Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001 Designed to Last: Building a Modern...

Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001

Designed to Last: Building a Modern Privacy ArchitectureNovember 1, 2001

Presented to: The Human Face of Privacy

Presented by: Stephanie Perrin, CPOZero-Knowledge Systems


My Talk Todayo Zero Knowledge Systems and our experience of Building in Privacy

• Freedom• Private Credentials• Enterprise Privacy Management

o Privacy Architecture• The CSA standard and the Canadian Experience• The ISO initiative• CEN/ISS• PETs

o Constituencies• Legal• Standards• Technology• Security• The CPO

o The Future


About Zero-Knowledge Systems

Founded: 1997

Offices: Montreal and San Francisco

Awards: PC Magazine 5/5 rating for Freedom®, PC World Internet Newcomer of the Year (2000), Yahoo! “Rolls Royce of Privacy Software”

Product Evolution: Tools for Consumers Consulting Businesses Tools for Enterprise = EPM

Zero-Knowledge Systems equips Global 2000 organizations with the software and expertise to manage the privacy and security of

customer, employee and corporate information assets in support of critical business initiatives.


Zero-Knowledge Product Lines

For Enterprise:

Enterprise Privacy Manager (EPM) product & services

Software and services for the private and secure management of customer and employee information within the enterprise

Enables businesses to define, implement and manage corporate privacy policies, building customer confidence, improving operational efficiencies and facilitating regulatory compliance.

For Consumers:

Award winning consumer software

Powerful personal firewall and flexible suite of applications enables consumers to secure against hackers and security threats, while protecting their personal information online

All information contained within is CONFIDENTIAL AND PROPRIETARY INFORMATION - © Zero Knowledge Systems Inc, <add month here>, 2000, Montreal, Canada. All rights reserved.

Stephanie Perrin, Chief Privacy OfficerZero-Knowledge Systems


What was Freedom Premium Services?

o Software solution that enables Internet users to:

• Regain control of their privacy

• Create their own identity

• Decide what they want to reveal to whom

• Protect themselves from being monitored and

profiled

o Freedom provides total Internet privacy for:

• www Surfing

• Email

• Internet Chat (IRC)

• Newsgroup posting

• Telnet

Nyms +

Encryption +

Network =

Total Internet

Privacy


Privacy in the enterprise

LegalIssuesLegalIssues

BusinessIssues

BusinessIssues

TechnologyIssues

TechnologyIssues

Business Challenges• Unlocking the business value of the data• Keeping promises of privacy to consumers• Collaborating successfully with legal and IT

Legal Challenges• Respecting the business issues• Grasping the data issues• Complying with complex regulations

and jurisdictions

CPO

Technical Challenges• Systems weren’t built for privacy• Lack of effective data management

tools

A collaborative, multi-disciplinary issue


Constituencies

o Legalo Policyo Government Relationso Marketingo Public relationso Consumero Civil Societyo Technologyo Standardso Securityo Law enforcemento Intelligence

WHO ARE YOU?


The Differences Between SecurityThe Differences Between Security & & PrivacyPrivacy

Protecting assets, including information

Controlling behaviour of individuals

Managing risk

Providing accountability

National Security needs

Information self-determination

The right to be let alone

Data minimization

Fundamental human rights

Public relations and Consumer Protection

SecuritySecurity PrivacyPrivacy


Some Differences Between Data Protection Some Differences Between Data Protection & & PrivacyPrivacy

traffic data, patterns, urls

information filled into forms

IP address

geographical data

Control of my own machine

Access by authorities

Fantasia: the new software

Extrapolation and human rights: discrimination, redlining

Personal InformationPersonal Information PrivacyPrivacy


Standards Activities

o The Canadian Standard, CSA Q 830o The ISO initiative for a management standardo CEN/ISS

• Set of best practices• No management standard• Audit practices• Criteria for PETS• Criteria for seals• Contract clauses• Ongoing technology brief• Consumer education


PETS and PETS: Standardization

How do we define a PET? Is it useful to distinguish between enhancing and enabling technologies?

