Published on March 3, 2014
The Customer and the Cloud: Protecting Customer Privacy With Your SaaS Solution
Blair Reeves – IBM Digital Analytics
Aurélie Pols – Mind Your Privacy
© 2014 IBM Corporation
Today's Speakers
Aurelie Pols, Chief Visionary Officer, Mind Your Privacy – @AureliePols
Blair Reeves, Product Manager, IBM Digital Analytics – @BlairReeves @IBMEMM
Please note
IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Privacy in Context
IBM Customer Experience Suite (content management)
Balancing Measurement Needs with Privacy
– Existing Private Sector Privacy Laws
– Emerging Private Sector Privacy Laws
Expectations: no legislation, promised!
Source: http://www.jms-group.com/wp-content/uploads/2011/10/boring-conference.jpg
My kids in the cloud, perfectly load balanced
Confessions of an EU digital analyst (& Privacy geek)
Grew up in the Netherlands, Dutch passport
French mother tongue
Most of my friends are bilingual at least
Have Polish & Russian origins
Set-up my 1st start-up in Belgium in 2003
Sold it to Digitas LBi (Publicis), in 2008
Moved to Spain in 2009
Created 2 other start-ups in Spain in 2012
– Mind Your Group, Putting Your Data to Work
– Mind Your Privacy, Data Science Protected
– Yes, a “law firm” but we prefer to say a bunch of Data Scientists working with a bunch of lawyers
European specificities vs. global Privacy
Privacy, a fundamental right in the EU
European Convention of Human Rights (1953)
– Section I, Rights & Freedoms, Article 8: Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Note the national security reference, we’ll get back to it!
US: Samuel Warren and Louis Brandeis talk “the right to be left alone” in Harvard Law Review in 1890!
Privacy, a Human Right? Global level
The Right to Privacy in the Digital Age
– Draft resolution, crafted by Germany & Brazil
– Adopted without a vote December 18th 2013
Next steps
– UN High Commissioner Navi Pillay to submit a report on the protection & promotion of the right to Privacy in the context of domestic & extraterritorial surveillance and/or interception of digital communications & the collection of personal data
– August 25th 2014
Source: http://rt.com/news/germany-brazil-un-spying-resolution-394/
The Rule of Law is the basis for Democracy
US & UK: Common Law
– Class actions
– Privacy
– Business focused
– Patchwork of sector based legislations: HIPAA, COPPA, VPPA, …
– PII varies per state
EU: Continental Law
– Fines (by DPAs: Data Protection Agencies)
– Personal Data Protection
– Citizen focused: data belongs to the visitor/prospect/consumer/citizen
– Over-arching EU Directives & Regulations
– Risk levels: low, medium (profiling), high (sensitive data), extremely high (profiling with sensitive data)
APEC
– Continental law influenced
PII list of variables & US states I
Personal Information (based on the definition commonly used by most states)
i. Name, such as full name, maiden name, mother's maiden name, or alias
ii. Personal identification number, such as social security number (SSN), passport number, driver's license number, account and credit card number
iii. Address information, such as street address or email address
iv. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC)
v. Telephone numbers, including mobile, business, and personal numbers.
Information identifying personally owned property, such as vehicle registration number or title number and related information
Source: information based on current ongoing analysis (partial results)
PII list of variables & US states II Medical information as PII Financial information as PII California Alaska North Carolina Arkansas Iowa North Dakota Missouri Kansas Oregon New Hampshire Massachusetts South Carolina North Dakota Missouri Vermont Texas Nevada Wisconsin Virginia New York* Wyoming Passwords information as PII Biometric information as PII Georgia Iowa Maine Nebraska Nebraska North Carolina Wisconsin Source: information based on current ongoing analysis (partial results)
PII vs. Risk levels
[Figure labels: PII; Risk level: Low, Medium (profiling), High (sensitive), Extremely high (profiling of sensitive data); Data type; Information Security Measures]
Fines?
Spain: responsible for 80% of data protection fines in the EU
Source: http://www.mindyourprivacy.com/download/privacyinfographic.pdf
Total Privacy fines, penalties & settlements worldwide
Just 6 weeks into 2014, the world total in Privacy damages has already reached half the level of last year's record: $74 million
Source: http://www.computerworld.com/s/article/9246393/Jay_Cline_U.S._takes_the_gold_in_doling_out_privacy_fines?taxonomyId=84&pageNumber=3
Data ownership?
