sign in sign up
<<
Home , Scroogled

THE DIGITAL AGE

THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Securing privacy and profi t in the era of hyperconnectivity and big data Booz Allen Hamilton – Bill Stewart, Executive Vice President; Dean Forbes, Senior Associate; Agatha O'Malley, Senior Associate; Jaqueline Cooney, Lead Associate; and Waiching Wong, Associate

Companies increasingly use consumer data, including personal information, to stay competitive; this includes the capability to analyze their customers’ demographics and buying habits, predict future behaviors and business trends, and collect and sell data to third-parties. Consumers’ willingness to share their data centers on trust, however, and 91% of adults believe that they have lost control over how their personal information is collected and used (2014 Pew Research Center). So how do companies effectively manage consumer data while simultaneously building trust? It has been said that you cannot have good privacy without good security. A fi rst step is to build an effective security program while also better understanding what privacy means and how it can be a strategic business ena- bler in our era of hyper-connectivity and “big data”.

■ Why does this matter? The data economy The power and insights driven by consumer data has changed the corporate landscape. This has created the

91%

of adults “agree” or “strongly agree” that consumers have lost control over how their personal information is collected and used by companies

1 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

data economy—the exchange of digitized ■ Privacy defi nitions vary information for the purpose of creating “Privacy” may have different meanings to insights and value. Companies are building stakeholders due to factors such as the con- entire businesses around consumer infor- text, prevailing societal norms, and geo- mation, including building data-driven graphical location. There is no consensus products and monetizing data streams. This defi nition of privacy, which makes it chal- is a supply-driven push made possible by lenging to discuss, and act upon, a need for widespread digitization, ubiquitous data privacy. However, an important central storage, powerful analytics, mobile technol- concept regarding privacy recurs, which is, ogy that feeds ever more information into the appropriate collection, use, and sharing the system, and the Internet of Things. This of personal information to accomplish busi- also has a demand-driven effect as more ness tasks. Determining what appropriate consumers expect their products to be and limited means for your customer is key “smart” and their experiences to be target- to gaining trust and unlocking the potential ed to delight them on an individual basis. of the data economy. The data economy goes beyond the tech industry. For example, many supermarkets ■ What is personal data? now record what customers buy across their Personal information comes in variations stores and track the purchasing history of such as: (1) self-reported data, or information loyalty-card members. The most competitive people volunteer about themselves, such as companies will sift through this data for their email addresses, work and educational trends and then, through a joint venture, sell history, and age and gender; (2) digital the information to the vendors who stock exhaust, such as location data and browsing their shelves. Consumer product makers are history, which is created when using mobile often willing to purchase this data in order to devices, web services, or other connected make more informed decisions about prod- technologies; and (3) profi ling data, or per- uct placement, marketing, and branding. sonal profi les used to make predictions about The enabler of the data economy is data individuals’ interests and behaviors, which itself. Individuals generate data. They do are derived by combining self-reported, digi- this every time they “check in” to a location tal exhaust, and other data. According to through a mobile app, when they use a loy- research, people value self-reported data the alty card, when they purchase items online, least and profi ling data the most (2015 and when they are tracked through their Harvard Business Review). For many compa- Internet searches. Companies gain consum- nies, it is that third category of data, used to ers’ trust and confi dence through transpar- make predictions about consumer needs, that ency about the personal information that truly provides the ability to create exciting, they gather, providing consumers control thrilling products and experiences. However, over uses and sharing of such information, that same information is what consumers and offer fair value in return. value the most and seek to protect.

Every minute

Facebook users share nearly 2.5 million pieces of content.

Twitter users tweet nearly 300,000 times.

YouTube users upload 72 hours of new video content.

Amazon generates over $80,000 in online sales.

■ 2 SECURING PRIVACY AND PROFIT IN THE ERA OF HYPERCONNECTIVITY AND BIG DATA

Privacy is very often confl ated with security. While privacy is about the appropriate collec- tion, use, and sharing of personal information, security is about protecting such information from loss, or unintended or unauthorized access, use, or sharing.

