Part I of this Article introduces the need for companies in all industries to conduct a privacy and information security risk assessment, and identifies some of the preliminary steps for this assessment. Part II of this Article will identify the remaining steps necessary for a thorough and effective assessment.
Privacy and security must be critical areas of concern for any company that maintains personal information about customers or employees. New laws are being created by the states on a weekly basis. Federal regulators are issuing new rules routinely. Congress continues to debate new federal legislation. Various business groups are releasing "best practices" guidelines or developing binding contractual commitments concerning privacy and security. And courts are being flooded with new kinds of privacy/security claims, all trying to cash in on the almost constant publicity surrounding security breaches, identity theft and privacy concerns.
These developments all point in the same direction - the privacy and security environment is becoming more complicated, more risky and more regulated, and is having a substantial impact on virtually every company. For some companies - those in the healthcare and financial services industries for example - these concerns are not new (although the overall complexity is growing). For many others, it is now time to realize that these problems are real, that the risks are significant, and that it is time to get a good understanding of the full range of privacy and security issues affecting your company.
So, what can you do to get started? What you need is a privacy and security assessment, one that permits your company to evaluate its primary areas of legal obligation and to identify those areas that are most likely to create risk.
This assessment is not designed to answer all of your privacy and security questions - but it is a good starting point to consider areas of primary concern for your company. The key to an assessment is to identify how your company gathers, stores and discloses personal information about customers, employees and others. If you are an "unregulated" company - a typical retailer, for example - the goal will be to meet a reasonable baseline of privacy and security standards, as set by the Federal Trade Commission, numerous state laws and a variety of best practices that apply to personal information, largely independent of business context. If you're a tax preparer, a cell phone company, a bank or a health care company, you will have additional requirements and concerns specific to your business. But, for any company that creates, maintains or discloses personal information about customers and/or employees, you need to have an approach to dealing with each of the areas identified by this assessment, to allow you not only to identify and manage risk, but also to take reasonable - and sometimes surprisingly easy - steps to reduce your overall exposure.
Conducting An Effective Privacy And Security Assessment
The key goal of a privacy and security assessment is to understand where data exists within a company, where and how it is being gathered, where it is stored, and what is done with this data. Many of the publicized security breaches from the past few years result in widespread head scratching: why did the government employee take 26 million social security numbers home with him at night? Why did the regional manager have so many employee records on a laptop? Why were social security numbers provided to a vendor in order to run a consumer satisfaction survey? When companies conduct these assessments, they can understand what kinds of information exist within their companies and what is done with it. This assessment - which should focus on all personal information about customers and employees - will provide a baseline not only for assessing what laws and regulations are relevant, but also for creating an integrated, overarching approach to data protection. Until you know what data you have and what is done with it, you cannot have effective privacy and security compliance.
So, what are the key areas to evaluate in your assessment?
While privacy came out of the box first, concerns about information security now dominate the landscape for the protection of personal information. And, despite the enormous publicity about security breaches and the increased regulation of security practices, visible security failures are almost constant. This means that increasing and improving security protection for sensitive personal information must be at the top of the priority list - for any company, encompassing retailers, online merchants, banks, schools, health care entities and the rest of corporate America. The challenge of the security component of your assessment is to identify current practices and, more significantly, define gaps where security procedures are not appropriately focused on responding to regulatory obligations and practical risks.
This assessment effort needs to focus on two broad categories of activities. First, companies need to recognize the increasing regulation of information security practices - from the Federal Trade Commission's "best practices" to the new standards imposed for any company that accepts credit cards. Companies need to review these requirements, and implement appropriate security practices to meet these standards. Remember - security perfection is not required, but failures based on inadequate practices will be visible, prominent and attacked by a wide variety of constituencies. Also, if your company accepts credit cards, be aware of the new "PCI" (Payment Card Industry) security standards and the increased contractual commitments your bank and credit card company likely will seek from you with respect to your security practices.
