
Enforcement of security and privacy is reaching deeper and deeper into corporations. Gramm-Leach-Bliley regulates banks' protection of customers' private information; Sarbanes-Oxley requires public companies to improve their IT and accounting processes; VISA makes all credit card merchants, large and small, comply with its new security requirements. Many states, including Washington, have passed their own "security breach customer notification" laws. And the Federal Trade Commission (FTC) is doing its part to ensure that U.S. companies are doing things right.
What can the FTC do that these laws cannot?
The FTC is enforcing the Gramm-Leach-Bliley Act (GLBA), the Electronic Communications Privacy Act (ECPA), and other laws by forcing companies to comply with their own published security and privacy policies. In the past few years, many U.S. companies, including Alexa (a subsidiary of Amazon.com), Microsoft, and Tower Records, have been hung with their own rope: in each case, the FTC found that the company had been engaging in practices that contradicted its own published privacy or security policy.
As the Internet plays an ever-increasing role in commerce, enforcement of both "traditional" and online practices laws will increase in order to keep companies (and consumers) honest and sound.
It is our experience that companies often develop privacy policies without the involvement of information technology (IT) and information security staff. Sometimes we even see privacy policies being developed by marketing departments that lack knowledge about how the company actually collects, processes, and distributes information from its present and potential customers. This case of "the right hand not knowing what the left hand is doing" has resulted in many companies publishing privacy policies that are little more than a pipe dream. And when consumers take notice, the FTC (and, sometimes, other branches of government at the federal, state, and local level) gets involved.
The next section in this newsletter discusses a strategy for developing a practical privacy policy.
Any formally written and approved policy document that a company makes becomes a standard for that company's behavior. A policy becomes a company's marching orders, as well as its own code of conduct.
A privacy policy should define the following practices (whether or not the organization currently engages in them):
- From whom is information collected
- How is the information collected
- For what purpose is the information collected
- How is the information protected
- How is the information used
- Who has access to the information
- How long is the information retained
- To whom is the information distributed
- When is the information destroyed
- Who is responsible for all of the above
- How can a customer contact this person or department
- How can a customer opt out
This can be quite a lot to figure out, but companies that collect personal information from customers must figure out all of these details. The consequences of failure are just too great to take this lightly.
A business that is considering collecting customers’ personal information should ask the following questions:
- Is collecting customers’ personal information necessary?
- How long must customers' personal information be retained?
- Is the benefit derived from customers' personal information worth the trouble of protecting it?
If you are certain that you can derive value from customer personal information, then you can develop your privacy policy, as well as the procedures necessary to carry it out correctly.