Privacy Advisor

2008 Predictions

January 1, 2008

The Privacy Advisor asked leading privacy experts to provide their insights on the privacy issues and challenges that will dominate in 2008. The following are contributions from selected experts in diverse sectors and disciplines.

The Digital Data Explosion Fallout


By Fred H. Cate

The privacy horizon for 2008 will continue to reflect the dominant theme connecting most of the privacy developments of 2007: the proliferation and accessibility of digital data.

This is at the heart of the continuing saga of data security breaches and hundreds of other stories involving the private sector, as well as the government's apparently insatiable appetite for personal data that has dominated privacy headlines of the past year. These stories highlight not only the volume of personal data out there, but also the extent to which those records are linked, shared and stored, often without the individual consumer's knowledge or consent.

They also focus attention on the ease with which the government accesses personal digital data through industry, thanks to the Supreme Court's longstanding view that the Fourth Amendment does not apply to data disclosed to or held by third parties. As a result, there is no constitutional requirement that government seizures of private information held by third parties be reasonable, based on a warrant, or subject to judicial oversight.

Always problematic, in today's digital environment in which our every activity is captured by a digital record held by numerous third parties, this exception means that the government has exceptional access to data that are extraordinarily revealing of an individual's lifestyle, health, employment, associates, behavior, activities and beliefs.

In 2008, continuing revelations about private-sector storehouses of intimate data, combined with a growing awareness of the government's unbridled access to these data and the need to address mounting privacy-based regulatory barriers to multinational data flows, will lead to increased pressure on Congress, state legislatures and regulators to act.

Government officials in neither party seem likely to restrict government access or use. In fact, most recent privacy enactments, such as Gramm-Leach-Bliley (GLB) and HIPAA, are noteworthy for the extent to which they facilitate, rather than restrict, government access to business records containing personal data. But the private sector could face new restrictions on the collection and use of personal data.

In the face of a presidential election and crises over Iraq, terrorism, credit and the economy, I suspect that little of substance will happen concerning information privacy or security. Instead, we will continue to fiddle while the few remaining protections against government intrusion into our personal privacy burn.


Fred H. Cate is a Distinguished Professor and Director of the Center for Applied Cybersecurity Research at Indiana University, and a Senior Policy Advisor to the Center for Information Policy Leadership at Hunton & Williams. He is a member of the National Academy of Sciences Committee on Technical and Privacy Dimensions of Information for Terrorism Prevention and Other National Goals; a member of Microsoft's Trustworthy Computing Academic Advisory Board; and reporter for the American Law Institute's project on Principles of the Law on Government Access to and Use of Personal Digital Information. He may be reached at fcate@indiana.edu.

2008 Forecast

By Jim Halpert

2007 was in many ways the year of data security. This trend should continue in 2008, as the stream of data breaches continues, PCI fines and other sanctions become more common, credit union lawsuits against entities suffering breaches of credit card data come to a head, and one or more other states follow Minnesota's lead in passing a law imposing strict liability to financial institutions for data breaches of payment card data.

Massachusetts will engage in a data security rulemaking that could have significant implications if it diverges from the GLB Safeguards rule. On the plus side, the continued focus on data security will spur greater attention to data security. Sophisticated companies increasingly will adopt robust, broad-based data management strategies that better protect not only personal information, but other important data assets such as trade secrets and confidential client data.

On the legislative front, there is a significant chance that federal Social Security number privacy legislation more restrictive than any state law will be enacted. Data custodians, meanwhile, will continue to reduce non-essential retention of Social Security numbers. New regulation of electronic health records and uses of RFID technologies are a possibility. Skirmishing over privacy implications of social networking sites and occasional risks they pose to minors will continue and may result in privacy legislation in one or more states, but online privacy and regulation of behavioral advertising both remain very unlikely.

In the EU, the Spanish data protection authority (DPA), the most aggressive in Europe, is on the verge of releasing a significant proposed expansion in the Spanish data protection regulation to cover non-electronic data. Breach notice obligations will be considered in member states and may be extended to apply beyond the network operator context. The Article 29 Working Group of DPAs is likely to pursue more coordinated investigations of compliance in particular industry sectors (as it did last year in the health insurance industry). Several of the DPAs who are supportive of binding corporate rules (BCRs) may move to allow self-certification filings, speeding consideration in those member states — although not solving the problem of DPAs in countries such as Portugal resisting or refusing to recognize BCRs. Greater harmonization of data protection requirements across Europe, alas, will wait for another year.


