Data Privacy What the CIO and CISO Should Know

1
Data Privacy What the CIO and CISO Should Know

• The Black Hat Briefings
• Las Vegas, July 2000

Presented by Eddie Schwartz, CISSP
2
Agenda

• Whats All This About? The Privacy Landscape
• Impacts
• Responses

Disclaimer This presentation represents the
personal views of the presenter, and neither
represents the views of Nationwide nor describes
the current or intended practices of Nationwide
or its affiliates.
3
Whats This All About?

• Everything on the Web is ultimately
• about Trust
• -- Nicholas Negroponte

4
Privacy in the Last 100 Years

• There always have been invasions of our privacy
  neighbors, government, photographers, employers,
  etc. -- but it was hard work!
• Time and distance created the escape
• Today, distance is irrelevant, geography is
  history
• Are we facing an Orwellian future or some Brave
  New World order?

You have zero privacy anyway. Get over
it! Scott McNealy, CEO, Sun
5
Consumer Surveys

• 80 of consumers believe they have lost all
  control over privacy
• U.S. consumers have moderate confidence in the
  insurance industry to protect privacy- 65 for
  health, 65 for PC, and 62 for life insurance
• U.S. consumers place high value on privacy
  policies in the insurance industry- 82 for
  health, 75 for PC and 74 for life companies

We have reached a point in America where our
private lives are grotesquely public. Richard
Dreyfuss, Actor
6
Consumer Wishes

• Convenience
• Speed
• Personalization or Anonymity (at times)
• Control
• Explicit and clear privacy T/C
• Various trust and information assurance
  mechanisms
• Data differentiation

Privacy is like oxygen. We really appreciate it
only when it is gone. Charles J. Sykes, The
End of Privacy
7
Consumer Dislikes

• Complex, convoluted, unreadable privacy
  policies/notices
• Unauthorized sharing/transfer of personally
  identifiable information with 3rd parties
• Unsolicited information via e-mail, etc.
• Lots of other stuff that is intuitive to all of
  us (phone calls, junk mail, etc.)

8
Consumer Fears

• Protection of home and family
• Disclosure of medical, genetic data
• Discrimination, redlining and other bigotry
• Disclosure of indiscretions, private lives, other
  personal secrets

9
The Information Economy

• Privacy is now essential to successful e-business
  strategies
• 56 of visitors to insurance websites have
  refused to provide personal information because
  of privacy concerns (IBM/Harris Survey)
• The Federal Trade Commission has been reviewing
  website privacy practices, looking for
• Real opt-out from marketing use of data
• Real access by individuals to information about
  them
• Real enforcement, including consumer recourse and
  some form of compliance verification
• Offline regulatory protections can be expected to
  apply to online insurance and financial services

10
Basic Privacy Lexicon

• Fair Information Practice Principles
• Notice/Awareness Customers must be given notice
  before information is collected
• Choice/Consent Customers must have options on
  whether and how information is collected and used
• Security/Integrity Reasonable steps must be
  taken to assurance correctness and security
• Enforcement/Redress Compliance mechanisms and
  sanctions for violators

11
Basic Privacy Lexicon

• PII Personally Identifiable Information
• Opt-Out A company is sharing your data, you ask
  them to stop
• Opt-In A company is not sharing your data now,
  but would like to. You sign-up
• No Sharing A company does not share your data

12
Regulatory Pressures

• Gramm-Leach-Bliley
• FTC
• HIPAA
• State Regulations
• International Data Privacy Standards
• Others

13
Enforcement Pressure

• FTC Online Privacy Enforcement
• Consent decree with GeoCities over disclosures of
  subscriber data contrary to its privacy policy
• Consent decree with Liberty Financial over
  collection and use of childrens data
• State enforcement activities
• Minnesota consent decree with US Bancorp over
  sharing customer data with telemarketer,
  conflicting online and offline privacy policies
• New York consent decree with Chase over sharing
  customer data with telemarketer contrary to its
  own privacy policy

