Annual Privacy Report

ISAlliance develops quarterly deliverables on cutting-edge information security topics in conjunction with our partners at Carnegie Mellon University CyLab. These deliverables may take the form of a white paper, such as the Privacy Policy Trends paper; an assessment tool, such as T-SQUARE and the SQUARE methodology; or other material designed for operational improvements in corporate security.

This report is exclusive to members of the Internet Security Alliance.

PRIVACY 2008: LOCAL & GLOBAL RISKS

A new ISAlliance/CyLab Enterprise Risk Integration Program (EIP) Risk Perspective on Privacy will be presented in January 2008.

The privacy landscape has changed significantly over the past year. Many new laws and regulatory requirements are creating new risks and compliance obligations that affect operations in numerous ways. In addition, the U.S. has a number of privacy laws pending at the federal level, and the Federal Trade Commission has continued its enforcement role in the privacy arena. The EU's advisory body on data protection, the Article 29 Working Party, has also been active and has issued opinions and working documents on the concept of personal data and on monitoring in the workplace.

This Risk Perspective will examine the legal and policy implications at both the national and international levels. It will explain the resulting managerial and operational considerations and will address technical implications and new privacy risks, such as those caused by bots and peer-to-peer software.

This Perspective focuses on privacy (referred to as data protection in some jurisdictions) requirements and the confusing array of laws and pending legislation regarding various privacy-related issues, including identity theft and the handling of personally identifiable information (PII). A series of “Inform-inars” (a combination of teleconference and web slides) follows each Perspective to enable CyLab and ISAlliance members to delve more deeply into the topic area and enhance their understanding of the covered risks. The events scheduled around this Privacy Risk Perspective are to be held on:

January 9 Privacy Legal Perspective: Global Legal Framework & Legislative Activity
Jody Westby, Distinguished Fellow, CyLab
David Sohn, Staff Counsel, Center for Democracy & Technology

January 15, 2008 Privacy Policy Perspective: Privacy Enforcement Risks
Jody Westby, Distinguished Fellow, CyLab, Moderator
Don Blumenthal, Sr. Principal, Global Cyber Risk LLC (former Internet Lab Coordinator for FTC)
Francoise Gilbert, Managing Director, IT Law Group

January 22, 2008 Privacy Managerial/Operational Perspective: Managing Privacy Risks
Jody Westby, Distinguished Fellow, CyLab
Christopher Rittweger, Partner, Baker & McKenzie, Munich

January 29, 2008 Privacy Technical Perspective: Privacy Technology Solutions
Robert Mannal, Senior Manager, Product Marketing & Management, Vericept Corp.
Chet Hosmer, Chief Technology Officer, WetStone Technologies, Inc.

The Privacy Risk Management White Paper is now available in the members-only area.

Here is the Executive Summary from the 2007 Privacy Report, which is archived in the Members Only area:

    In this report we examine the state of online privacy at the end of 2006 through the lens of website privacy policies. We look at three main areas: privacy practices of the most popular websites as compared with a random sample of websites that post privacy policies, privacy policies of websites in the US financial industry, and trends in the adoption of the Platform for Privacy Preferences (P3P).

    In our first section, Comparison of Popular Websites to Random Websites, we contrast the privacy practices of the most-visited websites to the rest of the web. We see how privacy protections differ between the most popular websites and a random selection of websites. Popular sites are still more likely to provide privacy policies than random sites. However, while the percentage of random sites with privacy policies has improved from 77% in 2001 to 88% in 2006, popular sites fell slightly from 99% in 2001 to 96% in 2006. At the highest level, the most popular sites collect more data and share it widely. However, the randomly selected sites provide fewer ways for customers to contest errors. We also demonstrate that privacy policies still require a college education to understand.

    In our second section, Focus on Financial Industry, we take an in depth look at the effect of the Gramm-Leach-Bliley Act (GLB) on the financial industry. We find the information available to consumers about financial institution privacy practices is more concrete, with fewer uncertainties since GLB went into effect. Unfortunately, those practices have not improved – and data sharing is even more widespread today than before the law was enacted. We also find that while privacy policies still require a college education to understand, institutions switched from using an industry standard privacy policy to a sample FCC privacy policy. This suggests future outcomes could be improved by providing better sample policies.

    In our third section, Platform for Privacy Preferences, we look at P3P-enabled websites. We find the most popular sites are more likely to have P3P than less popular websites and that P3P has world-wide acceptance. P3P-enabled websites in the European Union are more privacy protective than non-EU P3P-enabled websites. We discuss differences between privacy practices by industry segment (shopping, government, news and media, computers, banking, business to business, adult, blogs, and education). We show that P3P deployment continues to increase. Finally, we present an analysis of errors in P3P policies. While we found 73% of P3P policies have errors, only 5% of those are critical errors.