Title: Analysis of Corporate Privacy Practices
1Analysis of Corporate Privacy Practices
Presentation by Dr. Larry Ponemon CEO, Privacy
Council Workshop on the Relationship between
Privacy Security Carnegie-Mellon University,
May 29, 2002
2Proposed Agenda
- The drivers to privacy
- The impact of 9/11 on corporate privacy
compliance initiatives - Review of corporate privacy management practices
3A Right to Privacy?
Do You Have a Right to Control information
collected about you and your family? Control how
that information is being used? Have access to
review your personal information? Have the
ability to change incorrect information?
4How Bad Does it Get?
- Story In Arizona, about 100 members of a
retirement community were given free personal
computers, full access to the Internet and a
basic hands-on training program. - Sounds too good to be true?
- Real deal is about providing significant
information about yourself and your immediate
family (children, grandchildren and so forth). - So, who has the choice now? What recourse do
these people have. And, how about our relatives
who had their privacy violated?
5Fact . . .
- A recent analysis of major organizations show
that less than 24 of companies in the United
States are in reasonable compliance with their
stated Internet privacy policy. - Far fewer companies would be able to comply with
the provisions of new regulations,laws and
standards around the world.
6Why is Privacy a Hot Issue?
- Post 9/11 Surveillance society
- Growing misuse of personal (sensitive
information) - Exponential growth in identity theft
- Increased regulatory oversight
- Press and media coverage
- Aggressive advocacy
7Review The Ethical Principles
Notice and Awareness Information collection
practices Usage and sharing Choice and
Consent Opt-in and opt-out policies and
methods Access and Accuracy Right to view,
modify or delete relevant information Reasonable
Security Ensuring the integrity and protection
of data Redress and Enforcement Including
dispute resolution mechanism
8Post 9/11 Impact on Privacy and Surveillance
- Authentication has become major focus
- Something that the company has about you usually
in the form of individuated data (mothers maiden
name) - Something that your carry in your wallet,
computer or PDA (smart card) - Something that defines you such as a finger
print, and facial scan, (biometrics)
Better authentication reduces both privacy and
security risks, but only if the credentialing
process is nearly perfect.
9Post 9/11 Impact on Privacy and Surveillance
- Security has become dominant over privacy
- The focus on stopping the bad guy from getting
inside the critical infrastructure or gaining
access to assets - Privacy rights are still important, but not at
the cost of diminishing security and public
safety - New surveillance methods draw upon multiple
sources of customer-centric information creating
a potential privacy blow-up if this personal
information is not protected or managed properly.
10Factors Increasing Post 9/11 Privacy Risks
- Growing use for personal information
- Over-reliance on new biometric and surveillance
technologies (increasing misclassification risk,
false positives) - Lax controls over personal information used for
surveillance - Increased information sharing practices among
organizations, without proper control or
consistent application - Limited or fragmented regulatory enforcement of
privacy - Lack of awareness, understanding or general
complacency about the continued need for privacy
11The New Surveillance Society
- Growing concerns for most people
- Who is watching me?
- Who is watching the watchers?
- Do individuals have a choice?
- How will surveillance data (negative data) be
used and/or shared? - What are the long-term consequences to our rights
to privacy (and what are the costs to business)?
12Regulations and Industry Initiatives
- Financial Services Gramm-Leach-Bliley Act (GLBA)
- Health Care - Health Insurance Portability and
Accountability Act (HIPPA) - Childrens Online Privacy Protection Act - COPPA
- Federal Trade Commission
- EU Data Protection Directive
- New Canadian Regulations - PIPEDA
- Proposed Bills for Internet, Government and
Financial Services - Over 400 State bills (including recent
legislation in Vermont)
13Beyond Regulation
- Consumer concerns are costing business in terms
of lost sales, market value and potential
litigation - Strong and well funded advocacy groups have major
impact on corporate reputation - Privacy concerns are not independent of national
boundary and culture - Privacy regulation is creating large demand for
privacy enabling technology such as P3P - Privacy issues create real social and ethical risk
14Consequences . . .
- Many companies have become paralyzed by the
proverbial privacy storm. - Privacy advocates and regulators are quickly
turning their attention to off-line companies
with respect to the sale of personal (sensitive)
information. - The largest area for potential abuse concerns
telephony and the wireless web, which many take
years to get off the ground because of regulatory
groundswells. - But, most companies are still complacent about
privacy risk
15What Makes a Privacy Policy Work?
