Privacy complexity has users confused

Corporations implementing data-privacy initiatives face complex business and technology issues relating to the access, use, storage and transmission of customer information, according to users.

Not only will such policies have to accommodate emerging domestic and international regulations, but they will also need to be backed by the right technology architecture and processes to ensure compliance, users say.

The biggest challenge is “to develop a clear understanding of the impact of a patchwork of international, federal and state privacy regulations” and to balance that with business and consumer needs, said Edward G. Schwartz, chief information security officer at Columbus, Ohio-based Nationwide Insurance Cos., during last week’s 27th annual conference of the Computer Security Institute in Chicago.

Doing that successfully requires having an accurate disclosure policy and deciding who owns the customer data, who makes decisions with respect to the use of customer data and who responds to privacy inquiries from customers and regulators, he said.

Similarly, on the technology side, companies need to look at where and how customer data is stored, secured, accessed and transported; what processes are followed with personally identifiable information; and who approves security policies, Schwartz added.

Just as important is the need to meet a “demonstrable” standard of due care, he said. This includes deploying technologies such as firewalls, intrusion detection, log-file monitoring and data encryption.

Such issues are coming to the fore at a time when data privacy is the target of increasing scrutiny. The U.S. Federal Trade Commission, for instance, is pushing for privacy regulations after a survey earlier this year showed that only 20 per cent of 355 Web sites sampled offered essential privacy protection.

More than two-thirds of the 50 states are also pushing for similar measures, while existing policies such as the Health Insurance Portability and Accountability Act of 1996 are being strengthened to include tough new privacy measures.

The impact such trends have on companies depends on the nature of the industry they’re in, said Josh Turiel, network manager at Holyoke Mutual Insurance Co. in Salem, Mass.

For example, insurance and health care companies in the U.S. are more likely to be immediately affected by some of the emerging privacy regulations than companies in other industries, he said.

One result is that Holyoke – which sells insurance through third-party independent agents – isn’t directly collecting information from its Web site. It could start doing so, but customers will have the choice of whether to share confidential information, Turiel said.

“We don’t want to put ourselves in a situation where we inadvertently misuse customer information. . . . We are absolutely paranoid about privacy,” Turiel said.

Atlanta-based LastMinuteTravel.Com Inc. has a privacy policy that includes feedback from the technical and marketing sides of the business. When it comes to dealing with customer concerns, the task is split between the marketing group and technology group, said Jay Ramadorai, the company’s chief technology officer.

“One of the biggest challenges is the constant push and pull between [business needs for sharing data] vs. the need to honor the privacy of our customers,” Ramadorai said.