« My Son the Spam Copywriter... | Main | Really, what IS enough? »

March 30, 2005

It's like insurance or data backups...

You don't think you need it - until you need it. Privacy Compliance. Often considered by many or most corporations as a major pain in the rear - until there is a major privacy or security issue to deal with. Security breaches. Stolen data. Corporate espionage. Class action law suits. There is a lot to be wary of.

I ran across this article at ComputerWorld in my IAPP Daily email alert - Regulations should be Impetus for Standardization - now, it is really more of an "infomercial" or advertisement written like a news story, but I think the lead in characterizes the problem space well:

Privacy and data security regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley (SOX) are viewed unfavorably by many who perceive them as inefficient business cost centers. But the various industries affected by these regulations should take the opportunity to standardize business practices around the regulations in order to create greater business efficiencies and enhance compliance.

Most industries have some US federal regulations or legislation that must be adhered to as a cost of doing business. Don't forget the numerous state level statues regulating privacy and security issues. If you are a global company, you are dealing with much stricter standards already - mostly in Europe. If you are a smaller corporation or company anywhere, even one not in a highly regulated industry - just having customer and employee data puts you at risk.

The bottom line - pay some attention, alot if you can. If you can't pay a lot, a little may not be enough - but is better than nothing.

If you can, elect a privacy officer. Make it someone's job to be the internal watchdog. Embrace this "cost center" and make it an efficient entity in your business.

If you can't hire someone explicity to cover privacy for your organization, at least designate some combined coverage for oversight at a minimum. A "privacy council" could work - a few representatives from key areas in your staff: legal, operations, IT, HR, and Sales.

Privacy touches all aspects of an organization - so make sure your owner and/or privacy team has access to those groups or reflects that diversity.

Privacy issues for businesses today are only going to become more prevalent. Technogical advancements at nearly alarming pace have ushered in an age where individuals are being serviced online or wirelessly in already ubiquitous manners. Email, IM, Blackberrys, Tivos, Cellphones, Treos, PalmPilots, Sidekicks. As Peter Hoskins recently reported:

• There are now over 500,000,000 Java enabled phones in the world
• The majority of the world will first experience the internet through their mobile phones
• There were a BILLION wireless devices sold last year, and around 100 million PC's

Just think of the service industries and businesses taking advantage o the market opportunities there. Then think of the hackers, phishers, and other bad actors also targeting their customers. Protecting those customers from harm must be actively managed in a measured fashion.

Oh, and don't forget traditional, offline business models and data storage. Just because you may not be an online business, doesn't mean you aren't a target.

The business world changes fast and it can be hard to keep up. This is especially true with protecting your customer data and assets - and the importance of privacy and security can be easily overlooked.

Don't get caught in a privacy mess, just because compliance is a pain, or an extra cost. The one time (or next time) you have an issue, being prepared could be the thing that saves your business. You only get one privacy mulligan in the court of public opinion (if you are lucky). Try not to need it.

Posted by gcrgcr at March 30, 2005 8:55 PM

Comments

Excellent post!

You may well have already seen it, but Bruce Schneier recently posted (again) on just this very topic:

http://tinyurl.com/18r

From Schneier's post: "Many people innocently believe that they're safe from credit card fraud and identity theft in the brick and mortar world. Nothing could be farther from the truth. The vast majority of incidents can be traced to skimming, dumpster diving, and just plain stupidity among those who "own" our personal data."

This also points to one of the creepier privacy issues around these days, brought into sharp relief by the Choicepoint upheaval: you don't "own" your own data, and the companies that do generally have little, if any, obligation to you regarding whether they keep that data, how they store it, or what they do with it.

Posted by: whit at March 31, 2005 6:18 AM

Post a comment