Incorporating Ethics Into Your Credit Union's Data Protection Practices
November 18, 2015
Sponsored by Affinion Benefits Group

Sheila Colclasure, Chief Privacy Officer Acxiom

Vanessa Stanfield, Client Program Director Affinion Benefits Group

Regulatory Guidance Sources
• Gramm-Leach-Bliley Act
• NCUA Letter No. 02-CU-02 - Privacy of Consumer Financial Information
• Federal Financial Institutions Examination Council - Information Security IT Examination Handbook

Consumer Financial Privacy – Information Security Objectives
• Availability
• Integrity of data
• Confidentiality of data
• Accountability
• Assurance

PRIVACY Points to Ponder…


Acxiom Pillar… Ethical Data Use
• Mature Program
• Continuous Evolution
• Designed Around Ethics
• Accountability & Measurement

Navigating New Issues
History of Data and Privacy
• Top of Mind for Decades
• Active collection
• Consent based uses
• PII and Aggregate
• Batch enabled
• Industry way ahead of regulation

Big Data = Big Changes
• Volume, Velocity, Variety and Analytics
• PII, DII, Pseudo anonymous, De-identified
• Passive vs active collection
• Passive vs active sharing
• Definition of “sensitive data” evolving
• New harms

Sensor enabled world…

Recognize Different Data Types
• Personal Data (PII)
  − Personally Identifiable
• Non-Personal Data (Non-PII)
  − Device Identifiable
• De-identified Data
  − Data with personal/device IDs removed
• Aggregate Data
  − Data about a number of people or devices

PII vs. Anonymous - Definitions
Covered Information / Choice:
• PII – Personally Identifiable Information
• DII – Device Identifiable Information
• SANI – Pseudo-anonymous Information
• De-ID – De-Identified Information
• AGI – Aggregate Information

[Diagram: Ease of Technical Re-identification, running from PII / Personal (100%) through SANI / Pseudoanonymous to ANI / Anonymous (0%)]
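The two preceding slides describe a ladder of data types (PII and DII, pseudo-anonymous, de-identified, aggregate) and a scale of how easily each can be technically re-identified. The following added example, which is not code from the presentation or from Acxiom, walks a set of constructed member records down that ladder. The field names, the sample members, the HMAC key and the use of a keyed hash as the pseudonymization step are all assumptions made for the illustration.

```python
"""Added example (not from the presentation): walking constructed member records
down the data-type ladder the slides describe, PII -> pseudo-anonymous ->
de-identified -> aggregate, and checking how re-identifiable each stage remains."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records: personal identifiers (PII), a device identifier (DII)
# and a few attributes. Names, domains and ids are made up for this example.
RECORDS = [
    {"name": "Ada Member", "email": "ada@example.com", "device_id": "DEV-111",
     "zip": "72201", "age": 34, "product": "auto loan"},
    {"name": "Ben Member", "email": "ben@example.com", "device_id": "DEV-222",
     "zip": "72201", "age": 41, "product": "mortgage"},
    {"name": "Cy Member", "email": "cy@example.com", "device_id": "DEV-333",
     "zip": "72202", "age": 29, "product": "auto loan"},
    {"name": "Di Member", "email": "di@example.com", "device_id": "DEV-444",
     "zip": "72202", "age": 58, "product": "mortgage"},
]

PERSONAL_IDS = ("name", "email")   # PII: fields that identify the person
DEVICE_IDS = ("device_id",)        # DII: fields that identify the device
IDENTIFIERS = PERSONAL_IDS + DEVICE_IDS


def pseudonymize(record, key):
    """Pseudo-anonymous (SANI) stage: direct identifiers are replaced by a keyed
    hash (HMAC-SHA256, an assumed choice). Rows stay linkable for whoever holds
    the key, so this sits near the PII end of the re-identification scale."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIERS}
    material = (record["email"].lower() + "|" + record["device_id"]).encode()
    out["pseudonym"] = hmac.new(key, material, hashlib.sha256).hexdigest()[:16]
    return out


def deidentify(record):
    """De-identified stage: personal and device ids removed, no token kept."""
    return {k: v for k, v in record.items() if k not in IDENTIFIERS}


def aggregate(records, field):
    """Aggregate stage: counts over the population, no per-person rows at all."""
    return dict(Counter(r[field] for r in records))


def smallest_group(records, quasi_identifiers):
    """Size of the smallest group of rows sharing the same quasi-identifier values.
    A result of 1 means some row is unique on those attributes, so a de-identified
    row can still be re-identified by linking it to another dataset."""
    groups = Counter(tuple(r[f] for f in quasi_identifiers) for r in records)
    return min(groups.values())


if __name__ == "__main__":
    key = b"constructed-demo-key"          # assumed, would be a managed secret in practice
    deid = [deidentify(r) for r in RECORDS]
    print(pseudonymize(RECORDS[0], key))
    print(deid[0])
    print(aggregate(RECORDS, "product"))
    print("smallest group on zip:", smallest_group(deid, ("zip",)))
    print("smallest group on zip+age:", smallest_group(deid, ("zip", "age")))
```

The point of `smallest_group` is the caveat the scale implies: removing IDs moves data toward the anonymous end but does not reach it, because a de-identified row that is unique on ordinary attributes such as zip code and age is still a re-identification candidate, while the aggregate counts are not.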

Sensitive Data Evolving – New Harms
Historically Sensitive Commercial Data
» Identification, Financial, Medical, Children
New Categories of Sensitive Commercial Data
» Precise geo-location
» At-risk populations (children & elderly)
» Teens – 0-12, 13-17
» Elderly = over 60
» Social network information (public & non-public)
» Biometrics & Facial recognition
» Modeled Data
Traditional Harm
» Financial, Physical
New Harms
» Social Harms, Emotional, Reputational

[Diagram labels: Identification, Finances, Medical, Facial Recognition, Biometrics, Location, Social Networks, At Risk Populations]

International Rules
Different in Every Country
• Social and cultural norms
• Laws: collection, use, sharing
• Different Definitions: PII, Anonymous, De-identified
• Use Specific Laws
• Data Available: less data, different data, no data
• Regulatory and Enforcement Approach

Global Data Transfer Requirements
• Forced Localization

Threading the Needle
Law and Regulation
• GLBA, HIPAA, HITECH, FCRA, ECOA, VPA, COPPA, CFaAA
• FTC, CFPB, HHS, State AGs

Co-Regulation
• DMA, DAA, NAI, ESPC, MMA

Company Rules
• Best Practices
• Support Brand
• Extrapolate for New Capabilities

Measurement and Accountability
• Brand Trust – Affinity, Loyalty, Longevity
• Operationally
• Sustainability

Attitudes About Big Data – 20 Years of Consumer Attitudes
• 60% Pragmatist
• 30% Fundamentalist
• 10% Unconcerned

Examples of Big Data individuals can understand…
• Search is Big Data for consumers.
• Digital Advertising is Big Data for consumers.

Brands Care…a lot
• JPMorgan Hack Hitting 76 Million Homes: After J.P. Morgan breach, should customers move their money?
• TARGET: Local shoppers react to Target security breach
• SNAPCHAT Settles FTC Charges That Promises of Disappearing Messages Were False
• SNAPCHAT Transmitted Users’ Location and Collected Their Address Books Without Notice Or Consent
• FACEBOOK Sued, Customer Privacy Issues Revisited
• FACEBOOK "Furious" Arguments, "Major Implications" in Facebook Case: Facebook "illegally scans private messages for content it can use for targeted advertising"
• GOOGLE must mediate privacy claims: enter into mediation with consumers who claim that the search giant transferred their names and contact information to third parties after they downloaded or purchased apps.
• SEARS sued over privacy breach: Class-action lawsuit seeks damages after making purchase history of customers public on its managemyhome.com web site.
• ATTORNEY GENERAL Jepsen Talks Privacy Enforcement, FTC Collaboration: Attorneys general are increasingly becoming de facto privacy regulators.
• HOME DEPOT: AGs Probing Home Depot Breach. The attorneys general (AGs) of Connecticut, Illinois and California are leading a multi-state probe

Privacy By Design / Privacy Engineering
• Privacy strategy and implementation: company initiative
• Privacy and data protection: embedded throughout the entire life cycle of technical development from the onset of design through deployment and use.
• Google’s Red Team
• Yahoo’s Paranoid Team
• MIT program, Harvard program
• (computer) Code is Conduct

eMail Sending and CAN-Spam


The CAN SPAM Act
– Effective January 2004 (preempts most state laws)
– Can-Spam provides a single, Federal standard for commercial email
  • Regulates the sending of commercial email
    – i.e. email whose primary purpose is promoting goods or services
  • Regulates the form, but does not regulate permission level/quality or quantity (with two exceptions)
  • Sets minimum requirements on transactional messages
  • Preempts state laws that deal explicitly with permission, but does not preempt state laws that deal with fraud
  • ISPs, the FTC and States’ Attorneys General can bring charges
– Law subject to amendments by the Federal Trade Commission (FTC)
  • The FTC regulates general business practices and commercial trade

Levels of Compliance – Marketer Responsibilities (from most to least stringent)
4. Third Party Blacklist Sites (Spamhaus, Spamcop): the most stringent and conservative, based on their own rules and interpretation of permission. CONSEQUENCES: Broad blocks on multiple ISP/Receiver
3. Receivers/ISPs (MSN, Google, Comcast): more stringent; deals with the content of the message, the permission of the consumer and reputation. CONSEQUENCES: Domain block of all email sends
2. Best Practices (Permission, Cadence guidelines, Attrition rules): greater than the law requirements and can be vertical focused. CONSEQUENCES: Unengaged consumers, brand equity
1. Can-Spam & Related Legislation: minimum compliance standard that spans all verticals and business types. CONSEQUENCES: Monetary fines

Main Requirements
1. Don’t use false or misleading header information.
2. Don’t use deceptive subject lines.
3. Identify the message as an ad.
4. Tell recipients where you’re located.
5. Tell recipients how to opt out of receiving future email from you.
6. Honor opt-out requests promptly.
7. Monitor what others are doing on your behalf.

Transactional Emails under Can-Spam
– The following email types are usually transactional:
  • Complete/confirm a commercial transaction
  • Provide warranty/product safety information
  • Account status/subscription notifications
  • Employer-offered benefits, even those sent by a 3rd party
  • Product or service the recipient is entitled to receive
  • Legally mandated notifications/announcements

Privacy Implications for Email Appends & List Rental
– Email addresses collected with proper consent
  • Email addresses must be provided with consent (opt-in or opt-out) to allow the data vendor to share addresses with 3rd parties for marketing purposes
    – The FTC settled a lawsuit with Datran Media for fraudulently using email addresses in violation of the privacy policy they were collected under
  • Email addresses cannot be automatically generated, harvested from websites, or sourced from suppression files
  • Email addresses registered to wireless domains with the FCC must be suppressed
– Clients SHOULD use reputable data vendors for email append services
  • Failure to do so could result in client-side commercial email and corporate domain blocks
  • Clients should ask the data vendor what its list hygiene strategies are
– In most cases, newly acquired addresses do not override previous opt-outs
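The slide above lists the checks an appended list has to pass before it is mailed: recorded consent, no harvested or generated addresses, suppression of wireless domains, and prior opt-outs that a newly acquired address does not override. The following added example, which is not code from the presentation or from Acxiom, applies those checks to a constructed vendor batch. The record field names (`email`, `consent`, `consent_date`, `source`), the allowed source labels, the wireless domain names and the opt-out dates are all assumptions; the FCC publishes the real wireless domain list and this stand-in set only illustrates the lookup.

```python
"""Added example (not from the presentation): screening an appended e-mail batch
against prior opt-outs, wireless domains, consent and provenance before any send.
All addresses, domains, dates and field names are constructed for the example."""
from datetime import date

# Constructed stand-in for the FCC wireless domain list.
WIRELESS_DOMAINS = {"sms.example-mobile.com", "txt.example-carrier.net"}

# Constructed suppression file: address -> date the person opted out.
OPT_OUTS = {"ben@example.com": date(2015, 3, 1)}

# Provenance labels the vendor is assumed to tag each record with. Anything else
# (harvested, generated, unknown) is rejected.
ALLOWED_SOURCES = {"web form", "in-branch enrollment"}

# Constructed appended batch as a vendor might deliver it.
APPENDED = [
    {"email": "ada@example.com", "consent": "opt-in",
     "consent_date": date(2015, 9, 1), "source": "web form"},
    # Consent dated after the 2015-03-01 opt-out: the opt-out still wins.
    {"email": "Ben@Example.com", "consent": "opt-in",
     "consent_date": date(2015, 10, 1), "source": "web form"},
    {"email": "cy@sms.example-mobile.com", "consent": "opt-in",
     "consent_date": date(2015, 9, 5), "source": "web form"},
    {"email": "dee@example.com", "consent": None,
     "consent_date": None, "source": "web form"},
    {"email": "eve@example.com", "consent": "opt-in",
     "consent_date": date(2015, 9, 9), "source": "web crawl"},
    {"email": "ada@example.com ", "consent": "opt-in",
     "consent_date": date(2015, 9, 2), "source": "web form"},
]


def normalize(address):
    """Case-fold and trim so the same mailbox cannot slip past a suppression entry."""
    return address.strip().lower()


def rejection_reason(record, opt_outs, wireless_domains, allowed_sources):
    """Return why a record must be suppressed, or None if it may be mailed.
    consent_date is deliberately not consulted: a prior opt-out stands even when
    the newly acquired consent is dated later."""
    addr = normalize(record["email"])
    if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
        return "malformed address"
    domain = addr.rsplit("@", 1)[1]
    if record.get("source") not in allowed_sources:
        return "disallowed source"
    if record.get("consent") not in ("opt-in", "opt-out"):
        return "no recorded consent"
    if domain in wireless_domains:
        return "wireless domain"
    if addr in opt_outs:
        return "prior opt-out"
    return None


def screen(appended, opt_outs=OPT_OUTS, wireless_domains=WIRELESS_DOMAINS,
           allowed_sources=ALLOWED_SOURCES):
    """Split a batch into mailable addresses and a list of (address, reason) rejections."""
    kept, rejected = [], []
    for rec in appended:
        addr = normalize(rec["email"])
        reason = rejection_reason(rec, opt_outs, wireless_domains, allowed_sources)
        if reason is None and addr in kept:
            reason = "duplicate"
        if reason is None:
            kept.append(addr)
        else:
            rejected.append((addr, reason))
    return kept, rejected


if __name__ == "__main__":
    kept, rejected = screen(APPENDED)
    print("mailable:", kept)
    for addr, reason in rejected:
        print(f"suppressed {addr}: {reason}")
```

The rejection log is the part worth keeping: it is what a client can show a vendor when asking about its list hygiene, and it records that the opt-out for the second address was honored even though the vendor supplied newer consent for it.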

Accountability & Measurement
Client Credentialing: Legitimate entity, legitimate interests
• on-site inspection possible

Vendor Screening and Accountability Program
• You are your vendors’ keeper

Line of business accountability
• Leadership required to be accountable for the operational compliance of their products, solutions, services

Individual employee accountability
• Achieve excellence - each employee accountable for applying rules, spotting issues, reporting problems, assigned education

Assurance Reviews
- Fair Information Practices – annually
- Functional Area/Line of Business Audits
- Privacy Impact Assessment

• Understanding and applying the rules to business processes is complex – yet critical
• Computer Code is the Conduct

Industry Groups and Self-Regulatory Groups w/ Codes of Conduct

U.S. and Canada
• International Association of Privacy Professionals (IAPP — a worldwide organization)
• Direct Marketing Association
• Digital Advertising Alliance
• Interactive Advertising Bureau
• Email Sender and Provider Coalition
• Coalition for Sensible Public Record Access
• Policy and Economic Research Council
• National Business Coalition for Ecommerce & Privacy
• US Chamber of Commerce
• California Chamber of Commerce
• Arkansas Chamber of Commerce
• Conference of Western Attorneys General
• Mobile Marketing Association
• Information Accountability Foundation

Asia/Pacific and Latin America
• Asia Digital Marketing Association (ADMA)
• Asia Chapter of the American Chamber of Commerce (AMCHAM)
• Ad:Tech Asia
• Hong Kong Direct Marketing Association (HKDMA)
• Direct Marketing Association of Singapore (DMAS)
• Australian Association for Data-Driven Marketing & Advertising
• New Zealand Marketing Association (NZMA)
• Brazilian Direct Marketing Association (ABEMD)
• Brazilian Chapter of the American Chamber of Commerce (AMCHAM)
• Brazilian Interactive Advertising Bureau

Europe
• International Chamber of Commerce (ICC)
• Federation of European Direct and Interactive Marketing Associations (FEDMA)
• European Privacy Advisory Group (EPAG)
• French National Syndicate of Direct Marketing (SNCD: Syndicat National de la Communication Directe)
• French Privacy Officers’ Association (AFCDP: Association Française des Correspondants Données Personnelles)
• Interactive Advertising Bureau France
• German Direct Marketing Association (DDV: Deutsche Direktmarketing Verband)
• German Federal Association of Digital Economy (BVDW: Bundesverband Digitale Wirtschaft)
• German Association for Data Protection and Data Security (GDD: Gesellschaft für Datenschutz und Datensicherheit)
• Dutch Association of Data Protection Officers (NGFG: Nederlands Genootschap van Functionarissen voor de Gegevensbescherming)
• Polish Direct Marketing Association (SMB: Stowarzyszenie Marketingu Bezposredniego)
• Polish Information Security Administrators Association (SABI: Stowarzyszenie Administratorów Informacji)
• Interactive Advertising Bureau Poland (Związek Pracodawców Branży Internetowej IAB Polska)
• UK Direct Marketing Association (DMA)
• Interactive Advertising Bureau UK

AboutTheData
About The Data – Launched 9/4/13
• # of visitors: 750K
• % returning users: 17%
• % opt out: 2%
• % creating accounts: 37%
• % editing: 12%

Big Data Ethics – Unified Ethical Framework
Part B – Contextual Interrogation Worksheet
• Characterizing the Project: Purpose, Sources, Preparation, Accuracy, Insights, Accountability, Stakeholders
• Beneficial: Benefits, Risks/Mitigations, Risk/Benefit Analysis
• Progressive: Outcomes
• Sustainable: Sources, Insights
• Respectful
• Fair

Improving Global Dialogue
Ethical Marketing Forum Series
• FTC Commissioners, Consumer Advocates, Think Tanks, Company Leaders, UK, FR, DE, CN

Grant to IAF
• fund research & development of Global Unified Ethical Framework: methodic, deliberate governance approach accounting for uses of data, data involved, all stakeholder groups impacted, potential harms to each, values to each and achieving fair balance

Data4Good
BBB Digi-IQ for Consumers
CEO Scott Howe’s Marketing Data Doctrine
AboutTheData.com/ and ItsUpToMe
• Consumer Voice and Choice

Good Relationship with Our Regulators
• FTC
• State AGs

Digital Future – Ethical Data Use
• Notice and Choice won’t work with 3-Vs
  − Digital Patient, Smart Car, Smart Phone
  − Wearables, Ingestibles
• Privacy by Design/ Privacy Engineering
  − Extremely careful in digital build-out
  − Bright-line between 1st and 3rd party data
  − Stay in sync w/ policy and compliance
• Can’t have Privacy without Security
  − Security Technology must evolve
  − Privacy is Data Use – Must Evolve
• Must be part of the innovation and tech stack

Acxiom Ethical Data Use Team aka Privacy


Any Questions?

Thank you!
