The title of this blog is a phrase typically heard among children playing “Hide and Seek.” I use it here as a reference to companies hiding from Privacy Regulations, or at the very least avoiding the best practices available when it comes to Privacy Principles.
Why Do Companies Hide From Privacy Regulations?
The short answer is: enforcement is not yet strong enough for them to care. Organizations do very little to actually secure your PII and practically nothing with regard to the other Privacy Principles such as Notice, Choice, Disclosure, Consent, etc. Do not get me wrong: the United States of America is the best country in the world, but we are well behind the curve when it comes to comprehensive Privacy Regulation. With that being said, I do believe the FTC feels the same way and is taking steps to address the problem of lackluster Privacy Regulations. It has shown its focus on improvement through the report it released late last year, “Protecting Consumer Privacy in an Era of Rapid Change.” The FTC wants businesses to start adhering to the following philosophy, which it also expects to serve as the basis for future legislation:
- Privacy by Design – Companies should build Privacy Principles into their regular business operations rather than bolting them on afterward.
- Meaningful Privacy Options for Consumers – Companies should offer consumers clear and prominently disclosed choices for any data practices beyond those needed to carry out the transaction the consumer requested.
- Transparency – Companies should improve transparency for all of their data collection and use practices.
In other words, companies are running out of wiggle room when it comes to avoiding Privacy Principles and securing your PII.
What Should Companies Do Now?
Companies need a Privacy Gap Assessment performed. This type of assessment identifies every business process and data flow in which PII is collected, stored, used, or shared. Once the data flows are identified, a framework such as the Generally Accepted Privacy Principles (GAPP) should be applied to each specific business process. In addition, companies that do business in jurisdictions such as the European Union, Canada, or Mexico may have to adhere to the Privacy Regulations imposed there. Most of these Privacy Regulations restrict the trans-border flow of information from those jurisdictions to the United States and other countries not deemed to have adequate Privacy Laws. Most U.S. states now have data breach disclosure laws that organizations must follow as well. All of these laws require disclosure to affected individuals after a breach, and some also require the organization to maintain an Information Security Program.
Finally, in my experience, the employees responsible for privacy within an organization are overconfident about their compliance with Privacy Regulations. More often than not, while talking to companies about privacy, I hear, “We are already compliant with Privacy Regulations. Let’s talk about something important like PCI.”
When I hear this response, my immediate counter is to whiteboard all of the business processes that handle PII. It typically does not take much more than that to expose their privacy issues. If you don’t know which processes take in PII, there is no way of knowing what types of PII you are collecting. If you don’t know what PII you are collecting, then you don’t know which Privacy Regulations you must adhere to. If you don’t know which Privacy Regulations you must adhere to, then you certainly don’t know what controls are required. And if you don’t know what controls are required, how is it possible to protect that information?