Page 1

Protecting Customers’ Privacy Through Consistent Development Practices

Peter Cullen

As consumers increasingly rely on the Internet for shopping, banking, e-government and other activities, privacy has become both a major public concern and a barrier to the growth of Internet services and online commerce. Widely publicized data breaches, alarming statistics about privacy incidents and fear of identity theft all threaten to erode trust in the Internet. In fact, RSA Security’s 2006 Internet Confidence Index found that nearly half of U.S. consumers have “little or no confidence” that organizations are taking sufficient steps to protect their personal data. At the same time, consumers are more frustrated with software and Web sites that do not clearly communicate the potential impact to their privacy, or do not consistently offer them controls over how their personal information is used.

The software industry can help address these issues by establishing a high bar for respecting customer privacy. However, there are currently no industry-wide prac-

Secure Webmail 101: Communicating Securely with the Consumer Base

Steve Duncan

Ever since the noteworthy ChoicePoint data breach of 163,000 consumer account profiles last year, public concern for personal information privacy has been steadily growing. Companies have been scrambling to protect their online systems from hacking, and deploying laptop security solutions to help prevent a data breach in the event of device theft. Much attention has been paid to protecting consumers through stronger authentication and data security, but what about via email?

As we continue to learn about new breach incidents in the media, unauthorized access to customer information, intellectual property or other valuable information can potentially damage an organization’s brand. Possible leakage via email should not be overlooked.

What is an Email Breach?

An email breach can be defined as the unauthorized disclosure of information via email that compromises the security, confidentiality, or integrity of personally identifiable information such as name and address, Social Security number, date of birth, health care information, bank account information, credit card number, etc. Various privacy laws and industry guidelines such as HIPAA, CA-SB 1386 and the PCI Data Security Standard all contain requirements for protecting against such a breach.

How Can an Email Breach Occur?

When you think about what might constitute an email breach, what’s the

See Secure Webmail 101, page 3

November 2006 • Volume 6 • Number 11

Editor: Kirk J. Nahra

This Month

Secure Webmail 101: Communicating Securely with the Consumer Base

Steve Duncan

See Privacy Through Consistency, page 5


J. Trevor Hughes on the IAPP Privacy Academy 2006 ...................Page 2

IAPP Academy Coverage........................ Page 7

The Chapell View .................................... Page 12

Networking Central: IAPP Networking: Does it Really Work? .............................. Page 13

IAPP in the News ................................... Page 14

Interview with Author Don Tapscott ..... Page 16

Privacy News ......................................... Page 17

Privacy Classifieds ................................ Page 17

Calendar of Events ................................ Page 20

Page 2

Notes from the Executive Director

The pace of the IAPP’s privacy events and the enormously successful Academy conference in Toronto last month are indicative of the demand in the marketplace for privacy pros and the IAPP’s role as the leading professional organization for our growing global ranks. The IAPP Privacy Academy 2006, our first conference outside the U.S., served as the backdrop for the launch of our new CIPP/C program for Canadian privacy pros. The Toronto conference, which attracted 750 attendees, was our most successful Academy in our 5-year history.

The Academy also gave us an opportunity to recognize some of this past year’s privacy leaders during a memorable member reception held at the Hockey Hall of Fame. Open exclusively for Academy attendees, the Hockey Hall of Fame exuded an aura of greatness and stellar achievement, serving as the perfect setting to recognize the high achievers in our own profession.

I would like to thank Deloitte for sponsoring the IAPP/Deloitte & Touche Vanguard Award, which recognizes the privacy professional of the year. This year’s award was given to a dedicated privacy leader, Chris Zoladz of Marriott, a member of the IAPP Board of Directors who also is the past president. I want to extend my personal congratulations to Chris, who is more than deserving of this recognition for his ongoing contributions to our profession.

Also delivered during a lively presentation in the NHL Legends hall were the IAPP Innovation Awards, given annually to recognize privacy leadership in the public, private and technology sectors. I also would like to recognize the four companies that won this year’s award: Royal Philips Electronics and General Electric Corp., which tied in the Large Organization category; ATB Financial, which won in the Small Organization category; and Voltage IBE, which won the second annual Technology award.

No sooner were the Toronto boxes unpacked when it was time to crank on the remainder of our whirlwind of fall activity. Most notably, we proudly hosted The IAPP Privacy Dinner in Washington, D.C., which gathered Federal Trade Commission Chairman Deborah Platt Majoras, top CPOs, regulators, attorneys and consultants. The first-ever privacy dinner provided a rare opportunity to network and share a meal with leading members of the privacy community. Held Nov. 6 at The Willard Hotel, the event was a notable complement to the Federal Trade Commission’s Tech-ade hearings.

All the while, we already are deep into the planning stages for the IAPP Privacy Summit 07 in Washington, D.C. The IAPP also will soon announce an exciting initiative to help in our commitment to provide the most relevant and best educational opportunities to our members. I am proud to announce that we will soon unveil the membership of our new Education Advisory Board, which will assist us in developing strong programming for the profession in the months and years ahead.

Thank you for the contributions you make that propel the success of our profession. We will continue to help you thrive in your career as we look to you to fulfill your duty to serve the profession through the IAPP.

J. Trevor Hughes, CIPP
Executive Director, IAPP

THE PRIVACY ADVISOR

Editor
Kirk J. Nahra, CIPP
Wiley Rein & Fielding, LLP
[email protected]
+202.719.7335

Managing Editor
Ann E. Donlan, CIPP
[email protected]
+207.351.1500 X109

Publications Director
Jackie [email protected]
+207.351.1500

The Privacy Advisor (ISSN: 1532-1509) is published monthly by the International Association of Privacy Professionals and distributed only to IAPP members.

ADVISORY BOARD

Elise Berkower, CIPP, Executive Vice President of Privacy Strategy, Chapell & Associates

Keith P. Enright, Director, Customer Information Management, Limited Brands, Inc.

Philip L. Gordon, Shareholder, Littler Mendelson, P.C.

Brian Hengesbaugh, Partner, Privacy/Information Technology/E-Commerce, Baker & McKenzie LLP

Todd A. Hood, CIPP, Director, Regional Privacy, The Americas, Pitney Bowes Inc.

Ben Isaacson, CIPP, Privacy & Compliance Leader, Experian & CheetahMail

Jacqueline Klosek, CIPP, Senior Associate in the Business Law Department and member of Intellectual Property Group, Goodwin Procter LLP

Lydia E. Payne-Johnson, CIPP, LPJohnson Consulting, LLC

Billy J. Spears, CIPP/G, Senior Manager of Privacy and Information Protection, Dell, Inc.

Harry A. Valetk, CIPP, Director, Privacy Online, Entertainment Software Rating Board

To Join the IAPP, call: +800.266.6501

Advertising and Sales, call: +800.266.6501

Postmaster: Send address changes to: IAPP, 266 York Street, York, ME 03909

Subscription Price: The Privacy Advisor is a benefit of membership to the IAPP. Nonmember subscriptions are available at $199 per year.

Requests to Reprint: Ann E. [email protected], +207.351.1500 X109

Copyright 2006 by the International Association of Privacy Professionals. All rights reserved. Facsimile reproduction, including photocopy or xerographic reproduction, is strictly

Page 3

Secure Webmail 101 (continued from page 1)

first thing that comes to mind? If you’re like most people, you might think about an employee accidentally sending out an email containing sensitive information about its customers or employees — and in the blink of an eye — the company is faced with an unwanted disclosure affecting thousands of people. Or you might think about an employee hitting reply-all to a particular message instead of reply, and thereby exposing sensitive information to a much wider audience than intended or permitted by the corporate policy. You might ask, just how frequent are email errors made by an organization’s own staff?

Frequent enough. According to The New York Sun (Oct. 11, 2006), just last month, a political staff member accidentally addressed an email containing a list of some of the party’s top donors, along with their Social Security numbers, dates of birth, and race. As a result, it found its way into a Gmail Web-based email account and the media had a frenzy over why such information was being sent unprotected within email. As referenced by the Privacy Rights Clearinghouse (www.privacyrights.org), in July, the personal information of more than 8,000 of New York City’s homeless was leaked accidentally in an email. In April, the University of South Carolina reported that the Social Security numbers of as many as 1,400 students were mistakenly emailed to classmates when an employee attached a database file to an email. And, back in February, Blue Cross, Blue Shield of Florida experienced a breach when one of its contractors emailed names and Social Security numbers of approximately 27,000 current and former employees, vendors and contractors to his home computer, violating a company policy — just six months after the company experienced a similar disclosure via direct mail.

The Many Faces of Email Breach

When it comes to communicating electronically with consumers, there are many ways for a breach to occur. User error, as in the employee misuse cases described above, is not the only source of worry.

Combating Phishing Emails

Phishing is one of the most common ways in which hackers attempt to gain unauthorized access to online banking or other types of user accounts. The hacker sends a consumer a fake, ‘spoofed’ email that appears to be coming from the service provider (such as a bank), asking for the input of personal account information. The unassuming consumer may not realize the email has not actually been sent from his or her bank. In this case, it’s not the user who provides the threat of breach, but rather, the hacker. The bank needs a mutual way of sending a secured email to the consumer to convince him or her of the bank’s integrity, as well as a way for the consumer to securely reply back to the bank. But how can the bank do this when it doesn’t know what kind of email application the user has installed on his or her home PC, or whether the application will be able to accept encrypted emails? The bank certainly doesn’t want to have to train the user to install and manage a personal digital certificate to decrypt, read and reply to emails from the bank. Though this method of “one-off” email encryption has been around for a long time, it has really only been adopted by the most technical email users, such as consultants and those working directly in the IT field.

THE PRIVACY ADVISOR
266 York Street, York, ME 03909
Phone: +800.266.6501 or +207.351.1500
Fax: +207.351.1501
Email: [email protected]

The Privacy Advisor is the official monthly newsletter of the International Association of Privacy Professionals. All active association members automatically receive a subscription to The Privacy Advisor as a membership benefit. For details about joining IAPP, please use the above contact information.

BOARD OF DIRECTORS

President: Kirk M. Herath, CIPP/G, Chief Privacy Officer, Associate General Counsel, Nationwide Insurance Companies, Columbus, Ohio

Vice President: Sandra R. Hughes, CIPP, Global Privacy Executive, Procter & Gamble, Cincinnati, Ohio

Treasurer: Becky Burr, CIPP, Partner, Wilmer Cutler Pickering Hale and Dorr LLP, Washington, D.C.

Secretary: Dale Skivington, CIPP, Chief Privacy Officer, Assistant General Counsel, Eastman Kodak Co., Rochester, N.Y.

Past President: Chris Zoladz, CIPP, Vice President, Information Protection, Marriott International, Bethesda, Md.

Executive Director: J. Trevor Hughes, CIPP, York, Maine

Jonathan D. Avila, Vice President - Counsel, Chief Privacy Officer, The Walt Disney Company, Burbank, Calif.

John Berard, CIPP, Managing Director, Zeno Group, San Francisco, Calif.

Agnes Bundy Scanlan, Esq., CIPP, Counsel, Goodwin Procter LLP, Boston, Mass.

Peter Cullen, CIPP, Chief Privacy Strategist, Microsoft Corp., Redmond, Wash.

Dean Forbes, CIPP, Global Privacy Officer, Schering-Plough Corp., Kenilworth, N.J.

Kimberly Gray, CIPP, Chief Privacy Officer, Highmark, Inc., Pittsburgh, Pa.

Jean-Paul Hepp, CIPP, Corporate Privacy Officer, Pfizer Inc., New York, N.Y.

David Hoffman, CIPP, Group Counsel and Director of Privacy & Security, Intel Corp., Germany

Barbara Lawler, CIPP, Chief Privacy Officer, Intuit, Mountain View, Calif.

Kirk Nahra, CIPP, Partner, Wiley Rein & Fielding LLP, Washington, D.C.

Nuala O’Connor Kelly, CIPP/G, Chief Privacy Leader and Senior Counsel, General Electric Company, Washington, D.C.

Harriet Pearson, CIPP/G, Vice President Corporate Affairs, Chief Privacy Officer, IBM Corporation, Armonk, N.Y.

Jules Polonetsky, CIPP, Chief Privacy Officer, Senior Vice President, Consumer Advocacy, America Online, Inc., Dulles, Va.

Lauren Steinfeld, CIPP, Chief Privacy Officer, University of Pennsylvania, Philadelphia, Pa.

Zoe Strickland, CIPP/G, Vice President, Chief Privacy Officer, Wal-Mart

Amy Yates, CIPP, Chief Privacy Officer, Hewitt Associates, Lincolnshire, Ill.

See Secure Webmail 101, page 4

“Much attention has been paid to protecting consumers through stronger authentication and data security, but what about via email?”

Page 4

Secure Webmail 101 (continued from page 3)

Protecting Against the Unsolicited Sensitive Customer Request

Many retailers offer online shopping services with a proper shopping cart transaction system protected via Secure Sockets Layer (SSL) security, so credit card data is encrypted as it is submitted by customers for processing. However, what about protecting against consumers voluntarily emailing the customer support team with specific requests pertaining to account details, or worse yet, submitting an order manually and sending credit card data to a consumer in an unprotected email? Consumers likely have encountered several Web sites with an infamous disclaimer posted saying things like the following, “Please do not include any confidential information in your message (such as account numbers or credit card numbers),” or “No messages containing requests about your personal account information will be dealt with via email.” However, experience shows that it’s inevitable that customers will send emails containing this sensitive data. By offering users a secure way to send and receive email communications, organizations will be encouraging customers to do business in the way they feel most comfortable, while putting an automatic measure in place to protect the company’s brand from a potential leakage. Secure email can give customers choice, without compromising their security.

The Value of Protecting Emails for Consumers

Consumers are not restricted to one particular email technology, application, or even Web browser. Not wanting to force users to download and install any specific applications, institutions that need to communicate securely with their consumers are usually limited to direct mail, which is not only costly, but also slow and one-directional. Consumers are demanding real-time service, and enabling electronic communication with them provides the best solution, but at what potential cost to the organization?

Secured email can provide not only peace of mind for privacy protection, but also productivity enhancement, by enabling organizations to move more sensitive and higher value transactions online, as well as enabling electronic delivery of regular communications with customers (such as billing and account statements, insurance claims and application processing documents).

Messages that were previously limited to more traditional methods of communication, because of concerns about information security, can now be moved online with a similar level of assurance of confidentiality as before. However, in order to take advantage of the benefits of online communication with consumers, security and trust are essential.

Consumer Email Security Gaining Momentum

The “lowest common denominator” of online consumer security is SSL-protected Web sites. SSL security is often verified by a site seal placed prominently in view on the service provider’s Web site to let consumers know the site can be trusted for secure transaction processing. Though all providers of credible online services such as banks and retailers have SSL security deployed on their Web sites, not many offer secure email.

But that is changing. Citibank, plagued by the threat of phishing, has risen to the security challenge by offering its registered users an online secure mailbox which they can utilize to communicate with the bank. As part of Citibank’s online security practices described on its Web site (web.da-us.citibank.com), Citibank will notify users by email when there is a message waiting for them in the online inbox, and the email sent can be verified using something they refer to as the “Email Security Zone” containing the user’s first and last name, and the last four digits of their ATM/debit card.

Protecting Email for Your Consumer Base: Secure Webmail to the Rescue

Powered by a gateway or boundary email server placed at the edge of a company’s network, email messages coming from a typical enterprise mail client, such as Microsoft Outlook, can now be encrypted for mass consumer users, without knowing what kind of email application they are using to access their messages. This can be achieved using a boundary email security solution that supports secure Web-enabled mail delivery.

Boundary Email Security

Boundary email security solutions are easier to install and manage since they do not require that client software be installed on user desktops. Senders need not worry about manually choosing to encrypt or not encrypt a message for a particular user, as the server does that for them. When setting up the boundary solution, the company can set policies for encrypting messages automatically before they leave the corporate network, such as “encrypt all messages,” or “encrypt all messages going to a certain type of domain,” or “encrypt all messages coming from a particular set of users.” This automation means an organization doesn’t have to worry about a potential email disclosure of sensitive information because all messages will be encrypted without relying on users to take any specific action.

“The list is long and the possibilities are wide for how Secure Web-enabled mail for consumers can help transform the online world into one of trust as well as one of greater efficiency.”

Page 5

Privacy Through Consistency (continued from page 1)

tices to help standardize the user experience for privacy-oriented software features, or to address privacy issues and concerns in the software development process. To help establish a starting point for these efforts and open an industry dialogue about privacy guidelines for development, Microsoft has released an extensive set of public privacy guidelines for developing software products, Web sites and services. These guidelines draw from the company’s experience incorporating privacy into its development processes and address customers’ expectations about privacy as well as privacy legislation in effect worldwide. For example, they reflect the core concepts of the Organization for Economic Cooperation and Development (OECD)’s Fair Information Practices and privacy laws such as the European Union Data Protection Directive, the Children’s Online Privacy Protection Act of 1998 (COPPA), and the Computer Fraud and Abuse Act.

The Privacy Guidelines for Developing Software Products and Services can be found in the “Related Links” section of www.microsoft.com/privacy.

Privacy concerns are easy to understand in principle, but challenging to address in practice, particularly in the development of software. Similar guidelines have helped Microsoft’s developers to better understand and address privacy issues. Our hope is that releasing a public version of the guidelines can promote an ongoing industry dialogue on protecting privacy through consistent development practices.

The public Privacy Guidelines for Developing Software Products and Services are based on the internal privacy practices incorporated in the Microsoft Security Development Lifecycle (SDL), a process that helps ensure that the company’s products and services are built from the ground up with security and privacy in mind. The SDL implements a rigorous process of


Secure Web-enabled systems use SSL-based protocols in the delivery of secured messages. There are two primary models for secure Web mail message delivery — pull and push. Within pull models, a notification message, along with a URL, is sent to the recipient to pull the user back to a Web portal where a secure inbox is displayed. The recipient can then view the secured message using a common browser authenticated via an SSL session. According to Gartner, “Secure email solutions using a ‘pull’ approach are best for business-to-consumer (B2C) communications.” (Gartner, “Differentiators of Leading Secure E-Mail Architectures”, Eric Ouellet, Feb. 28, 2006) Within push models, a secured message is delivered to a recipient, pushed as an attachment along with executable code, for users to decrypt and display the message directly in their Web browsers. Decryption keys for the push methodology are managed by the sending organization and delivered to recipients through an authenticated SSL connection.

A good boundary email solution is one that enables flexibility in the delivery of encrypted messages. It will do the heavy lifting for the sender, by determining which delivery format is required for each particular recipient, based on their domain, and deliver it accordingly — in other words, users of Web-based email services such as Hotmail and Yahoo! will be pushed or pulled to access secure messages via the Web-enabled delivery method, while users with mail clients that support traditional encrypted email formats such as S/MIME or PGP will be able to read and reply to the messages within their existing mail clients. This integration with pre-existing email security systems such as those driven by Public Key Infrastructure solutions, and transparency to users, are both critical factors for a successful secure email deployment.
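The two gateway decisions described above (the encryption policies from the "Boundary Email Security" section and the per-recipient delivery-format choice in the paragraph just read), as an added example; this is not code from the article, from Entrust, or from any product. Everything in it is constructed: the domain lists, the portal URL, the rule names and the sample message are assumptions used to show the mechanics. The pull-model notification deliberately carries no message content, only a one-time link to a portal that still authenticates the recipient.

```python
"""Boundary-gateway policy engine (constructed example; not the article's,
Entrust's or any product's code). Models the two decisions the article gives
to a boundary email server: whether an outbound message must be encrypted,
and which delivery format suits each recipient's domain."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List
import secrets


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str


# Hypothetical domain classes a gateway administrator would maintain.
WEBMAIL_DOMAINS = {"hotmail.com", "yahoo.com"}        # browser-only users: pull model
SMIME_DOMAINS = {"partnerbank.example"}                # recipients with a known X.509 cert
PGP_DOMAINS = {"auditfirm.example"}                    # recipients with a known PGP key
PORTAL_URL = "https://securemail.insurer.example/inbox"   # hypothetical pull portal

Rule = Callable[[Message, str], bool]   # (message, one recipient) -> encrypt?


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


# The three policy shapes quoted in the article, as rule constructors.
def encrypt_all() -> Rule:
    return lambda msg, rcpt: True


def encrypt_to_domains(domains: Iterable[str]) -> Rule:
    wanted = {d.lower() for d in domains}
    return lambda msg, rcpt: domain_of(rcpt) in wanted


def encrypt_from_users(users: Iterable[str]) -> Rule:
    senders = {u.lower() for u in users}
    return lambda msg, rcpt: msg.sender.lower() in senders


def must_encrypt(msg: Message, rcpt: str, rules: List[Rule]) -> bool:
    """Any matching rule forces encryption; the sender never has to choose."""
    return any(rule(msg, rcpt) for rule in rules)


def delivery_format(rcpt: str) -> str:
    """Use the recipient's existing encrypted-mail client when the gateway knows
    of one; otherwise fall back to Web-enabled delivery (pull for webmail
    domains, push for everyone else)."""
    d = domain_of(rcpt)
    if d in SMIME_DOMAINS:
        return "smime"
    if d in PGP_DOMAINS:
        return "pgp"
    if d in WEBMAIL_DOMAINS:
        return "web-pull"
    return "web-push"


def route(msg: Message, rules: List[Rule]) -> Dict[str, str]:
    """Map each recipient to 'plain' or to the encrypted delivery format to use."""
    return {r: (delivery_format(r) if must_encrypt(msg, r, rules) else "plain")
            for r in msg.recipients}


def pull_notification(rcpt: str) -> Dict[str, str]:
    """Pull model: the recipient gets a notice and a one-time link only. The
    message body stays on the portal behind SSL, and the portal still
    authenticates the recipient before showing the inbox; the token merely
    identifies which message to open."""
    token = secrets.token_urlsafe(24)
    return {
        "to": rcpt,
        "subject": "You have a new secure message",
        "body": ("A secure message is waiting for you. Sign in at "
                 f"{PORTAL_URL}?msg={token} to read and reply."),
        "token": token,   # recorded by the portal; nothing sensitive is in the notice
    }


if __name__ == "__main__":
    # Constructed sample: a claims department mail-out with mixed recipients.
    msg = Message("claims@insurer.example",
                  ["alice@hotmail.com", "bob@partnerbank.example",
                   "carol@auditfirm.example", "dave@othercorp.example"],
                  "Your claim")
    policy = [encrypt_to_domains(WEBMAIL_DOMAINS | SMIME_DOMAINS | PGP_DOMAINS)]
    for rcpt, fmt in route(msg, policy).items():
        print(rcpt, "->", fmt)
    print(pull_notification("alice@hotmail.com")["body"])
```

Run as a script it routes a constructed four-recipient mail-out under a domain-based policy and prints one pull notification. Because `route()` returns the decision per recipient rather than acting on it, the same function can feed an audit log, which is what lets an organization show afterwards that no message left in the clear against policy.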

Who Can Benefit From Secure Web Mail?

Banks. Insurance companies. Healthcare providers. Utilities such as gas, electric and water service providers. Telephone and cable companies. ISPs. The list is long and the possibilities are wide for how Secure Web-enabled mail for consumers can help transform the online world into one of trust as well as one of greater efficiency.

Sealing the Electronic Envelope: Things to Consider

So, if a company could benefit from communicating securely with its consumer base, boundary email security could be the answer. However, it’s important to keep the following in mind. Email security has to be three things for users (and consumers, in particular) to adopt: easy to use, confidence-inspiring and rewarding. It should not require a user to make any more effort to send a secured email than is required to send a regular email, and the communication method itself should reassure the customer that the system is secure and can be trusted to protect his or her personal identity. Lastly, the process of sending and receiving secure emails with the service provider should offer the consumer some value or reward for doing so, be it time or cost savings from doing things online that the user would not have otherwise been able to do, such as file and submit an insurance claim or request changes to their monthly mortgage payments. Secure Web mail can open the door to a stronger customer relationship, and help close the door to fraud.

Steve Duncan is a Senior Product Manager with Entrust. With more than 20 years of experience in technology marketing and sales, Duncan is responsible for driving the Information Protection Security Solutions portfolio at Entrust. He and his team are focused on creating a well integrated portfolio of solutions designed to protect customers’ intellectual property and sensitive information. Duncan can be reached at +613.270.3406 or by email at [email protected].

See Privacy Through Consistency, page 6

Page 6

Privacy Through Consistency (continued from page 5)

secure design, coding, testing, review and response for all Microsoft products deployed in an enterprise, that are routinely used to handle sensitive or personal information, or that regularly communicate via the Internet.

The guidelines cover a wide range of topics, including:

• Definitions of different types of customer data, including personally identifiable information (PII) such as the user’s name and email address, sensitive PII such as credit card or Social Security numbers, and anonymous or pseudonymous data.

• Guidelines and sample mechanisms for notifying users that their personal data may be collected, and offering them ways to consent (or not) to the collection of this data.

• Guidelines for making disclosures to the users about how their personal information may be used.

• Reasonable steps to protect PII from loss, misuse or unauthorized access, including access controls, encryption, physical security, disaster recovery and auditing.

• Control mechanisms for users to express their privacy preferences, taking into account the needs of system administrators, as well as special guidelines for shared computers.

• Strategies to prevent data leakage by minimizing the amount of personal information that needs to be collected.

To set the proper foundation, the first half of the guidelines is devoted to general concepts and definitions. The second half lays out specific rules for common scenarios that can affect a customer’s privacy, such as transferring PII to and from the customer’s system, installing and updating software on the customer’s system, storing and processing customer data over the Internet, and transferring customer data to third parties. The guidelines also provide additional requirements for deploying Web sites, for software targeted or attractive to children, and for server products within an enterprise (including measures to help system administrators protect the privacy of their end users).

One example scenario covers the development and policy guidelines for deploying a public Web site. According to the guidelines, the site must provide a link to a company-approved privacy statement on every page, regardless of whether PII is collected on that page. The link should not be smaller than other links on the page, such as legal notices, and it should be in a consistent location, such as the page footer. This rule also applies to pop-up windows that collect PII. For lengthy or complex privacy statements, the site should adopt a “layered notice” format, which includes a single-page summary of the statement that provides links to more detail. Additionally, the privacy statement should be compliant with the Platform for Privacy Preferences (P3P) standards for machine-readable statements, and, if appropriate, certified by an independent organization such as TRUSTe.

The site also should avoid the unnecessary use of persistent cookies when a session cookie, which is retained only for the duration of the browser session, would be adequate. When using persistent cookies that store PII, the site should get explicit opt-in consent from the user and store the PII in an encrypted form.

If a site collects any form of PII from the user, it must adhere to specific guidelines for notice and consent, security and data integrity, and customer access and control. If it stores persistent data on the customer’s system, in cookies or any other form, it must adhere to a number of additional guidelines, including appropriate user notice and consent for storing PII, using encryption where relevant and other methods that help secure data in storage such as file permissions, as well as a consistent means to give users the opportunity to view and delete their PII, or prevent it from being stored at all.

Finally, if the site is directed at children, it should adhere to even stricter guidelines across the board, to empower parents to supervise and control their children’s browsing experience as well as comply with legislation such as COPPA.

For several years, a number of product groups at Microsoft have been following similar privacy guidelines as part of the SDL. For example, development of the recently released Microsoft Phishing Filter included a number of key design decisions to help reduce the impact on our customers’ privacy, including not storing IP addresses with the other data collected by the Phishing Filter (Web site addresses to be checked) to avoid potential correlation. Other decisions included having the Phishing Filter only send the domain and path of the Web sites to Microsoft (removing search terms) and sending the Web site addresses to Microsoft via SSL. We invited Jefferson Wells, an independent third-party auditor, to run two separate audits on the technology, which validated and confirmed our claims regarding how we handle customer data with the service.
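As an added example written for this page, not the Phishing Filter's own code, the Node.js code below applies the three decisions just described to a site-check request: the client keeps only scheme, host and path of the address (dropping credentials, port, query string and fragment, which is where search terms would travel), refuses to submit to anything but an HTTPS endpoint, and the service side records the checked address without the requester's IP. The endpoint URL, the request shape, the sample addresses and the client IP are constructed for the example.

```javascript
// Added example: not the Phishing Filter's code. The endpoint, the request
// shape and the sample addresses are constructed for illustration.
const LOOKUP_ENDPOINT = 'https://lookup.example.invalid/check'; // placeholder

// Client side: reduce a visited address to scheme + host + path before it
// is submitted. Userinfo, port, query string and fragment are dropped, so
// search terms and other per-visit parameters never leave the browser.
function minimizeUrlForLookup(rawUrl) {
  const u = new URL(rawUrl); // throws on malformed input
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`not submitting non-web URL scheme ${u.protocol}`);
  }
  return `${u.protocol}//${u.hostname}${u.pathname}`;
}

// Client side: build the outbound request; the transport must be TLS.
function prepareLookupRequest(rawUrl, endpoint = LOOKUP_ENDPOINT) {
  if (!endpoint.startsWith('https://')) {
    throw new Error('lookup endpoint must be reached over TLS');
  }
  return { endpoint, body: { url: minimizeUrlForLookup(rawUrl) } };
}

// Service side: the connection metadata (client IP) is available to the
// handler for the transport, but it is never copied into the stored record,
// so stored addresses cannot be correlated back to who looked them up.
function recordLookup(store, body, connection) {
  if (typeof body.url !== 'string') throw new Error('missing url');
  const entry = { url: body.url }; // deliberately no connection.clientIp
  store.push(entry);
  return entry;
}

// Usage with constructed sample input
function demo() {
  const store = [];
  const req = prepareLookupRequest(
    'https://user:pass@bank.example:8443/login?q=account+number#top');
  const conn = { clientIp: '203.0.113.7' }; // constructed, documentation range
  recordLookup(store, req.body, conn);
  return { sent: req.body.url, stored: store };
}

console.log(JSON.stringify(demo()));
```

Running `demo()` sends `https://bank.example/login` and stores only that string; the credentials, port, query string and the client IP never reach the record, which is exactly the correlation the text says the design set out to avoid.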

Similarly, when customers run the current version of Windows Media Player for the first time, their privacy experience directly reflects our internal

See Privacy Through Consistency, page 20

“No single company has all the answers when it comes to privacy. Addressing these issues requires broad collaboration among software developers, governments and industry organizations.”


Ann E. Donlan

The IAPP Privacy Academy 2006 in Toronto served as the debut for the IAPP’s new certification credential, the CIPP/C, the first professional credential for Canadian privacy professionals, and showcased the IAPP’s commitment to serve its domestic and international members with educational content tailored for Canada’s privacy scheme and laws.

Privacy professionals from across Canada and around the world gathered last month for four days of lively panel discussions, networking forums, working groups and featured keynotes from top policy makers and corporate leaders in the privacy industry.

Canadian privacy officials, including Privacy Commissioner Jennifer Stoddart, raised the profile of the event even more with their keynotes during the IAPP’s three-day event at Toronto’s Westin Harbour Castle, on the scenic shores of Lake Ontario. The Canadian media, including Canada’s cable news channel, CTV NEWSNET, covered the Academy and newsworthy announcements made during the event. Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, held a news conference at the Academy with Microsoft to announce the 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age. In addition, Microsoft released The Privacy Guidelines for Developing Software Products and Services, an extensive set of privacy guidelines for developing software products, Web sites and services, which coincided with an Academy panel on the closing day, “Privacy in Product Development.”

Attendees count on the IAPP to foster effective networking events to help them connect with their peers, research career opportunities and have fun with fellow privacy pros. The Academy offered attendees a selection of networking venues — everything from the small, informal dinner with fellow privacy pros in specific industries to an exclusive reception at Toronto’s venerable Hockey Hall of Fame — even a competition to test the networking prowess of attendees for the title of king or queen of networking. The networking dinners — a new, but popular way of connecting with peers — were a welcome addition to the offerings.

“I thought the sign-up dinners were a phenomenal addition to the overall experience,” remarked one happy participant.

CIPP, CIPP/G, CIPP/C Trainings, Preconference Sessions Kick Off Academy

Before the Academy was in full swing, students participating in the Oct. 17 trainings for CIPP/C, Part I, and CIPP/G training, were intensely preparing for their examinations, scheduled later in the week. Bright and early the next day, CIPP/C training continued for those students taking Part II. A separate class devoted the entire day to training for the CIPP exam.

While students were focused on exam preparations, attendees eager for in-depth training on particular topics, including the ever-popular Privacy Professional Bootcamp, spent the afternoon engrossed in Preconference Sessions. Besides the bootcamp, Preconference Sessions were held on Payment Card Industry (PCI) Data Security Standard — A Workshop; RIM Council: An Introduction to the Responsible Information Management Framework; and Outsourcing and Trans-Border Data Flows: Privacy and Public Policy in Transition.

That evening, the invite-only Speaker Dinner, sponsored by PricewaterhouseCoopers, gave guests and dignitaries the chance to mingle at Downtown Toronto’s Far Niente, where they enjoyed a salmon dinner, featuring a delectable dessert.

The IAPP Hosts More Than 750 Privacy Pros, Speakers in Toronto for First Conference Outside the U.S.


Day One: Opening Plenary, Break-Out Sessions, Chopper in the Exhibit Hall

IAPP Board President Kirk M. Herath, CIPP/G, welcomed more than 750 attendees who jammed the Westin Harbour Castle’s Metro Ballroom for the Opening Session and Keynotes.

Herath was followed by IAPP Executive Director J. Trevor Hughes, an Ontario native and CIPP, who said he was honored that the IAPP was in Toronto to hold its first conference outside the U.S. Hughes added that the enthusiasm in Toronto for the IAPP was evident in the size of the KnowledgeNet chapter — which is the second largest of the IAPP’s more than 20 networking groups.

Hughes revealed for the first time publicly that the IAPP is planning to expand its certification programs by offering credentials in other parts of the world. The success in the marketplace of the IAPP’s certification programs is evident in the sheer number of graduates who have successfully passed the CIPP exam — 1,000 in the two years since the program’s launch.

“We are certainly building a profession,” Hughes told attendees. “And there are many of us doing that building right now,” added Hughes, who noted that the IAPP membership has grown to 2,800 members in 23 countries.

Hughes elaborated on the critical role of today’s privacy professionals. “There is a need for guardians of trust — for guardians of that data,” he said. “I’d like to suggest that we are those guardians, that we are those guardians of the information economy.”

In his concluding remarks, Hughes stressed the role of leadership in serving as guardians of the data. “The risks associated with the information economy create a real need for leaders.”

Canada’s Privacy Commissioner Urges Privacy Pros to ‘Speak Out’

Stoddart, the next Canadian to take the podium, echoed Hughes’ call of duty to privacy professionals.

“Privacy professionals cannot serve as mere technocrats who secure corporate compliance with data protection rules,” Stoddart said. “You are privileged in your understanding of privacy issues. Your profession gives you a unique insight into the operation of data protection rules, and into the risks to privacy that flow from inadequate rules, inadequate policies, inappropriate practices, and information-hungry governments. If you don’t speak out about broader privacy issues that confront our society, who else can have an effective voice?”

Stoddart also addressed some of the privacy challenges Canadians face in the areas of proposed legislation, global efforts to fight terrorism and trans-border issues.

“Canadians do not want personal information about them that is being held in Canada to be vulnerable to disclosure under the laws of any other country,” Stoddart said. “We have designed our own privacy standards for Canada, and those are the rules that must govern the handling of personal information within our borders.”

Stoddart added, “But fears of terrorism must not become a convenient excuse for the wholesale destruction of the right to privacy.”

Canadians continued to take the center stage adorned with banners bearing the IAPP signature colors and mission: Network, Educate, Certify.

Ontario’s Privacy Commissioner Explains Need for ‘Single Identity Metasystem’

Dr. Cavoukian then used her plenary remarks as a platform to build upon her public announcement the day before. During a well-covered news conference, Cavoukian — joined by Kim Cameron, Chief Identity Architect, and Peter Cullen, CIPP, Chief Privacy Strategist, both of Microsoft Corp. — explained to the media the genesis of the 7 Laws of Identity, which Cavoukian touted as a tool to “profoundly shape the architecture and growth of a universal, interoperable identity system needed to enable the Internet to evolve to the next level of trust and capability.”

In her prelude to her plenary PowerPoint presentation, Cavoukian said e-commerce is in “a state of crisis,” which prompted the need for a system that will reduce online fraud, help to verify online identities and foster trust among users who are increasingly wary of conducting business online.

“Online fraud is growing at an alarming rate,” Cavoukian told the crowd. “… Companies’ reputations and brands are being impacted dramatically by these deceptive online practices.”

Improved user control is the answer, Cavoukian said.

“The growing identification requirements on the Internet are posing enormous privacy problems,” she said. “Trust is at an all-time low.”

Cavoukian added, “The future of privacy revolves around identity, so what can we do?”

Cavoukian described her plan, developed through Cameron’s leadership, as “a single identity metasystem … that empowers users to manage their own digital identities.” (More information is available at www.ipc.on.ca)

In her concluding remarks, Cavoukian warned, “There never has been a more strategic time to ensure that privacy interests are built onto the new architecture of identity.”

Author Don Tapscott: ‘This Ain’t Your Father’s Internet’

Jim Halpert, Co-Chair of the Communications, Electronic Commerce & Privacy Practice at DLA Piper U.S., LLP, shares dinner and conversation with Canada’s Privacy Commissioner Jennifer Stoddart during the Speaker Dinner.

Tapscott took attendees on a tour of the Internet, a journey he said is no longer “your father’s Internet.” Demonstrating Web sites that create online profiles of users — some of which may be inaccurate — Tapscott led attendees to various sites to demonstrate the trail of “digital crumbs” left by users as they surf the Web.

“These sites and capabilities are not necessarily bad,” he said. “They just pose a huge challenge for us as individuals.” The sites “can collect dossiers of each of us which are beyond the capabilities of any secret police in history.”

Tapscott described a “fundamental change in the nature and capability of the Internet” on a number of fronts, with “billions and trillions of inert objects in our world that (have) become smart communication devices.”

Doorknobs. House keys. Toasters. Dishwashers. “All of this stuff talks to itself,” Tapscott joked. “In five years the shirt will be talking to the washing machine.”

On a more serious note, he continued, “The physical world is becoming smart and inter-connected, and this is a really big change. Now all of these things have something called an IP address.”

Another change is mobility — and the ability to track individuals, whether it be children, friends, celebrities or criminals.

After a demonstration of a number of Web sites to prove his mobility point, Tapscott focused on the profound changes in the Internet’s next generation.

“What is happening is that the Web is changing from a medium to present information to becoming a giant computer,” he said. “When you go onto the Web and you do anything, you are reprogramming this giant global computer.”

Deliberate attempts to falsify an individual’s information and inaccurate information can damage reputations, Tapscott said, as he demonstrated some sites that allow users to post personal information about professors or past lovers.

Tapscott concluded his remarks with a warning about “digital conglomerates” of Internet companies that really up the ante “with the whole question of what we do with information — not just corporate information, but personal information.”

The author of the soon-to-be released book, Wikinomics: How Mass Collaboration Changes Everything, said as companies become more inter-connected and global, they share all types of information. He urged companies to embrace transparency, which he described as “a force in the economy.” He added, “Fitness is no longer an option. If you’re going to be naked, you better be buff.” Values have to be built into an organization’s DNA, he said. “When you open up with customers, you build trust,” Tapscott said.

Tapscott then wound up his remarks with an inspirational challenge for privacy pros.

Privacy, he said, once used to be “on the sideline of corporate strategy. There’s a fundamental change. Privacy is coming into the heart of business strategy. … It’s a leadership opportunity for you. Companies that take the old route, the future is going to be bleak. There’s a new route. As a profession, you did what was possible and you saw the storm clouds and you got organized. But now it’s possible to go forward. The time has come for us to get a grip with this issue. The time has come for each of you to find the leader in you to help your companies do the right thing.”

The IAPP’s Assistant Director, Peter Kosmala, CIPP, then told attendees before the refreshment break in the Exhibit Hall that the number of people at the plenary was the largest Academy attendance in the IAPP’s five-year history.

Wildside Chopper in the Hall

All revved up from the inspiring keynotes and the first hour of Breakout Sessions, attendees then shared a networking lunch, which also offered the opportunity to admire Privacy Engineering’s 2006 Wildside Chopper, parked in the Exhibit Hall, which served as a prop for a giveaway.

However, there was a catch. The winner who had the random key to start the stunning bike did not drive away into the Toronto sunset with a brand new $50,000 custom Canadian chopper. The holder of the key to turn over the bike’s engine won a different kind of ride into the sunset — a trip to the Bahamas. The winner was Symantec’s Constantine Karbaliotis, who rattled more than a few attendees when his key started up the thundering machine — inside the Exhibit Hall. Congratulations Constantine!

Privacy Awards Given During Memorable Hockey Hall of Fame Reception

After the afternoon Breakout Sessions, the crown jewel of networking events, the Networking Reception, was held at Toronto’s revered Hockey Hall of Fame. During an exclusive event memorable for its delicious hors d’oeuvres and the opportunity to take a slapshot or don the gear of an NHL goalie, attendees wandered around the Hall to view the memorabilia of hockey’s greatest, eventually making their way to the pinnacle display, the awe-inspiring Stanley Cup.


Constantine Karbaliotis of Symantec poses with Privacy Engineering's 2006 Wildside Chopper, after he randomly receives a key to start the monster hog. Karbaliotis won a trip to the Bahamas.

Attendees of the IAPP’s Networking Reception at Toronto’s Hockey Hall of Fame mingle and take in hockey’s legends and storied hockey teams.


What better way to recognize the privacy profession’s 2006 award winners than to hold the ceremony in the NHL Zone for honored members. Accented in polished black granite and stainless steel, the NHL Zone was the perfect venue for privacy pros to recognize their own distinguished members.

The ceremony honored the winner of the IAPP/Deloitte & Touche Vanguard Award, which recognizes the privacy professional of the year, and the recipients of the IAPP Privacy Innovation Awards, an annual recognition of privacy leadership in the public, private and technology sectors. (See page 14 for more coverage.)

In the Large Organization category (more than 5,000 employees), Royal Philips Electronics and General Electric Corp. tied for their entries on Binding Corporate Rules (BCR) as a mode of compliance for cross-border data transfers.

The winner in the Small Organization category (less than 5,000 employees) was ATB Financial, which won the award for its privacy program communications plan.

Now in its second year, the IAPP Privacy Innovation Technology Award went to Voltage Security, Inc., for Voltage Identity-Based Encryption™ technology incorporated into its data protection solutions.

The 2006 recipient of the IAPP/Deloitte & Touche Vanguard Award was Chris Zoladz, CIPP, Vice President, Information Protection, Marriott International.

Day 2: Three Exams, Working Groups, Closing Plenary, Encore Sessions

The morning of Oct. 20 was tense as nervous examinees prepared to take the CIPP, CIPP/G and CIPP/C tests. By day’s end, 175 examinees sat for all three IAPP credentialing exams in the Frontenac Ballroom.

For others, the Friday Working Groups provided an opportunity to network in their area of expertise: Financial Services; Consumer Marketing; International; Human Resources; Government; Healthcare/Pharma; and Higher Education.

A two-hour seated lunch in the Metro Ballroom then set the stage for the Closing Plenary, featuring Dan Fortin, President, IBM Canada; Dr. Larry Ponemon, Chairman and Founder of The Ponemon Institute; Dr. Eric Johnson, Norman Eig Professor of Business, Columbia University; and Dr. Martha Rogers, Founding Partner, Peppers & Rogers Group.

Big Blue’s Commitment to Privacy

Fortin detailed some of the structural changes IBM has made to accommodate advances in technology. “Our professional services businesses used to have multiple teams in regions,” Fortin said. “Today we manage it as one asset. … The work can be moved around, not tied to a local market.”

Above: Duncan de Chastelain, General Counsel and Chief Privacy Officer, General Electric-Canada is joined by Jeroen Terstegge, Corporate Privacy Officer & Senior Counsel, Royal Philips Electronics, to receive the IAPP Privacy Innovation Award in the Large Organization Category, at the Hockey Hall of Fame.

André Breau, Manager, Information Management and Privacy, Freedom of Information Management and Privacy Office, Ontario Ministry of Labour, amid the silver and gold at the Hockey Hall of Fame.

From L to R: J. Trevor Hughes, Executive Director of the IAPP, celebrates with Kevin Leusing, Vice President of Professional Services, Voltage Security, after the company won the IAPP Privacy Innovation Technology Award. Also shown are IAPP Board Member Jules Polonetsky, Chief Privacy Officer and Senior Vice President Consumer Advocacy, America Online, Inc. and IAPP Board President, Kirk M. Herath, Chief Privacy Officer, Associate General Counsel, Nationwide Insurance Companies.

From L to R: J. Trevor Hughes, Executive Director of the IAPP, joins Sandra Smith-Frampton, Senior Risk Manager, Privacy and Information, Operational Risk Management, ATB Financial, which received the IAPP Privacy Innovation Award (Small Organization Category), during an exclusive Networking Reception at Toronto’s Hockey Hall of Fame. Also shown are Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, and IAPP Board President, Kirk M. Herath, Chief Privacy Officer, Associate General Counsel, Nationwide Insurance Companies.

He also discussed the prevalence of outsourcing, which Fortin says allows companies to specialize in one area that sets them apart in the marketplace. “Corporations are moving work based on expertise,” Fortin explained.

Fortin touted IBM’s commitment to privacy, noting that it was the first corporation to implement global privacy policies in the 1960s. Last year, the company revised its policies to prevent the use of genetic testing results in personnel decisions.

“Most importantly, you as privacy professionals are vital to issues like trust,” Fortin said. It is essential that customers will receive a “consistent and quality experience time and time again,” which springs from trust, he added.

The 2006 Salary Survey Results

Dr. Ponemon gave a presentation on the results of the 2006 salary survey, which found that while there have been “salary increases in almost every area,” a gender gap remains, although it is less than when measured four years ago.

“But we have a ways to go as a profession,” Ponemon acknowledged.

IAPP certification is a proven way to boost a privacy pro’s salary, Ponemon said.

“CIPPs earn more money,” Ponemon said.

Ninety percent of the survey’s respondents were from the U.S., but Ponemon said he expects to “see more and more non-U.S. respondents as the IAPP seeks to become more international.”

Professor Johnson Captivates Audience — Fire Alarm Sounds, But No One Moves

Johnson started his presentation with a provocative question: “How do people make decisions about privacy?” His answer: “They don’t.”

Much of his presentation — which was interrupted at least twice by an announcement about a fire alarm that ultimately turned out to be false — focused on decision-making and defaults.

“People have strong preferences but they don’t think about those preferences as they conduct their lives,” Johnson said. “A default is what happens when there is an opportunity for you to make an active decision and you don’t. Most privacy decisions have a default option.”

Johnson stressed that “defaults have a big effect on privacy and commerce,” and he urged the audience to study the issue and use the knowledge wisely.

Dr. Rogers Thrills the Audience with Engaging Style, Captivating Message

Dr. Rogers closed the plenary session with a lively presentation that impressed many attendees.

Rogers talked about her company’s Return On Customer strategy, and using privacy as a company growth strategy.

“All of our revenue comes from the customers that we have today and the ones that we will have tomorrow — and that’s it,” Rogers said. “That’s the only chance we have at growing our companies as well.”

Rogers said companies must embrace the concept of “the potential value of our customers tomorrow” as a way to hold managers accountable for their performance.

Companies are limiting their growth by “operating on the false premise” that the manufacture of more products, or offering more services, is the way to make more money. “There’s one thing we can’t make more of. … The one thing that is in short supply for every company, the one thing that limits our companies, is paying customers. We can clone sheep, but we can’t make another human being that is ready and willing to buy our products.”

The key, she said, is to look at achieving the “greatest return on customers.”

Left: Is this a Team IAPP Quorum? From L to R: IAPP Board members: IAPP Board Secretary Dale Skivington, Chief Privacy Officer, Assistant General Counsel, Eastman Kodak Corp., and Vice President and “IAPP Assistant Captain” Sandra R. Hughes, Global Privacy Executive, Procter & Gamble, share a moment of team strategy at the Hockey Hall of Fame with “IAPP Captain” Kirk M. Herath, Chief Privacy Officer, Associate General Counsel, Nationwide Insurance Companies.

Bottom left: A Show of Strength: Don’t Mess With Team IAPP!

Right: Alan Charles Raul, Partner, Sidley Austin, LLP, and Vice Chairman of the Privacy and Civil Liberties Oversight Board, inspecting the Stanley Cup, the most coveted NHL trophy, which is proudly displayed in the MCI Great Hall, known as “A Cathedral to the Icons of Hockey.”

Above: Netminder in a Suit: Brooks Dobbs, Vice President of Data Protection & Government Relations, DoubleClick Inc., tests his goalie skills as onlookers cheer him on during the Networking Reception.

See IAPP Toronto Conference, page 15

Photography by J. Trevor Hughes and Mike Adaskaveg


As with many business environments, direct marketing thrives on customer trust. Maybe customers don’t always know why they trust a business — the products are better, or more reliable, or they feel more secure — but customer trust helps drive long term profitable relationships. One element of trust that we’re hearing more about these days, especially as the promise of ‘personalized’ marketing develops, is how information is collected and used. And with such increasing information use comes an increased set of privacy-related challenges, issues — and yes, opportunities.

As much as customer privacy gets talked about these days, what do marketers think about privacy concepts? There’s probably not one concise answer to this question. But a couple of recently released studies help to shed light on how some companies are approaching customer privacy.

Increased Collection

A key component of customer privacy is the idea of providing customers notice and choice about your data practices. At the end of August, the Customer Respect Group, a Massachusetts-based research firm, released the results of its Third Quarter 2006 Online Customer Respect Study of Retailers. The report detailed how online retailers stacked up when it came to privacy, communication, and marketing to their customers.

While the Customer Respect Study found that online retailers are improving their efforts to effectively communicate with customers, it also noted an increase in the types and amount of collected data. More than a quarter of online retail sites, the Customer Respect Group found, required customers to log in or register before they are allowed to view products or prices. And 20 percent of the companies surveyed required customers to provide more than 10 different pieces of information about themselves — such as addresses, phone numbers, and so on — when submitting a question.

As we all know, information is a key ingredient in most effective marketing outreach programs. Unfortunately, the report found that some online retailers did not consistently ask their customers’ permission before using collected data for marketing purposes. Of the companies surveyed, 15 percent used collected customer data for internal marketing without explicit authorization — and 43 percent shared such data with business partners or other third parties without first getting explicit customer permission.

A Hindrance to Marketing?

These results are supported by another recent study. The Ponemon Institute just released the results of a report, What Marketing Professionals Think about the Value of Privacy to Consumers, sponsored by marketing strategy firm ZOOM Marketing. The study optimistically noted that nearly three quarters of marketers are aware of their company’s privacy policies, and have reviewed how these policies affect marketing initiatives. But it also found that most of those surveyed view privacy as a hindrance to their campaigns.

According to the Ponemon Study, 51 percent of marketers said that their organization’s privacy policies made it harder to market to consumers. Three major reasons were cited: fewer customers to contact, increased costs and the inability to use personalization technology. And a majority of respondents felt that customer privacy was only ‘somewhat’ important — if at all.

What responding marketers did feel was important — especially when it came to building customer trust — was the ability to personalize marketing. Although the study didn’t ask why, we might surmise that by tailoring their outreach to the interests of each customer, companies believe they will be “giving something back” to customers in exchange for collected data. In that sense, marketers may see a company privacy policy as an impediment, insomuch as it limits the collection of this valuable data. Companies clearly want their customers’ trust. However, some may actually view privacy as inhibiting their efforts to build that trust.

Privacy as Boon, Not Burden

Marketers and privacy professionals agree, then — customer trust is good, and so is using data to build that trust. Where they diverge, it seems, is how to best use collected data to develop trust. But I think both groups can learn something from each other. Marketing professionals are right to recognize the value of customer trust — and customers certainly respond positively to personalized marketing.

The Chapell View

Alan Chapell

Privacy Challenges Also Present Opportunities

On the other hand, this isn’t the only reason customers have to trust a business. There’s also the question about what happens to information once it’s been collected. As Forrester Research has reported, 86 percent of consumers are worried about providing their information to marketers because of privacy and security concerns. Such fears can be a real impediment to customer trust and loyalty.

But the right privacy policies can help alleviate this barrier. “Too many companies fail to understand the strategic significance of privacy within the context of a successful, profitable marketing campaign,” said Dr. Larry Ponemon of The Ponemon Institute. “Privacy is still regarded as an inconvenience to the marketing community, rather than an opportunity to build strong, long-lasting relationships.”

In a forthcoming white paper, edited by Chapell & Associates, The Ponemon Institute’s Responsible Information Management Council will outline how businesses can effectively institute customer privacy to further their marketing initiatives. In this paper and elsewhere, what is clear is that respecting a customer’s privacy leads to increased loyalty and trust. Applied properly, that trust can provide a significant competitive advantage.

Alan Chapell, CIPP, is president of Chapell & Associates, a consulting firm that helps direct marketers navigate the waters of consumer privacy and develop responsible and effective marketing programs. Chapell has been instrumental in the development of emerging best practice standards for privacy and interactive marketing. He may be reached at +212.675.1270, or via email at [email protected].

IAPP Networking …

Does it Really Work?

In this business, we all seem to work flawlessly in our own separate worlds. The majority of our interactions, socializations and communications are through electronic means, such as email or telephone calls. We live in a fast-paced environment where issues swirl over our heads like a tornado waiting to make its first contact with the ground. If it weren’t for events that draw us into the same room, we would never have a face that matches anyone’s emails or voices.

This year at the IAPP Privacy Academy 2006 in Toronto, I experienced a memorable networking interaction with a person I had only talked to through electronic means before this conference. Let me set the scene for you…

I was attending The Privacy Advisor’s networking reception and had just ordered a drink when a woman came up and introduced herself to me. I reciprocated by introducing myself and we shook hands as if it were the first time we had ever spoken. Almost immediately, this woman began asking me questions about why I was not submitting more articles to publish in the Advisor. For whatever reason, I did not hear her name, but I knew I had submitted articles to the editor on several occasions. All I heard was that I wasn’t submitting enough copy so …

I responded to this woman by telling her that I had submitted articles to the managing editor of The Privacy Advisor, Ann Donlan, and she would not push my articles through to print. I also stated that I did not understand why she would not publish them and that she must hate me or something. I am serious as a heart attack. Can any of you guess who I was speaking with? Ladies and Gentlemen, I was face to face with none other than Ann Donlan herself. As she and I cleared up the identity and technical issues surrounding my article submissions, we had a great laugh together and have become even better friends. Ann does not hate me and does not have a grudge against my articles.

The moral of the story here is that networking works. It is evident by the relationships we all have made through our interactions with the IAPP. There are more than 1,000 CIPPs worldwide and the numbers are growing stronger. You should be making contacts and networking with as many professionals as you can. You never know who you are talking to unless you get their name first.

The views expressed are Spears’ and not necessarily those of Dell, Inc. Spears is a member of The Privacy Advisor’s Advisory Board.

Managing Editor’s Note: IAPP Members will note that Billy Spears can no longer claim that the Managing Editor blocks his Advisor submissions.

Networking Central

Billy J. Spears, M.B.A., CIPP/G, and Senior Manager, Privacy & Information Protection, Dell, Inc., will author a new networking feature that will showcase the art of networking — IAPP-style! Look for Spears’ occasional features, based on real-life experiences of IAPP members at networking events.

Billy J. Spears


IAPP In The News

IAPP Innovation Award Winners, Privacy Leader of The Year Receive Trophies at Toronto’s Hockey Hall of Fame

The IAPP Privacy Innovation Awards and the IAPP/Deloitte & Touche Vanguard Award were presented Oct. 19 during an exclusive member reception at the Hockey Hall of Fame in Toronto.

More than 30 individual organizations participated in the 2006 Innovation Awards, the largest number of nominees ever in the four-year history of this distinguished awards program.

“We are delighted to recognize these organizations for their leadership in the development and delivery of privacy programs,” said J. Trevor Hughes, Executive Director of the IAPP. “The depth and breadth of nominations this year is a testament to the continued growth of our field.”

Large Organization category (More than 5,000 employees)

This award was presented jointly to Royal Philips Electronics and General Electric Corp., which tied for their entries on Binding Corporate Rules (BCR) as a mode of compliance for cross-border data transfers.

General Electric is the first company in the world to pursue a BCR policy that assures employees that their data will be handled using the highest and best practices no matter where in the world the employee or the data is located. The GE BCR has been approved in more than a dozen countries to date — more than any other model — and is under consideration in all EU countries. This BCR model governs the company’s relationship with its 350,000 employees worldwide and is available in 27 languages.

Philips publicly announced its BCR project at the International Data Protection Conference in Sydney in 2003, when it was already in an advanced drafting stage. The Philips Privacy Code is currently moving through the final approval process in 22 European countries. The unique approach taken by the Philips Privacy Code is that it combines two existing concepts of European data privacy law: the U.S./EU Safe Harbor Program and the (sectoral) Codes of Conduct. The Philips Privacy Code is a self-regulating document which, after endorsement by European Data Protection Authorities, creates a “safe haven” for personal data within the worldwide Philips group.

Small Organization category (Less than 5,000 employees)

The winner in this category was ATB Financial, which won the award for its privacy program communications plan. Alberta, Canada-based ATB Financial is a full service financial institution that is the largest deposit-taking institution headquartered in Western Canada.

ATB Financial's innovative privacy initiative was both strategic and technological, according to the Innovation Awards judges. It crossed multiple divisions of the organization and required extensive planning, assessment and coordination of cross-sectional business units. Rather than collect customer consent on separate forms, ATB Financial designed a system to direct customers to a single point of entry and awareness. A privacy brochure enforced by a publicly available Customer Privacy Code was also created and distributed to all existing customers to capture one, uniform consent for portfolio management. This complex and intricate effort resulted in one of the first online opt-outs made available for customers of financial institutions in Canada.

“As an Alberta-based financial institution, ATB Financial is very pleased to be recognized by the IAPP for its innovative privacy approach,” said Privacy Officer Sandra Smith-Frampton, CRM.

IAPP Privacy Innovation Technology Award

Voltage Security, Inc., won the technology award for its Voltage Identity-Based Encryption™ technology incorporated into its data protection solutions. Voltage IBE protects information on PCs (laptops, desktops, mobile and wireless devices) and in email communications, and enables compliance with a broad range of privacy guidelines and regulations, such as PCI, HIPAA, GLBA, PIPEDA and the Data Protection Act.

Voltage IBE solutions can be used to protect the privacy of information internally within an organization, such as HR and financial information; externally with business partners, brokers and the supply chain to protect company confidential information, such as pricing and other trade secrets; as well as with customers to protect personally identifiable information, such as credit card, Social Security and drivers license data. Voltage IBE solutions are in use by more than 250 world-leading organizations, and by partners such as Integro Insurance Brokers, Spheris, XL Global Services, Winterthur Life, Microsoft, NTT Communications, Symantec, Ciphertrust, Proofpoint and Tablus.


Marriott’s Chris Zoladz is Privacy Professional of the Year

The IAPP and Deloitte & Touche LLP ("Deloitte & Touche") proudly presented Chris Zoladz, Vice President, Information Protection, Marriott International, with the IAPP/Deloitte & Touche Vanguard Award, which recognizes the privacy professional of 2006.

“Chris Zoladz is a pioneer of the nascent privacy profession,” said IAPP Board President Kirk M. Herath, CIPP/G, President of the IAPP Board of Directors and Chief Privacy Officer, Associate General Counsel, Nationwide Insurance Companies. “He was the first CPO for Marriott and he was one of the first leaders of the IAPP. As a mentor to many privacy professionals, I can think of no one more deserving for this year‘s Vanguard Award.”

“Privacy is as much a key business issue as top-line growth, cost reduction, or tax optimization, and Deloitte & Touche is proud to recognize and support excellence in the privacy profession,” said Rena Mears, National Privacy & Data Protection leader in the Security & Privacy Services practice at Deloitte & Touche LLP, the co-sponsor of the Vanguard Award. “We support the Vanguard Award and remain deeply committed to advancing the privacy profession.”

Zoladz, a longtime committed privacy leader for the privacy industry and past president of the IAPP Board of Directors, was nominated in large part for his role as chairman of the Privacy Roundtable at Marriott, Hilton, Hyatt, Starwood and InterContinental. In this capacity, Zoladz spearheaded an initiative in this group to develop privacy training for hotel employees.

Zoladz, a Certified Information Privacy Professional, brought together this group of marketplace competitors to embrace the importance of launching a gold standard privacy training program for hotel employees. He not only had the vision, but also coordinated the logistics and arrangements with vendors for the program.

Lynn Goodendorf, Vice President of Data Privacy at InterContinental Hotel Group, praised Zoladz for his leadership.

“This effort led to a mandatory brand standard in our company that all hotel employees must be trained using this program,” said Goodendorf, who nominated Zoladz for the award. “We have now deployed this training to over 2,500 hotels in the U.S., Canada and Mexico, in both English and Spanish. It takes a special kind of leadership to get fierce competitors to collaborate and Chris did it.”

IAPP Toronto Conference continued from page 11

Rogers added, “Customers create value for our companies in two ways: they pay us money today. They also create value for us in another way that is very hard to measure and many companies don’t bother.” Customers, she said, make decisions about whether they will do business with companies in the future.

Noting that companies often drive away a customer by strident applications of its policies, Rogers stressed that that approach deprives an organization of its most precious resource.

“When we take a customer’s point of view, it means treating different customers differently,” said Rogers.

“(Return On Customer) is also a philosophy of doing business based on earning a customer’s trust,” said Rogers, who added that privacy and data security are “the most tangible manifestations” of trust.

Rogers left an impression on many attendees, some of whom crowded around her after her presentation to ask her questions.

“Dr. Rogers was excellent — she stole the show,” remarked one privacy pro.

Added another, “Martha does an excellent job of engaging the audience.”

The Academy Comes to a Close But the Summit Beckons

The Academy came to a close after the Encore Sessions, programming that consistently has attracted the highest number of attendees and received the best ratings.

After leaving behind Toronto and our most successful Academy, the IAPP returned to York, Maine, where the staff already is deep into planning for our next event, the IAPP Privacy Summit, March 7-9, in Washington, D.C.

The momentum is building for our next conference, so don’t miss out on all that the IAPP consistently delivers to members and attendees. Stay tuned to the Daily Dashboard and our Web site, at www.privacyassociation.org, for registration and programming details.

left: Rena Mears, National Privacy & Data Protection leader in the Security & Privacy Services practice at Deloitte & Touche LLP, gives an introduction at the Hockey Hall of Fame just before announcing the winner of the IAPP/Deloitte & Touche LLP Vanguard Award, during an exclusive Networking Reception at Toronto’s Hockey Hall of Fame. Deloitte & Touche is the co-sponsor of the award.

right: Chris Zoladz, Vice President, Information Protection, Marriott International, addresses the audience gathered at the Hockey Hall of Fame to honor his achievement as the 2006 recipient of the IAPP/Deloitte & Touche Vanguard Award, which recognizes the privacy professional of the year.


Privacy Advisor Catches up with Author Don Tapscott

The Privacy Advisor interviewed Don Tapscott, author of "The Naked Corporation: How the Age of Transparency Will Revolutionize Business." Tapscott, an internationally renowned authority on the strategic value and impact of information technology, is working on a new book, "Wikinomics: How Mass Collaboration Changes Everything." Tapscott was a keynote speaker at the IAPP Privacy Academy 2006 last month in Toronto.

The Privacy Advisor (TPA): Can you explain how you became interested in the topic of privacy?

Tapscott: As a social activist in the 1960s, I became aware that the government kept a detailed file on me. I thought that was inappropriate because I was not a law-breaker.

TPA: In 1996, you and co-author, Dr. Ann Cavoukian, published, Who Knows: Safeguarding Your Privacy in a Networked World. What are some of the unexpected privacy issues you anticipated well before these concerns became evident in the marketplace?

Tapscott: In the early 1990s, I understood how the Net was going to revolutionize society and it occurred to me that non-government threats to privacy might eclipse “Big Brother.”

TPA: What are some of the predictions you made about privacy threats that did not come to fruition?

Tapscott: The book Who Knows stands up remarkably well. I can’t say that about everything I’ve written.

TPA: In your book, you described “digital crumbs” as pieces of information, that when taken together, add up to a whole individual profile. In your view, what are the inherent risks of this practice and should they be minimized, and if so, how?

Tapscott: The solution is not to lay out or collect crumbs. The solution to safeguarding privacy is to have strict controls, voluntary and otherwise, regarding how those crumbs will be used.

TPA: It’s 2016. Given your track record for predictions about privacy threats, give us a few examples of the emerging privacy threats you see over the next decade.

Tapscott: With the recent actions of the U.S. and other governments, it turns out that "Big Brother” may in fact be less benign than I’ve implied in the past.

TPA: How do you recommend that people protect their personal privacy online?

Tapscott: All the usual safeguards make sense. Don’t give away your birth date, Social Security number or other unnecessary information. Challenge vendors who want such.

TPA: Can you tell us, generally, what topic your next book will tackle?

Tapscott: The book is called Wikinomics: How Mass Collaboration Changes Everything. Throughout history corporations have organized themselves according to strict hierarchical lines of authority. Everyone was a subordinate to someone else — employees versus managers, marketers versus customers, producers versus supply chain sub-contractors, companies versus the community. Today millions of media buffs now use blogs, wikis, chat rooms, and personal broadcasting to add their voices to a vociferous stream of dialogue and debate called the Blogosphere. Employees drive performance by collaborating with peers across organizational boundaries, creating what we call a wiki workplace. Customers become prosumers by getting engaged in co-creating goods and services rather than simply consuming the end product. So called “supply chains” work more effectively when the risk, reward and capability to complete major projects — including massively complex products like cars, motorcycles and airplanes — are distributed across planetary networks of partners. Mass collaboration is beginning to change many aspects of the economy.


Privacy News

Martha Rogers Joins Board of Directors of Click Tactics

Recognized as one of the world’s leading experts on customer-based business strategies and growing customer value, Peppers and Rogers Group founding partner Martha Rogers, Ph.D, has joined the Board of Click Tactics, Inc., a leading multichannel marketing services provider for Global 2000 companies.

Of this appointment, Click Tactics CEO, Andrew Frawley, said “Martha is one of the most influential business thought-leaders of our time, with an unwavering commitment to driving customer-centric concepts and practices forward. Her expertise and energy will give our customers a significant advantage in developing programs focused on moving their customer relationships and business growth to new levels.”

“Click Tactics is a company that is making enormous strides in winning the battle against the slow, impersonal and largely irrelevant marketing programs that have dominated the communications landscape for so long,” Dr. Rogers said. “Companies that have adopted the concept of one to one marketing will find the Click Tactics solution an efficient way to execute and evolve those principles in the market. I’m looking forward to working with this talented group to help their clients’ businesses grow.”

Business 2.0 magazine named Dr. Rogers one of the 19 most important business gurus of the past century. The World Technology Network recognized her as “an innovator most likely to create visionary ripple effects.” Accenture’s Institute for Strategic Change ranked her among the Global “Top 100 Business Intellectuals.”

With Don Peppers, Dr. Rogers has co-authored seven best-selling books, including: The One to One Future (Currency/Doubleday 1993), Enterprise One to One, One to One B2B and their newest book, Return on Customer (or ROC) released in June 2005. Their textbook, Managing Customer Relationships, has been adopted by dozens of universities around the world. The books have sold well over one million copies and appear in a total of 17 languages.

In August 2003, Peppers & Rogers Group joined Carlson Marketing Worldwide to provide clients with worldwide customer strategy, flawlessly executed, for bottom-line impact. As an Adjunct Professor at the Fuqua School of Business at Duke University, Dr. Rogers has helped to spearhead coursework at the MBA and Exec. Ed level on “Growing Your Business by Increasing the Value of the Customer Base.” She is also the co-director of the Duke Center for Customer Relationship Management. She is widely published in academic and trade journals, including, Harvard Business Review, Journal of Public Policy and Marketing, Journal of Advertising Research and Journal of Applied Psychology. She has been named International Sales and Marketing Executives’ Educator of the Year and with Don Peppers, she has been named Direct Marketer of the Year by DM Days New York.

Privacy Classifieds

The Privacy Advisor is an excellent resource for privacy professionals researching career opportunities. For more information on a specific position, or to view all the listings, visit the IAPP’s Web site, www.privacyassociation.org.

SENIOR PROJECT MANAGER - PRIVACY, Wal-Mart Stores, Inc., Bentonville, AR

CHIEF PRIVACY OFFICER, Roche Pharmaceuticals, Nutley, NJ

SENIOR PROJECT MANAGER – NATIONAL COMPLIANCE, Kaiser Permanente, Oakland, CA

PRIVACY CONSULTANTS, Samet Privacy, LLC, Los Angeles, CA

DIRECTOR – PRIVACY, Gap, Inc, San Francisco, CA

INFORMATION SECURITY ENGINEER, Lam Research, Fremont, CA

PRIVACY PROJECT COORDINATOR, Ernst & Young, New York, NY

PRIVACY SPECIALIST, Iron Mountain, Boston, MA

SENIOR ANALYST - COMPLIANCE, Prudential Financial, Newark, NJ


AOL Names Jules Polonetsky Chief Privacy Officer And Senior Vice President Consumer Advocacy

AOL recently announced the appointment of their first Chief Privacy Officer. Jules Polonetsky, CIPP, will lead all of AOL’s activities related to privacy policies and procedures. He and his team will formulate and enforce standards for a wide range of consumer issues, including privacy, ad policy, accessibility, content guidelines, community practices, child safety and general online security. To support AOL’s commitment to consumers and privacy, this team will also launch cross-corporate education and communications initiatives.

Polonetsky, a Board Member of the IAPP, joined AOL in 2002 from DoubleClick as their Chief Privacy Officer. He previously served as the New York City Consumer Affairs Commissioner for Mayor Rudolph Giuliani.

Shred-A-Thon Days Tackle ID Theft for Westchester Residents

Westchester County Executive Andrew J. Spano announced the launch of a mobile shredder machine to help residents combat identity theft. Allocated with recycling funds, the $60,000 shred-mobile has capacity to shred 150 pages at one time and hold up to one ton of shredded paper.

County spokeswoman Susan Tolchin said, “[the truck] is raising public awareness and physically doing something to help our residents prevent their identities from being stolen. We don’t want Westchester residents to have to go through the heartache, misery, aggravation and financial loss of having their identity stolen.”

This not-for-profit initiative is for residents only at household chemical clean-up day events held throughout the county and will not be offered to businesses. Residents’ personal papers will be shredded on-the-spot and recycled.


Left to right: Gary Brown, Westchester County Director of Consumer Protection; Andy Spano, Westchester County Executive and Anthony Landi, Westchester County Commissioner of Environmental Facilities.

Photos by Wasfiyah Talib-Taylor of the Westchester County Executive’s Office

NASCIO Releases Research Brief for State CIOs

NASCIO’s Security and Privacy Committee has released its latest research brief, “Keeping Citizen Trust: What Can a State CIO Do to Protect Privacy?” This research examines how privacy in the state government context has evolved as a defining issue in response to rapidly changing technological advances and the complexities of a fast-paced world. It further explores some initial areas in which a state CIO may encounter privacy issues and offers potential ways of addressing those issues.

“Privacy is a particularly daunting challenge for state governments, because citizens have an expectation of openness and transparency. Yet, at the same time, states must foster citizens’ trust by ensuring that their private information remains that way,” said Brenda Decker, CIO, Nebraska, and NASCIO’s Security and Privacy Committee Co-Chair. “This brief starts us down the path of understanding how technology has changed the nature of privacy issues and how they can be effectively addressed.”

“We feel that the brief will be of assistance to state CIOs as they encounter privacy issues in many different contexts — from the implementation of new IT systems to the implementation of new laws with technology components. We then provide them with a wide range of considerations for understanding how they can effectively manage and implement privacy protections and, ultimately, play a part in keeping the citizen trust,” said Mary Carroll, CIO, Ohio, and NASCIO Security and Privacy Committee Co-Chair.

This brief is available at www.nascio.org/publications/researchBrief.cfm

Operator Anthony Delaney, a Department of Environmental Facilities employee.


Facebook Adds More Privacy Controls

As Facebook relaxes its enrollment eligibility requirements to only a valid email address, members can now take advantage of the site’s industry-leading privacy controls.

Facebook’s latest expansion makes it possible for anyone with a valid email address to join Facebook and interact with their friends and people in their region. New users are still required to prove affiliation to access an existing college or work network, and are also asked to validate their mobile phone number to verify their account.

Consistent with Facebook’s unique network structure, people’s profiles are only accessible to other people in the same network and to confirmed friends. With this expansion, Facebook has launched additional privacy controls that allow every user to: block other users in specific networks from searching for his or her name, prevent people in those networks from messaging, poking and adding him or her as a friend, and control whether his or her profile picture shows up in search results.

“We are expanding to respond to the requests of millions of people who want to be part of Facebook, but haven’t been able to until (now)” said Mark Zuckerberg, founder and CEO of Facebook. “About one-third of Facebook’s college users have already graduated and are now interacting with more people outside of their schools and work environment.”

(See Calendar to register for Facebook audio conference on December 7, 2006)

Announcing Extension of Public Comment Period Related to Prerecorded Telemarketing

The FTC has approved the publication of a Federal Register notice announcing the extension of the public comment period on two proposed amendments to the Telemarketing Sales Rule (TSR). The two proposals were announced in a previous Federal Register notice on October 4, 2006. One proposal would explicitly prohibit using prerecorded messages in telemarketing calls answered by a consumer (unless the consumer has given prior written consent to receive such prerecorded message calls). The other proposal would change the method of calculating the maximum allowable rate of call abandonment from a “per day per calling campaign” standard to a “per thirty days per calling campaign” standard. The public comment period will now expire on December 18, 2006.

Chief Privacy Officer Still a “Hot Job” Today

The privacy profession has seen a surge in its ranks as companies focus on proactive ways to prevent data breaches and improve data security, according to attorney Joe Murphy who specializes in ethics and compliance, recently interviewed for the Courier Post Online.

The article describes a CPO’s daily duties and recommendations if your business is too small to afford a CPO and provides some additional privacy resources, among them a visit to the IAPP’s Web site.

ChoicePoint Names Carol DiBattiste General Counsel and Chief Privacy Officer

Carol DiBattiste, former federal prosecutor and executive with the U.S. Department of Justice, has been named ChoicePoint’s General Counsel and Chief Privacy Officer, after having served as the company’s Chief Credentialing, Compliance and Privacy Officer since April 2005.

“Carol’s knowledge and experience make her well suited to addressing the broader opportunities ahead of us,” said ChoicePoint Chairman and CEO, Derek Smith.


privacy guidelines. The user is presented with a link to the privacy statement as well as a number of privacy-related options that govern how their data is collected and used, including whether data about their music library is sent to Microsoft in order to display additional information (such as album art), whether licenses for protected content are acquired automatically, or whether the player remembers the user’s viewing and listening history. The user also is asked whether he or she wishes to send data about player usage and errors to Microsoft as part of the company’s Customer Experience Improvement Program.

With the release of the public Privacy Guidelines for Developing Software Products and Services, Microsoft hopes to promote a broader industry discussion about development guidelines to help protect individual privacy and ensure appropriate data governance. The benefits of such guidelines are clear; not only do consistent user experiences and development practices help protect against misuse of data and other privacy violations, they also promote trust among customers and organizations. Additionally, a reputation for responsible privacy protection has become a market differentiator for companies, attracting and retaining customers based on clear standards and reliable experiences.

No single company has all the answers when it comes to privacy. Addressing these issues requires broad collaboration among software developers, governments and industry organizations. In releasing these guidelines, our hope is that we can further the discussion on how consistent software development practices can make a difference in protecting privacy and preserving public trust in computing.

As Microsoft’s Chief Privacy Strategist, Peter Cullen, CIPP, is directly responsible for managing the development and implementation of programs that enhance the privacy of Microsoft products, services, processes and systems, both internally and worldwide. With more than a decade of privacy and data protection policy expertise, he serves as a leading advocate for strong and innovative personal information privacy and data safeguards, meeting regularly with global industry and public policy leaders and frequently speaking at international conferences. Cullen is a member of the IAPP Board of Directors.

Calendar of Events

NOVEMBER

13 IAPP KnowledgeNet - Denver
John Amaral, Vice President of Research and Development, Vericept Corporation. “Using Technology to Protect Against Potential Threats Within an Organization.” For more information or to RSVP, visit www.privacyassociation.org

28 IAPP Certification Testing - San Antonio, TX
Offering CIPP, CIPP/C, CIPP/G. 2 - 5 p.m. (Central Time). Ernst & Young, Frost Bank Tower – Suite 1800, 100 W Houston Street. Register at www.privacyassociation.org

29 IAPP Certification Testing - Dallas, TX
Offering CIPP, CIPP/C, CIPP/G. 2 - 5 p.m. (Central Time). Ernst & Young, Room 15900-901, 2100 Ross Avenue. Register at www.privacyassociation.org

30 IAPP Certification Testing - Houston, TX
Offering CIPP, CIPP/C, CIPP/G. 2 - 5 p.m. (Central Time). Ernst & Young, 5 Houston Center. Register at www.privacyassociation.org

DECEMBER

7 IAPP Audio Conference - Facebook – What It Is, How It Works, Why It Matters to You
Speakers: Chris Kelly, Chief Privacy Officer, Facebook; Tracy Mitrano, Director of IT Policy and Computer Policy and Law Programs, Adjunct Assistant Professor of Information Science, Cornell University. 1-2:30 pm ET (10-11:30 am PT). For more information or to register, visit www.privacyassociation.org

11 IAPP Certification Testing - San Francisco
Offering CIPP, CIPP/C, CIPP/G. 2-5 pm PT. Ernst & Young, 560 Mission Street – Suite 600. Register at www.privacyassociation.org

11 IAPP Certification Testing - Boston
Offering CIPP, CIPP/C, CIPP/G. 2-5 pm ET. Ernst & Young, 200 Clarendon Street – Conference Room ABC. Register at www.privacyassociation.org

21 IAPP Certification Testing - New York City
Offering CIPP, CIPP/C, CIPP/G. 2-5 pm ET. Five Times Square – 23rd Floor Room J. Register at www.privacyassociation.org

To list your privacy event in The Privacy Advisor, email Ann E. Donlan at [email protected].

Secure Webmail 101 continued from page 6
