Protect Privacy, Step by Step

A step-by-step process for protecting your company by guarding customer privacy.

A flurry of federal and state regulations and international laws is pushing data privacy management to the top of the business agenda. Companies that fail to comply with those laws will increasingly be exposing themselves to legal liability from their customers and from regulators.

Laws such as the Health Insurance Portability and Accountability Act and the USA Patriot Act have already established information privacy rules for companies in the health care and financial services industries. New this month is California's SB 1386 identity protection bill, and coming down the pike are other state and federal versions of the law. International rules such as those covering European Union nations and Canada are also forcing U.S. companies to confront privacy issues.

For a lot of companies, complying with such regulations will require a substantial effort from both a technology standpoint and a process standpoint, says Paul Paez, president of Privastaff Inc., a San Jose-based privacy consultancy.

Even so, the laws make it vitally important for companies to develop privacy policies, practices and procedures, says Charlene Brownlee, an attorney at Fulbright & Jaworski LLC in Austin. "A company's liability will be measured against what steps it took to protect data privacy," Brownlee says. "You are going to need to show what you did to be in compliance with industry standards."

That means clearly articulating a privacy policy and then taking the following technology and process measures to implement and manage it.

  • Assess what steps need to be taken in order to comply with privacy regulations relating to your business and with your company's privacy policies.

  • Audit how and why personal data is collected, used, shared, accessed, stored and protected.

  • Look at the manual and automated processes that are involved in this cycle and figure out which gaps need to be filled.

    As obvious as these measures may seem, this kind of gap analysis is a crucial first step to any privacy management effort, Brownlee says. Otherwise, there's simply no telling where or how personal information is embedded within your enterprise and how it needs to be protected.

  • Control who touches the data and why, says Arshad Noor, CEO of StrongAuth Inc., a Cupertino, Calif.-based identification management firm. Have formal processes for restricting physical and virtual access to confidential customer or employee data.

  • Secure the manual and automated processes by which data is copied, shared, backed up and stored. For instance, limit the number of people who have physical access to backup tapes or other storage media containing confidential information. Have strong user-authentication and access-control technologies to ensure that only authorized people have access to confidential information, Noor suggests.

  • Understand what permissions are associated with personal data used by applications -- especially ones such as CRM, ERP and supply chain, says Paez. A lot of the customer data may have been collected in a manner not consistent with new regulations or the company's privacy policy, he says. See whether the permissions need to be updated and new permission fields need to be added to these applications. Investigate and implement processes for tracking and storing user permissions and for seeing that the data is used in a consistent manner across all applications, Paez says.

  • Encrypt all confidential data when it's being transmitted and when it's at rest on storage media. That way, even if the systems or media holding it are compromised, the information remains protected. Encryption might also provide some legal cover for companies that get hacked. Businesses that encrypt data are specifically exempt from California's SB 1386, for instance. It may also be a good idea to consider storing a user's name separately from other pieces of identifying information such as a Social Security or driver's license number.

  • Collect personal information only if it's absolutely needed, and don't store it for longer than you need it, Brownlee advises. Examine whether storing personally identifiable information, such as Social Security and driver's license numbers, is really key to your business.

    If not, are there alternatives to collecting and storing such information? The more personal data you collect, the greater your liability exposure, according to Brownlee.

  • Implement good configuration management, asset management and change management processes, Noor says. Make sure that the hardware, operating systems and networks that process personal data are hardened and locked down. Shut down all unnecessary functions, configuration settings and permission fields, he says. Stick the servers behind firewalls.

Copyright © 2003 IDG Communications, Inc.
