Friday, July 10, 2009

What is a privacy policy, and what is an identity theft policy? What's the difference?

Good morning, all. I have been noticeably absent from my column duties while I took care of some other projects and fit in a short vacation.

Very often when I speak with business owners, especially in small to mid-sized organizations, I find that a lot of them either confuse a company privacy policy with identity theft, or believe that an identity theft policy is an outgrowth of a privacy policy or statement.

In very general terms, the two are not the same and in fact address two different issues. A privacy policy deals with either company intellectual property or customer information. Any business that collects customer information in the course of doing business must have a privacy policy that informs customers how their information is used and protected, and what encryption procedures apply to transactions. That falls largely under the direction of the Payment Card Initiative, PCI DSS rules to protect the public from fraud resulting from purchase transactions. Customers are also protected by other state and federal laws, such as the FTC Act and FCRA, that prohibit companies from distributing personal information without regard to personal privacy, without first notifying the client of their intent. That issue is being hotly debated again due to the proliferation of social networking websites.

Another area of privacy policy is the protection of company secrets: proprietary information regarding how a business operates, and its plans and strategies. While the distribution and misuse of personally identifiable information (PII) is highly regulated by consumer law, protecting company secrets is a matter of internal policy. Businesses engaged in technological and scientific research and development often have non-disclosure agreements with employees to protect that kind of information. Employees who violate those agreements are subject to termination, and possible prosecution as a breach of contract.

An identity theft policy addresses the area of PII data loss: a definition of what the company considers to be PII, the various forms in which the company stores and uses PII, and finally the procedure the company has put into place to respond to breaches and to protect the individuals who might be affected and are at increased risk of identity theft resulting from a company breach. This policy must address not only the data the company keeps on its clients but also its employees' personnel records, and it must also address the identity theft policies of any contractor or service provider who might have access to that information. Vendors can include not only outsourced HR, payroll, insurance and benefits brokers, but also cleaning services, construction contractors, and even parking services: any business that has the potential of obtaining PII.

It isn’t my intention to delineate what the law is or provide legal advice in these areas, but instead to provoke thought on the part of businesses. With new legislation such as GLB, FACTA, and now the Red Flags Rule under FACTA, the banking regulators and the FTC have made it clear that in order to stem the tide of identity theft, and of the company data breaches that result in the majority of identity theft, businesses need to take certain steps proactively to prevent breaches and to respond quickly and effectively when they do occur.

Every company is different and therefore needs to take the steps that are most effective for that organization. It all begins with an honest risk assessment on the part of each company to find the weak links in information security, and to train the staff on their responsibilities. Establishing a clear identity theft policy is the roadmap every responsible business uses to lay out everyone’s duties and how the business will handle data breaches. The FTC auditors investigating companies that have experienced these breaches are most interested in seeing what a business did to protect the information before the breach. A proactive identity theft policy is good policy, and good business.