Harvard Privacy LectureJune 3, 2005

Ann Cavoukian, Ph.D.Ann Cavoukian, Ph.D.Information and Privacy Commissioner/Ontario

The Economics of Privacy:Go Beyond Compliance to Competitive Advantage

Security/PrivacyVulnerabilities

asNegative

Externalities

Security Vulnerabilitiesas an Externality

•Vulnerabilities are a negative externality:

– Polluters will go on producing pollution until the costs to the polluter outweigh the benefits;

– Those who abuse personal data will go on until the costs to the abuser outweigh the abusing benefits;

– Secure systems offer positive externality.

– Dr. Jean Camp, November 6, 2004

Privacy Infringement as an Externality

• Violations of privacy can be viewed as an external cost – a negative externality;

• An external cost is essentially a cost produced by one entity but borne by another.

— Ann Cavoukian and Tyler Hamilton, The Privacy Payoff.

Who Should be Responsible…

Companies or Consumers?

• Placing the burden on companies to prevent privacy violations would increase their operating costs;

• Placing the burden on consumers, however, would be prohibitive;

• In both cases, externality exists regardless of who bears the costs.

Cost of Business

• The burden should be placed where the cost is the least,— (“Lowest cost strategy” Ronald Coase)

• It would follow that, in the case of privacy, companies should bear the cost for remedying this externality.

• Businesses, not consumers, create privacy externalities through their misuses of their customers’ personal information.

• It would be far more costly for individuals to prevent, or attempt to remedy, abuses of their personal information.

• Strong incentive for consumers to go to a competitor who does bear the cost of this externality.

Proactive or Reactive?

• How should those costs be handled?– Proactive? Privacy practices built in up front– Reactive? Regime of liability risk – litigation

• Proactive privacy practices are ultimately less expensive and more socially desirable; they may also lead to a competitive advantage.

“The cost of a privacy PR blowout can range from tens ofthousands to millions of dollars, depending on the company’ssize and the visibility of its brand, and this does not includelost business and damage to reputation.”

— Surviving the Privacy Revolution, February 2001, Forrester Research.

Proactive Example: Microsoft

An Ounce of PreventionApril 2005:

• Microsoft filed 117 'John Doe' lawsuits in the U.S. against suspected “phishers” hoping to catch some of the biggest offenders.

• Microsoft stated that the accused have been trying to con people out of personal information, such as bank details, passwords, and social security details, by using fake MSN, Hotmail and Web sites, and mass e-mail and pop-up ads.

• Because there is no specific anti-phishing legislation in the U.S., the lawsuits were filed in the U.S. District Court in Seattle under the Lanham Act. This is a federal trademark protection law that carries a maximum of US$1 million fine per violation.

Reactive Example: Choicepoint Too Little, Too Late

• A data aggregation and clearinghouse company that maintains databases of background information on virtually every U.S. citizen.

• 19 billion public records in its database: motor vehicle registrations, license and deed transfers, military records, names, addresses and Social Security numbers.

• ChoicePoint routinely sells dossiers to police, lawyers, reporters and private investigators.

Choicepoint: Unraveled

• In a plot twist taken from a Hollywood movie, criminals were creating false identities to establish accounts with ChoicePoint and then using those accounts to commit identity theft.

• In response, ChoicePoint:– Notified 35,000 Californians as required by California

law, SB1386. – Will notify an additional 145,000 persons that

“unauthorized third parties” had obtained their personal information.

• Los Angeles police believe that the actual number of persons affected could be 500,000 or more.

ChoicePoint:The Fallout …

Security breach announced to

the public.

First lawsuit filed.

Dollars

per

sh

are

($47.95)

($36.35)

www.nyse.com

Choicepoint:… and the Cost

• ChoicePoint will pay to re-screen, and re-credential, 17,000 customers to verify that they are legitimate businesses.

• Suspension of contract with New York State — other states pending.

• March 2005, suspension of sales to small businesses — loss of 5% of annual revenue or, $900 million.

• Three separate lawsuits filed:1. Victim of I.D. theft2. Class action by individuals3. Class action by shareholders

• There is now pending legislation in 36 U.S. states targeting identity theft at various levels.

— Center for Democracy and Technology Conference, March 9, 2005

The Unpredictable Cost:Litigation

Privacy & American Business, Consumer Privacy Litigation Report, 2004

• Since 2000, 182 cases of consumer privacy litigation have been brought against 234 corporate defendants, with $160 million paid out in damages.

•$52.5m to the Federal Trade Commission•$39.7m to state regulators•$32.3m to private individuals•$28.4m to private class action• $6.9m to various federal agencies

Damage to brand and reputation cannot be measured!

