The privacy challenge

Opinion
May 30, 20053 mins

Here’s a new item for your to-do list: Craft a data privacy architecture for your organization.

Last week’s column closed with a quote from Bruce Schneier, noted cryptographer and security guru, about the challenges of ensuring privacy in the Information Age. It’s a nontrivial issue: Many key U.S. privacy laws predate the Internet, and courts have been contradictory at best when it comes to interpreting them in the context of electronic communications and presence technologies.

Moreover, although several regulations collectively govern data privacy and identity-information management in different geographies and industries, the U.S. (unlike Canada, the European Union and Japan) lacks an overall framework setting out the principles of privacy for all citizens.

This means that creating a data privacy architecture that passes regulatory muster is a major challenge. For one thing, you might not be aware of regulations that apply to your organization, as this happened to an IT executive I spoke with recently. The CTO for a large university in the Midwest, he was well aware of the Family Education Rights and Privacy Act (FERPA), which protects the privacy of student records. But he hadn’t been following California Database Security Breach 1386, which requires prompt notification of any privacy breaches affecting California citizens. The lapse is understandable, given that all university employees and faculty reside several states away from California.

But guess what? Many of his students are California residents, and therefore fall under the purview of CA SB 1386. That means this CTO has two choices: Ensure his school’s overall privacy-notification process is up to California standards, or treat the California students separately. Naturally, he’s going with the former.

For IT execs, the action items are clear.

The first step is to educate yourself. Healthcare organizations already know all about the Health Insurance Portability and Accountability Act (HIPAA), and financial firms are all over Gramm-Leach-Bliley (GLB), which respectively mandate the privacy of individual healthcare and financial data.

But don’t assume that because you’re up to snuff on HIPAA and GLB you’ve got chapter and verse on privacy. As noted, CA SB 1386 affects you if you have employees or customers who are California residents – which these days, includes practically everybody. Then there’s the Fair and Accurate Credit Transactions Act (FACTA), which requires companies to raise red flags if customers have potentially been victimized by identity theft; and it applies to any financial agency that stores and uses credit reports. If you have customers, employees or business partners outside the U.S., get up to speed on Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Europe’s EU Directive 95/46 and Japan’s Personal Information Protection Act.

You get the idea. Make sure your organization is up to speed on all the relevant rules and regulations. But don’t stop there. Once you’ve figured out what directives to comply with, you need to define the policies and processes to execute your privacy strategy – and determine who to task with the challenge. Finally, you’ll want to assess the tools and technologies that can help.