SOCIETY for INFORMATION MANAGEMENT FAIRFIELD - PowerPoint PPT Presentation
Slides: 20
Provided by: nhila
Transcript and Presenter's Notes


1
SOCIETY for INFORMATION MANAGEMENT, FAIRFIELD WESTCHESTER CHAPTER
Privacy, IT, and the Changing Landscape
A Panel Discussion with
  • Bill Bandon - Wiggin & Dana, LLP
  • Indy Crowley - Yale University
  • Ruth Nelson - PricewaterhouseCoopers LLP
  • Eran Marom - Tory Ventures
  • Pete Petrusky - PricewaterhouseCoopers LLP (Moderator)
Doral Arrowwood, Rye Brook, New York, April 15, 2004
2
Agenda
  • Introductions
  • Privacy & Fair Information Principles
  • Privacy & Security
  • Privacy Legislation
      • U.S. Perspectives & Enforcement Activity
      • International Privacy Landscape
  • Privacy & Business
      • Why It Is a Hot Topic
      • Privacy Incidents
  • Panel Discussion
  • Q&A
  • Appendices
      • Privacy Best Practices
      • Reference Sites

3
What is Privacy?
  • An individual's right to:
      • Know how their information is handled
      • Control the information collected about them
      • Control what that information is used for
      • Control who has access to the information
      • Amend, change & delete their personal information

4
Fair Information Principles
  • Collection
  • Data quality
  • Purpose specification
  • Use limitation
  • Security safeguards
  • Openness
  • Individual participation
  • Accountability

5
Privacy vs Security
  • PRIVACY
      • Involves the whole information lifecycle
      • Is about more than just protecting personal information
      • Most privacy legislation includes security as one aspect
  • SECURITY
      • Is a core component of good privacy practice
      • Is a key instrument for executing privacy policies
      • Viewed as a technology enabler, supporting policies, access controls, individual choice and 3rd party sharing

6
The US Perspective: Jigsaw Regime
  • Financial Services Modernization / Gramm-Leach-Bliley Act (GLBA)
  • Children's Online Privacy Protection Act (COPPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • FTC & SAG Enforcement
  • CAN-SPAM Act
  • Patchwork of State Laws
  • US Safe Harbor

7
The Global Picture
Sample of Data Protection Laws Around the World
  • The EU Data Protection Directive & comparable privacy legislation by 15 member states
  • Switzerland: Federal Act on Data Protection (1992)
  • Hungary: Protection of Personal Data and Disclosure of Data of Public Interest (1992)
  • Czech Republic: Act on Protection of Personal Data (2000)
  • Norway: Personal Data Registers Act of 2000
  • Canada: Personal Information Protection and Electronic Documents Act (2000)
  • Argentina: Personal Data Protection Act (2000)
  • Chile: Law for the Protection of Private Life (1999)
  • Australia: Privacy Amendment (Private Sector) Act (2001)
  • Hong Kong: The Personal Data (Privacy) Ordinance (1996)
  • New Zealand: Federal Privacy Act (1993) ... and more

Recent privacy legislation (Australia, Hong Kong, Canada) is trending toward EU-style privacy regulation and away from U.S. sectoral/data-elements-based models.
8
Privacy & Business
Question: What keeps you up at night?
  • CEOs and Boards of top e-Businesses
      • Customer Loyalty
      • Burn Rate/Profitability
      • Privacy
      • Sustainable Growth
      • New Regulations
      • Competition
      • Staffing/Leadership
  • CEOs and Boards of Fortune 500s
      • Shareholder Value
      • Market Convergence
      • Privacy/Data Integrity
      • New Regulations
      • Customer Loyalty
      • Global Competition
      • Technology Change

Top 7 concerns for CEOs and Directors, based on recent research by the Personalization Consortium
9
Privacy & Business
Privacy Failures Can Have Major Consequences
  • Damage to brand and reputation
  • Loss of customers / increased costs for acquiring new ones
  • Loss of revenues and new business opportunities
  • Regulatory action / penalties for non-compliance
  • Litigation
  • International enforcement actions
  • Disruption of cross-border data flows