■ Privacy and security intersect through service scans emails in order to target breaches and tailor advertising to the user. In 2013 Although privacy and security are two sepa- ran TV ads that claim that “your rate concepts, the importance of these two privacy is [Microsoft’s] priority.” ideas intersect for the consumer if personal Companies are also competing to be pri- information is not safeguarded. In a nut- vacy champions against government surveil- shell, consumers are more likely to buy from lance. For the last few years, the Electronic companies they believe protect their privacy. Frontier Foundation has published the “Who Large-scale security breaches, such as the Has Your Back” list—highlighting compa- recent theft of credit card information of nies with strong privacy best practices, par- 56 million Home Depot consumers (2015) ticularly regarding disclosure of consumer and 40 million Target shoppers (2013), pro- information to the government. vide consumers with plenty to worry about. Breach-weary consumers need to know who ■ Challenges and trends to trust with their personal information, to Maintaining compliance ensure that only the company that they pro- Beyond the moneymaker of the data econo- vided the information to can use it. Risk my, there is also a need to comply with a management for data privacy and security swirl of confl icting regulations on privacy. of that data should guard against external For global companies, this task is made more malicious breaches and inadvertent internal diffi cult as privacy regulations vary by region breaches and third-party partner breaches. and country. Although international accords often serve as the basis of national laws ■ Privacy is linked to trust—differentiate and policy frameworks,1 the local variations with it complicate compliance. For example, the Trust, and the data that it allows companies May 2014 ruling of the European Court of to have access to, is a critical strategic asset. Justice on the “right to be forgotten” set a Privacy issues that erode trust can disman- precedent for removing information from tle the goodwill that a brand has spent dec- search results that are deemed to be no ades building with consumers. Forward- longer relevant or not in the public interest leaning companies are already moving by affi rming a ruling by the Spanish Data toward proactively gaining the trust of their Protection Agency. Countries across Europe customers and using that as a differentiator. have applied the ruling at a national level, Learning from its issues with the lack of which means that they are not exactly the security on iCloud, Apple now markets all same.2 Compliance with this decision has yet of the privacy features of their products and to be fully understood. has fi elded apps. With an eye toward the desires of its about 120,000 requests for deletions and customers, the iPhone’s iOS 8 is encrypted granted approximately half of them.3 by default. This makes all “private” infor- Compliance is costly and complicated. mation such as photos, messages, contacts, Beyond technical issues (which were easier reminders, and call history inaccessible to solve), Google’s main issue with compli- without a four-digit PIN and numeric pass- ance was administrative—forms needed to word. In 2012 Microsoft launched its “Don’t be created in many languages, and dozens get Scroogled” campaign as a direct attack of lawyers, paralegals, and staff needed to on its rival, Google, by highlighting that its be assembled to review the requests. Issues

3 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

remain, such as the possibility of removing conduct, along with a clearly defi ned means links from Google.com as well as from of enforcement. Externally, this means country-specifi c search engines. building privacy considerations into the Compliance with established laws in the products and services offered to customers. U.S. is often topic- and industry-specifi c. For Some of the ways to do this include the example, Congress has passed laws prohib- following. iting the disclosure of medical information (the Health Insurance Portability and Create easy-to-understand consumer-facing policies Accountability Act), educational records The average website privacy policy averages (the Buckley Amendment), and video-store more than 2,400 words, takes 10 minutes to rentals (a law passed in response to revela- read, and is written at a university-student tions about Robert Bork’s rentals when he reading level.6 No wonder half of online was nominated to the Supreme Court).4 Americans are not even sure what a privacy policy is.7 Writing clear, easy-to-understand Growing data = growing target for hackers consumer-facing policies can help you As data availability increases, the attractive- increase the number of people who will ness of datasets for hackers increases as well. actually read them, and you will gain the Companies in all sectors—health care, retail, trust of your consumers. No company has a fi nance, government—all have datasets that perfect solution, but many organizations are attractive to hackers. Just a few of the con- have come closer. Facebook has recently fi rmed cyberattacks that targeted consumer rewritten its privacy policy for simplicity information in 2014 include: eBay, Montana and included step-by-step directions for Health Department, P.F. Chang’s, Evernote, users.8 To increase trust, privacy policies Feedly, and Domino’s Pizza.5 should clearly state the following:

Beyond personal information 1. the personal information that you will Personal information (PI) is described in collect privacy and information security circles as 2. why data is collected and how it will information that can be used on its own or be used and shared with other information to identify, contact or 3. how you will protect the data locate a single person, or to identify an indi- 4. explanation of consumer benefi t from the vidual in context. With the advent of rich collection, use, sharing, and analysis of geolocation data, and powerful associative their data. analysis, such as facial recognition, the extent of PI is greatly expanded. Regulations Additionally, companies should give a clear are struggling to keep up with the changes, and easy opt-out at every stage and only use and companies can maintain consumer con- data in the ways stated. To ensure that the fi dence by collecting, using, and sharing data is used in the ways stated, develop clear consumer data with privacy in mind. internal data use and retention guidelines across the entire enterprise, limit internal ■ What to do? Build consumer trust access to databases, create a procedure for To unlock the data economy, companies will cyberattacks, and link it directly to the con- need to tune in to their customer’s needs sumer privacy policy. and move quickly to earn and retain cus- tomer trust. Privacy can be a competitive Go “privacy by design” differentiator for your business—and this The concept of “privacy by design” is inte- goes beyond lip service. Appropriate privacy grating and promoting privacy require- policies are needed internally, this means ments and/or best practices into systems, building privacy considerations into busi- services, products, and business processes ness operations and expected employee at the planning, design, development, and

■ 4 SECURING PRIVACY AND PROFIT IN THE ERA OF HYPERCONNECTIVITY AND BIG DATA

implementation stages, to ensure that busi- Building consumer trust includes keeping nesses meets their customer and employee information safe from hackers, creating easy- privacy expectations, and policy and regula- to-understand consumer-facing policies, tory requirements. The approach is a market and applying the principle of “privacy by differentiator that is intended to reduce default”. Companies that reframe these privacy and security risks and cost by actions as business enablers instead of busi- embedding relevant company policies into ness costs will thrive—and fi nd it easier to such designs. As such, privacy settings are comply with an increasingly complex web of automatically applied to devices and ser- regulations. Finally, communicating your vices. Privacy by design and default is good work to consumers will elevate the recognized by the U.S. Federal Trade profi le of your organization as a trusted part- Commission as a recommended practice for ner, and pave the way for future gains. protecting online privacy, and is considered for inclusion in the European Union’s Data References Protection Regulation, and was developed 1. https://www.eff.org/issues/international- by an Ontario Information and Privacy privacy-standards. Commissioner. 2. http://www.hitc.com/en-gb/2015/07/ 07/facebook-questions-use-of-right-to-be- Communicate your good work forgotten-ruling/. Privacy policies and actions are more than 3. http://www.newyorker.com/magazine/ legal disclosure; they are marketing tools. 2014/09/29/solace-oblivion. All the actions you take to protect consum- 4. http://www.newyorker.com/magazine/ ers’ privacy should be communicated so 2014/09/29/solace-oblivion. they know you can be trusted. The Alliance 5. http://www.forbes.com/sites/ of Automobile Manufacturers, representing jaymcgregor/2014/07/28/the-top-5-most- companies such as Chrysler, Ford, General brutal-cyber-attacks-of-2014-so-far/. Motors, and Toyota, publicly pledged more 6. http://www.computerworld.com/ transparency about how they will safe- article/2491132/data-privacy/new- guard data generated by autonomous vehi- software-targets-hard-to-understand- cle technologies. Many groups have pub- privacy-policies.html. lished data principles that communicate 7. http://www.pewresearch.org/fact-tank/ how data is gathered, protected, and 2014/12/04/half-of-americans-dont- shared.9 know-what-a-privacy-policy-is/. 8. https://www.washingtonpost.com/ ■ Conclusion blogs/the-switch/wp/2014/11/13/ Our current data economy brings exciting facebook-rewrites-its-privacy-policy-so- opportunities for companies to grow by that-humans-can-understand-it/. enhancing their products and services. These 9. https://fortunedotcom.files.wordpress innovations rely on consumers to trust your .com/2014/11/privacyandsecurity organization with their personal information. principlesforfarmdata.pdf.

