
  • Number of slides: 19

SOCIETY for INFORMATION MANAGEMENT FAIRFIELD & WESTCHESTER CHAPTER
“Privacy, IT, and the Changing Landscape”
A Panel Discussion with
Bill Bandon – Wiggin & Dana, LLP
Indy Crowley – Yale University
Ruth Nelson – PricewaterhouseCoopers LLP
Eran Marom – Tory Ventures
Pete Petrusky – PricewaterhouseCoopers LLP (Moderator)
Doral Arrowwood
Rye Brook, New York
April 15, 2004

Agenda
§ Introductions
§ Privacy & Fair Information Principles
  – Privacy & Security
§ Privacy Legislation
  – U.S. Perspectives & Enforcement Activity
  – International Privacy Landscape
§ Privacy & Business
  – Why It Is a Hot Topic
  – Privacy Incidents
§ Panel Discussion
§ Q&A
§ Appendices
  – Privacy Best Practices
  – Reference Sites

What is Privacy?
An individual’s right to:
§ Know how their information is handled
§ Control the information collected about them
§ Control what that information is used for
§ Control who has access to the information
§ Amend, change & delete their personal information

Fair Information Principles
§ Collection
§ Data quality
§ Purpose specification
§ Use limitation
§ Security safeguards
§ Openness
§ Individual participation
§ Accountability

Privacy vs Security
PRIVACY
§ Involves the whole information lifecycle
§ Is about more than just protecting personal information
§ Most privacy legislation includes security as one aspect
SECURITY
§ Is a core component of good privacy practice
§ Is a key instrument for executing privacy policies
§ Viewed as a technology enabler, supporting policies, access controls, individual choice and 3rd party sharing

The US Perspective – Jigsaw Regime
§ Children’s Online Privacy Protection Act (COPPA)
§ Financial Services Modernization – Gramm-Leach-Bliley Act (GLBA)
§ Health Insurance Portability and Accountability Act (HIPAA)
§ US Safe Harbor
§ FTC & SAG Enforcement
§ CAN SPAM Act
§ Patchwork of State Laws

The Global Picture
Sample of Data Protection Laws Around the World
§ The EU Data Protection Directive & comparable privacy legislation by 15 member states
§ Switzerland – Federal Act on Data Protection (1992)
§ Hungary – Protection of Personal Data and Disclosure of Data of Public Interest (1992)
§ Czech Republic – Act on Protection of Personal Data (2000)
§ Norway – Personal Data Registers Act of 2000
§ Canada – Personal Information Protection and Electronic Documents Act (2000)
§ Argentina – Personal Data Protection Act (2000)
§ Chile – Law for the Protection of Private Life (1999)
§ Australia – Privacy Amendment (Private Sector) Act (2001)
§ Hong Kong – The Personal Data (Privacy) Ordinance (1996)
§ New Zealand – Federal Privacy Act (1993)
and more…
Recent privacy legislation (Australia, Hong Kong, Canada) trending toward EU-style privacy regulation and away from U.S. sectoral/data elements-based models

Privacy & Business
Question: What keeps you up at night?
CEOs and Boards of top e-Businesses
§ Customer Loyalty
§ Burn Rate/Profitability
§ Privacy/Data Integrity
§ New Regulations
§ Competition
§ Staffing/Leadership
CEOs and Boards of Fortune 500s
§ Shareholder Value
§ Market Convergence
§ Sustainable Growth
§ Customer Loyalty
§ Global Competition
§ Technology Change
Top 7 concerns for CEOs and Directors based on recent research by the Personalization Consortium

Privacy & Business
§ Privacy Failures Can Have Major Consequences
  – Damage to brand reputation
  – Loss of customers/increased costs for acquiring new ones
  – Loss of revenues and new business opportunities
  – Regulatory Action/Penalties for non-compliance
  – Litigation
  – International enforcement actions
  – Disruption of cross-border data flows

What are people talking about? Are consumers really concerned?
[Slide: collage of news headlines]
§ TiVo criticized by privacy group - TV service secretly collects info about viewers
§ Devices Locate Children, Create Privacy Dilemma
§ Would You Sell Your Secrets for Free Internet Service?
§ RealNetworks in Real trouble
§ AmEx, EDS May Face European Privacy Lawsuits
§ Yahoo sued over use of cookies
§ AOL Time Warner in Missouri Privacy Suit
§ AT&T customers’ privacy left blowing in the wind
§ Privacy Suit Charges Sites with Misrepresentation Over Placing of Cookies on Users Drives
§ Lack of Notice Snags e-service
§ Ikea exposes customer information on catalog site
§ Hotmail glitch exposes email addresses
§ Amazon's Wish: No More Bad PR
§ Activists charge DoubleClick Double Cross
§ Report Labels Internet Privacy Policies ‘A Joke’
§ Hackers bust Telecom NZ security

