Title: Privacy and Business: Go Beyond Compliance to Competitive Advantage
1. Privacy and Business: Go Beyond Compliance to Competitive Advantage
- Ann Cavoukian, Ph.D.
- Information and Privacy Commissioner/Ontario
- Designing for Privacy: Privacy Fundamentals and Competitive Strategies
- HP Online Privacy Summit
- December 9, 2004
2. Impetus for Change
- Growth of Privacy as a Global Issue
- EU Directive on Data Protection
- Increasing amounts of personal data collected, consolidated, aggregated
- Consumer Backlash heightened consumer expectations
3. Privacy After 9/11
- Introduction of anti-terrorism statutes worldwide
- U.S. Patriot Act
4. Anti-Terrorism Laws: Why be Concerned?
- General Issues
- Expanded scope of domestic surveillance
- Lack of justification
- Weakening Judicial Controls
- Lack of Oversight
5. Importance of Consumer Trust
- In the post-9/11 world
- Consumers either as concerned or more concerned about online privacy
- Concerns focused on the business use of personal information, not new government surveillance powers
- If consumers have confidence in a company's privacy practices, consumers are more likely to
- Increase volume of business with company.... 91%
- Increase frequency of business.... 90%
- Stop doing business with company if PI misused.... 83%
- Harris/Westin Poll, Nov. 2001 Feb. 2002
6. Information Privacy Defined
- Information Privacy Data Protection
- Freedom of choice, control, informational self-determination
- Personal control over the collection, use and disclosure of any recorded information about an identifiable individual
7. What Privacy is Not
8. Privacy and Security: The Difference
- Authentication
- Data Integrity
- Confidentiality
- Non-repudiation
- Privacy Data Protection
- Fair Information Practices
- Security
- Organizational control of information through information systems
9. Fair Information Practices: A Brief History
- OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
- EU Directive on Data Protection
- Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
- US Safe Harbour Agreement
- Private sector privacy laws in multiple jurisdictions
10. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification Principle
- Use Limitation Principle
- Security Safeguards Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle
11. United States Safe Harbor Privacy Principles
- Notice
- Choice
- Onward Transfer
- Security
- Data Integrity
- Access
- Enforcement
12. The Bottom Line
- Privacy should be viewed as a business issue, not a compliance issue
13. The Promise
- Electronic Commerce projected to reach 220 billion by 2001
- WTO, 1998
- Estimates revised downward to reflect lower expectations
- Electronic Commerce projected to reach 133 billion by 2004
- Wharton Forum on E-Commerce, 1999
14. Privacy is affecting E-Commerce
- United States e-commerce sales were only 1.6% of total sales -- 54.9 billion in 2003
- U.S. Dept. of Commerce Census Bureau, February 2004
- Canada Online sales were only 0.6% of total revenues -- 13.7 billion in 2002
- Statistics Canada, April 2003
15. Lack of Privacy Lack of Sales
- Consumer privacy apprehensions continue to plague the Web. These fears will hold back roughly 15 billion in e-commerce revenue.
- Forrester Research, September 2001
- Privacy and security concerns could cost online sellers almost 25 billion by 2006.
- Jupiter Research, May 2002
16. ISF Highlights Damage done by Privacy Breaches
- The Information Security Forum reported that a company's privacy breaches can cause major damage to brand and reputation
- 25% of companies surveyed experienced some adverse publicity due to privacy
- 1 in 10 had experienced civil litigation, lost business or broken contracts
- Robust privacy policies and staff training were viewed as keys to avoiding privacy problems
- The Information Security Forum, July 7, 2004
17. How The Public Divides on Privacy
- The Privacy Dynamic - Battle for the minds of the pragmatists
- Dr. Alan Westin
18. It's all about Trust
- Trust is more important than ever online. Price does not rule the Web - Trust does.
- Frederick F. Reichheld, Loyalty Rules: How Today's Leaders Build Lasting Relationships
19. The High Road
- When customers DO trust an online vendor, they are much more likely to share personal information. This information then enables the company to form a more intimate relationship with its customers.
- Frederick F. Reichheld, Loyalty Rules: How Today's Leaders Build Lasting Relationships
20. Lack of Trust on the Web
- In 70% of instances where Internet users were asked to provide information in order to access an online informational resource, those users did not pursue the resource because they thought their privacy would be compromised.
- Narrowline Study, 1997
21. Trust and Privacy Policies
- Fully 50% of online users said they would leave a Web site if they were unhappy with a company's privacy policy.
- Customer Respect Group, February 2004 survey
22. Privacy and Customers
- The 1:1 enterprise, operating in an interactive environment, relies not just on information about customers, but on information from them.
- It is absolutely imperative for the 1:1 enterprise to take into account the issue of protecting individual customer privacy.
- Enterprise One to One: Tools for Competing in the Interactive Age, Don Peppers and Martha Rogers, Ph.D.
