Privacy has become a strategic and fundamental issue among organizations today. It has grown from an internal part of corporate policy to a subject studied by governments and scrutinized by the news media. When handled properly, customer information is a valuable resource for organizations. If this
information is mishandled, it can be a tinderbox of bad press and potentially costly lawsuits.
Many companies are in the process of creating, re-evaluating or reinforcing policies surrounding privacy in an attempt to comply with newly imposed standards. While some of these standards apply to particular verticals or industries, all organizations are touched by the gravity of mishandling information.
Some of the most prominent standards surrounding privacy include the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Children’s Online Privacy Protection Act (COPPA), the European Privacy Directive, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
Failure to protect personal information that has been gathered online and manage it appropriately once captured puts organizations into a vulnerable and potentially liable situation.
According to Privacy & American Business, the U.S. court system had presided over $50 million worth of settlements for privacy-related violations by the year 2000. In the last two and a half years alone, that number has increased to upwards of $111 million, with millions of dollars of still-pending cases in the works. In today’s economic climate, both private and public sector organizations are recognizing quickly that privacy violations are not to be taken lightly.
Companies such as Mrs. Fields Cookies, Hershey Foods and Eli Lilly all faced the Federal Trade Commission in 2002 for violating privacy standards and received negative public scrutiny.
Mrs. Fields and Hershey Foods were both charged with not adhering to COPPA standards by collecting personal information from children without first obtaining the proper parental consent, and had to pay civil penalties. Eli Lilly faced charges for the unauthorized disclosure of sensitive personal information collected from consumers on its Prozac.com and Lilly.com Web sites. In May 2002, the FTC ordered the company to establish a security program to protect its consumers. In addition, Eli Lilly agreed with state attorneys general to pay damages.
Most companies recognize that this is a concern that is not going away, and that privacy is not an issue where shortcuts can be taken. However, many organizations face the problem of simply not knowing whether they are in compliance with all of these standards, and they don’t know where to start on the path to compliance. Organizations today certainly do not want to discover gaps between their Web privacy policies and their actual data-handling practices by way of a lawsuit or a news story.
Knowledge is power
As compliance deadlines for many of these standards loom, many enterprises are appointing C-level executives to oversee privacy issues. Chief Privacy Officers are becoming the norm in corporate boardrooms. The mere presence of a privacy executive, however, does not by itself prevent breaches from occurring.
The first step in preventing such privacy violations is to gain control of the Web site. By taking a proactive approach to privacy and becoming familiar with all of a Web site’s privacy touch points, organizations will find it easier to curb violations and manage information.
A powerful solution for concerned organizations is the use of Web quality management software that monitors a Web site 24/7 and provides detailed reports of any potential issues. With Web sites increasing in size and importance, it is imperative that site scanning is automated to provide the coverage and timeliness required in the dynamic Web world.
Vendors have created tools that are designed to scan and test Web sites for privacy breaches, checking each Web page against the standards that apply to the organization’s industry and the type of information that is acquired. For example, a medical center’s Web site must meet all standards outlined in HIPAA, whereas a toy company’s site geared to children should adhere to COPPA’s standards. The same solution can be customized for each organization based on its needs and requirements and the type of information that is collected online.
Companies can also monitor their Web sites to ensure the presence of privacy-policy links and P3P compact policies, highlight pages that carry Web beacons (tiny tracking images loaded from a third-party host), and identify pages whose forms collect personal information without proper security, such as a form that submits data over an unencrypted connection.
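The checks just listed can be expressed as a small static scan over one fetched page. The following Python script is an added illustration and is not Coast Software’s product or any code from the original article; it runs against a constructed sample page and headers embedded in the script. The list of field names treated as personal information, and the heuristic that a 1x1 image served from another host is a Web beacon, are assumptions made here for the example.

```python
"""Static privacy checks for a single fetched Web page:
   1. a privacy-policy link is present,
   2. a P3P compact policy is sent in the HTTP "P3P: CP=..." header,
   3. Web beacons (1x1 images loaded from a third-party host),
   4. forms that collect personal fields but submit over plain HTTP or via GET.
Example code, not the product described in the article."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed list of form field names that carry personal information.
PERSONAL_FIELDS = {"name", "email", "phone", "address", "ssn", "dob", "birthdate", "password"}


class _PageParser(HTMLParser):
    """Collects links, images and forms (with their input names) from HTML."""

    def __init__(self):
        super().__init__()
        self.links = []    # (href, link text)
        self.images = []   # attribute dicts of <img> tags
        self.forms = []    # {"action", "method", "fields"}
        self._cur_link = None
        self._cur_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._cur_link = [a.get("href") or "", ""]
        elif tag == "img":
            self.images.append(a)
        elif tag == "form":
            self._cur_form = {"action": a.get("action") or "",
                              "method": (a.get("method") or "get").lower(),
                              "fields": []}
            self.forms.append(self._cur_form)
        elif tag == "input" and self._cur_form is not None:
            self._cur_form["fields"].append((a.get("name") or "").lower())

    def handle_data(self, data):
        if self._cur_link is not None:
            self._cur_link[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur_link is not None:
            self.links.append(tuple(self._cur_link))
            self._cur_link = None
        elif tag == "form":
            self._cur_form = None


def scan_page(page_url, headers, html):
    """Return a list of privacy findings for one page (empty list = clean)."""
    parser = _PageParser()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []

    # 1. Privacy-policy link: look for "privacy" in the href or link text.
    if not any("privacy" in href.lower() or "privacy" in text.lower()
               for href, text in parser.links):
        findings.append("no privacy policy link")

    # 2. P3P compact policy: delivered as an HTTP header of the form P3P: CP="...".
    p3p = {k.lower(): v for k, v in headers.items()}.get("p3p", "")
    if "cp=" not in p3p.lower():
        findings.append("no P3P compact policy header")

    # 3. Web beacons: 1x1 images fetched from a host other than the page's own.
    for img in parser.images:
        src = urljoin(page_url, img.get("src") or "")
        src_host = urlparse(src).hostname
        tiny = img.get("width") == "1" and img.get("height") == "1"
        if tiny and src_host and src_host != page_host:
            findings.append(f"web beacon: {src}")

    # 4. Forms with personal fields must post over HTTPS (GET leaks data into URLs/logs).
    for form in parser.forms:
        personal = sorted(f for f in form["fields"] if f in PERSONAL_FIELDS)
        if not personal:
            continue
        action = urljoin(page_url, form["action"] or page_url)
        if urlparse(action).scheme != "https":
            findings.append(f"insecure form: {action} collects {', '.join(personal)}")
        if form["method"] != "post":
            findings.append(f"form uses GET for {', '.join(personal)}: {action}")
    return findings


# Constructed sample: a sign-up page with several problems.
BAD_URL = "http://www.example.com/signup"
BAD_HEADERS = {"Content-Type": "text/html"}          # no P3P header
BAD_HTML = """<html><body>
<a href="/about">About us</a>
<form action="/register" method="post">
  <input name="name"><input name="email"><input type="submit">
</form>
<img src="http://tracker.example.net/pixel.gif" width="1" height="1">
<img src="/logo.png" width="200" height="60">
</body></html>"""

# Constructed sample: the same page after remediation.
OK_URL = "https://www.example.com/signup"
OK_HEADERS = {"Content-Type": "text/html", "P3P": 'CP="CAO DSP COR"'}
OK_HTML = """<html><body>
<a href="/privacy">Privacy Policy</a>
<form action="/register" method="post">
  <input name="name"><input name="email"><input type="submit">
</form>
<img src="/logo.png" width="200" height="60">
</body></html>"""

if __name__ == "__main__":
    for url, hdrs, body in ((BAD_URL, BAD_HEADERS, BAD_HTML), (OK_URL, OK_HEADERS, OK_HTML)):
        print(url, scan_page(url, hdrs, body) or "clean")
```

Running the script reports four findings for the first page (missing privacy link, missing P3P header, a third-party beacon, and a form sending name and e-mail over plain HTTP) and none for the second. A site-wide scanner would apply the same function to every page of a crawl and keep a per-page history so that a regression, such as a newly added tracking pixel, shows up in the next report.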
An enterprise-sized seatbelt
While the number of honest and legitimate companies collecting information vastly outnumbers their nefarious counterparts, it is important that all organizations take action to reduce the mismanagement of information. Installing Web quality management software can serve as a kind of insurance policy, a proactive step toward reducing the mismanagement of information. Breaches in compliance can be addressed as soon as they appear, and employees will understand that privacy is being taken seriously. Ignoring privacy laws is like ignoring the seatbelt law: it’s only a matter of time before one is either caught or seriously injured.
Paul Saunders is the president and CEO of Coast Software Inc.