Jim Halpert is co-chair of the Communications, E-Commerce and Privacy practice of DLA Piper LLP, a global law firm. He practices in the firm's D.C. office. Halpert counsels software developers, e-commerce companies, service providers, financial services companies, IT and content companies on a broad range of legal issues relating to new technologies, including Internet gambling, privacy, spyware/adware, cyber-security, government surveillance standards, consumer protection, intellectual property protection, spam, Internet jurisdiction, online contract formation, content regulation and First Amendment law. He may be reached at jim.halpert@dlapiper.com.

Credit Crunch Impacts Widespread

By Chris Jay Hoofnagle


In 2007, the excesses of the sub-prime mortgage market created global financial disruption. In 2008, the now $920 billion in revolving consumer debt also will cause disruption. Consumers will fail to pay minimum balances, incur fees and interest that will increasingly be viewed as usurious, and feel the pinch of a stricter, less forgiving bankruptcy law. This will bring heightened attention to credit marketing practices, and new regulations to give consumers more control over the 5 billion credit card solicitations sent to American households. Particular attention will be paid to high-pressure sales techniques (such as in-store discounts), and to credit card marketing to students and young people.

Adding to this pressure will be greater public understanding of the link between instant credit and identity theft. The miracle of instant credit gives credit grantors financial incentives to ignore warning signs of fraud, and thus impostors can easily commit identity theft. Under a recent federal court decision (Wolfe v. MBNA American Bank, 485 F.Supp. 874 (W.D. Tenn. 2007)), credit grantors can be liable to customers and non-customers alike for negligence in screening applications for fraud. 2008 will be the year of the "negligent enablement of identity theft" suit, where many victims of this crime will bring suit successfully against banks for their role in facilitating identity theft. This, in turn, will drive the adoption of more identity theft "red flags," and as a result, we will experience a decline in new account identity theft.


Chris Jay Hoofnagle is Senior Staff Attorney to the Samuelson Law, Technology & Public Policy Clinic and Senior Fellow with the Berkeley Center for Law & Technology. His focus is consumer privacy law. Among his recent academic publications are "Putting Identity Theft on Ice: Freezing Credit Reports to Prevent Lending to Impostors" in Securing Privacy in An Internet Age (forthcoming 2007), "A Model Regime of Privacy Protection" in the University of Illinois Law Review (with Daniel J. Solove, 2006) and "Identity Theft: Making the Known Unknowns Known," in the Harvard Journal of Law and Technology (forthcoming 2007). He is admitted to practice law in California and the District of Columbia. He may be reached at choofnagle@law.berkeley.edu.

Privacy Continues to Mature

By Sandra Hughes, CIPP

When I look on the horizon for 2008, I anticipate a year of transition with regard to privacy issues and legislation.

Privacy protection programs and the profession itself have experienced astronomical growth, primarily since the use of the Internet for direct-to-consumer marketing in the mid-90s. Many companies like Procter & Gamble had privacy programs before that, but they focused primarily on employee privacy. The Internet opened a whole new world of opportunity, but also valid concerns and issues, which responsible companies like P&G have addressed by creating appropriate policies and compliance programs.

Policymakers also reacted to the concerns and issues by creating legislation and regulations. As the use of this new approach grew, so did the number and strength of companies with programs and commitment to bringing aboard privacy professionals, as well as countries introducing or considering legislation. Consumer outrage and media reports, as well as regulator enforcement, have helped to raise awareness of what good privacy protection requires.

Now we are facing Web 2.0 — the "Internet of Things," social networking, ubiquitous computing — whatever you want to call it, technology and what can be done with it are going to be on a totally different plane in the future. This requires companies like P&G to "think out of the box" about how to use it, but also how to broaden the reach and depth of our privacy compliance programs internally. This is a challenge that only increases the importance of the profession! Information flows are increasingly global, where a consumer in one country can access services and information easily in another country without ever knowing it. Policymakers and regulators also are viewing the new technology horizon with healthy skepticism. The Asia Pacific Economic Community data protection organizations, together with industry and consumer advocacy input, have created a privacy framework for which cross-border data transfer processes will be created and piloted in 2008. In recent meetings of the International DPAs, the EU-U.S. Conference on Cross Border Data Flows and the Organization for Economic Cooperation and Development, the concept of international standards has been broached and will continue to develop over the next years. As the U.S. is facing a new administration, general federal privacy legislation will most likely be a future development.

