SOCIETY for INFORMATION MANAGEMENT, FAIRFIELD & WESTCHESTER CHAPTER
“Privacy, IT, and the Changing Landscape”
A Panel Discussion with:
• Bill Bandon – Wiggin & Dana, LLP
• Indy Crowley – Yale University
• Ruth Nelson – PricewaterhouseCoopers LLP
• Eran Marom – Tory Ventures
• Pete Petrusky – PricewaterhouseCoopers LLP (Moderator)
Doral Arrowwood, Rye Brook, New York
April 15, 2004
Agenda
• Introductions
• Privacy & Fair Information Principles
• Privacy & Security
• Privacy Legislation
  • U.S. Perspectives & Enforcement Activity
  • International Privacy Landscape
• Privacy & Business
  • Why It Is a Hot Topic
  • Privacy Incidents
• Panel Discussion
• Q&A
• Appendices
  • Privacy Best Practices
  • Reference Sites
What is Privacy?
An individual’s right to:
• Know how their information is handled
• Control the information collected about them
• Control what that information is used for
• Control who has access to the information
• Amend, change & delete their personal information
Fair Information Principles
• Collection
• Data quality
• Purpose specification
• Use limitation
• Security safeguards
• Openness
• Individual participation
• Accountability
Privacy vs Security
PRIVACY
• Involves the whole information lifecycle
• Is about more than just protecting personal information
• Most privacy legislation includes security as one aspect
SECURITY
• Is a core component of good privacy practice
• Is a key instrument for executing privacy policies
• Viewed as a technology enabler, supporting policies, access controls, individual choice and 3rd party sharing
The US Perspective – Jigsaw Regime
• Children’s Online Privacy Protection Act (COPPA)
• Financial Services Modernization – Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• FTC & SAG Enforcement
• CAN SPAM Act
• Patchwork of State Laws
• US Safe Harbor
Sample of Data Protection Laws Around the World
• The EU Data Protection Directive & comparable privacy legislation by 15 member states
• Switzerland – Federal Act on Data Protection (1992)
• Hungary – Protection of Personal Data and Disclosure of Data of Public Interest (1992)
• Czech Republic – Act on Protection of Personal Data (2000)
• Norway – Personal Data Registers Act of 2000
• Canada – Personal Information Protection and Electronic Documents Act (2000)
• Argentina – Personal Data Protection Act (2000)
• Chile – Law for the Protection of Private Life (1999)
• Australia – Privacy Amendment (Private Sector) Act (2001)
• Hong Kong – The Personal Data (Privacy) Ordinance (1996)
• New Zealand – Federal Privacy Act (1993)
• and more…
The Global Picture
Recent privacy legislation (Australia, Hong Kong, Canada) is trending toward EU-style privacy regulation and away from U.S. sectoral/data elements-based models.
Privacy & Business
Question: What keeps you up at night?
Top 7 concerns for CEOs and Directors, based on recent research by the Personalization Consortium
CEOs and Boards of top e-Businesses
• Customer Loyalty
• Burn Rate/Profitability
• Privacy
• Sustainable Growth
• New Regulations
• Competition
• Staffing/Leadership
CEOs and Boards of Fortune 500s
• Shareholder Value
• Market Convergence
• Privacy/Data Integrity
• New Regulations
• Customer Loyalty
• Global Competition
• Technology Change
Privacy & Business
• Privacy Failures Can Have Major Consequences
  • Damage to brand and reputation
  • Loss of customers/increased costs for acquiring new ones
  • Loss of revenues and new business opportunities
  • Regulatory Action/Penalties for non-compliance
  • Litigation
  • International enforcement actions
  • Disruption of cross-border data flows
What are people talking about? Are consumers really concerned?
• Devices Locate Children, Create Privacy Issues
• TiVo criticized by privacy group – TV service secretly collects info about viewers
• Would You Sell Your Secrets for Free Internet Service?