16Setting the Tone of the Program
- Understanding your business and data management
environment - Focus program on identified risk areas
- Avoid the CYA orientation
- Avoid too much control over behavior
- Get commitment from senior executives and the
Board - Get input and buy-in from all key stakeholders
- Avoid the one size fits all syndrome
- Privacy policy needs to fit corporate culture
- Decentralized environment may require separate
policies - Make sure that you walk-the-talk
17Establishing Governance
- Establish privacy leader and organizational
sponsor - Assigned the title Privacy Officer
- High-level reporting responsibility to the CEO
- Establish cross-functional committee composed of
key stakeholders, including - Legal
- Marketing/CRM
- Human Resources
- Corporate Compliance
- Regulatory Affairs and Public Relations
- Information Technology
- Security
18Writing the Policy
- Start with pledge of the CEO and Board
- Define overarching principles
- Keep sections clear and concise
- If possible, avoid legalese
- Include examples and short cases
- Explain the redress process
- Define what is meant by personal accountability
19Five Typical Policy Components
- Requirements and process for fair disclosure and
proper notice - Opportunity to provide individuals with choice or
consent to data capture, secondary usage and
sharing - Pledge of reasonable security and data protection
efforts over all personal (private) information - Opportunity to access personal information (and
correct identified errors) - Pledge of reasonable redress and dispute
resolution process for individuals
20Vetting the Privacy Policy
- Get buy in from business unit leaders
- Hold workshops with groups of employees to
determine understanding and usefulness - Revise document based on legitimate issues and
concerns raised by stakeholders - Get finalized approval from the Board
- Send policy to all employees, contractors and
business partners - Think about external disclosure (on Web sites and
other public venues)
21Benchmark Results on Privacy Policy
Unpublished study of 181 corporations (all
Fortune 1000 or Global 500 companies) containing
information on their corporate ethics programs
used to determine the existence, coverage and
effectiveness of program efforts on a global basis
22Most people dont do what they believe in, they
just do whats most convenient -- and then they
repent.Source Bob Dylan.
Reality Check
23Privacy Management Process
24What is the Privacy Management Process?
A management process comprised of compliance
programs and systems designed to motivate,
measure, and monitor the organizations privacy
and data protection practices.
25The Privacy Management Process
Process Management Including performance-based
measurement, scorecards, external verification
and crisis management plan
Ongoing Monitoring Including formal process for
identifying privacy and information security risk
and vulnerability areas within core business units
Training Including classroom based training,
facilitated training, and e-learning programs for
all employees who handle sensitive personal
information
Communications Including policies, corporate
communications, employee handbooks, and
compliance procedures
Enforcement Including the formal mechanism and
due process for evaluating privacy and data
protection blow-ups
26Building an Effective Privacy Management Process
- PMP helps to identify and reduce the most salient
cases of privacy compliance and data protection
risks. - PMP helps to make policies real and meaningful to
employees and other key stakeholders. - PMP helps people to learn about their role in
managing privacy and in protecting sensitive
personal data within the organization. - PMP serves as a tool to foster feedback and
learning for employees and managers. - PMP fosters climate and cultural change with
respect to accountability and empowerment.
27Measuring the Effectiveness of the Privacy
Management Process
- Develop process performance benchmarks and
guidelines that can be verified (perhaps by
independent third-party). - Use drill-down approach to assess privacy and
data protection risk at the core business process
level. - Develop performance indicators that focus on the
antecedents to privacy and data protection risk. - Used balanced scorecard approach to measuring
improvements and establishing accountability.
28Performance Indicators for Privacy Management
Process
- Objective Measures
- Existence of PMP
- Training coverage
- Understanding and knowledge
- Compliance breaches
- Customer complaints
- Customer churn
- Litigation
- Perception Measures
- Quality of policy
- Beliefs about program
- Culture toward compliance
- Consumer trust
- Reputation
- Pressure to bend the rules
29What Companies are Doing Today
30What Companies are Doing Today
- Privacy policy with limited training or awareness
activity during rollout phase - Governance model using cross-functional committee
- Basic education program, often using e-learning
technology to disseminate information and test
understanding - Minimal downstream communication efforts
- Appointment of a high level executive as the
privacy officer often with unclear reporting
lines - Limited monitoring or assessment of
compliance-related risks
31Benchmark on Privacy Practices
Unpublished study of 181 corporations (all
Fortune 1000 or Global 500 companies) containing
information on their corporate ethics programs
used to determine the existence, coverage and
effectiveness of program efforts on a global basis
32Benchmark by Industry Classification
Unpublished study of 181 corporations (all
Fortune 1000 or Global 500 companies) containing
information on their corporate ethics programs
used to determine the existence, coverage and
effectiveness of program efforts on a global
basis. Companies in each industry category scored
yes to 4 or more benchmarks (of the 12 shown on
the previous slide).
33Best Practices for Global Corporations
- Integration with information security team
- High-level reporting to the CEO with periodic
reports to the Board - Use of enabling technologies such as P3P
- Empowering local privacy managers
- Real budget authority
- Black Belt training orientation
- Redress program with real powers to investigate
and enforce - Internal monitoring of privacy program (and mock
regulatory audits) - Third-party verification
- Good quality disclosure
- Greater use of choice (such as opt-in approach
for sensitive information) - Use of insurance to mitigate privacy and data
protection blow-ups - Balanced approach to data collection for
marketing and other uses
34Questions Answers
Presentation by Dr. Larry Ponemon CEO, Privacy
Council (972) 997 4016 Larry.ponemon_at_privacycounci
l.com