Who knows what 2008 will hold? Only through effective collaboration—industry, policymakers/regulators and consumer advocates working together—will we create a future where we all can flourish.


Sandra R. (Sandy) Hughes serves as the Global Privacy Executive (CPO) at the Procter & Gamble Company, where since August 2007 she also is responsible for the Global Ethics and Compliance organization. Hughes is a Certified Information Privacy Professional (CIPP) and President of the International Association of Privacy Professionals. She also is leader of the Privacy, Security and Technology working group of the US Council of International Business (USCIB), and serves on the State of Ohio Chief Privacy Officer Advisory Board. She is a founding member of the Public Policy Steering Committee of EPCglobal, a standards organization that utilizes Radio Frequency Identification (RFID). She has participated in multi-industry and consumer efforts to create EPC and RFID guidelines for responsible use of the technology for item level tagging. She is a chapter author in the book, "RFID: Applications, Privacy and Security" edited by Simson Garfinkel and Beth Rosenberg. Her career spans more than 30 years at the Procter & Gamble Company, with global, regional and local assignments in the U.S. (Ohio and Alabama), Germany and Belgium. She may be reached at hughes.sr@pg.com.

Healthcare Issues to Watch in 2008


By Kirk J. Nahra, CIPP

I'm watching two key issues in the healthcare industry — (1) the ongoing debate about electronic medical records and health information technology and (2) employer efforts to build effective wellness programs as a means of reducing employee healthcare costs.

At the big picture level, the ongoing development of health information technology presents an enormous challenge to the overall healthcare regulatory structure. The marketplace for health information technology is proceeding far faster than the ability of the regulatory system to keep pace. There are enormously complicated regulatory challenges — including some of the privacy and security issues that I am involved in through the American Health Information Community (AHIC) Confidentiality, Privacy and Security Work Group — but the need/difficulty of resolving these issues threatens to delay realistic progress in developing health information technology. There's also the real-world risk that a failure to act quickly enough from a regulatory framework will mean that the marketplace will effectively develop without appropriate regulatory controls. The primary challenge now is to find a realistic means of encouraging swift development and adoption of health information technology, while at the same time developing a realistic regulatory structure, even if it is not a perfect regulatory structure. At the same time, the privacy and security issues arising in the context of these records — mainly the question of whether we can develop appropriate privacy and security controls while still achieving the goals of an integrated health information exchange environment — are so significant, and raise so many questions about the current state of healthcare privacy laws, that this evaluation of privacy and security issues for electronic medical records and personal health records will drive a wholesale re-evaluation of the overall privacy and security rules for the healthcare system.

We also are seeing the push toward broader employee wellness plans that raise significant issues about the overall regulation of an employer's role in the healthcare system. It is clear that the current private healthcare system — where most of the private insurance is obtained through the workplace — is under fire. On the one hand, you have states, such as Massachusetts, that are forcing employers to be more involved in providing healthcare to employees. On the other hand, there are constant cost pressures, creating real economic tensions with many employers (even at the large level like the auto manufacturers, where healthcare costs are deal breakers with the unions). This seems to be a system that is facing chaos. On the privacy front, there are real legal issues arising with the ability of employers to do anything about actually controlling costs, through employee behavior. Employers are interested in wellness programs, for example, that promote better employee behavior, but there are real restrictions, from the privacy laws and otherwise, on how these programs can be effective. All of this seems to be putting pressure on the idea of the "one-size-fits-all" employer-sponsored coverage, where all employees, within the range of choices, pay the same price. If there are realistic means of reducing costs by making employees with problematic behavior pay more, I think we will begin this year to see a real debate on whether employers can use health information to achieve these goals. I think the constant cost pressures coupled with the legal landmines in this area will lead to a revised debate and real pressure to permit employers to be more active in this area, as a means of attempting to preserve an employer-sponsored system that seems on the verge of collapse.


Kirk Nahra is a Partner with Wiley Rein LLP in Washington, D.C., where he specializes in privacy and information security litigation and counseling. He is chair of the firm's Privacy Practice. He serves on the IAPP Board of Directors and is the Editor of The Privacy Advisor. He is a Certified Information Privacy Professional. He is the Chair of the Confidentiality, Privacy and Security Workgroup, a panel of government and private sector privacy and security experts advising the American Health Information Community (AHIC). He may be reached at knahra@wileyrein.com.

