Privacy Advisor

The IAPP Hosts More Than 750 Privacy Pros, Speakers in Toronto for First Conference Outside the U.S.

November 1, 2006

Ann E. Donlan

The IAPP Privacy Academy 2006 in Toronto served as the debut for the IAPP's new certification credential, the CIPP/C, the first professional credential for Canadian privacy professionals, and showcased the IAPP's commitment to serve its domestic and international members with educational content tailored for Canada's privacy scheme and laws.

Privacy professionals from across Canada and around the world gathered last month for four days of lively panel discussions, networking forums, working groups and featured keynotes from top policy makers and corporate leaders in the privacy industry.

Canadian privacy officials, including Privacy Commissioner Jennifer Stoddart, raised the profile of the event even more with their keynotes during the IAPP's three-day event at Toronto's Westin Harbour Castle, on the scenic shores of Lake Ontario. The Canadian media, including Canada's cable news channel, CTV NEWSNET, covered the Academy and newsworthy announcements made during the event. Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, held a news conference at the Academy with Microsoft to announce the 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age. In addition, Microsoft released The Privacy Guidelines for Developing Software Products and Services, an extensive set of privacy guidelines for developing software products, Web sites and services, which coincided with an Academy panel on the closing day, "Privacy in Product Development."

Attendees count on the IAPP to foster effective networking events to help them connect with their peers, research career opportunities and have fun with fellow privacy pros. The Academy offered attendees a selection of networking venues - everything from the small, informal dinner with fellow privacy pros in specific industries to an exclusive reception at Toronto's venerable Hockey Hall of Fame - even a competition to test the networking prowess of attendees for the title of king or queen of networking. The networking dinners - a new, but popular way of connecting with peers - were a welcome addition to the offerings.

"I thought the sign-up dinners were a phenomenal addition to the overall experience," remarked one happy participant.
   
CIPP, CIPP/G, CIPP/C Trainings, Preconference Sessions Kick Off Academy     
Before the Academy was in full swing, students participating in the Oct. 17 trainings for CIPP/C, Part I, and CIPP/G training, were intensely preparing for their examinations, scheduled later in the week. Bright and early the next day, CIPP/C training continued for those students taking Part II. A separate class devoted the entire day to training for the CIPP exam.

While students were focused on exam preparations, attendees eager for in-depth training on particular topics, including the ever-popular Privacy Professional Bootcamp, spent the afternoon engrossed in Preconference Sessions. Besides the bootcamp, Preconference Sessions were held on Payment Card Industry (PCI) Data Security Standard - A Workshop; RIM Council: An Introduction to the Responsible Information Management Framework; and Outsourcing and Trans-Border Data Flows: Privacy and Public Policy in Transition.

That evening, the invite-only Speaker Dinner, sponsored by PricewaterhouseCoopers, gave guests and dignitaries the chance to mingle at Downtown Toronto's Far Niente, where they enjoyed a salmon dinner, featuring a delectable dessert.

Day One: Opening Plenary, Break-Out Sessions, Chopper in the Exhibit Hall
IAPP Board President Kirk M. Herath, CIPP/G, welcomed more than 750 attendees who jammed the Westin Harbour Castle's Metro Ballroom for the Opening Session and Keynotes.
Herath was followed by IAPP Executive Director J. Trevor Hughes, an Ontario native and CIPP, who said he was honored that the IAPP was in Toronto to hold its first conference outside the U.S. Hughes added that the enthusiasm in Toronto for the IAPP was evident in the size of the KnowledgeNet chapter - which is the second largest of the IAPP's more than 20 networking groups.

Hughes revealed for the first time publicly that the IAPP is planning to expand its certification programs by offering credentials in other parts of the world. The success in the marketplace of the IAPP's certification programs is evident in the sheer number of graduates who have successfully passed the CIPP exam - 1,000 in the two years since the program's launch.

"We are certainly building a profession," Hughes told attendees. "And there are many of us doing that building right now," added Hughes, who noted that the IAPP membership has grown to 2,800 members in 23 countries.

Hughes elaborated on the critical role of today's privacy professionals. "There is a need for guardians of trust - for guardians of that data," he said. "I'd like to suggest that we are those guardians, that we are those guardians of the information economy."

In his concluding remarks, Hughes stressed the role of leadership in serving as guardians of the data. "The risks associated with the information economy create a real need for leaders."

