Slide 1 of 19: Privacy for Business
"Privacy: the Biggest IT Challenge Yet?"
Stephen Cobb, CISSP, Senior Vice President, Research & Education, The Learning Center at Miami Valley Research Park
Greater Dayton IT Alliance Breakfast Forum, 9/18/02
cobbassociates.com Copyright, 2002, Stephen Cobb
Slide 2 of 19: Agenda
©Stephen Cobb, 2003 www.cobbassociates.com, Privacy for Business
The privacy challenge: how we got here
Privacy imperatives: what you have to do
– COPPA, FTCA, HIPAA, GLB, Torts, AGs
“No New Privacy Laws” = more FTC privacy prosecutions?
What happens when companies make privacy mistakes?
– Eli Lilly, Ziff Davis, Microsoft, Doubleclick, Eckerd Drug
4 Way Privacy Pressure = 4 X Privacy Risk
3-step privacy program: Target, Treat, Train
The Chief Privacy Officer and the Privacy Team
The IT challenge and the Privacy Pay-off
Sources of assistance
Slide 3 of 19: The Privacy Challenge: How We Got Here
Remember when cars were the greatest thing?
– Then came smog, the oil crisis, etc.
Remember when computers were the greatest?
– Then came security holes and the privacy crisis
The amount of information computerized in the last 5 years is staggering, and connectivity has exploded
Not everyone is happy with all the uses to which those data have been put, particularly the way some companies have used personally identifiable information (PII) for marketing purposes
Slide 4 of 19: Privacy Concerns Are Clearly Increasing
Fundamentalists want more privacy rules. Pragmatists favor self-regulation.
(Chart: survey of 1500 consumers by Privacy and American Business)
Slide 5 of 19: Privacy Was Front Page News Before 9/11
Slide 6 of 19: Business Has Responded, But Slowly
So far only 51% of companies have privacy policies, even though 97% have Web sites and 53% use those sites for e-commerce
– Weak sectors: retail, healthcare, manufacturing
– Stronger sectors: banking, transportation
– Source: Computer Economics Institute, March 2002
Barely half of companies post privacy notices on their Web sites
60% don’t monitor their Web sites to make sure they deliver the privacy that’s promised
– Source: Watchfire/PWC
Slide 7 of 19: Privacy Imperatives: What You Have to Do
The Laws:
– COPPA (kids on the Web)
– HIPAA (covers a lot of health care organizations)
– G-L-B (covers many finance-related companies)
– FTCA? FTC’s mandate to act on “deceptive practices”
Torts: established right of private privacy action
– Yesterday Tammy, today Prozac in the mail box
– Class action privacy lawsuits are on the increase
State Attorneys General: no downside for them
– New York AG Spitzer particularly aggressive
Slide 8 of 19: “No New Privacy Laws” = Many More Cases
Familiar argument: we don’t need any more laws, we need enforcement of existing laws
So the FTC is enforcing the law against “deceptive business practices”
For example, if you promise consumers you will protect their PII but the PII is exposed, you deceived consumers and sought unfair advantage
See: Microsoft Passport case, Eli Lilly case, etc.
Note that breaking a promise does not need to be intentional to be judged deceptive
Slide 9 of 19: When Companies Make Privacy Mistakes
Eli Lilly
– Prozac email incident, FTC settlement, states
Microsoft Passport
– FTC settlement, like Lilly’s, lasts 20 years
– Fines if broken ($11K per incident)
DoubleClick
– Class action, FTC, $400K states
Ziff Davis
– Exposed credit cards on Web, identity theft resulted, $125K states
Eckerd Drug
– Prescription drug signature sheets used as permission to market to patients; settled with Florida AG at a cost of $1 million (endows a university chair in Ethics)
Consider the fallout:
– Stock price takes a hit
– Press goes negative
– Brand tarnished
– Resources diverted
– Opportunity costs mount (e.g. marketing, lobbying)
Slide 10 of 19: 4 Way Privacy Pressure = 4 X Privacy Risk
(Diagram: the four sources of privacy pressure)
– Compliance
– FTC
– State AGs
– Civil Suits
Slide 11 of 19: 3-step privacy program: Target, Treat, Train
Target
– Find current privacy exposures and prioritize
– (Talk to department heads, map data flows, ask questions, especially of marketing)
Treat
– Make necessary changes and then institute policies and procedures to prevent recurrence
Train
– Make sure everyone understands the importance of privacy, especially anyone who touches PII
– (This goes a lot further than customer service, e.g. contracts, programming, product development)
Slide 12 of 19: Privacy Incident Cost Containment Model
Identify the biggest risk in key areas of the business
Fix these first
Move on to the lesser risks
While developing policy, procedures, training
Faster, cheaper risk reduction than “assess-then-amend”
(Chart: risk over time, PICC curve compared with Assess/Amend)
Slide 13 of 19: Training for All Employees Who Touch PII
Web-based training is very cost-effective
Slide 14 of 19: General and Compliance Courses
Third-party endorsed training is good due diligence
Slide 15 of 19: Chief Privacy Officer and the Privacy Team
Appointing a CPO shows that your company takes privacy seriously
Great way to focus energy on privacy programs
But the CPO is quickly swamped and needs a support team
CPO/Team must be inter-disciplinary (legal, technical, PR, marketing, management)
CPO has both internal and external roles
– Riding herd on privacy policies, procedures, questions
– Lobbying, networking, evangelizing, building brand differentiation based on privacy leadership
Slide 16 of 19: The IT Challenge
Use IT security tools to serve customer interests as well as company interests
Security is about how you control access to data
Privacy is about who has access to data
– And what they are allowed to do with it
Applies internally and externally:
– What can marketing do with this data?
– How do we keep this data from unauthorized outsiders?
– While allowing authorized outsiders access to this data?
– How do we track and respect customer privacy preferences?
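The slide's split between controlling access (security) and governing use (privacy) can be made concrete as two separate checks on every read of a PII record. The gate below is an added example, not code from the presentation; the roles, purposes and preference names are assumptions chosen to mirror the slide's questions about marketing, outsiders and customer preferences.

```python
"""Purpose-aware access gate over PII records (illustrative, not from the deck).

Two independent layers: role -> fields (security: who may read what) and
purpose -> customer preference (privacy: what they may do with it).
Role names, purposes and preference keys are assumptions for this example.
"""
from dataclasses import dataclass, field

# Security layer: which PII fields each role may read at all.
ROLE_FIELDS = {
    "customer_service": {"name", "email", "phone", "orders"},
    "marketing": {"name", "email"},
    "partner": {"email"},          # an authorized outsider, narrowly scoped
}

# Privacy layer: which customer preference a purpose requires to be True.
# "service" needs no opt-in: it is the purpose the data was collected for.
PURPOSE_CONSENT = {
    "service": None,
    "marketing": "marketing_email",
    "partner_share": "share_with_partners",
}

@dataclass
class Customer:
    customer_id: str
    pii: dict
    prefs: dict = field(default_factory=dict)

AUDIT = []  # every denial is recorded so the privacy team can review it

def check_access(customer, role, purpose, fields):
    """Return (allowed, reason); unknown role or purpose fails closed."""
    permitted = ROLE_FIELDS.get(role)
    if permitted is None or purpose not in PURPOSE_CONSENT:
        reason = "unknown role or purpose"
    elif not set(fields) <= permitted:
        reason = f"role {role} may not read {sorted(set(fields) - permitted)}"
    else:
        needed = PURPOSE_CONSENT[purpose]
        # A missing preference counts as no consent (opt-in, not opt-out).
        if needed is None or customer.prefs.get(needed, False):
            return True, "ok"
        reason = f"customer has not opted in to {needed}"
    AUDIT.append({"customer": customer.customer_id, "role": role,
                  "purpose": purpose, "fields": list(fields), "denied": reason})
    return False, reason

# Constructed sample record: opted out of marketing mail, opted in to partner sharing.
ALICE = Customer("c-1001", {"name": "Alice", "email": "alice@example.com",
                            "phone": "555-0100", "orders": ["o-1"]},
                 {"marketing_email": False, "share_with_partners": True})
```

The same role can pass the security check and still fail the privacy check, which is the point of tracking preferences alongside permissions.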
Slide 17 of 19: Privacy Positives
Consumer response to trust seals shows privacy efforts do have a pay-off
More people buy when a Web site displays a trust seal
Recent tests of a trust stamp in email show that the model extends beyond the Web
Trust-stamped email produced:
– 28% more opens
– 42% more click-thrus
Slide 18 of 19: Millions of Dollars Are at Stake
Royal Bank of Canada calculates that the shareholder value of its consumer and retail business is $9 billion (that’s US)
RBC has taken a privacy-positive stance and has re-engineered its IT systems to track customer privacy preferences, ensuring they are respected by all bank departments, affiliates and partners
RBC has determined that privacy drives 7% of demand for the bank’s consumer/retail business
That values privacy at $630 million!
Slide 19 of 19: Thank You! For More Information
Email Stephen Cobb
– sc at cobbassociates dot com
Check out:
– IAPO, International Association of Privacy Officers: www.privacyassociation.org
– Privacy and Security Academy, Chicago, October 16-18
– November 13 Executive Briefing “Privacy for Business”, The Learning Center