Although many privacy policies may look the same, the riskiest ones fail to reflect what the company actually does. These can expose the organization to potential regulatory audits, fines, lawsuits, and reputational harm. To reduce the risks associated with such disconnects, businesses should spend more time thinking about -- and operationalizing -- their protection of sensitive data.
However, many organizations don't take their privacy policies seriously enough, as evidenced by the growing number of data breaches and the increasing amount of regulatory oversight.
[ What's your disaster response plan? Read Crisis Response: 6 Ways Big Data Can Help. ]
"If the regulators fined everyone for failing to follow certain regulated procedures, they'd have to fine everybody because nobody does it right," said Walter O'Brien, in an interview. He's founder and CEO of Scorpion Computer Services, the real-life company (with a real live person) upon which CBS's Scorpion TV show is based. "They'd be fining 99% of the industry, and there would be an uproar," said O'Brien. "There should be an uproar. You don't sue Wells Fargo every time it gets hacked."
Toothless privacy policies are common. In June 2015, the Online Trust Alliance (OTA) audited the security, privacy, and consumer protection practices of approximately 1,000 companies, all of which are the leading organizations in their respective industries. They included the top Internet retailers, banks, US federal government sites, social networking and sharing sites, news and media companies, Internet of Things providers, and OTA members. Forty-five percent failed to protect consumers and their data from harm and online threats. Forty-four percent made OTA's "Honor Roll" because they achieved a weighted score of 80 or better on a scale of 1–100, based on 50 different data points. When the OTA audited the top 23 presidential candidates in September 2015, it found that 74% failed because of their privacy policies.
"The FTC has been very aggressively prosecuting companies that don't really do what they say or say what they do," said Jim Adler, in an interview. "Where companies go sideways is not so much what they say, but whether they can live up to what they're saying." Adler is chief security officer at big data analytics company Metanautix and member of The Department of Homeland Security Data Privacy and Integrity Advisory Committee.
To minimize your own company's risks, consider these nine pointers.