Corporate privacy policy concerns grow: at a time when corporate reporting and governance issues have been dominant, privacy has often been getting too low a priority, lawyers and other experts warn. (Privacy).


Not too long ago, sensitive customer information was tucked away somewhere in an office, often stored securely in a file cabinet. With access restricted to only a handful of employees, such information was generally believed by customers to be "safe."

In an age when that same information is now stored in electronic bytes, able to be shared or displayed to potentially millions of viewers with a click of the mouse, consumer attitudes about privacy have changed dramatically. Customers are growing skittish, and companies are being held to much higher standards for protecting the personal data they obtain.

For example, Federal Trade Commission (FTC) fines stemming from privacy violations can easily reach the seven-figure range, while careless treatment of consumer data can subject a company not only to huge legal headaches but to a public relations nightmare.

Consider the public, media and FTC scrutiny recently levied against a major drug manufacturer when it inadvertently posted the e-mail addresses of more than 600 users of the anti-depressant Prozac. And in a speech last year, FTC Chairman Timothy Muris cited the public's growing privacy concerns and announced a stepped-up agenda calling for a 50 percent increase in FTC resources dedicated solely to consumer privacy.

Yet, strangely enough, says Alan Sutin, a partner at the Washington, D.C.-based international law firm of Greenberg Traurig, many corporate leaders still view privacy as a low priority. "They think it doesn't matter," says Sutin, co-chair of the firm's National Information Technology & E-Commerce Practice. That is, until they "get into trouble."

Many corporations, Sutin adds, are subject to very specific statutes governing how they can use and share protected customer data. Yet even those companies that don't fall under regulatory umbrellas are still being held to increasingly strict privacy expectations. The challenge to corporations, whether regulated or not, is to ensure that their privacy policies are clearly stated, thorough and followed to the letter.

"A general approach that can keep a company safe (from potential liability) is to say what you do and to do what you say," advises Sutin. Companies must clearly tell the public what information is being collected, as well as how it's being gathered, used and ultimately protected. It's "ill-advised" for companies to remain silent about their privacy policies, he says.

"The biggest mistake a company can make is to ignore the problem -- to adopt the head-in-the-sand mentality and assume the problem will go away," concurs Alan E. Brill, senior managing director at Kroll Inc., a New York City-based company providing risk consulting and mitigation services.

Interestingly, he points out that many corporate executives pledged a stronger commitment to data privacy and security following the terrorist acts of September 11. Yet, when it came time to budget for these more proactive operations in 2002, many "balked ... they gave the issue lip service but did not take any action."

Brill maintains that the burden of creating, communicating and enforcing data privacy policies can be eased if approached holistically, with input from all company units and through a process overseen by a privacy officer. Analysis of collected information to validate the good business reasons for collecting it; ongoing investments in data security to close system "holes"; consistency between the privacy policies stated online and in print; and monitoring of all privacy policies for compliance can also go a long way, Brill believes.

Experts likewise advise executives to first determine whether their privacy policies fall under regulatory guidelines. And while there are numerous statutes -- both state and federal -- that address consumer privacy and corporate activities, several key statutes merit special attention.

One is the Gramm-Leach-Bliley Act (GLBA) of 1999, which legislated sweeping changes within financial services sectors, among them the protection of non-public personal financial data. The legislation, which became effective in late 2000, required companies to issue their first privacy notices no later than July 1, 2001, to be followed by privacy notices once every year.

"It is not all that clear" who falls under GLBA, cautions Patricia Faley, vice president, ethics and consumer affairs, at the Washington, D.C., office of the Direct Marketing Association. What is clear, however, is that GLBA's reach extends far beyond the obvious financial institutions, such as banks and credit unions. "Any company that has a substantial financial component" is potentially bound by GLBA, says Faley, including direct marketers, automobile leasing companies, travel agencies, insurance companies, real estate agencies, securities brokers and retailers issuing their own credit cards.

Experts point out that a cottage industry of consultants and software developers has emerged in recent years, poised to help companies establish and draft their privacy notices. The final product, says Faley, should be carefully reviewed by legal counsel and written at a level that can be understood by the majority of consumers -- ideally at a 9-10th grade reading level.

Equally important, she adds, is implementation of a standardized procedure to respond to "opt-out" requests, in which consumers elect to be removed from marketing or solicitation lists. Whether such requests arrive at a company via an 800 number, e-mail, letter or fax, there must be some assurance that these opt-outs are being deleted from a marketing list. "Those employees who answer the phones or open the mail need to know what is a GLBA (opt-out) request and how it should be processed," she emphasizes.

Besides financial data, companies must focus on the treatment of personal health data, says attorney Michael J. Wagner, a partner in the Chicago office of the law firm Baker & McKenzie. Although healthcare entities have already been alerted to relevant privacy rules following passage of the 1996 Health Insurance Portability & Accountability Act (HIPAA), similar attention has not been focused on non-health care employers. Wagner warns that employers, no matter how far their operations might seem to be removed from health care, "would be mistaken to overlook the scope of these health care privacy rules."

