Analysis of Corporate Privacy Practices
Presentation by Dr. Larry Ponemon
CEO, Privacy Council
Workshop on the Relationship between Privacy & Security
Carnegie-Mellon University, May 29, 2002
Proposed Agenda:
• The drivers to privacy
• The impact of 9/11 on corporate privacy compliance initiatives
• Review of corporate privacy management practices
A “Right” to Privacy?
Do You Have a Right to:
Control information collected about you and your family?
Control how that information is being used?
Have access to review your personal information?
Have the ability to change incorrect information?
How Bad Does it Get?
• Story: In Arizona, about 100 members of a retirement community were given “free” personal computers, full access to the Internet and a basic “hands-on” training program.
• Sounds too good to be true?
• The real deal is about providing significant information about yourself and your immediate family (children, grandchildren and so forth).
• So, who has the choice now? What recourse do these people have? And how about our relatives who had their privacy violated?
Fact . . .
• A recent analysis of major organizations shows that less than 24% of companies in the United States are in “reasonable” compliance with their stated Internet privacy policy.
• Far fewer companies would be able to comply with the provisions of new regulations, laws and standards around the world.
Why is Privacy a Hot Issue?
• Post 9/11 – Surveillance society
• Growing misuse of personal (sensitive) information
• Exponential growth in identity theft
• Increased regulatory oversight
• Press and media coverage
• Aggressive advocacy
Review: The “Ethical” Principles
Notice and Awareness:
Information collection practices
Usage and sharing
Choice and Consent:
Opt-in and opt-out policies and methods
Access and Accuracy:
Right to view, modify or delete relevant information
Reasonable Security:
Ensuring the integrity and protection of data
Redress and Enforcement:
Including dispute resolution mechanism
Post 9/11 Impact on Privacy and Surveillance
• Authentication has become a major focus
– Something that the company has about you, usually in the form of individuated data (mother’s maiden name)
– Something that you carry in your wallet, computer or PDA (smart card)
– Something that defines you, such as a fingerprint or facial scan (biometrics)
Better authentication reduces both privacy and security risks, but only if the credentialing process is nearly perfect.
Post 9/11 Impact on Privacy and Surveillance
• Security has become dominant over privacy
– The focus is on stopping the “bad guy” from getting inside the critical infrastructure or gaining access to assets
– Privacy rights are still important, but not at the cost of diminishing security and public safety
– New surveillance methods draw upon multiple sources of customer-centric information, creating a potential privacy blow-up if this personal information is not protected or managed properly.
Factors Increasing Post 9/11 Privacy Risks
• Growing use of personal information
• Over-reliance on new biometric and surveillance technologies (increasing misclassification risk, false positives)
• Lax controls over personal information used for surveillance
• Increased information sharing practices among organizations, without proper control or consistent application
• Limited or fragmented regulatory enforcement of privacy
• Lack of awareness, understanding or general complacency about the continued need for privacy
The New Surveillance Society
Growing concerns for most people:
• Who is watching me?
• Who is watching the watchers?
• Do individuals have a choice?
• How will surveillance data (negative data) be used and/or shared?
• What are the long-term consequences to our rights to privacy (and what are the costs to business)?
Regulations and Industry Initiatives
• Financial Services - Gramm-Leach-Bliley Act (GLBA)
• Health Care - Health Insurance Portability and Accountability Act (HIPAA)
• Children’s Online Privacy Protection Act - COPPA
• Federal Trade Commission
• EU Data Protection Directive
• New Canadian Regulations - PIPEDA
• Proposed Bills for Internet, Government and Financial Services
• Over 400 State bills (including recent legislation in Vermont)
Beyond Regulation
• Consumer concerns are costing business in terms of lost sales, market value and potential litigation
• Strong and well funded advocacy groups have major impact on corporate reputation
• Privacy concerns are not independent of national boundary and culture
• Privacy regulation is creating large demand for privacy enabling technology such as P3P
• Privacy issues create real social and ethical risk
Consequences . . .
• Many companies have become paralyzed by the proverbial privacy storm.
• Privacy advocates and regulators are quickly turning their attention to off-line companies with respect to the sale of personal (sensitive) information.
• The largest area for potential abuse concerns telephony and the wireless web, which may take years to get off the ground because of regulatory groundswells.
• But most companies are still complacent about privacy risk.
What Makes a Privacy Policy Work?