The Private Sector Privacy Agenda — A ChoicePoint Perspective


By Aurobindo Sundaram and Tina Stow, CIPP


Sharply increasing trends in the number of breaches year over year signal that corporate America will continue to experience security breaches for the foreseeable future. These breaches include the loss or misplacement of — or unauthorized or fraudulent access to — sensitive information, particularly consumer sensitive personally identifiable information (SPII). However, several trends may drive the performance and success of privacy offices and functions even in the face of these great odds:

   1. Integration With Information Security (and Technology)
      Privacy offices have enormous synergies with information security, but rarely realize them because they are siloed within many corporate structures. In many cases, privacy and security report to different organizations (Legal and IT, respectively). As these two organizations work together, they will find that common requirements (confidentiality, privacy, authorized access) will drive tool and process consolidation, unified toolsets and efficiencies in management.
   2. Integration With Application Development
      Privacy offices, just like the security organizations before them, will be brought into the product management and application development cycle earlier for two reasons: (1) There are significant compliance directives influencing an organization today; and (2) Designing privacy policies and functions early in the process saves a lot of pain in the future. This integration will be slow in coming, but expect to see the early stages of it in 2008.
   3. Information Protection Focus
      Mature organizations will "follow the information," performing application inventories and periodic risk assessments (both qualitative and quantitative). They will then integrate these results into frameworks such as ISO 27002 and Generally Accepted Accounting Principles, thereby implementing a risk-based set of overlapping physical, technical and administrative controls to protect the organization's sensitive information. If this sounds familiar, it should be — information security has followed the same path.
   4. Metrics Creation and Measurement
      As privacy functions mature, the focus will move from compliance to business value creation and risk mitigation. More mature privacy organizations will create and measure simple metrics around risk mitigation that are often aligned with security (i.e., percentage of applications that mask sensitive information; number of emails with sensitive information that were sent unprotected).

In summary, despite the original role of the privacy officer as an incident management cop, more substantial, business-transforming initiatives are emerging in which the privacy offices of best-practice organizations must be involved.


Aurobindo Sundaram is the VP of Information Security at ChoicePoint, Inc. In this role, he has responsibility for creating business continuity, security and risk management policies, procedures and standards; coordinating with operations to implement these policies; and measuring and ensuring compliance with the company's information security framework. Sundaram is on the company's executive steering committee for information security governance, and the chair of the Security Working Group, a cross-functional group of security operations managers. He holds several information security certifications, including the CISSP, CISA, and CISM. He may be reached at aurobindo.sundaram@choicepoint.com.

Tina Stow is Assistant Chief Privacy Officer for ChoicePoint. In this role, Stow is responsible for communication with public and private sector stakeholders and ChoicePoint associates in regard to ChoicePoint's policies, procedures and public positions on matters of privacy, ethics and compliance as related to the company's business. She also develops outreach and education strategies, privacy and compliance policies and procedures and is responsible for reviewing and updating privacy policies for ChoicePoint's Web sites. She also responds directly to consumer inquiries relating to privacy and is responsible for performing any duties associated with the overall compliance with regulatory requirements and privacy policies. She may be reached at tina.stow@choicepoint.com.

Data Security in 2008

By Lisa J. Sotto

In the world of data breaches, last year's news will be next year's news. While we already have witnessed a number of significant data breaches, the worst is yet to come. Identity thieves have become extremely sophisticated in the last several years. There has been a significant change in the way these criminals operate. They are infiltrating corporate systems in ways that would have been inconceivable a few years ago. The malicious incidents that cause actual harm (as opposed to laptops that are stolen only for their hardware) are more egregious than ever. Similarly, the booty the criminals are targeting is more rewarding for them — and potentially more damaging for us. A year or two ago, criminals were satisfied with the theft of verifiable credit and debit card data. In the future, they won't stop at these limited-use vehicles. Instead, they will seek to whisk money directly out of financial accounts, resulting in actual losses that are orders of magnitude larger than anything we have seen to date.

The good news is that coupled with the increased danger comes increased awareness by corporate management of its obligation to protect data. This new high-level awareness has resulted in increased resources within organizations to try to prevent data compromises from occurring in the first place. The silver lining of data breach laws is that, in many cases, senior management is now paying attention to data security before an adverse event occurs and devoting appropriate resources to prevention. There is a subtle shift within companies as they have begun to understand that information security must evolve to meet the increasingly sophisticated methods of the fraudsters. This is not an area for ponderous, protracted decision making.

