Privacy issues a growing concern for business

WASHINGTON -- The threat of privacy enforcement from the federal government, states and private litigation, may be emerging as the leading concern of businesses in the year ahead. The signs are adding up.

The Federal Trade Commission is showing more aggressiveness. Last month, the FTC settled its first security-related privacy case against Eli Lilly and Co. in Indianapolis, which released nearly 700 customer addresses collected through its Prozac.com Web site last summer (see story). Also last month, Toys R Us Inc. in Paramus, N.J., paid $50,000 to settle a complaint by the New Jersey attorney general over its privacy practices.

In each action, the companies were required to make changes. In Lilly's case, it was a change in business practices effecting security. For Toys R Us, it was modifications to the company's privacy practices.

In fact, according to Zoe Strickland, chief privacy officer of the U.S. Postal Service, enforcement "will perhaps have a larger impact than legislation."

There are also fears that privacy laws, particularly in the health care and financial sectors, may encourage private litigation. "Enforcement is an issue for us," said Richard Rosenhagen, privacy officer at Good Samaritan Hospital in West Islip, N.Y., particularly through litigation. "We don't know what kind of risks we're going to be dealing with."

The FTC is clearly emphasizing enforcement. The Bush administration has brought a philosophical shift to the agency's approach on privacy. The FTC during the Clinton administration focused on corporate data collection practices and sought privacy legislation offering basic consumer protections. The Bush administration is targeting the misuse of data.

Howard Beales, the FTC's consumer protection chief, speaking at the International Association of Privacy Officers conference today, said there are worthwhile trade-offs in data corporate project practices. But he said companies should be accountable to their stated privacy practices.

"The events of Sept. 11 make it clear that privacy is not and cannot be an absolute right," said Beales. "We're all willing to make practical compromises between privacy and other goals such as security. The same is true in the commercial arena. Information-sharing poses some risk, but it also offers enormous benefits."

The FTC will step in when needed, but not necessarily in every case. Referring to the Lilly incident, Beales said regulators recognize that some "breaches are inevitable." In deciding what course of action to take, the FTC will ask company two questions: "Did you have a system in place that was appropriate to the sensitivity of the information, and did you follow your procedures?"

Along with regulatory action, companies may face private lawsuits over privacy actions. Those actions, however, have been slow in coming because it's difficult to show damages with privacy violations, said Larry Ponemon, CEO of Privacy Council Inc. in Richardson, Texas. "But I think it's coming," he said.

Although there are a number of privacy bills pending in Congress, there was skepticism among some at the conference about whether lawmakers are ready to deal with this issue -- and the White House doesn't seem to be pushing the issue.

Chris Israel, Department of Commerce official, said the administration is monitoring legislation in Congress, and continues to "remain engaged with industry." But it hasn't taken a stand on pending bills.

Not everyone at the FTC agrees with this approach. FTC Commissioner Mozelle Thompson said at the conference that while he supports an enforcement approach, he still believes there is a benefit to some kind of legislative privacy baseline.

Related stories:

Copyright © 2002 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon