SOCIETY for INFORMATION MANAGEMENT, FAIRFIELD & WESTCHESTER CHAPTER
“Privacy, IT, and the Changing Landscape”
A Panel Discussion with:
– Bill Bandon – Wiggin & Dana, LLP
– Indy Crowley – Yale University
– Ruth Nelson – PricewaterhouseCoopers LLP
– Eran Marom – Tory Ventures
– Pete Petrusky – PricewaterhouseCoopers LLP (Moderator)
Doral Arrowwood, Rye Brook, New York
April 15, 2004
Agenda
– Introductions
– Privacy & Fair Information Principles
  – Privacy & Security
– Privacy Legislation
  – U.S. Perspectives & Enforcement Activity
  – International Privacy Landscape
– Privacy & Business
  – Why It Is a Hot Topic
  – Privacy Incidents
– Panel Discussion
– Q&A
– Appendices
  – Privacy Best Practices
  – Reference Sites
FAIRFIELD & WESTCHESTER CHAPTER SOCIETY for INFORMATION MANAGEMENT
What is Privacy?
An individual’s right to:
– Know how their information is handled
– Control the information collected about them
– Control what that information is used for
– Control who has access to the information
– Amend, change & delete their personal information
Fair Information Principles
– Collection
– Data quality
– Purpose specification
– Use limitation
– Security safeguards
– Openness
– Individual participation
– Accountability
Privacy vs Security
PRIVACY
– Involves the whole information lifecycle
– Is about more than just protecting personal information
– Most privacy legislation includes security as one aspect
SECURITY
– Is a core component of good privacy practice
– Is a key instrument for executing privacy policies
– Viewed as a technology enabler, supporting policies, access controls, individual choice and 3rd party sharing
The US Perspective – Jigsaw Regime
– Financial Services Modernization – Gramm-Leach-Bliley Act (GLBA)
– Health Insurance Portability and Accountability Act (HIPAA)
– Children’s Online Privacy Protection Act (COPPA)
– US Safe Harbor
– FTC & SAG Enforcement
– CAN-SPAM Act
– Patchwork of State Laws
The Global Picture
Recent privacy legislation (Australia, Hong Kong, Canada) is trending toward EU-style privacy regulation and away from U.S. sectoral/data-element-based models.
Sample of Data Protection Laws Around the World
– The EU Data Protection Directive & comparable privacy legislation by 15 member states
– Switzerland – Federal Act on Data Protection (1992)
– Hungary – Protection of Personal Data and Disclosure of Data of Public Interest (1992)
– Czech Republic – Act on Protection of Personal Data (2000)
– Norway – Personal Data Registers Act of 2000
– Canada – Personal Information Protection and Electronic Documents Act (2000)
– Argentina – Personal Data Protection Act (2000)
– Chile – Law for the Protection of Private Life (1999)
– Australia – Privacy Amendment (Private Sector) Act (2001)
– Hong Kong – The Personal Data (Privacy) Ordinance (1996)
– New Zealand – Federal Privacy Act (1993)
– and more…
Privacy & Business
Question: What keeps you up at night?
Top 7 concerns for CEOs and Directors, based on recent research by the Personalization Consortium
CEOs and Boards of top e-Businesses:
– Customer Loyalty
– Burn Rate/Profitability
– Privacy
– Sustainable Growth
– New Regulations
– Competition
– Staffing/Leadership
CEOs and Boards of Fortune 500s:
– Shareholder Value
– Market Convergence
– Privacy/Data Integrity
– New Regulations
– Customer Loyalty
– Global Competition
– Technology Change
Privacy & Business
Privacy Failures Can Have Major Consequences
– Damage to brand and reputation
– Loss of customers/increased costs for acquiring new ones
– Loss of revenues and new business opportunities
– Regulatory Action/Penalties for non-compliance
– Litigation
– International enforcement actions
– Disruption of cross-border data flows
What are people talking about? Are consumers really concerned?
– Hotmail glitch exposes email addresses
– Activists charge DoubleClick Double Cross
– AT&T customers’ privacy left blowing in the wind
– Yahoo sued over use of cookies
– AmEx, EDS May Face European Privacy Lawsuits
– Travelocity Privacy Violation
– Would You Sell Your Secrets for Free Internet Service?
– Report Labels Internet Privacy Policies ‘A Joke’
– Missouri Privacy Suit
– RealNetworks in Real trouble
– Lack of Notice Snags e-service
– Hackers bust Telecom NZ security, compromising privacy
– Ikea exposes customer information on catalog site
– TiVo criticized by privacy group – TV service secretly collects info about viewers
– Privacy Suit Charges Sites with Misrepresentation Over Placing of Cookies on Users’ Drives
– AOL Time Warner in Privacy Dilemma
– CreditCards.com database stolen
– Devices Locate Children, Create Privacy Issues
– Amazon’s Wish: No More Bad PR
Managing Website Privacy – Current On-line Privacy Compliance Challenges
Assumes:
1. The web team knows about the corporate privacy policy and local legislative requirements
2. The web team is not using technologies or methods that breach the policy
3. Appropriate and adequate links to the privacy policy are maintained on every site
4. New or specific website transactions and functionality have been assessed for privacy risk
5. Back-of-house procedures have been developed to support the website’s privacy disclosures
Problem: Websites are not static and are large in nature
– Sites are growing and changing on a daily basis
– It is a challenge to monitor and ensure that new content and new sites comply with the privacy policy
– Too many privacy issues are spread across too many web pages
– Measuring current and ongoing compliance is difficult and labor intensive
– Managing compliance with existing tools and techniques is costly
– Many individuals are responsible for site creation, which increases the risk of privacy glitches
– Privacy compliance becomes reactive rather than proactive
Panel Discussion
Questions?
Privacy Red Flags
– Lack of an adequate privacy statement
– Privacy statement does not accurately reflect practices
– Back-of-house procedures do not support the policy disclosures
– Lack of privacy awareness throughout the company
  – Marketing, IT, web developers, business development
– New legislation and regulations which impact the business
– Existing transborder data flows to the US
– Use of third parties and new technologies
– Failure to maintain adequate security
– Websites or businesses operating in regulated regions
Where to Begin…
– Mobilize appropriate resources
– Designate privacy champions and a project governance team
– Determine privacy work that has previously been performed
– Communicate project needs and goals
– Assess privacy compliance requirements and drivers
– Develop the overall privacy vision and strategy
– Determine the current level of privacy compliance based on existing procedures
– Determine high-risk areas or areas that need specific focus
Benefits of Good Privacy Practices
(Diagram: Responsible Privacy Practices and the outcomes they lead to, versus the outcomes of privacy failures)
Responsible Privacy Practices lead to:
– Brand Protection
– Customer Trust & Confidence
– Customer Loyalty
– Shareholder Value
– Responsible Customer Relationship Management
– Business Partner Confidence
– Differentiation from Competitors
Privacy failures lead to:
– Litigation
– Reputation Damage
– Interrupted Data Flows
– Privacy Breach
– Case for Regulation
– Unwanted Attention
Maintaining Privacy Compliance
– Designate a privacy subject matter expert
– Continue to educate, train and raise awareness throughout the company
– Stay abreast of legislative and industry developments
– Build processes to manage changes to your website
– Review information handling practices periodically
– Assess new third parties’ and partners’ practices
– Assess information disclosures & third-party data sharing
– Disclose any changes in your policy
– Perform periodic compliance reviews
– Regular audits
Conclusions
Good privacy practice:
– Enhances trust and consumer confidence
– Increases customer loyalty
– Provides first-mover advantage – competitive differentiation
– Aims for positive media, not negative
– Promotes shareholder value
– Reduces barriers to international trade
– Avoids litigation and regulatory action
Reference Sites
Selected sites for topical research concerning information privacy:
– International Association of Privacy Professionals – www.privacyassociation.org
– Federal Trade Commission Site for Consumers – http://www.ftc.gov/
– U.S. Department of Commerce Site for Safe Harbor – http://www.export.gov/safeharbor/
– Privacy Foundation – http://www.privacyfoundation.org/
– TRUSTe Privacy Seal Program – http://www.truste.org
– BBBOnline Privacy Seal Program – http://www.bbbonline.org
– Electronic Privacy Information Center – http://www.epic.org
– Online Privacy Alliance – http://www.privacyalliance.org
– Draft Commission Decision on Standard Contractual Clauses on the Web, March 27, 2001 – http://www.europa.eu.int
– ICRT Comments on Binding Corporate Rules – http://www.icrt.org/pos_papers/2003/030930_EE.pdf
– Guidelines on the Protection of Privacy and Transborder Flows of Personal Data – http://www.oecd.org
– Hong Kong Data Protection Act Summary – http://www.privacyexchange.org
– Privacy and Human Rights 2000 – http://www.privacyinternatinal.org
– Proposed/Pending National Legislation – http://www.privacyexchange.org
– Recent Developments in Latin American Privacy Laws – http://www.haledorr.com
– Standardization: A Business Tool for Data Privacy, CEN/ISSS Open Seminar – http://www.cenorm.be