4th Annual Enterprise Security Asia Conference February 2007, Kuala Lumpur, Malaysia Bright Ideas on Business Privacy Stephen Cobb, CISSP Cobb Associates

Dec 16, 2015

Slide 1 of 13

Bright Ideas on Business Privacy

Stephen Cobb, CISSP, Cobb Associates

Cobb Associates, cobbassociates.com
Copyright 2007 Stephen Cobb

Slide 2 of 13

What’s Your Privacy Rating?

The Privacy Meter, from Closed to Open:

• Closed: want tight controls over their personal data at all times
• May share some of their data sometimes
• Will share most of their data most of the time
• Open: don’t ever care who has access to their personal data

(Note: There is no “correct” rating)

Slide 3 of 13

Personally Identifiable Information

• Information that relates to an individual who can be identified, directly or indirectly, from the data, particularly by reference to an identification number or aspects of his or her physical, mental, economic, cultural, or social identity.

• Which one or two of the following are your greatest concerns over the next century?
– Loss of privacy 29%
– Overpopulation 23%
– Terrorist acts 23%
– Racial tensions 17%
– World War 16%
– Global warming 14%
– Economic depression 13%

• Source: NBC News/WSJ poll, Sept. 1999

Slide 4 of 13

The Privacy Challenge

• Remember when cars were the greatest thing?
– Then came smog, the oil crisis, etc.

• Remember when computers were the greatest?
– Then came security holes and the privacy crisis

• The amount of information computerized in the last 10 years is staggering, and connectivity has exploded

• Not everyone is happy with all the uses to which those data have been put, particularly the way some companies have used PII (personally identifiable information)

Slide 5 of 13

Privacy Was Front Page News Before 9/11

Slide 6 of 13

Privacy Concerns Are Clearly Increasing

Fundamentalists want more privacy rules.

Pragmatists favor self-regulation.

Survey of 1500 consumers by Privacy and American Business

Slide 7 of 13

Eli Lilly Case

• As part of prozac.com, Lilly sent individual email reminders to 700 people who used its reminder service

• Lilly discontinued the service and sent notice to the entire list using “cc” rather than “bcc”, thus revealing the addresses of all recipients to every recipient

• The FTC investigated it as an “unfair or deceptive trade practice” because customers had been led to believe that their identities would be kept secret

• The incident was not “intentional” but occurred because of a lack of privacy awareness and poor security practices in the programming department

• The settlement requires 10 years of FTC oversight and an annual security review by a third party (CISSP)
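As an added example (not from the slides, and not Lilly’s code), here is the mistake described on this slide next to the way a programming department should send the same notice, using Python’s standard email library. The subscriber addresses and the sender address are constructed sample data; the pre-send guard is one the slide does not describe and is shown as a suggested control.

```python
"""Added example: a 'cc' mass mailing leaks every recipient's address;
sending one message per recipient (plus a pre-send guard) does not.
All addresses below are constructed sample data."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample subscriber list; not real addresses.
SUBSCRIBERS = [
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
]
SENDER = "reminders@example.com"  # assumed sender address

NOTICE_SUBJECT = "Reminder service discontinued"
NOTICE_BODY = "The reminder service has been discontinued."


def build_leaky_notice(subscribers):
    """The pattern on the slide: one message, every subscriber in Cc.
    Each recipient can read the whole list from the delivered header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(subscribers)
    msg["Subject"] = NOTICE_SUBJECT
    msg.set_content(NOTICE_BODY)
    return msg


def build_safe_notices(subscribers):
    """One message per subscriber. No other subscriber's address is in
    the message at all, so a header mistake cannot expose the list."""
    notices = []
    for addr in subscribers:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr
        msg["Subject"] = NOTICE_SUBJECT
        msg.set_content(NOTICE_BODY)
        notices.append(msg)
    return notices


def visible_recipients(msg):
    """Addresses every recipient can see in the delivered headers.
    Bcc is excluded because a correctly behaving MTA strips it."""
    fields = [v for name in ("To", "Cc") for v in msg.get_all(name, [])]
    return {addr for _, addr in getaddresses(fields)}


def exposes_other_subscribers(msg, subscribers):
    """Pre-send guard: True if the message would reveal more than one
    subscriber address to the people who receive it."""
    return len(visible_recipients(msg) & set(subscribers)) > 1


def send_all(subscribers, transport=None):
    """Build per-recipient notices, refuse any that fail the guard, and
    hand the rest to `transport` (a callable taking an EmailMessage).
    With no transport the messages are collected so this runs offline."""
    sent = []
    if transport is None:
        transport = sent.append
    for msg in build_safe_notices(subscribers):
        if exposes_other_subscribers(msg, subscribers):
            raise ValueError("refusing to send: recipient list would leak")
        transport(msg)
    return sent
```

In production the transport would be something like `smtplib.SMTP.send_message`. Using a Bcc header instead of Cc would also have avoided the disclosure, but only as long as every relay strips it, which is why one message per recipient is the stronger fix; the guard exists so that the control lives in the code path rather than in whoever happens to remember the difference between cc and bcc.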

Slide 8 of 13

Cost of “A Privacy Blowout”

Source: Forrester Research, Feb 2001 report (www.forrester.com)

Slide 9 of 13

Millions of Dollars Are at Stake

• In 2006, data breaches cost an average of $182 per compromised record (Ponemon Institute)

• Royal Bank of Canada calculated the shareholder value of its consumer and retail business at $9 billion

• RBC took a privacy-positive stance and re-engineered its IT systems to track customer privacy preferences, which are respected by all bank departments and affiliates

• RBC determined that privacy drives 7% of demand for the bank’s consumer/retail business

• That values privacy at $630 million (7% of $9 billion)!

Slide 10 of 13

Seven basic privacy principles (the Safe Harbor principles)

1. Notice: Organizations must notify individuals about the purposes for which they collect and use information about them.

2. Choice: Organizations must give individuals the opportunity to choose (opt out)

3. Onward Transfer (Transfers to Third Parties): To disclose information to a third party, organizations must apply the notice and choice principles.

4. Access: Individuals must have access to personal information... and be able to correct, amend, or delete that information where it is inaccurate

Slide 11 of 13

Seven basic privacy principles (continued)

5. Security: reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

6. Data integrity: data must be relevant for the purposes used... and reliable for its intended use, accurate, complete, and current.

7. Enforcement: to ensure compliance, there must be (a) readily available and affordable independent recourse mechanisms; (b) procedures for verifying that the commitments to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles.

Slide 12 of 13

3-step privacy program

• Target
– Find current privacy exposures and prioritize
– Talk to department heads, map data flows, ask questions, especially of marketing

• Treat
– Make necessary changes and then institute policies and procedures to prevent recurrence

• Train
– Make sure everyone understands the importance of privacy, especially anyone who touches PII
– This goes a lot further than customer service, e.g. contracts, programming, product development

Slide 13 of 13

Thank you!

• Stephen Cobb
• cobbassociates.com
• sc at cobbassociates dot com