Consumers expect their personal information will be used in a manner that does not surprise them. This article provides best practices to process consumer data by the standard of due care. Sanctions and consequences can be severe in the event of a data breach or misuse of consumer data.
I. Consequences of a privacy breach
The Federal Trade Commission will investigate when a consumer privacy violation or data breach occurs in the United States. If the privacy policy provides strong assurances of protection, the FTC may cite the company for deceptive trade practices. Otherwise, they cite unfair trade practices instead. Either way, reputational damage is incurred as the FTC's findings circulate through mainstream media. The FTC also typically requires independent privacy assessments over 20 years. This equates to falling under scrutiny of a new regulator. There is a cost to maintaining that relationship as well.
Class action lawsuits may be filed for privacy violations. Facebook recently incurred a $9.5 million settlement over its Beacon program. It displayed users' activities from other websites in their Facebook news feed, including what they bought on shopping sites[i].
States may levy fines for privacy violations. California recently enacted a law requiring mobile privacy policies to be "conspicuously" posted, with a penalty of $2,500 per downloaded application. Delta Airlines was cited for non-compliance[ii]. The court case has not concluded yet.
Failure of privacy controls can have consequences too. While investigating improper access to contact data without consent, the FTC discovered Path allowed some users to register for accounts in violation of the Children's Online Privacy Protection Act (COPPA). That resulted in a fine of $800,000[iii].
Microsoft is using privacy as a competitive advantage. Here is a quote from the "Scroogled" website: "Google goes through every Gmail that's sent or received, looking for keywords so they can target Gmail users with paid ads. And there's no way to opt out of this invasion of your privacy. Outlook.com is different - we don't go through your email to sell ads."[iv]
II. Privacy laws and regulations
Privacy requirements are decentralized. Disclosure laws vary by state and country. They all require companies to give notice to consumers and to keep their data secure. The FTC provides five core principles of privacy protection: Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security and Enforcement/Redress[v].
Privacy laws evolve monthly in response to changes in technology. The advent of facial recognition and Big Data has privacy implications[vi]. 'Do Not Track' functionality is being implemented in browsers to enable consumers to declare their privacy preferences. There is a proposal in the European Union to allow individuals to have their personal information deleted at their request. A privacy attorney can help navigate applicable laws and how they apply to your organization. Seek advice from an attorney that holds a privacy certification such as the CIPP or CIPM.
III. Privacy policies
Disclose how consumer data is collected in terms of use and privacy policies. Policy language should be clear and concise so an average person can understand how the company is using and protecting their personal information[vii].
Disclose significant changes to privacy practices conspicuously versus concealing the change in policy language and merely asking the consumer to acknowledge it. When there are changes, obtain consent the next time the consumer interacts with the business such as logging into the web site[viii]. An attorney should be used to ensure privacy policies are appropriate.
IV. Implement controls to honor consumer preferences
There is risk in transition. Risk exists when consumer data is passed between applications. Inventory privacy data elements present in each application and track how consumer preferences are honored. There is typically strong focus on high profile data such as payment card numbers, account numbers and social security numbers. Be mindful that Personally Identifiable Information (PII) must be closely safeguarded as well.
NIST 800-122 defines PII as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."[ix]
Privacy risk follows when consumer data is shared with a supplier. If registration occurs in your organization, pass meta data to supplier hosted applications to ensure consumer data use preferences are known.
There is risk in complexity. Diagrams help us break complex systems to components we can understand. Watch for risk when crossing swim lanes in process diagrams. Failure Mode and Effects Analysis can be used to identify how privacy controls can fail in a given scenario.
Privacy risk exists wherever consumer data is present. Be particularly careful where data is aggregated and data analytics is conducted. Innovation can also incur privacy risk. Control how consumer data is shared between business units and lines of business. Ensure strict access controls exist over consumer data repositories such as databases and data warehouses.
V. Mobile Applications
Privacy implications for mobile devices include whether physical location is shared and whether the application has access to stored content. The FTC recently released a list of recommendations in their Mobile Privacy Disclosures report[x]:
· Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;
· Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;
· Consider developing a one-stop "dashboard" approach to allow consumers to review the types of content accessed by the apps they have downloaded;
· Consider developing icons to depict the transmission of user data;
· Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;
· Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores;
· Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.
The report also includes guidance for application developers and advertising networks and other third parties.
VI. Privacy Program
The FTC recommends establishing a "comprehensive privacy program" as a best practice. They also require it after citing an organization for a consumer privacy incident. Traditional roles may not adequately address privacy. Watch for coverage gaps between attorneys reviewing privacy policies and IT professionals focused on computer security.
A privacy program distills laws and regulations into actionable requirements. All personnel should receive role-based privacy training. Engage an attorney to evaluate privacy policies. Track consumer data where it is stored, processed or transmitted. Control how it is used. Incorporate privacy requirements into IT standards. Establish processes to dispose of consumer data when it is no longer required. Assign privacy professionals to provide oversight over project requirements and design. Test to ensure privacy controls are implemented as intended. Conduct annual assessments to ensure they remain in place.
Privacy falls into the category of business risk, similar to fraud. Have at least one person dedicated to it. Treat your customers fairly and equitably. When it comes to privacy, actions define your brand.
About the author:
Gideon T. Rasmussen is a Charlotte-based Information Security Risk Manager with over 15 years experience in corporate and military organizations. His website is www.gideonrasmussen.com. The opinions expressed here are those of Gideon Rasmussen and do not necessarily represent those of his current or past employers.
Originally published by RiskCenter (April, 2013)