1 / 34

Analysis of Corporate Privacy Practices

Analysis of Corporate Privacy Practices. Presentation by Dr. Larry Ponemon CEO, Privacy Council Workshop on the Relationship between Privacy & Security Carnegie-Mellon University, May 29, 2002. Proposed Agenda:. The drivers to privacy

adam-williamson
Download Presentation

Analysis of Corporate Privacy Practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Analysis of Corporate Privacy Practices Presentation by Dr. Larry Ponemon CEO, Privacy Council Workshop on the Relationship between Privacy & Security Carnegie-Mellon University, May 29, 2002

  2. Proposed Agenda: • The drivers to privacy • The impact of 9/11 on corporate privacy compliance initiatives • Review of corporate privacy management practices

  3. A “Right” to Privacy? Do You Have a Right to: Control information collected about you and your family? Control how that information is being used? Have access to review your personal information? Have the ability to change incorrect information?

  4. How Bad Does it Get? • Story: In Arizona, about 100 members of a retirement community were given “free” personal computers, full access to the Internet and a basic ‘hands-on” training program. • Sounds too good to be true? • Real deal is about providing significant information about yourself and your immediate family (children, grandchildren and so forth). • So, who has the choice now? What recourse do these people have. And, how about our relatives who had their privacy violated?

  5. Fact . . . • A recent analysis of major organizations show that less than 24% of companies in the United States are in “reasonable” compliance with their stated Internet privacy policy. • Far fewer companies would be able to comply with the provisions of new regulations,laws and standards around the world.

  6. Why is Privacy a Hot Issue? • Post 9/11 – Surveillance society • Growing misuse of personal (sensitive information) • Exponential growth in identity theft • Increased regulatory oversight • Press and media coverage • Aggressive advocacy

  7. Review: The “Ethical” Principles • Notice and Awareness: • Information collection practices • Usage and sharing • Choice and Consent: • Opt-in and opt-out policies and methods • Access and Accuracy: • Right to view, modify or delete relevant information • Reasonable Security: • Ensuring the integrity and protection of data • Redress and Enforcement: • Including dispute resolution mechanism

  8. Post 9/11 Impact on Privacy and Surveillance • Authentication has become major focus • Something that the company has about you usually in the form of individuated data (mother’s maiden name) • Something that your carry in your wallet, computer or PDA (smart card) • Something that defines you such as a finger print, and facial scan, (biometrics) Better authentication reduces both privacy and security risks, but only if the credentialing process is nearly perfect.

  9. Post 9/11 Impact on Privacy and Surveillance • Security has become dominant over privacy • The focus on stopping the “bad guy” from getting inside the critical infrastructure or gaining access to assets • Privacy rights are still important, but not at the cost of diminishing security and public safety • New surveillance methods draw upon multiple sources of customer-centric information creating a potential privacy blow-up if this personal information is not protected or managed properly.

  10. Factors Increasing Post 9/11 Privacy Risks • Growing use for personal information • Over-reliance on new biometric and surveillance technologies (increasing misclassification risk, false positives) • Lax controls over personal information used for surveillance • Increased information sharing practices among organizations, without proper control or consistent application • Limited or fragmented regulatory enforcement of privacy • Lack of awareness, understanding or general complacency about the continued need for privacy

  11. The New Surveillance Society Growing concerns for most people: • Who is watching me? • Who is watching the watchers? • Do individuals have a choice? • How will surveillance data (negative data) be used and/or shared? • What are the long-term consequences to our rights to privacy (and what are the costs to business)?

  12. Regulations and Industry Initiatives • Financial Services Gramm-Leach-Bliley Act (GLBA) • Health Care - Health Insurance Portability and Accountability Act (HIPPA) • Children’s Online Privacy Protection Act - COPPA • Federal Trade Commission • EU Data Protection Directive • New Canadian Regulations - PIPEDA • Proposed Bills for Internet, Government and Financial Services • Over 400 State bills (including recent legislation in Vermont)

  13. Beyond Regulation • Consumer concerns are costing business in terms of lost sales, market value and potential litigation • Strong and well funded advocacy groups have major impact on corporate reputation • Privacy concerns are not independent of national boundary and culture • Privacy regulation is creating large demand for privacy enabling technology such as P3P • Privacy issues create real social and ethical risk

  14. Consequences . . . • Many companies have become paralyzed by the proverbial privacy storm. • Privacy advocates and regulators are quickly turning their attention to off-line companies with respect to the sale of personal (sensitive) information. • The largest area for potential abuse concerns telephony and the wireless web, which many take years to get off the ground because of regulatory groundswells. • But, most companies are still complacent about privacy risk

  15. What Makes a Privacy Policy Work?

  16. Setting the Tone of the Program • Understanding your business and data management environment • Focus program on identified risk areas • Avoid the “CYA” orientation • Avoid too much control over behavior • Get commitment from senior executives and the Board • Get input and buy-in from all key stakeholders • Avoid the “one size fits all” syndrome • Privacy policy needs to fit corporate culture • Decentralized environment may require separate policies • Make sure that you “walk-the-talk”