Assuming the Risk

• Some organizations may debate whether to take out fire insurance, or save costs by assuming the risks

• This approach is ultimately doomed to backfire:1. Individuals, consumer groups, lawyers and politicians,

have become much more active on the issue of privacy resulting in increasing enforcement, litigation, and legislation.

2. It is impossible to predict the costs of dealing with consequences, creating an unattractive atmosphere of uncertainty that turns away both creditors and shareholders.

3. The organization that forfeits the opportunity to plan for, and identify costs that will be incurred, is courting disaster with no contingency planning.

Implementing Privacy

• Depending on the size and complexity of the organization, there are varying degrees of implementing a privacy program:

– Small/Simple: Internal project — retail software

– Medium/Moderate complexity: Hire external consultants — custom software

– Large/Complex: Chief Privacy Officer —information management systems

Self-Regulation

• Privacy is not just about one department, one division, one project, one product, or one database.

• Any organization should analyze and regularly assess privacy risks across its entire operation:

• Marketing• Human Resources• Sales• Online operations• All Facilities, divisions, departments, and subsidiaries

• Communications• Information Technology• Online operations

• All organizations should also establish a cross-functional privacy team from a diverse group of individuals across the entire spectrum of its operations.

Develop a corporate culture of privacy!

Diagnosing Privacy

• Begin with a self-administered test — a voluntary assessment of how privacy-friendly your information management practices really are.

• A good starting point:– IPC/Ontario: Privacy diagnostic tool

18

IPC:Privacy Diagnostic Tool

• The PDT is free and can be self-administered.

• Simple, plain-language tool (paper and e-versions).

• CSA model code to examine an organization’s privacy management practices.

• www.ipc.on.ca/PDT

The Coming Privacy Storm

• Legislation is currently being considered that would ban the sale of Social Security numbers without the permission of the owner, except when needed by law enforcement.

• As of April 2005, 39 bills, (pending in 19 states), are modeled after California’s SB1386.— The Problem of Data Security, Emily Hackett, Internet Alliance, April 25, 2005.

• A federal version of SB1386, is also under consideration.

• "If you're in business and you think that one party, [Democrat or Republican], is going to help you on this issue [privacy] . . . I think you are sorely mistaken.“

— Steve Emmert, Reed Elsevier PLC — Lexis-Nexis

20

• California’s law has had a substantial impact on business practices. The California Office of Privacy Protection recently surveyed California companies and found that:

• 76% changed their communications polices as a result of the new law;

• 50% changed the way they used social security numbers;

• 33% changed security procedures.

SB1386

21

Impetus for Change

• Growth of Privacy as a Global Issue.(EU Directive on Data Protection)

• Exponential growth of personal data collected, transmitted and exploited.

• Convergence of growth in bandwidth, sensors, data storage and computing power.

• Consumer Backlash; heightened consumer expectations

22

Consumer Attitudes

• Business is not a beneficiary of the post-9/11 “Trust Mood”

• “Increased trust in government has not been paralleled by increased trust in business handling of personal information.”

Privacy On and Off the Internet: What Consumers Want Harris Interactive, November 2001

Dr. Alan Westin

23

Importance of Consumer Trust

• In the post-9/11 world:– Consumers either as concerned or more concerned

about online privacy– Concerns focused on the business use of personal

information, not new government surveillance powers

• If consumers have confidence in a company’s privacy practices, consumers are more likely to:– Increase volume of business with company…….... 91%– Increase frequency of business……………….

…………..90%– Stop doing business with company if PI misused..83%

— Harris/Westin Poll, Nov. 2001 & Feb. 2002

24

What Privacy is Not

Security Privacy

25

• Authentication• Data Integrity• Confidentiality• Non-repudiation

• Privacy; Data Protection• Fair Information Practices

Privacy and Security: The Difference

Security:Organizational control of information through information systems

26

Fair Information Practices(CSA Code Model)

1.Accountability• For personal information designate an

individual(s) accountable for compliance.2.Identifying Purposes

• Purpose of collection must be clear at or before time of collection.

3.Consent• Individual has to give consent to collection,

use, disclosure of personal information.

27

FIPs (Cont’d)

4.Limiting Collection• Collect only information required for the

identified purpose; information shall be collected by fair and lawful means.

5.Limiting Use, Disclosure, Retention• Consent of individual required for all other

purposes.6.Accuracy

• Keep information as accurate and up-to-date as necessary for identified purpose.

7.Safeguards• Protection and security required,

appropriate to the sensitivity of the information.

28

FIPs (Cont’d)

8.Openness• Policies and other information about the

management of personal information should be readily available.

9. Individual Access• Upon request, an individual shall be informed of

the existence, use and disclosure of his or her personal information and be given access to that information, be able to challenge its accuracy and completeness and have it amended as appropriate.

