Live blogged in Nashville. Any errors or bad jokes are my own. Any typos are purely the fault of the iPad.
by Peter Milla and Dave Christiansen
CASRO has seen an increase in requests from clients and regulators for data privacy and security compliance.
– code of standards
– safe harbor program
Compliance means conforming to a rule, like a policy or law. Clients want operational transparency.
Companies will require 50 percent fewer business process workers and 500 percent more digital business jobs, especially regulatory analysts and risk professionals. These jobs are generally only in larger companies. This includes privacy officers.
Privacy and security are symbiotic. This can be a crisis for MR. Privacy is appropriate use of the data; security is the confidentiality and integrity of the data.
– You can't just destroy data. What about all the backups, and the saved copies that everyone has from their piece of the work?
– availability of data could impact life or death in some cases
What drives compliance
– client wants it [I hope vendors want it too. Why is it 'because clients want it'?]
– legislation or regulation like HIPAA, GLB, COPPA, FTC, PIPEDA. You could be accused of unfair trade practice for discontinuing a poor responder.
– gain a competitive advantage
[Wow, typing on an iPad keyboard is quiet and completely unobtrusive when you lay it flat! But I can't put pictures or links easily. Sorry.]
ISO 27002 – you can't be certified against it, but you can be compliant with it
HIPAA compliance case study
– Business associates now face liability: uses not in accordance with the BAA, failure to limit PHI, failure to provide breach notification, failure to provide HHS access when required, failure to comply with the security rule.
– many companies state one year but they keep it forever
– Protected Health Information PHI.
– Employees don't usually intend to make errors; they just don't know.
– There is no easy checklist of requirements.
– It does offer a set of principles. The instruction is to take the necessary steps to disclose only the minimum necessary information.
– much is process based
HIPAA security rule compliance
– Risk analysis: evaluate the likelihood of risks, implement appropriate security measures, document those measures, maintain continuous review and assessment, ensure access control and integrity control, ensure transmission security, keep documentation up to date.
Blue Cross – just had a breach that affected 80 million US citizens, 25% of the population: names, SIN, birthdays. Be sure to use your free annual credit report. Take advantage of free credit monitoring. Monitor your children as well. Be alert when filing your income taxes.
Top security trends
– cybercrime, privacy and regulation, third party provider threats and breaches, BYOx in the workplace – Bring Your Own Device [like I'm doing right now. Are my office security systems on my personal tablet?]
[Note to self and everyone: turn the GPS off on all of your devices. It is not necessary that every software program knows where you are, where you live, where you work, where your kids live.]
Advanced Persistent Threat – APT
– China, Russia and Iran have active cyber espionage, aligned to every industry to take whatever they can, causing the information security bar to be raised.
Clients expect all their information is safe. You need a dedicated person or team: CISSP, CISM, CISA, ISO, SDLC. [We have this person. They went to every single office in every country over the last couple of weeks to remind every single person just how serious security issues are.]
[Everyone should have come to this session. I don't care if you think you're doing fine. You need persistent reminders of just how worried you really ought to be.]
Information security is not IT security. It spans people, processes and technology. It's digital, written and spoken. It's being proactive. It's an organizational discipline.
– Best practice for information security: NIST, CSF, COBIT. It can be audited and certified. 'Best practice' is the policies, procedures, controls and training.
– it is not industry specific. it is federal, state, industry, contractual relevant.
– Vulnerability assessment annually or quarterly, penetration testing, gap assessment, awareness training, internal audit, risk assessment.
[Annie's free public service announcement – do an internal audit today. If it looks like spam, it probably is. If it doesn't look like what I usually email to you, I probably didn't email it to you.]
Welcome to the virtual MRIA 2011 annual conference! This post reflects my personal musings and interpretations of this presentation. It was written during the presentation and posted minutes afterward. Any inaccuracies and silliness are my own.
With David Stark (GfK), Brian Bowman (MRIA legal counsel) and Patrick Glaser (MRA). Moderated by Finn Raben, Director General: Esomar
- This was a GREAT session. Do read carefully and follow up with the panel yourself.
- Finn – The game is now changing and so are the rules. He introduced the superstars who will put the sex back into research.
- David – Social media listening and web scraping. Two main legal considerations – privacy and intellectual property. In Canada you must consider Canada's PIPEDA act. The Privacy Commissioner questions the view that information that is 'out there' is available for any kind of use. Being public does not mean it can be used for any purpose.
- What is public information? PIPEDA says public information is very narrow: contact information appearing in telephone books, business directories, magazines or books where the individual has provided the info. Is social media a publication? The letter of the law says scraping the open web without notice or consent is unlawful. Perhaps PIPEDA just needs to be brought up to date and modernized. We need a broader definition of public information. We need the Kerry-McCain view of web data mining – widely, publicly available information where there are no access restrictions. Creating a false ID to log in for research purposes is still inappropriate and wrong. Encourage privacy by design – screen out usernames.
- Brian – Where is the privacy line? Walking on the sidewalk? Walking on your lawn? Standing in your living room window where people can see you? Should you have privacy walking into a medical clinic? Walking into an adult entertainment store? (Finn – reminds us about putting the sex back into research.)
- Patrick – Behavioral tracking. Watching where a person clicks as they go from website to unrelated website. What if people searching for cancer information are charged higher insurance rates? Privacy advocates know this issue is here to stay. Market researchers have an extremely minimal voice related to tracking. Consumers and corporation and business groups have many more voices. (mmmm discussions of cookies) Cookies were created for privacy, passwords, permissions so they are a good thing. But we need a window of acceptance for this newer behaviour. Public is becoming more aware of trade-offs. You can download tracking prevention software but this may backfire when websites refuse free use of their site unless you permit tracking.
- Brian – Device IDs. Are these "personal information?" He is concerned that market researchers are starting to sound like lawyers. 🙂 IP addresses have been deemed personally identifiable and therefore carry obligations.
- David – Researchers must explain and let survey panel members know they use digital fingerprinting. Some companies don't want to say so, so that fraudsters can't defeat the technology. It needn't be lots of detail though. Privacy policies need to be simple.
- Brian – Do you REALLY need to collect all of that data? Will you use all of it to create a unique machine ID? Limit use of data to what you told the person you were going to use it for. Is use of this technology reasonable? Reasonable depends on the circumstances and differs by person and may not work in current framework.
- David – He paid for the use of the Dilbert cartoons. (That’s why I admire David.) Do panel members need meta data in photos, including the lat and long? Google and Apple were under fire for sharing information without permission, let’s not do the same. MAKE YOUR POLICIES SIMPLE particularly when people try to read it on their phone. Address the fees for participating in SMS research up front.
- Finn – 4.8 billion people have a mobile phone. 1.8 billion have internet. 15% of US males admitted to interrupting sex to answer a mobile phone. (More sex talk from Finn, he's on a roll.)
- Brian – 1) privacy advocates: don't do surveys, don't answer the phone, hostile; 2) privacy pragmatists: generally participate; 3) couldn't care less: take pictures with geolocation that say "I'm not home, rob me now." Most people are pragmatists. Teenagers expect companies to comply with legislation more than ever before. Head in the sand is at your own peril; it will affect their businesses.
- Patrick – Privacy laws develop out of necessity. Cheapness of storage, processing power, speed of transmission, these three things have changed tremendously in recent years. Foundation is notice and choice. Offer transparency or you will be steamrolled.
- David – Keep research and marketing separate. Tweeting and engaging is small scale social media research.
- Brian – Finishes up with a sex comment – Airport security can take naked pictures of us but they have created privacy around the process. It’s invasive but they created privacy by design.
- Finn – ESOMAR guidelines will be out in a couple weeks. This is not a forecast of doom and gloom. We don’t always know where the line is. We try to say “it wasn’t me” but one person impacts the entire industry. There is a panel in India where people must pay to join?!?!?! Some people are thinking the research industry is a scam because of that. Always ask questions.
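Several of the panel's points are things a collector can actually enforce in code: David's "privacy by design – screen out usernames", Brian's warning that IP addresses and device IDs carry obligations and that you should keep only what you told people you would keep, and the question of whether lat/long belongs in panel photos. The block below is an added example of mine, not code from the panel or from any speaker's company. It runs a minimisation step over a constructed social-listening record before storage; the field names, the /24 and /48 prefixes, and the keyed-hash pseudonym are my assumptions, not anything the panel prescribed.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample record of the kind a social listening or panel collector
# might hold before storage. Every value is made up (RFC 5737 test address).
SAMPLE_RECORD = {
    "post_id": "p-1001",
    "username": "jane_doe",
    "text": "Loved the new store, thanks @jane_doe and @acme_support!",
    "ip": "203.0.113.42",
    "device_id": "IMEI-35-209900-176148-1",
    "photo_exif": {
        "Make": "PhoneCo",
        "DateTime": "2011:05:10 12:34:56",
        "GPSLatitude": "43.6532",
        "GPSLongitude": "-79.3832",
        "GPSAltitude": "76",
    },
}

# Fields the privacy notice said would be kept (assumed list for this example).
# Anything not in it must never reach storage.
DECLARED_FIELDS = {"post_id", "text", "ip_prefix", "respondent_pseudonym", "photo_exif"}

# Secret used only to derive a stable, non-reversible respondent pseudonym for
# de-duplication. In a real deployment this lives in a key store, not in source.
PSEUDONYM_KEY = b"constructed-example-key"

MENTION_RE = re.compile(r"@\w+")


def screen_handles(text):
    """Replace @handles in free text with a neutral token (screen out usernames)."""
    return MENTION_RE.sub("@[handle removed]", text)


def pseudonymise(username, key=PSEUDONYM_KEY):
    """Keyed hash of the username: the same person can be recognised across posts
    without the handle itself being stored (assumed design, not the panel's)."""
    return hmac.new(key, username.lower().encode(), hashlib.sha256).hexdigest()[:16]


def coarsen_ip(ip):
    """Keep only a network prefix (/24 for IPv4, /48 for IPv6): enough for coarse
    geography and fraud checks, no longer a single-host identifier."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def strip_gps(exif):
    """Drop every GPS* tag from an EXIF dictionary and keep the rest."""
    return {tag: value for tag, value in exif.items() if not tag.startswith("GPS")}


def minimise(record, declared=DECLARED_FIELDS):
    """Build the stored record from the raw one. The raw username and device_id
    are never copied across; the remaining fields are reduced before storage."""
    reduced = {
        "post_id": record["post_id"],
        "text": screen_handles(record["text"]),
        "respondent_pseudonym": pseudonymise(record["username"]),
        "ip_prefix": coarsen_ip(record["ip"]),
        "photo_exif": strip_gps(record["photo_exif"]),
    }
    # Guard: if someone later adds a field here without updating the notice,
    # fail loudly instead of quietly keeping data nobody was told about.
    undeclared = set(reduced) - set(declared)
    if undeclared:
        raise ValueError(f"collector keeps undeclared fields: {sorted(undeclared)}")
    return reduced


if __name__ == "__main__":
    from pprint import pprint
    pprint(minimise(SAMPLE_RECORD))
```

Running it prints a record with no handle, no raw IP, no device ID and no GPS tags, while the camera make and timestamp survive. The guard in `minimise` is the part worth copying: it ties the code to the privacy notice, so the "use only what you said you would use" rule is checked every time the collector runs rather than once at policy-writing time.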