Privacy Advisor

The IAPP's Privacy Academy 2005 Makes Headlines

November 1, 2005

In a year marked by repeated security breaches that compromised the personal information of millions of people and fueled identity theft crimes and concern, it is no coincidence that the IAPP's membership has increased 100 percent in 2005.

This connection, pointed out at the IAPP's Privacy Academy in Las Vegas by Executive Director J. Trevor Hughes, was noted in an article by Privacy & Security Law reporter Barbara Yuill, who attended the Oct. 26-28 event at the Green Valley Ranch Resort & Spa.

Hughes told hundreds of attendees that businesses "get it," a reference to the urgency that companies are placing on the importance of safeguarding personal data to stave off lawsuits, enforcement actions and bad publicity.

Furthermore, Hughes reminded the privacy pros that they are the "guardians of the brand and trust" for companies they represent.

Attendees were eager for updates and analysis on the legislative response to the troubling trend of data breaches. Yuill noted in her comprehensive coverage that the IAPP's session titled "Legislative Response to Data Security" attracted an overflow crowd. Moderator Agnes Bundy Scanlan, the IAPP's former president of the Board of Directors and counsel at Goodwin Procter in Boston, said that 120 security breaches since the beginning of 2005 have affected more than 56 million Americans, prompting an " of state and federal legislation.

Yuill quoted Benjamin Robinson, president and CEO of Innovative Risk Solutions LLC, who told attendees that 22 states have some sort of data breach notification law. Federal legislation, he added, is imminent. Robinson challenged companies' preparedness, saying, "The question is, are you going to be ready for it?"

Yuill's coverage indicated that numerous attorneys expressed a similar view that Congress "will pass a federal data breach notification law that will trump the growing body of state breach notification law," but not before 2006.

However, no law is going to be enough to prevent one of the simplest yet most dangerously effective hacking techniques — using social engineering to manipulate employees into revealing confidential company information. Well-known former hacker and security specialist Kevin Mitnick — who successfully obtained valuable information from employees through deception and trickery — drew a curious crowd for his presentation on his past criminal hacking exploits.

Mitnick, one of the keynote speakers at the Academy, said social engineering is highly effective because "you can't download a patch for stupidity."

In other Academy coverage, Inside 1to1 Privacy reporter Elizabeth Clampet focused on the intersection of privacy and new product development.

Clampet highlighted the view held by Microsoft Corp. that privacy is an asset that will build consumer trust. Kim Cameron, Microsoft's chief identity architect and strategist, told attendees that "privacy has tangible benefits." Clampet noted that Cameron stressed that privacy features and a product's ease of use are essential for a successful outcome.

Another area Clampet highlighted was the discussion of privacy's impact on marketing. Susan Lyon, consumer marketing counsel at Dell, warned that a one-size-fits-all privacy policy often would fall short. Privacy, she said, may raise issues specific to a particular department. While it is essential to "provide options for different parts of the company," Lyon stressed that it is also essential "to be consistent, so customers know what they're getting across the board."