4th Annual Enterprise Security Asia Conference
February 2007, Kuala Lumpur, Malaysia

Bright Ideas on Business Privacy
Stephen Cobb, CISSP
Cobb Associates
cobbassociates.com Copyright 2007 Stephen Cobb Slide 2 of 13

The Privacy Meter: What's Your Privacy Rating?

Open
–Don't ever care who has access to their personal data
–Will share most of their data most of the time
–May share some of their data sometimes
–Want tight controls over their personal data at all times
Closed

(Note: There is no "correct" rating)
Personally Identifiable Information

Information that relates to an individual who can be identified, directly or indirectly, from the data, particularly by reference to an identification number or aspects of his or her physical, mental, economic, cultural, or social identity.

Which one or two of the following are your greatest concerns over the next century?
–Loss of privacy 29%
–Overpopulation 23%
–Terrorist acts 23%
–Racial tensions 17%
–World War 16%
–Global warming 14%
–Economic depression 13%
NBC News/WSJ - Sept. 1999
The Privacy Challenge

Remember when cars were the greatest thing?
–Then came smog, the oil crisis, etc.
Remember when computers were the greatest?
–Then came security holes and the privacy crisis
Amount of information computerized in the last 10 years is staggering, and connectivity has exploded
Not everyone is happy with all the uses to which those data have been put, particularly the way some companies have used PII
–personally identifiable information
Privacy Was Front Page News Before 9/11
Privacy Concerns Are Clearly Increasing

Fundamentalists want more privacy rules. Pragmatists favor self-regulation.
Survey of 1500 consumers by Privacy and American Business
Eli Lilly Case

As part of prozac.com, individual email reminders to 700 people who used their reminder service
Lilly discontinued the service and notice was sent to the entire list, using "cc" and not "bcc", thus revealing addresses of recipients to all
FTC investigated as an "unfair or deceptive trade practice" because customers had been led to believe that their identities would be kept secret.
Incident was not "intentional" but occurred because of a lack of privacy awareness and poor security practices in the programming department
Settlement requires 10 years of FTC oversight and annual security review by a third party (CISSP)
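The Eli Lilly incident above is a programming mistake, so it helps to see what the safe and unsafe versions of that discontinuation notice look like in code. The following is an added example, not code from the presentation or from Eli Lilly: it builds the same notice both ways and adds a pre-send guard that rejects any message exposing more than one recipient address. The sender and subscriber addresses are constructed for the example.

```python
"""Added example, not from the presentation: two ways to send the same
bulk notice and a pre-send guard that catches the pattern behind the
Eli Lilly incident (the recipient list placed in Cc). All addresses
below are constructed."""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "reminders@example.com"          # constructed sender address
SUBSCRIBERS = [                            # constructed subscriber list
    "alice@example.org",
    "bob@example.net",
    "carol@example.com",
]


def build_leaky_notice(subscribers, subject, body):
    """The failure mode from the case: one message with every subscriber
    in Cc, so each recipient learns who else used the service."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(subscribers)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_notices(subscribers, subject, body):
    """Safer design: one message per subscriber, each with a single
    address in To and no Cc header at all."""
    notices = []
    for addr in subscribers:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        notices.append(msg)
    return notices


def visible_recipients(msg):
    """Addresses that every recipient of this message can read: the To
    and Cc headers. Bcc is deliberately not counted, because a correctly
    behaving mail submission agent strips it before delivery."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers)]


def check_no_disclosure(msg):
    """Pre-send guard: a notice may expose at most one recipient address
    other than the sender's own. Returns True when the message is safe."""
    others = [a for a in visible_recipients(msg) if a != SENDER]
    return len(others) <= 1


if __name__ == "__main__":
    leaky = build_leaky_notice(SUBSCRIBERS, "Service discontinued", "...")
    print("leaky notice passes guard:", check_no_disclosure(leaky))
    for n in build_individual_notices(SUBSCRIBERS, "Service discontinued", "..."):
        print(n["To"], "passes guard:", check_no_disclosure(n))
```

The guard belongs in the sending path of any system that mails a list, so that a developer cannot ship a multi-recipient Cc by accident; a Bcc-based variant would also pass it, since only To and Cc are visible to recipients.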
Cost of "A Privacy Blowout" - Forrester Research, Feb 2001 Report (www.forrester.com)
Millions of Dollars Are at Stake

In 2006, data breaches cost an average of $182 per compromised record - Ponemon Institute
Royal Bank of Canada calculated shareholder value of consumer and retail business at $9 billion
RBC took a privacy-positive stance, re-engineered its IT systems to track customer privacy preferences, respected by all bank departments and affiliates
RBC determined that privacy drives 7% of demand for the bank's consumer/retail business
That values privacy at $630 million!
Seven basic privacy principles

1. Notice: Organizations must notify individuals about the purposes for which they collect and use information about them.
2. Choice: Organizations must give individuals the opportunity to choose (opt out).
3. Onward Transfer (Transfers to Third Parties): To disclose information to a third party, organizations must apply the notice and choice principles.
4. Access: Individuals must have access to personal information... and be able to correct, amend, or delete that information where it is inaccurate.
Seven basic privacy principles

5. Security: reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
6. Data integrity: data must be relevant for the purposes used... and reliable for its intended use, accurate, complete, and current.
7. Enforcement: to ensure compliance, there must be (a) readily available and affordable independent recourse mechanisms; (b) procedures for verifying that the commitments to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles.
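The RBC slide describes a system that tracks customer privacy preferences and is respected by every department, and the Notice, Choice, Onward Transfer, Access and Enforcement principles above describe what such a system has to decide. The following is an added example, not code from the presentation or from RBC: a minimal preference registry that every department consults before using or disclosing a record, defaulting to deny and logging each decision. The purpose categories, field names, method names and the sample customer id are assumptions made for the example.

```python
"""Added example, not from the presentation or from RBC: a minimal
customer privacy preference registry that all departments consult before
using or disclosing a record. Purposes, field names and the sample
customer are assumptions made for the example."""
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    SERVICE = "service"          # fulfilling what the customer asked for
    MARKETING = "marketing"      # Choice: the customer may opt out
    THIRD_PARTY = "third_party"  # Onward Transfer: needs notice and choice


@dataclass
class PrivacyRecord:
    customer_id: str
    notified: set                                  # purposes disclosed (Notice)
    opted_out: set = field(default_factory=set)    # purposes declined (Choice)


class PreferenceRegistry:
    """Single source of truth for privacy preferences, shared by every
    department. Decisions default to deny and are logged (Enforcement)."""

    def __init__(self):
        self._records = {}
        self.audit = []   # (customer_id, department, purpose, allowed, reason)

    def register(self, record):
        self._records[record.customer_id] = record

    def opt_out(self, customer_id, purpose):
        """Choice principle: the customer withdraws a purpose."""
        self._records[customer_id].opted_out.add(purpose)

    def erase(self, customer_id):
        """Access principle: the customer has the record deleted; every
        later decision for this customer then falls back to deny."""
        self._records.pop(customer_id, None)

    def decide(self, customer_id, purpose, department):
        """Return (allowed, reason). Unknown customers, purposes never
        disclosed in a notice, and opted-out purposes are all denied."""
        record = self._records.get(customer_id)
        if record is None:
            allowed, reason = False, "no privacy record on file"
        elif purpose not in record.notified:
            allowed, reason = False, "purpose was never notified to customer"
        elif purpose in record.opted_out:
            allowed, reason = False, "customer opted out of this purpose"
        else:
            allowed, reason = True, "permitted"
        self.audit.append((customer_id, department, purpose, allowed, reason))
        return allowed, reason


if __name__ == "__main__":
    reg = PreferenceRegistry()
    reg.register(PrivacyRecord("c-1001", {Purpose.SERVICE, Purpose.MARKETING}))
    print(reg.decide("c-1001", Purpose.SERVICE, "retail"))
    print(reg.decide("c-1001", Purpose.THIRD_PARTY, "affiliate"))
    reg.opt_out("c-1001", Purpose.MARKETING)
    print(reg.decide("c-1001", Purpose.MARKETING, "marketing"))
    for entry in reg.audit:
        print(entry)
```

The point of routing every department through one `decide` call is that marketing, affiliates and product teams cannot each keep their own copy of what the customer agreed to; the audit list is what an independent reviewer would inspect under the Enforcement principle.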
3-step privacy program

Target
–Find current privacy exposures and prioritize
–Talk to department heads, map data flows, ask questions, especially of marketing
Treat
–Make necessary changes and then institute policies and procedures to prevent recurrence
Train
–Make sure everyone understands the importance of privacy, especially anyone who touches PII
–This goes a lot further than customer service, e.g. contracts, programming, product development
Thank you!

Stephen Cobb
cobbassociates.com
sc at cobbassociates dot com