Information Privacy: The Other Side Of The E-commerce Coin
24-Sep-99
By Mark Merkow, CCP, CISSP
As an e-business owner or manager who is charged with collecting private information in the daily course of operations, it is your moral duty - and increasingly, your legal responsibility - to respect your customers' privacy.
The following checklist from Beth Givens, director of the Privacy Rights Clearinghouse, will help you develop internal policies for responsible information-handling practices throughout your company. Here you'll find case studies, examples, and questions to contemplate as you develop your own security policies and practices.
The Privacy Rights Clearinghouse (PRC) was established in 1992 with the goal of helping people learn how to protect personal privacy effectively, especially in today's ultra-wired world. The PRC is a consumer information and advocacy program, and it provides a wealth of information on many informational privacy issues and numerous tips on safeguarding personal privacy. PRC is grant-funded and is affiliated with the San Diego-based non-profit Utility Consumers' Action Network.
Responsible Information Handling
This checklist provides an overview of key points to consider when preparing information-handling policies and conducting privacy audits within your organization. The checklist can be used by private, public and not-for-profit organizations alike.
Not all points will be relevant to your organization. And some situations may require you to take more stringent steps than those listed here, for example, if you deal with the confidentiality requirements of medical records.
The checklist is divided into two sections:
- Section I lists the major issues to consider when drafting privacy principles to safeguard the personal information of your clients, users, members, etc.
- Section II includes considerations for the development of intra-organizational privacy policies concerning employee records, electronic monitoring, and electronic mail.
Section I. Development Of Privacy Policies To Guide Customer/Client Relations
A. Organizational Policies
Does your organization/company/agency have policies that outline its privacy practices and expectations for handling the personal information of your clients, customers, users, members and/or listees?
Are your organization's privacy policies communicated regularly -- in employees' initial training sessions, in regular organization-wide training programs, in employee handbooks, on posters and posted signs, in brochures available to clients?
Are all employees who handle personal information included in the training programs, including temporary employees, back-up personnel, and contract staff?
B. Privacy Principles
The major components of effective privacy policies are listed here, adapted from the fair information practices developed by the Organization for Economic Cooperation and Development (OECD) in 1980. Although designed to guide the development of national privacy legislation, these principles are also appropriate for organizations.
- Openness. There should be a general practice of openness about practices and policies with respect to personal information. Means should be available to establish the existence and nature of personal information and the main purposes of its use.
- Purpose specification. The purpose for collecting personal information should be specified at the time of collection. Further uses should be limited to those purposes.
- Collection limitation. The collection of personal information should be obtained by lawful and fair means and with the knowledge and consent of the subject. Only that information necessary for the stated purpose should be collected, nothing more.
- Use limitation. Personal information should not be disclosed for secondary purposes without the consent of the subject or by authority of law.
- Individual participation. Individuals should be allowed to inspect and correct their personal information. Whenever possible, personal information should be collected directly from the individual.
- Quality. Personal information should be accurate, complete and timely, and be relevant to the purposes for which it is to be used.
- Security safeguards. Personal information should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure. Access to personal information should be limited to only those within the organization with a specific need to see it.
- Accountability. Someone within the organization, i.e., the Chief Information Officer or an information manager, should be held accountable for complying with its privacy policy. Privacy audits to monitor organizational compliance should be conducted on a regular basis, as should employee training programs.
C. Data and Network Security
Security of personally identifiable information, whether stored in electronic, paper or micrographic form, is the topic of many books, journals, trade magazines, and conferences. Only the major points are listed here. For additional information, consult professional and trade associations, resources on the Web, as well as libraries and your nearest technical bookstore.
- Do you have staff specifically assigned to data security? Do staff members participate in regular training programs in order to keep abreast of technical and legal issues?
- Is physical access restricted to computer operations and paper/micrographic files which contain personally identifiable information? Do you have procedures to prevent former employees from gaining access to computers and paper files?
- Are sensitive files segregated in secure areas/computer systems and available only to qualified persons?
- Do you have audit procedures and strict penalties in place to prevent telephone fraud and theft of equipment and information?
- Do all employees follow strict password and virus protection procedures? Are employees required to change passwords often, using "foolproof" methods?
- Is encryption used to protect extremely sensitive information (a particularly important measure when transmitting personally-identifiable information over public networks such as the Internet)?
- Do you regularly conduct "systems penetration tests" to find weaknesses before an attacker does? No system is truly "hacker" proof; a penetration test shows what an attacker could reach today, and the findings must be fixed and re-tested.
- If your organization is potentially susceptible to "industrial espionage," have you taken extra precautions to guard against leakage of information?
D. Additional "Common Sense" Security Practices
Case: A medical office photocopied more of a car accident victim's record than necessary and released extremely sensitive but irrelevant information to the insurance company. Information about the woman's child, given up for adoption 30 years ago, eventually became part of the court record, i.e. a public document.
- When providing copies of information for others, do employees make sure that nonessential information is removed and that personally identifiable information which has no relevance to the transaction is either removed or masked (the process of "redacting" or "severing" the record)?
- Are employees trained never to leave computer terminals unattended when personally identifiable information is on the screen? Do you use password-activated screen-saver programs?
- Are all employees who handle personal information -- including temporary, back-up and contract staff -- trained to be able to detect when they are being "pumped" for personal information by unauthorized and unscrupulous persons? "Pretext" interviews are more common than might be expected and are the stock in trade of persons bent on finding out confidential personal information to which they are not entitled.
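The redaction practice described in the medical-office case above, as an added example that is not part of the original checklist: releases are default-deny (only the fields a hypothetical release policy lists for that transaction type are copied out), and any SSN pattern that leaks inside an allowed free-text field is masked. The record, the policy table and the transaction name are all constructed for illustration.

```python
import re

# Constructed sample record (fictitious data): a medical-office file that
# holds far more than an auto-insurance claim needs to see.
SAMPLE_RECORD = {
    "patient_id": "P-10442",
    "name": "J. Doe",
    "ssn": "123-45-6789",
    "dob": "1952-03-14",
    "visit_date": "1999-08-02",
    "diagnosis": "whiplash, cervical strain",
    "treatment": "physical therapy, 6 sessions (auth SSN 123-45-6789)",
    "notes": "Pt. reports child placed for adoption in 1969.",
}

# Hypothetical release policy: the fields each transaction type may receive.
# Anything not listed is severed from the copy (default deny).
RELEASE_POLICY = {
    "auto_insurance_claim": {"patient_id", "name", "visit_date", "diagnosis", "treatment"},
}

# US Social Security number in its usual dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def mask_ssn(text):
    """Replace every SSN embedded in free text with a fixed mask."""
    return SSN_RE.sub("***-**-****", text)


def redact_for_release(record, transaction):
    """Return (released_copy, severed_fields) for one transaction type.

    Only policy-listed fields are copied; string values are additionally
    scanned so an SSN quoted inside an allowed field does not leak.
    """
    if transaction not in RELEASE_POLICY:
        raise ValueError(f"no release policy for transaction {transaction!r}")
    allowed = RELEASE_POLICY[transaction]
    released = {}
    for field in sorted(allowed):
        if field in record:
            value = record[field]
            released[field] = mask_ssn(value) if isinstance(value, str) else value
    severed = sorted(set(record) - allowed)
    return released, severed


if __name__ == "__main__":
    copy, dropped = redact_for_release(SAMPLE_RECORD, "auto_insurance_claim")
    for field, value in copy.items():
        print(f"{field}: {value}")
    print("severed:", ", ".join(dropped))
```

The two-layer approach matters: field allow-listing handles the structured data, but staff notes and treatment text are where irrelevant identifiers usually hide, so the free-text scan is not optional.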
E. Records Retention and Disposal
Case: An automobile dealer did not shred its loan applications before tossing them into the garbage. A "dumpster diver" retrieved one and used the financial information to commit thousands of dollars of fraud against someone who had applied for a car loan.
- Does your organization have a records retention/disposal schedule for personally identifiable information, whether stored in paper, micrographic or magnetic/electronic (computer) media?
- When disposing of computers, diskettes, magnetic tapes, hard drives and any other electronic media which contain personally identifiable materials, are all data erased and/or is the hardware destroyed? Note that a quick "format" or "initialize" typically rewrites only the file system's directory structures; the data itself remains recoverable until every sector has been overwritten or the media are physically destroyed.
- When disposing of waste and recycling paper, are all documents which contain personally identifiable information placed in secure padlocked containers or shredded?
- Does your recycling company certify its disposal/destruction methods?
F. Facsimile Transmission
Case: A medical doctor who was filing for bankruptcy faxed a financial document to his attorney. He entered the wrong telephone number, and the document was instead transmitted to the local newspaper.
- Is the fax machine in a supervised area, off limits to unauthorized persons? Is use restricted to authorized personnel only?
- Is the fax machine used exclusively for sending non-confidential materials?
- When sending documents, do all users complete a cover sheet which indicates the sender's and receiver's names, addresses and telephone numbers?
- When confidential materials are sent, is notice of their confidential nature indicated on the cover sheet?
- Do users always check the receiver's telephone number before transmitting documents? Do users compare the number displayed on the machine with the number being called to check for errors? Do users check the transmission report after the fax has been sent?
- When transmitting confidential materials, is the recipient notified in advance that the document is being sent? Does the sender check with the receiver to make sure the document has been received?
G. Answering Machines
Case: Message left on the wrong answering machine when the phone number was misdialed: "Hello Mrs. Weaver. This is Judy from the County Parole Office. You called earlier about your daughter Crystal? She has already been taken to the California Youth Authority [juvenile detention center]."
- Are precautions taken for situations when confidential and highly sensitive messages are expected to be left on answering machines? Is the number of the call recipient verified for accuracy? Is permission asked of the intended call recipient to leave confidential messages on the machine? Are non-specific messages left when prior permission has not been obtained from the call recipient?
H. Cellular and Cordless Telephones
Case: As people stood in line to enter the theater, the cellular phone conversation of one theater-goer was overheard by those nearest her. It soon became obvious that the woman was a medical doctor, talking about the care of a patient.
Conversations on cellular and cordless phones are vulnerable to eavesdropping because the signals are transmitted over radio waves. Anyone with a radio scanner can listen to your conversations unless you use newer digital telephones that can "scramble" the signals.
- Are cellular and cordless phones strictly forbidden for conversations involving confidential information in which personal names are revealed, for example, a patient's medical care or a law suit? Are "wireless" phone users cautioned to talk out of earshot of others nearby who might hear their half of the conversation?
- Are all "wireless" transmissions containing confidential information "scrambled?"
I. Portable Computers and Work-at-Home Situations
- Does the organization have policies and procedures for safeguarding personally identifiable information when transported outside of the office by portable computers?
- For employees who work at home, including temporary and contract staff, does the organization have policies, procedures and training programs which emphasize responsible information-handling practices?
- Is the network connection between home and work secure?
J. Social Security Numbers (SSNs) and the Use of Personal Identifiers
Case: The supervisor of a unit within a large state government agency sent an electronic mail message to every employee, listing all their names and Social Security numbers, disregarding the privacy and fraud implications of releasing that information.
The use of SSNs for record keeping purposes and as personal identifiers should be strongly discouraged, and preferably prohibited. Proliferation of SSNs puts customers and employees at risk of allowing unscrupulous persons to obtain the number for fraudulent purposes, for example, gaining access to one's banking and credit accounts.
- If the organization uses the SSN as a record keeping number, does it offer its clients and/or employees the option of using an alternative number?
- Does the organization have a strict policy prohibiting the display of SSNs on any documents that are widely seen by others, for example, time cards, parking permits, employee rosters and mailing labels?
- If the organization requires an access code for certain transactions (i.e., ATM cards, security system codes, building access cards, passwords), does it prohibit the use of SSNs, or any part of the SSN such as the last 4 digits, as personal identifier numbers?
K. List Security Guidelines
Case: Before departing the singles dating service office, a fired employee stole a computer diskette containing the supposedly confidential mailing list of all its clients. He sold the list to other dating services in the area.
- Does your organization maintain information on clients, customers, potential customers, users, and/or members? Does your organization make its lists available to other entities by selling, renting, or exchanging them? If so, the Direct Marketing Association (DMA) recommends that the following guidelines be practiced. These are adapted from DMA's "Fair Information Practices Checklist." The use of the word "customer" below can be altered to fit your specific situation; it can apply to "clients," "members" and "users" alike.
Opt-out program
- Does your organization offer its customers name removal options? Are they effectively communicated?
- Do you subscribe to the DMA's name removal services, the Mail Preference Service (MPS) and/or its Telephone Preference Service (TPS)? Are MPS and TPS names removed prior to list rentals or exchanges?
Security practices
- Is someone in your organization responsible for list security?
- Is someone responsible for keeping up to date on current laws and regulations regarding fair information practices?
- Are your lists physically secure?
- Are there sufficient restrictions on your employees to protect against unauthorized access [for example, audit trails, strict penalties for violation]?
- Does your organization instruct its employees that customer data are confidential [in initial employee orientations and ongoing training programs]?
- Does the organization have adequate security to prevent remote access to your lists via computer?
- Does your organization ensure that list recipients employ sufficient safeguards?
- Does your organization make sure that security measures are in place during the transfer of lists?
- Do you ensure the secure and timely return or destruction of lists used by other entities?
- Do you use a monitoring system to track list usage [such as the use of decoy names]?
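The "decoy names" monitoring practice in the last item above, as an added example that is not part of the DMA or PRC checklist: each copy of the list handed to a rental or exchange partner is seeded with a few fictitious entries whose addresses are derived, via an HMAC, from that partner's identifier. Mail that later arrives at a decoy address identifies which copy was misused. The master list, the decoy names, the secret key, the `example.net` domain and the partner identifiers are all assumptions constructed for this example.

```python
import hashlib
import hmac
import random

# Constructed sample master list (fictitious people).
MASTER_LIST = [
    {"name": "Pat Rivera", "email": "pat.rivera@example.org"},
    {"name": "Chris Nakamura", "email": "chris.n@example.org"},
    {"name": "Sam Okafor", "email": "s.okafor@example.org"},
]

# Assumptions: a per-organization secret (rotate it when list staff change)
# and a domain whose mailboxes the organization controls, so that any mail
# sent to a decoy is actually observed.
SEED_KEY = b"rotate-this-secret-when-list-staff-change"
SEED_DOMAIN = "example.net"
# Plausible-looking fictitious names; decoys must not stand out in the list.
DECOY_NAMES = ["Lee Carver", "Dana Whitfield", "Morgan Ashby", "Jordan Price"]


def decoy_entry(recipient_id, slot, key=SEED_KEY):
    """Deterministic decoy record unique to one list recipient and slot.

    The HMAC tag ties the address to the recipient without storing a lookup
    table; anyone holding the key can regenerate the set for every partner.
    """
    first, last = DECOY_NAMES[slot % len(DECOY_NAMES)].split()
    msg = f"{recipient_id}:{slot}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]
    return {"name": f"{first} {last}",
            "email": f"{first}.{last}.{tag}@{SEED_DOMAIN}".lower()}


def seeded_copy(master, recipient_id, n_decoys=3):
    """Return the list copy to hand to one recipient, with decoys mixed in."""
    copy = [dict(row) for row in master]
    copy.extend(decoy_entry(recipient_id, slot) for slot in range(n_decoys))
    # Shuffle per recipient so decoys are not simply the last rows, and so
    # two partners comparing their copies cannot line the decoys up.
    random.Random(recipient_id).shuffle(copy)
    return copy


def identify_recipient(observed_email, recipient_ids, n_decoys=3):
    """Map an address that received unauthorized mail back to the leaked copy.

    Returns the recipient identifier, or None if the address is not a decoy
    issued to any of the given recipients.
    """
    observed = observed_email.strip().lower()
    for rid in recipient_ids:
        for slot in range(n_decoys):
            if decoy_entry(rid, slot)["email"] == observed:
                return rid
    return None


if __name__ == "__main__":
    partners = ["dating-svc-A", "dating-svc-B", "dating-svc-C"]
    for rid in partners:
        for row in seeded_copy(MASTER_LIST, rid):
            print(rid, row["name"], row["email"])
    # Simulate an unsolicited mailing arriving at one of B's decoys.
    leaked = decoy_entry("dating-svc-B", 1)["email"]
    print("leak traced to:", identify_recipient(leaked, partners))
```

In practice the decoys should also include postal addresses and telephone numbers the organization controls, since lists are misused on every channel; the same derivation works for any field.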
Use of marketing data
- Is your organization collecting only those consumer data that are pertinent and necessary for the purpose at hand?
- Are you sensitive to a consumer's expectation that some personal information may be considered confidential and should not be used for marketing?
- If your organization contributes customer data to a cooperative database, are you satisfied about the database''s security?
Data accuracy
- Does your organization have the means to update its customer data?
- Are customer data reviewed/revised by your organization on a regular basis?
- Are customer inquiries regarding data accuracy answered promptly and to the customer's satisfaction?
Additional tips
The Privacy Rights Clearinghouse suggests these additional list security guidelines:
- Do you disclose up-front the intended uses of the data that are collected?
- Do you allow the data subjects to inspect and correct data held about them?
Section II. Development Of Privacy Policies To Guide Employee Relations
A. In-house Organizational Privacy Policies
Does your organization/company/agency have policies for handling the personal information of your employees? Such policy statements typically concern hiring procedures, personnel records, medical records, discipline procedures, electronic mail usage and electronic monitoring.
This document focuses on the technology-related workplace privacy issues: electronic mail/voice mail and electronic monitoring.
B. Electronic Mail (E-Mail) and Voice Mail Systems
Case: Charles was absent from work for a month on disability leave. Upon his return, he was shocked to discover that his supervisor had changed his password and listened to his voice mail messages.
- Does your organization have a policy regarding the privacy expectations of its employees, as well as any third party users (i.e., clients, customers), who use the e-mail and/or voice mail systems?
- Are those policies effectively communicated to all employees and third-party users?
Points to include in your policy:
- The purpose for which the system is to be used (business only? personal matters allowed? no trade secrets discussed?)
- Penalties for misuse
- Who is authorized to access e-mail/voice mail messages; the disposition of e-mail/voice messages when the employee is on temporary but extended leave;
- The retention/purge schedule for files, including retention procedures for possible use as legal evidence;
- Expectations for privacy (none? only in files marked "private"?)
- Password creation/change procedures
- The use of encryption (prohibited? allowed? required for sensitive communications?)
- Safeguards concerning copying and forwarding messages, especially messages containing personally identifiable data;
- How the policy is communicated; employee notice and training programs.
C. Electronic Monitoring
An increasing number of employers are using a variety of employee monitoring practices: telephone systems which allow supervisors to listen to telephone calls, computer keystroke monitoring systems which can determine work productivity, video monitoring systems, Internet usage tracking, and locational detectors.
- Does the organization have a policy which states the types of monitoring being conducted and the uses made of monitoring data? Does the policy include procedures to safeguard sensitive personal information encountered in the process of monitoring? Is this policy communicated to all employees at time of hiring?
- If telephone monitoring is being conducted, does the organization provide telephones that are not monitored which can be used for personal calls (at least pay-phones)?