A Privacy Primer - Financial Executives International

A Privacy Primer
Russ Mathews
Enterprise Risk Services
March 6, 2001
Agenda
• Introduction
• General Privacy Issues
• Definition of Privacy
• Consumer Concerns
• Business Trends
• Business Considerations
• Regulatory Environment
• Technological Challenges
• Summary of General Privacy Issues
General Privacy Issues
• Definition of Privacy
• Consumer Concerns
• Business Trends
• Business Considerations
• Regulatory Environment
• Technological Challenges
• Summary of General Privacy Issues
Definition of Privacy
Information Privacy refers to the right of individuals to determine when, how, and
to what extent “personally identifiable information” will be shared with others, and it
has broad implications for the collection, storage and dissemination of consumer
information by companies.
Personally identifiable information is defined, in general, as any information
relating to an identified or identifiable individual.
Depending on regulatory and national requirements, Privacy Initiatives and
Principles may address:
• Company responsibility for ownership of personal information collected
• Providing notice of how personal information will be used
• Limiting data collection to specific business objectives
• Time limits on retention and storage of personal data
• Consumer options for how personal information is used
• Responsibility for the accuracy, integrity and security of consumer data
Consumer Concerns
1999 Lou Harris-IBM Consumer Privacy Survey. 94% of Americans
think personal information is vulnerable to misuse. And 78% claim
they have refused to provide requested data to a business because
they believe it is too personal.
Wall Street Journal poll conducted in the Fall 1999. Americans were
asked what they feared most in the new millennium. Privacy came
out on top (29%), substantially higher than terrorism, global
warming, and overpopulation (no higher than 23%).
Media Focus
Heightened Awareness
Public Perception
General Concerns
Simple Irritation – Information bombardment
Feelings of Violation – Tracking what you read and
watch
Fear of Harm – Misuse of information
Nightmarish Conspiracies – Government and Big
Business (e.g., Orwellian vision of the future)
Increasing Privacy Encroachment
Feelings Of Loss of Control
July 21, 2000. 39 States Object To Sale Of
Toysmart’s Customer List. Toysmart,
which filed for bankruptcy in June, is one
of several e-commerce companies that
either have sold or are trying to sell
customer information, such as home
addresses, phone numbers, transaction
histories and family profiles.
....
Who owns personal data?
Business Trends
What has led to the current emphasis of collecting and
using personally identifiable information?
As always, to sell more!
Business Trends
How can you sell more and what does that have to do
with privacy?
1) One-to-one marketing
Goal of all marketers
2) Rise of the Internet
Global
New channel for buying and selling
3) Increased computational power and speed
Moore’s Law
Speed and power required to process terabytes of
information
Business Trends
One-to-One Marketing?
• Analytics: helps organizations to understand the consumers.
• E-marketing: helps organizations define the structure for reaching their consumers.
• Personalization: helps organizations provide one-to-one marketing of products and services to their consumers and customers.
Business Trends
Analytics?
• Helps organizations to understand the consumers.
• Raw data is useless to marketers.
• Transform raw data into useful information.
• Count heads, create reports, monitor web traffic, identify bottlenecks.
• Create segments of customers based on behavior patterns.
Business Trends
E-marketing?
• Helps organizations define the structure for reaching their consumers.
• Uses the results from the analytics phase.
• Helps to create marketing campaigns.
• Can incorporate marketing results into a comprehensive plan to identify what to sell and when to sell.
Business Trends
Personalization?
• Helps organizations provide one-to-one marketing of products and services to their consumers and customers.
• Provides unique shopping experience to each user.
• Rules-based customization.
• Neural networks “learn” from experience.
• Collaborative filtering uses statistical analysis.
Business Trends
The Goal:
Organizations want to achieve one-to-one marketing.
The Method:
Organizations are collecting and using personally
identifiable information to expand the capabilities of their
data warehousing and data mining efforts.
The Problem:
There exists a very fine line between personalization and
privacy invasion.
Business Trends
Personalization or Privacy Invasion?
Litigation
SAN DIEGO, Aug 2, 2000 (BUSINESS WIRE) -- Milberg Weiss today announced that a class action was
filed on July 28, 2000 on behalf of all persons who have visited either www.toysrus.com or
www.babiesrus.com and have had their private online Web browsing activities and their confidential
information covertly monitored, intercepted and/or transmitted to third parties by Toys R Us (NYSE:TOY)
(the "Class").
August 14, 2000 -- Coremetrics uses technology such
as Web bugs and cookies--or tiny digital identifying
tags that track visitors' whereabouts online--to
compile information about online shoppers. For
example, its technology can record when a consumer
adds a product to his or her shopping cart then takes
it out. With this information, online stores could
potentially send an email to the consumer offering a
discount on the product he or she decided against.
Using JavaScript, Coremetrics can also extract
personally identifiable information such as names,
addresses and phone numbers from online forms filled
out during the checkout process.
August 15, 2000, Toys R Us Inc.
[NYSE:TOY] has stopped using the
services of Coremetrics.com, a
market data collection company that
figured in lawsuits alleging ...
Website Statement Concerning CoreMetrics For a short
period of time, we had a trial arrangement with a service
called CoreMetrics to assist us in evaluating information
about how visitors use our site. This trial arrangement is
no longer in effect. As part of this service, cookies may
have been placed on the computer systems of certain
visitors to our site. Because we no longer are using
CoreMetrics' services, future visitors to our site will not
have CoreMetrics cookies placed on their systems.
Litigation
Financial Institutions:
• U.S. Bancorp.
• Allegedly sold credit card information to
MemberWorks
• Chase Manhattan Bank
• Allegedly provided information to non-financial
direct marketers about its credit card and
mortgage customers
• Charter Pacific Bank
• Allegedly sold credit card data base to
pornographic website
Business Considerations
Stuck between a rock and a hard place…
• Rock: Regulations, consumer groups, class action law firms and regulatory agencies are litigating or considering litigation to curtail business use of private data.
• Hard Place: In order to compete effectively in today’s market, businesses need to become better at gaining and retaining customers.
Business Considerations
Other rocks and hard places…
• Privacy Is A Multi-dimensional challenge
  – Senior Management
  – Legal
  – Compliance
  – Information Technology
  – Marketing
  – Human Resources
  – Risk Management
  – Financial Reporting
• Technology Issues Are Complex
  – Cookies
  – Applets
  – Databases
  – Banner ads
What Level Of Data “Stewardship” Does Your Customer Base Demand?
Business Considerations
Business Issues Driving Privacy Initiatives:
• Globalization
• Extended Enterprise
• Regulatory Requirements
• Customer Sensitivity
• Competition
• Brand Image
Business Considerations
How to handle the rock and hard place issue - Create
an effective privacy initiative using the following
steps:
• Retaining a Chief Privacy Officer (CPO)
• Creating a task group to evaluate and propose a
comprehensive privacy initiative for the entire organization
(headed by the CPO)
• Restructuring technology and business practices for privacy
compliance
• Educating and training for privacy awareness
• Evaluating applications, products, services and third parties
for privacy compliance on a periodic basis
Business Considerations
Rise of the Chief Privacy Officer (CPO)
“The rise in CPOs stems from one of two reasons: damage
control and prevention.”
Damage Control
Prevention
• RealNetworks
• Microsoft
• Doubleclick
• American Express
• Citigroup
• Prudential Insurance
Business Considerations
Duties of the Chief Privacy Officer
• Organize and coordinate Privacy Task Force or Committee
• Commission or conduct privacy risk assessment and inventory of privacy risks
• Track privacy environment and provide reports
• Monitor privacy law and regulations compliance
• Develop privacy policies and procedures
• Do privacy review of new products and new Net developments
• Support employee privacy training
• Interact with consumer groups and regulators
• Provide contact point for consumers
• Manage privacy dispute resolution
• Speak for the company and prepare executives for legislative/agency testimony
• Conduct regular/annual privacy audits
• Report to top management
Business Considerations
What are the costs of not having a
comprehensive privacy initiative?
• Loss of brand image
• Loss of revenue
• Loss of share price
• Cost of litigation and class action suits
• Cost of penalties for non-compliance
• Damage to public trust
• Damage to employee morale
Regulatory Concerns
Web Sites
1) What kinds of notice should Web sites be required to provide before they collect information? Should limits be imposed on what can be collected and how long it can be kept?
Ad Networks
2) Should consumers have a right to opt out or opt in before Web sites channel ad networks’ cookies to their machines?
Partners/Affiliates/Subsidiaries
3) What kind of sharing takes place with a Web site’s business partners which are considered “third parties”?
Other Third Parties
4) Should Web sites be required to have opt-in or opt-out policies on third-party data sharing?
Offline Transactions
6) What access should consumers have to their information?
Source: Forrester May 2000
Disjointed US Market Approach
• Deceptive Trade Practices: FTC Enforcement
• Health Care: HIPAA Privacy & Security Standards
• EU Safe Harbor Principles: Unknown acceptance
• Financial & Insurance Industry: Gramm-Leach-Bliley Act (implementation 7/2001); NAIC Model Law
• The Children’s Online Privacy Protection Act
• Proposed Consumer Legislation In Congress and Multiple States
Proliferation of Privacy Regulations
• Information crossing multiple borders
• Complex third party relationships (providers, buying exchanges, alliances)
• Increased use of web-based applications and systems
• Restrictive regulatory environment being adopted across regions
[Map labels: FTC, HIPAA, NAIC, GLB, Safe Harbor Principle, COPPA; Personal Information Protection and Electronics Document Act; UK Data Protection Act; Following EU Data Protection Directive; Federal Privacy Amendment Bill; Guidelines for the Protection of Computer Processed Personal Data; Privacy Ordinance; E-Commerce Code for the Protection of Personal Information]
Increasing Regulatory Tension
• European Union findings show that the United States does not provide adequate protection for Personally Identifiable Data
• Multiple regulatory agencies promulgating various rules for the same statute (e.g., GLB Act and SEC, Banking and FTC rules)
• State Legislatures enacting conflicting laws (e.g., must give customer opt-in rights v. opt-out rights)
Gramm-Leach-Bliley Act
Financial Services Modernization Act of 1999
Condensed Timeline:
November 12, 1999 – GLB signed into law
May 2000 – several Federal agencies published their final
rules (OTS, FDIC, FTC)
June/July 2000 – final rules published
November 13, 2000 – GLB privacy regulations enacted
July 1, 2001 – mandatory compliance deadline
Gramm-Leach-Bliley Act
Scope of Coverage:
• Financial Institutions: any institution significantly engaged
in financial activities
• Non-Public Personal Information: personally identifiable
financial information provided by a consumer to a financial
institution, resulting from any transaction with the consumer or
any service performed for the consumer, or otherwise obtained
by the financial institution.
• Consumer vs. Customer:
– Consumer: an individual who obtains a financial product or
service for personal, family or household purposes
• Occasional or isolated contact (e.g., ATM cash)
– Customer: has an established relationship (e.g., depositor,
borrower, or insurance policyholder)
Gramm-Leach-Bliley Act
Statutory Requirements:
• Clearly and conspicuously give a privacy notice to each consumer/customer, at least once each year, of the institution’s policies for collecting and sharing nonpublic personal information
  – A mere consumer need not receive a privacy notice, unless the financial institution intends to disclose that individual’s nonpublic personal information to nonaffiliated third parties
• Afford consumers choice (e.g., the right to “opt-out” of disclosures to non-affiliated third parties), subject to certain exceptions
  – Opt-out does not apply with respect to affiliate disclosure
• Cannot disclose account access information (e.g., account numbers) to third party marketers
• Abide by regulatory standards to protect the security and confidentiality of consumer non-public personal information
Gramm-Leach-Bliley Act
Notice: Initial and Annual:
• Categories of NPI collected
• Categories of NPI disclosed to others
• Categories of entities to whom NPI is disclosed
• Disclosure practices with regard to former customers
• NPI disclosed under joint marketing/agency exceptions
• Gramm-Leach-Bliley opt-out right
• FCRA opt-out right: applies to “secondary” information that a customer may volunteer in certain applications to a financial institution (e.g., an income statement). Does not apply to “experience” information.
• Security and confidentiality practices and procedures
• Disclosures covered by general exceptions (need only say that “certain other disclosures are made ‘as permitted by law’”)
Gramm-Leach-Bliley Act
Opt-Out: A financial institution may not disclose NPI to a
“nonaffiliated” third party unless:
• The financial institution clearly and conspicuously discloses to the consumer that such information may be disclosed to the third party;
• The consumer is given the opportunity to direct that the information not be disclosed to the third party; and
• The consumer is given an explanation of how to exercise that right.
The opt-out right must be easy to exercise and reasonable:
• A reply form with check-off boxes and a return address
• It is unreasonable to require the consumer to write a letter
Gramm-Leach-Bliley Act
NPI Sharing Exceptions:
• Necessary to process a transaction requested or authorized by the customer
• Necessary to effect, administer or enforce transaction
• Made with the consent of the consumer
• Made to protect against fraud
• Made to a consumer reporting agency
• Made in connection with the merger or sale of a financial institution
• Made to comply with a regulatory investigation
• Made to auditors
• Service Provider/Joint Marketing
  – A third party provides services on behalf of financial institution
  – Two financial institutions jointly market a product or service
Re-Use/Disclosure Restrictions Apply
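A disclosure gate that encodes the opt-out rule, the affiliate carve-out, the account-number prohibition and the sharing exceptions from the preceding GLB slides, as an added example (a simplified model of the slides' wording, not any institution's actual control and not legal advice; the purpose codes, field names and recipients are constructed):

```python
"""Disclosure gate modelling the GLB sharing rules summarised on the slides.
Added example: a simplified model of the slides' wording (assumption), not
any institution's actual control and not legal advice."""
from dataclasses import dataclass, field
from typing import List, Set

# Purposes from the "NPI Sharing Exceptions" slide: a disclosure made under one
# of these does not require an opt-out opportunity (purpose codes constructed).
SHARING_EXCEPTIONS: Set[str] = {
    "process_transaction", "administer_transaction", "consumer_consent",
    "fraud_protection", "consumer_reporting_agency", "merger_or_sale",
    "regulatory_investigation", "auditors",
    "service_provider", "joint_marketing",   # re-use/disclosure restrictions apply
}

# "Account access information (e.g., account numbers)" per the slide.
ACCOUNT_ACCESS_FIELDS: Set[str] = {"account_number", "card_number", "access_code"}


@dataclass
class Consumer:
    is_customer: bool            # established relationship vs. isolated contact
    notice_given: bool = False   # clear and conspicuous privacy notice delivered
    opt_out_offered: bool = False
    opted_out: bool = False


@dataclass
class Disclosure:
    recipient: str
    affiliated: bool
    purpose: str                 # a SHARING_EXCEPTIONS code, or e.g. "marketing"
    fields: Set[str] = field(default_factory=set)
    recipient_is_marketer: bool = False


def evaluate(c: Consumer, d: Disclosure) -> List[str]:
    """Return the reasons the disclosure is blocked; an empty list means it
    may proceed under this model. The absolute ban is checked first so it is
    reported even when a later rule would also stop the disclosure."""
    problems: List[str] = []
    # Absolute: account access information never goes to third-party marketers.
    if (d.recipient_is_marketer and not d.affiliated
            and d.fields & ACCOUNT_ACCESS_FIELDS):
        problems.append("account access information to third-party marketer")
    if d.affiliated:
        # Opt-out does not apply to affiliates; a customer must still have
        # received the initial/annual notice.
        if c.is_customer and not c.notice_given:
            problems.append("customer has not received privacy notice")
        return problems
    if d.purpose in SHARING_EXCEPTIONS:
        # Exception applies: no opt-out needed (recipient is bound by re-use limits).
        return problems
    # Nonaffiliated third party and no exception: notice, an opt-out
    # opportunity and no exercised opt-out are all required.
    if not c.notice_given:
        problems.append("consumer not told NPI may go to nonaffiliated third parties")
    if not c.opt_out_offered:
        problems.append("consumer not given an opportunity to opt out")
    if c.opted_out:
        problems.append("consumer has opted out")
    return problems


def demo() -> List[List[str]]:
    """Run the gate over a few constructed cases; returns the problem lists."""
    customer = Consumer(is_customer=True, notice_given=True, opt_out_offered=True)
    opted_out = Consumer(is_customer=True, notice_given=True,
                         opt_out_offered=True, opted_out=True)
    walk_in = Consumer(is_customer=False)   # e.g. ATM cash, no notice yet
    to_marketer = Disclosure("list broker", affiliated=False, purpose="marketing",
                             fields={"name", "address"}, recipient_is_marketer=True)
    with_account = Disclosure("list broker", affiliated=False, purpose="marketing",
                              fields={"name", "account_number"},
                              recipient_is_marketer=True)
    fraud = Disclosure("fraud consortium", affiliated=False,
                       purpose="fraud_protection", fields={"name", "account_number"})
    return [evaluate(customer, to_marketer), evaluate(opted_out, to_marketer),
            evaluate(customer, with_account), evaluate(walk_in, fraud)]


if __name__ == "__main__":
    for result in demo():
        print("permitted" if not result else "blocked: " + "; ".join(result))
```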
Gramm-Leach-Bliley Act
Timing Issues:
• July 1, 2001 Date Misleading
• Nonaffiliated Third Party Sharing:
  – Must provide consumers with approximately 30 days to make “opt-out” choice
  – Financial institution requires reasonable amount of time to collect and implement opt-out choices made by consumers
  – Must implement no later than end-April 2001
Regulators Overseeing Preparedness:
• Office of Thrift Supervision Privacy Preparedness Check-Up
• Office of Comptroller of Currency Advisory Notice
COPPA
Children’s Online Privacy Protection Act of 1998
The final ruling of the Act went
into effect on April 21, 2000.
• Applies to organizations or individuals
who operate a commercial Web site or
an online service directed to children
under the age of 13 that collects
personal information from children,
AND to those who operate a general
audience Web site, if they have actual
knowledge that they collect personal
information from children;
• The notice itself must be clearly written
and understandable and should not
include unrelated or confusing
materials;
• Parental consent must be obtained
before a child's personal information is
collected, used or disclosed;
• A new notice must be furnished if there
are material changes in the collection,
use or disclosure practices.
• Requires a link to the institution's
privacy notice on the home page and
at each area where it collects personal
information from children;
Federal Health Privacy
Regulations (“HIPAA”)
Health Insurance Portability and Accountability Act
Finalized December 20, 2000
What entities are regulated:
Health Plan Providers, Health Care Clearinghouses, Certain
Health Care Providers
What information is covered:
Protected Health Information: In general, information
related to physical or mental health, the provision of health
care, or the payment of health care
Federal Health Privacy
Regulations (“HIPAA”)
Key provisions include:
• Access - People have the right to see and copy their own medical records. Most states do not currently grant people such broad access.
• Limits on Disclosure - The regulation greatly restricts access to health information. Of note: for disclosures relating to treatment, payment and health care operations, providers must obtain patient consent.
• Employers - Employers are barred from receiving "protected health information" except for specific functions related to providing and paying for health care. Employers must establish a firewall between the health care division and employees who make decisions about employment.
Federal Health Privacy
Regulations (“HIPAA”)
Key provisions continued:
• Law Enforcement - Health care providers and plans are prohibited from releasing patient data to federal, state, or local law enforcement without some form of legal process, including a warrant, court order or administrative subpoena.
• Research - All research, whether publicly or privately funded, must be overseen by either an Institutional Review Board (IRB) or Privacy Board if the researcher seeks a waiver of informed consent.
• Penalties - Health care providers, health plans, and clearinghouses are subject to civil and criminal penalties (up to $250,000/year and 10 years in jail) for violating the law. HIPAA constrained the Secretary from including a private right of action for individuals to sue for violations of the law.
EU Data Protection Directive
Cross-Border Flow Of Personally Identifiable
Information
EU Data Protection Principles
• Adequate, relevant and not excessive
• Fairly and lawfully processed
• Processed for limited purposes
• Accurate and Secure
• Not kept longer than necessary
• Not transferred to countries without adequate protection
• Processed in accordance with the data subject's rights
European Union finding that United States does not provide an adequate level of data protection for PII
Safe Harbor Principles
Principles establish an “adequate” level of data protection
for non-financial United States companies
• Notice - Organizations must inform individuals how collected information will be used
• Choice - Individuals must be given an opportunity to choose to provide information if it is disclosed to a third party or used for purposes incompatible with the original purposes
• Upstream transfer - Organizations must ensure that third parties receiving data also follow Safe Harbor principles
• Security/Data Integrity - Reasonable precautions must be taken to protect personal information from loss, misuse and unauthorized access, disclosure, misuse and alteration. Organizations should take reasonable steps to ensure that data is collected for the intended use, accurate, complete and current
• Access - Individuals must have access to information collected about them.
• Enforcement - Organizations must provide effective means for ensuring compliance with Safe Harbor principles and consequences for non-compliance
Consequences of Non-Adoption of
Safe Harbor
• Must adhere to privacy standards as interpreted in each
EU member state (as opposed to one standard)
• Subject to actions brought by each EU member state
where directive is violated, and possible shutdown of
cross border data flows and assessment of damages
• Negative publicity and possible loss of market share in EU
member states
• However, certification without complete adoption of Safe
Harbor Principles can subject a company to regulatory
action in the United States and in the EU.
Technological Challenges
• Written procedures often fail to accurately reflect actual systems capabilities and practices.
• Information may be stored incorrectly and shared with third parties.
• Organizations may not have inventoried personally identifiable information, and may not understand data flows through systems and processes.
• Web sites are easily able to record and track individual identity and associated activities on the Internet.
• Current technology infrastructure may be unable to incorporate policies and controls to comply with notice, choice and security requirements.
• Information systems are rarely integrated and unable to capture the total customer relationship throughout an enterprise.
• Business and legal departments may be unfamiliar with the capabilities of their enterprise technology and its implementation.
“We’re going to do a Smith & Wesson on DoubleClick”
- Michigan State Attorney General
[Diagram: Browser → Internet → Web Site X / Web Site Y → DoubleClick Server]
DoubleClick created profiles of individuals using the World Wide Web by placing a cookie with a unique identification number on users’ browsers.
When a browser went to a member web site which contained an invisible DoubleClick graphic, a request was sent to the DoubleClick Server, which assigned the user’s browser a cookie containing a unique identification number.
From that time forward, whenever the user connected to any Web site that subscribed to the DoubleClick System, their browser returned the identification number to the DoubleClick server, allowing the server to recognize her.
Over a period of time DoubleClick compiled a list of which member sites the user had visited and revisited, and a profile of the user's tastes and interests.
This information was used to compile valuable feedback for its member Web sites, such as providing them with audience profiles.
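The cross-site recognition described on this slide, simulated as an added example (not DoubleClick's code; the ad host, site names and id format are constructed) and shown beside the browser-side setting that breaks the linkage, blocking cookies set in a third-party context:

```python
"""Simulation of cookie-based cross-site profiling as described on the
DoubleClick slide, beside the browser control that breaks the linkage
(third-party cookie blocking). Added example: the host name, site names
and id format are constructed, not DoubleClick's."""
import itertools
from typing import Dict, List, Optional, Tuple

AD_HOST = "ads.example-network.test"   # constructed stand-in for the ad server


class AdServer:
    """Third-party server behind the 'invisible graphic': hands out a
    unique-id cookie and logs (id, referring site) for every fetch."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self.visits: List[Tuple[str, str]] = []

    def serve_pixel(self, cookie: Optional[str], referer: str) -> str:
        """Return the id attributed to this request; the same value is the
        Set-Cookie the server asks the browser to keep."""
        user_id = cookie if cookie else f"uid-{next(self._ids):04d}"
        self.visits.append((user_id, referer))
        return user_id

    def profile(self, user_id: str) -> List[str]:
        """Distinct member sites, in first-seen order, logged under one id."""
        seen: List[str] = []
        for uid, site in self.visits:
            if uid == user_id and site not in seen:
                seen.append(site)
        return seen


class Browser:
    """Minimal browser: a per-host cookie jar plus one privacy setting."""

    def __init__(self, block_third_party: bool = False) -> None:
        self.block_third_party = block_third_party
        self.jar: Dict[str, str] = {}

    def visit(self, site: str, ad: AdServer) -> str:
        """Load a member page that embeds the ad server's graphic and return
        the id the ad server recorded for this visit."""
        # The graphic is fetched from AD_HOST while the top-level page is
        # `site`, so the cookie exchange happens in a third-party context.
        third_party_context = site != AD_HOST
        presented = self.jar.get(AD_HOST)
        user_id = ad.serve_pixel(presented, referer=site)
        if third_party_context and self.block_third_party:
            return user_id           # Set-Cookie discarded: nothing to re-send
        self.jar[AD_HOST] = user_id  # stored, and re-sent on the next member site
        return user_id


def track_across_sites(block_third_party: bool) -> Dict[str, List[str]]:
    """Browse three member sites (one twice) and return {id: [sites]} as the
    ad server sees it. With blocking off, one id links every site visited;
    with blocking on, every visit looks like a new, unrelated browser."""
    ad = AdServer()
    browser = Browser(block_third_party=block_third_party)
    for site in ["site-x.test", "site-y.test", "site-x.test", "site-z.test"]:
        browser.visit(site, ad)
    return {uid: ad.profile(uid) for uid in sorted({u for u, _ in ad.visits})}


if __name__ == "__main__":
    print("third-party cookies allowed:", track_across_sites(False))
    print("third-party cookies blocked:", track_across_sites(True))
```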
[Diagram: Browser → Internet → RealNetworks Server and Other Servers; RealJukebox (play music, download music) sends a GUID and the music played]
In 1999, RealNetworks faced several class-action lawsuits alleging the violation of privacy of its customers by using software that would track not only individual users but also what music they played and listened to using the RealJukebox.
RealNetworks Director of Systems Marketing, Peter Zaballos, said that the features were "built out by an aggressive development team that was not yet married to business policies."
“To put the matter another way, while the public voices of the company [RealNetworks] are proclaiming their adherence to strict privacy standards, their technical staff are putting forth software that violates those standards.” (Tom Maddox)
Initiatives on the Web
Privacy initiatives in the marketplace
• Private Payments
• P3P
• Private E-mail
• Content Management Providers
• Web Analytic Tools
• Privacy Tools
Endorsements/Privacy Seal Programs
• Truste
• BBB Online
• WebTrust
Technology Definitions
Transmission Control Protocol/Internet Protocol (TCP/IP) - A
protocol developed for the Department of Defense that has become the de facto
communications standard of the Internet.
HyperText Transfer Protocol (HTTP) - The protocol most often used to
transfer information from World Wide Web servers to browsers, which is why Web
addresses begin with http://.
Globally Unique Identifier (GUID) - A number assigned to a user to track
application access and use. Specifically, a number embedded in Microsoft's Windows
98 operating system which could be used to track a user's network usage and other
activities. The number, attached to software and even documents created by the
user, made it possible to track applications that were used and documents that were
created throughout a network.
Personal Identifiable Information (PII) - Any information relating to an
identified or identifiable natural person; an identifiable person is one who can be
identified, directly or indirectly, in particular by reference to an identification number
or to one or more factors specific to his physical, physiological, mental, economic,
cultural or social identity. (EU Data Protection Act)
Technology Definitions
HyperText Markup Language (HTML) - The language used to create World
Wide Web pages, with hyperlinks and markup for text formatting
Common Gateway Interface (CGI) - A way of interfacing computer
programs with HTTP or Web servers, so that a server can offer interactive sites
instead of just static text and images.
Perl - A general-purpose programming language which has become the language
of choice for World Wide Web development, text processing, Internet services, and
every other task requiring portable and easily-developed solutions.
JavaScript - A cross-platform WWW scripting language from Netscape
Communications, very popular because it is simple, easy to learn, and can be
included in an HTML file.
Public-Key Encryption - A way of encrypting messages in which each user has
a public key and a private key. Messages are sent encrypted with the receiver's
public key; the receiver decrypts them using the private key.
Public-Key Infrastructure (PKI) - provides the people, policies, processes
and technology for managing the various public keys that are used to provide
network security and confidentiality through encryption and digital signatures.
Competitive Advantage vs. Increased Risk
• Regulations form a baseline requirement for compliance.
• Brand image is susceptible to breaches in customer privacy.
• A proactive approach to privacy makes a statement about the importance of the customer’s trust.
• Therefore, companies have the opportunity to create a differential advantage through sound privacy policies and practices.
• However, a more aggressive approach may subject the company to heightened scrutiny and increased risk.
• Systems, products and services must accurately reflect privacy policy
[Chart: brand image value over time; an aggressive privacy initiative versus a less aggressive one that tracks regulatory requirements and regulations]
Lessons Learned
• Failure To Understand Customer Concerns And Perceptions
  – E.g., Sharing of information with third parties vs. solicitation
• Failure To Plan For Multi-Regulatory Environment
  – Little rationalization of various regulations (e.g., EU Data Protection Directive, GLB, HIPAA)
• Focus On Privacy Policy And Notice, Without Detailed Understanding Of Whether Systems Are In Compliance
  – Leads to regulatory non-compliance and charges of deceptive practices
  – Often business and legal components of business unfamiliar with system capabilities
• Few Companies Have Adequately Inventoried The Personally Identifiable Information Collected And Understand Where, When And How It Is Shared With Third Parties (Or Its Affiliates)
Lessons Learned
• Technology “Fixes” Are Not Designed For The Long-Term Environment
  – Minimal thought to the design and implementation of customer choice databases, or mechanisms for reviewing compliance
  – Infrastructure may be inadequate or unable to incorporate privacy policy and regulations
  – Failure to implement across enterprise (silo approach to privacy)
• Management Unaware Of Privacy Risks Associated With Web-Environment
  – E.g., Toys R Us and Coremetrics Litigation (no intent to violate privacy policy, but charged with deceptive practices)
  – Easy to track identity and activities of customers over web
• Failure To Maximize Privacy Work
  – After inventory of personally identifiable information and data flows, opportunity to develop systems and methodologies for maximizing customer data mining within privacy policy framework
  – Little exploitation of leadership within the extended enterprise (e.g., assisting partners implement successful privacy programs in order to further cement relationship)
Lessons Learned
• Failure To Analyze Products And Services Sold To Marketplace For Privacy Compliance
  – Not simply an internal system issue
  – Complex regulatory problems for products and services sold globally
  – During development process procedures and controls need to be developed to include privacy considerations
• Failure To Recognize Impact On Mergers And Acquisitions
  – Can consumer information be shared between entities?
  – What is the cost of ensuring the new or combined entity is compliant?
  – Does the acquisition or merger subject entity to new regulatory environment?
Trust Is An Asset
Summary
• Questions??
• Useful websites
www.privacyheadquarters.com (pop quiz on GLB)
www.privacyfoundation.org
www.privacy.org
www.privacytimes.com
www.epic.org
www.pandab.org