Looking Ahead: Privacy, Laws, Technology - PowerPoint PPT Presentation

Provided by: jtrevor
Slides: 55

Transcript and Presenter's Notes
1
Looking Ahead: Privacy, Laws, Technology
  • J. Trevor Hughes
  • International Association of Privacy
    Professionals

2
Emerging Regulatory Issues
  • Privacy
      • ID Theft
      • SSNs
      • Spam
      • Telemarketing
      • GLBA
      • FCRA
      • HIPAA
      • Patriot Act
  • Security
      • The Ugly Stepchild
  • A Look Ahead
      • Emerging Technology
      • Biometrics
      • Data Fluidity
      • Data Aggregation

3
The Privacy Strata
[Diagram: The Privacy Strata, with layers labelled Technology Standards; Self Regulatory Standards; US Government (SSNs, GLB, HIPAA); The States (Legislatures, DOIs and AGs); The Rest of the World (Europe, Canada).]
4
Show me the harm...
Harm to Public
5
Identity Theft
  • FTC Complaints
      • 2000: 31,000
      • 2001: 86,000
      • 2002: 162,000
  • Top consumer fraud complaint in 2002
  • 30% growth predicted going forward
  • Average impact
      • $1,500
      • 175 hours of clean-up
      • credit disruptions
  • 42% of complaints involve credit card fraud

Identity theft coverage now available
6
Social Security Numbers
  • California
      • Correspondence to residential addresses cannot
        include a SSN
      • (Simitian bill) employers cannot use SSNs for
        purposes other than taxes
  • Feds
      • Proposals to limit use as college ID
  • Looking ahead
      • Restrictions on the use of SSNs as internal
        identifiers
      • May be used for verification of identity,
        accessing medical files and credit reports
      • May not be used as an account number

7
SPAM
  • Hotmail: 80% unsolicited bulk email
  • 31 billion per day (2002)
  • 60 billion per day (2006)
  • Dial-up concerns (EU local call problems)
  • Work productivity/liability concerns
  • Deliverability concerns
  • Channel viability concerns (the 900 phenomenon)

8
Killing the Killer App?
  • Legal Responses
      • 26 states with anti-spam legislation
      • CAN-SPAM Act in Senate
      • Commerce/Judiciary efforts in House
      • EU opt-in requirements
  • Tech Responses
      • Blacklists
      • Filtering by ISPs
      • Solution providers
          • Habeas
          • Trusted Sender
          • IronPort
          • Brightmail

Aggressive filtering results in false
positives (legitimate email being blocked)
10
The Value of Email
[Diagram: email ranked by value to recipient, from Relational Messages (transactional, personal, paid service, permission-based non-marketing) through Permission Retention and Permission Acquisition down to Spam.]
11
ISPs and False Positives
[Chart: Average Non-Delivery for Top ISPs: 15%. NetZero 27%, Yahoo 22%, AOL 18%, Compuserve 14%, Hotmail 8%; Mall.com, MSN, USA.net, Earthlink and BellSouth are also plotted.]
Source: Assurance Systems, Feb. 2003
12
Employee Privacy
  • Blurring of work/home boundaries
  • 30% of ecommerce sales generated from the
    workplace
  • Extensive use of company email for personal use
  • Issue: employer monitoring?
  • European v. US approaches

13
Telemarketing
  • The must-have legislation for every
    up-and-coming AG
  • TCPA allows for single-vendor opt-out
  • FTC's gift to consumers: a national do-not-call
    registry (just signed)
  • Telemarketing will diminish as a sales vehicle

14
Fair Credit Reporting Act
  • Reauthorization in 2003
  • Big issues
      • Expand consumer privacy protections?
      • Sunset state preemption?
          • NAAG says YES!
          • Business community says please, no!
  • For insurers: beware of scope creep in FCRA
    reauthorization (Sen. Shelby: GLBA did not go
    far enough; wants opt-in for third-party
    transfers)

15
Layered Privacy Notices
16
The Technology Policy Machine
[Cycle diagram: new, little understood technology is introduced; a policy and standards vacuum follows; self regulation, new technology and education create trust.]
17
Cookies
  • Small strings of code written to a special file
    on your hard drive
  • Usually anonymous, may be associated with PII

19
The NAI Principles
  • Members will:
      • Never profile on sensitive data (financial,
        medical, sexual)
  • For PII
      • Never merge PII with previously collected
        clickstream without affirmative consent
      • Provide consumers with robust notice and choice
        (opt-out) for the merger of PII with prospective
        clickstream
  • For Non-PII
      • Provide clear and conspicuous notice and choice
        (opt-out)

21
P3P with Cookie Management
[Diagram: the BROWSER holds a P3P Setting; the WEB SITE sends a P3P HEADER; the two form a P3P Agreement, after which cookies are set.]
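The browser and web-site exchange in the diagram above, as an added example that is not part of the original slides: a small Python model in which the browser parses the site's P3P compact-policy header and applies the user's P3P setting before keeping the cookie. The three-level setting and the acceptance rule are simplified assumptions rather than any real browser's exact logic, and the sample response headers are constructed.

```python
import re

# Constructed sample responses (not from the slides): site_a declares NID, site_b
# collects contact data and tailors on it without opt-in, site_c has no P3P header.
SAMPLE_RESPONSES = {
    "site_a": {"P3P": 'CP="NOI DSP COR NID CURa ADMa DEVa OUR IND"', "Set-Cookie": "sid=abc123; Path=/"},
    "site_b": {"P3P": 'CP="NOI DSP COR PHY ONL CURa TAIa OUR BUS"', "Set-Cookie": "track=xyz; Path=/"},
    "site_c": {"Set-Cookie": "nop3p=1; Path=/"},
}

# Subset of P3P 1.0 compact-policy tokens used by the simplified rule below.
IDENTIFIABLE_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}
SECONDARY_PURPOSES = {"TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
THIRD_PARTY_RECIPIENTS = {"DEL", "SAM", "UNR", "PUB", "OTR"}

def parse_compact_policy(header_value):
    """Return the CP="..." token list from a P3P header, or None if absent/malformed."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', header_value or "")
    return match.group(1).split() if match else None

def evaluate_policy(tokens, setting):
    """Apply the browser's P3P setting to the site's tokens -> (accepted, reason).
    'setting' is an assumed three-level control standing in for the slide's P3P
    Setting; the require_policy rule is a simplification, not a real browser's."""
    if setting == "accept_all":
        return True, "setting accepts all cookies"
    if setting == "block_all":
        return False, "setting blocks all cookies"
    if setting != "require_policy":
        raise ValueError("unknown P3P setting: %r" % setting)
    if not tokens:
        return False, "no compact policy sent"
    if "NID" in tokens or not (IDENTIFIABLE_CATEGORIES & set(tokens)):
        return True, "no identifiable data declared"
    for token in tokens:  # purpose suffix: a = always, i = opt-in, o = opt-out
        base, suffix = token[:3], token[3:]
        if base in SECONDARY_PURPOSES and suffix != "i":
            return False, "identifiable data used for %s without opt-in" % base
    shared = THIRD_PARTY_RECIPIENTS & set(tokens)
    if shared:
        return False, "identifiable data shared with " + ", ".join(sorted(shared))
    return True, "policy satisfies setting"

def handle_response(headers, setting):
    """Browser side of the exchange: read the P3P header, then rule on Set-Cookie."""
    accepted, reason = evaluate_policy(parse_compact_policy(headers.get("P3P")), setting)
    return (headers.get("Set-Cookie") if accepted else None), reason
```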
26
If Richard Smith Says it is Okay, it MUST Be
Okay...
  • "My first reaction was, 'Oh, they're terrible!'
    Over the last year and a half as I've looked at
    the Internet and how it works, it would be very
    difficult to have the Internet without them
    (cookies)."
  • NY Times, Sept. 4, 2001

27
Security
  • The Ugly Stepchild of Privacy

32
Security
  • Security Audit
      • Quickest, easiest way to get a snapshot of your
        security issues
  • Develop a Security Portfolio
      • Internet/Acceptable use policies
      • E-mail policies
      • Remote access policies
      • Special access policies
      • Data protection policies
      • Firewall management policies
  • Cost-sensitive, appropriate architecture
  • Reassess, Audit, Revise

Defense In Depth!
33
Security
  • Protect Internally and Externally
      • IIS Survey (2000): 68% of attacks are internal
  • Protect Network AND Data
      • Data is usually the target of an attack, not the
        network

36
Security What to do?
  • Standards Emerge!
      • Data encryption to the column level
      • Role-based access control to the row level
      • Role-based access for DBAs
      • Transaction auditability
  • Pay now, or Pay Later!

37
A look ahead...
38
Emerging Dynamics
  • Data Fluidity
  • Personalization
  • Persistent Surveillance
  • Biometrics
  • Data Aggregation
  • Targeted messaging
  • Geo Privacy

39
Data Friction and Fluidity
[Diagram: a data velocity axis running from friction to fluidity, with Stone Tablets, Paper, the Printing Press and Digital Data placed in that order.]
40
Personalization
  • As data becomes more fluid, personal targeting
    becomes possible
  • Privacy issues prevail
  • .NET (Microsoft), Liberty Alliance (Sun)
  • Never entering your name, password, address and
    credit card again
  • Do we really want this?
  • The rise of GUIDs

42
Personalization Today
  • Hello John Anderton...

44
Data Fluidity for Healthcare
  • Smart Cards
  • Genome
  • Entire Medical Record
  • HIPAA code sets
  • CRM across all lines/interaction points
  • Single interface solutions for customers

45
Biometrics Everywhere
  • Biometric Attestations
  • Faceprints, eyeprints, fingerprints, hand
    geometry, voice recognition, vein patterns, gait
    recognition, odor...

46
Face Recognition
  • 2001 Superbowl
  • Airports
  • Urban hot spots
  • Business campus

47
Iris/Fingerprint Recognition
  • Airports (Vancouver and Toronto)
  • Signatures
  • High security buildings

48
Persistent Surveillance
  • He's been idented on the Metro...

49
Data Aggregation
[Diagram: Data Aggregation, with elements labelled Data Silos, Aggregation, Derivative Data, Meta Data, Inferred Data, Core Data, and Personalization and Velocity.]
51
Geo Privacy
  • e911
  • Geo Targeted Wireless Services
  • Smell that coffee? Come in for a cup!

52
Lessons to be Learned
  • Data Becomes Much More Fluid
  • Data Management Becomes Much More Difficult
  • Data Moves More Quickly
  • Smart Companies will Harness the Power of Data
    Fluidity to Reduce Costs and Improve Their Value
    Propositions

53
  • The International Association of Privacy
    Professionals is the nation's leading association
    for privacy and security professionals. It helps
    its members build and maintain privacy programs
    while effectively navigating rapidly changing
    regulatory and legal environments.
  • Mission of IAPP
      • To promote privacy programs and safeguards:
        their introduction, development and maintenance.
      • To provide a forum for interaction and
        information exchange for our members.
      • To create high quality educational opportunities
        for those involved with privacy issues.

Phone: 800-266-6501
www.privacyassociation.org
information@privacyassociation.org
54
  • THANKS!
  • J. Trevor Hughes
  • jthughes@maine.rr.com
  • 207 351 1500