Data Privacy and SecurityProf Sunil Wattal

Consumer Analytics

Analytics with consumer data to derive meaningful insights on actions and behaviors of consumers

Generally with the intention to offer products and services in a targeted manner.

What could be wrong with that:

Target

Doubleclick

Facebook Beacon

The dark side of data analytics

List instances of information about you being collected and stored

Invisible Information Gathering

Examples:

800- or 900-number calls.

Loyalty cards.

Web-tracking data; cookies.

Warranty cards.

Purchasing records.

Membership lists.

Web activity.

Change-of-address forms.

GPS

Cell Phones

Smart Phones

Using Consumer Information

Data Mining & Targeted Marketing

Trading/buying customer lists.

Telemarketing.

Data Mining.

Mass-marketing.

Web ads.

Spam (unsolicited e-mail).

Credit Records

Privacy

What is privacy?

Freedom from intrusion (being left alone)

Control of information about oneself

Freedom from surveillance (being tracked, followed, watched)

Why are some things free?

If a service does not charge you money, then you are paying in other ways

Marketing and Advertising

Privacy

Facebook has 1 Billion monthly active users

Revenues for Q2’12: $1.18 Billion, 84% from ads

Linkedin Marketing Solutions: $63.1 Million

Twitter uses Promoted Tweets based on you

Consumer Protection Costly and disruptive results of errors in databases

Ease with which personal information leaks out

Consumers need protection from their own lack of knowledge, judgment, or interest

Uses of personal information

Secondary Use Using information for a purpose other than the one for which it was obtained. A few

examples: Sale (or trade) of consumer information to other businesses. Credit check by a prospective employer. Government agency use of consumer database.

Privacy Policies

Have you seen opt-in and opt-out choices? Where? How were they worded?

Were any of them deceptive?

What are some common elements of privacy policies you have read?

Self Regulation

What are the roles of formal laws vs. free operation of the market?

Supporters of self-regulation stress the private sector’s ability to identify and resolve problems.

Critics argue that incentives for self-regulation are insufficiently compelling and true deterrence will not be achieved.

Analytics with global data

Privacy Regulations in the European Union (EU):

Privacy is a fundamental right

Data Protection Directive

In Europe, there are strict rules about what companies can and can't do in terms of collecting, using, disclosing and storing personal information.

Governments are pushing to make the regulations even stronger.

EU Privacy Laws

Personal information cannot be collected without consumers’ permission, and they have the right to review the data and correct inaccuracies.

Companies that process data must register their activities with the government.

Employers cannot read workers’ private e-mail.

Personal information cannot be shared by companies or across borders without express permission from the data subject. 

Checkout clerks cannot ask for shoppers’ phone numbers. 

Data Security

Data Security

Stolen and Lost Data

Hackers

Physical theft (laptops, thumb-drives, etc.)

Requesting information under false pretenses

Bribery of employees who have access

Have you heard of Thumbsucking??

Furious Constituents Negative Publicity Tarnished Reputation Public Embarrassment Investigations Lawsuits, Fines and Penalties Financial Losses Waste of Valuable Resources

Implications for companies

Examples

Availability

Data needs to be available at all necessary times

Data needs to be available to only the appropriate users

Need to be able to track who has access to and who has accessed what data

Authenticity

Need to ensure that the data has been edited by an authorized source

Need to confirm that users accessing the system are who they say they are

Need to verify that all report requests are from authorized users

Need to verify that any outbound data is going to the expected receiver

Integrity

Need to verify that any external data has the correct formatting and other metadata

Need to verify that all input data is accurate and verifiable

Need to ensure that data is following the correct work flow rules for your institution/corporation

Need to be able to report on all data changes and who authored them to ensure compliance with corporate rules and privacy laws.

Confidentiality

Need to ensure that confidential data is only available to correct people

Need to ensure that entire database is security from external and internal system breaches

Need to provide for reporting on who has accessed what data and what they have done with it

Mission critical and Legal sensitive data must be highly security at the potential risk of lost business and litigation

Implement Technological Solutions

Adopt “Soft” IT Security Approaches

Change the Corporate Culture

Can you think examples of these practices at Temple or elsewhere

Approaches to Data Security

Next steps

Inclass Exercises