Incorporating Ethics Into Your Credit Union's Data Protection Practices November 18, 2015 Sponsored by Affinion Benefits Group
Sheila Colclasure, Chief Privacy Officer Acxiom
Vanessa Stanfield, Client Program Director Affinion Benefits Group
Regulatory Guidance Sources
• Gramm-Leach-Bliley Act
• NCUA Letter No. 02-CU-02 - Privacy of Consumer Financial Information
• Federal Financial Institutions Examination Council - Information Security IT Examination Handbook
Consumer Financial Privacy – Information Security Objectives
• Availability
• Integrity of data
• Confidentiality of data
• Accountability
• Assurance
PRIVACY Points to Ponder…
Acxiom Pillar… Ethical Data Use
• Mature Program
• Continuous Evolution
• Designed Around Ethics
• Accountability & Measurement
Navigating New Issues
History of Data and Privacy
• Top of mind for decades
• Active collection
• Consent-based uses
• PII and aggregate
• Batch enabled
• Industry way ahead of regulation
Big Data = Big Changes
• Volume, Velocity, Variety and Analytics
• PII, DII, pseudo-anonymous, de-identified
• Passive vs. active collection
• Passive vs. active sharing
• Definition of “sensitive data” evolving
• New harms
Sensor enabled world…
Recognize Different Data Types
• Personal Data (PII)
− Personally identifiable
• Non-Personal Data (Non-PII)
− Device identifiable
• De-identified Data
− Data with personal/device IDs removed
• Aggregate Data
− Data about a number of people or devices
PII vs. Anonymous - Definitions
(Spectrum diagram: from Covered Information with Choice to Anonymous; Ease of Technical Re-identification runs from 100% for PII/Personal to 0% for Anonymous.)
• PII – Personally Identifiable Information
• DII – Device Identifiable Information
• SANI – Pseudo-anonymous information
• De-ID – De-Identified Information
• ANI – Anonymous
• AGI – Aggregate Information
Sensitive Data Evolving – New Harms
(Figure labels: Identification, Finances, Medical, Facial Recognition, Biometrics, Location, Social Networks, At Risk Populations)
• Historically Sensitive Commercial Data
» Identification, Financial, Medical, Children
• New Categories of Sensitive Commercial Data
» Precise geo-location
» At-risk populations (children & elderly)
» Teens – 0-12, 13-17
» Elderly = over 60
» Social network information (public & non-public)
» Biometrics & facial recognition
» Modeled data
• Traditional Harm
» Financial, Physical
• New Harms
» Social harms, Emotional, Reputational
International Rules – Different in Every Country
• Social and cultural norms
• Laws: collection, use, sharing
• Different definitions: PII, Anonymous, De-identified
• Use-specific laws
• Data available: less data, different data, no data
• Regulatory and enforcement approach
Global Data Transfer Requirements
• Forced localization
Threading the Needle
Law and Regulation
• GLBA, HIPAA, HITECH, FCRA, ECOA, VPA, COPPA, CFaAA
• FTC, CFPB, HHS, State AGs
Co-Regulation
• DMA, DAA, NAI, ESPC, MMA
Company Rules
• Best practices
• Support brand
• Extrapolate for new capabilities
Measurement and Accountability
• Brand trust – affinity, loyalty, longevity
• Operationally
• Sustainability
Attitudes About Big Data – 20 Years of Consumer Attitudes
• 60% Pragmatist
• 30% Fundamentalist
• 10% Unconcerned
Examples of Big Data individuals can understand…
• Search is Big Data for consumers.
• Digital advertising is Big Data for consumers.
Brands Care…a lot (headlines)
• JPMorgan Hack Hitting 76 Million Homes: After J.P. Morgan breach, should customers move their money?
• TARGET: Local shoppers react to Target security breach
• SNAPCHAT Settles FTC Charges That Promises of Disappearing Messages Were False
• SNAPCHAT Transmitted Users’ Location and Collected Their Address Books Without Notice Or Consent
• FACEBOOK Sued, Customer Privacy Issues Revisited
• FACEBOOK: "Furious" Arguments, "Major Implications" in Facebook Case: Facebook "illegally scans private messages for content it can use for targeted advertising"
• GOOGLE must mediate privacy claims: enter into mediation with consumers who claim that the search giant transferred their names and contact information to third parties after they downloaded or purchased apps.
• SEARS sued over privacy breach: Class-action lawsuit seeks damages after making purchase history of customers public on its managemyhome.com web site.
• ATTORNEY GENERAL Jepsen Talks Privacy Enforcement, FTC Collaboration: Attorneys general are increasingly becoming de facto privacy regulators.
• HOME DEPOT: AGs Probing Home Depot Breach. The attorneys general (AGs) of Connecticut, Illinois and California are leading a multi-state probe
Privacy By Design / Privacy Engineering
• Privacy strategy and implementation: company initiative
• Privacy and data protection: embedded throughout the entire life cycle of technical development, from the onset of design through deployment and use.
• Google’s Red Team
• Yahoo’s Paranoid Team
• MIT program, Harvard program
• (Computer) Code is Conduct
eMail Sending and CAN-Spam
The CAN-SPAM Act
– Effective January 2004 (preempts most state laws)
– CAN-SPAM provides a single, federal standard for commercial email
• Regulates the sending of commercial email
– i.e., email whose primary purpose is promoting goods or services
• Regulates the form, but does not regulate permission level/quality or quantity (with two exceptions)
• Sets minimum requirements on transactional messages
• Preempts state laws that deal explicitly with permission, but does not preempt state laws that deal with fraud
• ISPs, the FTC and State Attorneys General can bring charges
– Law subject to amendments by the Federal Trade Commission (FTC)
• The FTC regulates general business practices and commercial trade
Levels of Compliance – Marketer Responsibilities
(Pyramid diagram, from most to least stringent)
4. Third Party Blacklist Sites (Spamhaus, Spamcop)
• The most stringent and conservative, based on their own rules and interpretation of permission
• CONSEQUENCES: Broad blocks on multiple ISPs/Receivers
3. Receivers/ISPs (MSN, Google, Comcast)
• More stringent; deals with content of the message, permission of the consumer and reputation
• CONSEQUENCES: Domain block of all email sends
2. Best Practices (Permission, Cadence guidelines, Attrition rules)
• Greater than the law requirements and can be vertical focused
• CONSEQUENCES: Unengaged consumers, brand equity
1. CAN-SPAM & Related Legislation
• Minimum compliance standard that spans all verticals and business types
• CONSEQUENCES: Monetary fines
Main Requirements
1. Don’t use false or misleading header information
2. Don’t use deceptive subject lines
3. Identify the message as an ad
4. Tell recipients where you’re located
5. Tell recipients how to opt out of receiving future email from you
6. Honor opt-out requests promptly
7. Monitor what others are doing on your behalf
Transactional Emails under CAN-SPAM – The following email types are usually transactional:
• Complete/confirm a commercial transaction
• Provide warranty/product safety information
• Account status/subscription notifications
• Employer-offered benefits, even those sent by a 3rd party
• Product or service the recipient is entitled to receive
• Legally mandated notifications/announcements
Privacy Implications for Email Appends & List Rental
– Email addresses collected with proper consent
• Email addresses must be provided with consent (opt-in or opt-out) that allows the data vendor to share addresses with 3rd parties for marketing purposes
• Email addresses cannot be automatically generated, harvested from websites, or sourced from suppression files
• Email addresses registered to wireless domains with the FCC must be suppressed
– The FTC settled a lawsuit with Datran Media for fraudulently using email addresses in violation of the privacy policy they were collected under
– Clients SHOULD use reputable data vendors for email append services
• Failure to do so could result in client-side commercial email and corporate domain blocks
• Clients should ask the data vendor what its list hygiene strategies are
– In most cases, newly acquired addresses do not override previous opt-outs
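As an added illustration (not from the presentation or from Acxiom/Affinion), the following list-hygiene screen applies two of the rules above to an appended address file: addresses at FCC-listed wireless domains are suppressed, and a prior opt-out always wins over a newly appended address. The wireless-domain list and the addresses are constructed placeholders; a sender must obtain and refresh the real FCC list.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed placeholders: the real FCC wireless-domain list is the source of truth.
FCC_WIRELESS_DOMAINS: Set[str] = {"wireless.example", "mms.carrier.example"}
PRIOR_OPT_OUTS: Set[str] = {"Alice@Example.org"}  # constructed prior opt-out record


def normalize(addr: str) -> str:
    """Lower-case the whole address for matching. Conservative on purpose:
    treating the local part as case-insensitive means an opt-out is never
    missed because of capitalisation differences between files."""
    return addr.strip().lower()


def is_wireless(domain: str, wireless_domains: Set[str]) -> bool:
    """Assumption: a listed domain also covers its subdomains."""
    return any(domain == w or domain.endswith("." + w) for w in wireless_domains)


def screen_append(candidates: Iterable[str],
                  wireless_domains: Set[str] = FCC_WIRELESS_DOMAINS,
                  opt_outs: Set[str] = PRIOR_OPT_OUTS) -> Tuple[List[str], Dict[str, str]]:
    """Return (deliverable, suppressed); suppressed maps address -> reason.
    Order of checks: malformed, prior opt-out, wireless domain."""
    opt_out_set = {normalize(a) for a in opt_outs}
    deliverable: List[str] = []
    suppressed: Dict[str, str] = {}
    seen: Set[str] = set()
    for raw in candidates:
        addr = normalize(raw)
        if addr in seen:
            continue  # duplicate within the appended file
        seen.add(addr)
        local, sep, domain = addr.rpartition("@")
        if not sep or not local or "." not in domain:
            suppressed[addr] = "malformed"
        elif addr in opt_out_set:
            suppressed[addr] = "prior opt-out"   # newly appended address never overrides it
        elif is_wireless(domain, wireless_domains):
            suppressed[addr] = "FCC wireless domain"
        else:
            deliverable.append(addr)
    return deliverable, suppressed


# Constructed sample append file.
SAMPLE_APPEND = ["bob@example.com", "alice@example.org",
                 "carol@sub.wireless.example", "bad-address", "Bob@EXAMPLE.com"]

if __name__ == "__main__":
    ok, dropped = screen_append(SAMPLE_APPEND)
    print("deliverable:", ok)
    print("suppressed:", dropped)
```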
Accountability & Measurement
• Client Credentialing: legitimate entity, legitimate interests
− On-site inspection possible
• Vendor Screening and Accountability Program
− You are your vendors’ keeper
• Line of business accountability
− Leadership required to be accountable for the operational compliance of their products, solutions and services
• Individual employee accountability
− Achieve excellence: each employee accountable for applying rules, spotting issues, reporting problems and completing assigned education
• Assurance Reviews
− Fair Information Practices – annually
− Functional Area/Line of Business audits
− Privacy Impact Assessment
• Understanding and applying the rules to business processes is complex – yet critical
• Computer Code is the Conduct
Industry Groups and Self-Regulatory Groups w/ Codes of Conduct
U.S. and Canada
• International Association of Privacy Professionals (IAPP, a worldwide organization)
• Direct Marketing Association
• Digital Advertising Alliance
• Interactive Advertising Bureau
• Email Sender and Provider Coalition
• Coalition for Sensible Public Record Access
• Policy and Economic Research Council
• National Business Coalition for Ecommerce & Privacy
• US Chamber of Commerce
• California Chamber of Commerce
• Arkansas Chamber of Commerce
• Conference of Western Attorneys General
• Mobile Marketing Association
• Information Accountability Foundation
Asia/Pacific and Latin America
• Asia Digital Marketing Association (ADMA)
• Asia Chapter of the American Chamber of Commerce (AMCHAM)
• Ad:Tech Asia
• Hong Kong Direct Marketing Association (HKDMA)
• Direct Marketing Association of Singapore (DMAS)
• Australian Association for Data-Driven Marketing & Advertising
• New Zealand Marketing Association (NZMA)
• Brazilian Direct Marketing Association (ABEMD)
• Brazilian Chapter of the American Chamber of Commerce (AMCHAM)
• Brazilian Interactive Advertising Bureau
Industry Groups and Self-Regulatory Groups w/ Codes of Conduct
Europe
• International Chamber of Commerce (ICC)
• Federation of European Direct and Interactive Marketing Associations (FEDMA)
• European Privacy Advisory Group (EPAG)
• French National Syndicate of Direct Marketing (SNCD: Syndicat National de la Communication Directe)
• French Privacy Officers’ Association (AFCDP: Association Française des Correspondants Données Personnelles)
• Interactive Advertising Bureau France
• German Direct Marketing Association (DDV: Deutsche Direktmarketing Verband)
• German Federal Association of Digital Economy (BVDW: Bundesverband Digitale Wirtschaft)
• German Association for Data Protection and Data Security (GDD: Gesellschaft für Datenschutz und Datensicherheit)
• Dutch Association of Data Protection Officers (NGFG: Nederlands Genootschap van Functionarissen voor de Gegevensbescherming)
• Polish Direct Marketing Association (SMB: Stowarzyszenie Marketingu Bezposredniego)
• Polish Information Security Administrators Association (SABI: Stowarzyszenie Administratorów Informacji)
• Interactive Advertising Bureau Poland (Związek Pracodawców Branży Internetowej IAB Polska)
• UK Direct Marketing Association (DMA)
• Interactive Advertising Bureau UK
AboutTheData – About The Data, launched 9/4/13
• # of visitors: 750K
• % returning users: 17%
• % opt out: 2%
• % creating accounts: 37%
• % editing: 12%
Big Data Ethics – Unified Ethical Framework, Part B – Contextual Interrogation Worksheet
• Characterizing the Project: Purpose, Sources, Preparation, Accuracy, Insights, Accountability, Stakeholders
• Beneficial: Benefits, Risks/Mitigations, Risk/Benefit Analysis
• Progressive: Outcomes
• Sustainable: Sources, Insights
• Respectful
• Fair
Improving Global Dialogue
Ethical Marketing Forum Series
• FTC Commissioners, Consumer Advocates, Think Tanks, Company Leaders, UK, FR, DE, CN
Grant to IAF
• Fund research & development of a Global Unified Ethical Framework: a methodical, deliberate governance approach accounting for uses of data, data involved, all stakeholder groups impacted, potential harms to each, values to each, and achieving a fair balance
Data4Good, BBB Digi-IQ for Consumers, CEO Scott Howe’s Marketing Data Doctrine, AboutTheData.com and ItsUpToMe
• Consumer voice and choice
Good Relationship with Our Regulators
• FTC
• State AGs
Digital Future – Ethical Data Use
• Notice and Choice won’t work with the 3 Vs
− Digital patient, smart car, smart phone
− Wearables, ingestibles
• Privacy by Design / Privacy Engineering
− Extremely careful in digital build-out
− Bright line between 1st and 3rd party data
− Stay in sync w/ policy and compliance
• Can’t have Privacy without Security
− Security technology must evolve
− Privacy is data use – must evolve
• Must be part of the innovation and tech stack
Acxiom Ethical Data Use Team aka Privacy
Any Questions?
Thank you!