11:55 AM
John Soat

Privacy: The Problem That Won't Go Away

Your privacy mistakes can easily become everyone's business. Here's how to keep your company--and your career--out of the spotlight.

Everybody knows privacy is important. Every company has a privacy policy, or should (You have one, right? And you've read it, right?), and more and more companies are appointing chief privacy officers to ensure compliance with government regulations and company standards.

So why do privacy problems continue to plague large and small companies, government agencies, and nonprofit organizations? Because a privacy policy and honcho are only the table stakes in a global, online, real-time business world. Now that data is currency and network access ubiquitous, there's more to making privacy work than a wink and a nod. Privacy must go deeper into a company's culture, until it's part of how a company thinks and acts with its customers, partners, and the public.

Getting there isn't a mystery, even if it's hard work. The many failures have shown what needs to be done. Here are nine truths about privacy that companies must live.

It's A Strategy, Not Just A Policy
"The worst thing a company can do is post a privacy policy that says they do certain things to protect privacy, then they don't do them," says Gary Laden, director of the Better Business Bureau's BBBOnLine privacy program. Sound advice. Except these days, you must understand more than the letter of your policy. You must understand what your customers expect.

Facebook, the popular social networking site for students, thought it was offering its users a cool new feature when it introduced News Feed in September. News Feed automatically updates Facebook users about changes to the pages of people in their social networks, such as someone adding a friend or posting to a discussion group. CEO Mark Zuckerberg was unprepared for the howls of protest from Facebook users who, instead of seeing a new networking opportunity, saw the shadow of Big Brother. In an Internet posting on Sept. 5 prompted by an increasingly hostile user community, Zuckerberg defended the new product: "We didn't take away any privacy options. ... The privacy rules haven't changed." Zuckerberg was out of touch with his own community. In a posting three days later, he was forced to admit: "We really messed this one up." Facebook reworked News Feed, offering users new ways to control their personal data, such as the ability to nix the broadcast of specific updates and to remove the time stamp many found particularly onerous.

Companies must watch the letter of their privacy policies as well. They're legal contracts between a company and its customers, so violations can lead to litigation. AOL is being sued by three unidentified individuals who claim the Web portal violated its privacy policy last July when, to aid academic researchers, AOL posted on one of its sites 20 million search queries from more than 650,000 users. The data didn't contain users' names, which had been stripped out and replaced with identifier numbers, but it did contain the personal data typical to search queries--addresses, phone numbers, medical conditions--so that it was possible to tie it to individuals.

AOL apologized for the gaffe immediately after it was discovered ("This was a screwup, and we're angry and upset about it," a spokesman said), and there were career consequences: It fired the researchers responsible, and its chief technology officer resigned shortly afterward.

Privacy Laws Will Change--Often
Customers aren't the only ones who might come back at you for privacy lapses. Last month, a federal jury awarded CollegeNET $4.5 million in its claim of unfair competition against rival XAP. CollegeNET and XAP are Web sites that help students apply to colleges online. CollegeNET sued XAP for creating an unfair marketplace advantage by violating its privacy policy when it turned over student data to loan agencies. CollegeNET said the opt-in language XAP used to obtain permission was unclear and misleading. XAP president Liz Dietz said in a statement that the disputed practices "all occurred in the past." The judge will decide the actual monetary damages early next year.

"California puts privacy laws into effect every week," says Parry Aftab, only partly tongue-in-cheek. Aftab's a privacy lawyer and executive director of WiredSafety.org. "I can't stay on top of them," she says.

But you must. More than half the states have laws that require organizations to notify consumers if their personal data is involved in a security breach. At the federal level, several privacy bills are percolating through both houses of Congress, though the feds have shown no real urgency to act on those bills.

Smart companies don't just stay on top of privacy legislation, they also seek to influence it. Kirk Hareth, chief privacy officer for Nationwide Insurance, served as an industry lobbyist for several years in the 1990s. He helped draft HIPAA, the Health Insurance Portability and Accountability Act. Hareth keeps in touch with Nationwide's lobbyists to stay current with pending legislation.

Case in point: On Oct. 13, President Bush signed a bill, S. 2856, that includes a provision that requires financial institutions to make their privacy statements "comprehensible to consumers, with a clear format and design." The Federal Trade Commission has 180 days after enactment of the bill to develop the new privacy model and will seek input from financial institutions.

Nationwide's privacy statement already complies with the new regulation, Hareth says. "We've gotten ours to an eighth-grade reading level," he says. That's because California law requires that all public documents be written below a ninth-grade reading level, and insurance companies are regulated by the states. Dealing with federal and state regs is a constant juggling act. "You need to have time to do that reconciliation," Hareth says.
