With e-commerce now an integral part of many companies' business strategies, privacy of information is high on the security manager's agenda. Jerry Johnson offers some practical advice on establishing a privacy strategy.
No issue is more important to e-commerce enterprises than customer privacy and data security. Companies in the business of selling goods, services or information on the Internet, and that use technologies to track, evaluate and customise their clients' online experience, need a privacy strategy.

Privacy is a serious concern both for businesses and consumers. According to a study by Harris Interactive for IBM, 54% of those consumers questioned said they had made decisions not to purchase items online because they were concerned about how companies would use personal information collected on the Internet. If a company is not addressing this problem, potential revenue may be lost.

Today, perceived misuse of client data can seriously damage a company's relationships with its customers and business partners. Similarly, shoddy privacy policies can pose significant legal risks.

Until recently, Internet privacy policies – loosely covering everything from customer database development to profiling and management – were primarily a question of business ethics, not of law. They were handled by Internet industry-led voluntary standards and certification organisations (such as TRUSTe, BBBOnline and VeriSign). These organisations established standards, and lent their seal of approval to those who complied with them in the handling of personal information.

However, that environment has changed. Within the last year a number of high-profile companies, some of them certified by these voluntary organisations as having trusted privacy policies, have incurred the wrath of both consumers and the courts.

Amazon.com is a prime example. Controversy was sparked by Amazon's publication of lists of readers' buying habits, grouped by post code and place of employment. The disclosure not only caused a furore, but also prompted dozens of lawsuits. In the States, Amazon.com was pursued in court by individuals and by state attorneys general, and was reportedly the subject of an investigation by the Federal Trade Commission (FTC).

A strategy for data privacy
As a security manager, you may need to draw up a privacy policy, so what should you do? Based on thorough analysis, here are just a few of the ideas that Brodeur Worldwide's issues management team recommends:

  • Make privacy policy and data security a part of your daily operations. Within your organisation there need to be clear lines of responsibility for the implementation and maintenance of your company's privacy policy. Security managers employed by e-commerce companies will also need a process to monitor how well privacy policies are being enforced, and must revise those policies as the company develops and as new standards are created.

  • Establish a de facto chief privacy officer (CPO). Whether purely in name or in function, companies involved in e-commerce should have a central point of contact for all privacy matters. According to the Association of Corporate Privacy Officers, the CPO's role includes: privacy policy-maker, watchdog and privacy policy enforcer, strategist on how to use the privacy policy to support the brand, ombudsman in fielding outside complaints, and advisor to the CEO/managing director.

  • Know how to communicate your privacy policy, both internally and externally. Make sure that your company's privacy policies are not only understood by top management, but throughout the organisation. Have a clear idea on how you will present and explain your privacy policies to external audiences.

  • Know the privacy and data policies of your company's business partners. Your own privacy policies may be terrific, but what about those of your business, distribution and/or marketing partners? What standards have you set for them? If you are sharing information with them, how do you know that it is being handled safely?

  • Make sure your privacy policy is in line with current UK law, including the Data Protection Act 1998, the Human Rights Act and the Lawful Business Practice Regulations. The OECD has produced the Privacy Policy Generator to guide companies in developing policies that fit current international voluntary guidelines. This is well worth checking out.

  • Be prepared to make technological investments in order to maintain compliance with privacy standards. Current standards focus on three major areas: notice that data is being collected, choice over what information is collected, and assurance that information will not be shared unless the user is notified.

  • Take another look at your company's or client's business model. If it relies on the use of consumer information to generate revenue, be aware that someone may have to defend it before venture capitalists and the stock market. The question is how the debate over privacy will affect that business model: the current privacy debate is a direct threat to any company that relies on sharing user information as a means of gaining revenue.

  • Involve yourself in one or more of the available privacy initiatives. There are several organisations and ad hoc coalitions involved in working through issues pertaining to privacy standards (see box story on 'Data privacy', below). E-commerce businesses should join one or more of these bodies, if only to better monitor progress and determine opportunities to make their own views known.

    Data privacy: handy hints for the security manager

    Security managers needing further information about data privacy and related issues would do well to take a look at the following Internet sites:
  • Association for Interactive Media (AIM), http://www.interactivehq.org/
    This site offers a compilation of useful links to organisations active on the privacy issue.
  • Better Business Bureau Online, http://www.bbbonline.org/
    Read about the BBBOnline Privacy Program, and the benefits of being a participant.
  • Electronic Frontier Foundation (EFF), http://www.eff.org/
    The EFF works in the public interest to protect computer data and Internet privacy. This site shows security managers where their company can obtain relevant information on data privacy, and how it might then implement a privacy strategy.