Portia Workshop on Sensitive Data in Medical, Financial and Content Distribution Systems A Financial Services Viewpoint

1. Portia Workshop on Sensitive Data in Medical, Financial and Content Distribution Systems A Financial Services Viewpoint Dan Schutzer, Citigroup July 8, 2004

2. This presentation is intended to discuss the following: • The Privacy Tussle in Financial Services • Requirements for Auditing and Tracking Access and Use of Sensitive Information • Requirements for Access Control and Information Protection • Requirements for Marketing and Customer Service • Research Challenges • Seven Key Design Hurdles

3. A Brief Simplified Review of Relevant Laws and Regulations • Sarbanes Oxley, Section 404 • Focus is to protect Corporation and Shareholders • Addresses the need to record transactions and provide timely detection and notification of unauthorized access or use • BS 7799 • Focus is to protect Individual and Corporation Sensitive Information • Addresses the need to ensure confidentiality, integrity and availability of vital corporate and customer data • GLB • Focus is to protect individual • Requires clear disclosure of privacy policy, need support for opt-out of sharing with non-affiliates • HIPAA • Focus is to protect Individual • Provides standards for privacy of individually-identifiable healthcare information • Patriot Act, Money Laundering Regulations, Homeland Defense • Focus is to protect Society • Freedom of Information Act (FOIA ) • Focus is to protect individual • Allows someone to request information in the Government’s Possession

4. Other Privacy Pressures • Legal Risk • Focus is to protect Corporation • Fear of class action lawsuits, private lawsuits, regulatory investigations • Business Risk • Focus is to protect Corporation • Concern to protect information assets (money, intellectual property, supply chain data, sensitive personal information, vulnerabilities) • Concern over lack of control over what happens to data once it leaves our company • Information and privacy needs of Society, Financial Institution and Individual is complex and often in conflict with one another

5. Information-sharing in the Financial Services Industry is defined by a number of evolving and conflicting interests • Concerns for customers privacy versus needs of industry and society/government, e.g. to detect and prosecute wrong-doing • Impediments to the sharing of information amongst financial services firms with themselves and the Government • Concern about spreading information about vulnerabilities before effective patches exist • Concern for protecting source of information • Concern about premature disclosure of information • State and International laws add to the confusion (often conflicting and overlap)

6. Requirements for Auditing and Tracking Access and Use of Sensitive Information • These privacy protection pressures coming from regulators, laws, and business risks and liabilities, result in the need to: • Control the access to and use of sensitive data • Enforce and track compliance with privacy promises • Detect and report unauthorized access or use • What makes this hard? • We have multiple organizations and systems maintaining overlapping data, often required by law • Data is often dirty and incomplete from system to system • Can’t always easily link a customer across systems • Often hard to reconcile overlapping privacy promises across systems and organizations • There is often a many-to-one and one-to-many relationships that makes it harder to audit and enforce privacy promises, opt-outs, etc. • A single telephone number can be shared by many family members, even though only one is a customer and/or opted out • A single customer may have many email addresses and we don’t necessarily know them all • Who controls access? – Corporation, Individual • On what basis – what information, for what purpose, who shared with? • Against fixed opt-in, opt-out rules, or on an event-by-event basis<

7. Requirements for Access Control and Information Protection • Need to classify information at the item level, to at least 3 classification levels keyed to the sensitivity and importance of the information • Unclassified • Confidential • Secret • Each level requires successively greater protections • Need to encrypt • Need to verify that data is authentic and has not been tampered with • Strength of authentication and access controls • Need to be able to detect and report unlawful access • Our customers need to be able to easily verify when they are talking to us in order to prevent unintentional disclosure through spoofing for all forms of communications as well as vice versa • Email • Website • telephone

8. Requirements for Marketing and Customer Service • Financial institutions would like to know what to sell you and how best to communicate with you • Allows us to better customize products, pricing and communications • Data derived from our modeling – should this be available to customer? • Who owns it? • It is only probabilistic in nature and not an absolute • It can be a trade secret • It would be great if we could do this without identifying who you are (personal attributes), but often this is the best indicator of what you would be most interested in? • Where you live, your income, your occupation, your interests, your assets are strong indicators of buying preferences • Your phone number, email address, physical address are usually needed to communicate with you • Shared secrets are usually needed to authenticate you. • Our customers need to be able to easily verify when they are talking to us in order to prevent unintentional disclosure through spoofing for all forms of communications as well as vice versa; e.g. e-mail, Website, telephone • Issue of Opt-in versus Opt-out • We would like to discourage blanket “opt-out”, this often involves need to get more narrowly-defined opt-in permissions • We need to keep track of opt-outs and opt-ins ensure compliance

9. Research Challenges • Could we design a system where all our marketing and customer service requirements could be satisfied without access to any sensitive information? • Could we implement a “Trusted Agent” who had access to all sensitive information and could provide us needed marketing and partner information without revealing any sensitive information • Can access and analyze sensitive data without fear of compromise • Can act as a go between, a trusted broker that finds interested partners and exchanges offers anonymously • Can act as a guard that only provides actual information, when approved by consenting parties or when can prove it is justified by law • How to best tag data it4ems so they can be tracked across multiple parties and systems • How best to embed enforcement engines to challenge access, sharing and use contrary to user wishes that are often expressed as multiple rules across many different channels and systems • Purposeful ambiguity of legal language versus preciseness of computers

10. Seven Key Design Hurdles • Affordable Justifiable Cost • Easy to Use • Compatible with commonly accepted behavior • Meets marketing and risk management needs • Preserves customer’s sense of privacy and control over personal information • Maintains trusted communications – secure, mutually authenticated between principles and third parties • Operates in the real world of buggy, vulnerable software