Canada's Privacy Commissioner Urges Privacy Pros to 'Speak Out'   
Stoddart, the next Canadian to take the podium, echoed Hughes' call of duty to privacy professionals.

"Privacy professionals cannot serve as mere technocrats who secure corporate compliance with data protection rules," Stoddart said. "You are privileged in your understanding of privacy issues. Your profession gives you a unique insight into the operation of data protection rules, and into the risks to privacy that flow from inadequate rules, inadequate policies, inappropriate practices, and information-hungry governments. If you don't speak out about broader privacy issues that confront our society, who else can have an effective voice?"

Stoddart also addressed some of the privacy challenges Canadians face in the areas of proposed legislation, global efforts to fight terrorism and trans-border issues.

"Canadians do not want personal information about them that is being held in Canada to be vulnerable to disclosure under the laws of any other country," Stoddart said. "We have designed our own privacy standards for Canada, and those are the rules that must govern the handling of personal information within our borders."

Stoddart added, "But fears of terrorism must not become a convenient excuse for the wholesale destruction of the right to privacy."

Canadians continued to take the center stage adorned with banners bearing the IAPP signature colors and mission: Network, Educate, Certify.

Ontario's Privacy Commissioner Explains Need for 'Single Identity Metasystem'
Dr. Cavoukian then used her plenary remarks as a platform to build upon her public announcement the day before. During a well-covered news conference, Cavoukian - joined by Kim Cameron, Chief Identity Architect, and Peter Cullen, CIPP, Chief Privacy Strategist, both of Microsoft Corp. - explained to the media the genesis of the 7 Laws of Identity, which Cavoukian touted as a tool to "profoundly shape the architecture and growth of a universal, interoperable identity system needed to enable the Internet to evolve to the next level of trust and capability."

In her prelude to her plenary PowerPoint presentation, Cavoukian said e-commerce is in "a state of crisis," which prompted the need for a system that will reduce online fraud, help to verify online identities and foster trust among users who are increasingly wary of conducting business online.

"Online fraud is growing at an alarming rate," Cavoukian told the crowd. "… Companies' reputations and brands are being impacted dramatically by these deceptive online practices."

Improved user control is the answer, Cavoukian said.

"The growing identification requirements on the Internet are posing enormous privacy problems," she said. "Trust is at an all-time low."

Cavoukian added, "The future of privacy revolves around identity, so what can we do?"

Cavoukian described her plan, developed through Cameron's leadership, as "a single identity metasystem … that empowers users to manage their own digital identities." (More information is available at www.ipc.on.ca)

In her concluding remarks, Cavoukian warned, "There never has been a more strategic time to ensure that privacy interests are built onto the new architecture of identity."

Author Don Tapscott: 'This Ain't Your Father's Internet'   
Tapscott took attendees on a tour of the Internet, a journey he said is no longer "your father's Internet." Demonstrating Web sites that create online profiles of users - some of which may be inaccurate - Tapscott led attendees to various sites to demonstrate the trail of "digital crumbs" left by users as they surf the Web.

"These sites and capabilities are not necessarily bad," he said. "They just pose a huge challenge for us as individuals." The sites "can collect dossiers of each of us which are beyond the capabilities of any secret police in history."

Tapscott described a "fundamental change in the nature and capability of the Internet" on a number of fronts, with "billions and trillions of inert objects in our world that (have) become smart communication devices."

Doorknobs. House keys. Toasters. Dishwashers. "All of this stuff talks to itself," Tapscott joked. "In five years the shirt will be talking to the washing machine."

On a more serious note, he continued, "The physical world is becoming smart and inter-connected, and this is a really big change. Now all of these things have something called an IP address."

Another change is mobility - and the ability to track individuals, whether it be children, friends, celebrities or criminals.

After a demonstration of a number of Web sites to prove his mobility point, Tapscott focused on the profound changes in the Internet's next generation.

"What is happening is that the Web is changing from a medium to present information to becoming a giant computer," he said. "When you go onto the Web and you do anything, you are reprogramming this giant global computer."

Deliberate attempts to falsify an individual's information and inaccurate information can damage reputations, Tapscott said, as he demonstrated some sites that allow users to post personal information about professors or past lovers.