14
Enforcement Pressure

• Litigation
• First Union sues business partner over screen
  scraping and use of customer data
• Advocacy groups file multimillion dollar suite
  against an online profiler

15
Impacts

• Not content with snatching her body, Starrs
  deputies were now invading her mind. They had
  exposed her sex life and dissected her
  personality now they wanted to scrutinize her
  very soul. It was an invasion too far.
• Monicas Story, Andrew Morton

16
Lots of Potential Impact

• Regulatory/Legal
• Brand Name
• Internal Process
• Financial
• Domestic and International
• Privacy Failure Consequences

17
Regulatory

• Domestic corporations must meet online
  self-regulatory and regulatory privacy
  requirements
• Global corporations must meet international data
  protection regulations
• GLB privacy regulations affect all financial
  institution and insurance business units,
  marketing strategies, business relationships
• Health privacy affects many organizations --
  Federal financial and health information privacy
  regulations do not preempt state law- could mean
  even worse patchwork than now

18
Brand Name Protection

• A privacy failure, even a merely perceived
  failure to protect customer data, could result in
  loss of consumer trust, affect customer retention
  and cause significant damage to brand and company
  reputation- a potential disaster for a
  customer-focused business strategy
• Internet businesses are directly affected by
  e-business privacy concerns and regulatory scope
  of the GLBA
• Online privacy practices must be consistent with
  offline

19
Internal Process Impacts

• Business units, affiliates and subsidiaries will
  require updated privacy statements, assurance of
  required practices
• Privacy due diligence needed for all strategic
  marketing agreements and strategies, joint
  ventures, mergers and acquisitions
• Back-end information management practices must
  support business unit privacy policies--
  practices must be consistent with content of
  privacy notice

20
Financial

• Implementing defensible data privacy practices is
  not cheap.
• Opt-out is the most expensive
• Do not share is the cheapest
• Bank One estimates an initial cost of 55MM to
  implement the privacy provisions of GLB, and
  annual costs in the 10s of millions (Source
  Gartner Group)

21
International Impacts

• Global entities must quickly establish processes
  for international data protection regulations in
  Europe and Asia-Pacific
• Any potential data export to the U.S. by Global
  entities could be interrupted under most
  international privacy regulations
• Global corporations should consider preparing for
  a contractual solution for possible data
  transfers, or implementing practices consistent
  with Department of Commerce Safe Harbor
  Principles for its U.S. operations

22
Privacy Failure Consequences

• Irreparable damage to brand, reputation, consumer
  retention and customer-focused business strategy
• Loss of revenue and new business
• Interruption of transborder data flows,
  applicable penalties in international
  jurisdictions
• Possible federal, state enforcement actions-
  millions of dollars spent and loss of flexibility
  in marketplace to implement consent decrees,
  irreparable damage to key business initiatives
  such as eBusiness
• Litigation from consumers, privacy advocates,
  business partners
• Civil and criminal penalties for wrongful
  disclosure of protected health information

23
The Response

• They say its the price you pay for fame. But
  the price tag keeps changing, and its gotten
  worse.
• Christie Brinkley

24
The Privacy Policy

• The Privacy Policy is where you start
• Options short-sighted, or visionary
• Opt-out is short-sighted
• Opt-in is the visionary position
• Do not share is the ideal, but not a pragmatic
  business position for some companies
• The Privacy Policy should be a value-add
  proposition for customers and for companies

25
Who Clears On the Policy?

• Short Answer Everyone
• Better Answer
• CEO
• Business Units (Products and Operations)
• General Counsel
• Government Affairs
• Information Security
• I/T

26
Assess Privacy Policy Impact
Process
Corporate Privacy Policy
Organization
Technology
Compliance
Business Units
Operational Areas
27
The Work Plan Approach

• Start by getting a working group together,
  perform an assessment
• Inventory and map current privacy initiatives,
  practices, 3rd party sharing
• Identify between current information
  practices/capabilities and target policy
• Identify any international issues, particularly
  transborder data flow relationships

