1. Privacy by Design Discussions Dr. Marilyn Prosch, CIPP Arizona State University September 22, 2009

2. Privacy by Design Change made retroactively always cost more!

3. What are the costs associated with changes Time Resources Morale Possibility of ultimately inferior output

4. Consider Facebook Member of the Canadian federal Privacy Office spent 30 days at Facebook’s office investigation Facebook has committed to using its best efforts to roll out the permissions model by September 1, 2010. In the meantime, Facebook will oversee the applications developers’ compliance with contractual obligations. Since the conclusion of the investigation, Facebook has provided us with detailed information on its oversight activities, and I am satisfied that it will be a useful means of monitoring developers’ compliance with Facebook’s Statement of Rights and Responsibilities, in the interim. Facebook has also agreed to a test of the model by an expert third party, prior to its implementation, to ensure that the new model meets the expectations of our report and the company’s subsequent undertakings. http://www.priv.gc.ca/media/nr-c/2009/let_090827_e.cfm

5. 5 Maturity Model Organizations may be in different implementation phases of their privacy program An objective assessment of the maturity level of the program is a key step in assessing if the organization is ready to undergo a privacy audit (either internal or external) Organizations at a low maturity level most likely will lack the foundations needed, and will be better served by developing the existing privacy infrastructure

6. 6 Privacy Maturity Model The AICPA and CICA Privacy Task Force is developing a Privacy Maturity Model The model is based on the U.S. Department of Defense Software Engineering Institute’s CMM model The six levels are: ◦ Non-Existent – Management process are not applied at all ◦ Ad Hoc – Processes are ad hoc and disorganized ◦ Repeatable – Processes follow a regular pattern ◦ Defined – Processes are documented and communicated ◦ Managed – Processes are monitored and measured ◦ Optimized – Best practices are followed and automated

7. 7 Privacy Maturity Model

8. We are interested in conducting rigorous and useful research Let’s consider the following model and discuss what areas concern you and/or your organization about privacy and what we can do to move organizations along the privacy maturity model

9. ProgramsGoals Resource Allocations Corporate Culture Fiscal Viability Expectations Compliance Community Involvement Environmental Improvements Economic Benefits Education Support Create a Privacy Culture, Cavoukian, 2008 Privacy Payoff, Cavoukian & Hamilton, 2008 Customer Churnrate, Ponemon 2007 Privacy Cultural Lag Theory, Prosch 2008 FTC Sanctions State Attorney Generals EU Safe Harbor Privacy Policies Chief Privacy Officer Privacy Enhancing Technologies Privacy Audit Privacy Maturity Lifecycle, Prosch 2008 Privacy Payoff, Cavoukian & Hamilton, 2008 Reducing data pollution: Reducing identify theft risk, Unnecessary workplace Monitoring, cyberbullying, etc. Educating customers/employees Rights & obligations in process Allowing constituents a “voice” in privacy design Nehmer & Prosch 2009 Model of Privacy Corporate Responsibility Based on Dillard & Layzell’s 2008 Model

10. Discussion