What standardization activity would be useful? Do the Common Criteria Standards assist or add cost and confusion? Can we get some core criteria agreed?

Is each technology to be treated separately? Should the focus be on the potential for amending privacy

threatening technologies, such as face recognition, biometrics, authentication standards?

Who is watching all this? Can we all cooperate and share information?

www.cenorme.be/isss/Projects/DataProtection/IPSE


? $ ?


Who will have a Budget for privacy?

o Legalo Policyo Government Relationso Marketingo Public relationso Consumero Civil Societyo Technologyo Standardso Securityo Law enforcemento Intelligence

WHO IS THE CPO?


WHO is the CPO?

o Responsible for privacy complianceo Responsible for protection from litigation and liabilityo Coordinates between legal, IT, security, HR, PR,

marketing, government relations, etc.o Reports to the executive team on an issue that is

consistently top of consumer priorities, and has a direct impact on shareholder value

o Associations:• ACPO (international association of privacy officers, US)• Canadian CPO association• European privacy officers network (EPON)


Corporate Privacy Lifecycle

LawIndustryStandards

CustomerExpectations

BusinessRequirements

Audit Logs

Reporting

Training & Education

Rules & Procedures

Technology,Architecture & Planning

Data SourcesApplications

Reporting

Roles

Reporting

Modeling & Analysis

PolicyDevelop’t

PolicyDevelop’t

Practice/Enforcement


DataHandlingAssess’t


Compliance/Risk

Assess’t

Compliance/Risk

Assess’t

OngoingMonitoring &

Mgmt.

OngoingMonitoring &

Mgmt.


Need for privacy management tools

Managing privacy introduces additional complexity into everyday operations:

o Audits and compliance issueso Resource commitment: human resources, time,

moneyo Potential bottleneck to acting quickly on opportunitieso Collaboration across divisions, departmentso Employee Training


About Enterprise Privacy Manager

o Client-server application that allows an organization to model its data-handling rules and practices, and then analyze the gaps between current and future policy, practice, and regulation.

Server• Centralized data discovery• Collaboration server

Client• Policy creation• Activity modeling• “What-if” analysis• Reports


EPM analyses

o Policy-oriented• “Show me all the data that’s covered by this specific policy

statement.”o Data-oriented

• “Show me every policy which applies to this data field.”o Purpose-oriented

• “If I wanted to up-sell additional services, whichdata is okay to use?”

o Role-oriented• “Which data is okay to share with affiliates?

Which isn’t?”o Action-oriented

• “Can we produce a report which shows every group that collects data on one page and everyone who shares data with outside parties on another?”

Examining rules and practices from every angle


EPM

Regulatory compliance and risk management

Effective use of information assets

Building brand, consumer trust

PolicyDevelop’t

PolicyDevelop’t





Compliance/Risk

Assess’t

Compliance/Risk

Assess’t

OngoingMonitoring &

Mgmt.

OngoingMonitoring &

Mgmt.

EPMEPM

Efficient collaboration across the company

Creating digital policy is important at every stage


The Value of EPM

o Reduces cost of compliance o Improves operational efficiencies

• Save time, money; training tools

o Improves use of customer and employee informationo Simplifies audit needs

• Easy-to-use, accessible analytical tools

o Enables rapid response to opportunity analysis • Reduce bottlenecks in change management with “what-if”

analysis capability

o Decreases risk of brand damage or PR exposure• Timely, detailed reports on data handling

o Safeguards customer and employee trust


Privacy by Design Conference

o Extensive information on privacy and security technologies, products, legal, and business issues

o Comprehensive, technology-based solutions and strategies for managing privacy and customer information

Sponsors Select Speakers

• Axciom• Oracle • HP• IBM • Earthlink • Equifax • Sun

• Nokia • Tivoli• Bell Canada• Daimler

Chrysler • Lufthansa• DoubleClick

Join us December 3-5th 2001, in Montreal

Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001 Designed to Last: Building a Modern...

Documents

Transcript of Proprietary & Confidential © Zero-Knowledge Systems Inc., 2001 Designed to Last: Building a Modern...