Analysis of Corporate Privacy Practices - PowerPoint PPT Presentation
1
Analysis of Corporate Privacy Practices
Presentation by Dr. Larry Ponemon, CEO, Privacy
Council. Workshop on the Relationship between
Privacy & Security, Carnegie-Mellon University,
May 29, 2002
2
Proposed Agenda
  • The drivers to privacy
  • The impact of 9/11 on corporate privacy
    compliance initiatives
  • Review of corporate privacy management practices

3
A Right to Privacy?
Do You Have a Right to
  • Control information collected about you and your
    family?
  • Control how that information is being used?
  • Have access to review your personal information?
  • Have the ability to change incorrect information?
4
How Bad Does it Get?
  • Story: In Arizona, about 100 members of a
    retirement community were given free personal
    computers, full access to the Internet and a
    basic hands-on training program.
  • Sounds too good to be true?
  • The real deal is about providing significant
    information about yourself and your immediate
    family (children, grandchildren and so forth).
  • So, who has the choice now? What recourse do
    these people have? And what about our relatives
    who had their privacy violated?

5
Fact . . .
  • A recent analysis of major organizations shows
    that less than 24% of companies in the United
    States are in reasonable compliance with their
    stated Internet privacy policy.
  • Far fewer companies would be able to comply with
    the provisions of new regulations, laws and
    standards around the world.

6
Why is Privacy a Hot Issue?
  • Post 9/11 surveillance society
  • Growing misuse of personal (sensitive)
    information
  • Exponential growth in identity theft
  • Increased regulatory oversight
  • Press and media coverage
  • Aggressive advocacy

7
Review The Ethical Principles
  • Notice and Awareness: information collection
    practices, usage and sharing
  • Choice and Consent: opt-in and opt-out policies
    and methods
  • Access and Accuracy: right to view, modify or
    delete relevant information
  • Reasonable Security: ensuring the integrity and
    protection of data
  • Redress and Enforcement: including a dispute
    resolution mechanism
8
Post 9/11 Impact on Privacy and Surveillance
  • Authentication has become a major focus
  • Something that the company has about you, usually
    in the form of individuated data (mother's maiden
    name)
  • Something that you carry in your wallet,
    computer or PDA (smart card)
  • Something that defines you, such as a fingerprint
    or facial scan (biometrics)

Better authentication reduces both privacy and
security risks, but only if the credentialing
process is nearly perfect.
9
Post 9/11 Impact on Privacy and Surveillance
  • Security has become dominant over privacy
  • The focus on stopping the bad guy from getting
    inside the critical infrastructure or gaining
    access to assets
  • Privacy rights are still important, but not at
    the cost of diminishing security and public
    safety
  • New surveillance methods draw upon multiple
    sources of customer-centric information, creating
    a potential privacy blow-up if this personal
    information is not protected or managed properly.

10
Factors Increasing Post 9/11 Privacy Risks
  • Growing use of personal information
  • Over-reliance on new biometric and surveillance
    technologies (increasing misclassification risk,
    false positives)
  • Lax controls over personal information used for
    surveillance
  • Increased information sharing practices among
    organizations, without proper control or
    consistent application
  • Limited or fragmented regulatory enforcement of
    privacy
  • Lack of awareness, understanding or general
    complacency about the continued need for privacy

11
The New Surveillance Society
  • Growing concerns for most people
  • Who is watching me?
  • Who is watching the watchers?
  • Do individuals have a choice?
  • How will surveillance data (negative data) be
    used and/or shared?
  • What are the long-term consequences to our rights
    to privacy (and what are the costs to business)?

12
Regulations and Industry Initiatives
  • Financial Services - Gramm-Leach-Bliley Act (GLBA)
  • Health Care - Health Insurance Portability and
    Accountability Act (HIPAA)
  • Children's Online Privacy Protection Act - COPPA
  • Federal Trade Commission
  • EU Data Protection Directive
  • New Canadian Regulations - PIPEDA
  • Proposed Bills for Internet, Government and
    Financial Services
  • Over 400 State bills (including recent
    legislation in Vermont)

13
Beyond Regulation
  • Consumer concerns are costing business in terms
    of lost sales, market value and potential
    litigation
  • Strong and well-funded advocacy groups have a major
    impact on corporate reputation
  • Privacy concerns are not independent of national
    boundary and culture
  • Privacy regulation is creating large demand for
    privacy enabling technology such as P3P
  • Privacy issues create real social and ethical risk

14
Consequences . . .
  • Many companies have become paralyzed by the
    proverbial privacy storm.
  • Privacy advocates and regulators are quickly
    turning their attention to off-line companies
    with respect to the sale of personal (sensitive)
    information.
  • The largest area for potential abuse concerns
    telephony and the wireless web, which may take
    years to get off the ground because of regulatory
    groundswells.
  • But most companies are still complacent about
    privacy risk

15
What Makes a Privacy Policy Work?
16
Setting the Tone of the Program
  • Understanding your business and data management
    environment
  • Focus program on identified risk areas
  • Avoid the CYA orientation
  • Avoid too much control over behavior
  • Get commitment from senior executives and the
    Board
  • Get input and buy-in from all key stakeholders
  • Avoid the one size fits all syndrome
  • Privacy policy needs to fit corporate culture
  • Decentralized environment may require separate
    policies
  • Make sure that you walk-the-talk