28
Working Group Members

• General Counsel
• Government Affairs Office
• Product and Operational Leads
• Information Security
• Information Technology
• Human Resources
• Compliance Office
• Internal Audits

29
Work Plan, Phase II

• Understanding your new policy and the current
  gaps, develop a compliance strategy and an
  project plan that will mitigate these risk areas
• Process
• Organization
• Technology
• Compliance

30
Monitor Progress Closely

• Appoint a Privacy Officer
• Put someone in charge of the entire effort --
  hold them accountable, but give them some help
• Use a common reporting tool
• Track high risk areas
• Report to a central location
• There are many similarities the way Y2K projects
  were handled -- use that experience

31
Work Plan, Phase III

• Execute the Phase II Plans and Roadmap --
  Actually close the gaps
• Revise business processes, operational scripts,
  disclosures, etc.
• Change systems, databases, web sites
• Training get ready to handle customer service
  aspect
• Document everything carefully

32
Do the Security Work

• Guidelines
• GLB Section 501(b) and recent FTC Advisory
  Committee on Online Access and Security Drafts
• HIPAA/HHS Requirements
• International Requirements (e.g., EU Data
  Protection Directive 95/46/EC)
• More Information in Additional Slides

33
Security Bottom Line

• The statutes are somewhat vague -- basically, you
  have to have a real security program in place
• You need to meet a demonstrable standard of due
  care
• If you dont already have support for your
  security program, add this fuel to the fire

34
Other Good Due Care Practices

• Get serious about data classification and
  security certification of applications
• Build Data Privacy compliance into due diligence
  and standard certification and marketing
  processes
• Use a QA process (SSE-CMM)
• Conduct audits once a compliance program is
  established

35
Other Good Due Care Practices

• Typical security general controls, but the
  privacy issue lends more urgency
• Require employees to sign confidentiality
  agreements
• Maintain warning banners on application systems
• Consider the value of 3rd party assurance
  (TrustE, Better Web, CPA Web Trust, etc.)

36
Privacy Assurance Expectations

• ISO-type standards for certification of data
  privacy standards by 2002/3
• Incorporation of Data Privacy Process Areas into
  the SSE-CMM
• Privacy brokers and other electronic
  intermediaries
• Third party assurance will become the norm
  especially for B2B relationships

37
Training

• Deliver staff training on the issue
• Legal and ethical requirements no one can
  opt-out!
• Solicit feedback
• Management involvement and clear sponsorship

38
Privacy Technology Landscape

• P3P
• Customer Life-Cycle Management
• Anonymizer (et al)
• One-Off Solutions
• Cookie Pal
• SiegeSurfer
• WindowsWasher

39
Words to the Wise

• Define roles and responsibilities up-front
• Dont underestimate the work involved and the
  associated costs and time to complete
• Use formal approaches for gap analysis, risk
  assessment, planning, and risk mitigation
• Its time for management (especially I/T) to get
  serious about security
• Budget, budget, budget
• Training

40
Some Good Books

• The Transparent Society, David Brin, ISBN
  020132802X
• The Unwanted Gaze, Jeffrey Rosen, ISBN
  0679445463
• The Hundredth Window Protecting Your Privacy
  and Security in the Age of the Internet, Charles
  Jennings, Lori Fena, ISBN 068483944X
• For the Record Protecting Electronic Health
  Information, Computer Science and
  Telecommunications Board, ISBN 0309056977
• 1984, George Orwell, ISBN 0451524934
• Brave New World, Aldous Huxley, ISBN 0060929871

41
A Few of Many Privacy Links

• Regulatory
• GLBhttp//www.bog.frb.fed.us/BoardDocs/Press/Boar
  dActs/2000/20000621
• FTChttp//www.ftc.gov/acoas/papers/finalreport.ht
  m
• HIPAAhttp//aspe.hhs.gov/admnsimp/
• EUhttp//europa.eu.int/eur-lex/en/lif/dat/1995/en
  _395L0046.html
• General Info
• http//www.privacyexchange.org
• http//www.epic.org
• http//www.privacyplace.com
• http//www.eff.org
• http//www.leglnet.com/libr-priv.htm
• http//www.privacyalliance.org
• http//www.healthcaresecurity.org

