Security: PRIVACY AND SECURITY ARE NOT THE SAME

MANY MISTAKENLY BELIEVE THAT COMPLIANCE WITH DATA SECURITY REGULATIONS AND GOOD SECURITY PRACTICES (THE DIFFERENCE BETWEEN COMPLIANCE AND SECURITY BEING DETAILED IN AN EARLIER ARTICLE) ARE SYNONYMOUS WITH GOOD PRIVACY PRACTICES.
by Heather Randall

    Recently, the federal government has begun to focus more on the issues of consumer privacy. The Federal Trade Commission has filed complaints against a number of companies for failure to ensure the privacy of information that is provided by their customers. State governments have also begun to legislate issues of consumer privacy: California for example passed fifteen privacy bills in 2003. This focus seems to coincide with the burgeoning attention paid to data security issues, especially in the payment services vertical. As a result, many mistakenly believe that compliance with data security regulations and good security practices (the difference between compliance and security being detailed in an earlier article) are synonymous with good privacy practices. The fact is that, while security is one aspect of privacy, the two terms are not interchangeable. Privacy practices go far beyond simply ensuring that personally identifiable information is protected from unauthorized disclosure.
   Almost all online activity leaves some traces. The traces may consist of tracking cookies or spyware that is inadvertently downloaded to the user’s computer. Regardless of the source of these traces, the endpoint is the same: a user’s activities are transmitted back to a person or organization that is attempting to divine the habits and preferences of individual users. Furthermore, some websites request that users supply personal information in order to register or log in to the site. The result is that every day, sometimes voluntarily and sometimes unknowingly, users are transmitting personal data across the web. In addition to website registration and tracking cookies, more and more customers are becoming comfortable with commerce and banking over the internet, so increasingly sensitive information is being transmitted online. Companies, often reluctantly, are now responsible for ensuring that the information transmitted to them is used in a manner consistent with the wishes of their customers.
    Plainly speaking, the two concepts, security and privacy, are related but not identical. As has been established in previous writings, information or data security can be defined as “a measure or measures taken to guard against a threat or vulnerability”. The objective of security is to mitigate risk to an acceptable level. Privacy, in contrast, has been defined by the International Association of Privacy Professionals (IAPP) as “the appropriate use of personal information under the circumstances…Also the right of the individual to control the collection, use, and disclosure of personal information.” Based on these definitions one can see that preventing unauthorized disclosure of information (data security) is a component of privacy. However, as the IAPP definition illustrates, privacy practices entail much more.
    The Federal Trade Commission (FTC) has developed guidelines for “Fair Information Practices.” Though the Practices are not mandated, they establish a baseline of privacy in an effort to standardize privacy practices across businesses and industries. The Fair Information Practices comprise five basic components: Notice and Awareness, Choice and Consent, Access and Participation, Security, and Enforcement.
    “Notice and Awareness” is a relatively straightforward principle. It indicates that consumers should be made aware that personally identifiable information will be collected during their visit to the website. Additionally, the company must inform the consumer of any consequences of not providing personal information. For example, if the consumer chooses not to fill out the enrollment form, they may not be able to log on to the website’s “Members Only” section. The length and exhaustiveness of the notice will vary according to the specific practices of the entity collecting the information. Among the information that the FTC recommends companies disclose is the identity of the company or entity that is collecting the information, the use to which the information will be put, and what steps are taken to ensure that the information remains confidential. Only after being made aware of the need for the information and the consequences of not providing it can the consumer make an informed decision to disclose personal information.
    The second principle of Fair Information Practices is the tenet of “Choice and Consent.” This principle is related to the issue of secondary use of personally identifiable information. A secondary use of information is defined by the FTC as any use of personal information beyond the completion of the immediate transaction. Such use may be internal, such as analysis by the marketing department, or external, such as the use of a direct marketing firm to send mass mailings to customers. According to the Fair Information Practices, consumers must be given the opportunity to decide whether or not their information can be used for such secondary purposes.
    The third principle is that of “Access and Participation.” Here the FTC recommends that entities that collect personal data make provisions allowing individuals to access that information. The access is granted so that individuals can ensure that the information on file is accurate and complete. If the information is inaccurate, the individual must also be afforded the opportunity to correct the data. Access must be given in a manner that does not impose undue burdens on the individual; it must be timely and inexpensive.
    The principle of “Security” is perhaps most often associated with the notion of privacy. This is largely due to the expectation that properly implemented security measures will mitigate the risk of unauthorized disclosure of information. Both technical and administrative steps must be taken to satisfy the FTC’s security recommendations. The security that is implemented should be consistent with industry best practices and protect against commonly known vulnerabilities. Unfortunately, this principle is also where some companies tend to overextend themselves in their promises to customers. A popular national pet store chain was recently cited by the FTC for making false security promises in its privacy statement. The company offered users of its website a “‘100% Safeguard Your Shopping Experience Guarantee’ so you never have to worry about the safety of your credit card information.” When that same company was attacked using a well-known SQL injection technique, consumers’ credit card numbers and other personal information were revealed in clear text. It is imperative to ensure that industry best practices regarding information security are followed. It is extremely helpful to engage an information security firm to ensure that regular security assessments, including tests for the most current vulnerabilities, are conducted, in addition to achieving compliance with relevant industry and legislative mandates.
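The following is an added illustration, not code from the article or from the company it describes, of the class of flaw behind the incident above: a customer lookup that builds its SQL by string concatenation, beside the same lookup using bound parameters. The table, the two customers, their passwords and the card numbers are all constructed sample data. The table also stores passwords and card numbers in clear text, mirroring what the article says the attack exposed; that is a separate storage control (hashing, tokenization or encryption) that this example does not fix.

```python
import sqlite3

# Constructed sample data (not from the article): clear-text passwords and
# card numbers, stored the way the breached site apparently stored them.
CUSTOMERS = [
    ("alice", "s3cret", "4111111111111111"),
    ("bob", "hunter2", "5500000000000004"),
]


def make_db():
    """Build an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, password TEXT, card_number TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username, password):
    """Injectable: user input is spliced directly into the statement text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT username, card_number FROM customers WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username, password):
    """Hardened: placeholders send the values separately from the statement,
    so the database only ever compares them as data, never parses them."""
    sql = (
        "SELECT username, card_number FROM customers "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


# Classic payload placed in the password field. In the concatenated query it
# yields  ... AND password = '' OR '1'='1'  ; AND binds tighter than OR, so
# the OR '1'='1' branch is true for every row and every card number comes back.
INJECTION = "' OR '1'='1"


def demo():
    """Return what each lookup hands back for a normal login and for the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": lookup_vulnerable(conn, "alice", INJECTION),
        "parameterized_normal": lookup_parameterized(conn, "alice", "s3cret"),
        "parameterized_injected": lookup_parameterized(conn, "alice", INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running the block shows the injected password dumping both customers’ card numbers through the concatenated query while the parameterized query returns nothing, because there is no row whose password is literally the payload string. Bound parameters are the control an assessment would check for; the clear-text card numbers are the second failure, and parameterization alone does not address it.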
    Lastly, companies must provide a method of “Enforcement and Redress” in the event that customers feel the privacy policy is not being followed. Merely posting a privacy policy is not enough to ensure that privacy is guaranteed. There are a number of methods of enforcement recognized by the FTC; they include industry self-regulation, legislation that creates private remedies for consumers, and legislation that provides for civil and criminal penalties for companies in violation of their privacy policies. As with the Access principle, customers’ access to enforcement mechanisms must not create an undue burden on the customer. There must also be some consequence for the company for not adhering to its own privacy policy. A policy that carries no repercussions for non-compliance carries little weight.
    One key element to creating and implementing a robust privacy policy is communication. In reviewing the complaints charged by the FTC in the last several years, it becomes clear that many of the policies were written either by the marketing department or the legal department, without input from the departments that create or maintain the website. The result is either an impossible guarantee or a policy filled with legal jargon, neither of which reflects the actual technical or administrative practices of the company and its website.
    Many companies are beginning to engage firms that specialize in privacy and security to help them create and implement a privacy policy. In addition, these firms offer ongoing monitoring of websites and policies to ensure that the company stays compliant with its own policy. This serves two purposes. First, and most obviously, it allows companies to monitor their own compliance and to take steps to correct any issues that may preclude compliance and result in unauthorized disclosure of personal information. Secondly, in the event that such a disclosure does occur despite the best efforts of the company, enrollment in such a program may demonstrate to the FTC due diligence on the part of the company in attempting to maintain the privacy of the information collected.
    As one might imagine, privacy policies are not of the one-size-fits-all variety. Companies must determine what uses personal information will serve for the company beyond the immediate completion of the transaction. Some companies may decide that the liability associated with collecting and/or sharing information outweighs the benefits. Other companies may decide to strictly limit the uses of such information to only aggregate data to be used by internal departments. Such decisions should be made after conducting a thorough analysis of internal resources, capabilities and needs.