The privacy policy problem, Part 4: Reality hits home

Protecting privacy can be complex
Security Strategies Alert
By M. E. Kabay, Network World
September 04, 2008 12:02 AM ET

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.


In the last three columns, I’ve been looking at the complexities of protecting client or prospect privacy (personally identifiable information or PII) in an interconnected world.

The problem is greatly complicated by the web of relationships that can develop in the world of marketing. The relationships can involve remote firms that have contracts with your marketing division or contracts with firms that are one or more levels removed from direct interaction with your organization. Worse still, some sites may even be run by rogue organizations which have never had any contractual links whatever with you or with any of your legitimate agents. These facts make it almost impossible to prevent PII from visitors interested in your products, services or programs from being spread to other institutions.

You are left with a distasteful duty to warn all applicants that you can control the use of their PII only when they enter data into forms directly under the control of your own staff or of firms which have contractual obligations to follow your privacy policy. Examine your privacy policies to see if you should include explicit warnings that they apply only to your clients and not to people asking for information. It may make sense also to include a warning about the impossibility of your controlling privacy policies on Web sites outside your own domain.

In terms of response to complaints, you will have to continue being prepared to respond, basically, “Caveat emptor” (buyer beware). You can prepare general texts regretting (and repudiating) the impression that your organization has violated any privacy policy and explaining that anyone entering data on any Web site would do well to examine the local privacy policy for clarification of what degree of protection is offered for PII. If the privacy terms seem too loose, privacy-conscious individuals may decide to skip using those Web sites; instead, they can look for safer, more trustworthy alternatives that provide the same access to the desired information.

As mentioned above, an additional and probably intractable problem is that not everyone who uses your name and your logo necessarily has any business relationship with your organization at all. Phishing (using fake e-mail that looks like legitimate messages from well-known organizations) and pharming (using fake Web pages that look like legitimate Web sites belonging to well-known organizations), for example, are based on impersonation of business entities.

Someone could easily use your organization’s name and logo on a form claiming to be related to providing information about your organization, products, services or programs – and then simply use the collected PII for their own purposes. Failure to send the victim the requested information reflects badly on your perfectly innocent and unknowing organization; selling the PII to spammers makes you look terrible. And what are you going to do about it?

If someone is abusing your trademark or your servicemark, you can sue them for misappropriation – if you can find them. With fraudulent Web sites appearing and disappearing with lifetimes measured in hours or days, it is going to be hard to locate the criminals who are ruining your reputation.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.


Comments (2)

There is NO privacy
By Schratboy on September 5, 2008, 8:21 pm

Plug-n-play. Ubiquitous connectivity. Cellular phones. Twitter. Tweets. SMS. Mobile email.... There is NO privacy, nor do I think people really care.


Unique Email Addresses
By rarpsl on September 8, 2008, 5:46 pm

The use of unique email addresses is the same technique that is used when supplying address lists to others to use (such as printing mailing labels for magazine...