In light of recent events in the UK (with a data compromise there affecting 25 million Britons), there is likely to be vociferous demand for data breach laws in Europe, Canada and elsewhere. The challenge for multinational companies in 2008 will be to manage data security globally, ensuring the same high level of protection for data regardless of where in the world it resides. In the event of a data compromise, companies will need to look beyond the panoply of U.S. state breach notification laws. To maintain the trust of consumers around the world, companies that suffer a breach will need to consider how to handle breaches that affect residents in multiple jurisdictions in an even-handed manner, even where the legal obligations may differ.

Data security is still a nascent area. But we are learning, and we are bound to learn more in 2008 than ever before. The identity thieves will make sure of it.


Lisa J. Sotto is a Partner in the New York office of Hunton & Williams, LLP. She heads the firm's Privacy and Information Management Practice, and recently was voted the number one U.S. privacy expert in Computerworld's 2007 survey. Sotto was appointed by U.S. Homeland Security Secretary Michael Chertoff as Vice Chair of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee. She also serves as Co-chair of the International Privacy Law Committee of the New York State Bar Association and Chair of the New York Privacy Officers Forum. Sotto has testified before Congress and Executive Branch agencies on privacy and data security issues. She may be reached at lsotto@hunton.com.

Behavioral Targeting: Consumers Should Have Control

By Peter Swire

The Federal Trade Commission (FTC) held its Town Hall on behavioral profiling in November. The intersection of privacy and online advertising will be an even bigger issue in 2008.

Based on my experience in government and the private sector, I think there is a common-sense baseline for how this issue will turn out — individuals should have a realistic way to choose not to be profiled when they go online.

For cookies that keep track of an individual's visits to multiple Web sites, I don't think we're there yet. At the Town Hall I spoke with one FTC attorney who had spent nearly an hour online the night before. She had tried without success to opt out of cookies used by companies such as DoubleClick. If it's too hard for smart attorneys, trying to opt out as part of their job, then it's not a good enough system.

When I worked on privacy in the White House, it was a huge help when we could say that individuals had a choice. With GLB in 1999, individuals gained the choice not to have their personal information sent to outside marketers. In 2000, when there was a cookie problem on the White House site, we created a policy that persistent cookies would be set only with the choice of the surfer.

On a political level, these measures worked — the administration could explain that individuals had a realistic choice about how their data would be handled. These measures also worked at least pretty well at the level of policy — the people who cared a lot about their privacy now had a way to say no to certain practices.

People in the advertising industry, understandably, want the maximum number of surfers to see the more profitable, targeted ads. They emphasize that profiling is benign because it only determines which ads get served to the desktop.

There are two problems with that position, however. First, in our post-Patriot Act world, records can easily end up in government hands under National Security Letters, Section 215 orders or other procedures. Second, in part due to this concern about government surveillance, millions of Americans don't want to have detailed and permanent profiling of their search requests and other surfing habits.

So there are good reasons for leaders in technology and e-commerce to find realistic ways for consumers to have a choice. I personally think, for instance, that search engines should have an option not to link my current search with previous searches.

Many consumers won't mind the profiling, or will even prefer it. But the media and the political system, in the long run, are likely to push back whenever detailed profiling becomes a mandatory part of surfing the Web.


Peter Swire is the C. William O'Neil Professor at the Moritz College of Law of the Ohio State University. He is Senior Fellow at the Center for American Progress and a consultant to Morrison & Foerster, LLP. From 1999 to early 2001 he served as Chief Counselor for Privacy in the U.S. Office of Management & Budget. He is Faculty Editor of the "Privacy Year in Review" of "I/S: A Journal of Law and Policy for the Information Society," which is distributed to all IAPP members. He is also lead author of "Information Privacy: Official Reference for the Certified Information Privacy Professional." He may be reached at swire@osu.edu.

Electronic Discovery in 2008

By Lucy L. Thomson, CIPP/G

A significant privacy risk on the legal scene for 2008 involves the vulnerability of sensitive data and information in electronic discovery. Electronic discovery has changed the way lawyers practice law. The days of paper documents are soon to be long gone — instead of exchanging boxes of documents ready for easy retrieval, attorneys receive digital files on electronic media, often from complex networked information systems that are difficult to visualize, and in formats that cannot easily be read and are expensive to process.

To make matters worse, the contents of these digital files are often unknown to the parties to the lawsuit. Companies or other organizations involved in a lawsuit may provide documents in discovery they have not reviewed — emails and their attachments may contain sensitive and personally identifiable information, such as Social Security numbers, financial records, medical records, trade secrets, and other confidential and privileged content. The receiving party is often unaware of the nature of the documents as well — on both sides, the sensitivity of the documents has not been assessed.