Dutch mobile, more B2B
KPN is a Dutch Telco
Operations are in the Netherlands, Belgium & Germany
Brands: Hi, Simyo, Telfort & KPN, XS4ALL, EPlus & Base (sold to Telefonica)
What are we working on in Europe?
Exists today
– EU Data Protection Directive (95/46/EC)
– ePrivacy Directive 2002/58/EC (as revised by 2009/136/EC)
Coming up #EUDataP
Source: www.iabeurope.eu/files/8813/7882/1681/IAB_Tuesday_Webinar_Data_Protection_FINAL.pdf
Consolidating: from national DPAs to WP29
Each country has its own Data Protection Agency (DPA)
– The French CNIL, the UK ICO, the Spanish AGPD, the 16 German Länder, the Italians, the Dutch, …
– And they all work differently, with different budgets and different rules
The Article 29 Data Protection Working Party
– Gives recommendations
– Has no effective power but everybody listens: “an independent European advisory body on data protection and privacy”.
– Opinion 05/2012 on Cloud Computing, adopted July 1st 2012 (p 20: Guidelines for clients & providers of cloud computing services)
– Influences the current debate about the upcoming Personal Data Protection Regulation (horizon 2016)
The Cloud
#EUDataP related to Cloud
Article 4.3. of the EU Personal Data Protection Regulation distinguished between:
– Service in the cloud
– Storage in the cloud
Recurrent Question: Does it apply to back-ups?
– Yes, this has been explicitly specified in the Regulation, following the WP29's 2012 recommendation
Types of cloud computing:
– Private, Public, Hybrid, Community
Service types: IAAS, PAAS, SAAS
Legal status of participants: controller vs. processor
The customer as data controller
– Determines whether to choose cloud computing (total or partial)
– Determines the type of cloud computing (especially regarding International Data Transfers)
– Determines the cloud computing service types
Responsible for the processing of personal data
– This cannot be delegated
The Cloud Certified Professional (CCP) as data processor
– IBM data centers ISO-27001 & SSAE-16 certified + ITCS104 IBM security policy
Consequences of the participants' legal status:
– Applicable law: national law of controller/customer
– Except national security
Source: http://ec.europa.eu/justice/data-protection/datacollection/obligations/index_en.htm
Shared accountability
Source: http://cdn2b.examiner.com/sites/default/files/styles/image_content_width/hash/6e/54/6e54dfaa644b1fe589e4462b6f2a20b7.jpeg?itok=OIAVYOR1
Typical personal data misconceptions
Very often present in technology companies
– We do not identify the user while using the data, so we have no issues with Privacy law
– We only use the serial # of the user's device, so the data is anonymous and we have no issues with Privacy laws
– We encrypt the data so we are no longer using/sending/receiving personal data
– We use hashes to replace all serial #, so the data is now anonymous and we have no issues with Privacy laws
– We anonymize the data, so we are not using personal data
– We can use the user's data for anything we want, as long as we keep the data to ourselves
– Look: big name companies are doing the same, so we are ok
Slide borrowed from @simonhania from TomTom, IAPP congress Brussels, November 2013
Connected cars? TomTom profiles roads, not people
Slide borrowed from @simonhania from TomTom, IAPP congress Brussels, November 2013
Consent in Telcos, some go for very granular
Slide borrowed from Stephen John Deadman from Vodafone Group Services Limited, IAPP congress Brussels, November 2013
Cloud: So where to start?
Suggested line of thought: WP29's Security & Data Protection Goals
– Transparency
– Intervenability
– Availability
– Integrity
– Portability
– Confidentiality
– Isolation
Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinionrecommendation/files/2012/wp196_en.pdf
Data protection requirements in the client-provider relationship(s) – WP29
1. Compliance with basic principles
– Transparency
– Purpose specification & limitation => consent, opt-in, opt-out
– Erasure of data => anonymization, re-qualification
2. Contractual safeguards of the “controller-processor” relationship
3. Technical & organizational measures of data protection & data security
– Isolation (purpose limitation)
– Availability
– Intervenability
– Integrity
– Portability
– Confidentiality
– Accountability
Compliance with basic principles
Transparency
– Who is controller (data collector) & purpose of data collection (what are you using the data for exactly?)
