Privacy Protection




Like so many other management challenges, planning for privacy begins with determining needs and strategies. Organizations should assume that information privacy will be threatened by corruption and theft. Start by using this simple model:

  • What are my information privacy needs?

  • What types of information exist in the organization?

  • What information assets are available to employees connecting from outside the organization?

  • What are the organization's legal and regulatory requirements?

  • What is going to be the composition of the information privacy team?

  • What business units must be represented on this team?

  • Who is going to lead this team?

  • Who is going to be the senior manager sponsoring the information privacy team?

  • What is going to be the team's line of authority and reporting?

  • What are the organization's information privacy assets?

  • What are the threats to those privacy assets?

  • What is the frequency of those threats?

  • What are the organization's privacy vulnerabilities?

  • What are the most feasible cost/benefit safeguards?

  • What policies need to be drafted and approved to address these assets?

  • Who is going to conduct employee training about information privacy?

  • What is going to be the frequency of privacy training?

  • Who is going to conduct internal compliance audits?

  • What is the frequency of those audits?

  • What is the level of intrusion of privacy audits?

  • What penalties are going to be assessed against policy/law violators?

Information Assets Inventory

Organizations must develop an inventory to identify, locate, classify, and prioritize information requiring privacy safeguards. Like other organizational efforts, it is a wise idea to form a privacy team with representatives from pertinent business units. Team composition and functions are discussed in previous chapters.

The privacy team should be tasked with collecting as much information as possible about the data collected and stored in the organization and recording it as part of their inventory. An inventory of this nature catalogs the origins and types of data, not the data itself. For example, the privacy team will survey the organization's business units to determine the types and nature of information they collect as well as the information they access outside the organization. The survey should be simple yet sufficiently comprehensive to cover the origin of the data, its degree of sensitivity, classification, use, storage, and disposal.

A data inventory should include the following components at a minimum:

  • Data description

  • Origin of data

  • Data ownership

  • Responsible business unit

  • Data classification or sensitivity

  • How data is used in business unit

  • To whom data is disseminated

  • Individuals having access to data

  • Authorization for access

  • Existing relevant policies

  • Current laws/regulations governing data

  • Current and past material events affecting this data

Technology Relevant to Privacy Protection

It is the responsibility of the privacy team to assess the organization's technology requirements to protect and preserve the privacy of its data. This assessment requires a serious understanding of the organization's mission, implemented technologies, risk program, policies and procedures, audit program, and critical incident response. The privacy team will not likely decide the specific technology to deploy, but it will decide the functional parameters of such technology as well as relevant policies and procedures.

All information systems have their strengths and weaknesses depending on their implementation and deployment. Regardless of the system, the weakest link in all systems is the people interacting with it. The fundamental aspect of safeguarding information privacy is controlling access to the system. (Remember that systems are composed of people, data, and physical facilities.)

Access controls exist on a variety of levels, including privileges assigned to employees and groups, password protections, tokens and smart cards, biometrics, and one-time passwords. An alternate method of controlling data access is to set user privileges, meaning who can delete, add, modify, or manipulate data. Significant information privacy challenges exist in ensuring that products are installed and configured correctly so that only intended employees have access and the corresponding privileges.

Policies and Procedures

Regrettably, in most organizations, there is a serious lack of strong policies and procedures regarding the use of the Internet, e-mail, chat rooms, and messaging services such as Instant Messenger. Employees generally do not understand the depth or variety of vulnerabilities that these communications technologies and their unrestrained use pose to information privacy.

Team members can expect to have challenges in understanding the types of data, how that data is being used and by whom, to whom data is being transmitted, the means by which data is being transmitted, and which of the data recipients are retransmitting data. With sufficient survey data collected, the team should have a good idea of the data-transmission habits of the employees. Depending on the results, the team may recommend a widespread training program directed at deficiencies found in employee conduct. It is also quite possible that, due to the sensitivity of the data and employees' poor data-transmission habits, the team may recommend monitoring and filtering all transmissions for offending elements.

Experience Note 

Installing monitoring and filtering software for transmissions must not be considered the action of first resort. Like all privacy and security measures, it achieves the best results only as part of a total approach. Enterprises may depend on monitoring and filtering software to solve their data-transmission behavior problems, but if they rely on this approach exclusively, malicious employees will find ways to circumvent the filtering and monitoring software, to the detriment of the information privacy program.

Educating employees is the best method to address data-transmission habits. They must understand the approved methods of communication and why these are approved. These education sessions must also cover the consequences of not complying with policies and procedures, such as lost profits, lost market share, individual censure, dismissal, etc. Although many employees have excellent computer knowledge, they should glean from their training that their e-mail can be read, stolen, sent to unintended addressees, and retransmitted without their permission.

They should also understand their Internet browsing, e-mail, chat rooms, and instant messenger services may be monitored by their employer, government agencies, advertisers, and malicious individuals.

Auditing Privacy Practices

The organization's privacy team and audit unit should be tasked with devising programs to test the viability of the privacy program. Audits should be unannounced, comprehensive, and conducted as if the future of the business depended upon their findings. In today's world, it might! Auditors should be included as valued members of the privacy team and must participate as policies and procedures are developed and approved. Audits of the developing privacy plan will identify flaws and weaknesses that can be addressed before they become policy. If the chapter in this book about auditing has not been read, now is a good time.

Web Site Privacy

Handling data collected through the company's Web site essentially falls into the following categories:

  1. Ensuring proper use of data collected through the Web site

  2. Ensuring the privacy of individuals using the Web site

  3. Ensuring the privacy of stored data

Privacy statements published on the organization's Web site are the product of complex legal and business processes. Most privacy statements displayed as part of the customer's Internet experience are fairly direct; however, there are Web sites that use circuitous or meaningless language, leaving potential customers confused and bewildered (Exhibit 1).

Exhibit 1: Sample Web Site Privacy Statement


The ABC Corporation is dedicated to your privacy and will not collect more information than is necessary to process your orders and provide a personalized shopping experience. For your privacy and peace of mind, we will not rent, sell, or trade your information with others.

How We Use Your Information.

When you place an order, we will ask for your name, e-mail address, mailing address, credit card number, billing address, CVV2 number, and credit card expiration date. This information permits us to expedite the order process and notify you of your order's status.

When you sign up for your Personalized Services, we will send you the information you have requested, and we need only your e-mail address. When you select the subjects listed under the Personalized Services, we will periodically provide updated information you requested. Through your Personalized Services, we will notify you of changes in our Web pages at www.ABCCorp.com that we think you will find of value. These changes will include new products, services, and sale items. You can modify or cancel this service at any time.

Information protection

When an order is placed through the www.ABCCorp.com Web site, a link with our secure server is made via Secure Sockets Layer, SSL, technology. All information exchanged between you and our Web site is encrypted for your security and protection. At all times, we safeguard your information against unauthorized access or use.

Cookies

Cookies are small pieces of text we place in your browser's storage so we may customize our Web site for you. Our cookies do not contain any personally identifying information about you but they enable us to provide Web site features such as personalized Web pages for you. It is not necessary to have our cookie on your computer to use our Web site services including browsing, shopping cart, purchases and shipping.

Summary

We are committed to your privacy and security while using the www.ABCCorp.com Web site. We use the information you provide to deliver your orders and provide a friendly and useful shopping experience. If for any reason you have any questions or you wish to review your information or its processing, please feel free to contact us at: <customerservice@abccorp.com> or

Joe Blow
Vice President
123 Elm Street
Anywhere, Anystate 11111
Tel: 111.555.2222


Safeguarding, Processing, and Storing Privacy Data

Controls must be rigidly applied to the enterprise's data center, affecting both employees with legitimate data access and those who would attempt unauthorized access. Information privacy procedures should also provide access for the individuals to whom the data pertains. These are a few best practices relevant to data privacy:

  • Data collection must be lawful and fair. Information collected from individuals and business entities must be lawful in purpose and relevant to the function for which it is being collected.

  • There should be an established mechanism for individuals and organizations to discover what information is in the record, how it is being used, to whom it is being disclosed, and how to limit that disclosure and use. This does not mean how the information is intended to be used; rather, it means how it is actually being used and distributed. There should be a mechanism for an individual to prevent information that was obtained for one purpose from being used or made available for other purposes without her informed consent. Also, there must be an avenue allowing individuals and organizations to correct, amend, or modify all relevant records. Any organization collecting, maintaining, storing, using, or disclosing records of personal data should ensure the reliability of the data for its intended use and exercise adequate due diligence to prevent misuse.

  • Consent. At the time data is being collected from persons and organizations, they should be advised about the purposes for which the data is being collected, the conditions under which the data is collected, and which other parties will have access to the data.

  • Quality. Organizations must take reasonable steps to ensure that collected data are accurate, relevant, and do not intrude into areas outside their stated purposes. In essence, it is a restatement of the "least privilege" concept. Organizations must not collect more information than is absolutely necessary to deliver their goods or services and this should be clearly stated in their privacy policy. Persons and entities providing data should be advised under which provisions they might access their data for the purposes of limiting access, uses, or making corrections.

  • Data disclosure. Organizations must not use personal or other proprietary data for purposes other than those stated in their policy. Organizations must not divulge protected information without the consent of the person/organization unless authorized by law.

  • Privacy enforcement. Data being collected and transmitted to relevant entities must be constrained by stated policies and procedures. There must be vigorous steps to ensure that data is used in the manner stated, and nothing more. Auditing steps should be taken to ensure compliance with these policies.

Nonconsent Information Use

Using or disclosing information about someone without their consent or knowledge is not necessarily a violation of their privacy. For example, if Alice buys a new car, a brand name 4×4 Zoomie, she registers the car at the Department of Motor Vehicles knowing those records are publicly available. Publicly, she is seen driving this 4×4 Zoomie on a daily basis. Does she have a reasonable expectation of privacy when the Zoomie dealership sells her name to advertisers targeting consumers of this genre of vehicles? No, she does not. However, if the dealership disclosed the financial data Alice provided in her credit application, then that would be a potentially unlawful act because she does have an expectation of privacy in her financial dealings. They are not public information. She does not display her financial status for public review; it is her business and she is entitled to keep her information private.

The fact that information is public does not entitle others to use it to inflict or threaten harm. Improper use and disclosure of information can give rise to civil liability. If Alice discovers facts about Bob, these facts do not grant her the right to know all facts. When individuals or organizations provide information to third parties in confidence, they have a right to expect that it be protected as private information.

In this vein, it is the responsibility of data receivers to determine which information is private and which is not. There may be facts that are available to the public, or to a significantly large portion of the public, that preclude the need for privacy. Organizations can use and transmit information of this nature without the individual's consent or knowledge. In most settings, individuals have the right to know why their information is collected and how it is going to be used, to make corrections, and to limit to whom it is going to be disseminated. However, the property rights extended to this data may limit the owner's right to confidentiality, depending on how much of the information is already in the public domain.

Employee Privacy Training

Training employees in the nature and risks surrounding privacy is critical to all organizations. Training programs targeting end users about existing policies and procedures will go a long way toward providing a sound basis of understanding before they are granted access to sensitive information. Refresher training serves to update employees who already have access with changes in policies, procedures, and the law. Such training provides the opportunity for situational role playing, where they learn to deal with real-life problems in a controlled setting. Employees transferring to a new business unit should receive proper training before data access is granted, ensuring continuity in privacy protection. The challenge facing trainers lies in how they deliver their message. Using tired handouts and boring formal presentations and lectures to teach privacy policies can be tedious and unproductive. Educators should be innovative in their approaches, reaching and involving their audiences. Using case studies, group participation, and practical exercises can go a long way toward holding trainees' attention while delivering the message.

Training can also take the form of informal or spontaneous chats between employees. Many organizations have initiated and developed training programs based on mentors and other knowledgeable persons who, through a process of socialization, share their experiences. Although this is a gentler and kinder way to impart knowledge, there are a few pitfalls in the approach. Problems exist in documenting the fact that training has actually taken place, attendance at training sessions, and the effectiveness of such training.

Another area of concern in the informal training arena is that of bad habits being passed from senior employees to others. Because there is no test for the correctness of the information being disseminated, it is possible that misinformation and poor policy understanding become part of a new employee's orientation.

Privacy Training Best Practices

Here are some suggestions for privacy training best practices:

  • Deliver a basic summary of the organization's vision and mission. Include relevant but not overly detailed explanations of how privacy forms part of the organization's critical asset protection.

  • Provide succinct summaries of applicable laws, regulations, and the organization's policies and procedures. Much of this material can be made available on the business's internal network (intranet), where employees may browse it at their leisure. Collecting acknowledgements from participating employees is a good idea for future audits.

  • Provide training about the data's life cycle: why specific data is collected, its processing, its storage, and its disposal.

  • Provide a relevant contact list so attendees know who to contact if they have a question.

Handling Privacy in Supply Chains

E-commerce companies frequently offer what appears to be one-stop shopping with ordering, shipping, and billing services. From the outside, the world sees that the Web site provides all these features, when in fact many of these services may actually be performed by other companies under contract. For the purpose of understanding, networks of businesses that participate in such relationships are termed supply chains. In order to do business, companies are often required to pass along a customer's information to suppliers of goods or services so that orders can be placed and filled. Providers of those contracted goods and services are in turn responsible for the protection and security of the information they receive during the course of business.

Good privacy procedures require organizations to ensure they collect only the minimum amount of information necessary to process transactions. Receivers of a customer's information are responsible for overseeing how that information is transmitted to third parties and for ensuring those third parties handle that data consistent with the original business's policies and procedures. Businesses that transmit client data to their partners must take appropriate steps to ensure that third parties take reasonable precautions to safeguard that data from misuse, unauthorized access, disclosure, modification, and destruction.

Sound business privacy practices will disclose to customers the types of information that are going to be disclosed to third parties and how it is going to be used by them. In most cases, disclosing how the information will flow from one business to another in the supply chain would be considered prudent. As part of the working relationship between partners, an agreement is made ensuring that the data receivers will provide the same levels of privacy that the original receiver had. Of course, these agreements must be in the form of a contract and must be executed by the appropriate levels of senior management.

There are several areas of concern when making such agreements:

  • Within the participating business entities, what is the actual level of data privacy protection?

  • How are levels of privacy protection going to be audited? Who is going to conduct the audits? Are the results of these audits going to be made available to the other partners? What is the frequency of such audits?

  • Which of the business partners is going to bear the expense of legal action?

  • When a new supply chain participant enters, which of the partners is required to approve their admission to the supply chain?

Individual business partners should receive the same level of scrutiny that is applied to large supply chain systems, regardless of size and sponsorship. Agreements and contracts must detail a set of mutually agreed policies and procedures establishing how data is collected, processed, stored, and distributed. Each supply chain affiliate should provide a comprehensive report on data usage and data flow to all other parties. Reports of data collection and distribution should be collected from all parties in the supply chain, even those that do not have a direct relationship with one another. This report becomes particularly important should a supply chain member use contractors. Tracking and documenting how all parties treat data might provide the basis for a strong defense should legal action be pursued.

Ownership of business partners changes often with mergers, acquisitions, closures, and bankruptcies. Supply chain members changing ownership or going out of business can have serious consequences for your ability to deliver goods and services and should be addressed by contingency plans. There is also potential for disaster when a company's structure changes and due diligence in handling data privacy is jeopardized; at that moment, financial risks affecting all members of the supply chain escalate. It should be the combined responsibility of the supply chain members to monitor ownership and the status of lawsuits, as these events may affect data privacy. For these reasons, data privacy agreements must be in the form of enforceable contracts applicable to all relevant third parties.

Auditing privacy management procedures might be accomplished by creating ghost personalities and accounts and placing orders that are going to be handled by the supply chain. Experienced auditors will direct their efforts to test goods and services that are delivered by all members of the supply chain and their subcontractors. Steps such as these will test and assess the internal processes and business practices. If an audit account is established and there is an increase of spam or unsolicited junk mail at the address designated as the receiver, it is likely that the account's data has been compromised. Using a bit of detective work and depending on the length of the supply chain, it is possible to locate a "leak."
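The ghost-account audit described above, worked through as an added example (not code from the book or any product it describes): each audit order is placed under a unique e-mail alias and travels a known fulfilment path, unsolicited mail arriving at an alias marks that order's data as leaked, and intersecting the paths of all leaked orders narrows the "leak" to the members they share. All domains, the secret, and the mail records are constructed sample data.

```python
"""Canary-account leak attribution for a supply chain privacy audit.

Illustrative code, not from the book. Domains, secret and mail records are
constructed sample values.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

AUDIT_DOMAIN = "audit.example.com"  # mailbox domain the audit team controls (constructed)


@dataclass(frozen=True)
class CanaryOrder:
    alias: str              # ghost e-mail address used for this order and nothing else
    path: tuple[str, ...]   # domains of the members that legitimately receive the order


def make_alias(order_id: str, secret: bytes) -> str:
    """Derive an alias that does not look like a sequential audit address."""
    tag = hmac.new(secret, order_id.encode(), hashlib.sha256).hexdigest()[:12]
    return f"cust-{tag}@{AUDIT_DOMAIN}"


def plan_audit(paths: dict[str, tuple[str, ...]], secret: bytes) -> dict[str, CanaryOrder]:
    """One canary order per distinct fulfilment path, keyed by its alias."""
    orders: dict[str, CanaryOrder] = {}
    for order_id, path in paths.items():
        alias = make_alias(order_id, secret)
        orders[alias] = CanaryOrder(alias, path)
    return orders


def attribute_leak(orders: dict[str, CanaryOrder],
                   inbound: list[tuple[str, str]]) -> tuple[set[str], set[str]]:
    """Return (leaked aliases, members common to every leaked order's path).

    inbound holds (recipient alias, sender domain) pairs taken from the audit
    mailbox. Mail from a member on the order's own path (confirmation, shipping
    notice) is expected; any other sender is a leak signal. An empty second set
    with a non-empty first set means no single member explains all the leaks."""
    leaked = {rcpt for rcpt, sender in inbound
              if rcpt in orders and sender not in orders[rcpt].path}
    common: set[str] | None = None
    for alias in leaked:
        members = set(orders[alias].path)
        common = members if common is None else common & members
    return leaked, (common or set())


# Constructed audit plan: three orders routed through different fulfilment houses/carriers.
SAMPLE_PATHS = {
    "audit-001": ("shop.example", "fulfil-east.example", "carrier.example"),
    "audit-002": ("shop.example", "fulfil-west.example", "carrier.example"),
    "audit-003": ("shop.example", "fulfil-east.example", "courier.example"),
}
SECRET = b"rotate-me-per-audit-cycle"  # constructed placeholder, not a real key


def run_sample() -> tuple[set[str], set[str]]:
    """Run attribution over constructed mailbox records."""
    orders = plan_audit(SAMPLE_PATHS, SECRET)
    alias = {oid: make_alias(oid, SECRET) for oid in SAMPLE_PATHS}
    inbound = [
        (alias["audit-001"], "carrier.example"),        # expected shipping notice
        (alias["audit-001"], "deals.spammer.example"),  # unsolicited: order 001 leaked
        (alias["audit-003"], "promo.spammer.example"),  # unsolicited: order 003 leaked
        ("someone@audit.example.com", "deals.spammer.example"),  # not an audit alias
    ]
    return attribute_leak(orders, inbound)


if __name__ == "__main__":
    leaked, common = run_sample()
    print(f"{len(leaked)} leaked canaries; members common to all: {sorted(common)}")
```

In the sample, the leak is narrowed to shop.example and fulfil-east.example; separating those two needs a further canary whose path contains only one of them, and a canary that has not drawn spam yet is weak evidence of a member's innocence.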

Another audit technique employs social engineering: the auditor contacts members of the supply chain and attempts to buy the customer list or other information. In order to ensure the integrity of data privacy, auditors should regularly test each member of the supply chain to determine if it will sell, rent, or trade data that should be kept private.

If problems are identified with supply chain members disclosing information, they should be immediately addressed in the manner detailed in the agreement or contract. Not surprisingly, it will likely be a matter for the legal unit to handle in consultation with other senior managers. Removing someone from the supply chain can have far-reaching ramifications, and risk management programs should address such contingencies. However, if a customer files a legal action as a result of a violation of privacy, the potential results can devastate all members of the business chain.






Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144