What about your customers' personal information? As a business leader, you use it to build your profits and you protect it to build your customers’ trust. You want your company to be both a sales and privacy leader, but how do you measure that leadership? In sales, you measure leadership by receipts. If you sell the most, you’re the sales leader. But, in privacy, there is no single objective measurement, so you must look for other types of evidence of success, like whether or not your company has experienced privacy-related problems and complaints. Unfortunately, three “no’s” – no privacy related breaches, no consumer complaints, no lawsuits –don’t make a “yes, we’re a leader”. The best that you can say is that you’re doing okay – for now.
Another way of measuring possible leadership is to document what your company has done to protect your customers’ privacy. If your company has taken reasonable steps to secure your IT systems, let your customers or clients know what you are doing with their information in your site’s privacy policy and/or terms and conditions, and, perhaps most importantly, put in place a policy for the secure disposal of your customers’ information, you may think that you are a leader or at least doing a good job. Indeed, you would think that your risks are well-managed. However, every day you read about big companies, that you thought were privacy leaders or at least doing a good job, but then an unanticipated privacy problem emerged and they suffered significant legal costs and reputation damage.1 So, where does your company stand?
Whether your company is a privacy leader or on track to becoming a privacy leader will depend on your commitment to making customer privacy your policy and reducing risk. To help you determine whether you’re on the right track, we encourage you to answer the three simple questions below. Then, based on your responses, check out the New York State Department of State Division of Consumer Protection privacy resources to learn more about the privacy and security issues important to your company.
QUESTION 1: LOST OR STOLEN LAPTOPS
You’ve just read that one out of three customer data breaches is the result of a lost or stolen laptop, mobile phone or other portable device.2 You’ve also read about a study of 28 U.S. companies conducted by the Ponemon Institute, which claims that the estimated average cost to the company of a lost or stolen laptop is approximately $50,000, including the cost of the breach, investigation expenses, loss of productivity and other factors.3 Any customer information on your company laptops may be at risk for identity theft and your company may be at risk for significant customer and financial losses.4 How should you respond?
Should you: (a) do nothing until there is a problem; (b) make a note to figure out whether there is any customer information on any of your company laptops; or (c) make sure now that you are setting strong passwords for login, backing up all data and fully encrypting all laptops? Correct answer ___.
QUESTION 2: CUSTOMER NOTICE AND CONSENT
You’ve heard that Sears was recently investigated by the Federal Trade Commission (FTC) for inviting Internet users visiting www.sears.com and www.kmart.com to download research software that would track their “online browsing” presumably on Sears’ sites.5 According to the FTC, Sears did not disclose upfront the full extent of the tracking it actually performed included tracking the consumer's visits to other companies’ sites, even during secure sessions, as well as the contents of their customers’ shopping carts, online bank statements, drug prescriptions, movie rentals and library borrowing records. A more detailed explanation was provided by Sears in a long-form agreement which was made available to the consumer at the end of the sign-up process. However, the failure to provide prominent and robust notice upfront meant that Sears, to settle the case, would have to destroy all the data it had collected through the software installation, provide customers with instructions on how to uninstall the software, and follow a strict customer disclosure standard for all similar situations in the future.
In light of the Sears case, how should you view your own site?
Should you: (a) do nothing and take the risk that you might be violating the law as a “cost of doing business”; (b) continue to keep all the “legalese” in a long-form policy or agreement somewhere out of the way on your site to avoid distracting from the “seamless customer experience”; (c) check out whether your consumer data collection notices are robust, easy to find, written in plain language, and provide consumers with clear choices about whether and how to consent to the collection and use of the types of data identified in the notice? Correct answer ____.
QUESTION 3: DATA RETENTION AND DISPOSAL
$2.25 million. That’s the amount of the fine assessed by the Department of Health and Human Services against CVS Caremark (CVS) after receiving reports that CVS pharmacies were throwing trash into open dumpsters that contained pill bottles with patient names and medication instruction sheets with personal information, employment applications with Social Security numbers, and credit card and insurance card information, including, in some cases, account numbers and driver's license numbers.6
In a related government action, the FTC complained that despite the CVS privacy policy statement that “(n)othing is more central to our operations than maintaining the privacy of your health information,” the company “failed to: (1) implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal; (2) adequately train employees to dispose securely of such information; (3) use reasonable measures to assess compliance with its established policies and procedures for the disposal of such information; or (4) employ a reasonable process for discovering and remedying risks to such information.7
In light of the CVS case, how should you view your own data retention and disposal policies?
Should you: (a) do nothing and assume that everyone in your company is doing the right thing; (b) check to make sure that your data retention and disposal policies are accessible to all employees but otherwise defer to the lawyers on content; or (c) make sure that your data retention and disposal policies are: (i) detailed, specific and easy for employees to understand; (ii) supported by annual employee education programs, and (iii) monitored by regular, scheduled audits? Correct answer______.
YOUR SCORE?
If you answered “c” to all of the above, congratulations, you are committed to thinking strategically about your customers’ privacy and planning for the long-term. You are making customer privacy your policy and mitigating your company’s risk. If you chose any answer other than “c”, you have commitment issues. You think of privacy as a short-term, tactical issue better to be avoided until there is a “real need” or problem. Why not adjust your privacy goals rather than avoid them? If, for example, cost prevents you from upgrading protection on current laptops, address the issue on a going forward basis with future laptop purchases. Becoming a privacy leader means changing your view, from short-term tactical to long-term strategic, and upgrading your commitment from consumer-sensitive to consumer-centered. It also means communicating these principles to your employees. The payout? Lower business risk, higher customer loyalty, and more effective employee understanding and management of privacy issues. For further information on business privacy and security issues, please visit the Division’s privacy resources.
1 See, e.g., “Court Certifies Class Action Against Sears for Alleged Sale of Customers’ Private Information” to Pay Millions in Privacy Settlement”; “TJX to Pay States $9.75M in Data Breach Settlement”; “Calif. Lawsuit Targets Facebook”
2 See “Laptop Theft Breach Statistics - 2008”at www.laptoptheft.org.
3 See “Lost Laptop Costs $50,000 on Average” at www.itbusinessedge.com/blogs/mah.
4 See “”Surviving a Stolen Laptop at www.itbusinessedge.com/blogs/mah.
5 See “FTC Bust Sears in Behavioral Tracking Case” at http://www.baerbizlaw.com/category/blog/ftc-busts-sears-in-behavioral-tracking-case/
6 See “CVS Spanked over Privacy Failures” at http://www.networkworld.com/community/node/38684.
up7 See FTC Complaint at http://www.ftc.gov/os/caselist/0723119/090623cvscmpt.pdf.