The Success of E-Commerce May Hinge on a Fundamental Human


Privacy and Business:
Go Beyond Compliance to
Competitive Advantage
Ann Cavoukian, Ph.D.
Information & Privacy
Commissioner/Ontario
Rotman School of Management
Executive MBA Program
March 18, 2005
Information and Privacy Commissioner/Ontario, © 2005
Impetus for Change
• Growth of Privacy as a Global Issue
  (EU Directive on Data Protection)
• Exponential growth of personal data collected, transmitted and exploited
• Convergence of growth in bandwidth, sensors, data storage and computing power
• Consumer Backlash; heightened consumer expectations
And then came 9/11
• U.S. Patriot Act and series of
anti-terrorism laws
introduced.
• Served to expand powers of
surveillance on the part of
the state, and reduce judicial
oversight.
The Aftermath
• It’s business as usual:
  – Clear distinction between public safety and business issues – make no mistake
  – NO reduction in consumer expectations
  – Increased value of trusted relationships
Consumer Attitudes
• Business is not a beneficiary of
the post-9/11 “Trust Mood”
• Increased trust in government has
not been paralleled by increased
trust in business handling of personal
information
Privacy On and Off the Internet: What Consumers Want
Harris Interactive, November 2001
Dr. Alan Westin
Importance of Consumer Trust
• In the post-9/11 world:
  – Consumers either as concerned or more concerned about online privacy
  – Concerns focused on the business use of personal information, not new government surveillance powers
• If consumers have confidence in a company’s privacy practices, consumers are more likely to:
  – Increase volume of business with company ............. 91%
  – Increase frequency of business ....................... 90%
  – Stop doing business with company if PI misused ....... 83%
Harris/Westin Poll, Nov. 2001 & Feb. 2002
Information Privacy
Defined
• Information Privacy: Data Protection
– Freedom of choice; control;
informational self-determination
– Personal control over the collection,
use and disclosure of any recorded
information about an identifiable
individual
What Privacy is Not
Security ≠ Privacy
Privacy and Security: The Difference
Security: Organizational control of information through information systems
• Authentication
• Data Integrity
• Confidentiality
• Non-repudiation
Privacy: Data Protection
• Fair Information Practices
Fair Information Practices:
A Brief History
• OECD Guidelines on the Protection of
Privacy and Transborder Flows of
Personal Data
• EU Directive on Data Protection
• CSA Model Code for the Protection of
Personal Information
• Canada Personal Information
Protection and Electronic Documents
Act (PIPEDA)
Summary of Fair Information Practices
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance
The Ten Commandments
1. Accountability
   • for personal information designate an individual(s) accountable for compliance
2. Identifying Purposes
   • purpose of collection must be clear at or before time of collection
3. Consent
   • individual has to give consent to collection, use, disclosure of personal information
The Ten Commandments
4. Limiting Collection
   • collect only information required for the identified purpose; information shall be collected by fair and lawful means
5. Limiting Use, Disclosure, Retention
   • consent of individual required for all other purposes
6. Accuracy
   • keep information as accurate and up-to-date as necessary for identified purpose
7. Safeguards
   • protection and security required, appropriate to the sensitivity of the information
The Ten Commandments
8. Openness
   • policies and other information about the management of personal information should be readily available.
9. Individual Access
   • upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and be given access to that information, be able to challenge its accuracy and completeness and have it amended as appropriate.
10. Challenging Compliance
   • ability to challenge all practices in accord with the above principles to the accountable body in the organization.
Public Sector Privacy Laws
• Privacy Act (federal)
• Access to Information Act (federal)
• Freedom of Information and Protection of Privacy Act (Ontario)
• Municipal Freedom of Information and Protection of Privacy Act (Ontario)
Private Sector: PIPEDA
• As of January 1, 2004, the federal Personal Information Protection and Electronic Documents Act applies to:
  – all personal information collected, used or disclosed in the course of commercial activities by provincially regulated organizations
  – unless a substantially similar provincial privacy law is in force
Provincial Private-Sector
Privacy Laws
Québec: Act respecting the protection of
personal information in the private sector
B.C.: Personal Information Protection Act
Alberta: Personal Information Protection
Act
Ontario: Personal Health Information
Protection Act
The Bottom Line
Privacy should be viewed
as a business issue, not
a compliance issue
The Promise
– Electronic Commerce projected to reach $220 billion by 2001
  WTO, 1998
Estimates revised downward to reflect lower expectations
– Electronic Commerce projected to reach $133 billion by 2004
  Wharton Forum on E-Commerce, 1999
The Reality
United States: e-commerce sales were only 1.6% of total sales – $54.9 billion in 2003.
– U.S. Dept. of Commerce Census Bureau, November 2004
Canada: Online sales were only 0.8% of total revenues – $18.6 billion in 2003.
– Statistics Canada, April 2004
– Statistics Canada, April 2003
Lack of Privacy =
Lack of Sales
“Consumer privacy apprehensions
continue to plague the Web. These
fears will hold back roughly $15
billion in e-commerce revenue.”
Forrester Research, September 2001
“Privacy and security concerns could
cost online sellers almost $25 billion
by 2006.”
Jupiter Research, May 2002
The Business Case
• “Our research shows that 80% of
our customers would walk away if
we mishandled their personal
information.”
