ePrivacy Assurance
October 6, 2001, 9:00 am – 10:30 pm
Monitor • Assess • Implement • Plan / Design • Build

PERSONAL INFORMATION PRIVACY
ePrivacy Assurance
ROBERT PARKER, Partner, Deloitte & Touche
rparker@deloitte.ca
(416) 601-5927
ePrivacy Assurance
Personal Information Privacy and the various legislation, regulations and guidance thereon raise complex issues. This presentation is designed to provide a general overview of some of the issues in addressing privacy in an eBusiness environment. It is not intended to provide professional advice. Participants should obtain professional advice for specific issues. Neither the Conference Organizers, the University of Waterloo, the CICA, Deloitte & Touche LLP nor the presenter can accept responsibility for reliance on the contents of this presentation.
PERSONAL INFORMATION PRIVACY
Concerns Increase

Privacy Trends
• eBusiness
  • Global sites - global exposures
  • Extraterritorial nature of legislation
• Information Economy
  • Business value of information
  • Knowledge is Power
• Business use of personal information
  • Marketing
  • Research
  • Sell it!

eBusiness
• Privacy (trust) is considered key to the digital economy (eBusiness)
• Privacy Advocacy Groups
• Public Awareness and Concern
• Governments establishing public sector policies, creating a similar expectation of business
User Trust
• Amazon.com sued over privacy invasion
  • Relayed personal information to its subsidiary Alexa
• Suit claims the information transfer violated:
  • U.S. Electronic Communications Privacy Act
  • U.S. Computer Fraud and Abuse Act
  • California Business and Professions Code
Source: Information Week, February 28, 2000, informationweek.com/773/privacy.htm

amazon.com
• Amazon.com is changing its privacy policy and can – at its own discretion – make customer information available to partners and others.
• According to the policy, Amazon: “might sell or buy stores or assets. In such transactions, customer information generally is one of the transferred business assets. Also, in the unlikely event that Amazon.com Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.”
• Some observers did laud the fact that at least Amazon actively chose to alert customers about the change.
Royal Bank
TORONTO, Sept. 14 (2000) /CNW/ - A new corporate benchmark for safeguarding Canadians' personal consumer information was established today as Royal Bank named Peter Cullen its corporate privacy officer. Cullen ranks among the first in the financial services industry to hold a position that deals exclusively with the use and protection of clients' personal information.
"THIS IS THE WAY TO DO BUSINESS IN THE NEW ECONOMY. WE'RE BUILDING ON THE TRUST THAT IS A CORNERSTONE OF BANKING IN CANADA.” (Peter Cullen – Corporate Privacy Officer)

New York Life
“THIS ISN'T JUST A LEGAL COMPLIANCE ISSUE FOR US. WE CONSIDER THE PRIVACY ISSUE TO BE AN OPPORTUNITY TO REINFORCE OUR BRAND IMAGE” (Tom Warga – Chief Privacy Officer)
Privacy is a Global Issue
GLOBAL LEGISLATION AND REGULATIONS

Privacy is a Global Issue
• EU-FTC Safe Harbor
• Gramm-Leach-Bliley
• EU Model Contract
• PIPEDA
• Council of Europe Convention
• OECD Guidelines
• EU Directive 95/46/EC
• UN Guidelines

Privacy is a Global Issue
• Privacy Legislation
  • Countries are adopting privacy legislation for social and competitive reasons
  • Internet is a driver
  • United Nations and OECD Guidelines/Policies
  • EU Directive: Article 25
• The Global Perspective
  • Over 50 countries and counting: legislation
  • Alternative approaches: self-regulation; technology
  • Privacy seals
EU Data Protection Directive
EU Data Protection Principles
• Adequate, relevant and not excessive
• Fairly and lawfully processed
• Processed for limited purposes
• Accurate and secure
• Not kept longer than necessary
• Not transferred to countries without adequate protection
• Processed in accordance with the data subject's rights
We have experience assisting our clients in addressing the EU regulations.

Global Privacy Legislation
• OECD Guidelines - September 1980
  • Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data
• United Nations Guidelines - December 1990
  • Guidelines Concerning Computerized Personal Data Files
• European Directive 95/46
  • Directive on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data
  • “The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.”
UNITED STATES
The European Union is taking an aggressive position to protect the privacy rights of its citizens.
Source: USA Today, June 7, 2000, D-1

SAFE HARBOUR PRINCIPLES
• NOTICE: an organization must inform individuals of the purposes for which it collects and uses their information, how to contact it with inquiries and complaints, the types of third parties to which it discloses the information and the choices and means it offers for limiting the use and disclosure of their information
• CHOICE: individuals must be given the opportunity to choose (opt-out) whether and how their information is disclosed to a third party or used for purposes incompatible with the original purposes
• ONWARD TRANSFER: disclosure of personal information must be consistent with the principles of notice and choice
• SECURITY: reasonable precautions must be taken to protect personal information from loss, misuse and unauthorized access, disclosure and alteration
• DATA INTEGRITY: personal information should be relevant for the purposes for which it was collected. An organization should take reasonable steps to ensure that data is reliable for the intended use, accurate, complete and current
• ACCESS: individuals must have access to personal information held and be able to correct, amend or delete it where it is inaccurate (exceptions exist)
• ENFORCEMENT: mechanisms must be put in place for assuring compliance with the principles, for recourse for individuals affected by non-compliance and for consequences for non-compliance

SAFE HARBOR PRINCIPLES
• The European Commission and the US Department of Commerce announced on March 15, 2000 that they had reached agreement on the Safe Harbor principles. However, the EU Parliamentary Committee on Citizens’ Freedoms and Rights produced a report that criticized the Safe Harbor as a weak, voluntary regime lacking the force of law.
• The European Parliament contested the Commission’s decision that protection for personal data provided by the Safe Harbor system is adequate.
• Parliament did not find that the Commission exceeded its legal powers in developing the agreement with the US Commerce Department, and this means that the deal remains in place.
• Came into effect November 2000.
Current Safe Harbor Registration, August 13, 2001
Acurian, Inc. Acxiom Corporation Adar International, Inc. ArvinMeritor Inc. Audits & Surveys Worldwide Baxter International Inc. Berkshire Information Systems, Inc. CapitalVenue Cendant Data Service, Inc. ClientLogic Operating Corporation and its subsidiaries Crew Tags International Cybercitizens First Data Services, Inc. Database Marketing Concepts Davis Direct WorldWide Decision Analyst, Inc. Digital Impact, Inc. e-Dialog E-lection.com (LDE Inc.) e2 Communications, Inc Electronic Arts, Inc. enfoTrust networks Entertainment Software Rating Board eTapestry.com, Inc. Exult, Inc. Genesee Survey Services, Inc. Genetic Technologies, Inc. Global-Z International, Inc. Global Intelligence Network, LLC Global Market Insite, Inc. (GMI) Global Medical Management, Inc. Gold Systems, Inc. Hanover Direct, Inc. HCI Direct Inc. HealthMedia, Inc. Hewlett Packard Intel Intelligence-Net Office InterGen Lebensart Technology Arizona, Inc. Level 3 Communications, LLC, and i-structure and Orygen subsidiaries Market Measures Interactive, L.P. Mediamark Research, Inc. MesageMedia, Inc.
Current Safe Harbor Registration, August 13, 2001 (continued)
Microsoft Corporation MonteGen Naviant Marketing Solutions, Inc. NOP Automotive, Inc. Numerical Algorithms Group, Inc. Oak Technology Opt2Opt, Inc. Optimization Zorn Corporation Pharmaceutical Product Development, Inc. PPG Industries, Inc. Privacy Leaders Procter & Gamble Company & US affiliates Qpass Inc. Rehab Tool.com Responsys Roush Industries, Inc. Salesforce.com Seagate Technology LLC Software 2010 LLC SonoSite, Inc. Strategic Marketing Corporation The BMW Group, Inc. The Catastrophe Risk Exchange, Inc. (CATEX) The Dun & Bradstreet Corporation The EMMES Corporation The USERTRUST Network L.L.C. Time Customer Service, Inc. TruSecure Corporation TRUSTe TRW Inc. & U.S. subsidiaries United Information Group (c/o ASW) USERFirst USERTrust Inc. USinternetworking, Inc. Vality Technology Incorporated Vedanta Press Virage, Inc. WellMed Inc. Wireless Facilities World Research, Inc. dba Survey.com WorldChoiceTravel.com, Inc. Wunderman Yamaha Music Interactive, Inc.
EU Model Contracts
• Work commenced in September 2000
• Target effective date 2001
• Would change focus from “country to country” to inter-organizational
• Would have audit abilities drafted into the contracts
• Not limited to the United States
Comparison of Privacy Policies

Safe Harbor Agreements
• Notice. Organizations must inform individuals how collected information will be used.
• Choice. Individuals must be given a choice regarding certain information.
• Upstream transfer. Organizations must ensure that third parties receiving data also follow Safe Harbor principles.
• Security/Data Integrity.
• Access. Individuals must have access to information collected about them.
• Enforcement. Organizations must provide effective means for ensuring compliance with Safe Harbor principles.

Canadian Privacy Legislation
• Accountability. Appoint an individual who is accountable for organizational compliance.
• Identifying Purpose. Identify purpose before information is collected.
• Consent. Knowledge and consent of individuals required for collection and use.
• Limiting Collection. Collected by fair and lawful means and limited to that necessary for the identified purpose.
• Use, Disclosure and Retention. Used or disclosed only for the purpose for which it was collected.
• Accuracy. Accurate, complete and up to date.
• Safeguards. Protected by appropriate security safeguards.
• Openness. Provide individuals with specific information about its policies and practices.
• Individual Access. Upon request, inform individuals of the existence, use and disclosure of personal information and the ability to challenge accuracy and completeness - amend.
• Challenge Compliance. Ability to address concerns with an individual from the organization.

EU Data Protection Act
• Adequate, relevant and not excessive
• Fairly and lawfully processed
• Processed for limited purposes
• Accurate and secure
• Not kept longer than necessary
• Not transferred to countries without adequate protection
• Processed in accordance with the data subject's rights
Common Fair Information Principles
• Data collection must be lawful and fair
• Must be collected for a specific, disclosed purpose
• Collection must be agreed with the individual
• Data must be accurate, timely and relevant for the purpose
• Data must not provide or be capable of being used to allow discrimination
• Data must be protected and secure
• The individual must have the right to access, rectify or delete his or her personal information
• Transborder data flow restrictions must safeguard the individual’s information
• Restrictions on future use and disclosure
• Restrictions on retention and destruction
• Identifiable person to contact
• Published information privacy policies and procedures

PERSONAL INFORMATION PRIVACY
Privacy’s Growing Importance in the United States

PERSONAL INFORMATION PRIVACY
United States
Sectoral “regulatory frameworks” (rules, codes, regulations)
• Health Care
• Financial Services
• Pension Industry
• Human Resources

PERSONAL INFORMATION PRIVACY
United States
Examples of privacy legislation
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) (privacy effective early 2001)
• Children's Online Privacy Protection Act of 1998 (effective April 2000)
• Driver's Privacy Protection Act of 1994
• HR 49 Postal Privacy Act of 1997
• HR 52 Fair Health Information Practices Act of 1997
• HR 103 Financial Information Privacy Act of 1999
• HR 341 Genetic Privacy and Nondiscrimination Act of 1997
• Gramm-Leach-Bliley Act of 1999 (effective July 2001)
PERSONAL INFORMATION PRIVACY
United States
The National Association of Attorneys General (NAAG)’s summer public sessions in Seattle were devoted, for the first time, to privacy issues. This follows NAAG members’ decision to unify in order to gain victories over large corporations. The success of this approach has already been seen in the cases of “Big Tobacco” and Microsoft. Michigan’s Attorney General has already filed notice of planned action against DoubleClick in relation to its efforts to build detailed demographic profiles of Internet users.

PERSONAL INFORMATION PRIVACY
United States
Forrester predicts that the recent FTC report will generate sufficient momentum for privacy legislation in 2001. This will relate to practice, choice and security principles but will not extend to access rights. (Forrester Report, 23rd May 2000)
Legal action has also been threatened against four companies in Michigan that have failed to disclose their privacy practices adequately.
Washington State – Initiative 243: Privacy Over Profit, while being deferred, forces the State to accept proposed privacy language as law or face having the initiative put on the ballot in November 2001. (Requires consent before a private company could collect or disseminate personal information for a use different than what it was originally provided for.)
GRAMM-LEACH-BLILEY ACT
United States
• Generally prohibits financial institutions (‘FIs’) and their affiliates from disclosing customer non-public information to non-affiliated third parties
• ‘Financial institution’ is defined as ‘any institution the business of which is engaging in financial activities as described in s4(k) of the Bank Holding Company Act’. This encompasses a broad range of activities including: mortgage lenders, insurance companies, credit card and consumer finance companies, lenders and travel agencies, regardless of whether they are affiliated with a bank.
• Private customer information may be provided to third parties where:
  • The customer does not ‘opt-out’ of such arrangements
  • Third parties perform services or functions, including marketing, for the FI - full disclosure of this practice must be made
  • Particular non-marketing functions are involved, for example, servicing, maintaining or processing an account or financial service

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
United States
HIPAA
• Title I: Healthcare Portability
• Title II: Administrative Simplification
  • Unique Health Identifiers
  • Transaction Standards & Code Sets
  • Privacy Legislation
  • Security Standards
  • Electronic Signature Standards
• Titles III, IV, V
Privacy – Health and Human Services published proposed regulations in November 1999, received comments, and issued the final rule in December 2000 to take effect on April 14, 2001. Two years to comply.

Canada
• Adopted April 2000
• Requires compliance over a 3 year period
  • Federally Regulated – January 1, 2001
  • Health Care – January 1, 2002
  • All Others – January 1, 2004
PERSONAL INFORMATION PRIVACY
The Impact of eBusiness on Privacy

Consumer Concerns About e-Business
• What are this site’s e-Commerce practices?
• I am worried about security
• Is it OK to give them my credit card information?
• I would like to maintain anonymity
• I do not like traceability
• What are they going to do with my information?
• Who am I really doing business with?
• I am afraid I will get scammed, and won’t get my stuff
• Will the products really be as advertised?
• What is the recourse if something goes wrong?

IS THERE REAL CONCERN?
• 40% said “Internet privacy and security concerns kept them from buying online”
• 10% of “Internet users trusted computers to safeguard data”
  • Source: Harris Interactive and the Privacy Leadership Institution 2000 Survey – Darwin, August 2001, p. 60
• Cookies are disabled 0.68% of the time based on a review of 1 million pages (less than 1%)
  • Source: Web Audience Survey – Web Side Story 2001, Darwin, August 2001, p. 60
• Concern over misuse of personal information: 48% rated 9 or 10
• Concern over information provided to offline businesses: 35% rated 9 or 10
  • Source: Wirthlow Worldwide – Darwin, August 2001, p. 60

eBUSINESS HAS:
• Increased the awareness of privacy
• Provided a global environment in which to promote privacy
• Increased the cross-border privacy issues
• In B2C, mandated – to an extent – payment instruments that provide for the easy capture of personal information
• Obtained, recorded and created significant personal information required to execute a transaction
eBusiness Security and Privacy What Are The Risks?
Privacy Risks
PERSONAL INFORMATION PRIVACY
• Failure of written privacy policies and procedures to accurately reflect actual circumstances.
• Failure of systems capabilities to achieve privacy objectives, resulting in an individual violation of an entity’s privacy policy.
• Inadequate systems protection and safeguards to meet the legislative and regulatory privacy requirements.
• Inadequate training and monitoring of employee activities when using personal information.
• Inadequate controls over third parties holding private information.

Privacy Risks
PERSONAL INFORMATION PRIVACY
• Inability to effectively identify and manage personal information in an increasingly complex information technology environment.
• Inability of current systems to ensure compliance with the notice, consent, disclosure and security/safeguard requirements.
• Inability to establish due diligence over the release of personal information.
How many of these are specific to eBusiness?

PERSONAL INFORMATION PRIVACY
Other eBusiness Issues
• Exchanges
• Intranets
• Credit Card Data
• Profile Building – CRM
• Proprietary Information – Credit Point Scoring

PERSONAL INFORMATION PRIVACY
Ten Items You Should Address
1. Make Someone Responsible - Privacy Compliance Officer / Data Controller / Chief Privacy Officer
2. Create a Privacy Policy - supported by privacy statements and privacy procedures
3. Ensure Marketing Materials Meet Marketplace Privacy Experts
4. Address Regulation Issues - profile for consent, disclosure, opt-in, opt-out etc.
5. Obtain Data Subjects' Consent
6. Provide Access to Personal Information
7. Ensure Effective Safeguards
8. Ensure Accuracy of Personal Information
9. Limit the Use, Disclosure and Retention of Personal Information
10. Train Personnel Involved in Customer Activities

PERSONAL INFORMATION PRIVACY
Preparing eBusiness to Meet Privacy Requirements
• Harden networks and interfaces - firewalls, DMZ, etc.
• Monitor website activity (volume, spam, etc.)
• Use intrusion detection software
• Secure personal information
• Screen inbound/outbound messages for viruses
• Use PKI/digital signatures
• Validate/authenticate requestors' identity prior to release of information
• Keep up to date on all patches, particularly security, viruses etc.
• Deal with known organizations
eBusiness Security and Privacy Assurance
The WebTrust™ Response
A Unique Seal of Assurance
• Provides assurance that a web site meets AICPA/CICA defined criteria for Principles relevant to:
  • Businesses and Consumers transacting business on-line
  • Service Providers
  • Certification Authorities
• Is designed to build customer confidence in electronic commerce
• Up-front and ongoing independent third party verification
• Ensures online disclosure of key practices and independently verifies that the business follows these practices

The WebTrust™ Response
A Unique Seal of Assurance
• Helps identify and reduce e-commerce business risks, including:
  • privacy breaches
  • security gaps
  • other systems affecting the customer interface
• Provides a framework to assist e-commerce businesses in creating best practices
• Will be able to demonstrate a web site’s compliance with the privacy laws of major industrial countries
• Is a global seal that can be provided by qualified and licensed CPAs and CAs around the world

WebTrust™ Programs (Version 3.0)
• Online Privacy
• Business Practices / Transaction Integrity
• Security
• Availability
• Confidentiality
• Non-Repudiation
• Customized Assertions
Four Categories:
• Disclosures
• Policies
• Procedures
• Monitoring

PERSONAL INFORMATION PRIVACY
The WebTrust Privacy Principle[1]
The entity discloses its privacy practices, complies with such privacy practices, and maintains effective controls to provide reasonable assurance that personally identifiable information obtained as a result of electronic commerce is protected in conformity with its disclosed privacy practices.
[1] The WebTrust Principles meet or exceed the significant requirements of the European Union (EU) Privacy Directives and The Online Privacy Alliance (OPA) Guidelines as of October 1999, Canadian Privacy Law, C6, The OECD Guidelines, and the U.S. Safe Harbor Privacy Principles issued July 21, 2000.
PERSONAL INFORMATION PRIVACY
A Disclosure
• A1 Discloses information privacy practices
  • Kinds and sources of information collected, maintained, used etc., opt-in and opt-out consequences etc.
• A2 Use of cookies
• A3 Procedures used in case of breach in privacy
• A4 Contact information
• A5 Consumer recourse procedures
• A6 Additional privacy disclosure
• A7 Changes and updates to privacy
• A8 Clear disclosure when visitor is leaving the site

PERSONAL INFORMATION PRIVACY
B Privacy Policies, Goals and Objectives
• B1 Entity’s privacy policies (list of items to be disclosed)
• B2 Employee awareness when handling private information
• B3 Accountability for privacy and related security assignments
• B4 Training and other support
• B5 Privacy and related security policies are consistent with disclosure and applicable laws and regulations

PERSONAL INFORMATION PRIVACY
C Procedures and Technology Tools
• C1 Security procedures to establish new users
• C2 Identify and authenticate new users
• C3 Allows users to change, update or delete their own user profile
• C4 Limits remote access to authorized personnel
• C5 Prevents access to other than the user's own private or sensitive information
• C6 Limits access to personally identifiable information to authorized employees
• C7 Utilizes a minimum of 128-bit encryption to protect transmission of user authentication, verification, and sensitive or private information over the Internet
• C8 Maintains systems configuration and minimizes security exposures

PERSONAL INFORMATION PRIVACY
C Procedures and Technology Tools (continued)
• C9 Private information only disclosed to parties essential to the electronic transaction
• C10 Private information obtained through eCommerce is used in ways associated by the business
• C11 Reasonable edit and validation checks of personally identifiable information
• C12 Assurance on the adequacy of protection over private information maintained by third parties
• C13 Customer permission is obtained before downloading files for storage or alteration
• C14 If privacy policy changed to be less restrictive, customers are contacted
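As an added illustration (not from the presentation, WebTrust or the AICPA/CICA), the Python below is a small enforcement layer that applies criteria C2, C5, C6 and C10 above, plus the "not kept longer than necessary" retention limit from the fair information principles, to every read of personal information and records the outcome for monitoring. The roles, purposes, retention period, record contents and the names PiiStore, Principal and AccessDenied are assumed values constructed for the example.

```python
from contextlib import suppress
from dataclasses import dataclass, field
from datetime import date, timedelta

class AccessDenied(Exception):
    """Raised when a request fails one of the policy checks in PiiStore."""

# Assumed policy values; a real site derives them from its disclosed practices (A1/B1).
PII_ROLES = {"support", "fulfilment"}  # employee roles cleared to see PII (C6)
ALLOWED_PURPOSES = {"self_service", "customer_support", "order_fulfilment"}  # disclosed uses (C10)
RETENTION = timedelta(days=365)  # "not kept longer than necessary"

@dataclass
class Principal:
    user_id: str
    role: str  # "customer" (the data subject) or an employee role
    authenticated: bool = True  # C2: true only after identification/authentication

@dataclass
class PiiStore:
    """Every read of personal information passes through _check and is logged."""
    records: dict  # owner_id -> (date collected, data); constructed sample data in demo()
    audit: list = field(default_factory=list)  # monitoring trail: (who, role, owner, outcome)

    def _check(self, who: Principal, owner_id: str, purpose: str, today: date) -> dict:
        if not who.authenticated:
            raise AccessDenied("unauthenticated")  # C2
        if who.role == "customer":  # ownership/role are checked before existence: no probing for other records
            if who.user_id != owner_id:
                raise AccessDenied("not the data subject")  # C5
        elif who.role not in PII_ROLES:
            raise AccessDenied("role not authorized for PII")  # C6
        if purpose not in ALLOWED_PURPOSES:
            raise AccessDenied("purpose not disclosed")  # C10
        entry = self.records.get(owner_id)
        if entry is None:
            raise AccessDenied("no such record")
        collected, data = entry
        if today - collected > RETENTION:
            raise AccessDenied("record past retention")  # retention limit
        return data

    def read(self, who: Principal, owner_id: str, purpose: str, today: date) -> dict:
        try:
            data = self._check(who, owner_id, purpose, today)
        except AccessDenied as exc:
            self.audit.append((who.user_id, who.role, owner_id, f"denied: {exc}"))
            raise
        self.audit.append((who.user_id, who.role, owner_id, "ok"))
        return dict(data)  # a copy, so callers cannot mutate the store

def demo() -> list:
    """Constructed scenario: five read requests; returns the resulting audit trail."""
    store = PiiStore({
        "alice": (date(2001, 9, 1), {"name": "Alice", "email": "alice@example.com"}),
        "bob": (date(2000, 6, 1), {"name": "Bob", "email": "bob@example.com"}),
    })
    alice, support = Principal("alice", "customer"), Principal("emp-17", "support")
    requests = [
        (alice, "alice", "self_service"),  # own record (C5): ok
        (alice, "bob", "self_service"),  # another subject's record (C5): denied
        (support, "alice", "customer_support"),  # cleared role, disclosed purpose: ok
        (Principal("emp-42", "marketing"), "alice", "marketing"),  # role not cleared (C6): denied
        (support, "bob", "customer_support"),  # collected June 2000, past retention: denied
    ]
    for who, owner, purpose in requests:
        with suppress(AccessDenied):  # the outcome is recorded in store.audit either way
            store.read(who, owner, purpose, date(2001, 10, 6))  # presentation date as assumed 'now'
    return store.audit
```

The audit list is the monitoring evidence an assessor would look for: every access attempt, successful or denied, is attributable to an identified principal.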