Beyond these overall compliance requirements, companies next need to focus on practical employee training and developing an effective overall security program. This security program needs to recognize that security is not just about controlling your computer network - security breaches encompass a wide range of problem areas, certainly including hackers, but also encompassing paper files, lost data tapes and a variety of physical security measures. Since many of these areas are outside the domain of an information technology department, the first challenge for many companies is figuring out who should run an overall information security program.
In addition, beyond these programmatic efforts, individual behavior can greatly affect information security. Whether it is enforcing password requirements, dictating new practices for the protection of laptops or simply teaching your employees how to protect information - and how to stay away from sensitive information that is not legitimately part of their work - effective and practical training can go a long way towards reducing security risk.
Core Privacy Issues
Beyond many of these security practices, there are a wide variety of substantive privacy laws that restrict how specific kinds of personal data can be used and disclosed. The health care privacy rules (HIPAA) and the financial services rules (from the Gramm-Leach-Bliley Act) are two of the most prominent. In addition to these industry-specific legal requirements, there is an emerging array of "best practices" for the collection, use and disclosure of personal information across industries, which are supplemented by a variety of additional context-specific requirements. Your privacy assessment should be designed to help your company identify the primary uses and disclosures of personal information, so that you can concentrate on the relevant rules and best practices applicable to your business.
One of the key areas of concern for many businesses relates to how customer information is used for marketing purposes, both by the company that initially collected the information and by others to whom this information is disclosed. Accordingly, while the standards vary somewhat by industry, most companies conduct marketing activities that require compliance with, and awareness of, the numerous marketing-related privacy rules. In many ways, a desire to restrict marketing activities has been driving many of the most prominent privacy rules. Furthermore, Congress and federal regulators (along with their state counterparts) continue to struggle with what the dominant privacy principles should be. Nonetheless, companies need to assess their marketing activities to determine whether they trigger compliance obligations under any of these privacy principles.
The most prominent marketing rule is the "Do Not Call" list, enforced primarily by the Federal Trade Commission and the Federal Communications Commission. This highly visible and widely supported rule creates substantial compliance obligations for any company that conducts telemarketing activities of any kind, encompassing not only the overall Do Not Call list, but also the development of a "company specific" Do Not Call list for existing customers. The law requires significant monitoring and training of company agents as well, whether telemarketing firms or others that may be selling your products for you. There have been substantial fines for violations.
There are separate rules related to email marketing and fax marketing. The fax marketing rules are still under development, with regulators struggling to evaluate whether to allow fax marketing to pre-existing customers. On the email front, in recognition (so far) of the fact that a "do not email" list will likely be unsuccessful, the rules essentially permit "one free email" - but require companies to provide an ability for consumers to opt out of future marketing emails. Companies must make sure they have a means of receiving and policing these "opt-outs."
Beyond these core provisions, there are various other marketing-related principles. The COPPA rules apply if companies collect information online from children for use in connection with marketing or for any other purpose. This rule requires specific permission from parents (and documentation of this permission) before children's information can be collected. This is a high-risk area - be very cautious if your company has any dealings with the online collection of information about children.
Also, be aware that the Federal Trade Commission enforces privacy commitments made on company websites. This enforcement has the potential to affect a greater number of businesses since more companies operate websites and use them to conduct business than conduct regulated marketing activities. If you make commitments on your website or in your company policy about how you will use personal information, whether in the marketing context or otherwise, you need to make sure that you follow through on these commitments.
On the whole, the privacy side of this assessment needs to (1) identify the kinds of information collected from customers, employees and others; (2) assess what happens to this information once it has been collected; and (3) evaluate the channels and purposes for disclosure of this information, to business partners, vendors and others.
Kirk J. Nahra heads the Privacy Practice at Wiley Rein LLP in Washington DC. He is a Certified Information Privacy Professional, and is the Chair of the Confidentiality, Privacy and Security Workgroup, of the American Health Information Community (AHIC). He can be reached at (202) 719-7335.
© Wiley Rein LLP. This article was previously published in the summer 2008 issue of the Journal of Communications Technology in Higher Education.