Specifically, Wagner stresses that any employer sponsoring a group health plan "should not consider themselves below the Department of Health and Human Services (HHS's) radar." In fact, he points out that virtually any employer who sponsors such a plan with 50 or more participants, or which is administered by a third party, must carefully evaluate its treatment of employees' "protected health information" (PHI).

In a memorandum distributed by Baker & McKenzie to clients, the firm identified key obligations employers face as a result of the new statutes. First and foremost, companies sponsoring group health plans must identify which employees need to access PHI to do their job. Also, in order for a group health plan, insurer or HMO to provide this information to the plan sponsor, the plan documents must be amended to: establish permitted and required uses and disclosures of PHI by the plan sponsor; limit the further use and disclosure of PHI by the sponsor; and prohibit the use and disclosure of PHI for employment-related actions or in connection with other employee benefit plans.

Wagner points out that although the HHS has not yet focused much of its regulatory effort on employer-sponsored plans, it has "clearly indicated concern" about the extent to which some employers use PHI for employment-related decisions. He advises all employers to scrutinize their use and disclosure of PHI, warning that HIPAA itself has provided "significant civil and criminal penalties for violations."

Companies also face potential liability arising out of the privacy requirements in the Children's Online Privacy Protection Act (COPPA), passed in 1999. The legislation requires companies to establish and enforce certain controls over the use of information provided by children under 13, chief among them being parental consent.

While COPPA has not been vigorously enforced, experts point to several high-profile COPPA cases. In one, a 12-year-old boy traded stock online through a major brokerage company. The boy lost thousands of dollars, and his parents sued, ultimately settling out of court. The negative publicity surrounding the case, warn experts, should be a wakeup call to the dangers of anonymous Internet-based transactions and the data gleaned from them.

One of the biggest challenges companies face is to assemble all of the privacy policies from different parts of the organization, believes attorney Kevin D. Lyles. Companies must establish and enforce a "corporate privacy policy" that is applied consistently across all of their operations, whether paper-based or online, Lyles advises.

An added complication is that the privacy standard governing a corporation may not always be crystal clear, observes Lyles, a partner in the Columbus, Ohio, law office of Jones, Day, Reavis & Pogue. When in doubt, he says, a company should identify the most stringent privacy standards affecting their operations, then use them as the bar for comparing all privacy policies.

The bottom line, Lyles emphasizes, is that corporate executives must "understand the regulatory environment that their corporation is subject to, and understand how their company is collecting, using and disclosing this information. They need to make privacy a high-priority issue, in which policies and procedures are drafted, approved and followed."

RELATED ARTICLE: AREAS TO FOCUS ON:

* Potential FTC violations

* Strict compliance with internal codes

* Drafting policies consumers can understand

* Policies allowing "opt-out" requests

* Privacy of personal health data

* Controls on information use by children

Privacy Policies: Questions to Ask

Experts stress that there is no magic formula for creating a foolproof privacy policy. Instead, each company must carefully evaluate its business, customer base and the regulatory environment in which it operates as the foundation for building specific privacy policies.

"It's not an easy task to get your arms around," concedes Dr. Larry Ponemon, CEO of the Privacy Council, a Richardson, Texas-based organization providing customized privacy-related consulting, technology and training to companies. Yet even though Ponemon believes there are "no absolutes" when crafting a company-wide privacy policy, he offers a number of questions to serve as a guide. For instance, what are the privacy risks that pertain to my company and what risks cause the greatest threat to my company's brand or image? Also, what are the costs of complying with new or emerging privacy regulations in the U.S. and abroad?

In addition, he says, executives should ask if their company:

* Has a high-level officer with responsibility to oversee privacy compliance.

* Has a privacy policy, and communicates it clearly to all relevant stakeholders such as consumers and employees.

* Provides training to key personnel who handle or use sensitive personal information.

* Monitors compliance with the stated privacy policy.

* Takes reasonable steps to secure personal information from unauthorized parties.

* Assesses and attempts to mitigate privacy and data protection issues related to business partners and contractors.

* Has a redress program for customers and employees to address issues and concerns about their personal data.

* Strictly and consistently enforces violations throughout the company.

"For several years now, businesses of all sizes have struggled to be responsible citizens with the data they collect. But today, the laws are so demanding, and the new technology so complex, that many companies are at a loss of where to begin," observes Ponemon. Exploring these questions with a willingness to devote the resources necessary to addressing them can be a strong first step.

Barbara A. Morris is a freelance business writer in Oakland, N.J., who writes frequently about risk management subjects. She can be reached at barbara.morris@worldnet.att.net.
COPYRIGHT 2002 Financial Executives International
Article Details
Author: Morris, Barbara A.
Publication: Financial Executive
Geographic Code: 1USA
Date: Jul 1, 2002
Words: 1872