23. Permission-Based Marketing: The Personal Touch
- Essential premise: persuade consumers to volunteer their attention
- Puts control in the hands of consumers
- Makes consumers active recipients of marketing information
- Permission marketing is just like dating.
- Seth Godin
24. Privacy and CRM
- Incorporating Privacy into Marketing and Customer Relationship Management
- Paper released in May, 2004
- The result of a novel partnership between the Canadian Marketing Association and the IPC
- CRM and marketing must include privacy to be fully successful
25. Hot Topics: RFIDs
- Products are embedded with an RFID tag, which includes a microchip and tiny radio antenna
- The microchip may contain data about the product (e.g., price, size, colour, manufacture date, etc.)
- Cases and pallets of products may also include their own RFID tags
26. Privacy and RFIDs
- RFID tags contain information about a product, not an individual
- Consumers perceive that RFIDs may facilitate:
- The merger and linking of product information and personal information without consent
- The ability to track consumers who have purchased a product
- The establishment of a widespread surveillance infrastructure
27. Implementing RFIDs
- A failure to build privacy into the design and implementation of RFIDs can produce a consumer backlash
- This can have an adverse impact on a company's reputation and affect the bottom line
28. Hot Topics: Digital Entertainment
- TiVo gives viewers the ability to pause live television, record shows by name, and watch programs according to their own schedule
- Real Networks Jukebox
- Windows Media Player
29. Privacy Issues
- Ability to track users' viewing, listening habits and preferences
- Data can be matched with customer data and lifestyle data disclosed directly or indirectly by the customer or obtained from other 3rd parties
- Disclosures to 3rd parties
30. Addressing Privacy Issues
- Changes to user preferences (to provide more control over information)
- More privacy protective software default settings
- More robust notice mechanisms
- Greater use of opt-in consent
- Less use of unique identifiers
- Changes to back-end IM/IT information-handling processes
31. Hot Topics: Workplace Privacy
- In the new millennium, surveillance seems to be becoming an increasingly inescapable feature of life
- Technological innovation has made surveillance easier, more affordable, and less visible than ever before
32. Why Employers Pry
- Suspicion of Theft
- Suspicion of Drug/Alcohol Abuse
- Workplace Discrimination, Abuse
- Interpret Employee Turnover
- Poor Work Performance
- Employee Misconduct
- Negligent Hiring Liability
- Unauthorized use of property
33. How Employers Pry
- There are many monitoring tools available, including
- Key stroke monitoring software
- Web surfing
- E-mail
- Video
- Telephone
34. Evidence of Adverse Impact
- 2004 report on The Future Role of Trust in Work released by the London School of Economics and Political Science (LSE) collated research from 15 major field studies done around the world over the last three years.
- Reveals that managers are using technologies such as e-mail, mobile phones and Short Messaging Service to keep tabs on employees when in actuality they are reducing workers' productivity and the amount of time that they spend serving customers.
35. Hot Topics: Growth of Biometrics
- U.S. Border Security Enhancement Act
- International Civil Aviation Organization approved facial recognition for travel documents
- EU to implement biometrics in passports and visas
- CANPASS and INSPASS programs
- AAMVA Unique Identifier Working Group
36. The Myth of Accuracy
- The problem with large databases containing thousands (or millions) of biometric templates
- False positives
- False negatives
37. Biometric Applications
- Identification
- one-to-many comparison
- Authentication
- one-to-one comparison
38. CIBC Privacy Breach
- West Virginia scrap yard operator alleges that since 2001, his telephone system has been deluged with confidential CIBC customer data (e.g. SSN, account no., client signature)
- Toll-free number was one digit different from an internal bank fax number
- Filed a lawsuit against CIBC claiming his business was ruined
- CIBC filed a court action accusing him of deliberately leaking customer data
39. CIBC Privacy Breach (cont'd)
- Bank acknowledges reports of the misdirected faxes dating back to February 2002
- An e-mail message was sent to staff to check their fax machines
- The matter was not otherwise investigated or escalated to senior levels
- CIBC issued a formal apology and took remedial action (e.g. notification of individuals, fax number taken out of service)
- Federal Privacy Commissioner investigating
40. IPC's Privacy Crisis Management Protocol
- It is critical to have procedures to immediately address privacy breaches, starting with these important steps
- Containment
- Identify the scope of the breach and contain it.
- Notification
- Notify individuals whose privacy was breached
- Other action
- appropriate staff notified immediately; internal investigation; address systemic issues
41. Final Thought
Anyone today who thinks the privacy issue has peaked is greatly mistaken -- we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.
- Forrester Research, March 5, 2001
42. How to Contact Us
- Commissioner Ann Cavoukian
- Information and Privacy Commissioner/Ontario
- 2 Bloor Street East, Suite 1400
- Toronto, Ontario M4W 1A8
- Phone (416) 326-3333
- Web www.ipc.on.ca
- E-mail commissioner_at_ipc.on.ca