Managing Website Privacy
Current On-line Privacy Compliance Challenges
Assumes:
1. Web team knows about the corporate privacy policy and local legislative requirements
2. Web team is not using technologies or methods that breach the policy
3. Appropriate and adequate links to the privacy policy are maintained on every site
4. New or specific website transactions and functionality have been assessed for privacy risk
5. Back of house procedures have been developed to support the website's privacy disclosures
Problem: Websites are not static and are large in nature
Sites are growing and changing on a daily basis
§ Challenge to monitor and ensure new content and new sites are in compliance with the privacy policy
Too many privacy issues spread across too many web pages
§ Difficult and labor intensive to measure current and ongoing compliance
§ Costly to manage using existing tools and techniques
Many individuals responsible for site creation
§ Increases the risk of privacy glitches
§ Privacy compliance becomes reactive rather than proactive

Panel Discussion

Questions?

Privacy Red Flags
§ Lack of an adequate privacy statement
§ Privacy statement does not accurately reflect practices
§ Back of house procedures do not support the policy disclosures
§ Lack of privacy awareness throughout the company
  – Marketing, IT, web developers, business development
§ New legislation and regulations which impact the business
§ Existing transborder dataflows to the US
§ Use of third parties and new technologies
§ Failure to maintain adequate security
§ Websites or businesses operating in regulated regions

Where to Begin…
§ Mobilize appropriate resources
§ Designate privacy champions and project governance team
§ Determine privacy work that has previously been performed
§ Communicate project needs and goals
§ Assess privacy compliance requirements and drivers
§ Develop the overall privacy vision and strategy
§ Determine current level of privacy compliance based on existing procedures
§ Determine high risk areas or areas that need specific focus

Benefits of Good Privacy Practices
§ Brand Protection
§ Customer Trust & Confidence
§ Customer Loyalty
§ Shareholder value
§ Responsible Customer Relationship Management
§ Business Partner Confidence
§ Differentiation from Competitors
§ Responsible Privacy Practices
§ Litigation
§ Reputation Damage
§ Interrupted Data Flows
§ Privacy Breach
§ Case for Regulation
§ Unwanted Attention

Maintaining Privacy Compliance
§ Designate a privacy subject matter expert
§ Continue to educate, train and raise awareness throughout the company
§ Stay abreast of legislative and industry developments
§ Build processes to manage changes to your Website
§ Review information handling practices periodically
§ Assess new third parties' and partners' practices
§ Assess information disclosures & third-party data sharing
§ Disclose any changes in your policy
§ Perform periodic compliance reviews
§ Regular audits

Conclusions
§ Enhances trust and consumer confidence
§ Increases customer loyalty
§ First mover advantage – competitive differentiation
§ Aim for positive media, not negative
§ Promotes shareholder value
§ Reduces barriers to International trade
§ Avoids litigation and regulatory action

Selected sites for topical research concerning information privacy
§ International Association of Privacy Professionals. www.privacyassociation.org
§ Federal Trade Commission Site for Consumers. http://www.ftc.gov/
§ U.S. Department of Commerce Site for Safe Harbor. http://www.export.gov/safeharbor/
§ Privacy Foundation. http://www.privacyfoundation.org/
§ Truste Privacy Seal Program. http://www.truste.org
§ BBBOnline Privacy Seal Program. http://www.bbbonline.org
§ Electronic Privacy Information Center. http://www.epic.org
§ Online Privacy Alliance. http://www.privacyalliance.org
§ Draft Commission Decision on Standard Contractual Clauses on the Web. http://www.europa.eu.int. March 27, 2001.
§ ICRT Comments on Binding Corporate Rules. http://www.icrt.org/pos_papers/2003/030930_EE.pdf
§ Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. http://www.oecd.org
§ Hong Kong Data Protection Act Summary. http://www.privacyexchange.org
§ Privacy and Human Rights 2000. http://www.privacyinternatinal.org
§ Proposed/Pending National Legislation. http://www.privacyexchange.org
§ Recent Developments in Latin American Privacy Laws. http://www.haledorr.com
§ Standardization: A business Tool for Data Privacy. CEN/ISSS Open Seminar. http://www.cenorm.be