Privacy & How IT Will Help JEFF NORTHROP, CTO [email protected]

Page 1: Privacy & How IT Will Help

JEFF NORTHROP, CTO

JEFF@PRIVACYASSOCIATION.ORG

Page 2: IT security at a tipping point

Ignorant, under-resourced and up against powerful enemies -- we need to shift our thinking from compliance to risk management.

Page 3: Privacy is emerging as tension grows

Technological innovation relies on personal information, but consumers are increasingly uncomfortable.

Page 4: Privacy is the top issue around the world

The Web We Want Project (https://webwewant.mozilla.org)

Page 5: Privacy is the top issue around the world

The Web We Want Project (https://webwewant.mozilla.org)

Page 6: Privacy as a value proposition

Facebook’s anonymous login, privacy dinosaur, enhanced controls, etc.

Page 7: Privacy as a competitive differentiator

Microsoft’s Scroogled (http://scroogled.com)

Page 8: Privacy as the main value proposition

Silent Circle Blackphone (https://www.blackphone.ch)

Page 9: Notice and consent does not work

“Notice and consent is the practice of requiring individuals to give positive consent to the personal data collection practices of each individual app, program, or web service. Only in some fantasy world do users actually read these notices and understand their implications before clicking to indicate their consent.”

- President’s Council of Advisors on Science and Technology, Report to the President: Big Data and Privacy (http://www.whitehouse.gov)

Page 10: “Only in some fantasy world…”

The President’s Council of Advisors on Science and Technology considers notice and consent a fantasy.

Page 11: Regulators respond to demand

FTC vows to sue companies that collect large amounts of data and misuse it.

Page 12: Trend: Increasing regulatory action

FTC setting a model the rest of the world will likely follow.

Of the top 10 privacy lawsuits in history, 2013 registered 4 of them. Source: Jay Cline

Among the 130 significant Safe Harbor enforcement actions since 1999, 60% were after 2011. Source: Jay Cline

Among the 50 data security cases since 2000, half came after 2010. The FTC had begun to deliberately strengthen its foray into holding businesses accountable for specific data security inadequacies through its unfairness power. Source: IAPP

Prior to 2011 the FTC brought ~3 legal actions/year for violations of consumers’ privacy rights, or against those that misled consumers by failing to maintain security for sensitive information. Between 2011 and 2013 there were ~5 such cases/year. Source: FTC

Page 13: It’s a global issue

Privacy regulations are an issue being addressed in every corner of the globe.

Page 14: The responsible enterprise

The enterprise is being held accountable. It is no longer just the responsibility of the consumer.

Page 15: Responsible for privacy risk mitigation

What sensitive data is being collected, where is it being stored, how is it being stored, who has access to it, and for what purposes?

Page 16: Due care, knowing the provenance of your data

We need to move from a checkbox compliance culture to one that focuses more on risk management and assessment.

Page 17: Guideposts

Knowledgeable: Know where your sensitive data is located.

Predictable: Have reliable assumptions about the rationale for the collection of personal information and the data actions to be taken with that personal information. Predictability is accomplished with clear, up-to-date and enforceable policies in place.

Manageable: Provide the capability for authorized modification of personal information, including alteration, deletion, or selective disclosure of personal information.

Secure: Preserve authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Page 18: Required responsibilities

A role or multiple roles need to handle the following:

Train key business stakeholders (data owners).

Keep the department up-to-date on laws, regulations, and trends.

Work closely with the general counsel, external affairs and businesses to ensure both existing and new services comply with privacy and data security obligations.

Monitor information security and privacy technology advances.

Develop and coordinate a risk management and compliance framework for privacy.

Review the company’s data and privacy projects and ensure they are consistent with corporate privacy and data security goals and policies.

Continually monitor systems development and operations for security and privacy compliance.

Page 19: Thank You

JEFF NORTHROP, CTO

JEFF@PRIVACYASSOCIATION.ORG