Firms Held to Privacy Pledges

Push for enforcement could spur litigation

Washington—Federal and state governments are marching companies into courtrooms for breaking their own data privacy pledges. And private lawsuits may not be far behind.

Enforcement actions "will perhaps have a larger impact than legislation" has had on companies thus far, said Zoe Strickland, chief privacy officer at the U.S. Postal Service, during a privacy conference here last week.

Just last month, for example, the Federal Trade Commission settled its first security-related privacy case against Eli Lilly and Co. after the Indianapolis company released nearly 700 customers' e-mail addresses collected through its Web site. In addition, Toys R Us Inc. in Paramus, N.J., paid $50,000 to settle a complaint by the New Jersey attorney general about its privacy practices.

In each settlement, the companies were required to make changes to their business practices, impacting security in Eli Lilly's case and the privacy practices of Toys R Us.

There are some worries that privacy laws, particularly in the health care and financial sectors, may encourage private litigation.

"Enforcement is an issue for us," said Richard Rosenhagen, privacy officer at Good Samaritan Hospital Medical Center in West Islip, N.Y., particularly through litigation. "We don't know what kind of risks we're going to be dealing with."

The FTC is clearly emphasizing enforcement. The Bush administration has brought a philosophical shift to bear on the agency's approach to privacy matters.

During the Clinton administration, the FTC focused on corporate data collection practices and sought privacy legislation, whereas the Bush administration is targeting the misuse of data.

Accountability, Trade-offs

Howard Beales, the FTC's consumer protection chief, said at the International Association of Privacy Officers conference here last week that there are worthwhile trade-offs in corporate data management practices, but companies should be held accountable for their stated privacy policies.

"Information-sharing poses some risk, but it also offers enormous benefits," such as consolidated statements, instant credit approval and lower business costs for transaction processing, said Beales. "Such benefits should not be sacrificed needlessly."

The FTC will step in when needed but not necessarily in every instance, he said. In deciding what course of action to take, Beales said, the FTC will ask a company two questions: Did you have a system in place that was appropriate to the sensitivity of the information, and did you follow your procedures?

Along with regulatory action, companies may face private lawsuits. There have been few lawsuits so far because it's difficult to show damages from privacy violations, said Larry Ponemon, CEO of Privacy Council Inc. in Richardson, Texas. "But I think it's coming," he said.

Although there are several federal privacy bills pending, there's skepticism among observers about whether either Congress or the White House is ready to deal with this issue.

Chris Israel, a U.S. Department of Commerce official, said the administration is monitoring legislation in Congress and continues to "remain engaged with industry," but it hasn't taken any stand on pending bills.

Not everyone at the FTC agrees with this approach. Mozelle Thompson, a commissioner at the FTC, said at the conference that while he supports enforcement, he still believes that there's a benefit to having some kind of legislative privacy baseline.


Politics of Privacy

Legislation: Privacy bills are still pending in Congress, but there are doubts about whether lawmakers are ready to take action. One incentive: Businesses want federal preemption of state privacy laws.

Federal approach: Bush is aggressive on privacy law enforcement but has shown little interest so far in privacy legislation.

Lawsuits: A threat, but showing damages is difficult.

Copyright © 2002 IDG Communications, Inc.