CPO, Royal Bank of Canada, 2003
• Nearly 90% of online consumers
want the right to control how their
personal information is used after it
is collected.
ISF Highlights Damage
Done by Privacy Breaches
• The Information Security Forum reported
that a company’s privacy breaches can
cause major damage to brand and
reputation:
– 25% of companies surveyed experienced
some adverse publicity due to privacy
– 1 in 10 had experienced civil litigation, lost
business or broken contracts
– Robust privacy policies and staff training were
viewed as keys to avoiding privacy problems
The Information Security Forum, July 7, 2004
How the Public Divides on Privacy
[Bar chart, Feb 2003 (%)]
  Privacy Fundamentalists ..... 26
  Privacy Pragmatists ......... 64
  Privacy Unconcerned ......... 10
The “Privacy Dynamic” – Battle for the minds of the pragmatists — Dr. Alan Westin
It’s All About Trust
“Trust is more important than
ever online … Price does not
rule the Web … Trust does.”
Frederick F. Reichheld, Loyalty Rules:
How Today’s Leaders Build Lasting Relationships
The High Road
“When customers DO trust an online vendor, they are much more likely to share personal information. This information then enables the company to form a more intimate relationship with its customers.”
Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders Build Lasting Relationships
Lack of Trust on
the Web
“In 70% of instances where Internet
users were asked to provide
information in order to access an
online informational resource, those
users did not pursue the resource
because they thought their privacy
would be compromised.”
Narrowline Study, 1997
Trust and Privacy Policies
Fully 50% of online users said they
would leave a Web site if they were
unhappy with a company’s privacy
policy.
Customer Respect Group, February 2004 survey
Falsifying Information
on the Web
“42.1% have falsified information
at one time or another when
asked to register at a Web site.”
10th WWW User Survey, October 1998
Hot Topics
CIBC
• West Virginia scrap yard operator reported that
since 2001, his telephone system has been
deluged with confidential CIBC customer data
(e.g. SIN, account information, client signature).
• Bank acknowledges reports of the misdirected
faxes dating back to February 2002.
• Scrap yard operator filed a lawsuit against CIBC
claiming his business was ruined. CIBC filed a
court action accusing him of deliberately leaking
customer data.
Identity Theft
• The fastest growing form of consumer fraud in North America.
• Identity theft is the most frequently cited complaint received by the F.T.C. — 10 million new victims, and $50 billion in losses every year.
• According to PhoneBusters, fraud has now become one of the most pervasive forms of white-collar crime, costing Canadians $40 million since 1995.
  – November 2004 — ChoicePoint: Identity theft involving 145,000 persons.
  – December 2004 — Bank of America: 1.2 million records misplaced.
  – January 2005 — T-Mobile: Illegal access to 16.3 million records.
  – January 2005 — HSBC: 180,000 MasterCard records stolen.
  – March 2005 — LexisNexis: Identity theft involving 32,000 records.
  – March 2005 — DSW Inc: Hacker theft of 103 credit card numbers.
  – March 2005 — Boston College: Hacker theft of 120,000 alumni donor records
ChoicePoint
• A data aggregation and clearinghouse
company that maintains databases of
background information on virtually
every U.S. citizen.
• 19 billion public records in its database:
motor vehicle registrations, license and
deed transfers, military records, names,
addresses and Social Security numbers.
• ChoicePoint routinely sells dossiers to
police, lawyers, reporters and private
investigators.
ChoicePoint:
Gateway for Identity Thieves
• In a plot twist taken from a Hollywood
movie, criminals were creating false
identities to establish accounts with
ChoicePoint and then using those accounts
to commit identity theft.
• In response, ChoicePoint:
– Notified 35,000 Californians as required
by California law, SB1386.
– Will notify an additional 145,000 persons
that “unauthorized third parties” had
obtained their personal information.
• Los Angeles police believe that the actual
number of persons affected could be
500,000 or more.
ChoicePoint: Fallout and Cost
• ChoicePoint will re-screen and re-credential 17,000 customers to verify that they are legitimate businesses.
• Since early February, ChoicePoint’s stock value has dropped by more than 23%.
• February 2005, lawsuit filed by identity theft victim.
• March 2005, suspension of sales to small businesses — loss of 5% of annual revenue or $900 million.
• March 2005, class action lawsuit filed by shareholders.
Make Privacy a
Corporate Priority
• An effective privacy program needs to be
integrated into the corporate culture
• It is essential that privacy protection
become a corporate priority throughout
all levels of the organization
• Senior Management and Board of
Directors’ commitment is critical
Good Governance
and Privacy
“Privacy and Boards of Directors:
What You Don’t Know Can Hurt You”
– Guidance to corporate directors faced with
increasing responsibilities and expectation of
openness and transparency
– Privacy among the key issues that Boards of
Directors must address
– Potential risks if Directors ignore privacy
– Great benefits to be reaped if privacy included
in a company’s business plan
Privacy Diagnostic Tool
• Simple, plain-language tool (paper and e-versions)
• Free & self-administered
• Uses the CSA model code to examine an organization’s privacy management practices
• www.ipc.on.ca/PDT
Final Thought
“Anyone today who
thinks the privacy issue
has peaked is greatly
mistaken…we are in the
early stages of a
sweeping change in
attitudes that will fuel
political battles and put
once-routine business
practices under the
microscope.”
Forrester Research,
March 5, 2001
How to Contact Us
Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: [email protected]