Setting the Tone of the Program
• Understanding your business and data management environment
• Focus program on identified risk areas
– Avoid the “CYA” orientation
– Avoid too much control over behavior
• Get commitment from senior executives and the Board
• Get input and buy-in from all key stakeholders
• Avoid the “one size fits all” syndrome
– Privacy policy needs to fit corporate culture
– Decentralized environment may require separate policies
• Make sure that you “walk-the-talk”
Establishing Governance
• Establish privacy leader and organizational sponsor
– Assigned the title Privacy Officer
– High-level reporting responsibility to the CEO
• Establish cross-functional committee composed of key stakeholders, including:
– Legal
– Marketing/CRM
– Human Resources
– Corporate Compliance
– Regulatory Affairs and Public Relations
– Information Technology
– Security
Writing the Policy
• Start with pledge of the CEO and Board
• Define overarching principles
• Keep sections clear and concise
• If possible, avoid legalese
• Include examples and short cases
• Explain the redress process
• Define what is meant by personal accountability
Five Typical Policy Components
• Requirements and process for fair disclosure and proper notice
• Opportunity to provide individuals with choice or consent to data capture, secondary usage and sharing
• Pledge of reasonable security and data protection efforts over all personal (private) information
• Opportunity to access personal information (and correct identified errors)
• Pledge of reasonable redress and dispute resolution process for individuals
Vetting the Privacy Policy
• Get buy-in from business unit leaders
• Hold workshops with groups of employees to determine understanding and usefulness
• Revise document based on legitimate issues and concerns raised by stakeholders
• Get final approval from the Board
• Send policy to all employees, contractors and business partners
• Think about external disclosure (on Web sites and other public venues)
Benchmark Results on Privacy Policy
Unpublished study of 181 corporations (all Fortune 1000 or Global 500 companies) containing information on their corporate ethics programs, used to determine the existence, coverage and effectiveness of program efforts on a global basis.
Corporate Privacy Policies (percent of companies):
• Less than 10 printed pages: 72%
• Identify all fair information practices: 19%
• Contain letter from the CEO or Board: 21%
• Contain examples & illustrations: 9%
• Simple, easy to read language: 8%
• Translated into multiple languages: 15%
• Section on employee privacy issues: 24%
• Explanation of redress process: 12%
Reality Check
“Most people don’t do what they believe in, they just do what’s most convenient - and then they repent.”
Source: Bob Dylan.
Privacy Management Process
What is the Privacy Management Process?
“A management process comprised of compliance programs and systems designed to motivate, measure, and monitor the organization’s privacy and data protection practices.”
The Privacy Management Process
• Process Management: including formal process for identifying privacy and information security risk and vulnerability areas within core business units
• Ongoing Monitoring: including performance-based measurement, scorecards, external verification and crisis management plan
• Training: including classroom based training, facilitated training, and e-learning programs for all employees who handle sensitive personal information
• Communications: including policies, corporate communications, employee handbooks, and compliance procedures
• Enforcement: including the formal mechanism and due process for evaluating privacy and data protection blow-ups
Building an Effective Privacy Management Process
• PMP helps to identify and reduce the most salient cases of privacy compliance and data protection risks.
• PMP helps to make policies real and meaningful to employees and other key stakeholders.
• PMP helps people to learn about their role in managing privacy and in protecting sensitive personal data within the organization.
• PMP serves as a tool to foster feedback and learning for employees and managers.
• PMP fosters climate and cultural change with respect to accountability and empowerment.
Measuring the Effectiveness of the Privacy Management Process
• Develop process performance benchmarks and guidelines that can be verified (perhaps by an independent third party).
• Use a drill-down approach to assess privacy and data protection risk at the core business process level.
• Develop performance indicators that focus on the antecedents to privacy and data protection risk.
• Use a “balanced scorecard” approach to measuring improvements and establishing accountability.
Performance Indicators for Privacy Management Process
• Objective Measures
– Existence of PMP
– Quality of policy
– Training coverage
– Compliance breaches
– Customer complaints
– Customer churn
– Litigation
• Perception Measures
– Beliefs about program
– Understanding and knowledge
– Culture toward compliance
– Consumer trust
– Reputation
– Pressure to bend the rules
What Companies are Doing Today
What Companies are Doing Today
• Privacy policy with limited training or awareness activity during rollout phase
• Governance model using cross-functional committee
• Basic education program, often using e-learning technology to disseminate information and test understanding
• Minimal downstream communication efforts
• Appointment of a high level executive as the “privacy officer”, often with unclear reporting lines
• Limited monitoring or assessment of compliance-related risks
Benchmark on Privacy Practices
Privacy Management Practices (percent of companies):
• Privacy policy: 91%
• Fully dedicated privacy officer: 25%
• Formal budget authority: 32%
• Formal training program for employees: 35%
• Due diligence process: 21%
• Formal monitoring program: 19%
• Global focus: 13%
• Formal dispute resolution process: 12%
• Use of enabling technologies: 15%
• Integration with information security team: 18%
• Employee privacy program: 20%
• Board-level involvement: 5%
Benchmark by Industry Classification
Industry Analysis (percent of companies):
• Financial Services: 55%
• Telecom/Communications: 47%
• Health Care: 13%
• Manufacturing: 11%
• Retail: 50%
Companies in each industry category scored “yes” to 4 or more benchmarks (of the 12 shown on
the previous slide).
Best Practices for Global Corporations
• Integration with information security team
• High-level reporting to the CEO with periodic reports to the Board
• Use of enabling technologies such as P3P
• Empowering local privacy managers
• Real budget authority
• Black Belt training orientation
• Redress program with real powers to investigate and enforce
• Internal monitoring of privacy program (and mock regulatory audits)
• Third-party verification
• Good quality disclosure
• Greater use of choice (such as opt-in approach for sensitive information)
• Use of insurance to mitigate privacy and data protection blow-ups
• Balanced approach to data collection for marketing and other uses
Questions & Answers
Presentation by Dr. Larry Ponemon
CEO, Privacy Council
(972) 997 4016
[email protected]