Data Privacy and SecurityProf Sunil Wattal

Consumer Analytics Analytics with consumer data to derive

meaningful insights on actions and behaviors of consumers

Generally with the intention to offer products and services in a targeted manner.

What could be wrong with that:

Target

Doubleclick

Facebook Beacon

The dark side of data analytics

List instances of information about you being collected and stored

Invisible Information Gathering

Examples: 800- or 900-number calls. Loyalty cards. Web-tracking data; cookies. Warranty cards. Purchasing records. Membership lists. Web activity. Change-of-address forms. GPS Cell Phones Smart Phones

Using Consumer Information

Data Mining & Targeted Marketing Trading/buying customer lists. Telemarketing. Data Mining. Mass-marketing. Web ads. Spam (unsolicited e-mail). Credit Records

Privacy

What is privacy? Freedom from intrusion (being left alone) Control of information about oneself Freedom from surveillance (being tracked, followed, watched)

Why are some things free?

If a service does not charge you money, then you are paying in other ways Marketing and Advertising Privacy

Facebook has 1 Billion monthly active users Revenues for Q2’12: $1.18 Billion, 84% from ads

Linkedin Marketing Solutions: $63.1 Million

Twitter uses Promoted Tweets based on you

Consumer Protection Costly and disruptive results of errors in databases

Ease with which personal information leaks out

Consumers need protection from their own lack of knowledge, judgment, or interest

Uses of personal information

Secondary Use Using information for a purpose other than the one for which it was obtained. A few

examples: Sale (or trade) of consumer information to other businesses. Credit check by a prospective employer. Government agency use of consumer database.

Privacy Policies

Have you seen opt-in and opt-out choices? Where? How were they worded?

Were any of them deceptive?

What are some common elements of privacy policies you have read?

Self Regulation

What are the roles of formal laws vs. free operation of the market?

Supporters of self-regulation stress the private sector’s ability to identify and resolve problems.

Critics argue that incentives for self-regulation are insufficiently compelling and true deterrence will not be achieved.

Analytics with global data

Privacy Regulations in the European Union (EU): Privacy is a fundamental right Data Protection Directive

In Europe, there are strict rules about what companies can and can't do in terms of collecting, using, disclosing and storing personal information.

Governments are pushing to make the regulations even stronger.

EU Privacy Laws Personal information cannot be collected without consumers’ permission, and

they have the right to review the data and correct inaccuracies.

Companies that process data must register their activities with the government.

Employers cannot read workers’ private e-mail.

Personal information cannot be shared by companies or across borders without express permission from the data subject. 

Checkout clerks cannot ask for shoppers’ phone numbers. 

Data Security

Data Security

Stolen and Lost Data Hackers Physical theft (laptops, thumb-drives, etc.) Requesting information under false pretenses Bribery of employees who have access

Have you heard of Thumbsucking??

Furious Constituents Negative Publicity Tarnished Reputation Public Embarrassment Investigations Lawsuits, Fines and Penalties Financial Losses Waste of Valuable Resources

Implications for companies

Examples

Availability

Data needs to be available at all necessary times Data needs to be available to only the appropriate users Need to be able to track who has access to and who has accessed what

data

Authenticity

Need to ensure that the data has been edited by an authorized source Need to confirm that users accessing the system are who they say they

are Need to verify that all report requests are from authorized users Need to verify that any outbound data is going to the expected receiver

Integrity

Need to verify that any external data has the correct formatting and other metadata

Need to verify that all input data is accurate and verifiable Need to ensure that data is following the correct work flow rules for your

institution/corporation Need to be able to report on all data changes and who authored them to

ensure compliance with corporate rules and privacy laws.

Confidentiality

Need to ensure that confidential data is only available to correct people Need to ensure that entire database is security from external and

internal system breaches Need to provide for reporting on who has accessed what data and what

they have done with it Mission critical and Legal sensitive data must be highly security at the

potential risk of lost business and litigation

Implement Technological Solutions Adopt “Soft” IT Security Approaches Change the Corporate Culture

Can you think examples of these practices at Temple or elsewhere

Approaches to Data Security

Next steps

Inclass Exercises