Tapscott concluded his remarks with a warning about "digital conglomerates" of Internet companies that really up the ante "with the whole question of what we do with information - not just corporate information, but personal information."

The author of the soon-to-be-released book, Wikinomics: How Mass Collaboration Changes Everything, said as companies become more inter-connected and global, they share all types of information. He urged companies to embrace transparency, which he described as "a force in the economy." He added, "Fitness is no longer an option. If you're going to be naked, you better be buff." Values have to be built into an organization's DNA, he said. "When you open up with customers, you build trust," Tapscott said.

Tapscott then wound up his remarks with an inspirational challenge for privacy pros.

Privacy, he said, once used to be "on the sideline of corporate strategy. There's a fundamental change. Privacy is coming into the heart of business strategy. … It's a leadership opportunity for you. Companies that take the old route, the future is going to be bleak. There's a new route. As a profession, you did what was possible and you saw the storm clouds and you got organized. But now it's possible to go forward. The time has come for us to get a grip with this issue. The time has come for each of you to find the leader in you to help your companies do the right thing."

The IAPP's Assistant Director, Peter Kosmala, CIPP, then told attendees before the refreshment break in the Exhibit Hall that the number of people at the plenary was the largest Academy attendance in the IAPP's five-year history.

Wildside Chopper in the Hall
All revved up from the inspiring keynotes and the first hour of Breakout Sessions, attendees then shared a networking lunch, which also offered the opportunity to admire Privacy Engineering's 2006 Wildside Chopper, parked in the Exhibit Hall, which served as a prop for a giveaway.

However, there was a catch. The winner who had the random key to start the stunning bike did not drive away into the Toronto sunset with a brand new $50,000 custom Canadian chopper. The holder of the key to turn over the bike's engine won a different kind of ride into the sunset - a trip to the Bahamas. The winner was Symantec's Constantine Karbaliotis, who rattled more than a few attendees when his key started up the thundering machine - inside the Exhibit Hall. Congratulations Constantine!

Privacy Awards Given During Memorable Hockey Hall of Fame Reception
After the afternoon Breakout Sessions, the crown jewel of networking events, the Networking Reception, was held at Toronto's revered Hockey Hall of Fame. During an exclusive event memorable for its delicious hors d'oeuvres and the opportunity to take a slapshot or don the gear of an NHL goalie, attendees wandered around the Hall to view the memorabilia of hockey's greatest, eventually making their way to the pinnacle display, the awe-inspiring Stanley Cup.

What better way to recognize the privacy profession's 2006 award winners than to hold the ceremony in the NHL Zone for honored members. Accented in polished black granite and stainless steel, the NHL Zone was the perfect venue for privacy pros to recognize their own distinguished members.

The ceremony honored the winner of the IAPP/Deloitte & Touche Vanguard Award, which recognizes the privacy professional of the year, and the recipients of the IAPP Privacy Innovation Awards, an annual recognition of privacy leadership in the public, private and technology sectors. (See page 14 for more coverage.)

In the Large Organization category (more than 5,000 employees), Royal Philips Electronics and General Electric Corp. tied for their entries on Binding Corporate Rules (BCR) as a mode of compliance for cross-border data transfers.

The winner in the Small Organization category (less than 5,000 employees) was ATB Financial, which won the award for its privacy program communications plan.

Now in its second year, the IAPP Privacy Innovation Technology Award went to Voltage Security, Inc., for Voltage Identity-Based Encryption™ technology incorporated into its data protection solutions.

The 2006 recipient of the IAPP/Deloitte & Touche Vanguard Award was Chris Zoladz, CIPP, Vice President, Information Protection, Marriott International.

Day 2: Three Exams, Working Groups, Closing Plenary, Encore Sessions
The morning of Oct. 20 was tense as nervous examinees prepared to take the CIPP, CIPP/G and CIPP/C tests. By day's end, 175 examinees sat for all three IAPP credentialing exams in the Frontenac Ballroom.

For others, the Friday Working Groups provided an opportunity to network in their area of expertise: Financial Services; Consumer Marketing; International; Human Resources; Government; Healthcare/Pharma; and Higher Education.

A two-hour seated lunch in the Metro Ballroom then set the stage for the Closing Plenary, featuring Dan Fortin, President, IBM Canada; Dr. Larry Ponemon, Chairman and Founder of The Ponemon Institute; Dr. Eric Johnson, Norman Eig Professor of Business, Columbia University; and Dr. Martha Rogers, Founding Partner, Peppers & Rogers Group.

