Security Concerns with e-Commerce
Bretttrout.com
Copyright 2001 Brett J. Trout

Electronic Communications Privacy Act and Employers (ECPA)
- Enacted in 1986
- Amends Omnibus Crime Control Act

ECPA
- Prohibits interception of e-mail
- Prohibits access to stored e-mail
- Allows employers to monitor employees
- Applies to both:
  - Accessing a database
  - Capturing keystrokes

ECPA Title II
- Prohibits intentional access of an electronic communication service
- Relates to any stored electronic communication:
  - Email
  - Fax
  - etc.

ECPA Title II Exceptions
- Provider of the service
  - AOL
  - Employer
  - Etc.
- Anyone with authorization
  - Express
  - Implied

ECPA Title III
- Prohibits intentional interception of any electronic communication
- Makes it a crime to capture email while en route

ECPA Title III Exceptions
- Employee consented
  - Impliedly
  - Expressly
    - Employment agreement
    - Email policy
- Employer interception must be in the ordinary course of business

ECPA Take Home
- Employer can:
  - Monitor stored e-mail
  - Intercept e-mail
- Give employees express notice
  - Employment agreement
  - Email policy
- Monitor only in the ordinary course of business
- Stop reading if the e-mail is personal

Computer Fraud and Abuse Act
- Enacted in 1984 to stem computer crime
- Amended in 1996 (National Information Infrastructure Protection Act) to criminalize:
  - Threats to computer networks
  - Release of viruses or worms
  - Hacking
  - Hijacking
  - Destructive ecommerce activity

CFAA Makes it Illegal
- To knowingly access a computer without authorization:
  - For fraudulent purposes
  - To access confidential information
  - To access financial information
  - To cause damage to a computer system

Economic Espionage Act
- Enacted in 1996
- 18 U.S.C. section 1831 et seq.
- Makes it illegal to take or receive trade secrets
- Enacted to curb economic and industrial espionage

EEA
- Civil Penalties
  - Injunction
  - Forfeiture of profits and instrumentalities to government
- Criminal Penalties
  - Injure or benefit - 10yr/250K/5M
  - Benefit foreign power - 15yr/500K/10M

Hacking
- According to PricewaterhouseCoopers, hacking cost United States companies $1.5 trillion in 2000
- World Trade Center insurable loss: $50 billion
- One year of hacking equals 30 Trade Center attacks.

Types of Hacking
- Denial of Service Attack
- Packet Sniffing
- Spoofing
- Keystroke Monitoring
- Viruses
- Cracking
- Exploiting Holes
- Diddling

Denial of Service Attack
- Any action to prevent a server from functioning
- Usually enlists unsecured computers to bombard the server with requests
  - Floods the server
  - Prevents normal functioning
  - Difficult to track down

Packet Sniffing
- Internet information travels in packets with a "header"
- Sniffer software searches for packets containing these headers
- Used to audit and identify network packet traffic
- Can uncover passwords and/or usernames
- Easy to do
- Difficult to detect

Spoofing
- Pretending to be another user
- Includes:
  - Deceptive sender information (spam)
  - Deceptive use of username and/or password

Keystroke Monitoring
- Inexpensive software
  - Installed on the computer
  - Hardwired to the computer
- Allows:
  - Reconstruction of the user's activity
  - Identification of usernames/passwords
- Illegal

Viruses
- Software that:
  - Modifies other software
  - Replicates itself
  - Sends itself on to other computers
- Types:
  - Replication
  - DOS
  - Data destruction

Virus Prevention
- Virus protection software
  - Only works if it is turned on
  - Constantly update
- Keep apprised of the latest viruses
- Do not open attachments from unknown senders

Virus Prevention
- Do not open files with extensions:
  - .exe
  - .vbs
  - .pif
- Use Eudora, rather than Outlook

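The extension rule on this slide, written up as an added example that is not part of the original presentation: a Python check that applies the three listed extensions to attachment names and also catches the double-extension and padded-name forms that hide a file's real type from a quick glance. The blocked list and the sample filenames are constructed for the example.

```python
import re
from dataclasses import dataclass

# The three extensions the slide tells users not to open. Constructed for
# this example; a real mail-gateway policy would carry a longer list.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".pif"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    blocked: bool
    reason: str


def normalize_filename(name: str) -> str:
    """Undo the presentation tricks that disguise an attachment's type.

    - strip surrounding whitespace and a trailing dot (Windows drops both)
    - collapse runs of spaces, so "invoice.txt          .exe" becomes
      "invoice.txt .exe" and the final extension is visible again
    - lower-case, so ".EXE" and ".Exe" compare equal to ".exe"
    """
    name = name.strip().rstrip(".")
    name = re.sub(r"\s+", " ", name)
    return name.lower()


def attachment_verdict(filename: str) -> Verdict:
    """Decide whether an attachment name falls under the slide's rule.

    The decisive part is the *last* extension, because that is what the
    operating system uses to pick the program that opens the file:
    "report.pdf.exe" is an executable, not a PDF. A blocked extension
    appearing earlier in the name ("setup.exe.txt") is also flagged,
    since a double extension is a warning sign in its own right.
    """
    norm = normalize_filename(filename)
    parts = norm.split(".")
    if len(parts) < 2:
        return Verdict(filename, False, "no extension")

    # Each extension is stripped again: padding may sit between them.
    exts = ["." + p.strip() for p in parts[1:]]
    last = exts[-1]
    if last in BLOCKED_EXTENSIONS:
        reason = f"final extension {last} is blocked"
        if len(exts) > 1:
            reason += f" (disguised behind {exts[-2]})"
        return Verdict(filename, True, reason)

    for ext in exts[:-1]:
        if ext in BLOCKED_EXTENSIONS:
            return Verdict(filename, True,
                           f"blocked extension {ext} hidden inside the name")

    return Verdict(filename, False, f"extension {last} allowed")


def filter_attachments(names):
    """Apply attachment_verdict to every name in a message."""
    return [attachment_verdict(n) for n in names]


# Constructed attachment names covering the plain, disguised and benign cases.
SAMPLE_ATTACHMENTS = [
    "budget.xls",
    "report.pdf.exe",
    "invoice.txt            .EXE",
    "greeting-card.vbs",
    "game.PIF",
    "archive.tar.gz",
    "README",
]

if __name__ == "__main__":
    for v in filter_attachments(SAMPLE_ATTACHMENTS):
        flag = "BLOCK" if v.blocked else "allow"
        print(f"{flag:5}  {v.filename!r}: {v.reason}")
```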
Cracking
- Defeating copy-protection
- Determining passwords/usernames
- Typically illegal

Exploiting Security Holes
- Microsoft XP e-wallet
  - Unauthorized users could get credit card information
- Microsoft Outlook
  - Vulnerable to viruses
- Keep abreast of:
  - New developments
  - Patches

Diddling
- Obtaining unauthorized access to:
  - Modify
  - Delete
  - Set a time bomb

Insurance
- Typically very expensive
- Very good exercise to identify and address problems

Insurance
- The number of companies who cited their Internet connection as a frequent point of attack has increased steadily from 47% in 1998 to 70% in 2001.
  (Marsh Advantage America, Leisa Fox, www.netsecuresite.com)

Insurance
- 78% of companies acknowledged financial losses due to computer breaches
- 37% of companies are willing or able to quantify their financial losses
- The most serious financial losses occur through theft of proprietary information.
  (Marsh Advantage America - Leisa Fox, www.netsecuresite.com)

Misconceptions
- "I have staff in place who are keeping me safe."
- "I have a firewall, so I'm protected."
- "Our network is password protected, so I'm doing all I can."
- "Our contracts transfer liability, so I have nothing to worry about."
- "My employees would never do anything to jeopardize my company's data."

Risks
- Legal Risks
- Credibility Risks
- Security Risks
- Financial Risks
  (Marsh Advantage America - Leisa Fox, www.netsecuresite.com)

Legal Risks
- Defense Costs - exaggerated because of the lack of current case law
- Inability to determine the value of Intellectual Property
- Copyright/Trademark Infringement
- Libel/Slander & Defamation
- Plagiarism
- D&O suit for insufficient security measures
- Regulatory Costs

Security Risks
- Digital Terrorism
- Internal Crime
- External Crime
- Virus Attacks
  (Marsh Advantage America - Leisa Fox, www.netsecuresite.com)

Credibility Risks
- Organizations that experience security breaches keep them quiet.
- A breach can do grave damage to a company's reputation.
  (Marsh Advantage America - Leisa Fox, www.netsecuresite.com)

Financial Risks
- Prior risks translate into costs:
  - Business Income Loss
  - Reconstruction of lost data
  - Investor Relationships
  - Defense Costs
  (Marsh Advantage America - Leisa Fox, www.netsecuresite.com)

Solutions
- Identify & prioritize the risks
- Consider technology solutions
- Consider process/policy solutions
- Transfer or eliminate risks that are too costly to retain
  (Marsh Advantage America - Leisa Fox, www.netsecuresite.com)

Key People
- The C's - CEOs, CFOs, CTOs, CSOs, CIOs
- Human Resources
- IT
- Marketing
- Legal Counsel
- Risk Manager/Insurance Agent
  (Marsh Advantage America - Leisa Fox, www.netsecuresite.com)

Misconceptions
- "I have coverage under my package policy."
- "I have an E&O Policy that covers it."
- "I have an EDP Policy."
  (Marsh Advantage America - Leisa Fox, www.netsecuresite.com)

Policies Cover
- Policies may include coverage for:
  - Virus Attacks
  - Data reconstruction
  - Business Income Loss
  - Disaster Recovery
  - Defense Costs, etc.
  (Marsh Advantage America - Leisa Fox, www.netsecuresite.com)

Costs
- Pricing varies greatly based on exposures.
- Third party policies are vastly more affordable than First party policies.
- You can expect to pay anywhere from $7,500 to $100,000 for a Cyber Risk Policy.
  (Marsh Advantage America - Leisa Fox, www.netsecuresite.com)

Internet Privacy
"You have zero privacy anyway. Get over it."
- Scott McNealy, Sun Microsystems CEO, Wired News (March 11, 1999)

Internet Privacy Policy
- Components
  - Notice of Data Collection - how, what, why
  - Choice - partial or total "opt out"
  - Access to Data - option to modify or delete
  - Security

Internet Privacy
- Privacy Policy
  - Develop one today
  - Follow it
- Designate an IT privacy czar
- Audit your policy - regularly

Consumer Privacy Protection Act
- Pending legislation
- Mandates privacy collection procedures
- Private Right of Action
  - $50,000 statutory damages
  - Punitive damages
  - Attorney fees
- Something like this will become law

Cookies
- A computer science term
- An opaque piece of data held by an intermediary

What is a Cookie?
- HTTP header
- Text-only string
- Associated with your browser
- Unique identifier
- Cannot be used as a virus
- Cannot access your hard drive

DoubleClick
- DoubleClick used cookies to aggregate user information
- Users sued
- SDNY Court held 3/28/2001: no violation

Children's Online Privacy Protection Act
- Requires the Federal Trade Commission to issue and enforce regulations which regulate the ability of Websites to collect personal information from children under the age of 13.

COPPA
- Passed into law October 21, 1998
- Covers personal information collected after April 21, 2000
- COPPA applies to:
  - Web sites and online services
  - Targeted to, or that know they are collecting data from, children under 13

COPPA Requirements
- Post a privacy policy
  - Conspicuous
  - What data you collect
  - What you do with it
- Obtain verifiable consent from the child's parent
  - Before you collect any data
- Importantly:
  - A change in policy requires new consent

COPPA Requirements
- Give the option to revoke consent
- Allow parents to review the data collected
- Ensure the security and integrity of the data you collect

Gramm-Leach-Bliley
- Subjects "financial institutions" to certain reporting and disclosure requirements intended to ensure the personal and financial privacy of customers

"Financial Institution"
- Lending, exchanging, transferring, investing for others, or safeguarding money or securities;
- Issuing or selling instruments representing interests in pools of assets which a bank can hold directly;
- Engaging in any activity … so closely related to banking or managing … as to be a proper incident thereto.

GLB Data Disclosure
- Opt out
  - Prohibits disclosure by a financial institution without allowing the consumer to opt out.
- Third party disclosure
  - Allowed for the purpose of permitting a third party to perform services for the financial institution.

GLB Data Disclosure
- Prohibits a third party from disclosing nonpublic personal information
  - Unless disclosure would be lawful if made directly to such other person by the financial institution.
- Prohibits sharing of account number information for marketing purposes
- Different requirements for different levels of relationships.

Health Insurance Portability and Accountability Act
- Forces health providers and insurers to use technology in a more uniform, less proprietary manner

HIPAA Goals
- Standardization
- Security
- Privacy

Areas of Focus
- Technical Security Services
  - User authorization and authentication
  - Access control and encryption
- Administrative Procedures
  - Formal security planning
  - Record maintenance and audits
- Physical Safeguards
  - Security of the building
  - Privacy for workstations handling patient information

HIPAA
- Can apply to both health care and non-health care entities
- Forces covered entities to uniformly transmit and receive certain data electronically
- Requires the use of standard identifiers (rather than proprietary codes) to identify health care providers, employers, health plans and patients

Employers
- Must have written policies and notify employees of HIPAA policies
- Must get consents to the release of certain information in certain circumstances
- Must give employees access to their medical records
- Must have contracts in place with providers to ensure that they safeguard information

Employers
- Identify stored health information and who has access to it
- Identify how the information is used and its flow
- Correlate all privacy policies
- Standardize all relevant third-party provider contracts

European Union Directive on Privacy
- Effective 25 October 1998
- Every EU member state must enact national law consistent with the Directive
- Many EU countries had privacy laws before the Directive

EU Directive
- World-wide standard
- Enforcement has begun in the U.S.

Compliance
- The Safe Harbor
- Specific contracts blessed by European Data Protection Authorities
- Exceptions or derogations to the Directive

Safe Harbor
- Seven privacy principles issued by the US Department of Commerce on July 21, 2000 for "personal data" collection

Seven Provisions
- Notice
- Opt in
- Opt out
- Security
- Maintain Integrity of Data
- Procedure for Data Correction
- Data Transfer

Notice
- Clear language
- Purpose of collection
- Contact information for inquiries or complaints
- To whom you disclose information
- Options for limiting use and disclosure of the information

Opt in/Opt out
- Opt out
  - Disclosed to a third party
  - Used for a new purpose
- Opt in
  - Sensitive information
    - Race, health, union membership, sexual preference
  - If disclosed to a third party
  - If used for a new purpose

Security
- Loss
- Misuse
- Unauthorized access
- Disclosure
- Alteration
- Destruction

Maintain Integrity of Data
- Reliable for intended use
- Accurate
- Complete
- Current

Procedures For Correction
- Correct, amend, or delete inaccurate information
- Not necessary where:
  - Burden much greater than potential harm
  - Would compromise confidential information of others

Data Transfer
- Must include:
  - Notice provisions
  - Choice provisions
- Agent must:
  - Subscribe to the foregoing principles; or
  - Enter into a written agreement requiring the agent to provide at least the same level of privacy protection as the provider

Safe Harbor
- Access
  - Individuals must have access to "their" information
  - Ability to correct or remove inaccurate information
  - "Disproportionate burden" exception
- Enforcement
  - Mechanisms for investigating and resolving complaints
  - Procedures for verifying privacy statements
  - Obligation to remedy problems

EU Directive
- Enforcement by competitors
- Failure to comply could lead to a cut-off in data and actions against European partners

Falling Under Safe Harbor
- Self-certification on the DOC website
- Hard part - applying it to business practices
- Financial services firms cannot join Safe Harbor unless under the FTC

EU Directive
- Over 40 countries now have substantial privacy laws
- Most either copy or comply with the EU Privacy Directive

EU Directive
- Compliance requirement is real
- Safe Harbor likely the best but not the only option
- Don't copy another company's privacy policy

What To Do
- Audit current privacy practice
- Develop an EU Directive conforming policy
- Comport practice with policy
- Require warranties & indemnities from third parties using your data
- Encrypt data transmissions

Privacy Technology
- Establish a firewall
- Monitor cookies - turn off as appropriate
- Run virus detection software
- Anonymizer
- TRUSTe - will review your privacy policy
- Asymmetric cryptography
- Future technology
  - Platform For Privacy Preferences
    - Defines exactly the level of information disclosed

Additional Steps
- Security policies
- Rotate passwords
- Monitor access and file transfer
- Implement a network vulnerability study
- Implement a disaster recovery plan
- Limit modification of workstations
- Obtain insurance

Thank You