10.Challenging Compliance• Ability to challenge all practices in accord with

the above principles to the accountable body in the organization.

29

The Bottom Line

Privacy should be viewed as a business issue, not a

compliance issue

30

The Promise

Electronic Commerce projected to reach $220 billion by 2001.

— WTO, 1998

Electronic Commerce projected to reach $133 billion by 2004.

— Wharton Forum on E-Commerce, 1999

Estimates revised downward to reflect lower expectations.

31

The Reality

United States: e-commerce sales were only 1.9% of total sales -- $69.2 billion in 2004.

-U.S. Dept. of Commerce Census Bureau, February 2005

Canada: Online sales were 0.8% of total revenues -- $28.3 billion in 2004.

Statistics Canada, April 2005

Clicks vs. Bricks

“e-tailers are not even coming close to replacing traditional stores, as some suggested they would a few years ago amid all the dot-com hype.”

Online commerce still accounts for less than 5% of worldwide retail sales.

— Bob Keefe, The Arizona Republic, January 3, 2005

33

Lack of Privacy = Lack of Sales

“Consumer privacy apprehensions continue to plague the Web. These fears will hold back roughly $15 billion in e-commerce revenue.”

-Forrester Research, September 2001

“Privacy and security concerns could cost online sellers almost $25 billion by 2006.”

-Jupiter Research, May 2002

“Online retail sales could be 25% higher by 2006 if consumer’s fears about privacy and security were addressed.”

-Jupiter Research, 2002

34

The Business Case

“Our research shows that 80% of our customers would walk away if we mishandled their personal information.”

— CPO, Royal Bank of Canada, 2003

“Nearly 90% of online consumers want the right to control how their personal information is used after it is collected.”

— Forrester Research, 2003

Distrust and Profitability

• Distrust can have a potentially devastating impact on profitability:

• 45% of respondents said there is at least one retail business that they trusted at one time, but no longer trust.

• 94% said they spent less money with that company, resulting in an average 87% decrease in spending by that group.

— Yankelovich Study, June 2004

36

ISF Highlights Damage Done by Privacy Breaches

• The Information Security Forum reported that a company’s privacy breaches can, and often, do cause major damage to brand and reputation.

– 25% of companies surveyed experienced some adverse publicity due to privacy.

– 1 in 10 had experienced civil litigation, lost business or broken contracts.

– Robust privacy policies and staff training were viewed as keys to avoiding privacy problems.

— The Information Security Forum, July 7, 2004

37

It’s All About Trust

“Trust is more important than ever online … Price does not rule the Web …

Trust does.”

— Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders Build Lasting Relationships

38

“It’s Just Like Dating”

“When customers DO trust an online vendor, they are much more likely to share personal information. This information then enables the company to form a more intimate relationship with its customers.”

— Loyalty Rules: How Today’s Leaders Build Lasting

Relationships, Frederick F. Reichheld

— Permission Based Marketing, Seth Godin

39

Trust First — Love Later

“In 70% of instances where Internet users were asked to provide information in order to access an online informational resource, those users did not pursue the resource because they thought their privacy would be compromised.”

— Narrowline Study, 1997

40

Don’t Come On Too Strong …

“Web consumers seem to be more than willing to upset the marketing apple cart. They refuse to cooperate: 94% have declined to provide personal information when asked; and they lie through their teeth.”

— Wired Magazine, May 1998

“42% have falsified information at one time or another when asked to register at a Web site.”

— 10th WWW User Survey, October 1998

41

… Or Else, it’s Dear John

“Fully 50% of online users said they would leave a Web site if they were unhappy with a company’s privacy policy.”

— Customer Respect Group, February 2004 survey

42

Make Privacy a Corporate Priority

• An effective privacy program needs to be integrated into the corporate culture.

• It is essential that privacy protection become a corporate priority throughout all levels of the organization.

• Senior Management and Board of Directors’ commitment is critical.

43

Good Governance and Privacy

“Privacy and Boards of Directors: What You Don’t Know Can Hurt You”

– Guidance to corporate directors faced with increasing responsibilities and expectation of openness and transparency.

– Privacy among the key issues that Boards of Directors must address.

– Potential risks if Directors ignore privacy.– Great benefits to be reaped if privacy included

in a company’s business plan.

44

Final Thought

“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”

Forrester Research, March 5, 2001

How to Contact Us

Commissioner Ann CavoukianCommissioner Ann CavoukianInformation & Privacy Commissioner/Ontario2 Bloor Street East, Suite 1400Toronto, Ontario M4W 1A8

Phone: (416) 326-3333Web: www.ipc.on.caE-mail: commissioner@ipc.on.ca