Presentation Material (Powerpoint)

  • International: 50 countries with Privacy & Data Protection Law.
    US – In 2003 numerous privacy-related laws were passed, including: Telemarketing Sales Rule; Fair and Accurate Credit Transactions Act (FACT); California Security Breach Information (SB 1386) and Financial Information Privacy (SB1) Acts; and Federal CAN-SPAM and international anti-spam legislation.
    US Federal Level: Since 1998, over 15 federal statutes have been passed. They include the USA Patriot Act, Cable TV Privacy Act of 1984, Communications Assistance for Law Enforcement Act of 1994, Counterfeit Access Device and Computer Fraud Abuse Act of 1984, Driver’s Privacy Protection Act, Electronic Communications Privacy Act, Privacy Act of 1974, Right to Financial Privacy Act, Telecommunications Act of 1996, Telephone Consumer Protection Act of 1991, Video Privacy Protection Act of 1998, COPPA, HIPAA, FCRA, EFTA, GLBA, Safe Harbor.
    US State Level: Since 1998, 50 assorted privacy-related laws have been passed. Key themes include: medical, financial, email, data security, telephone, and workplace/employee privacy issues.
  • Virtually every communications channel has or will be impacted:
    • Telemarketing – Telemarketing Sales Rule creates restrictions and a Federal Do-Not-Call List (changes effective 10/1/03); new changes require updating the suppression list every 31 days (effective 1/1/05).
    • Fax – Telephone Consumer Protection Act (TCPA) requires verifiable consent for fax advertisements (changes effective 1/1/05; some states require consent now).
    • E-Mail – CAN-SPAM Act facilitates opt-out and empowers the FTC to create a Do-Not-Email List (effective 1/1/04); international anti-spam legislation (e.g., EU, AU).
    • Web – CA Online Privacy Law requires a privacy policy for sites that collect personal information online from Californians (effective 7/1/04).
    • Wireless – TCPA prohibits using an automatic dialing system to call any device when the called party is charged, unless that called party has given prior, express consent; TRUSTe and DMA have guidelines for wireless marketers.
    • Global – Privacy and Electronic Communications Directive (2002/58/EC) requires prior consent before using recorded messages during telemarketing or sending unsolicited e-mail and faxes (effective 10/31/03).
    Financial Services Specific Privacy and Data Protection Legislation:
    • GLBA requires opt-out of sharing or selling customer data to third parties; states have required opt-in.
    • Fair and Accurate Credit Transactions Act of 2003 (FACT Act) – enables opt-out of information sharing among affiliated entities for marketing purposes (effective 12/31/03, 3/31/04, 12/1/04 and later dates); challenges companies to accurately understand all affiliate relationships, dataflows and information usage.
    • FFIEC proposed Federal guidance (and CA 1386, effective 7/1/03) requires security safeguards and disclosure of breaches, with certain exemptions.
    • CA Financial Information Privacy Act (SB1) requires opt-in for third-party sale/sharing of customer data (effective 7/1/04); challenges companies to accurately understand all third-party relationships.
    • Exercising due diligence in selecting, contracting and monitoring service providers: compliance with the Interagency Guidelines for Safeguarding Customer Information for service provider contracts entered into on or before March 5, 2001 (grandfathered until 7/1/03 for financial institutions and 6/24/04 for the FTC Safeguards Rule); enforcements likely this summer.
    Other US Security/Privacy Legislation:
    • Enacted laws: Electronic Signatures in Global and National Commerce (2000); Virginia Computer Crimes Act (Final); other states as well.
    • Pending laws and rules: US Notification of Risk to Personal Information Act (SB 1350); Reporting on Cybersecurity by SEC-registered corporations; Congressional (House Committee on Technology, Information Policy); Department of Homeland Security; Corporate Information Security Accountability Act of 2003.
  • California State Law SB1386/AB700 (Final) – Disclosure of Personal Information Act: requires companies to notify their customers of computer security breaches.
    Virginia Computer Crimes Act (Final): provides criminal penalties for those who use computers to commit crimes.
    US Notification of Risk to Personal Information Act (Pending): requires Federal agencies, and persons engaged in interstate commerce, in possession of electronic data containing personal information, to disclose any unauthorized acquisition of such information.
    Reporting on Cybersecurity by SEC-registered corporations (Proposed): requires public companies to report their cybersecurity efforts in their filings with the U.S. Securities and Exchange Commission.
    Corporate Information Security Accountability Act of 2003 (Proposed): requires public companies to include an assessment of their information security conducted by a third party.
  • Foreign legislation:
    • Foreign Encryption Laws (U.S., Canada, France, Israel, Russia, China, etc.) – Mechanisms for controls around the import, export and use of encryption technologies.
    • EU Directive 95/46/EC – The Data Protection Directive (1995) – Implementation of measures to protect personal data against destruction, alteration, loss, and unauthorized disclosure or access.
    • Germany Federal Data Protection Law (1997) – Controls for monitoring retrieval of personal data.
    • Switzerland Federal Law on Data Protection (2000) – Use of organizational and technical means to protect personal data from unauthorized use.
    • Canada Personal Information Protection & Electronic Documents Act (2000) – Use of physical controls to protect personal information against loss, theft, and unauthorized access, use, modification or disclosure.
    • Australia Privacy Amendment (Private Sector) Act (2000) – National privacy principles regarding data security and storage of personal information.
    • United Kingdom Financial Services Authority – Systems & Controls (2002) – Regulated firms must take reasonable care to establish and maintain systems and controls.
    • Japan Personal Data Protection Law (2003) – Regulations pertaining to collection, storage and use of personal information.
    • Ireland Data Protection Act (1998, revised 2003) – Data protection for information transferred out of the European Economic Area (EEA).
  • Privacy Compliance – New Organizational Focus and Responsibilities. The Chief Privacy Officer is a senior management position granted an appropriate level of authority and oversight to effectively coordinate the development, implementation and maintenance of a corporate privacy compliance vision and strategy. Typical Chief Privacy Officer responsibilities include:
    • Developing a privacy compliance strategy and obtaining senior management commitment to it;
    • Designing and implementing privacy policies that reflect the organization’s privacy compliance strategy and privacy compliance requirements;
    • Monitoring privacy compliance activities across the organization on an ongoing basis and incorporating privacy compliance into the overall strategy and culture of the organization;
    • Continually reviewing strategic business decisions such as new marketing strategies, technology solutions, product initiatives and business partnerships to assess the privacy compliance implications;
    • Remaining current with privacy technology, legislative and industry developments;
    • Addressing new privacy compliance concerns as they emerge;
    • Overseeing the creation and implementation of privacy training programs;
    • Overseeing enforcement-related activities such as the organization’s response to subject access requests, complaints, claims and official communications from regulators;
    • Communicating and interacting with a diverse cross-section of the organization in an educative, advisory and enforcement capacity, as necessary; and
    • Providing the public face of the organization’s privacy compliance strategy. This may require the Chief Privacy Officer to participate in lobbying for privacy issues within the organization, as well as championing privacy causes externally through industry initiatives and external forums.
    Whilst, as a senior management position, Chief Privacy Officers may have a number of personnel who report to them and manage the day-to-day operational activities that support implementation of the tasks outlined above, the ultimate responsibility for the achievement of these tasks lies with the Chief Privacy Officer.
  • Implications of EU non-compliance:
    • Fines – Italy: up to $3,000 per offense; Germany: up to $225,000 per offense; Spain: up to $600,000 per offense
    • Criminal sanctions, including imprisonment
    • Seizure of files and data
    • Injunctive measures such as the blocking of dataflows and cessation of certain data processing
    • Other DPAs (e.g., UK, France) tend to engage in cooperative dialogue with companies, rather than levying fines
  • All large, multi-national corporations are grappling with privacy and data protection issues, regardless of their domains of operation. Differing legislative regimes and transborder dataflows make managing compliance complex. Companies are moving to decrease costs and increase efficiencies through centralization and global system implementations. These provide unprecedented ability to access and use personal information globally, and have substantial privacy consequences. Consistent privacy policy frameworks that adapt to brands, cultures, jurisdictions and co-existing legislation are difficult to build, manage and enforce.
  • Privacy Strategy Spectrum. The Privacy Strategy Spectrum is a graphical representation of the relationships between the different aspects of managing privacy risk (e.g., cost) and the value that can be realised through the appropriate management of this risk. The three levels shown on the Privacy Strategy Spectrum are:
    • Organizations that operate in the lowest part of the spectrum may treat privacy risk as a compliance issue and focus on minimising the risks associated with actions such as legal liability, fines and penalties for non-compliance, or being the subject of adverse publicity due to privacy breaches;
    • Organizations that operate in the middle part of the spectrum may undertake improvements in their personal information management practices to ensure that business activities are not disrupted, but are unlikely to use their personal information management activities to promote their reputation or for competitive advantage; and
    • Organizations that operate in the top part of the spectrum may develop and promote a proactive position in relation to privacy risk. The proactive management of privacy risks is regarded as a source of strategic advantage and is used as a market differentiator.
  • Included interviews with 19 Chief Privacy Officers, or other individuals responsible for privacy, mainly at Fortune 500 companies in the financial services, pharmaceutical, technology and consumer products industries. Conducted over a 2-week period. Companies were selected based on:
    • Significance in the privacy arena;
    • Presence of complex and/or international practices; and
    • Willingness to participate in an hour-long survey process.
  • Elements of Privacy Compliance. The figure shows a data-centric view of the components of privacy compliance:
    • Personal information is positioned at the centre of the privacy compliance structure;
    • The second layer focuses on the personal information management activities of collection, use, transfer, access and quality;
    • The third layer addresses how personal choices over these activities are achieved and maintained;
    • The fourth layer represents the need to provide security over personal choices, collection, use, transfer, access and quality of personal information;
    • The fifth layer identifies the need to create and maintain policies that formalise the Organization’s personal information management practices and communicate them by providing notices and making disclosures; and
    • The sixth layer reflects the need to enforce and monitor compliance with the Organization’s privacy strategy and policies and its legal and regulatory obligations.
  • Some Privacy Compliance Drivers. The building blocks of privacy compliance that an Organization adopts, and how it implements them, are determined by the different privacy compliance drivers that it is subject to. A set of privacy compliance drivers is shown above. It is important to note that to manage privacy compliance appropriately, the personal information that the Organization manages must have ongoing integrity and must be secure from hacker attacks or other malicious events.
  • Some Privacy Compliance Drivers. Privacy compliance drivers include:
    • Rules, which may include legislation, industry regulation or standards, voluntary privacy schemes, international guidelines, as well as corporate policies and standards adopted by an organization;
    • Markets, which may include pressures from globalisation and competitors. If an organization conducts business on the Internet or operates across international boundaries, the rules for privacy vary dramatically and a focus is required on all aspects of local compliance;
    • Stakeholders, who may include third parties/business partners, advocates and media, employees, customers and suppliers; and
    • Technology – the emergence of the Internet, GPSs (Global Positioning Systems), wireless applications, enhanced monitoring and tracking tools, and sophisticated data capture, manipulation and storage technologies has enabled both large-scale data capture and new types of applications on a global scale. As a business enabler, technology has now become a driver for privacy compliance.
  • A Framework for Privacy Compliance. When building a privacy compliance program, it is important to understand the overarching foundation upon which the various components of the privacy compliance program should be built and maintained. How the framework is applied to an organization is determined by a number of factors, including the business drivers that impact the organization, the business risks that the organization faces, strategic change initiatives that are underway or planned, and the organization’s approach to privacy risk management.
    • The framework foundations are comprised of: Privacy Vision and Strategy; Management Commitment; Privacy Governance Structure; and Training and Awareness Program.
    • These foundation components are mutually reinforcing and support the privacy compliance infrastructure components of: Risk Assessment; Privacy Policy; Privacy Standards and Procedures; and Administrative and End-User Policies and Procedures.
    • The privacy compliance framework is enforced and aligned through the use of: Enforcement Mechanisms; Monitoring Processes; and Compliance and/or Audit Assessment. These components provide a means to monitor the effectiveness of the organization’s privacy compliance program, with gaps being addressed through feedback into risk assessment activities.
    1. Trends & Current Developments in Privacy for the CPO. September 12, 2004, Ninth National HIPAA Summit: The Leading Forum on Healthcare Privacy, Confidentiality, Data Security and HIPAA Compliance
    2. Contact
       • Kim P. Gunter, J.D., LL.M.
       • Senior Consultant, Privacy Practice
       • (267) 330-4026
       • [email_address]
    3. Agenda
       • Introduction & Background
       • Privacy Cross Industry Trends & Developments
       • PwC Governance Survey Results
       • What Others Are Doing . . .
       • Responsible Privacy Practices
    4. Introduction & Background
    5. Regulatory Risks, Heightened Enforcements & Financial Costs
       • New Laws.
         • Since 1998, over 65 privacy laws in over 50 countries were passed in the areas of financial privacy, data protection, telemarketing/fax, spam/web, and security breaches.
         • Since January 1, 2003, over 10 new privacy laws in the US were promulgated, impacting financial services, pharmaceutical, health care, technology/media and virtually all organizations.
       • New Regulator Focus on Privacy & Data Protection. Regulators are active globally, and are asking tougher questions about privacy, data management, information security and control environments.
         • Enforcements. The FTC, FCC and state attorneys general have all been aggressively inspecting and pursuing privacy breaches and the lack or failure of safeguards.
         • Expensive Class Actions. The plaintiffs’ bar has begun using privacy as a new, fruitful area to pursue, driven in part by a recent settlement of more than $60 million paid by a Fortune 500 retailer for allegedly inappropriately sharing customer information.
       • Breaches & Costs. Gartner projected that by 2006, 20-30% of the Global 1000 will suffer exposure due to privacy mismanagement, and costs to recover from privacy mistakes will range from $5-$20 million each.
    6. Privacy & Business. Question: What keeps you up at night?*
       • CEOs and Boards of top e-Businesses
         • Customer Loyalty
         • Burn Rate / Profitability
         • Privacy
         • Sustainable Growth
         • New Regulations
         • Competition
         • Staffing/Leadership
       • CEOs and Boards of Fortune 500s
         • Shareholder Value
         • Market Convergence
         • Privacy/Data Integrity
         • New Regulations
         • Customer Loyalty
         • Global Competition
         • Technology Change
       * Top 7 concerns for CEOs and Directors based on research by the Personalization Consortium
       • Privacy Impacts Bottom Line. A recent survey by Privacy & American Business of US consumers revealed that:
         • 83% of US consumers will stop doing business if they hear or read a company is using information improperly;
         • 91% of US consumers would do more business with companies that have their privacy policies independently verified.
    7. The Privacy Paradox
       • Consumers:
         • Consumers want a personalized experience and multi-channel availability
         • But, they do not want to divulge personal information
       • Businesses:
         • Businesses want to target & personalize to drive sales and build deeper, more valuable relationships
         • But, that requires rich data profiles, and data collection raises privacy concerns
       • The Goal:
         • Respectfully reach customers at the very time and place they need your product or service
    8. Consequences of the Paradox . . . consumers lie, complain and buy less
       • Consumers lie
         • 67% of users admit providing false information
       • They pressure legislatures
       • Consumers shy away if they’re unsure
         • 83% will stop doing business if they hear or read a company is using information improperly
         • 68% consider privacy before doing business
         • 58% would recommend companies who protect data
         • 91% would do more business with companies that have their privacy policies independently verified
    9. Consumers Are Skeptical, Especially of Health Care
       • Consumers don’t trust health care companies
         • Only 12% trust pharmaceutical companies with PHI
         • Only 33% trust health plans & government programs to maintain confidentiality
         • 20% believe a health care provider, insurance plan, government agency or employer has improperly disclosed PHI
           • 50% say it resulted in personal embarrassment or harm
       • Consumers don’t share
         • 67% never share health information
         • 21% rarely share
         • 10% sometimes share
         • Only 2% often share health-related information (e.g., medical history or prescriptions) on the Internet
       • Healthcare must inspire trust – 90% think it’s very important that
         • Health care providers and pharmacies establish effective privacy policies and do what they promise
         • Privacy policies be reviewed by third parties
    10. For a consumer, “Privacy is What You Call It When You Do It Wrong”
       • Privacy is an important means to build a “trusting” relationship, not just a compliance issue from Legal
       • Turn privacy into a competitive advantage and a long-term customer value
       • Learn from the mistakes of others
         • Hindsight is 20/20
         • Don’t be a case study
    11. Privacy Cross-Industry Trends & Developments
    12. Privacy Cross-Industry Trends & Developments
       • New Laws; Marketing and Sales – many new domestic and international privacy laws dramatically impact financial services and circumscribe the use of telemarketing, email, faxes, the web and wireless devices for business-to-business and business-to-consumer communications.
       • Security – laws and new regulatory trends/enforcements affecting pharmaceutical companies and financial institutions require that specific administrative, technical and physical security safeguards be put in place to protect sensitive information.
       • Globalization; Data Management – the recent effectiveness of several EU and other international privacy directives, and the political attention paid to data protection and outsourcing practices, has heightened the desire of many organizations to focus on international employee, customer and vendor privacy & data management.
       • Governance, Risk & Compliance – as privacy has come to be viewed as a cross-enterprise compliance issue impacting all business units, many companies are reconsidering how the privacy function within an organization is structured, staffed and funded to most effectively manage risks and ensure compliance.
    13. The Last 2 Years in Privacy – Selected Enactments
       • Virtually every communications channel has or will be impacted:
         • E-Mail – CAN-SPAM Act (effective 1/1/04); 2003 International legislation (e.g., EU, AU)
         • Web – CA Online Privacy Law (effective 7/1/04)
         • Wireless – TCPA; TRUSTe and DMA guidelines for wireless marketers
         • Telemarketing – Telemarketing Sales Rule (DNC & changes effective 10/1/03; 1/1/05)
         • Fax – Telephone Consumer Protection Act (TCPA verifiable consent by 1/1/05; states)
         • Global – Privacy and Electronic Communications Directive (2002/58/EC)
       • Data Protection Legislation
         • California Information Practice Act (SB 1386; effective 7/1/03)
         • California Personal Information: Disclosure to Direct Marketers Act (SB 27; effective 1/1/05)
       • Pharmaceutical and Health Care Industry Specific Privacy and Data Protection Legislation
         • HIPAA Security Provisions (effective 4/05)
         • Various State prohibitions on pharmaceutical sales and marketing practices (TX SB 11; CA AB 715)
         • EU Clinical Research Directive (Directive 2001/20/EC, implementation deadline 5/1/04)
       • Government Specific Privacy and Data Protection Legislation
         • eGov Act (effective 2/03; PIAs required 12/04)
       • Pending Laws and Rules
         • Jobs for America Act (Daschle/Kerry)
         • U.S. Workers Protection Act (Dodd)
         • Various US state proposed outsourcing laws (CA, NJ, others)
         • US Notification of Risk to Personal Information Act (SB 1350)
         • Interagency Guidance on Response Programs for Unauthorized Access to Customer Information
         • Reporting on Cybersecurity by SEC registered corporations
         • Congressional (House Committee on Technology, Information Policy); DHS
         • Corporate Information Security Accountability Act of 2003
       • Foreign Legislation (4 years)
         • Foreign Encryption Laws (U.S., Canada, France, Israel, Russia, China, etc.)
         • EU Directive 95/46/EC – The Data Protection Directive (1995)
         • Germany Federal Data Protection Law (1997)
         • Switzerland Federal Law on Data Protection (2000)
         • Canada Personal Information Protection & Electronic Documents Act (2000)
         • Australia Privacy Amendment (Private Sector) Act (2000)
         • United Kingdom Financial Services Authority – Systems & Controls (2002)
         • Japan Personal Data Protection Law (2003)
         • Ireland Data Protection Act (1998, revised 2003)
    14. Heightened Enforcement & Brand Peril – Illustrative Enforcements, Penalties & Legal Actions
       • FTC investigated drug industry advertising practices/privacy violations – targeted promotional letters sent by pharmacies to customers and paid for by pharma.
       • FTC – Web & Email – Needed safeguards to prevent unauthorized/unintentional disclosure of sensitive personal information collected from Prozac.com.
       • FTC – Web/Information Mgmt – Must implement, test and monitor safeguards to control potential risks identified in a risk assessment.
       • Data Management – $60+ million class action settlement for improper data sharing.
       • FCC & State AGs – Do Not Call – Enforcements, in part for revenue.
       • State AGs – Massive Vendor Data Leakage – multiple clients.
       • State AGs – Email Database Growth – E-append program mismanagement.
       • Private Action – Email – First of a floodgate of actions under CAN-SPAM by IASPs.
       • Class Action – Marketing Practices – Eli Lilly secured signed blank letters from doctors whose patients had taken Prozac. Walgreens mailed free trials.
       • Class Action – 3rd-Party Vendor – Weld v. CVS – Wrongful disclosure of medical information by CVS to a direct-marketing company in a patient-compliance program.
       • OCR/State AGs – HIPAA – Thousands of complaints; set to commence actions.
    15. Liability Case Studies
       • FTC Settlement with Eli Lilly
       • Private Rights of Action
       • Predicted HIPAA Risk Areas
    16. Eli Lilly Settles FTC Charges Concerning Security Breach
       • Unauthorized and unintentional disclosure of sensitive personal information collected from consumers through its Prozac.com and Lilly.com Web sites
       • Lilly to implement an information security program to protect consumers’ privacy
    17. “Eli Lilly and Company respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests’ privacy as they take advantage of this resource.” “Our Web sites have security measures in place, including the use of industry standard secure socket layer encryption (SSL), to protect the confidentiality of any of Your Information that you volunteer; however, to take advantage of this your browser must support encryption protection (found in Internet Explorer release 3.0 and above). These security measures also help us to honor your choices for the use of Your Information.”
    18. Eli Lilly Email – We Are All Only One Email Away . . .
       • From: [email_address]
       • Sent: Wednesday June 27, 2001 8:37 PM
       • To: @aol.com, @hotmail.com, @yahoo.com, @juno.com, @earthlink.com, @lilly.com, @webtv.net, @hotmail.com, @gateway.net, @home.com, @dotnow.com, etc.
       • Subject: Medi-Messenger
       • Dear Medi-Messenger User:
       • We’re listening! This week Eli Lilly and Company relaunched Prozac.com with a new navigation and feel. Based upon feedback from consumers like you, we have discontinued our Medi-Messenger e-mail reminder service. We are appreciative of your comments, and hope this does not cause any inconvenience to those of you who were using this feature.
    19. 19. Eli Lilly settlement <ul><li>FTC complaint alleges: </li></ul><ul><ul><li>Lilly’s claim of privacy and confidentiality deceptive because company failed to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information </li></ul></ul><ul><li>According to the FTC, Eli Lilly failed to: </li></ul><ul><ul><li>provide appropriate training for employees </li></ul></ul><ul><ul><li>provide appropriate oversight and assistance </li></ul></ul><ul><ul><li>implement appropriate checks and controls on the process </li></ul></ul><ul><li>FTC Order: </li></ul><ul><ul><li>Bars misrepresentations </li></ul></ul><ul><ul><li>Requires Lilly to establish and maintain an information security program </li></ul></ul>
    20. 20. Demystifying an Information Security Program <ul><li>Information Security Program </li></ul><ul><ul><li>designate appropriate personnel to coordinate and oversee the program </li></ul></ul><ul><ul><li>identify reasonably foreseeable risks and address these risks in each relevant area of its operations </li></ul></ul><ul><ul><li>conduct an annual written review by qualified persons </li></ul></ul><ul><ul><li>adjust the program in light of any recommendations from reviews, findings from ongoing monitoring, or material changes </li></ul></ul><ul><li>Recommendations: </li></ul><ul><ul><li>Make sure you know what information your company collects, how it is stored, and how it is used, and write your policy accordingly </li></ul></ul><ul><ul><li>Use a team approach, including representatives from legal, marketing, IT, and Web design to: i) Determine current information practices; ii) Assess what laws may apply, and iii) Develop and draft a clear privacy policy </li></ul></ul><ul><ul><li>Educate your employees, develop training materials </li></ul></ul>
    21. 21. “Litigation 101” Sensitivity of the information leads to emotionally-charged plaintiffs . . . which leads to high-stakes deterrence: $$$$$$$$$$$$$$$$$$$$$ … And then came along HIPAA!!
    22. 22. Avoiding Litigation and Trouble <ul><li>The Top HIPAA Threats </li></ul><ul><ul><li>Business Associates -- Medical data abuses or breaches by business associates </li></ul></ul><ul><ul><li>Broken Promises -- Failure to follow one’s own privacy policies and procedures </li></ul></ul><ul><ul><ul><li>E.g., Marketing Rules </li></ul></ul></ul><ul><ul><li>Security -- Inadvertent mass disclosure due to poor security </li></ul></ul>
    23. 23. Risk Area 1 -- Business Associates <ul><li>Does HIPAA “Directly” Apply to You? </li></ul><ul><li>Covered Entities </li></ul><ul><ul><li>Healthcare providers who transmit individually-identifiable health information in electronic form </li></ul></ul><ul><ul><li>Health plans (including self-funded health plans) </li></ul></ul><ul><ul><li>Healthcare clearinghouses </li></ul></ul><ul><li>Business Associates – entities performing activities “on behalf of” covered entities, i.e., one that “Provides legal, actuarial, accounting, consulting, data aggregation . . . management, administrative, accreditation, or financial services to or for such covered entity . . . involv[ing] the disclosure of individually identifiable health information from such covered entity . . . or from another BA.” </li></ul><ul><li>Hybrid Entities </li></ul>
    24. 24. Risk Area 1 – Obligations of/Breaches by Business Associates <ul><li>Covered entities – to an extent, are their brother’s keeper </li></ul><ul><ul><li>Must obtain satisfactory assurances that the B.A. will appropriately safeguard the information </li></ul></ul><ul><ul><li>No automatic liability for violation by B.A., but C.E. can’t avoid responsibility by intentionally ignoring problems with B.A. </li></ul></ul><ul><li>Pre-HIPAA Example: Weld v. CVS </li></ul><ul><ul><li>Alleged wrongful disclosure of medical information by CVS to a direct-marketing company in a patient-compliance program. </li></ul></ul><ul><ul><li>CVS and Elensys Care Services Inc. sent refill reminders and drug ads to CVS pharmacy customers. </li></ul></ul><ul><ul><li>CVS scanned databases for drug company criteria. Mailings sent on CVS letterhead; paid for by the drug manufacturers. </li></ul></ul>
    25. 25. Risk Area 2 – Failure to Follow One’s Privacy Policy/Procedures <ul><li>HIPAA Requirements: </li></ul><ul><li>HIPAA requires covered entities to adopt policies and procedures governing the protection of patient privacy. </li></ul><ul><li>HIPAA also requires that a Notice of Privacy Practices be given and that patients have the right to request restrictions on use and disclosure of their PHI. </li></ul><ul><li>Violations of a privacy policy are likely to result in state law claims for: </li></ul><ul><li>(i) negligence, (ii) breach of contract or (iii) misrepresentation </li></ul><ul><ul><li>Aetna – Health insurance claim forms from Aetna blew out of a truck on the way to a recycling center and scattered on I-84 in East Hartford during the evening rush hour. The forms should have been shredded under company policy. </li></ul></ul><ul><ul><li>Arkansas Dept. of Human Services (DHS) – Confidential Medicaid records were disclosed during the sale of surplus equipment twice in 6 months, violating the document destruction policy. </li></ul></ul><ul><ul><ul><li>10/01 - DHS’s sale of surplus computer storage drives with Medicaid records. </li></ul></ul></ul><ul><ul><ul><li>4/02 - DHS sold a file cabinet with Medicaid files inside. </li></ul></ul></ul>
    26. 26. Kentucky police told it's legal to name injured <ul><li>Kentucky attorney general ruled that HIPAA does not give police the legal authority to withhold from reports the names of people injured in accidents. </li></ul><ul><li>Official says records leak violated federal rules </li></ul><ul><ul><li>Leaked patient records include information about seven patients recently treated by firefighter-medics. </li></ul></ul><ul><ul><li>The records detail instances of substandard care administered by firefighter-medics. </li></ul></ul><ul><ul><li>Open records laws </li></ul></ul><ul><ul><ul><li>If not a CE – do not have to follow HIPAA </li></ul></ul></ul><ul><ul><ul><li>If a CE & disclosure is mandated by law – may comply with that law </li></ul></ul></ul><ul><ul><ul><li>If a CE & disclosure is merely permitted by law (not required) – not permissible under HIPAA </li></ul></ul></ul><ul><li>No charges against doctor who refused to draw blood </li></ul><ul><ul><li>Doctor refused to take a blood sample for a blood-alcohol level from a homicide suspect without the man’s consent in Minneapolis, where the suspect refused to voluntarily provide a sample </li></ul></ul>
    27. 27. Risk Area 2 – Marketing Under HIPAA’S Privacy Rule <ul><li>HIPAA Requires: </li></ul><ul><li>Communication about a product or service that encourages recipients to purchase or use it – Must disclose remuneration to the covered entity from a third party </li></ul><ul><li>Patient authorization is required for use or disclosure of PHI for marketing, unless an exception is available </li></ul><ul><li>Exceptions: </li></ul><ul><li>Face-to-face encounters </li></ul><ul><li>Promotional gift of nominal value </li></ul><ul><li>Communications describing health benefits </li></ul><ul><li>Communications to further treatment, for case management or care coordination, or to recommend alternative treatments or providers: prescriptions and referrals; disease management and wellness programs; prescription reminders; appointment notifications </li></ul><ul><li>Note: Under these exceptions, a covered entity may market health-related products and services on behalf of third parties </li></ul>
    28. 28. Risk Area 2 – Hindsight is 20/20 <ul><li>Walgreens </li></ul><ul><ul><li>Unsolicited samples of Prozac were distributed, some in a hand-addressed manila envelope from a Walgreens drugstore </li></ul></ul><ul><ul><li>Eli Lilly secured signed blank letters from doctors whose patients had taken Prozac (even if not currently taking it) </li></ul></ul><ul><ul><li>Walgreens mailed a one-month free trial of Prozac Weekly with a &quot;Dear Patient&quot; form letter – &quot;Congratulations on being one step closer to full recovery&quot; </li></ul></ul><ul><li>Action </li></ul><ul><ul><li>A woman recipient filed a class-action lawsuit stating that Walgreens, a local hospital, three doctors, and Prozac maker Eli Lilly misused her patient information and medical records and invaded her privacy </li></ul></ul><ul><ul><li>The woman said she once took Prozac many, many years ago, but had a bad side effect and does not take it currently; moreover, although she lives in and received the sample in Florida, the original prescription was filled at a Walgreens in New England </li></ul></ul><ul><ul><li>But what about today? </li></ul></ul>
    29. 29. Privacy Rights Group Sues Albertsons for Illegally Selling Pharmacy Customers' Information <ul><li>The Privacy Rights Clearinghouse </li></ul><ul><li>Charging Albertsons, 2nd largest supermarket chain & 5th largest drugstore retailer in the US, with violating the privacy rights of thousands of customers by illegally selling their confidential prescription information to drug companies. </li></ul><ul><li>Aventis, Schering-Plough, AstraZeneca, TAP Pharmaceutical Products, Eli Lilly, Novartis, Wyeth, Procter & Gamble, Teva Pharmaceutical, GlaxoSmithKline, Merck, Allergan, Bristol-Myers Squibb, Pfizer, Galderma, and Otsuka America Pharmaceuticals. </li></ul><ul><li>California (other states) &quot;reminder&quot; communications are: 1) deceptive and false – they conceal the true motive of raising increased revenue for the drug companies and pharmacies involved, and are not just a friendly reminder to refill a prescription; 2) the communications violate California laws that specifically safeguard medical confidentiality absent written authorization from the customer; 3) the practices ultimately violate state privacy laws by disregarding a citizen's right to just be left alone. </li></ul>
    30. 30. Risk Area 3 -- Security -- It's 10 o'clock, do you know where your data is? <ul><li>HIPAA Security standard requires reasonable and appropriate administrative, technical, and physical safeguards to: </li></ul><ul><ul><ul><li>ensure the integrity & confidentiality of information; </li></ul></ul></ul><ul><ul><ul><li>protect against any reasonably anticipated </li></ul></ul></ul><ul><ul><ul><ul><li>threats or hazards to the security or integrity of the information; and </li></ul></ul></ul></ul><ul><ul><ul><ul><li>unauthorized uses or disclosures of the information; and </li></ul></ul></ul></ul><ul><ul><ul><li>otherwise ensure compliance by officers and employees. </li></ul></ul></ul>
    31. 31. Risk Area 3 – Pre-HIPAA Security Breach Examples – Oh, no! I hit “cc” instead of “bcc” <ul><li>National Enquirer: “Singer Tammy Wynette needs liver transplant.” </li></ul><ul><ul><li>Information incorrect, and obtained illegally. Settled out of court. </li></ul></ul><ul><ul><li>Pittsburgh University Medical Center employee who faxed the singer’s medical records to the tabloid for $2,610 pleaded guilty to wire fraud and was sentenced to six months in prison. </li></ul></ul><ul><li>University of Montana: Hundreds of psychological records of 62 children and teenagers were accidentally posted on the UM web site for 8 days. </li></ul><ul><li>Medlantic Healthcare Group: Part-time, unauthorized employee accessed and discussed with co-workers a patient’s HIV status. $250,000 in damages. </li></ul><ul><li>Eli Lilly & Company. </li></ul>
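The Medi-Messenger message on slide 18 and the “cc instead of bcc” caption describe one failure mode: a bulk notice whose subscriber list sits in a visible header, so every recipient learns who else receives it. The following Python is an added example (not from the presentation or from PwC) of a pre-send check for exactly that condition; the sender address, subscriber list, subject and the `transport` callable are constructed placeholders.

```python
"""Pre-send guard against the mass-disclosure failure mode on these slides:
a bulk notice whose whole subscriber list sits in To: or Cc: tells every
recipient who else is on the list.  Added example; the sender, subscriber
addresses and subject below are constructed placeholders."""
from collections import Counter
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "reminders@pharma.example"          # constructed placeholder
SUBSCRIBERS = [                               # constructed placeholder list
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
    "dave@example.com",
]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read in the delivered headers (To and Cc).
    Bcc is not counted here: it must not be on the delivered message at all,
    which check_recipient_exposure verifies separately."""
    pairs = []
    for field in ("To", "Cc"):
        pairs.extend(getaddresses([str(v) for v in msg.get_all(field, [])]))
    return [addr.lower() for _, addr in pairs if addr]


def exposed_domains(addresses: list[str]) -> Counter:
    """Per-domain count: the '@aol.com, @hotmail.com, ...' roll-call of the
    original incident, in the summary form an incident report needs."""
    return Counter(addr.rsplit("@", 1)[-1] for addr in addresses)


def check_recipient_exposure(msg: EmailMessage, sender: str) -> list[str]:
    """Policy findings for a bulk notice; an empty list means it may be sent.
    Rule 1: no address other than the sender's own is visible in To:/Cc:.
    Rule 2: no Bcc header remains on the message.  smtplib.send_message()
    strips Bcc, but a message handed to another transport may keep it."""
    findings = []
    others = [a for a in visible_recipients(msg) if a != sender.lower()]
    if others:
        domains = ", ".join(sorted(exposed_domains(others)))
        findings.append(f"{len(others)} subscriber address(es) visible in "
                        f"To:/Cc: (domains: {domains})")
    if msg.get_all("Bcc"):
        findings.append("Bcc header present; pass hidden recipients as SMTP "
                        "envelope recipients instead")
    return findings


def build_notice(sender: str, subscribers: list[str], subject: str,
                 body: str, hide_recipients: bool = True):
    """Return (message, envelope_recipients) for one notice to the whole list.
    hide_recipients=True puts the list only in the SMTP envelope and shows the
    sender's own address in To:; False reproduces the failure mode."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    msg["To"] = sender if hide_recipients else ", ".join(subscribers)
    return msg, list(subscribers)


def send_if_safe(msg, envelope, sender, transport):
    """Gate: refuse to hand the message to `transport` when findings exist.
    `transport(msg, envelope)` is whatever actually sends, e.g. a wrapper
    around smtplib.SMTP.send_message(msg, to_addrs=envelope)."""
    findings = check_recipient_exposure(msg, sender)
    if findings:
        return False, findings
    transport(msg, envelope)
    return True, []


if __name__ == "__main__":
    body = "Based on your feedback, the reminder service has been discontinued."
    sent = []
    for hide in (False, True):
        msg, env = build_notice(SENDER, SUBSCRIBERS, "Medi-Messenger", body, hide)
        ok, why = send_if_safe(msg, env, SENDER,
                               lambda m, e: sent.append((m["To"], list(e))))
        print("hide_recipients=%s -> sent=%s %s" % (hide, ok, why))
```

The gate only reads headers the recipient would see, so the same check can run as a transport-side filter in front of any bulk-notification tool, not just the one that built the message.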
    32. 32. Risk Area 3 – Pre-HIPAA Security Breach Examples <ul><li>Means: </li></ul><ul><li>Managing new and complex legislative and regulatory requirements </li></ul><ul><li>Addressing increased customer and governmental scrutiny </li></ul><ul><li>Designing and implementing personal information management practices that: </li></ul><ul><ul><li>Differentiate the organization from its competitors </li></ul></ul><ul><ul><li>Enable new business processes, marketing channels and relationship-building techniques </li></ul></ul><ul><li>Goals: </li></ul><ul><li>Protecting a Trusted Brand </li></ul><ul><li>Managing Risks </li></ul><ul><li>Building Long-Term Value </li></ul>
    33. 33. SEATTLE MAN PLEADS GUILTY IN FIRST EVER CONVICTION FOR HIPAA RULES VIOLATION GIBSON admitted that he obtained a cancer patient's name, date of birth and social security number while GIBSON was employed at the Seattle Cancer Care Alliance, and that he disclosed that information to get four credit cards in the patient's name. GIBSON also admitted that he used several of those cards to rack up more than $9,000 in debt in the patient's name. GIBSON admitted he used the cards to purchase various items, including video games, home improvement supplies, apparel, jewelry, porcelain figurines, groceries and gasoline for his personal use. GIBSON was fired shortly after the identity theft was discovered.
    34. 34. Identity Theft <ul><li>FTC Complaints: </li></ul><ul><ul><li>2000: 31,000 </li></ul></ul><ul><ul><li>2001: 86,000 </li></ul></ul><ul><ul><li>2002: 162,000 </li></ul></ul><ul><ul><li>2003: 214,000 </li></ul></ul><ul><ul><li>Top consumer fraud complaint in 2002 </li></ul></ul><ul><ul><li>30% growth predicted going forward </li></ul></ul><ul><ul><li>Estimated 9.9 million victims in 2002 </li></ul></ul><ul><li>Average impact: </li></ul><ul><ul><li>$1500 </li></ul></ul><ul><ul><li>175 hours of clean up </li></ul></ul><ul><ul><li>credit disruptions </li></ul></ul><ul><li>Cost to consumers = $5 billion </li></ul><ul><li>Cost to industry = $48 billion </li></ul><ul><li>42% of complaints involve credit card fraud </li></ul>Identity theft coverage now available
    35. 35. United States v. Richard Gibson <ul><li>Charge: Wrongful Disclosure of Individually Identifiable Health Information </li></ul><ul><li>Elements of Offense: </li></ul><ul><ul><li>Disclosed to another person IIHI relating to an individual </li></ul></ul><ul><ul><li>Made the disclosure knowingly; </li></ul></ul><ul><ul><li>Made disclosure for non-permitted purposes; </li></ul></ul><ul><ul><li>Made disclosures with intent to use IIHI for personal gain. </li></ul></ul><ul><li>Penalty </li></ul><ul><ul><li>Imprisonment of up to 10 years </li></ul></ul><ul><ul><li>Fine of up to $200,000 </li></ul></ul><ul><ul><li>Supervision of up to 3 years </li></ul></ul><ul><ul><li>Probation of up to 5 years </li></ul></ul><ul><ul><li>Penalty Assessment of $100 to be paid at or before sentencing </li></ul></ul><ul><ul><li>But who’s the covered entity? </li></ul></ul>
    36. 36. Security -- Challenges of Inclusion and Exclusion <ul><li>Increased: </li></ul><ul><ul><li>Identities </li></ul></ul><ul><ul><li>Control Requirements </li></ul></ul><ul><ul><li>Complexity </li></ul></ul><ul><li>Increased: </li></ul><ul><ul><li>Threats </li></ul></ul><ul><ul><li>Vulnerabilities </li></ul></ul><ul><ul><li>Complexity </li></ul></ul>
    37. 37. The Global Picture <ul><li>Sample of Data Protection Laws Around the World </li></ul><ul><li>The EU Data Protection Directive & comparable privacy legislation by 25 member states </li></ul><ul><ul><li>Based on the OECD (Organisation for Economic Cooperation and Development) 7 principles </li></ul></ul><ul><ul><li>Notice, Choice, Onward Transfer, Security, Data Integrity, Access, Enforcement </li></ul></ul><ul><li>Foreign Encryption Laws (U.S., Canada, France, Israel, Russia, China, etc.) </li></ul><ul><li>Switzerland - Federal Act on Data Protection (1992) </li></ul><ul><li>Hungary - Protection of Personal Data and Disclosure of Data of Public Interest (1992) </li></ul><ul><li>Canada - Personal Information Protection and Electronic Documents Act (2000) </li></ul><ul><li>Argentina - Personal Data Protection Act (2000) </li></ul><ul><li>Chile - Law for the Protection of Private Life (1999) </li></ul><ul><li>Australia - Privacy Amendment (Private Sector) Act (2000) </li></ul><ul><li>Hong Kong - The Personal Data (Privacy) Ordinance (1996) </li></ul><ul><li>New Zealand - Federal Privacy Act (1993) </li></ul><ul><li>Japan - Personal Data Protection Law (2003) </li></ul><ul><li>Ireland - Data Protection Act (1998, revised 2003) </li></ul><ul><li>Czech Republic - Act on Protection of Personal Data (2000) </li></ul><ul><li>and more… </li></ul>Recent privacy legislation (Australia, Hong Kong, Canada) is trending toward EU-style privacy regulation and away from U.S. sectoral/data elements-based models
    38. 38. EU Data Protection Directive Main Requirements <ul><li>Information processed lawfully & fairly </li></ul><ul><li>Legitimate, specified and explicit data processing </li></ul><ul><li>Information kept accurate and up to date </li></ul><ul><li>Individual rights to access their information </li></ul><ul><li>Confidentiality & security of information </li></ul>KEY IMPLICATION - Restricts the transfer of personal information to 3rd countries that do not have “adequate” protection. The US does not meet this “adequacy” requirement How will EU data be legally accessed, transferred and warehoused in the U.S.? Transborder Data Flows
    39. 39. EU Privacy Enforcement Actions <ul><li>May 2001 - Spanish government fined Microsoft for improperly transferring employee data from Spain to a web server located in the U.S. Microsoft was able to have fines reduced from several hundred thousand dollars to about $57,000 </li></ul><ul><li>April 2001 - Madrid court ruled against NCR for dismissing an employee on the basis of information obtained when the employee's computer was remotely accessed from the U.S. Besides violating the employee's privacy rights, the court found that the company had breached legal protections for union activities. </li></ul><ul><li>April 2001 - Four Spanish directors of Deutsche Bank faced imprisonment over the company's unlawful interception of employee e-mail. A worker fired by the bank on the basis of information contained in his e-mail had previously won a case overturning the dismissal, and was given the right to seek the prison sentences. </li></ul><ul><li>June 1997 – Telefonica paid $660,000 to the Spanish government to settle cases of data misuse because they provided information from their subscriber database to banks, direct marketing companies and Reader's Digest. </li></ul><ul><li>May 1995 - Swedish DPA instructed American Airlines to delete all health and medical details about Swedish passengers after each flight, unless &quot;explicit consent&quot; could be obtained. AA was also restricted from transferring customer information from Sweden to its SABRE reservation system in the United States. American Airlines lost the first round of its lawsuit challenging the law - the court also ruled that the U.S. didn't have adequate privacy protection. </li></ul><ul><li>Sweden reportedly prohibited the transfer of a credit registry database from Dun & Bradstreet's Swedish affiliate back to the D&B U.S. affiliate on the grounds that the registry contained financial information on Swedish citizens. According to reports, only after joining Safe Harbor did D&B guarantee uninterrupted data flow between its affiliated entities. </li></ul>
    40. 40. Globalization <ul><li>Global Data Management – the recent effectiveness of several EU and other international privacy directives and the political attention paid to data protection and outsourcing practices have heightened the desire of many organizations to focus on international employee, customer and vendor privacy & data management. </li></ul><ul><li>More companies are considering international data transfer and Safe Harbor (or exceptions and alternatives) for several types of data: </li></ul><ul><li>The environment for conducting clinical trials is changing – Globalization & Increasing Outsourcing to CROs and Others </li></ul><ul><ul><li>The industry faces continued increasing pressure to manage costs, including compliance costs, and safely accelerate clinical trial completion to maximize patent value and exclusivity. </li></ul></ul><ul><ul><li>Increased delegation of study design and execution to outsourced service providers (i.e., CROs & SMOs). </li></ul></ul><ul><ul><li>Increased globalization of research conduct, especially given the dearth of study subjects. </li></ul></ul><ul><ul><li>Data protection and integrity concerns must be mitigated as new technologies are adopted (electronic data collection (EDC), electronic submissions/validation, adverse event reporting). </li></ul></ul><ul><li>Unique privacy issues involved in the employer/employee relationship: </li></ul><ul><ul><li>Performance reviews, evaluation data – is this personal information as defined by law? </li></ul></ul><ul><ul><li>Employee choice over information handling – how much is too much? </li></ul></ul><ul><ul><li>Obtaining employee consent for use of data </li></ul></ul><ul><ul><li>Use of Social Security Number or other national identifiers </li></ul></ul><ul><ul><li>Access to health-related information through benefit plans, onsite medical facilities </li></ul></ul><ul><ul><li>Increased scrutiny over surveillance of employees in the workplace and employee email, Internet use, hard drives </li></ul></ul>
    41. 41. Joining the Safe Harbor <ul><li>Companies Include: </li></ul><ul><ul><li>Disney Consumer Products, Microsoft, General Motors, Bacardi, PepsiCo, Polo Ralph Lauren, Publishers Clearing House </li></ul></ul><ul><li>Safe Harbor Benefits </li></ul><ul><ul><li>All 25 Member States of the EU will be bound by the EU Commission’s finding of adequacy; </li></ul></ul><ul><ul><li>Uninterrupted data flows & waiver of country data transfer pre-approval requirements; </li></ul></ul><ul><ul><li>Claims brought by EU citizens against US companies will be heard in the US, subject to limited exceptions. </li></ul></ul><ul><ul><li>The safe harbor framework offers a simpler and cheaper means of complying with the adequacy requirements of the Directive. </li></ul></ul><ul><li>Safe Harbor Drawbacks </li></ul><ul><ul><li>Failure to comply with the Safe Harbor requirements could expose an organization to federal civil and criminal liability; </li></ul></ul><ul><ul><li>Safe Harbor companies must annually certify verification of ongoing compliance. </li></ul></ul><ul><li>Key Factor to Success </li></ul><ul><ul><li>Ongoing safe harbor compliance costs vary widely, in part based on the soundness of the safe harbor infrastructure put in place originally. Transparency and sustainability are critical features to consider and install to ensure an effective compliance process exists in the years ahead. </li></ul></ul>
    42. 42. Other U.S. Responses to EU Data Directive <ul><li>Model Contracts </li></ul><ul><ul><li>do not require public registration </li></ul></ul><ul><ul><li>governed by individual Member State law </li></ul></ul><ul><ul><li>more restrictive around purpose </li></ul></ul><ul><li>Ad Hoc or Processor Contracts </li></ul><ul><ul><li>require DPA approval, including additional purpose </li></ul></ul><ul><ul><li>individually negotiated by country / exporter </li></ul></ul><ul><li>Consent </li></ul><ul><ul><li>requires “unambiguous” consent from employees / individuals </li></ul></ul><ul><ul><li>explicit consent for sensitive data, and data transfers outside EU </li></ul></ul><ul><li>Binding Corporate Rules </li></ul><ul><ul><li>alternative to other mechanisms allows for more appropriate rules based on organization structure </li></ul></ul><ul><ul><li>allows coordinated DPA approval </li></ul></ul>
    43. 43. Difficult Data Management Issues <ul><li>Enterprise and global approaches sought </li></ul><ul><li>New models promoting privacy, security, integrity, values-based culture and appropriate checks and balances </li></ul><ul><li>People, process and technology strategically aligned to achieve enterprise privacy governance, risk & compliance management objectives </li></ul><ul><li>Leveraging technology to manage complexity </li></ul><ul><li>Investigate these trends to drive more efficient and better controlled business processes (i.e., performance improvement). </li></ul><ul><ul><li>Enterprise Risk-Based Privacy Management Framework </li></ul></ul><ul><ul><li>Data Inventory, Flow Mapping & Risk Assessment </li></ul></ul><ul><ul><li>Enterprise-Wide/Global Privacy Principles, Policies, Controls, Resources & Training </li></ul></ul><ul><ul><li>Cross-Channel, Centralized, Enterprise-Wide Preference Management & CRM Strategies </li></ul></ul><ul><ul><li>Enterprise-Wide Compliance Assessment, Monitoring/Testing, Auditing & Benchmarking </li></ul></ul><ul><ul><li>3rd Party Sharing, Outsourcing and Vendor Management (Assessment/Monitoring & Contracting) </li></ul></ul><ul><ul><li>Privacy Impact Assessment Process </li></ul></ul><ul><ul><li>Data Tagging and Tracking (Auditing/Forensic Uses) </li></ul></ul><ul><ul><li>Need for a Data Tsar – US Version of EU Data Controller </li></ul></ul><ul><ul><li>Authentication and Identity Management </li></ul></ul><ul><ul><li>Privacy Governance/Infrastructure and Relationship to the Business, Legal/Risk Management, and Technical and Physical Security </li></ul></ul>Common Issues Requiring New Models & Enterprise-Wide Solutions
    44. 44. Privacy Strategy Spectrum [figure: a spectrum running from Compliance and Prevention through Operating Performance to Stakeholder Value Enhancement, plotted as Realization of Potential Value against Resource Investments] <ul><li>Act on Opportunity </li></ul><ul><ul><li>Enhance and protect brand and reputation </li></ul></ul><ul><ul><li>Assure trust and confidence by consumer and business partners </li></ul></ul><ul><ul><li>Implement responsible customer relationship management </li></ul></ul><ul><li>Avoid Risk </li></ul><ul><ul><li>Legal liability </li></ul></ul><ul><ul><li>Fines/penalties </li></ul></ul><ul><ul><li>Reputation risk </li></ul></ul><ul><ul><li>Adverse publicity </li></ul></ul><ul><li>Enhance Operations </li></ul><ul><ul><li>Standardize Processes </li></ul></ul><ul><ul><li>Uninterrupted Data Flows </li></ul></ul>
    45. 45. PwC Governance Survey Results
    46. 46. 1. CPO Position <ul><li>Maturation of the Privacy Officer Position </li></ul><ul><ul><li>83% of respondents indicated they hold the Chief Privacy Officer or equivalent position </li></ul></ul><ul><ul><ul><ul><li>The other titles included Chief Compliance Officer, Integrity Assurance and Information Protection. </li></ul></ul></ul></ul><ul><ul><ul><ul><li>The P&AB 10/2001 survey of privacy professionals noted 61% of respondents held a title of Chief Privacy Officer or an equivalent. </li></ul></ul></ul></ul><ul><ul><ul><ul><li>In contrast, the 2003 CIO / PwC survey of IT professionals indicated only 27% of financial services companies and 18% of non-financial services companies employed a Chief Privacy Officer, Data Protection Officer or similar. </li></ul></ul></ul></ul>
    47. 47. 2. Reporting Structures <ul><li>Varying structures exist based on business model and culture: </li></ul><ul><ul><li>Legal 56%, Compliance 22%, Government Affairs 9% with other structures being split evenly. </li></ul></ul><ul><li>Greater Alignment with Information Security and the Business </li></ul><ul><ul><li>At least one-quarter discussed the idea of reorganizing the privacy function to better coordinate with information security function through either direct reporting, via cross-functional committees or indirect reporting between the two functions. </li></ul></ul><ul><ul><li>A number of CPOs acknowledged the need for closer/better relations with business units. </li></ul></ul><ul><li>Dual Reporting is an emerging trend </li></ul><ul><ul><li>27% had an existing dual reporting line that included various combinations of Legal/ Compliance/Risk Management/CIO and CFO. </li></ul></ul>
    48. 48. 3. Top Priorities Going Forward [figure] <ul><li>Identity Management </li></ul><ul><li>Vetting and Monitoring Third Party Vendors </li></ul><ul><li>Risk / Vulnerability Assessments </li></ul><ul><li>Local and Global Regulatory Compliance </li></ul><ul><li>Training – Security </li></ul><ul><li>Training – Privacy </li></ul>
    49. 49. 4. Privacy Office & Budget <ul><li>Growth in Privacy FTE Headcount (and Consultants) – FTE Count, P&AB (2001) vs. CPO Survey (2003): </li></ul><ul><ul><li>10+ FTE: 0% vs. 11% </li></ul></ul><ul><ul><li>5-9 FTE: 16% vs. 33% </li></ul></ul><ul><ul><li>2-4 FTE: 40% vs. 28% </li></ul></ul><ul><ul><li>1 FTE: 37% vs. 11% </li></ul></ul><ul><ul><li>None: 7% vs. 17% </li></ul></ul><ul><li>Annual Project Budgets – Privacy Budget Range (CPO Survey, 2003): </li></ul><ul><ul><li>$10 – 500 million: 0% </li></ul></ul><ul><ul><li>$5 – 10 million: 11% </li></ul></ul><ul><ul><li>$1 – 5 million: 33% </li></ul></ul><ul><ul><li>$500,000 – 1 million: 22% </li></ul></ul><ul><ul><li>0 – $500,000: 11% </li></ul></ul><ul><ul><li>No Response: 23% </li></ul></ul>
    50. 50. What Others are Doing . . .
    51. 51. What Others are Doing… <ul><li>Reconsidering and/or Assessing </li></ul><ul><ul><li>Sales & Marketing Communications </li></ul></ul><ul><ul><li>Clinical Privacy Compliance </li></ul></ul><ul><ul><li>Global Context – EU Safe Harbor, Model Contracts </li></ul></ul><ul><ul><li>3rd Party Vendor Assessments </li></ul></ul><ul><ul><li>Employee Privacy Policy & Data Management </li></ul></ul><ul><ul><li>Privacy Risk Scorecards (Risk Based Overview with Best Practices Benchmarked) </li></ul></ul><ul><li>Building an Effective and Efficient Compliance Framework </li></ul><ul><ul><li>Data Mapping, Diagramming Flows and Identifying Risk Trigger Points </li></ul></ul><ul><ul><li>Risk Assessment and gap analysis reporting </li></ul></ul><ul><ul><li>Building compliance and accountability into business units and shared services (e.g., IT, HR) </li></ul></ul><ul><ul><li>Compliance monitoring and audit </li></ul></ul><ul><li>Other Strategies </li></ul><ul><ul><li>Leverage tactical issues to invest in strategic issues </li></ul></ul><ul><ul><li>Building internal privacy assessment and monitoring functions </li></ul></ul><ul><ul><li>Implement Enterprise-Wide Risk Management Framework </li></ul></ul><ul><ul><ul><li>Privacy & General Governance Study </li></ul></ul></ul>
    52. 52. Responsible Privacy Practices
    53. 53. Many Elements to Privacy Compliance
    54. 54. Some Privacy Compliance Drivers
    55. 55. Some Privacy Compliance Drivers <ul><li>The drivers will vary dramatically for each organization, and the different components that need to be analysed in detail include: </li></ul><ul><li>Rules - legislation, regulation, guidance, industry standards/best practices, corporate policies across different jurisdictions </li></ul><ul><li>Markets - globalisation, competitors </li></ul><ul><li>Stakeholders - customers and suppliers, advocates and media, third party/business partners, employees </li></ul><ul><li>Technology - the use of the Internet and sophisticated data capture, storage and security technologies </li></ul><ul><li>Goals: </li></ul><ul><li>Protecting a Trusted Brand </li></ul><ul><li>Managing Risks </li></ul><ul><li>Building Long-Term Value </li></ul>
    56. 56. A Framework for Privacy Compliance
    57. 57. Benefits of Good Privacy Practices [figure] <ul><li>Responsible Privacy Practices: </li></ul><ul><ul><li>Brand Protection </li></ul></ul><ul><ul><li>Customer Trust & Confidence </li></ul></ul><ul><ul><li>Customer Loyalty </li></ul></ul><ul><ul><li>Shareholder value </li></ul></ul><ul><ul><li>Responsible Customer Relationship Management </li></ul></ul><ul><ul><li>Business Partner Confidence </li></ul></ul><ul><ul><li>Differentiation from Competitors </li></ul></ul><ul><li>Privacy Breach: </li></ul><ul><ul><li>Litigation </li></ul></ul><ul><ul><li>Reputation Damage </li></ul></ul><ul><ul><li>Interrupted Data Flows </li></ul></ul><ul><ul><li>Case for Regulation </li></ul></ul><ul><ul><li>Unwanted Attention </li></ul></ul>
    58. 58. Questions? Kim P. Gunter, J.D., LL.M. Senior Consultant, Privacy Practice (267) 330-4026 [email_address]
    59. 59. PwC – The Leader in Privacy © 2004 PricewaterhouseCoopers LLP. All rights reserved. &quot;PricewaterhouseCoopers&quot; refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as the context requires, other member firms of PricewaterhouseCoopers International Ltd., each of which is a separate and independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP. IDC, the premier global market intelligence and advisory firm in the information technology and telecommunications industries ranked PwC as an &quot;Outperformer&quot; with respect to their service offerings and growth potential, according to the IDC report, The Shifting Landscape: U.S. Information Security Services, 2003. PricewaterhouseCoopers is ranked as the leading professional services firm providing information security and data privacy services to Global 2000 organizations. IDC, The Shifting Landscape: U.S. Information Security Services, 2003. PricewaterhouseCoopers has an extensive privacy consulting practice (Forrester, Market Overview: Privacy Management Technologies, February, 2003)