10
What are people talking about? Are consumers really concerned?
Headlines:
  • Devices Locate Children, Create Privacy Issues
  • Would You Sell Your Secrets for Free Internet Service?
  • TiVo criticized by privacy group - TV service secretly collects info about viewers
  • Missouri Privacy Suit
  • AOL Time Warner in Privacy Dilemma
  • RealNetworks in Real trouble
  • Travelocity Privacy Violation
  • Ikea exposes customer information on catalog site
  • Hotmail glitch exposes email addresses
  • AmEx, EDS May Face European Privacy Lawsuits
  • AT&T customers' privacy left blowing in the wind
  • Privacy Suit Charges Sites with Misrepresentation Over Placing of Cookies on Users' Drives
  • Amazon's Wish: No More Bad PR
  • Activists charge DoubleClick Double Cross
  • Lack of Notice Snags e-service
  • Report Labels Internet Privacy Policies "A Joke"
  • Yahoo sued over use of cookies
  • CreditCards.com database stolen
  • Hackers bust Telecom NZ security, compromising privacy
11
Managing Website Privacy: Current On-line Privacy Compliance Challenges
Assumes:
  • Web team knows about the corporate privacy policy and local legislative requirements
  • Web team is not using technologies or methods that breach the policy
  • Appropriate and adequate links to the privacy policy are maintained on every site
  • New or specific website transactions and functionality have been assessed for privacy risk
  • Back-of-house procedures have been developed to support the website's privacy disclosures

Problem: Websites are not static and are large in nature
  • Sites are growing and changing on a daily basis
  • Challenge to monitor and ensure new content and new sites are in compliance with the privacy policy
  • Too many privacy issues spread across too many web pages
  • Difficult and labor-intensive to measure current and ongoing compliance
  • Costly to manage using existing tools and techniques
  • Many individuals responsible for site creation
  • Increases the risk of privacy glitches
  • Privacy compliance becomes reactive rather than proactive

12
Panel Discussion
13
Questions?
14
Privacy Red Flags
  • Lack of an adequate privacy statement
  • Privacy statement does not accurately reflect practices
  • Back-of-house procedures do not support the policy disclosures
  • Lack of privacy awareness throughout the company (marketing, IT, web developers, business development)
  • New legislation and regulations which impact the business
  • Existing transborder data flows to the US
  • Use of third parties and new technologies
  • Failure to maintain adequate security
  • Websites or businesses operating in regulated regions

15
Where to Begin
  • Mobilize appropriate resources
  • Designate privacy champions and a project governance team
  • Determine privacy work that has previously been performed
  • Communicate project needs and goals
  • Assess privacy compliance requirements and drivers
  • Develop the overall privacy vision and strategy
  • Determine current level of privacy compliance based on existing procedures
  • Determine high-risk areas or areas that need specific focus

16
Benefits of Good Privacy Practices
Responsible Privacy Practices
17
Maintaining Privacy Compliance
  • Designate a privacy subject matter expert
  • Continue to educate, train and raise awareness throughout the company
  • Stay abreast of legislative and industry developments
  • Build processes to manage changes to your website
  • Review information handling practices periodically
  • Assess new third parties' and partners' practices
  • Assess information disclosures & third-party data sharing
  • Disclose any changes in your policy
  • Perform periodic compliance reviews
  • Regular audits

18
Conclusions
  • Enhances trust and consumer confidence
  • Increases customer loyalty
  • First mover advantage & competitive differentiation
  • Aim for positive media, not negative
  • Promotes shareholder value
  • Reduces barriers to international trade
  • Avoids litigation and regulatory action

19
Selected sites for topical research concerning information privacy
  • International Association of Privacy Professionals: www.privacyassociation.org
  • Federal Trade Commission Site for Consumers: http://www.ftc.gov/
  • U.S. Department of Commerce Site for Safe Harbor: http://www.export.gov/safeharbor/
  • Privacy Foundation: http://www.privacyfoundation.org/
  • TRUSTe Privacy Seal Program: http://www.truste.org
  • BBBOnline Privacy Seal Program: http://www.bbbonline.org
  • Electronic Privacy Information Center: http://www.epic.org
  • Online Privacy Alliance: http://www.privacyalliance.org
  • Draft Commission Decision on Standard Contractual Clauses on the Web. http://www.europa.eu.int. March 27, 2001.
  • ICRT Comments on Binding Corporate Rules: http://www.icrt.org/pos_papers/2003/030930_EE.pdf
  • Guidelines on the Protection of Privacy and Transborder Flows of Personal Data: http://www.oecd.org
  • Hong Kong Data Protection Act Summary: http://www.privacyexchange.org
  • Privacy and Human Rights 2000: http://www.privacyinternational.org
  • Proposed/Pending National Legislation: http://www.privacyexchange.org
  • Recent Developments in Latin American Privacy Laws: http://www.haledorr.com
  • Standardization: A Business Tool for Data Privacy. CEN/ISSS Open Seminar. http://www.cenorm.be