1 / 34

“Maintaining Trust in an Electronic World”

“Maintaining Trust in an Electronic World”. Professor Peter P. Swire George Washington University Former Chief Counselor for Privacy for the United States Government San Diego; July 11, 2001. Overview:. Tylenol as an example of gaining trust My background Banking Heritage of Trust:

kenley
Download Presentation

“Maintaining Trust in an Electronic World”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. “Maintaining Trust in an Electronic World” Professor Peter P. Swire George Washington University Former Chief Counselor for Privacy for the United States Government San Diego; July 11, 2001

  2. Overview: • Tylenol as an example of gaining trust • My background • Banking Heritage of Trust: • Security • Privacy • Authentication

  3. I. The Tylenol Example • History: Tylenol episode in 1982 • 7 people died from cyanide poisoned capsules • Massive publicity worldwide • Threatened a flagship product and Johnson & Johnson itself

  4. The Immediate Response • Tylenol as a textbook case of good crisis management • All pills immediately taken off store shelves • Principles: • Long-run considerations drive decisions • Take action immediately • Provide truthful information

  5. Visible Signs of Trust • Packaging sends strong, credible message that customer can trust the product • Pre-1982: Twist-off cap, then pills • Today: Plastic wrap, then child-proof twist-off cap, then foil seal to demonstrate physical integrity, then pills

  6. Lessons from Tylenol • You must prepare for public relations challenges, especially for new products online: • Very fast press cycle today • Public perception of risk stokes press stories • What are you doing for financial services on-line to reinforce customer trust? • What compares to the foil seal?

  7. II. My Background • Lawyer for banks and ABHC beginning in 1980s • Taught banking law 6 times in law schools • Book on E.U. Data Protection Directive • Academic writings on financial cryptography and electronic payments • Current research on computer security • Editor of Cyberspace Law Abstracts

  8. Chief Counselor for Privacy • Early 1999 became Clinton Administration Chief Counselor for Privacy (new position) • Gramm-Leach-Bliley & privacy • Money laundering & privacy • Encryption policy changes 1999 • Safe harbor talks • Medical privacy (including payments) • Other privacy & e-commerce policy

  9. III. Banking Heritage of Trust • Confidentiality and trust as great banking traditions • Trust: Safety and Soundness • Financial stability & no runs • Physical security -- the bank vault • Trust that your money will be there

  10. Heritage of Trust • Trust as Confidentiality: • Customer as borrower • Customer as depositor • Customer who seeks advice from banker • Customer who uses a bank’s cash management services • Trust that banker will not disclose my business

  11. Heritage of Trust • Security • Privacy • Authentication

  12. IV. Security and Trust • Lessons from history • Information sharing and computer security

  13. History: The Pay Telephone • The pay phone as a distributed payment system • Vulnerable pot of cash • Early attacks by shock, gun, etc. • Successive generations of learning by security professionals • Today, a mature & trusted technology

  14. Lessons from the Pay Phone • Challenge today -- can have big outflow of cash over computer networks • “Open networks” like “open road” with phone booth in remote location • We will need successive generations of learning • Will need new encryption, procedures, etc. to become the standard

  15. Security & Information Sharing • My current research: what should be hidden or open in computer security? • In physical world, security done by each institution -- competitors did not have the floor plans to your vault • Today, banks may use same software, hardware, standard procedures • Today, banks subject to same virus or other attack

  16. Security & Information Sharing • When banks have same infrastructure and subject to same attacks, new reason to share security data • ISACs -- Information Sharing & Analysis Centers part of U.S. critical infrastructure protection effort • Moral: will need to trust other security professionals to face common threats, while guarding company proprietary information

  17. V. Privacy • Is confidentiality in banking outdated? • Perhaps: • Lower cost for all information flows • One-to-one marketing uses data to deliver what the customer wants, at a profit • Mergers for banking, insurance, securities, etc. to match customers with new products • Customer profiling to reduce fraud and money laundering

  18. Privacy • Is confidentiality in banking outdated? • Perhaps not: • Don't you, as an individual, expect your financial information to be treated confidentially? • WSJ poll on privacy in the new century • Individuals and businesses cannot have each purchase revealed to all the world

  19. Are there real privacy problems? • U.S. Bank case, 1999 • Information here from public documents • U.S. Bank made major commitments to change • 600,000 checking account customers • name, home phone & address, SSN, DOB, product code, account number, routing & transit number

  20. U.S. Bank (continued) • 330,000 credit card customers • name, home address & phone, last purchase date, date opened, current balance, credit limit, YTD finance charges, last payment date, amount last payment, SSN, DOB, behavior score, bankruptcy score

  21. U.S. Bank (continued) • Notice: “Periodically we may share our cardholder lists with companies that supply products and services that we feel our customers will value.” • Apparently no opt-out • Apparently similar activities by other banks

  22. What problems from U.S. Bank? • Data released for unrelated purpose -- a dental plan • “Negative option” by Memberworks: • Postcard then have 30 days to cancel • If not, then billed annual fee ($59.95) • Lots of complaints once fee taken out of account

  23. New U.S. Privacy Law as a Response • Notice -- the bank’s policy • Choice -- customers can say no to transfers to third parties • Enforcement -- examiner authority as with other consumer laws • Anti-fraud: fight pretext calling and identity theft, scrutinize risky data flows

  24. Why customer choice? • Don't “stop all marketing” • Do respect choices of individuals who do not want marketing or other transfers • The price of opening an account should not be undisclosed and unlimited data flows • Consumers’ ability to choose creates trust, and less need for fear

  25. What will happen next for privacy laws? • In U.S., may have more privacy laws in coming years • Internet-specific law? • Financial services laws -- state or federal? • Safe Harbor and financial services • To satisfy regulators, press & public, financial companies should expect to announce good policies & follow them

  26. VI. Authentication and Trust • In electronic environment, how can you be sure that it is the real customer? • First question -- do you need to know the identity? • Cash • Smart cards & can be without identity

  27. Levels of Authentication • Where identify, can have levels of authentication, often with loss limits • For ATMs, $300 daily limit and 4-digit PIN • Debit cards as a loss limit -- customer can’t lose more than the account balance • For credit cards, customer has $50 loss limit & banks have anti-fraud programs up to customer credit limit

  28. Authentication • But, how to do big transactions? • For consumers, that may take a long time • Walk before run • Amazon online before mortgage online • Can “Grandma lose her house”?

  29. Authentication • For businesses, build infrastructure • Banks as certificate authorities for digital signatures • Rely on institutional controls, much as you do for large corporate checks • Remember the pay telephone: • Successive generations • Improve the ways to authenticate and be secure

  30. Conclusions • Tylenol and the foil seal: what are you doing to give visible demonstrations of trustworthiness? • Security • The pay phone & constant improvement • When to share information

  31. Conclusions (continued) • Privacy: • Confidentiality in banking is not outdated • Develop policies and follow them • Authentication • Walk before you run • Use stop losses & other tools to manage risk • To gain trust you must deserve trust:

  32. President Clinton, at Aspen Institute:“Do you have privacy policies you can be proud of? Do you have privacy policies you would be glad to have reported in the media?”

  33. For security, privacy & authentication: If you can be proud of your policies, then they will gain trust, and help your organization prosper, in the information age. That is your job in the coming years

  34. Contact Information • Professor Peter Swire • Phone: (301) 213-9587 • Email: pswire@main.nlc.gwu.edu • Web: www.osu.edu/units/law/swire.htm • Presidential Privacy Archives: www.privacy2000.org (containing privacy documents from Clinton Administration)

More Related