Big Blue's Commitment to Privacy
Fortin detailed some of the structural changes IBM has made to accommodate advances in technology. "Our professional services businesses used to have multiple teams in regions," Fortin said. "Today we manage it as one asset. … The work can be moved around, not tied to a local market."

He also discussed the prevalence of outsourcing, which Fortin says allows companies to specialize in one area that sets them apart in the marketplace. "Corporations are moving work based on expertise," Fortin explained.

Fortin touted IBM's commitment to privacy, noting that it was the first corporation to implement global privacy policies in the 1960s. Last year, the company revised its policies to prevent the use of genetic testing results in personnel decisions.

"Most importantly, you as privacy professionals are vital to issues like trust," Fortin said. It is essential that customers will receive a "consistent and quality experience time and time again," which springs from trust, he added.

The 2006 Salary Survey Results
Dr. Ponemon gave a presentation on the results of the 2006 salary survey, which found that while there have been "salary increases in almost every area," a gender gap remains, although it is less than when measured four years ago.

"But we have a ways to go as a profession," Ponemon acknowledged.

IAPP certification is a proven way to boost a privacy pro's salary, Ponemon said.

"CIPPs earn more money," Ponemon said.

Ninety percent of the survey's respondents were from the U.S., but Ponemon said he expects to "see more and more non-U.S. respondents as the IAPP seeks to become more international."

Professor Johnson Captivates Audience - Fire Alarm Sounds, But No One Moves
Johnson started his presentation with a provocative question: "How do people make decisions about privacy?" His answer: "They don't."

Much of his presentation - which was interrupted at least twice by an announcement about a fire alarm that ultimately turned out to be false - focused on decision-making and defaults.

"People have strong preferences but they don't think about those preferences as they conduct their lives," Johnson said. "A default is what happens when there is an opportunity for you to make an active decision and you don't. Most privacy decisions have a default option."

Johnson stressed that "defaults have a big effect on privacy and commerce," and he urged the audience to study the issue and use the knowledge wisely.

Dr. Rogers Thrills the Audience with Engaging Style, Captivating Message
Dr. Rogers closed the plenary session with a lively presentation that impressed many attendees.

Rogers talked about her company's Return On Customer strategy, and using privacy as a company growth strategy.

"All of our revenue comes from the customers that we have today and the ones that we will have tomorrow - and that's it," Rogers said. "That's the only chance we have at growing our companies as well."

Rogers said companies must embrace the concept of "the potential value of our customers tomorrow" as a way to hold managers accountable for their performance.

Companies are limiting their growth by "operating on the false premise" that the manufacture of more products, or offering more services, is the way to make more money. "There's one thing we can't make more of. … The one thing that is in short supply for every company, the one thing that limits our companies, is paying customers. We can clone sheep, but we can't make another human being that is ready and willing to buy our products."

The key, she said, is to look at achieving the "greatest return on customers."

Rogers added, "Customers create value for our companies in two ways: they pay us money today. They also create value for us in another way that is very hard to measure and many companies don't bother." Customers, she said, make decisions about whether they will do business with companies in the future.

Noting that companies often drive away a customer by strident applications of their policies, Rogers stressed that that approach deprives an organization of its most precious resource.

"When we take a customer's point of view, it means treating different customers differently," said Rogers.

"(Return On Customer) is also a philosophy of doing business based on earning a customer's trust," said Rogers, who added that privacy and data security are "the most tangible manifestations" of trust.

Rogers left an impression on many attendees, some of whom crowded around her after her presentation to ask her questions.

"Dr. Rogers was excellent - she stole the show," remarked one privacy pro.

Added another, "Martha does an excellent job of engaging the audience."

The Academy Comes to a Close But the Summit Beckons
The Academy came to a close after the Encore Sessions, programming that consistently has attracted the highest number of attendees and received the best ratings.

After leaving behind Toronto and our most successful Academy, the IAPP returned to York, Maine, where the staff already is deep into planning for our next event, the IAPP Privacy Summit, March 7-9, in Washington, D.C.

The momentum is building for our next conference, so don't miss out on all that the IAPP consistently delivers to members and attendees. Stay tuned to the Daily Dashboard and our Web site for registration and programming details.