Recently, the federal government has begun to focus more on the issues
of consumer privacy. The Federal Trade Commission has filed complaints
against a number of companies for failure to ensure the privacy of
information that is provided by their customers. State governments
have also begun to legislate issues of consumer privacy: California,
for example, passed fifteen privacy bills in 2003. This focus seems to
coincide with the burgeoning attention paid to data security issues,
especially in the payment services vertical. As a result, many
mistakenly believe that compliance with data security regulations and
good security practices (the difference between compliance and security
being detailed in an earlier article) are synonymous with good privacy
practices. The fact is that, while security is one aspect of privacy,
the two terms are not interchangeable. Privacy practices go far beyond
simply ensuring that personally identifiable information is protected
from unauthorized disclosure.
Almost all online activity leaves some traces. The traces may consist
of tracking cookies or spyware that is inadvertently downloaded to the
user's computer. Regardless of the source of these traces, the
endpoint is the same: a user's activities are transmitted back to a
person or organization that is attempting to divine the habits and
preferences of individual users. Furthermore, some websites request
that users supply personal information in order to register or log in
to the site. The result is that every day, sometimes voluntarily and
sometimes unknowingly, users are transmitting personal data across the
web. In addition to website registration and tracking cookies, more and
more customers are becoming comfortable with commerce and banking over
the internet. Increasingly, sensitive information is being transmitted
via the internet. Rather reluctantly, companies are now responsible
for ensuring that the information that is transmitted is used in a
manner consistent with the wishes of their customers.
Plainly speaking, the two concepts, security and privacy, are related
but not identical. As has been established in previous writings,
information or data security can be defined as "a measure or measures
taken to guard against a threat or vulnerability". The objective of
security is to mitigate risk to an acceptable level. Privacy, in
contrast, has been defined by the International Association of Privacy
Professionals (IAPP) as "the appropriate use of personal information
under the circumstances... Also the right of the individual to control the
collection, use, and disclosure of personal information." Based on
these definitions one can see that preventing unauthorized disclosures
of information (data security) is a component of privacy. However, as
the IAPP definition illustrates, privacy practices entail much more.
The Federal Trade Commission (FTC) has developed some guidelines for
"Fair Information Practices." Though the Practices are not mandated,
they do establish a baseline of privacy in an effort to standardize
privacy practices across businesses and industries. The Fair
Information Practices comprise five basic components: Notice
and Awareness, Choice and Consent, Access and Participation, Security,
and Enforcement.
"Notice and Awareness" is a relatively straightforward principle. It
indicates that consumers should be made aware that personally
identifiable information will be collected during their visit to the
website. Additionally, the company must inform the consumer of any
consequences of not providing personal information. For example, if
the consumer chooses not to fill out the enrollment form, they may not
be able to log on to the website's "Members Only" section. The length
and exhaustiveness of the notice will vary according to the specific
practices of the entity collecting the information. Among the
information that the FTC recommends that companies disclose are: the
identity of the company or entity that is collecting the information,
the use to which the information will be put, and what steps are taken
to ensure that the information remains confidential. Only after being
made aware of the need for the information and the consequences of not
providing the information can the consumer make an informed decision
to disclose personal information.
The second principle of Fair Information Practices is the tenet of
"Choice and Consent." This principle is related to the issue of
secondary use of personally identifiable information. A secondary use
of information is defined by the FTC as any use of personal information
beyond the completion of the immediate transaction. Such use may be
internal, such as analysis by the marketing department, or external,
such as the use of a direct marketing firm to send mass mailings to
customers. According to the Fair Information Practices, consumers
must be given the opportunity to decide whether or not their
information can be used for such secondary purposes.
The third principle is that of "Access and Participation." Here the
FTC recommends that entities that collect personal data make provisions
allowing individuals to access that information. The access is granted
so that individuals can ensure that the information on file is accurate
and complete. If the information is inaccurate, the individual must
also be afforded the opportunity to correct the data. Access must be
given in a manner that does not impose undue burdens on the individual;
it must be timely and inexpensive.
The principle of "Security" is perhaps most often associated with the
notion of privacy. This is largely due to the notion that properly
implemented security measures will mitigate the risk of unauthorized
disclosure of information. Both technical and administrative
steps must be taken to satisfy the FTC's security recommendations. The
security that is implemented should be consistent with industry best
practices and protect against commonly known vulnerabilities.
Unfortunately, this principle is also where some companies tend to
overextend themselves in their promises to customers. A popular
national pet store chain was recently cited by the FTC for making false
security promises in its privacy statement. The company offered users
of its website a "'100% Safeguard Your Shopping Experience Guarantee'
so you never have to worry about the safety of your credit card
information." When that same company was attacked using a well-known
SQL injection technique, consumers' credit card numbers and other personal
information were revealed in clear text. It is imperative to ensure
that industry best practices regarding information security are
followed. It is extremely helpful to engage an information security
firm to help ensure that regular security assessments, including tests
for the most current vulnerabilities, are conducted, in addition to
achieving compliance with relevant industry and legislative mandates.
Lastly, companies must provide a method of "Enforcement and Redress" in
the event that customers feel that the privacy policy is not being
practiced. Merely posting a privacy policy is not enough to ensure
that privacy is guaranteed. There are a number of methods of
enforcement recognized by the FTC; they include industry
self-regulation, legislation that creates private remedies for
consumers, and legislation that provides for civil and criminal
penalties for companies in violation of their privacy policies. As
with the Access principle, customers' access to enforcement mechanisms
must not create an undue burden on the customer. There must also be
some consequence for the company for not adhering to its own privacy
policy. A policy that carries no repercussions for non-compliance
carries little weight.
One key element in creating and implementing a robust privacy policy is
communication. In reviewing the complaints charged by the FTC in the
last several years, it becomes clear that many of the policies were
written by either the marketing department or the legal department,
without input from the departments that create or maintain the
website. The result is either an impossible guarantee or a policy
filled with legal jargon, neither of which reflects the technical or
administrative practices of the company and its website.
Many companies are beginning to engage firms that specialize in privacy
and security to help them create and implement a privacy policy. In
addition, these companies are offering ongoing monitoring of websites
and policies to ensure that the company stays compliant with its own
policy. This serves two purposes. First, and most obviously, it
allows companies to monitor their own compliance and to take steps to
correct any issues that may preclude compliance and result in
unauthorized disclosure of personal information. Secondly, in the
event that such a disclosure does occur, despite the best efforts of
the company, enrollment in such a program may demonstrate to the FTC
due diligence on the part of the company in attempting to maintain the
privacy of the information collected.
As one might imagine, privacy policies are not of the one-size-fits-all
variety. Companies must determine what uses they will make of personal
information beyond the immediate completion of the
transaction. Some companies may decide that the liability associated
with collecting and/or sharing information outweighs the benefits.
Other companies may decide to strictly limit the uses of such
information to only aggregate data to be used by internal departments.
Such decisions should be made after conducting a thorough analysis of
internal resources, capabilities and needs.