James Ewing, Gerald Kral and Krista Young
Reputational Risk Is An Increasing Danger To Business
Information is no doubt the most significant asset of many companies. Our global economy and the expansion of multinationals have led to a dramatic increase in information flow within entities and across geographic borders. This flow of information is currently the subject of great debate in the state and federal regulatory arenas regarding the challenges of safeguarding employee, customer and vendor data.
Businesses that neglect to consider and implement privacy requirements are subject to enforcement actions, seven-figure lawsuits, penalties and fines – but these consequences can be small in comparison to the loss of public trust that businesses suffer when individuals discover that their private information has been compromised. The media’s attention to data privacy breakdowns and the ease with which private information can be used for inappropriate and harmful purposes magnify the inherent risk to corporate reputations. Well-known companies such as ChoicePoint, LexisNexis and Bank of America have each had to endure unwanted media attention when potential breaches of private information surfaced.
According to a 2004 Harris Interactive study, more than 80% of consumers said they would stop doing business entirely with companies that misuse information, while over 50% said they would buy more frequently and in higher volume from companies perceived to have sound privacy practices. These results clearly demonstrate both the financial risk that can accompany a privacy breach and the financial opportunity for organizations that can earn customer confidence with their privacy practices and commitments.
The EU is leading the world in setting a regulatory framework for managing sensitive data. For entities operating in Europe, the European Union Data Protection Directive sets a standard for companies to comply with. Efforts in the U.S. are quickly gaining steam. Since the California Privacy Act, legislation has been enacted in 17 states requiring compulsory notification to consumers who have been affected by security breaches of personal information. This development, coupled with 35 different privacy bills pending before Congress, has set the stage for the United States to enact a comprehensive data privacy initiative. However, businesses that are proactive in building their compliance programs will not only be prepared for increased legislation, but will also have a unique opportunity in the marketplace to shape the way privacy compliance should be framed.
How To Address These Concerns?
Our approach to compliance, as detailed in the July 2005 issue of The Metropolitan Corporate Counsel, uses a comprehensive framework for proactive risk identification and mitigation. Our view is that the compliance program is not merely a response to regulation, but a commitment from executive leadership to engrain compliance into all facets of the organization. How do corporations address privacy concerns using our approach? We suggest that privacy risks be mitigated using the six steps of our framework: (1) identify and evaluate compliance risk; (2) set compliance policy; (3) embed compliance policy; (4) monitor; (5) investigate; and (6) report.
Identify And Evaluate Compliance Risk. The first step in addressing data privacy concerns is to gain a very clear understanding of the privacy risk facing the organization. There are two clear drivers of this risk. The first is the external environment within which the company operates. For most multinationals, the environment is tremendously complex. As noted above, privacy regulation is rapidly evolving and the obligations facing organizations will differ significantly depending on where the company does business. Of course, the regulatory component is only part of the environment. The reputational risks facing organizations are significant, and this is leading many companies to try to stay ahead of the regulatory curve, imposing privacy obligations on themselves beyond what the statutes demand. In this regard, many companies are looking to bring some uniformity to privacy practices that would otherwise not be required by the myriad of disparate local rules that a typical multinational faces.
The second driver is the internal environment. Companies must understand what protected data exists, how it is maintained and how it moves through and outside of the organization. This is no easy task. We typically recommend that the company name a Champion to lead the organization through this effort. The Champion may benefit from establishing a steering committee, including representatives from all facets of the organization, to work together to gain a detailed understanding of this internal protected data environment.
All protected data must be identified, along with how that data moves through the labyrinth of systems. Examples of protected data include names, addresses, social security numbers, driver’s license numbers, details about family and lifestyle, race or ethnic origin, physical or mental health conditions, education and training, criminal records and consumer habits, to name a few. Regardless of what data is captured, it will generally fall into three basic categories: client, employee or vendor. Using flowcharts and other schematics, the goal is to gain a comprehensive view of protected data repositories and flow as the data passes from system to system.
Set Policy. Policies should be developed to cover the collection of data, handling the data as it moves through systems, storage of data, dissemination to third parties and procedures for escalation in the event of an infraction. Data privacy policies take many forms, for example:
Collection: Corporations should specifically communicate end-user terms to address data protection issues. This includes limiting the collected data to only that which is critical to service the client and disclosing how the data is utilized.
Storage: Corporations have various options for protecting stored data both in electronic and physical form. For example, electronic data can be protected from unauthorized access via internal and external firewalls, virus and spyware protection programs, data retention schedules, off-site storage for backups, user authentication through passwords and IDs, SSL (secure socket layer) and PKI (public key infrastructure). To ensure security in physical locations, corporations may rely on key card access for restricted areas, closed circuit televisions to monitor restricted areas and locked cabinets for physical data held in these restricted areas.
