
The privacy policy problem, Part 2: Controlling business partners

Business partners could be a wild card

Security Strategies Alert By M. E. Kabay, Network World
August 28, 2008 12:02 AM ET

The long view of security strategies for your network.


In this series of four articles, I'm exploring privacy policies. Today I'll continue with an analysis of potential problems due to independent partner organizations working on behalf of their clients without adequate supervision and coordination.

First of all, if one of the sites you are paying is selling or otherwise sharing with your competitors the names and contact information of people who enquire specifically about your products, programs, and services, you may want to discuss their practices with them. On economic grounds alone, such behavior may be counterproductive; worse, it may tarnish your reputation as an institution of integrity or erroneously give prospects and clients the impression of improper behavior. Therefore, your organization should periodically audit sites marketing information about you on the Web.

For example, in researching this question I found sites whose privacy policies do little to protect visitors’ privacy. Some of these policies state that information collected on the site may be shared with business partners, service providers, sweepstakes and promotions organizers, subsidiaries, law enforcement, and non-affiliated companies.

One text about non-affiliated companies would raise concerns for anyone. The policy begins reassuringly, “We do not share Information with any non-affiliated third party except: (1) in select circumstances when Our business partner refers you to Us and you give Us permission to share specific Information, such as your name and e-mail address, with such business partner on your order form.”

Unfortunately, it continues with “or (2) when Our business partner provides a product or service that We feel may be of interest to you.” That second part makes the assurance meaningless. The statement means that the company will share personally identifiable information with anyone it chooses to do business with – or more bluntly, to whom it will sell prospects’ names for profit. Give them enough money and I’m sure that practically anything will seem interesting.

The lesson I draw from this cursory investigation is that no one can afford to do business with people who do not use the same strict policies of privacy protection as their own organization. Readers should perform a systematic audit of all their organizations’ links to third parties to verify that deviations from their privacy policies do not lead to embarrassment and legal liability.

The unacceptable site I located includes methods for opting out of the unwanted advertising and sharing of personally identifiable information; that topic is the subject of the third article in this series.


M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
