In his last column [www.infosecnews.com/opinion/2002/05/15_04.htm], Bill Van Emburg discussed the urgent requirement for companies to address the privacy of their customers' data.
In this article, he describes three easy steps to achieve this.
1. Security
Security and privacy can and should be addressed at the same time. Good security will protect the consumer's privacy and ensure that there are no unintended leaks of personal information. However, security has to be pervasive throughout your entire organization and that of your business partners and vendors. People at every level in each organization that services your customer must understand their personal role in protecting the company, and its customers. It is very difficult to do this, so dedicate full-time resources to the effort, and consider involving outside assistance. You need to work with firms who focus on security and privacy concerns full time. Consider outsourcing infrastructure tasks to companies that can demonstrate a thorough integration of security into their entire service offering.
Consider internal security risks, not just the external risks. More than half of all security breaches originate from inside a company. Implement a policy of "minimum privilege," where information is made available only to those within your organization who have a need to know. If you are careless about information controls, then even without a security breach, consumer privacy can be adversely affected. For example, without the proper security measures in place, you might make a customer's private information available to parties within your own company that don't have a need to know. This increases the odds that someone will abuse that access and use the information in an inappropriate manner. The same is true when you expose information to vendors and partners. Limit third parties to the information that they must have to meet the customer's needs. Do not simply transfer all information about your customers, even though it may be easier to do so.
At Quadrix Solutions, we instruct our staff "any information you don't need to see, you don't want to see." This means that, even when there is no specific security control in place to prevent access to a particular piece of information, we have created a culture that understands the personal role each individual plays in protecting our customers' corporate information. That protects us from the appearance, or reality, of inappropriate activity or inadvertent disclosure.
You should also log all access to personal information so you can document that no inappropriate access has taken place, and identify violations of privacy if they have occurred. It is important to audit these logs regularly, to protect your customer's privacy and uncover security breaches or unnecessary access to information.
Authentication is one of the toughest security issues. It is extremely difficult to ensure that all parties in a transaction, whether it is electronic, phone or in person, are accurately reflecting their true identities. A computer can easily generate all possible four-digit PIN numbers, thereby stealing the customer's identity. This is further complicated by the unimaginative passwords most people choose. You need to engage an expert to ensure that the security steps you take are adequate and appropriate for the service you are providing.
Finally, carefully consider the consequences of the products and services your company offers. Identity theft is one of the fastest growing crimes worldwide. The ability to correlate information from multiple databases, and the continued deployment of new services that expose even more data, make it much cheaper and easier for cyber criminals to steal someone's identify. Often, these criminals don't break into a company's systems. Rather, they leverage information that companies readily make available to anyone who will pay. Nonetheless, the increased online availability of information does create more points of entry for breaking into company systems, and this makes the criminal's job easier. Since there is no such thing as 100 percent security, companies need to make a substantial, ongoing commitment to security.
2. Opt-In
"Opt-in" means that a customer actively requests that their information be used for the purposes for which it is actually used. Avoid default subscriptions wherever possible, and make sure the customer can plainly see what you intend to do with their information. Relying on opt-in mechanisms ensures that a customer's information will be used solely for its intended purpose. A verifiable opt-in enables companies to confirm that customers really did request to be included in the company's marketing outreach. This benefits the company, because customer complaints are reduced, and it increases the effectiveness of the campaign, because the recipients are more likely to have an interest in the offer.
To help companies deal with consumer privacy complaints, they need to explain, in every marketing message, how and why customers received this information, and what customers can do if they no longer wish to accept future mailings.
A company should clearly state how the consumer's information would be used. Don't rely on a complex privacy policy statement! While this will protect you legally, the "assumption" that the customer wants to opt-in, without any other action on their part, won't make them happy.
Successful, customer-focused companies that strive to protect the consumer's privacy, rely solely on opt-in, and provide clear, easy to understand information on how they will use a customer's information, have much happier customers.
3. Business Partners and Vendor Relationships
Another key piece of the puzzle is a company's business partners and vendors. You must continually evaluate the security measures of your business partners and vendors, ensuring that the customer's privacy is protected. Beyond the legal protection you have, vis-à-vis the contractual business relationship, you need to audit the privacy statement and security measures that your business partners and vendors employ. Unfortunately, the scope of the audits that many companies perform may not adequately validate that privacy controls match the requirements of the company. Companies must make certain that business partners and vendors neither put the customer information at risk, nor use the customer information inappropriately.
Summary
Companies should take the high moral ground on privacy to quell the frustration that consumers have over their lack of privacy, and to enhance the value of their communications and marketing programs. Industry should lobby lawmakers to prevent additional pieces of legislation that companies need to monitor, document and address. There should in the United States be one federal law that makes compliance easier and delivers value to those it is trying to protect. Existing regulations do not achieve these simple objectives, and therefore waste dollars that could be better spent.
Bill Van Emburg is COO of Quadrix Solutions (www.quadrix.com), a custom systems integrator and managed co-location solutions provider.