42
More Links

• Technology and Services
• http//www.w3.org/P3P/
• http//www.pwcglobal.com/Extweb/service.nsf/docid/
  CCA86E5E9DF78C37852567A0006520E4
• http//www.ibm.com/services/e-business/security.ht
  ml
• http//www.truste.com
• http//www.junkbusters.com/
• http//www.anonymizer.com/index.shtml
• http//www.siegesoft.com/products.shtml
• http//www.kburra.com/cpal.html
• http//www.privacyright.com

43
Questions?

• eddie_schwartz_at_nationwide.com

44
Additional Slides

• Regulatory Details (4 slides)
• Security Requirements of GLB, FTC, HIPAA, and EU
  (3 slides)

45
Gramm-Leach-Bliley (S.900)

• GLB Regulates privacy practices of financial
  institutions, including insurers
• Requires institutions to have privacy policies
  and to disclose privacy and fair information
  practices
• Requires institutions to provide notice and
  opt-out opportunity to individuals before sharing
  their personal data for marketing purposes with
  nonaffiliated third parties
• Prohibits sharing account identifying information
  with nonaffiliated third parties for marketing
  purposes
• Joint marketing agreements must require
  compliance by both parties
• Does not preempt stronger state laws - states are
  already moving to adopt stronger regulations

46
International Regulatory Space

• Global standards for privacy and fair information
  practices are being set
• The Organization for Economic Cooperation and
  Development (OECD) Guidelines on the Protection
  of Privacy and Transborder Flows of Personal Data
• The European Union Data Protection Directive-
  sets legislative floor for data protection laws
  in EU member states
• Other non EU member states (e.g. Poland) have
  created similar regulation
• Hong Kong has established its Personal Data
  (Privacy) Ordinance
• Data protection activity is emerging in Australia
  Japan, Latin America, Canada and other
  jurisdictions

47
State Regulatory Activities

• Recent activity in 17 states includes
• Requiring opt-in for sharing name, address or
  phone number (New Hampshire)
• Requiring opt-in before financial services share
  customer data (Massachusetts)
• Private right of action against companies that
  sell personal data (Utah)
• Restricting disclosure of personal data without
  consent or opt-in (California)

48
HIPAA

• Mandated compliance
• Establishes privacy rights, including notice of
  information practices, access and correction, and
  to an accounting of disclosures
• Requires covered entities to maintain
  administrative and security safeguards to protect
  data
• Requires written individual authorization for
  data sharing for purposes not related to
  providing treatment or payment for treatment
• Requires covered entities to create a privacy
  office and document compliance procedures
• Does not preempt stronger state laws

49
GLB and FTC Requirements

• GLB
• Identify and assess risks that may threaten
  customer information
• Develop a written plan containing policies and
  procedures
• Implement and test the plan
• Adjust the plan on a continuing basis

• FTC
• Web sites should maintain a security program that
  applies to personal data it holds
• The elements of the security program should be
  specified
• The security program should be appropriate to the
  circumstances.

50
HIPAA

• Organizations must protect information against
  deliberate or inadvertent misuse or disclosure.
• Organizations must establish clear procedures to
  protect patients' privacy
• Organizations must designate an official to
  monitor that system and notify their patients
  about their privacy protection practices.

51
EU Data Protection Directive

• The controller must implement appropriate
  technical and organizational measures to protect
  personal data against accidental or unlawful
  destruction or accidental loss, alteration,
  unauthorized disclosure or access
• Having regard to the state of the art and the
  cost of their implementation, such measures shall
  ensure a level of security appropriate to the
  risks represented by the processing and the
  nature of the data to be protected.