– This includes sub-contractors
Purpose specification & limitation
– Data collected for specified, explicit and legitimate purposes & not further processed in a way incompatible with those purposes
– Prior to data collection
– Consent: opt-in, opt-out, don't ask
Erasure of data
– Legal data retention periods => customer re-qualification (average 30%)
Trust & creepiness
Consent is about a reasonable expectation of the use of data
– There's a fine line between feeling charmed vs. feeling invaded
– Create win-win situations:
  • Customers give company information
  • Customers get better service/value for money
Information Security Measures
Technical & organizational measures of data protection & security
– Availability:
  • Timely & reliable access to personal data
  • Cloud provider: reasonable measures to cope with risk of disruption
– Integrity:
  • No malicious or accidental alteration of the data during processing, storage or transmission
– Confidentiality:
  • Encryption in transit, always & secure remote connections
– Isolation:
  • Data storage, memory & networks are often shared => risk!
– Intervenability:
  • No obstacles to data subject's right to access, rectification, erasure, …
– Portability
Techno security is just one piece of the puzzle
[Figure labels: Technological security; Processes; Resources; Data Collection]
Where to start?
Balancing Risks & Benefits in the Cloud
Benefits
– Price
– Transfer of responsibility?
– Availability (BYOD, strike, natural disaster, …)
Risks
– Cloud Provider PIA (Privacy Impact Assessment)
– Security evaluation of your own information
– Nature of your own data
Source: http://www.labeshops.com/image/cache/data/summitcollection/7918llady-justice-3-feet-statue-800x800.jpg
From Compliance to Risk Assessment
Achieving 100% compliance is a chimera
– Compliance is a journey, not a destination
– Level of required compliance linked to
  • Sector
  • Personal internal management
  • Company risk profile
Risk is a moving target
– Risk of being fined
– Risk of being breached
– Brand perception => subjective
Leading global reinsurer example
Note: slides blurred for confidentiality reasons
Metrics & KPIs to follow evolution
Note: slides blurred for confidentiality reasons
Typical set-up example, International Co
[Diagram labels: Local subsidiary 1; Local subsidiary 1; Local subsidiary 2; Local subsidiary 3; Local subsidiary 4; Terms & Conditions; Applicable Security Measures???]
What to do? This is your check-list I
1. Know your information structure (cloud)
– Can you exactly draw the previous slide?
2. Cloud inventory (PIA)
– Provider (& sub-contractors)
– Location
  • Cloud service HQ
  • Servers
– Applicable law: our friend Snowden
– Physical location: earthquakes?
  • Any incidents to report?
  • In-house control access (risk)
  • Terms & Conditions
– Information Security measures
– Related to Privacy
What to do? This is your check-list II
3. Know your Data structure: data inventory (cloud)
– (Do you know which data can be found where)?
– Have you reviewed your information security measures?
– What happens in case of a breach?
4. Authorization required?
– Approval International Data Transfers (IDT)
– Safe Harbor
– Binding Corporate Rules (BCR)
– User consent
MYP Information Security Framework
[Diagram labels: Organizational Data Security measures; Risk classification: Low/medium/high/extreme; Data Lifecycle; Integrity; Availability; Confidentiality; Security; Authentication; Privacy]
Human errors cause most data breaches
Source: http://www.cooldailyinfographics.com/post/data-andsecurity-breaches
Harmonizing Security & Privacy cultures
Effective Privacy management depends upon a Risk driven approach that surpasses compliance needs
– Prepare for legislative changes
– Recognize that just because something is legal, it doesn’t mean it is a good idea
– Consider how Privacy drives strategic advantage => USP?
Skill requirements & interfaces between professionals
– Identifying intersection and tackling conflict
– Finding a common language
– Developing a Privacy culture
Source: http://www.rsaconference.com/writable/presentations/file_upload/grc-w07when-worlds-collide-harmonisinggovernance-between-security-andprivacy.pdf
Even the IAB agrees…
Thank you!
Learn more: IBM.com/digitalmarketing @BlairReeves
Learn more: www.MindYourPrivacy.com @AureliePols
Thank you – Q&A
Acknowledgements and Disclaimers Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. © Copyright IBM Corporation 2014. All rights reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Please update paragraph below for the particular product or family brand trademarks you mention such as WebSphere, DB2, Maximo, Clearcase, Lotus, etc. 
IBM, the IBM logo, ibm.com, [IBM Brand, if trademarked], and [IBM Product, if trademarked] are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml If you have mentioned trademarks that are not from IBM, please update and add the following lines: [Insert any special 3rd party trademark names/attributions here] Other company, product, or service names may be trademarks or service marks of others.