4th Annual Enterprise Security Asia Conference February 2007, Kuala Lumpur, Malaysia Bright Ideas on Business Privacy Stephen Cobb, CISSP Cobb Associates.
Posted on 16-Dec-2015
Cobb Associates, cobbassociates.com
Copyright 2007 Stephen Cobb
Slide 2 of 13
The Privacy Meter
What’s Your Privacy Rating?
Open
• Don’t ever care who has access to their personal data
• Will share most of their data most of the time
• May share some of their data sometimes
• Want tight controls over their personal data at all times
Closed
(Note: There is no “correct” rating)
Slide 3 of 13
Personally Identifiable Information
• Information that relates to an individual who can be identified, directly or indirectly, from the data, particularly by reference to an identification number or aspects of his or her physical, mental, economic, cultural, or social identity.
• Which one or two of the following are your greatest concerns over the next century?
– Loss of privacy 29%
– Overpopulation 23%
– Terrorist acts 23%
– Racial tensions 17%
– World War 16%
– Global warming 14%
– Economic depression 13%
• NBC News/WSJ poll, Sept. 1999
Slide 4 of 13
The Privacy Challenge
• Remember when cars were the greatest thing?
– Then came smog, the oil crisis, etc.
• Remember when computers were the greatest?
– Then came security holes and the privacy crisis
• The amount of information computerized in the last 10 years is staggering, and connectivity has exploded
• Not everyone is happy with all the uses to which those data have been put, particularly the way some companies have used PII
– personally identifiable information
Slide 5 of 13
Privacy Was Front Page News Before 9/11
Slide 6 of 13
Privacy Concerns Are Clearly Increasing
Fundamentalists want more privacy rules.
Pragmatists favor self-regulation.
Survey of 1500 consumers by Privacy and American Business
Slide 7 of 13
Eli Lilly Case
• As part of prozac.com, Lilly sent individual email reminders to 700 people who had signed up for its reminder service
• Lilly discontinued the service and sent the notice to the entire list using “cc” rather than “bcc”, revealing every recipient’s address to all the others
• The FTC investigated it as an “unfair or deceptive trade practice” because customers had been led to believe that their identities would be kept confidential
• The incident was not “intentional” but resulted from a lack of privacy awareness and poor security practices in the programming department
• The settlement requires 10 years of FTC oversight and an annual security review by a third party (CISSP)
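The cc-everyone mistake described on this slide is a programming defect, and it is cheap to make impossible. The following is an added example, not Lilly’s code or anything from the FTC record: it builds the leaky one-message-with-everyone-in-Cc notice beside a one-message-per-recipient version, and puts a pre-send gate in front of the MTA that refuses any message whose recipient headers name more than one subscriber. The sender address, subject and subscriber list are constructed for the example; nothing is sent.

```python
"""Bulk notice without recipient disclosure: the cc-everyone pattern beside a
per-recipient pattern, plus a pre-send gate. Added example; addresses below are
constructed and no mail is actually sent."""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "reminders@example.com"  # assumed sender address, not from the talk
SUBJECT = "Reminder service discontinued"
BODY = "The reminder service has been discontinued. Thank you for using it."

# Constructed stand-in for the subscriber list.
SUBSCRIBERS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def build_notice_leaky(recipients):
    """The mistake: one message whose Cc header carries the whole list, so
    every recipient sees every other recipient's address."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg


def build_notices_safe(recipients):
    """One message per recipient: no header ever names a second subscriber,
    so there is nothing for a mail client or MTA to disclose."""
    notices = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        msg["Subject"] = SUBJECT
        msg.set_content(BODY)
        notices.append(msg)
    return notices


def visible_recipients(msg):
    """All addresses in the recipient headers as they would go on the wire.
    Bcc is included on purpose: it leaks if the message is serialised with
    as_string() and handed to SMTP.sendmail() instead of send_message()."""
    values = [str(h) for field in ("To", "Cc", "Bcc") for h in msg.get_all(field, [])]
    return {addr.lower() for _name, addr in getaddresses(values) if addr}


def exposed_subscribers(msg, subscribers):
    """Subscriber addresses that a reader of this message could learn."""
    return visible_recipients(msg) & {s.lower() for s in subscribers}


def gate_before_send(notices, subscribers):
    """Pre-send check: raise if any message reveals more than one subscriber,
    otherwise return the serialised messages ready for the MTA."""
    wire = []
    for msg in notices:
        exposed = exposed_subscribers(msg, subscribers)
        if len(exposed) > 1:
            raise ValueError(f"message discloses {len(exposed)} subscribers: {sorted(exposed)}")
        wire.append(msg.as_string())
    return wire


def gate_refuses(notices, subscribers):
    """True if the gate would reject this batch."""
    try:
        gate_before_send(notices, subscribers)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    leaky = build_notice_leaky(SUBSCRIBERS)
    print("leaky message exposes:", sorted(exposed_subscribers(leaky, SUBSCRIBERS)))
    print("gate refuses leaky batch:", gate_refuses([leaky], SUBSCRIBERS))
    safe = build_notices_safe(SUBSCRIBERS)
    print("safe batch passes gate:", len(gate_before_send(safe, SUBSCRIBERS)), "messages")
```

The gate deliberately counts Bcc as visible. `smtplib.SMTP.send_message` strips Bcc headers before transmission, but code that serialises the message itself and calls `SMTP.sendmail` does not, so a gate that trusts Bcc would pass a message that leaks depending on which send call a later maintainer uses. Sending one message per recipient removes the dependency entirely.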
Slide 8 of 13
Cost of “A Privacy Blowout”
- Forrester Research, Feb 2001 Report (www.forrester.com)
Slide 9 of 13
Millions of Dollars Are at Stake
• In 2006, data breaches cost an average of $182 per compromised record (Ponemon Institute)
• Royal Bank of Canada calculated shareholder value of consumer and retail business at $9 billion
• RBC took a privacy positive stance, re-engineered its IT systems to track customer privacy preferences, respected by all bank departments, affiliates
• RBC determined that privacy drives 7% of demand for the bank’s consumer/retail business
• That values privacy at 7% of $9 billion, or $630 million!
Slide 10 of 13
Seven basic privacy principles
1. Notice: Organizations must notify individuals about the purposes for which they collect and use information about them.
2. Choice: Organizations must give individuals the opportunity to choose (opt out)
3. Onward Transfer (Transfers to Third Parties): To disclose information to a third party, organizations must apply the notice and choice principles.
4. Access: Individuals must have access to personal information... and be able to correct, amend, or delete that information where it is inaccurate
Slide 11 of 13
Seven basic privacy principles
5. Security: reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
6. Data integrity: data must be relevant for the purposes used...and reliable for its intended use, accurate, complete, and current.
7. Enforcement: to ensure compliance, there must be (a) readily available and affordable independent recourse mechanisms; (b) procedures for verifying that the commitments to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles.
Slide 12 of 13
3-step privacy program
• Target
– Find current privacy exposures and prioritize
– Talk to department heads, map data flows, ask questions, especially of marketing
• Treat
– Make necessary changes and then institute policies and procedures to prevent recurrence
• Train
– Make sure everyone understands the importance of privacy, especially anyone who touches PII
– This goes a lot further than customer service, e.g. contracts, programming, product development
Slide 13 of 13
Thank you!
• Stephen Cobb
• cobbassociates.com
• sc at cobbassociates dot com