17
Establishing Governance
  • Establish a privacy leader and organizational
    sponsor
  • Assign the title Privacy Officer
  • High-level reporting responsibility to the CEO
  • Establish a cross-functional committee composed of
    key stakeholders, including:
  • Legal
  • Marketing/CRM
  • Human Resources
  • Corporate Compliance
  • Regulatory Affairs and Public Relations
  • Information Technology
  • Security

18
Writing the Policy
  • Start with a pledge from the CEO and Board
  • Define overarching principles
  • Keep sections clear and concise
  • If possible, avoid legalese
  • Include examples and short cases
  • Explain the redress process
  • Define what is meant by personal accountability

19
Five Typical Policy Components
  • Requirements and process for fair disclosure and
    proper notice
  • Opportunity to provide individuals with choice or
    consent to data capture, secondary usage and
    sharing
  • Pledge of reasonable security and data protection
    efforts over all personal (private) information
  • Opportunity to access personal information (and
    correct identified errors)
  • Pledge of reasonable redress and dispute
    resolution process for individuals

20
Vetting the Privacy Policy
  • Get buy-in from business unit leaders
  • Hold workshops with groups of employees to
    determine understanding and usefulness
  • Revise document based on legitimate issues and
    concerns raised by stakeholders
  • Get final approval from the Board
  • Send policy to all employees, contractors and
    business partners
  • Think about external disclosure (on Web sites and
    other public venues)

21
Benchmark Results on Privacy Policy
Unpublished study of 181 corporations (all
Fortune 1000 or Global 500 companies) containing
information on their corporate ethics programs,
used to determine the existence, coverage and
effectiveness of program efforts on a global basis
22
Reality Check
"Most people don't do what they believe in, they
just do what's most convenient -- and then they
repent." Source: Bob Dylan.
23
Privacy Management Process
24
What is the Privacy Management Process?
A management process composed of compliance
programs and systems designed to motivate,
measure, and monitor the organization's privacy
and data protection practices.
25
The Privacy Management Process
  • Process Management: including performance-based
    measurement, scorecards, external verification
    and a crisis management plan
  • Ongoing Monitoring: including a formal process for
    identifying privacy and information security risk
    and vulnerability areas within core business units
  • Training: including classroom-based training,
    facilitated training, and e-learning programs for
    all employees who handle sensitive personal
    information
  • Communications: including policies, corporate
    communications, employee handbooks, and
    compliance procedures
  • Enforcement: including the formal mechanism and
    due process for evaluating privacy and data
    protection blow-ups
26
Building an Effective Privacy Management Process
  • PMP helps to identify and reduce the most salient
    cases of privacy compliance and data protection
    risks.
  • PMP helps to make policies real and meaningful to
    employees and other key stakeholders.
  • PMP helps people to learn about their role in
    managing privacy and in protecting sensitive
    personal data within the organization.
  • PMP serves as a tool to foster feedback and
    learning for employees and managers.
  • PMP fosters climate and cultural change with
    respect to accountability and empowerment.

27
Measuring the Effectiveness of the Privacy
Management Process
  • Develop process performance benchmarks and
    guidelines that can be verified (perhaps by an
    independent third party).
  • Use a drill-down approach to assess privacy and
    data protection risk at the core business process
    level.
  • Develop performance indicators that focus on the
    antecedents to privacy and data protection risk.
  • Use a balanced scorecard approach to measuring
    improvements and establishing accountability.

28
Performance Indicators for Privacy Management
Process
  • Objective Measures:
  • Existence of PMP
  • Training coverage
  • Understanding and knowledge
  • Compliance breaches
  • Customer complaints
  • Customer churn
  • Litigation
  • Perception Measures:
  • Quality of policy
  • Beliefs about program
  • Culture toward compliance
  • Consumer trust
  • Reputation
  • Pressure to bend the rules

29
What Companies are Doing Today
30
What Companies are Doing Today
  • Privacy policy with limited training or awareness
    activity during rollout phase
  • Governance model using cross-functional committee
  • Basic education program, often using e-learning
    technology to disseminate information and test
    understanding
  • Minimal downstream communication efforts
  • Appointment of a high-level executive as the
    privacy officer, often with unclear reporting
    lines
  • Limited monitoring or assessment of
    compliance-related risks

31
Benchmark on Privacy Practices
Unpublished study of 181 corporations (all
Fortune 1000 or Global 500 companies) containing
information on their corporate ethics programs,
used to determine the existence, coverage and
effectiveness of program efforts on a global basis
32
Benchmark by Industry Classification
Unpublished study of 181 corporations (all
Fortune 1000 or Global 500 companies) containing
information on their corporate ethics programs,
used to determine the existence, coverage and
effectiveness of program efforts on a global
basis. Companies in each industry category scored
yes to 4 or more benchmarks (of the 12 shown on
the previous slide).
33
Best Practices for Global Corporations
  • Integration with information security team
  • High-level reporting to the CEO with periodic
    reports to the Board
  • Use of enabling technologies such as P3P
  • Empowering local privacy managers
  • Real budget authority
  • Black Belt training orientation
  • Redress program with real powers to investigate
    and enforce
  • Internal monitoring of privacy program (and mock
    regulatory audits)
  • Third-party verification
  • Good quality disclosure
  • Greater use of choice (such as opt-in approach
    for sensitive information)
  • Use of insurance to mitigate privacy and data
    protection blow-ups
  • Balanced approach to data collection for
    marketing and other uses

34
Questions & Answers
Presentation by Dr. Larry Ponemon, CEO, Privacy
Council, (972) 997 4016,
Larry.ponemon_at_privacycouncil.com