more on New Year's Privacy Resolutions for Businesses: The Other Side of the Coin

[David Farber <dave () farber net>]

------ Forwarded Message
From: "Prof. Jonathan Ezor" <jezor () tourolaw edu>
Date: Tue, 28 Dec 2004 16:40:52 -0500
To: <dave () farber net>
Subject: RE: [IP] New Year's Privacy Resolutions for Businesses: The Other
Side of the Coin

Dave,

Thanks for forwarding EPIC's consumer resolutions.  In response and in
connection with a book I'm working on, here are 10 resolutions for
businesses
and organizations that want to be responsible about privacy:

1. Prioritize privacy.  Even if your organization is not in a field
covered by explicit privacy laws (at least here in the US), such as health
care (HIPAA) or financial services (Gramm-Leach-Bliley), being responsible
with customer and employee information should matter to you.  It certainly
does to regulators and the people whose information you have.  Just ask Mrs.
Fields Cookies ($100,000 fine in 2003 for violating Children's Online
Privacy
Protection Act by launching Web-based birthday clubs for kids without
getting
verifiable parental consent) or Tower Records (FTC settlement in 2004 for
violating its own privacy policy).

2. Make it someone's responsibility.  Appoint a Chief Privacy Officer or
at least add oversight of privacy issues to the duties of someone within
your
organization.  Make sure the person given that duty also has the time,
training and resources to do the job right.

3. Draw yourself a map.  Do an organization-wide survey to identify each
way that personally-identifiable information comes in, is moved within and
may move out again, and what information you are actually collecting.
Consider not only your Web site but e-mail, snail mail, faxes, 3rd party
databases and research, telephone calls, business partners, service
providers, etc.  Be expansive in your investigation.  Repeat every few weeks
or months as your business processes may change.

4. Fact-check your privacy policy (if you have one).  Saying "we won't
share your information with third parties" may be comforting to customers,
but it's generally incorrect.  Everyone from your Web host to UPS and FedEx
may get customer information from you in the ordinary course, which isn't
necessarily bad, except that it could violate your own public statements on
privacy.  That's where you can get into trouble.

5. Don't trust your own data about how you use others' data.  Ask a
privacy professional or knowledgeable attorney to do a privacy audit of your
organization.  An outsider, particularly an experienced one, will likely
find
something you miss.

6. See the world.  Remember that, in the Internet age, most
organizations are international even without intending to be.  Read up on
privacy laws of other nations (if you're in the U.S., pay particular
attention to the EU Data Protection Directive and the related Safe Harbor at
<http://www.export.gov/safeharbor/>).  Consider how you or your employees
might be held liable in some other country for something you do (or don't
do)
where you are (see the recent eBay India employee case for a parallel
example).

7. Lock the doors.  Make sure that you have both physical and electronic
security in place for any collections of customer or employee information.
Make sure that your hosting company or other offsite storage providers do
likewise (e.g. encrypt stored credit card records).  Remember little things
like open wireless nodes that may offer malicious hackers access into your
network (such as Lowe's Hardware suffered earlier this year).

8. If problems arise, deal with them openly and quickly.  Customers and
law enforcement officials alike expect that, if the worst happens and
private
information is accessed without permission, the company will take quick
action in terms of notification and closing the open holes.  California
expressly requires this
(<http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_200209
2
6_chaptered.html>).

9. Create a privacy-friendly culture.  Make sure every employee
understands the need to protect personal information, and the risks to the
organization of failing to do so.  Hopefully, this will help you avoid
situations like the August 19, 2004 conviction of a hospital employee
convicted of HIPAA violation for stealing a cancer patient's identity
(<http://www.usdoj.gov/usao/waw/press_room/2004/aug/gibson.htm>).

10. Don't ask for more than you need.  If you want a numeric identifier
for customers, don't ask for a Social Security number unless you truly need
it for its intended use.  Don't have your cashiers ask for home phone
numbers
merely to have the info., since many customers will balk and the cashiers
will punch in random numbers, invalidating the collection anyway.

{Jonathan}

-------------------
Prof. Jonathan I. Ezor
Assistant Professor of Law and Technology
Director, Institute for Business, Law and Technology (IBLT)
Touro Law Center
300 Nassau Road, Huntington, NY 11743
Tel: 631-421-2244 x412  Fax: 516-977-3001
e-mail: jezor () tourolaw edu
BizLawTech Blog: http://iblt.tourolaw.edu/blog






------ End of Forwarded Message


-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/