• Missouri Privacy Suit
• AOL Time Warner in Privacy Dilemma
• RealNetworks in Real trouble
• Travelocity Privacy Violation
• Ikea exposes customer information on catalog site
• Hotmail glitch exposes email addresses
• AmEx, EDS May Face European Privacy Lawsuits
• AT&T customers’ privacy left blowing in the wind
• Privacy Suit Charges Sites with Misrepresentation Over Placing of Cookies on Users’ Drives
• Amazon's Wish: No More Bad PR
• Activists charge DoubleClick Double Cross
• Lack of Notice Snags e-service
• Report Labels Internet Privacy Policies ‘A Joke’
• Yahoo sued over use of cookies
• CreditCards.com database stolen
• Hackers bust Telecom NZ security compromising privacy
Managing Website Privacy: Current On-line Privacy Compliance Challenges
Assumes:
• Web team knows about the corporate privacy policy and local legislative requirements
• Web team is not using technologies or methods that breach the policy
• Appropriate and adequate links to the privacy policy are maintained on every site
• New or specific website transactions and functionality have been assessed for privacy risk
• Back of house procedures have been developed to support the website’s privacy disclosures
Problem: Websites are not static and are large in nature
• Sites are growing and changing on a daily basis
  • Challenge to monitor and ensure new content and new sites are in compliance with the privacy policy
• Too many privacy issues spread across too many web pages
  • Difficult and labor intensive to measure current and ongoing compliance
  • Costly to manage using existing tools and techniques
• Many individuals responsible for site creation
  • Increases the risk of privacy glitches
  • Privacy compliance becomes reactive rather than proactive
Privacy Red Flags
• Lack of an adequate privacy statement
• Privacy statement does not accurately reflect practices
• Back of house procedures do not support the policy disclosures
• Lack of privacy awareness throughout the company
  • Marketing, IT, web developers, business development
• New legislation and regulations which impact the business
• Existing transborder dataflows to the US
• Use of third parties and new technologies
• Failure to maintain adequate security
• Websites or businesses operating in regulated regions
Where to Begin…
• Mobilize appropriate resources
• Designate privacy champions and project governance team
• Determine privacy work that has previously been performed
• Communicate project needs and goals
• Assess privacy compliance requirements and drivers
• Develop the overall privacy vision and strategy
• Determine current level of privacy compliance based on existing procedures
• Determine high risk areas or areas that need specific focus
Benefits of Good Privacy Practices
Responsible Privacy Practices lead to:
• Brand Protection
• Customer Trust & Confidence
• Customer Loyalty
• Shareholder value
• Responsible Customer Relationship Management
• Business Partner Confidence
• Differentiation from Competitors
A Privacy Breach leads to:
• Litigation
• Reputation Damage
• Interrupted Data Flows
• Case for Regulation
• Unwanted Attention
Maintaining Privacy Compliance
• Designate a privacy subject matter expert
• Continue to educate, train and raise awareness throughout the company
• Stay abreast of legislative and industry developments
• Build processes to manage changes to your Website
• Review information handling practices periodically
• Assess new third parties’ and partners’ practices
• Assess information disclosures & third-party data sharing
• Disclose any changes in your policy
• Perform periodic compliance reviews
• Regular audits
Conclusions
• Enhances trust and consumer confidence
• Increases customer loyalty
• First mover advantage – competitive differentiation
• Aim for positive media, not negative
• Promotes shareholder value
• Reduces barriers to international trade
• Avoids litigation and regulatory action
Selected sites for topical research concerning information privacy
• International Association of Privacy Professionals – www.privacyassociation.org
• Federal Trade Commission Site for Consumers – http://www.ftc.gov/
• U.S. Department of Commerce Site for Safe Harbor – http://www.export.gov/safeharbor/
• Privacy Foundation – http://www.privacyfoundation.org/
• Truste Privacy Seal Program – http://www.truste.org
• BBBOnline Privacy Seal Program – http://www.bbbonline.org
• Electronic Privacy Information Center – http://www.epic.org
• Online Privacy Alliance – http://www.privacyalliance.org
• Draft Commission Decision on Standard Contractual Clauses on the Web – http://www.europa.eu.int (March 27, 2001)
• ICRT Comments on Binding Corporate Rules – http://www.icrt.org/pos_papers/2003/030930_EE.pdf
• Guidelines on the Protection of Privacy and Transborder Flows of Personal Data – http://www.oecd.org
• Hong Kong Data Protection Act Summary – http://www.privacyexchange.org
• Privacy and Human Rights 2000 – http://www.privacyinternatinal.org
• Proposed/Pending National Legislation – http://www.privacyexchange.org
• Recent Developments in Latin American Privacy Laws – http://www.haledorr.com
• Standardization: A Business Tool for Data Privacy. CEN/ISSS Open Seminar – http://www.cenorm.be