
• Interact with consumer groups and regulators
• Provide contact point for consumers
• Manage privacy dispute resolution
• Speak for the company and prepare executives for legislative/agency testimony
• Conduct regular/annual privacy audits
• Report to top management

Business Considerations
What are the costs of not having a comprehensive privacy initiative?
• Loss of brand image
• Loss of revenue
• Loss of share price
• Cost of litigation and class action suits
• Cost of penalties for non-compliance
• Damage to public trust
• Damage to employee morale

Regulatory Concerns
Web Sites
1) What kinds of notice should Web sites be required to provide before they collect information? Should limits be imposed on what can be collected and how long it can be kept?
Ad Networks
2) Should consumers have a right to opt out or opt in before Web sites channel ad networks’ cookies to their machines?
Partners/Affiliates/Subsidiaries
3) What kind of sharing takes place with a Web site’s business partners, which are considered “third parties”?
Other Third Parties
4) Should Web sites be required to have opt-in or opt-out policies on third-party data sharing?
Offline Transactions
6) What access should consumers have to their information?
Source: Forrester, May 2000

Disjointed US Market Approach
• Deceptive Trade Practices – FTC Enforcement
• Health Care – HIPAA Privacy & Security Standards
• EU Safe Harbor Principles – Unknown acceptance
• Financial & Insurance Industry – Gramm-Leach-Bliley Act (implementation 7/2001); NAIC Model Law
• The Children’s Online Privacy Protection Act
• Proposed Consumer Legislation – In Congress and Multiple States

Proliferation of Privacy Regulations
• Information crossing multiple borders
• Complex third party relationships (providers, buying exchanges, alliances)
• Increased use of web-based applications and systems
• Restrictive regulatory environment being adopted across regions
Regulations and regimes referenced on the slide: FTC, HIPAA, NAIC, GLB, Safe Harbor Principle, COPPA; Personal Information Protection and Electronic Documents Act; UK Data Protection Act; Following EU Data Protection Directive; Federal Privacy Amendment Bill; Guidelines for the Protection of Computer Processed Personal Data; Privacy Ordinance; E-Commerce Code for the Protection of Personal Information

Increasing Regulatory Tension
• European Union findings show that the United States does not provide adequate protection for Personally Identifiable Data
• Multiple regulatory agencies promulgating various rules for the same statute (e.g., GLB Act and SEC, Banking and FTC rules)
• State Legislatures enacting conflicting laws (e.g., must give customer opt-in rights v. opt-out rights)

Gramm-Leach-Bliley Act
Financial Services Modernization Act of 1999
Condensed Timeline:
• November 12, 1999 – GLB signed into law
• May 2000 – several Federal agencies published their final rules (OTS, FDIC, FTC)
• June/July 2000 – final rules published
• November 13, 2000 – GLB privacy regulations enacted
• July 1, 2001 – mandatory compliance deadline

Gramm-Leach-Bliley Act
Scope of Coverage:
• Financial Institutions: any institution significantly engaged in financial activities
• Non-Public Personal Information: personally identifiable financial information provided by a consumer to a financial institution, resulting from any transaction with the consumer or any service performed for the consumer, or otherwise obtained by the financial institution.
• Consumer vs. Customer:
  – Consumer: an individual who obtains a financial product or service for personal, family or household purposes; occasional or isolated contact (e.g., ATM cash)
  – Customer: has an established relationship (e.g., depositor, borrower, or insurance policyholder)

Gramm-Leach-Bliley Act
Statutory Requirements:
• Clearly and conspicuously give a privacy notice to each consumer/customer, at least once each year, of the institution’s policies for collecting and sharing nonpublic personal information
  – A mere consumer need not receive a privacy notice, unless the financial institution intends to disclose that individual’s nonpublic personal information to nonaffiliated third parties
• Afford consumers choice (e.g., the right to “opt-out” of disclosures to non-affiliated third parties), subject to certain exceptions
  – Opt-out does not apply with respect to affiliate disclosure
• Cannot disclose account access information (e.g., account numbers) to third party marketers
• Abide by regulatory standards to protect the security and confidentiality of consumer non-public personal information

Gramm-Leach-Bliley Act
Notice:
Initial and Annual:
• Categories of NPI collected
• Categories of NPI disclosed to others
• Categories of entities to whom NPI is disclosed
• Disclosure practices with regard to former customers
• NPI disclosed under joint marketing/agency exceptions
• Gramm-Leach-Bliley opt-out right
• FCRA opt-out right: applies to “secondary” information that a customer may volunteer in certain applications to a financial institution (e.g., an income statement). Does not apply to “experience” information.
• Security and confidentiality practices and procedures
• Disclosures covered by general exceptions (need only say that “certain other disclosures are made ‘as permitted by law’”)

Gramm-Leach-Bliley Act
Opt-Out:
A financial institution may not disclose NPI to a “nonaffiliated” third party unless:
• The financial institution clearly and conspicuously discloses to the consumer that such information may be disclosed to the third party;
• The consumer is given the opportunity to direct that the information not be disclosed to the third party; and
• The consumer is given an explanation of how to exercise that right.
The opt-out right must be easy to exercise and reasonable:
• A reply form with check-off boxes and a return address
• It is unreasonable to require the consumer to write a letter

Gramm-Leach-Bliley Act
NPI Sharing Exceptions:
• Necessary to process a transaction requested or authorized by the customer
• Necessary to effect, administer or enforce a transaction
• Made with the consent of the consumer
• Made to protect against fraud
• Made to a consumer reporting agency
• Made in connection with the merger or sale of a financial institution
• Made to comply with a regulatory investigation
• Made to auditors
• Service Provider/Joint Marketing
  – A third party provides services on behalf of the financial institution
  – Two financial institutions jointly market a product or service
Re-Use/Disclosure Restrictions Apply

Gramm-Leach-Bliley Act
Timing Issues:
• The July 1, 2001 date is misleading
• Nonaffiliated Third Party Sharing:
  – Must provide consumers with approximately 30 days to make the “opt-out” choice
  – The financial institution requires a reasonable amount of time to collect and implement opt-out choices made by consumers
  – Must implement no later than end-April 2001
Regulators Overseeing Preparedness:
• Office of Thrift Supervision – Privacy Preparedness Check-Up
• Office of the Comptroller of the Currency – Advisory Notice

COPPA
Children’s Online Privacy Protection Act of 1998
The final rule under the Act went into effect on April 21, 2000.
• Applies to organizations or individuals who operate a commercial Web site or an online service directed to children under the age of 13 that collects personal information from children, AND to those who operate a general audience Web site, if they have actual knowledge that they collect personal information from children;
• Requires a link to the institution's privacy notice on the home page and at each area where it collects personal information from children;
• The notice itself must be clearly written and understandable and should not include unrelated or confusing materials;
• Parental consent must be obtained before a child's personal information is collected, used or disclosed;
• A new notice must be furnished if there are material changes in the collection, use or disclosure practices.

Federal Health Privacy Regulations (“HIPAA”)
Health Insurance Portability and Accountability Act
Finalized December 20, 2000
What entities are regulated: Health Plan Providers, Health Care Clearinghouses, Certain Health Care Providers
What information is covered: Protected Health Information – in general, information related to physical or mental health, the provision of health care, or the payment for health care

Federal Health Privacy Regulations (“HIPAA”)
Key provisions include:
• Access – People have the right to see and copy their own medical records. Most states do not currently grant people such broad access.
• Limits on Disclosure – The regulation greatly restricts access to health information. Of note: for disclosures relating to treatment, payment and health care operations, providers must obtain patient consent.
• Employers – Employers are barred from receiving "protected health information" except for specific functions related to providing and paying for health care. Employers must establish a firewall between the health care division and employees who make decisions about employment.

Federal Health Privacy Regulations (“HIPAA”)
Key provisions continued:
• Law Enforcement – Health care providers and plans are prohibited from releasing patient data to federal, state, or local law enforcement without some form of legal process, including a warrant, court order or administrative subpoena.
• Research – All research, whether publicly or privately funded, must be overseen by either an Institutional Review Board (IRB) or a Privacy Board if the researcher seeks a waiver of informed consent.
• Penalties – Health care providers, health plans, and clearinghouses are subject to civil and criminal penalties (up to $250,000/year and 10 years in jail) for violating the law. HIPAA constrained the Secretary from including a private right of action for individuals to sue for violations of the law.

EU Data Protection Directive
Cross-Border Flow Of Personally Identifiable Information
EU Data Protection Principles:
• Adequate, relevant and not excessive
• Fairly and lawfully processed
• Processed for limited purposes
• Accurate and Secure
• Not kept longer than necessary
• Not transferred to countries without adequate protection
• Processed in accordance with the data subject's rights
European Union finding that the United States does not provide an adequate level of data protection for PII

Safe Harbor Principles
Principles establish an “adequate” level of data protection for non-financial United States companies
• Notice – Organizations must inform individuals how collected information will be used
• Choice – Individuals must be given an opportunity to choose to provide information if it is disclosed to a third party or used for purposes incompatible with the original purposes
• Upstream transfer – Organizations must ensure that third parties receiving data also follow Safe Harbor principles
• Security/Data Integrity – Reasonable precautions must be taken to protect personal information from loss, misuse and unauthorized access, disclosure, misuse and alteration. Organizations should take reasonable steps to ensure that data is collected for the intended use, accurate, complete and current
• Access – Individuals must have access to information collected about them.
• Enforcement – Organizations must provide effective means for ensuring compliance with Safe Harbor principles and consequences for non-compliance

Consequences of Non-Adoption of Safe Harbor
• Must adhere to privacy standards as interpreted in each EU member state (as opposed to one standard)
• Subject to actions brought by each EU member state where the directive is violated, and possible shutdown of cross-border data flows and assessment of damages
• Negative publicity and possible loss of market share in EU member states
• However, certification without complete adoption of Safe Harbor Principles can subject a company to regulatory action in the United States and in the EU.

Technological Challenges
• Written procedures often fail to accurately reflect actual system capabilities and practices.
• Information may be stored incorrectly and shared with third parties.
• Organizations may not have inventoried personally identifiable information, and may not understand data flows through systems and processes.
• Web sites are easily able to record and track individual identity and associated activities on the Internet.
• Current technology infrastructure may be unable to incorporate policies and controls to comply with notice, choice and security requirements.
• Information systems are rarely integrated and are unable to capture the total customer relationship throughout an enterprise.
• Business and legal departments may be unfamiliar with the capabilities of their enterprise technology and its implementation.

“We're going to do a Smith & Wesson on DoubleClick” – Michigan State Attorney General
[Diagram: Browsers connecting over the Internet to Web Site X, Web Site Y and the DoubleClick Server]
DoubleClick created profiles of individuals using the World Wide Web by placing a cookie with a unique identification number on users’ browsers.
When a browser goes to a member web site which contains an invisible DoubleClick graphic, a request is sent to the DoubleClick Server, which assigns the user’s browser a cookie containing a unique identification number.
From that time forward, whenever the user connects to any Web site that subscribes to the DoubleClick System, their browser returns the identification number to the DoubleClick server, allowing the server to recognize her.
Over a period of time DoubleClick compiles a list of which member sites the user has visited and revisited, and a profile of the user's tastes and interests. This information is used to compile valuable feedback for its member Web sites, such as providing them with audience profiles.

[Diagram: Browser running Real Jukebox (use RealJukebox, play music, download music) sending a GUID and music data over the Internet to RealNetworks Servers and other servers]
In 1999, RealNetworks faced several class-action lawsuits alleging the violation of privacy of its customers by using software that would track not only individual users but also what music they played and listened to using the RealJukebox.
RealNetworks Director of Systems Marketing, Peter Zaballos, said that the features were "built out by an aggressive development team that was not yet married to business policies."
“To put the matter another way, while the public voices of the company [RealNetworks] are proclaiming their adherence to strict privacy standards, their technical staff are putting forth software that violates those standards.” – Tom Maddox

Initiatives on the Web
Privacy initiatives in the marketplace
• Private Payments
• P3P
• Private E-mail
• Content Management Providers
• Web Analytic Tools
• Privacy Tools
Endorsements/Privacy Seal Programs
• Truste
• BBB Online
• WebTrust

Technology Definitions
Transmission Control Protocol/Internet Protocol (TCP/IP) - A protocol developed for the Department of Defense that has become the de facto communications standard of the Internet.
HyperText Transfer Protocol (HTTP) - The protocol most often used to transfer information from World Wide Web servers to browsers, which is why Web addresses begin with http://.
Globally Unique Identifier (GUID) - A number assigned to a user to track application access and use. Specifically, a number embedded in Microsoft's Windows 98 operating system which could be used to track a user's network usage and other activities. The number, attached to software and even documents created by the user, made it possible to track applications that were used and documents that were created throughout a network.
Personally Identifiable Information (PII) - Any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
(EU Data Protection Act)

Technology Definitions
HyperText Markup Language (HTML) - The language used to create World Wide Web pages, with hyperlinks and markup for text formatting.
Common Gateway Interface (CGI) - A way of interfacing computer programs with HTTP or Web servers, so that a server can offer interactive sites instead of just static text and images.
Perl - A general-purpose programming language which has become the language of choice for World Wide Web development, text processing, Internet services, and every other task requiring portable and easily-developed solutions.
JavaScript - A cross-platform WWW scripting language from Netscape Communications, very popular because it is simple, easy to learn, and can be included in an HTML file.
Public-Key Encryption - A way of encrypting messages in which each user has a public key and a private key. Messages are sent encrypted with the receiver's public key; the receiver decrypts them using the private key.
Public-Key Infrastructure (PKI) - Provides the people, policies, processes and technology for managing the various public keys that are used to provide network security and confidentiality through encryption and digital signatures.

Competitive Advantage vs. Increased Risk
• Regulations form a baseline requirement for compliance.
• Brand image is susceptible to breaches in customer privacy.
• A proactive approach to privacy makes a statement about the importance of the customer’s trust.
• Therefore, companies have the opportunity to create a differential advantage through sound privacy policies and practices.
• However, a more aggressive approach may subject the company to heightened scrutiny and increased risk.
• Systems, products and services must accurately reflect privacy policy.
[Chart: Value over Time – Aggressive Privacy Initiative (Brand Image; Competitive Advantage vs. Increased Risk) against Less Aggressive (Regulatory Requirements; Regulations)]

Lessons Learned
• Failure To Understand Customer Concerns And Perceptions
  – E.g., sharing of information with third parties vs. solicitation
• Failure To Plan For Multi-Regulatory Environment
  – Little rationalization of various regulations (e.g., EU Data Protection Directive, GLB, HIPAA)
• Focus On Privacy Policy And Notice, Without Detailed Understanding Of Whether Systems Are In Compliance
  – Leads to regulatory non-compliance and charges of deceptive practices
  – Often the business and legal components of the business are unfamiliar with system capabilities
• Few Companies Have Adequately Inventoried The Personally Identifiable Information Collected And Understand Where, When And How It Is Shared With Third Parties (Or Its Affiliates)

Lessons Learned
• Technology “Fixes” Are Not Designed For The Long-Term Environment
  – Minimal thought to the design and implementation of customer choice databases, or mechanisms for reviewing compliance
  – Infrastructure may be inadequate or unable to incorporate privacy policy and regulations
  – Failure to implement across the enterprise (silo approach to privacy)
• Management Unaware Of Privacy Risks Associated With Web Environment
  – E.g., Toys R Us and Coremetrics litigation (no intent to violate privacy policy, but charged with deceptive practices)
  – Easy to track identity and activities of customers over the web
• Failure To Maximize Privacy Work
  – After inventory of personally identifiable information and data flows, opportunity to develop systems and methodologies for maximizing customer data mining within the privacy policy framework
  – Little exploitation of leadership within the extended enterprise (e.g., assisting partners to implement successful privacy programs in order to further cement the relationship)

Lessons Learned
• Failure To Analyze Products And Services Sold To Marketplace For Privacy Compliance
  – Not simply an internal system issue
  – Complex regulatory problems for products and services sold globally
  – During the development process, procedures and controls need to be developed to include privacy considerations
• Failure To Recognize Impact On Mergers And Acquisitions
  – Can consumer information be shared between entities?
  – What is the cost of ensuring the new or combined entity is compliant?
  – Does the acquisition or merger subject the entity to a new regulatory environment?
Trust Is An Asset

Summary
• Questions??
• Useful websites
  – www.privacyheadquarters.com (pop quiz on GLB)
  – www.privacyfoundation.org
  – www.privacy.org
  – www.privacytimes.com
  – www.epic.org
  – www.pandab.org
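Added example, not part of the original presentation: a small Python audit, in the spirit of the Coremetrics and DoubleClick slides, that flags invisible third-party images (web bugs), third-party scripts, and persistent third-party cookies in a page load, so a site owner can verify that what the site actually does matches its privacy notice. The page HTML, hostnames and Set-Cookie headers are constructed sample data, and the two-label "registrable host" shortcut is an assumption of the example.

```python
"""Web-bug and third-party cookie audit for one page load (constructed sample data)."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def registrable_host(hostname):
    """Crude site identity: the last two DNS labels. A production tool would
    consult the public suffix list; this shortcut is an assumption here."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def is_third_party(page_url, resource_url):
    """True when the resource is served by a different site than the page.
    Relative URLs carry no host and are therefore first-party."""
    host = urlparse(resource_url).hostname
    if not host:
        return False
    page_host = urlparse(page_url).hostname or ""
    return registrable_host(host) != registrable_host(page_host)


class TrackerScanner(HTMLParser):
    """Collects (finding, url) pairs for elements that can act as trackers:
    1x1 or 0x0 third-party images (web bugs), third-party scripts and iframes."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if not src or not is_third_party(self.page_url, src):
            return
        if tag == "img":
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.findings.append(("web-bug" if tiny else "third-party-image", src))
        elif tag == "script":
            self.findings.append(("third-party-script", src))
        elif tag == "iframe":
            self.findings.append(("third-party-iframe", src))


def scan_html(page_url, html):
    scanner = TrackerScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def classify_cookies(page_url, responses):
    """responses: list of (response_url, [Set-Cookie header values]).
    Returns (name, host, party, persistent) per cookie. A persistent cookie
    set by a third-party host is the DoubleClick-style cross-site identifier."""
    out = []
    for resp_url, headers in responses:
        host = urlparse(resp_url).hostname or ""
        party = "third-party" if is_third_party(page_url, resp_url) else "first-party"
        for header in headers:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                persistent = bool(morsel["expires"] or morsel["max-age"])
                out.append((name, host, party, persistent))
    return out


# Constructed sample page and responses; the hostnames are made up.
PAGE_URL = "http://www.example-store.com/cart"
SAMPLE_HTML = """<html><body>
<h1>Example Store</h1>
<img src="/images/logo.gif" width="200" height="60">
<img src="http://tracker.example-ads.net/pixel.gif?site=42" width="1" height="1">
<script src="http://stats.example-analytics.com/collect.js"></script>
<form action="/checkout"><input name="email"></form>
</body></html>"""
SAMPLE_RESPONSES = [
    (PAGE_URL, ["session=7f3a; Path=/; HttpOnly"]),
    ("http://tracker.example-ads.net/pixel.gif?site=42",
     ["id=8c1e0d4b; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"]),
]


def audit(page_url=PAGE_URL, html=SAMPLE_HTML, responses=SAMPLE_RESPONSES):
    """Run both checks; tracking_ids lists persistent third-party cookies."""
    findings = scan_html(page_url, html)
    cookies = classify_cookies(page_url, responses)
    tracking_ids = [c for c in cookies if c[2] == "third-party" and c[3]]
    return {"findings": findings, "cookies": cookies, "tracking_ids": tracking_ids}


if __name__ == "__main__":
    for key, rows in audit().items():
        print(key)
        for row in rows:
            print("  ", row)
```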