Presentation Material (Powerpoint)

  1. Looking Ahead: Privacy, Laws, & Technology
     J. Trevor Hughes, International Association of Privacy Professionals
  2. Emerging Regulatory Issues
     - Privacy
       - ID Theft
       - SSNs
       - Spam
       - Telemarketing
       - GLBA
       - FCRA
       - HIPAA
       - Patriot Act
     - Security
       - The Ugly Stepchild
     - A Look Ahead
       - Emerging Technology
       - Biometrics
       - Data Fluidity
       - Data Aggregation
  3. The Privacy Strata (diagram of layers)
     - Technology Standards
     - Self Regulatory Standards
     - US Government: SSNs, GLB, HIPAA
     - The States (Legislatures, DOIs and AGs)
     - The Rest of the World: Europe, Canada
  4. Show me the harm... (diagram: harm to public)
     - Marketing
     - Telemarketing
     - SPAM
     - Identity Theft
  5. Identity Theft
     - FTC Complaints:
       - 2000: 31,000
       - 2001: 86,000
       - 2002: 162,000
       - Top consumer fraud complaint in 2002
       - 30% growth predicted going forward
     - Average impact:
       - $1500
       - 175 hours of clean up
       - credit disruptions
     - 42% of complaints involve credit card fraud
     Identity theft coverage now available
  6. Social Security Numbers
     - California:
       - Correspondence to residential addresses cannot include a SSN
       - (Simitian bill) employers cannot use SSN for purposes other than taxes
     - Feds:
       - Proposals to limit use as college ID
     - Looking ahead:
       - Restrictions on the use of SSNs as internal identifiers
         - May be used for verification of identity, accessing medical files and credit reports
         - May not be used as an account number
  7. SPAM
     - Hotmail – 80% unsolicited bulk email
     - 31 billion per day (2002)
     - 60 billion per day (2006)
     - Dial-up concerns (EU local call problems)
     - Work productivity/liability concerns
     - Deliverability concerns
     - Channel viability concerns (the “900” phenomenon)
  8. Killing the Killer App?
     - Legal Responses:
       - 26 states with anti-spam legislation
       - CAN-SPAM Act in Senate
       - Commerce/Judiciary efforts in House
       - EU opt-in requirements
     - Tech Responses
       - Blacklists
       - Filtering by ISPs
       - Solution providers
         - Habeas
         - Trusted Sender
         - IronPort
         - Brightmail
     Aggressive filtering results in “false positives” (legitimate email being blocked)
  10. The Value of Email (diagram: spectrum of value to recipient)
     - Spam
     - Permission Acquisition
     - Permission Retention
     - Relational Messages: transactional, personal, paid service, permission-based non-marketing
  11. ISPs and False Positives (Assurance Systems, Feb. 2003)
     Non-delivery rate by ISP:
       NetZero      27%
       Yahoo        22%
       AOL          18%
       CompuServe   14%
       Hotmail       8%
       MSN, EarthLink, BellSouth: figures not present in the slide text
     Average non-delivery for top ISPs: 15%
  12. Employee Privacy
     - Blurring of work/home boundaries
     - 30% of ecommerce sales generated from the workplace
     - Extensive use of company email for personal use
     - Issue: employer monitoring?
     - European v. US approaches
  13. Telemarketing
     - The “must have” legislation for every up-and-coming AG
     - TCPA – allows for single vendor opt-out
     - FTC’s gift to consumers: a national do not call registry (just signed)
     - Telemarketing will diminish as a sales vehicle
  14. Fair Credit Reporting Act
     - Reauthorization in 2003
     - Big issues:
       - Expand consumer privacy protections?
       - Sunset state preemption?
         - NAAG says “YES!”
         - Business community says “please, no!”
     - For insurers: beware of scope creep in FCRA reauthorization (Sen. Shelby – GLBA did not go far enough; wants opt-in for third party transfers)
  15. Layered Privacy Notices
  16. The Technology Policy Machine (cycle diagram)
     - New, little understood technology introduced
     - Policy and standards vacuum
     - Self regulation, new technology and education create trust
  17. Cookies
     - Small strings of code written to a special file on your hard drive
     - Usually anonymous, may be associated with PII
  19. The NAI Principles
     - Members will:
       - Never profile on sensitive data (financial, medical, sexual)
       - For PII:
         - Never merge PII with previously collected clickstream without affirmative consent
         - Provide consumers with robust notice and choice (opt-out) for the merger of PII with prospective clickstream
       - For Non-PII:
         - Provide clear and conspicuous notice and choice (opt-out)
  21. P3P with Cookie Management (diagram: web site, P3P header, browser, P3P setting, P3P agreement, cookies)
  26. If Richard Smith Says it is Okay, it MUST Be Okay...
     - “My first reaction was, ‘Oh, they’re terrible!’ Over the last year and a half as I’ve looked at the Internet and how it works, it would be very difficult to have the Internet without them (cookies).”
       - NY Times; Sept. 4, 2001
  27. Security: The Ugly Stepchild of Privacy
  32. Security
     - Security Audit
       - Quickest, easiest way to get a snapshot of your security issues
     - Develop a “Security Portfolio”
       - Internet/Acceptable use policies
       - E-mail policies
       - Remote access policies
       - Special access policies
       - Data protection policies
       - Firewall management policies
       - Cost sensitive, appropriate architecture
     - Reassess, Audit, Revise
     Defense In Depth!
  33. Security
     - Protect Internally and Externally
       - IIS Survey (2000) – 68% of attacks are internal
     - Protect Network AND Data
       - Data is usually the target of an attack, not the “network”
  36. Security – What to do?
     - Standards Emerge!
       - Data encryption to the column level
       - Role-based access control to the row level
       - Role-based access for DBAs
       - Transaction auditability
     - Pay now, or Pay Later!
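Slide 36 lists column-level protection, row-level role-based access and transaction auditability as emerging database standards. The following added example (written for this page, not part of the presentation) sketches the latter two over SQLite, with a keyed hash (HMAC) of the SSN standing in for column-level encryption so that, as slide 6 anticipates, the number can verify an identity but never serves as the account number. The key, table names, roles and sample customers are all constructed for the demonstration.

```python
import hashlib, hmac, secrets, sqlite3
SSN_KEY = b"demo-key-not-for-production"  # constructed; real keys live in a key-management system

def ssn_token(ssn):
    # Keyed hash stored instead of the SSN: verifies a claim, but is useless as an identifier without the key.
    return hmac.new(SSN_KEY, ssn.encode(), hashlib.sha256).hexdigest()

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customer(account_no TEXT PRIMARY KEY, region TEXT, name TEXT, ssn_token TEXT);
        CREATE TABLE session(k TEXT PRIMARY KEY, v TEXT);   -- who is connected, in what role
        CREATE TABLE audit(ts TEXT DEFAULT CURRENT_TIMESTAMP, actor TEXT, action TEXT, account_no TEXT);
        -- Row level: agents see only their own region, the dba role sees every row, nobody gets ssn_token via it.
        CREATE VIEW my_customers AS
          SELECT account_no, name FROM customer
          WHERE (SELECT v FROM session WHERE k='role') = 'dba'
             OR region = (SELECT v FROM session WHERE k='region');
        -- Transaction auditability: every insert is attributed to the session user.
        CREATE TRIGGER audit_insert AFTER INSERT ON customer BEGIN
          INSERT INTO audit(actor, action, account_no)
          VALUES ((SELECT v FROM session WHERE k='user'), 'INSERT', NEW.account_no);
        END;""")
    return db

def set_session(db, user, role, region):
    db.executemany("INSERT OR REPLACE INTO session VALUES (?,?)", [("user", user), ("role", role), ("region", region)])

def add_customer(db, region, name, ssn):
    account_no = secrets.token_hex(8)   # surrogate key: the SSN is never the account number
    db.execute("INSERT INTO customer VALUES (?,?,?,?)", (account_no, region, name, ssn_token(ssn)))
    return account_no

def visible_names(db):
    return sorted(r[0] for r in db.execute("SELECT name FROM my_customers"))

def verify_ssn(db, account_no, claimed):
    row = db.execute("SELECT ssn_token FROM customer WHERE account_no=?", (account_no,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], ssn_token(claimed))

def demo():
    db = build_db()
    set_session(db, "alice", "agent", "east")
    ann = add_customer(db, "east", "Ann", "123-45-6789")      # constructed sample data
    set_session(db, "bob", "agent", "west")
    add_customer(db, "west", "Ben", "987-65-4321")
    west = visible_names(db)                                  # ['Ben']: bob's region only
    set_session(db, "root", "dba", "")
    actors = [r[0] for r in db.execute("SELECT actor FROM audit ORDER BY rowid")]
    return west, visible_names(db), actors, verify_ssn(db, ann, "123-45-6789"), verify_ssn(db, ann, "000")
```

A production DBMS would enforce the view filter and the audit trigger server-side under real database roles rather than a session table the client can write to; the example only makes the three controls from the slide concrete.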
  37. A look ahead...
  38. Emerging Dynamics
     - Data Fluidity
       - Personalization
       - Persistent Surveillance
       - Biometrics
     - Data Aggregation
       - Targeted messaging
     - Geo Privacy
  39. Data Friction and Fluidity (diagram: data velocity axis from friction to fluidity: Stone Tablets, Paper, Printing Press, Digital Data)
  40. Personalization
     - As data becomes more fluid, personal targeting becomes possible
     - Privacy issues prevail
     - .NET (Microsoft), Liberty Alliance (Sun)
       - Never entering your name, password, address and credit card again
     - Do we really want this?
     - The rise of GUIDs
  42. Personalization Today: Hello John Anderton...
  44. Data Fluidity for Healthcare
     - Smart Cards
       - Genome
       - Entire Medical Record
     - HIPAA code sets
     - CRM across all lines/interaction points
     - Single interface solutions for customers
  45. Biometrics Everywhere
     - Biometric Attestations
       - Faceprints, eyeprints, fingerprints, hand geometry, voice recognition, vein patterns, gait recognition, odor...
  46. Face Recognition
     - 2001 Super Bowl
     - Airports
     - Urban hot spots
     - Business campus
  47. Iris/Fingerprint Recognition
     - Airports (Vancouver and Toronto)
     - Signatures
     - High security buildings
  48. Persistent Surveillance
     - “He’s been idented on the Metro...”
  49. Data Aggregation (diagram: Data Silos → Aggregation → Core Data, Inferred Data, Meta Data, Derivative Data → Personalization and Velocity)
  51. Geo Privacy
     - e911
     - Geo Targeted Wireless Services
       - “Smell that coffee? Come in for a cup!”
  52. Lessons to be Learned
     - Data Becomes Much More Fluid
     - Data Management Becomes Much More Difficult
     - Data Moves More Quickly
     - Smart Companies will Harness the Power of Data Fluidity to Reduce Costs and Improve Their Value Propositions
  53. The International Association of Privacy Professionals is the nation’s leading association for privacy and security professionals. It helps its members build and maintain privacy programs while effectively navigating rapidly changing regulatory and legal environments.
     Mission of IAPP
     - To promote privacy programs and safeguards – their introduction, development and maintenance.
     - To provide a forum for interaction and information exchange for our members.
     - To create high quality educational opportunities for those involved with privacy issues.
     Phone: 800-266-6501 [email_address]
  54. THANKS!
     J. Trevor Hughes
     [email_address]
     207 351 1500