Dissemination: Corporations should also consider establishing the specific terms and conditions upon which said data is transmitted to third parties, and providing an “opt-out” option for sharing of data with third parties where applicable.
Escalation: Employees should be encouraged to use appropriate channels such as the company’s hotline or “ombudsman” program to report infractions as soon as possible. Additionally, the policy should include the company’s response procedures.
Breach: Corporations should make known the details of the specific actions that the company will take if a breach occurs. Of course, these actions will and should differ depending on what type of data is compromised but should include such concepts as notice to impacted individuals and remediation activities.
Embed Policies. Once policies are set, they must be internalized within a business. It is important to foster a culture that recognizes the importance of data privacy. This occurs through education, communication, establishing and maintaining accountability and incorporating data privacy considerations in technology implementations.
Organizational education is a critical link between an outstanding compliance program and the success of that program. Education must be specifically targeted to each department or function within the industry and incorporate their respective roles in the flow of data within the organization. Tiered training systems, in which a general company-wide program is used in conjunction with different curriculums for various departments (e.g., Information Technology, Human Resources, etc.), are an effective mechanism to provide the requisite training. Instructor-led training, combined with clearly defined escalation procedures for issues and concerns, handbooks and frequently asked questions, must be tailored to each group within an organization.
For the existing infrastructure, controls may need to be put in place and business processes may need to be re-engineered in light of the new policies. Technology can be used to regularly track and communicate potential data security threats and the resultant compliance issues and obligations with individuals throughout the organization. New initiatives naturally necessitate that business processes be redesigned in order to reflect the new data privacy policies in place, resulting in new documentation and creation of new controls.
Monitor. This includes both a long-term approach of active periodic monitoring of the overall program as well as day-to-day monitoring of the compliance environment. For privacy, monitoring includes both the actions of professionals who handle data as well as the reliability of systems through which it flows. Metrics must be developed to demonstrate achievement of expectations for professionals. Additionally, business processes and system controls will need to be periodically tested to ensure that the program is functioning properly. Further, new systems will require an evaluation to ensure that they are in compliance. It may be necessary to use a third party to review systems and processes to ensure an independent opinion.
Investigate Infractions. This is a continuous cyclical process that is used when monitoring identifies issues that require further scrutiny and possibly corrective actions or modifications. All policies and processes should have a clear escalation process, and all infractions and related investigations should be documented. Another resource to enable a corporation to be proactive is to keep a watchful eye on external developments. Identifying the breaches that have plagued a corporation’s peers provides tremendous insight into the vulnerabilities of your own program and how to take steps to correct these vulnerabilities before they become your own infractions.
Report. Reporting allows stakeholders to evaluate the overall success of their data privacy compliance program and identify opportunities for improvement. Reporting is critical to ensure that significant issues are uncovered, and it identifies the status of implementations and new risks. Elements should include metrics that stakeholders rely upon, for example, identification of data flow between systems, the security of those systems, possible new initiatives and progress on current initiatives.
Turning The Framework Into Reality
Implementing and maintaining a privacy-compliant organization requires cooperation and communication among all business units, as well as a solid commitment in both time and resources from senior executives. In our experience, organizations that have the most successful programs are those that dedicate an individual, such as a Chief Privacy Officer (“CPO”), to act as a Privacy Champion and drive change from within. In this role, a CPO can oversee all of the functions related to the development, implementation, maintenance and adherence to the organization’s privacy policies and procedures. Some of the common responsibilities of a CPO include:
being the public masthead for the company’s privacy initiatives;
coordinating privacy activities with senior management, a privacy oversight committee, and legal counsel;
providing guidance and assistance on the formulation and implementation of privacy policies and procedures;
collaborating with other functions and business units to ensure that the organization maintains the appropriate privacy and confidentiality consent vehicles; and
reviewing information security plans through the organization’s network to ensure alignment with privacy practices and acting as a liaison to the Information Systems department.
While it is always challenging to point directly to the positive financial effects of good compliance programs, such as increased revenue or decreased costs, there can be no doubt that a proactive approach to maintaining data privacy protections will lead to a myriad of positive effects. Aside from avoiding costly litigation and regulatory fines, businesses exhibiting good privacy practices will benefit from increased consumer confidence and trust. Furthermore, a proactive approach to data privacy compliance will avoid a disruption in commerce that could likely stem from a reactive response to new legislation or enforcement action.