A striking reality of electronic discovery is that it often involves taking sensitive or confidential information from a protected environment — a secure system — and exposing it to an ad hoc, unstructured environment. Sensitive data is often exposed to insecure data transfers/exchanges, accessed by multiple parties, and stored in insecure environments. Stories are told in legal circles of data in discovery that is copied from PCs onto unencrypted thumb drives, CDs and laptops, combined with data from other sources, and transported by untrusted couriers to various destinations, often with inconsistent security practices. This data is then searched, reviewed, exchanged and stored among multiple parties to the litigation, including attorneys, experts, and the courts.

Numerous data breaches have underscored the need for procedures to ensure that sensitive information is protected appropriately from unauthorized access, theft and loss. The fact that discovery is legally compelled places a high burden on the parties to a lawsuit to ensure that the information is secure. An important role for privacy professionals clearly exists in the e-discovery arena. Legal teams requesting documents in electronic discovery must include information security in their litigation planning — information security that is comprehensive and effective.


Lucy Thomson, CIPP/G, is an attorney with extensive experience as both a litigator in complex federal civil and criminal cases and as an expert in electronic discovery and privacy and information security. During this past year, she served as Consumer Privacy Ombudsman in two federal bankruptcy cases to advise the Court on complex privacy issues and to oversee the sale of electronic consumer records. In her current position as Senior Principal Engineer and Privacy Advocate at Computer Sciences Corporation (CSC), a global IT company, she works on teams building modernized information systems for very large organizations. Ms. Thomson was awarded an M.S. degree from Rensselaer Polytechnic Institute (RPI) in 2001, and earned her J.D. degree from the Georgetown University Law Center. She may be reached at lthomson@csc.com.


The Privacy Landscape for 2008


By Brian Tretick, CIPP

Among the issues companies will face in 2008, privacy prevails as a critical compliance and business risk. Compliance with laws and regulations has become a key driver for industry's privacy management initiatives worldwide. Compliance risk — the risk related to not complying with relevant laws and regulations, or even contractual obligations over personal information — is accelerating with the increase in regulator inquiries, audits and other enforcement actions.

As the business risks related to privacy become increasingly important, the process of managing compliance with privacy and data protection standards is becoming more integrated with existing compliance initiatives such as records management, intellectual property protection, data governance and information security. Respondents to Ernst & Young's 2007 Global Information Security Survey cited the combination of privacy and data protection third on their list of top issues that have the most significant impact on information security practices, following the related drivers of complying with financial controls, regulations and supporting business objectives with technology.

As we look ahead to 2008, there are 10 business issues that need to be considered by management at the top levels.

   1. Identifying and classifying information — Refreshing traditional data classification approaches to address evolving privacy laws and risks.
   2. Data minimization — Limiting the collection, use, disclosure and retention of personal information to minimize risk.
   3. Portable media and devices — Securing personal information that travels via portable devices.
   4. Encryption — Implementing this influential tactic should be a standard operating practice on all portable devices.
   5. Managing third parties — Enforcing strict standards with third-party providers.
   6. Working remotely — Recognizing the need to ensure security for telecommuters.
   7. Incident management — Establishing and testing processes to manage events involving personal information.
   8. Globalization and harmonization — Using a privacy compliance toolbox to help enable global data flows and harmonize business processes.
   9. Monitoring tools and capabilities — Adapting technology and instilling process to monitor the perimeter, data transfers and applications.
  10. Internal audit — Recognizing the need to educate and train internal audit staff about privacy.

These issues need to be addressed as part of a comprehensive and deliberate management of privacy risk and compliance. An effective program relies on controls, monitoring, compliance activities and other assurances to help ensure an effective operation is in place.

Privacy is quickly becoming a mainstream business issue. We are witnessing a trend back to marketing and customer databases that drove the topic at the turn of the century and fueled the privacy debate throughout the emerging Internet economy. With the increasing use of interactive technologies, accelerations in customer relationship management systems, and emerging techniques for online behavioral tracking and advertising, we expect the resurgence of marketing as one of the key drivers in privacy concerns in 2008.


Brian Tretick is the Executive Director for Ernst & Young's Privacy Risk Advisory Services. He has more than 20 years of professional experience in information security, and has spent the past decade focused on privacy and data protection. He serves the IAPP as a regular member of the CIPP Faculty. He can be reached directly at brian.tretick@ey.com.


The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP.