Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cobbassociates.com Copyright, 2002, Stephen Cobb Privacy for Business "Privacy: the Biggest IT Challenge Yet?" Stephen Cobb, CISSP Senior Vice President.

Published byKelly Gilbert Modified over 9 years ago

Similar presentations

Presentation on theme: "Cobbassociates.com Copyright, 2002, Stephen Cobb Privacy for Business "Privacy: the Biggest IT Challenge Yet?" Stephen Cobb, CISSP Senior Vice President."— Presentation transcript:

1 cobbassociates.com Copyright, 2002, Stephen Cobb Privacy for Business "Privacy: the Biggest IT Challenge Yet?" Stephen Cobb, CISSP Senior Vice President Research & Education The Learning Center at Miami Valley Research Park Greater Dayton IT Alliance Breakfast Forum, 9/18/02

2 ©Stephen Cobb, 2003 www.cobbassociates.comPage 2 of 19 Privacy for Business Agenda The privacy challenge—how we got here Privacy imperatives—what you have to do COPPA, FTCA, HIPAA, GLB, Torts, AGs “No New Privacy Laws” = more FTC privacy prosecutions? What happens when companies make privacy mistakes? Eli Lilly, Ziff Davis, Microsoft, Doubleclick, Eckerd Drug 4 Way Privacy Pressure = 4 X Privacy Risk 3-step privacy program: Target, Treat, Train The Chief Privacy Officer and the Privacy Team The IT challenge and the Privacy Pay-off Sources of assistance

3 ©Stephen Cobb, 2003 www.cobbassociates.comPage 3 of 19 The Privacy Challenge — How We Got Here Remember when cars were the greatest thing? – Then came smog, the oil crisis, etc. Remember when computers were the greatest? – Then came security holes and the privacy crisis Amount of information computerized in last 5 years is staggering, and connectivity has exploded Not everyone is happy with all the uses to which those data have been put, particularly the way some companies have used personally identifiable information (PII) for marketing purposes

4 ©Stephen Cobb, 2003 www.cobbassociates.comPage 4 of 19 Privacy Concerns Are Clearly Increasing Fundamentalists want more privacy rules. Pragmatists favor self- regulation. Survey of 1500 consumers by Privacy and American Business

5 ©Stephen Cobb, 2003 www.cobbassociates.comPage 5 of 19 Privacy Was Front Page News Before 9/11

6 ©Stephen Cobb, 2003 www.cobbassociates.comPage 6 of 19 Business Has Responded, But Slowly So far only 51% of companies privacy policies, even though 97% have Web sites and 53% use those sites for e-commerce – Weak sectors (retail, healthcare, manufacturing) – Stronger sector (banking, transportation) Computer Economics Institute, March 2002 Barely half of companies post privacy notices on their Web sites 60% don’t monitor their Web sites to make sure they deliver the privacy that’s promised Watchfire/PWC

7 ©Stephen Cobb, 2003 www.cobbassociates.comPage 7 of 19 Privacy Imperatives: What You Have to Do The Laws: – COPPA (kids on the Web) – HIPAA (covers a lot of health care organizations) – G-L-B (covers many finance-related companies) – FTCA? FTC’s mandate to act on “deceptive practices” Torts—Established right of private privacy action – Yesterday Tammy, today Prozac in the mail box – Class action privacy lawsuits are on the increase States Attorneys General—No downside for them – New York AG Spitzer particularly aggressive

8 ©Stephen Cobb, 2003 www.cobbassociates.comPage 8 of 19 “No New Privacy Laws” = Many More Cases Familiar argument: We don’t need any more laws, we need enforcement of existing laws So the FTC is enforcing the law against “deceptive business practices” For example, if you promise consumers you will protect their PII but PII is exposed, you deceived consumers and sought unfair advantage See: Microsoft Passport case, Eli Lilly case, etc. Note that breaking of promises does not need to be intentional to be judged deceptive

9 ©Stephen Cobb, 2003 www.cobbassociates.comPage 9 of 19 When Companies Make Privacy Mistakes Eli Lilly – Prozac email incident, FTC settlement, states Microsoft Passport – FTC settlement, like Lilly, lasts 20 years – Fines if broken ($11K per incident) DoubleClick – Class action, FTC, $400K states Ziff Davis – Exposed credit cards on Web, identity theft resulted, $125K states Eckerd Drug – Prescription drug signature sheets used as permission to market to patients—settled with Florida AG at a cost of $1 million (endows a university chair in Ethics) Consider the Fallout: Stock price takes a hit Press goes negative Brand tarnished Resources diverted Opportunity costs mount (e.g. Marketing Lobbying

10 ©Stephen Cobb, 2003 www.cobbassociates.comPage 10 of 19 4 Way Privacy Pressure 4 X Privacy Risk Compliance FTC State AGs Civil Suits 4 Way Privacy Pressure = 4 X Privacy Risk

11 ©Stephen Cobb, 2003 www.cobbassociates.comPage 11 of 19 3-step privacy program: Target, Treat, Train Target – Find current privacy exposures and prioritize – (Talk to department heads, map data flows, ask questions, especially of marketing) Treat – Make necessary changes and then institute policies and procedures to prevent recurrence Train – Make sure everyone understands the importance of privacy, especially anyone who touches PII – (This goes a lot further than customer service, e.g. contracts, programming, product development)

12 ©Stephen Cobb, 2003 www.cobbassociates.comPage 12 of 19 Privacy Incident Cost Containment Model Identify biggest risk in key areas of the business Fix these first Move on to the lesser risks While developing policy, procedures, training Faster, cheaper risk reduction than “assess-then-amend” Time Risk PICC Assess/Amend

