Data Privacy What the CIO and CISO Should Know - PowerPoint PPT Presentation

1
Data Privacy What the CIO and CISO Should Know
  • The Black Hat Briefings
  • Las Vegas, July 2000

Presented by Eddie Schwartz, CISSP
2
Agenda
  • What's All This About? The Privacy Landscape
  • Impacts
  • Responses

Disclaimer This presentation represents the
personal views of the presenter, and neither
represents the views of Nationwide nor describes
the current or intended practices of Nationwide
or its affiliates.
3
What's This All About?
  • "Everything on the Web is ultimately about
    Trust." -- Nicholas Negroponte

4
Privacy in the Last 100 Years
  • There have always been invasions of our privacy
    (by neighbors, government, photographers,
    employers, etc.) -- but it was hard work!
  • Time and distance created the escape
  • Today, distance is irrelevant; geography is
    history
  • Are we facing an Orwellian future or some "Brave
    New World" order?

"You have zero privacy anyway. Get over it!"
-- Scott McNealy, CEO, Sun
5
Consumer Surveys
  • 80% of consumers believe they have lost all
    control over privacy
  • U.S. consumers have moderate confidence in the
    insurance industry to protect privacy: 65% for
    health, 65% for P&C (property and casualty), and
    62% for life insurance
  • U.S. consumers place high value on privacy
    policies in the insurance industry: 82% for
    health, 75% for P&C and 74% for life companies

"We have reached a point in America where our
private lives are grotesquely public."
-- Richard Dreyfuss, Actor
6
Consumer Wishes
  • Convenience
  • Speed
  • Personalization or Anonymity (at times)
  • Control
  • Explicit and clear privacy terms and conditions
    (T/C)
  • Various trust and information assurance
    mechanisms
  • Data differentiation

"Privacy is like oxygen. We really appreciate it
only when it is gone."
-- Charles J. Sykes, The End of Privacy
7
Consumer Dislikes
  • Complex, convoluted, unreadable privacy
    policies/notices
  • Unauthorized sharing/transfer of personally
    identifiable information with 3rd parties
  • Unsolicited information via e-mail, etc.
  • Lots of other stuff that is intuitive to all of
    us (phone calls, junk mail, etc.)

8
Consumer Fears
  • Protection of home and family
  • Disclosure of medical, genetic data
  • Discrimination, redlining and other bigotry
  • Disclosure of indiscretions, private lives, other
    personal secrets

9
The Information Economy
  • Privacy is now essential to successful e-business
    strategies
  • 56% of visitors to insurance websites have
    refused to provide personal information because
    of privacy concerns (IBM/Harris Survey)
  • The Federal Trade Commission has been reviewing
    website privacy practices, looking for:
  • Real opt-out from marketing use of data
  • Real access by individuals to information about
    them
  • Real enforcement, including consumer recourse and
    some form of compliance verification
  • Offline regulatory protections can be expected to
    apply to online insurance and financial services

10
Basic Privacy Lexicon
  • Fair Information Practice Principles
  • Notice/Awareness: Customers must be given notice
    before information is collected
  • Choice/Consent: Customers must have options on
    whether and how information is collected and used
  • Security/Integrity: Reasonable steps must be
    taken to assure accuracy and security
  • Enforcement/Redress: Compliance mechanisms and
    sanctions for violators

11
Basic Privacy Lexicon
  • PII: Personally Identifiable Information
  • Opt-Out: A company is sharing your data; you ask
    them to stop
  • Opt-In: A company is not sharing your data now,
    but would like to; you sign up
  • No Sharing: A company does not share your data

12
Regulatory Pressures
  • Gramm-Leach-Bliley
  • FTC
  • HIPAA
  • State Regulations
  • International Data Privacy Standards
  • Others

13
Enforcement Pressure
  • FTC Online Privacy Enforcement:
  • Consent decree with GeoCities over disclosures of
    subscriber data contrary to its privacy policy
  • Consent decree with Liberty Financial over
    collection and use of children's data
  • State enforcement activities:
  • Minnesota consent decree with US Bancorp over
    sharing customer data with a telemarketer and
    conflicting online and offline privacy policies
  • New York consent decree with Chase over sharing
    customer data with a telemarketer contrary to its
    own privacy policy

14
Enforcement Pressure
  • Litigation:
  • First Union sues business partner over screen
    scraping and use of customer data
  • Advocacy groups file multimillion-dollar suit
    against an online profiler

15
Impacts
  • "Not content with snatching her body, Starr's
    deputies were now invading her mind. They had
    exposed her sex life and dissected her
    personality; now they wanted to scrutinize her
    very soul. It was an invasion too far."
  • -- Monica's Story, Andrew Morton

16
Lots of Potential Impact
  • Regulatory/Legal
  • Brand Name
  • Internal Process
  • Financial
  • Domestic and International
  • Privacy Failure Consequences

17
Regulatory
  • Domestic corporations must meet online
    self-regulatory and regulatory privacy
    requirements
  • Global corporations must meet international data
    protection regulations
  • GLB privacy regulations affect all financial
    institution and insurance business units,
    marketing strategies, business relationships
  • Health privacy affects many organizations --
    Federal financial and health information privacy
    regulations do not preempt state law, which could
    mean an even worse patchwork than now

18
Brand Name Protection
  • A privacy failure, even a merely perceived
    failure to protect customer data, could result in
    loss of consumer trust, affect customer retention
    and cause significant damage to brand and company
    reputation -- a potential disaster for a
    customer-focused business strategy
  • Internet businesses are directly affected by
    e-business privacy concerns and regulatory scope
    of the GLBA
  • Online privacy practices must be consistent with
    offline

19
Internal Process Impacts
  • Business units, affiliates and subsidiaries will
    require updated privacy statements, assurance of
    required practices
  • Privacy due diligence is needed for all strategic
    marketing agreements and strategies, joint
    ventures, mergers and acquisitions
  • Back-end information management practices must
    support business unit privacy policies--
    practices must be consistent with content of
    privacy notice

20
Financial
  • Implementing defensible data privacy practices is
    not cheap
  • Opt-out is the most expensive
  • Do not share is the cheapest
  • Bank One estimates an initial cost of $55MM to
    implement the privacy provisions of GLB, and
    annual costs in the tens of millions (Source:
    Gartner Group)

21
International Impacts
  • Global entities must quickly establish processes
    for international data protection regulations in
    Europe and Asia-Pacific
  • Any potential data export to the U.S. by global
    entities could be interrupted under most
    international privacy regulations
  • Global corporations should consider preparing a
    contractual solution for possible data
    transfers, or implementing practices consistent
    with the Department of Commerce Safe Harbor
    Principles for their U.S. operations

22
Privacy Failure Consequences
  • Irreparable damage to brand, reputation, consumer
    retention and customer-focused business strategy
  • Loss of revenue and new business
  • Interruption of transborder data flows,
    applicable penalties in international
    jurisdictions
  • Possible federal and state enforcement actions --
    millions of dollars spent and loss of flexibility
    in the marketplace to implement consent decrees,
    irreparable damage to key business initiatives
    such as eBusiness
  • Litigation from consumers, privacy advocates,
    business partners
  • Civil and criminal penalties for wrongful
    disclosure of protected health information

23
The Response
  • "They say it's the price you pay for fame. But
    the price tag keeps changing, and it's gotten
    worse."
  • -- Christie Brinkley

24
The Privacy Policy
  • The Privacy Policy is where you start
  • Options: short-sighted or visionary
  • Opt-out is short-sighted
  • Opt-in is the visionary position
  • Do not share is the ideal, but not a pragmatic
    business position for some companies
  • The Privacy Policy should be a value-add
    proposition for customers and for companies

25
Who Clears On the Policy?
  • Short Answer: Everyone
  • Better Answer:
  • CEO
  • Business Units (Products and Operations)
  • General Counsel
  • Government Affairs
  • Information Security
  • I/T

26
Assess Privacy Policy Impact
[Diagram: the Corporate Privacy Policy at the center;
its impact is assessed along four dimensions (Process,
Organization, Technology, Compliance) and across
Business Units and Operational Areas]
27
The Work Plan Approach
  • Start by getting a working group together and
    performing an assessment
  • Inventory and map current privacy initiatives,
    practices and 3rd-party sharing
  • Identify gaps between current information
    practices/capabilities and the target policy
  • Identify any international issues, particularly
    transborder data flow relationships

28
Working Group Members
  • General Counsel
  • Government Affairs Office
  • Product and Operational Leads
  • Information Security
  • Information Technology
  • Human Resources
  • Compliance Office
  • Internal Audits

29
Work Plan, Phase II
  • With an understanding of your new policy and the
    current gaps, develop a compliance strategy and a
    project plan that will mitigate these risk areas:
  • Process
  • Organization
  • Technology
  • Compliance

30
Monitor Progress Closely
  • Appoint a Privacy Officer
  • Put someone in charge of the entire effort --
    hold them accountable, but give them some help
  • Use a common reporting tool
  • Track high risk areas
  • Report to a central location
  • There are many similarities to the way Y2K
    projects were handled -- use that experience

31
Work Plan, Phase III
  • Execute the Phase II Plans and Roadmap --
    Actually close the gaps
  • Revise business processes, operational scripts,
    disclosures, etc.
  • Change systems, databases, web sites
  • Training: get ready to handle the customer
    service aspect
  • Document everything carefully

32
Do the Security Work
  • Guidelines
  • GLB Section 501(b) and recent FTC Advisory
    Committee on Online Access and Security Drafts
  • HIPAA/HHS Requirements
  • International Requirements (e.g., EU Data
    Protection Directive 95/46/EC)
  • More Information in Additional Slides

33
Security Bottom Line
  • The statutes are somewhat vague -- basically, you
    have to have a real security program in place
  • You need to meet a demonstrable standard of due
    care
  • If you don't already have support for your
    security program, add this fuel to the fire

34
Other Good Due Care Practices
  • Get serious about data classification and
    security certification of applications
  • Build Data Privacy compliance into due diligence
    and standard certification and marketing
    processes
  • Use a QA process such as the SSE-CMM (Systems
    Security Engineering Capability Maturity Model)
  • Conduct audits once a compliance program is
    established

35
Other Good Due Care Practices
  • Typical security general controls, but the
    privacy issue lends more urgency
  • Require employees to sign confidentiality
    agreements
  • Maintain warning banners on application systems
  • Consider the value of 3rd-party assurance
    (TRUSTe, BetterWeb, CPA WebTrust, etc.)

36
Privacy Assurance Expectations
  • ISO-type standards for certification of data
    privacy standards by 2002/3
  • Incorporation of Data Privacy Process Areas into
    the SSE-CMM
  • Privacy brokers and other electronic
    intermediaries
  • Third-party assurance will become the norm,
    especially for B2B relationships

37
Training
  • Deliver staff training on the issue
  • Legal and ethical requirements: no one can
    opt out!
  • Solicit feedback
  • Management involvement and clear sponsorship

38
Privacy Technology Landscape
  • P3P
  • Customer Life-Cycle Management
  • Anonymizer (et al.)
  • One-Off Solutions:
  • Cookie Pal
  • SiegeSurfer
  • WindowsWasher
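
P3P is the one item on this slide that is a protocol rather than a product: a site declares its data practices in machine-readable form, stating for each purpose and recipient whether the user gets no choice, opt-in or opt-out (exactly the opt-in / opt-out / no-sharing lexicon of slide 11), and the user agent compares that declaration with the user's preferences. The following Python is an added example written for this transcript, not code from the presentation or from the W3C. It parses the compact-policy token vocabulary that the later P3P 1.0 Recommendation (2002, so after this talk) defined for the HTTP P3P response header, and evaluates the result against a hypothetical preference: third-party sharing only on opt-in, no indefinite retention of financial, health or physical-contact data, and real access to identified data (the FTC expectation from slide 9). The sample headers are constructed, not captured from any site, and the preference rules are an assumption of the example; P3P itself has since been retired by the W3C and by browsers.

```python
"""Parse a P3P 1.0 compact policy (the CP="..." value a site sends in its
HTTP P3P response header) and check it against a simple user preference.
Example code added to this transcript, not from the presentation."""

import re

# Compact-policy token classes from the W3C P3P 1.0 Recommendation.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
REMEDIES = {"COR", "MON", "LAW"}
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
            "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
              "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
FLAGS = {"DSP", "NID", "TST"}
# Purpose and recipient tokens carry a one-letter suffix that is exactly the
# slide-11 lexicon: a = always (no choice), i = opt-in, o = opt-out.
# CUR (current purpose) and OUR (ourselves) take no suffix.
CHOICE = {"a": "always", "i": "opt-in", "o": "opt-out"}
UNSUFFIXED = {"CUR", "OUR"}

# Hypothetical user preference (an assumption of this example): share with
# unrelated recipients only on opt-in, never keep sensitive categories
# indefinitely, and give individuals access to identified data.
THIRD_PARTIES = {"UNR", "PUB", "OTR"}
SENSITIVE = {"FIN", "HEA", "PHY"}


def parse_compact_policy(header_value):
    """Return a dict of token classes; tokens the vocabulary does not define
    land in 'unknown' instead of being silently accepted."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    body = m.group(1) if m else header_value
    policy = {"access": set(), "remedies": set(), "purposes": {},
              "recipients": {}, "retention": set(), "categories": set(),
              "flags": set(), "unknown": []}
    for tok in body.split():
        base, suffix = tok[:3].upper(), tok[3:].lower()
        if base in PURPOSES or base in RECIPIENTS:
            slot = policy["purposes" if base in PURPOSES else "recipients"]
            if base in UNSUFFIXED:
                slot[base] = "always"
            elif suffix in CHOICE:
                slot[base] = CHOICE[suffix]
            else:
                policy["unknown"].append(tok)
        elif suffix:                      # only purposes/recipients take one
            policy["unknown"].append(tok)
        elif base in ACCESS:
            policy["access"].add(base)
        elif base in REMEDIES:
            policy["remedies"].add(base)
        elif base in RETENTION:
            policy["retention"].add(base)
        elif base in CATEGORIES:
            policy["categories"].add(base)
        elif base in FLAGS:
            policy["flags"].add(base)
        else:
            policy["unknown"].append(tok)
    return policy


def evaluate(policy):
    """Return the reasons to reject the policy; an empty list means accept."""
    reasons = []
    for rec in sorted(THIRD_PARTIES & set(policy["recipients"])):
        choice = policy["recipients"][rec]
        if choice != "opt-in":
            reasons.append(f"shared with {rec} recipients on an '{choice}' basis")
    if "IND" in policy["retention"]:
        for cat in sorted(SENSITIVE & policy["categories"]):
            reasons.append(f"{cat} data retained indefinitely")
    if "NON" in policy["access"] and "NID" not in policy["flags"]:
        reasons.append("no access offered to identified data")
    if policy["unknown"]:                 # fail closed on anything undefined
        reasons.append("unrecognised tokens: " + " ".join(policy["unknown"]))
    return reasons


def is_acceptable(header_value):
    return not evaluate(parse_compact_policy(header_value))


# Constructed sample headers (not captured from any real site).
HEADERS = {
    "non-identified only": 'P3P: CP="NOI DSP COR NID ADMa DEVa PSAa PSDa OUR BUS IND UNI PUR COM NAV STA"',
    "opt-out sharing": 'P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAo PSDo CONo TELo OTRo BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE"',
    "opt-in sharing": 'P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAi PSDi OTRi STP PHY ONL UNI PUR FIN COM NAV"',
}

if __name__ == "__main__":
    for name, hdr in HEADERS.items():
        verdict = evaluate(parse_compact_policy(hdr))
        print(f"{name}: {'accept' if not verdict else 'reject: ' + '; '.join(verdict)}")
```

The second sample header is rejected on three counts (sharing with other recipients on an opt-out basis, and financial and physical-contact data retained indefinitely); the third, which differs only in demanding opt-in and bounded retention, is accepted. Unrecognised tokens are treated as grounds for rejection rather than ignored, because a declaration the evaluator cannot read is no basis for the trust this talk opens with.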

39
Words to the Wise
  • Define roles and responsibilities up-front
  • Don't underestimate the work involved and the
    associated costs and time to complete
  • Use formal approaches for gap analysis, risk
    assessment, planning, and risk mitigation
  • It's time for management (especially I/T) to get
    serious about security
  • Budget, budget, budget
  • Training

40
Some Good Books
  • The Transparent Society, David Brin, ISBN
    020132802X
  • The Unwanted Gaze, Jeffrey Rosen, ISBN
    0679445463
  • The Hundredth Window: Protecting Your Privacy
    and Security in the Age of the Internet, Charles
    Jennings, Lori Fena, ISBN 068483944X
  • For the Record: Protecting Electronic Health
    Information, Computer Science and
    Telecommunications Board, ISBN 0309056977
  • 1984, George Orwell, ISBN 0451524934
  • Brave New World, Aldous Huxley, ISBN 0060929871

41
A Few of Many Privacy Links
  • Regulatory
  • GLB: http://www.bog.frb.fed.us/BoardDocs/Press/BoardActs/2000/20000621
  • FTC: http://www.ftc.gov/acoas/papers/finalreport.htm
  • HIPAA: http://aspe.hhs.gov/admnsimp/
  • EU: http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html
  • General Info
  • http://www.privacyexchange.org
  • http://www.epic.org
  • http://www.privacyplace.com
  • http://www.eff.org
  • http://www.leglnet.com/libr-priv.htm
  • http://www.privacyalliance.org
  • http://www.healthcaresecurity.org

42
More Links
  • Technology and Services
  • http://www.w3.org/P3P/
  • http://www.pwcglobal.com/Extweb/service.nsf/docid/CCA86E5E9DF78C37852567A0006520E4
  • http://www.ibm.com/services/e-business/security.html
  • http://www.truste.com
  • http://www.junkbusters.com/
  • http://www.anonymizer.com/index.shtml
  • http://www.siegesoft.com/products.shtml
  • http://www.kburra.com/cpal.html
  • http://www.privacyright.com

43
Questions?
  • eddie_schwartz_at_nationwide.com

44
Additional Slides
  • Regulatory Details (4 slides)
  • Security Requirements of GLB, FTC, HIPAA, and EU
    (3 slides)

45
Gramm-Leach-Bliley (S.900)
  • GLB regulates privacy practices of financial
    institutions, including insurers
  • Requires institutions to have privacy policies
    and to disclose privacy and fair information
    practices
  • Requires institutions to provide notice and
    opt-out opportunity to individuals before sharing
    their personal data for marketing purposes with
    nonaffiliated third parties
  • Prohibits sharing account identifying information
    with nonaffiliated third parties for marketing
    purposes
  • Joint marketing agreements must require
    compliance by both parties
  • Does not preempt stronger state laws - states are
    already moving to adopt stronger regulations

46
International Regulatory Space
  • Global standards for privacy and fair information
    practices are being set
  • The Organization for Economic Cooperation and
    Development (OECD) Guidelines on the Protection
    of Privacy and Transborder Flows of Personal Data
  • The European Union Data Protection Directive-
    sets legislative floor for data protection laws
    in EU member states
  • Other, non-EU states (e.g. Poland) have
    created similar regulation
  • Hong Kong has established its Personal Data
    (Privacy) Ordinance
  • Data protection activity is emerging in Australia,
    Japan, Latin America, Canada and other
    jurisdictions

47
State Regulatory Activities
  • Recent activity in 17 states includes
  • Requiring opt-in for sharing name, address or
    phone number (New Hampshire)
  • Requiring opt-in before financial services share
    customer data (Massachusetts)
  • Private right of action against companies that
    sell personal data (Utah)
  • Restricting disclosure of personal data without
    consent or opt-in (California)

48
HIPAA
  • Mandated compliance
  • Establishes privacy rights, including notice of
    information practices, access and correction, and
    an accounting of disclosures
  • Requires covered entities to maintain
    administrative and security safeguards to protect
    data
  • Requires written individual authorization for
    data sharing for purposes not related to
    providing treatment or payment for treatment
  • Requires covered entities to create a privacy
    office and document compliance procedures
  • Does not preempt stronger state laws

49
GLB and FTC Requirements
  • GLB:
  • Identify and assess risks that may threaten
    customer information
  • Develop a written plan containing policies and
    procedures
  • Implement and test the plan
  • Adjust the plan on a continuing basis
  • FTC:
  • Web sites should maintain a security program that
    applies to the personal data they hold
  • The elements of the security program should be
    specified
  • The security program should be appropriate to the
    circumstances.

50
HIPAA
  • Organizations must protect information against
    deliberate or inadvertent misuse or disclosure.
  • Organizations must establish clear procedures to
    protect patients' privacy
  • Organizations must designate an official to
    monitor that system and notify their patients
    about their privacy protection practices.

51
EU Data Protection Directive
  • The controller must implement appropriate
    technical and organizational measures to protect
    personal data against accidental or unlawful
    destruction or accidental loss, alteration,
    unauthorized disclosure or access
  • Having regard to the state of the art and the
    cost of their implementation, such measures shall
    ensure a level of security appropriate to the
    risks represented by the processing and the
    nature of the data to be protected.