  17. Establishing Governance • Establish privacy leader and organizational sponsor • Assigned the title Privacy Officer • High-level reporting responsibility to the CEO • Establish cross-functional committee composed of key stakeholders, including: • Legal • Marketing/CRM • Human Resources • Corporate Compliance • Regulatory Affairs and Public Relations • Information Technology • Security

  18. Writing the Policy • Start with pledge of the CEO and Board • Define overarching principles • Keep sections clear and concise • If possible, avoid legalese • Include examples and short cases • Explain the redress process • Define what is meant by personal accountability

  19. Five Typical Policy Components • Requirements and process for fair disclosure and proper notice • Opportunity to provide individuals with choice or consent to data capture, secondary usage and sharing • Pledge of reasonable security and data protection efforts over all personal (private) information • Opportunity to access personal information (and correct identified errors) • Pledge of reasonable redress and dispute resolution process for individuals

  20. Vetting the Privacy Policy • Get buy in from business unit leaders • Hold workshops with groups of employees to determine understanding and usefulness • Revise document based on legitimate issues and concerns raised by stakeholders • Get finalized approval from the Board • Send policy to all employees, contractors and business partners • Think about external disclosure (on Web sites and other public venues)

  21. Benchmark Results on Privacy Policy Unpublished study of 181 corporations (all Fortune 1000 or Global 500 companies) containing information on their corporate ethics programs used to determine the existence, coverage and effectiveness of program efforts on a global basis

  22. Reality Check “Most people don’t do what they believe in, they just do what’s most convenient -- and then they repent.”Source: Bob Dylan.

  23. Privacy Management Process

  24. What is the Privacy Management Process? “A management process comprised of compliance programs and systems designed to motivate, measure, and monitor the organization’s privacy and data protection practices.”

  25. The Privacy Management Process Process Management Including performance-based measurement, scorecards, external verification and crisis management plan Ongoing Monitoring Including formal process for identifying privacy and information security risk and vulnerability areas within core business units Training Including classroom based training, facilitated training, and e-learning programs for all employees who handle sensitive personal information Communications Including policies, corporate communications, employee handbooks, and compliance procedures Enforcement Including the formal mechanism and due process for evaluating privacy and data protection blow-ups

  26. Building an Effective Privacy Management Process • PMP helps to identify and reduce the most salient cases of privacy compliance and data protection risks. • PMP helps to make policies real and meaningful to employees and other key stakeholders. • PMP helps people to learn about their role in managing privacy and in protecting sensitive personal data within the organization. • PMP serves as a tool to foster feedback and learning for employees and managers. • PMP fosters climate and cultural change with respect to accountability and empowerment.

  27. Measuring the Effectiveness of the Privacy Management Process • Develop process performance benchmarks and guidelines that can be verified (perhaps by independent third-party). • Use drill-down approach to assess privacy and data protection risk at the core business process level. • Develop performance indicators that focus on the antecedents to privacy and data protection risk. • Used “balanced scorecard” approach to measuring improvements and establishing accountability.

  28. Objective Measures Existence of PMP Training coverage Understanding and knowledge Compliance breaches Customer complaints Customer churn Litigation Perception Measures Quality of policy Beliefs about program Culture toward compliance Consumer trust Reputation Pressure to bend the rules Performance Indicators for Privacy Management Process

  29. What Companies are Doing Today

  30. What Companies are Doing Today • Privacy policy with limited training or awareness activity during rollout phase • Governance model using cross-functional committee • Basic education program, often using e-learning technology to disseminate information and test understanding • Minimal downstream communication efforts • Appointment of a high level executive as the “ privacy officer” often with unclear reporting lines • Limited monitoring or assessment of compliance-related risks

  31. Benchmark on Privacy Practices Unpublished study of 181 corporations (all Fortune 1000 or Global 500 companies) containing information on their corporate ethics programs used to determine the existence, coverage and effectiveness of program efforts on a global basis

  32. Benchmark by Industry Classification Unpublished study of 181 corporations (all Fortune 1000 or Global 500 companies) containing information on their corporate ethics programs used to determine the existence, coverage and effectiveness of program efforts on a global basis. Companies in each industry category scored “yes” to 4 or more benchmarks (of the 12 shown on the previous slide).

  33. Best Practices for Global Corporations • Integration with information security team • High-level reporting to the CEO with periodic reports to the Board • Use of enabling technologies such as P3P • Empowering local privacy managers • Real budget authority • Black Belt training orientation • Redress program with real powers to investigate and enforce • Internal monitoring of privacy program (and mock regulatory audits) • Third-party verification • Good quality disclosure • Greater use of choice (such as opt-in approach for sensitive information) • Use of insurance to mitigate privacy and data protection blow-ups • Balanced approach to data collection for marketing and other uses

  34. Questions & Answers Presentation by Dr. Larry Ponemon CEO, Privacy Council (972) 997 4016 Larry.ponemon@privacycouncil.com

More Related