Data Privacy and Security Prof Sunil Wattal

Consumer Analytics  Analytics with consumer data to derive meaningful insights on actions and behaviors of consumers  Generally with the intention to offer products and services in a targeted manner.

What could be wrong with that:  Target  Doubleclick  Facebook Beacon

 The dark side of data analytics

 List instances of information about you being collected and stored

Invisible Information Gathering  Examples:  800- or 900-number calls.  Loyalty cards.  Web-tracking data; cookies.  Warranty cards.  Purchasing records.  Membership lists.  Web activity.  Change-of-address forms.  GPS  Cell Phones  Smart Phones

Using Consumer Information  Data Mining & Targeted Marketing  Trading/buying customer lists.  Telemarketing.  Data Mining.  Mass-marketing.  Web ads.  Spam (unsolicited ).  Credit Records

Privacy What is privacy?  Freedom from intrusion (being left alone)  Control of information about oneself  Freedom from surveillance (being tracked, followed, watched)

Why are some things free?  If a service does not charge you money, then you are paying in other ways  Marketing and Advertising  Privacy  Facebook has 1 Billion monthly active users  Revenues for Q2’12: $1.18 Billion, 84% from ads  Linkedin Marketing Solutions: $63.1 Million  Twitter uses Promoted Tweets based on you

Consumer Protection  Costly and disruptive results of errors in databases  Ease with which personal information leaks out  Consumers need protection from their own lack of knowledge, judgment, or interest  Uses of personal information  Secondary Use  Using information for a purpose other than the one for which it was obtained. A few examples:  Sale (or trade) of consumer information to other businesses.  Credit check by a prospective employer.  Government agency use of consumer database.

Privacy Policies  Have you seen opt-in and opt-out choices? Where? How were they worded?  Were any of them deceptive?  What are some common elements of privacy policies you have read?

Self Regulation What are the roles of formal laws vs. free operation of the market? Supporters of self-regulation stress the private sector’s ability to identify and resolve problems. Critics argue that incentives for self-regulation are insufficiently compelling and true deterrence will not be achieved.

Analytics with global data Privacy Regulations in the European Union (EU):  Privacy is a fundamental right  Data Protection Directive  In Europe, there are strict rules about what companies can and can't do in terms of collecting, using, disclosing and storing personal information.  Governments are pushing to make the regulations even stronger.

EU Privacy Laws  Personal information cannot be collected without consumers’ permission, and they have the right to review the data and correct inaccuracies.  Companies that process data must register their activities with the government.  Employers cannot read workers’ private .  Personal information cannot be shared by companies or across borders without express permission from the data subject.  Checkout clerks cannot ask for shoppers’ phone numbers.

Data Security

Stolen and Lost Data  Hackers  Physical theft (laptops, thumb-drives, etc.)  Requesting information under false pretenses  Bribery of employees who have access  Have you heard of Thumbsucking??

 Furious Constituents  Negative Publicity  Tarnished Reputation  Public Embarrassment  Investigations  Lawsuits, Fines and Penalties  Financial Losses  Waste of Valuable Resources Implications for companies

Examples

Availability  Data needs to be available at all necessary times  Data needs to be available to only the appropriate users  Need to be able to track who has access to and who has accessed what data

Authenticity  Need to ensure that the data has been edited by an authorized source  Need to confirm that users accessing the system are who they say they are  Need to verify that all report requests are from authorized users  Need to verify that any outbound data is going to the expected receiver

Integrity  Need to verify that any external data has the correct formatting and other metadata  Need to verify that all input data is accurate and verifiable  Need to ensure that data is following the correct work flow rules for your institution/corporation  Need to be able to report on all data changes and who authored them to ensure compliance with corporate rules and privacy laws.

Confidentiality  Need to ensure that confidential data is only available to correct people  Need to ensure that entire database is security from external and internal system breaches  Need to provide for reporting on who has accessed what data and what they have done with it  Mission critical and Legal sensitive data must be highly security at the potential risk of lost business and litigation

 Implement Technological Solutions  Adopt “Soft” IT Security Approaches  Change the Corporate Culture  Can you think examples of these practices at Temple or elsewhere Approaches to Data Security

Next steps  Inclass Exercises