SecurityRoundtable.org 5 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

He holds a BS degree in Engineering from Widener University and an MS degree in Electrical Engineering from Drexel University. Booz Allen Hamilton 8283 Greensboro Drive DEAN FORBES Hamilton Building Senior Associate McLean, Virginia 22102 Email [email protected] Tel +1 703 902 5000 Dean Forbes is a Senior Associate at Booz Web www.boozallen.com Allen Hamilton and a leader in the Commercial Privacy Practice. He has 20 years of profes- sional experience advising on privacy and WILLIAM (BILL) STEWART security programs that enable multinational Executive Vice President companies to protect personal data and exe- Email [email protected] cute mission-critical business strategies. His William (Bill) Stewart currently leads the industry experience includes Financial Commercial Cyber Business for Booz Allen Services, Healthcare & Life Sciences, Hamilton. In this role he leads teams that Technology, Retail, and Education. Mr. Forbes develop strategies and implement solutions is the former Global Privacy Offi cer for for the most complex issues facing Private Schering-Plough and held senior privacy com- Sector Organizations. He has more than pliance roles at Merck and Johnson & Johnson. 25 years of professional experience building He also served as a prosecutor for the U.S. consulting and systems integration businesses. Federal Trade Commission. Mr. Forbes is a Mr. Stewart is responsible for providing former International Association of Privacy services that appropriately balance risk and Professionals (IAPP) Board member and is a resource expenditure. Current clients include Responsible Information Management Council C-suite executives as well as senior govern- Advisory Board member. ment offi cials. Mr. Stewart has extensive experience envisioning, designing, and AGATHA O’MALLEY deploying solutions that enhance business Senior Associate performance. He helps clients create cutting Email O’[email protected] edge strategies that optimize and secure Agatha O’Malley is a leader in Booz Allen critical business systems. Hamilton’s Commercial Privacy Practice. Mr. Stewart and his team help clients She was formerly the Head of Privacy at develop state-of-the-art cyber solutions, Shire Pharmaceuticals. Prior to joining Shire, including Threat Intelligence, Advanced Ms. O’Malley was a manager with about Adversary Hunt, Incident Response, Insider eight years of experience in PwC’s Privacy Threat, and Identity and Access Control. and Security Practice. Her experience Mr. Stewart also led Booz Allen Hamilton’s includes helping clients assess their current Cyber Technology Center of Excellence state and identifying gaps. She has con- (COE) with more than 3000 staff members, ducted numerous global, integrated privacy, and he built a large Technology Consulting security, and identity theft prevention and Integration Business focused on the assessments, and she has helped companies U.S. government. develop and implement corporate policy Before joining Booz Allen, Mr. Stewart documents relating to privacy, international worked for a major electronics fi rm, where he data transfers, and IT security. Ms. O’Malley developed communications security and key has negotiated numerous privacy contrac- management devices. He also served as a tual provisions and addenda and has exten- Signal Offi cer, Battalion Commander, Brigade/ sive experience in international data trans- Battalion S-3, and Company Commander in fer compliance mechanisms. the U.S. Army.

■ 6 SECURING PRIVACY AND PROFIT IN THE ERA OF HYPERCONNECTIVITY AND BIG DATA

JACQUELINE COONEY WAICHING WONG Lead Associate Associate Email [email protected] Email [email protected] Jacqueline Cooney is a Lead Associate and Waiching Wong is part of Booz Allen an attorney at Booz Allen with over 20 years Hamilton’s high-tech manufacturing practice, of experience in privacy, governance, risk, providing strategy, competitive analysis, pro- compliance, and public policy. Ms. Cooney cess improvement, organizational design, provides privacy and compliance analysis and project management support to commer- support as well as assisting on tasks related cial and government clients. Ms. Wong works to cyber security, regulatory compliance, and with clients to seize business opportunities Safe Harbor certifi cations. She is a key par- while navigating risks around connected ticipant in helping to develop privacy-related products and the data used to power them. methodologies and a frequent contributor to She holds a Masters degree in City and risk and compliance related engagements. Regional Planning from Cornell University Part of her duties have been to assist in and a BA in Political Economy from the developing comprehensive incident University of California, Berkeley. response procedures for client data spills, breaches, and incidents, and to develop training regarding data protection, PHI/PII handling, data breaches, and incident response. Previously, Ms. Cooney was an Adjunct Professor at Marymount University where she taught Legal Research and Writing, Advanced Legal Research and Writing, Public Law and Administrative Procedure, and Constitutional Law. As a practicing attor- ney, she advises clients regarding changes to and impact of federal privacy laws and regu- lations. She was also a Legislative Assistant on Capitol Hill. Ms. Cooney is a member of the Virginia Bar and has been an attorney for over 14 years.

7 ■