Privacy has become one of the most challenging issues facing the business sector. It is essential to building customers’ trust in the companies with which they do business. Nevertheless, as recent examples show, violations of that trust persist despite the importance many organizations place on privacy management.
• At Georgia Tech, hackers invaded a computer and copied names, addresses and, in some cases, credit card information for fifty-seven thousand patrons of the Ferst Center for the Arts.
• A Coca-Cola employee slipped into the company’s computer system without authorization and downloaded the salary information and Social Security numbers of 450 coworkers.
• Eli Lilly, manufacturer of the antidepressant drug Prozac, inadvertently sent an e-mail notice revealing the e-mail addresses of approximately six hundred registered Prozac users to a list of people who had opted to receive reminders and other news about the drug.
• A security flaw in the California State University’s $662 million computer system gave users access to student and employee Social Security numbers and other confidential data. University officials reportedly knew about the problem for years and told state auditors that they require employees to sign confidentiality agreements, promising to respect others’ privacy.
Technology has made it possible for organizations to collect, store, transfer and analyze vast amounts of data about consumers. It is almost impossible to find a Web site that does not use cookie or Web beacon technology to gather information about visitors. This, along with the myriad subsequent uses of this personal information that technology makes possible, has raised public awareness and consumer concerns about online privacy.
The problem of protecting privacy lies with the enforcement of policies, including determining who is responsible for enforcement. This requires a shift in thinking.
Privacy has been approached primarily from a policy perspective. Most organizations, however, lack the business processes, structure or appropriate identifiable personnel to fully monitor and implement compliance. In addition, commonsense interpretations of lengthy and confusing regulations must be provided to those who are actually implementing privacy policies. And since privacy is an ethical issue, corporate consciousness must go beyond minimal compliance—it must be integrated with the corporate culture.
Finally, privacy management is not only a legal or information technology issue, but a risk management, records and information management issue as well.
To date, professionals from these disciplines have been underutilized in the implementation and monitoring of privacy practices. To alleviate future privacy liability, organizations must foster a new partnership between risk management, records and information management and executive management functions.
More Than a Policy Issue
Some argue that privacy is a systems security issue. To some extent this is true, since a solid cybersecurity program is necessary to safeguard information. Many recent privacy infringements are a result of improperly configured Web sites, insufficient firewall protections, unpatched holes in business applications or operating systems, or a failure to use standard security measures such as encryption of sensitive data in transit and storage.
Once the technology issues have been fixed, however, there must be systems—privacy policies—in place to prevent misuse of information due to simple human error, a rogue employee or an overzealous marketing department. Privacy policies, however, present a dilemma. Organizations that do not have a privacy policy risk noncompliance with regulations, exposure to lawsuits and potential loss of customers. If an organization has a privacy policy but does not follow it, exposure to the aforementioned risks also increases. Thus, the shape the policy takes must be carefully crafted and followed.
Privacy management starts by asking: what information is needed for business purposes and, ethically, what should even be collected. This, of course, runs counter to an organization’s impulse to learn as much as possible about its customers in order to serve them better.
In the end, the privacy policy must be clear and easy to understand by all staff. Training cannot cover every possible problem or decision that may occur on the job. Rather, employees can only make sound decisions when they understand the ramifications of making the wrong choice. Privacy management must be logical, integrated into even the most fundamental business processes and monitored by professionals who are trained and oriented to following processes, procedures and regulatory requirements.
Who Is Responsible?
The collection of certain data, such as personal customer information, is the entry point for privacy practices. Who is deciding what data to capture? Who is creating and monitoring the business processes that capture, assimilate, distribute and destroy data and records? Are those responsible adequately knowledgeable of relevant state and national legislation to make a judgement call on the content of the data being collected? What data flow monitoring practices are in place? Are those responsible for these processes qualified or likely to determine whether they are involved in ethical information management practices?
Who in the organization is best suited to provide the structure, oversight and implementation of privacy practices? This responsibility falls within any number of departments, including information technology, legal and compliance, and privacy officers at the executive level.
Although each of these positions has a piece of the privacy pie, they may not be the best choice for the job. For example, the perspective of many in the information technology department has changed significantly over the last couple of years, but there is still a tendency to focus on “Can we do it?” instead of “Should we do it?” IT professionals may understand the technology issues related to securing information, but they often require guidance and input on the broader process and policy issues of privacy.
Ultimately, privacy is an ethical, legal, compliance, risk management, information management and customer service issue. That means a few new team members need to be added to the privacy management team. Risk managers, in particular, are often missing, yet they play a critical role in implementing, monitoring and auditing privacy policies and practices.
Role of Risk Managers
Because privacy has become both a political and consumer issue, it is a liability risk exposure for organizations. Security breaches that create privacy infringements, as well as outright invasions of privacy, are prime events that make headline news and result in costly legal battles over privacy policy violations or deceptive trade practices.
In fact, a California law, enacted in July 2003, requires businesses to disclose to their customers any hacking incidents that may have exposed their personal information. A similar federal law has also been proposed. Failure to comply opens a company to civil lawsuits.
Organizations share private information on a daily basis, and the number of confidential transactions performed every hour is growing at an unprecedented rate. As the value of sharing data increases, corporate privacy policies must be both applied and consistently enforced across the entire IT infrastructure and business divisions. Risk managers must be able to assess how effectively their company is implementing, monitoring, enforcing and auditing their privacy and data management practices and policies.
From a practical standpoint, the risk manager will be needed to coordinate the efforts of internal leaders. For privacy-specific exposures this includes the chief privacy officer, internal legal counsel and the records and information manager or other business line manager responsible for nonpublic customer records and information (in paper or digital form).
The risk management coordination focuses particularly on the identification of perils and the implementation of loss-mitigation measures. Rather than reacting after a loss or lawsuit has occurred, proactive risk managers will take a forward-thinking approach to risk control and safety. They will identify and correct existing hazards, such as a gap in their privacy management practices, and create a business model with improved data and records management processes, which ultimately helps reduce liability, threats and loss. Additional actions include:
• Reviewing the corporate computer security policy, including recently conducted third-party network security assessment and penetration tests. This gauges the level of vigilance and commitment of internal personnel in key roles. It will also verify that a baseline level of cybersecurity protection measures (e.g., firewalls, trained employees, hardened servers with fluid patch management processes, strong access controls and encryption) are in place to protect personal, nonpublic customer information being stored, collected or transmitted.
• Reviewing the corporate privacy policy and its implementation to ensure that the organization’s handling of personal, nonpublic customer data mirrors any promises made on its Web site. (For example, “We do not sell or share your information”; “We secure your personal information with latest safeguards”; “We do not use cookies to track your online usage.”)
• Requesting that the Webmaster run an annual privacy self-scan—an automated tool that searches the corporate Web site for activities that may violate the privacy policy or for new technologies that may need to be incorporated into the policy.
• Staying abreast of any new legal precedents developed in the area of privacy litigation.
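One way to implement the privacy self-scan described above, as an added Python example that is not part of the original article or of any vendor's tool: it takes one captured page of the corporate site (response headers and HTML, constructed here) and checks it against the kind of promises quoted earlier, "we do not use cookies to track you" and "we do not share your information". The site host, the sample capture and the promise labels are assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed sample capture (not real traffic): one page's response headers and HTML.
SITE_HOST = "www.example-corp.test"
SAMPLE_HEADERS = [("Set-Cookie", "session=9f2a; Path=/; HttpOnly"),
                  ("Set-Cookie", "visitor_id=abc123; Path=/; Max-Age=31536000")]
SAMPLE_HTML = """<html><body>
<img src="https://ads.tracker.test/pixel.gif" width="1" height="1">
<script src="https://cdn.analytics.test/collect.js"></script>
<img src="/images/logo.png" width="200" height="80">
</body></html>"""

IMG_RE = re.compile(r"<img\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
SIZE_RE = re.compile(r"""\b(width|height)\s*=\s*["']?(\d+)""", re.I)

def find_persistent_cookies(headers):
    """Names of cookies given Expires or Max-Age, i.e. ones that outlive the browser session."""
    names = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            parts = [p.strip().split("=", 1)[0] for p in value.split(";")]
            if {p.lower() for p in parts[1:]} & {"expires", "max-age"}:
                names.append(parts[0])
    return names

def find_web_beacons(html):
    """src of <img> tags sized 1x1 or smaller, the classic web beacon; unsized images are not flagged."""
    out = []
    for attrs in IMG_RE.findall(html):
        size = {k.lower(): int(v) for k, v in SIZE_RE.findall(attrs)}
        if (src := SRC_RE.search(attrs)) and all(size.get(k, 99) <= 1 for k in ("width", "height")):
            out.append(src.group(1))
    return out

def find_third_party_hosts(html, site_host):
    """Hosts other than the site's own that the page pulls scripts or images from."""
    hosts = {urlparse(s).hostname for s in SRC_RE.findall(html)}
    return sorted(h for h in hosts if h and h != site_host)

def privacy_self_scan(headers, html, site_host, promises):
    """Compare observed behaviour with the promises the policy makes; return (kind, detail) findings."""
    findings = []
    if "no tracking cookies" in promises:
        findings += [("persistent-cookie", c) for c in find_persistent_cookies(headers)]
    if "no sharing" in promises:
        findings += [("web-beacon", b) for b in find_web_beacons(html)]
        findings += [("third-party-host", h) for h in find_third_party_hosts(html, site_host)]
    return findings
```

Run over a crawl of the whole site rather than one page, each finding is an item for the risk manager to reconcile with the published policy, either by removing the practice or by amending the promise.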
A Central Business Issue
This is only the beginning. As the amount of personal information captured continues to grow, privacy will remain a central business issue for all organizations. Consequently, the liability to organizations will also continue to increase, making this the opportune time for risk management professionals to play a more active role in the enforcement of their organization’s privacy policies and practices.
Susan Avery is the senior strategic advisor for ARMA International, in Lenexa, Kansas. Mark Greisiger is the founder and CEO of NetDiligence, a cybersecurity assurance services company located in Pennsylvania. He is a frequent contributor to RM on e-Risk and cybersecurity liability topics.