Three Ways To Prepare For The IT Impact Of New Privacy Laws

In the wake of numerous high-profile customer-data breaches, companies that haven't previously been subject to information security and privacy regulation should expect new regulations to mirror elements from existing laws. For businesses that want to start planning now, there's no need to wait for implementation instructions on how to secure consumer data.

Plan For The Obvious
Companies that haven't previously been subject to information security and privacy regulation should expect new regulations to mirror elements from existing laws: Put someone in charge, analyze vulnerabilities, make a plan, implement policies and procedures that address technology as well as business processes, train, monitor your service providers, and circle back to evaluate and adjust your program on an ongoing basis.

These common and common-sense requirements appear in existing data-security regulations for companies subject to the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and, north of the border, the Canadian Personal Information Protection and Electronic Documents Act.

Businesses will have to be reasonably certain their service providers live up to the same standards. A company must wisely choose and monitor its service providers and cannot evade privacy liability by outsourcing. Even while Congress has been considering new regulations to control outsourcing, existing laws already require companies to police their service providers by building privacy provisions into contracts and monitoring vendor performance.

Some companies pondering the future of regulation may be unaware that a mandate of reasonable security already applies to them today. If a company is engaging in business-to-consumer transactions, it is regulated. Under the basic consumer-protection principles of Unfair and Deceptive Acts and Practices laws, the Federal Trade Commission and state attorneys general have already established a data-security enforcement history involving organizations that include the ACLU, Alta Vista, Barnes & Noble, Eli Lilly, Guess, Microsoft, Sony/InfoBeat, Tower Records, Victoria's Secret, Ziff Davis Media, and many others.

These cases targeted online practices, but the rules are the same in all data channels. Be assured that consumer-protection agencies are taking a hard look at offline and business-to-business transactions that expose consumer data. And take note, "consumer data" means more than hot-button data such as Social Security numbers, credit-card numbers, and medical data. It includes names, addresses, phone numbers, and Global Positioning System data.