13 ©Stephen Cobb, 2003 www.cobbassociates.comPage 13 of 19 Training for All Employees Who Touch PII Web-based training is very cost- effective

14 ©Stephen Cobb, 2003 www.cobbassociates.comPage 14 of 19 General and Compliance Courses Third-party endorsed training is good due diligence

15 ©Stephen Cobb, 2003 www.cobbassociates.comPage 15 of 19 Chief Privacy Officer and the Privacy Team Appointing a CPO shows that your company takes privacy seriously Great way to focus energy on privacy programs But CPO quickly swamped, needs support team CPO/Team must be inter-disciplinary (legal, technical, PR, marketing, management) CPO has both internal and external roles – Riding herd on privacy policies, procedures, questions – Lobbying, networking, evangelizing, building brand differentiation based on privacy leadership

16 ©Stephen Cobb, 2003 www.cobbassociates.comPage 16 of 19 The IT Challenge Use IT security tools to serve customer interests as well as company interests Security is about how you control access to data Privacy is about who has access to data – And what they are allowed to do with it Applies internally and externally: – What can marketing do with this data? – How do we keep this data from unauthorized outsiders? – While allowing authorized outsiders access to this data? – How do we track and respect customer privacy preferences?

17 ©Stephen Cobb, 2003 www.cobbassociates.comPage 17 of 19 Privacy Positives Consumer response to trust seals shows privacy efforts do have a pay-off More people buy when a Web site displays a trust seal Recent tests of a trust stamp in email show that the model extends beyond the Web Trust stamped email produced: 28% more opens 42% more click-thrus

18 ©Stephen Cobb, 2003 www.cobbassociates.comPage 18 of 19 Millions of Dollars Are at Stake Royal Bank of Canada calculates that the shareholder value of its consumer and retail business is $9 billion (that’s US) RBC has taken a privacy positive stance, has re- engineered its IT systems to track customer privacy preferences, insuring they are respected by all bank departments, affiliates, partners RBC has determined that privacy drives 7% of demand for the bank’s consumer/retail business That values privacy at $630 million!

19 ©Stephen Cobb, 2003 www.cobbassociates.comPage 19 of 19 Thank You! — For More Information Email Stephen Cobb – sc at cobbassociates dot com Check out: IAPO – International Association of Privacy Officers – www.privacyassociation.org – Privacy and Security Academy Chicago October 16-18 November 13 Executive Briefing “Privacy for Business” The Learning Center

Download ppt "Cobbassociates.com Copyright, 2002, Stephen Cobb Privacy for Business "Privacy: the Biggest IT Challenge Yet?" Stephen Cobb, CISSP Senior Vice President."

Similar presentations

Privacy and the Internet Professor Peter P. Swire Ohio State University National Press Foundation February 14, 2001.

Privacy and the Internet Professor Peter P. Swire Ohio State University National Press Foundation February 14, 2001.
Mental Health Issues & Information Sharing Professor Peter P. Swire The Ohio State University NAAG Task Force on School Safety July 5, 2007.

Mental Health Issues & Information Sharing Professor Peter P. Swire The Ohio State University NAAG Task Force on School Safety July 5, 2007.
Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.

Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Consumer Powers and Protections

Consumer Powers and Protections
MARKETPLACE FRAUD How the Assistance Network can Prevent, Detect, and Report suspected fraud.

MARKETPLACE FRAUD How the Assistance Network can Prevent, Detect, and Report suspected fraud.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
4th Annual Enterprise Security Asia Conference February 2007, Kuala Lumpur, Malaysia Bright Ideas on Business Privacy Stephen Cobb, CISSP Cobb Associates.

4th Annual Enterprise Security Asia Conference February 2007, Kuala Lumpur, Malaysia Bright Ideas on Business Privacy Stephen Cobb, CISSP Cobb Associates.
Information Security Jim Cusson, CISSP. Largest Breaches 110,000 2009-11-27 NorthgateArinso, Verity Trustees 6,400 2009-11-25 Aurora St. Luke's Medical.

Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
Privacy (or Data) Breaches - Examples South Carolina Department of Revenue Hackers got into the SCDOR’s computers, and stole information on up to 3.2 Million.

Privacy (or Data) Breaches - Examples South Carolina Department of Revenue Hackers got into the SCDOR’s computers, and stole information on up to 3.2 Million.
Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A. 2618 Centennial.

Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A Centennial.
Fraud, Scams and ID Theft …oh my! Deb Ramsay ESD 101 Chief Information Officer Technology Division.

Fraud, Scams and ID Theft …oh my! Deb Ramsay ESD 101 Chief Information Officer Technology Division.
F.O.C.U.S. on my Abilities! Keith P. Wiedenkeller, SPHR

F.O.C.U.S. on my Abilities! Keith P. Wiedenkeller, SPHR
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.

Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Management for a Global Enterprise.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Management for a Global Enterprise.
Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.

Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.
Symantec Vision and Strategy for the Information-Centric Enterprise Muhamed Bavçiç Senior Technology Consultant SEE.

Symantec Vision and Strategy for the Information-Centric Enterprise Muhamed Bavçiç Senior Technology Consultant SEE.
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.
The Business of Empowering Women November 18, 2009 Presentation at the World Bank’s GAP Event Working Women: Better Outcomes for Growth CONFIDENTIAL AND.

The Business of Empowering Women November 18, 2009 Presentation at the World Bank’s GAP Event Working Women: Better Outcomes for Growth CONFIDENTIAL AND.

Similar presentations

Ads by Google