Privacy policies, privacy notices or privacy statements have become ubiquitous on websites. They tend to follow the same format and use the same wording, which usually follows samples published on the Internet by numerous organizations. Occasionally, it is clear that an online privacy policy was copied from another company’s website, as indicated by inadvertent errors, such as failing to remove the other company’s name or contact information… Website privacy policies represent the tip of an iceberg that may lead companies to serious legal exposure if not addressed with adequate scrutiny and an understanding of the numerous legal issues and technical implications. There are many different types of privacy policies, from those that apply to online data, to those that apply to data collected by financial institutions, those that pertain to interaction with children under 13, those that apply to individuals protected by certain foreign laws, etc. Of course, there is no “one size fits all.” Developing an Enterprise Privacy Program is complex. Typically, a company will need to address privacy in many different aspects of its operation: the website, the marketing department’s prospect database, the pro-bono charity that involves the children’s club in town, the data received from its Italian distributor, and many other activities. The creation of the Enterprise Privacy Program usually requires the top-down cooperation of the many players in an enterprise. The C-level executives will set the tone and approve funding for the project. The mid-level managers will develop the details of the online and offline policies and procedures, which differ from one department to another. The staff will be trained on, and apply, the policies and procedures. The development process and ongoing maintenance of the privacy policies and procedures will require a thorough understanding of the company’s data management practices and the technical capabilities of its computer systems.
It will also require knowledge of the legal issues and restrictions imposed by a myriad of federal, state, and sometimes foreign, laws, regulations, and agency rulings on the collection, use, transfer, and protection of personal data by or on behalf of the enterprise. This article presents an overview of the strategies, activities, and different phases in the development of an Enterprise Privacy Program.

WHY DOES YOUR COMPANY NEED AN ENTERPRISE PRIVACY PROGRAM?

There are many reasons why a company should, or would want to, implement an Enterprise Privacy Program. While in a few cases the need may merely come out of peer pressure (to compete with others in the same marketplace), generally there are actual laws and government rulings that may compel a company to pay serious attention to its personal data collection and use practices. In the past few years, numerous information privacy and information security laws were enacted and are now in effect. As a result, companies are compelled to develop a Privacy Program to comply with the requirements placed on their industry. For example, the HIPAA Privacy Rule requires certain “covered entities,” which include health plans, healthcare providers, and healthcare clearinghouses, to have a privacy policy and to communicate it to the patients. This law affects not only these covered entities, but also any company that does business with a covered entity. The HIPAA Privacy Rule places on business associates of these covered entities obligations that are almost as comprehensive as those for covered entities. There are also state laws, which complement or supplement federal laws. For example, California has just passed a law that will require any company that does business in California and operates a website to display a privacy policy on its website.
In addition, effective January 2005, California will require any company that discloses a customer’s personal information to a third party for direct marketing to provide the customer, upon request, with the names and addresses of the recipients of that disclosure and details of what was disclosed. Privacy policies might also be needed to respond to clients’ requirements in service contracts. For example, companies doing business with financial institutions subject to the Gramm Leach Bliley Act may have to enter into written agreements pursuant to which the subcontractor commits to comply with specific privacy and security requirements for the confidential personal financial information it receives from the financial institution. Similarly, companies established in foreign countries, for example member countries of the European Union, will not transfer data to the United States without written commitments from their US counterpart. The US company must agree in writing to protect the privacy, confidentiality, and security of the personal information it receives. In addition, it must agree to offer the data subjects the same rights of access, amendment, and accounting that they have under their local laws. Another incentive for developing a well-thought-through Enterprise Privacy Program might be to avoid prosecution by the Federal Trade Commission and State Attorneys General. In the past few years, several companies were prosecuted for failing to comply with their published privacy policy. Most consent orders issued as a result of these investigations placed stringent requirements on the companies at fault. They frequently require the company to submit to periodic audits and reporting to the federal or state agency on its privacy and security compliance for 20 years. As a result, companies have come to realize that they must ensure that the representations made in a published privacy policy are truthful and accurate, and are followed internally by the appropriate procedures.
This can only be accomplished through the development and implementation of an appropriate Enterprise Privacy Program.

WHAT KIND OF PRIVACY PROGRAM?

An Enterprise Privacy Program would need to address the many different aspects of a company’s activities. For example, while website privacy policies are very popular, other policies are just as important. Companies collect and process personal information of their personnel as part of their Human Resources functions. This may include salary, promotion, or healthcare data of each individual employee, and frequently similar information about the employee’s spouse and children. The company’s marketing, sales, and accounting departments collect personal information about clients, prospects, and subcontractors. For example, in addition to the name and professional address of a client, the marketing and sales group may also have collected the names of the client’s children and spouse invited to a company function, or the personal tastes (e.g. theater v. golf v. sailing) of clients for entertainment purposes. For companies operating in certain markets, the Privacy Program must address the specific requirements of the laws governing that market. For example, financial institutions must develop Privacy Programs that comply with the Gramm Leach Bliley Act and related financial privacy laws. Companies with global operations would have to incorporate the requirements of the local foreign laws where their clients or employees operate, because these individuals are likely to be protected under those foreign laws. In addition, most states have enacted numerous privacy laws that directly affect the content of privacy policies and privacy compliance programs. A company doing business in a specific state would have to develop a program that takes these recent laws into account.

DEFINING AN ENTERPRISE PRIVACY PROGRAM

An Enterprise Privacy Program should be based on the actual operations of the company.
It first requires an assessment of the company’s practices to ensure that the representations that will be made in the published policy adequately reflect how the company handles the personally identifiable information it collects, and the rights it provides to the data subjects. To limit the risk of exposure to legal action or litigation, the Enterprise Privacy Program should take into account the numerous legal requirements to which the company is subject. It should also incorporate the standards and best practices that are in effect in comparable institutions. Further, the Enterprise Privacy Program should include technology considerations, so that the information systems are programmed to respond to the privacy promises. The development plan for an Enterprise Privacy Program should also allocate time for relations with data subjects and the personnel, to explain the program and communicate it to the personnel. It should also anticipate the need for communications with all data subjects, i.e. those individuals whose data are collected or stored by the company. As a result, the development of an Enterprise Privacy Program involves a multi-disciplinary approach and top-to-bottom participation, as all divisions and departments of a company are concerned. In addition, subcontractors, outsourcers, and other third parties that may have access to the personal data collected by the company should also be consulted and participate in the program.

PLAN, POLICIES AND PROCEDURES

The program must be comprised of a plan that defines the activities required. It is an overall strategic document that serves as the company’s business plan for protecting personally identifiable information of customers, employees, and other individuals. The privacy policy is a high-level statement of the company’s commitment to privacy. It provides a framework of expected activities, and defines what information the company will collect and how it will use it, update it, destroy it, and protect it.
Privacy procedures are a detailed statement of how the policy will be implemented: what is collected and how, access rights, uses, and the security measures used to protect the confidential data.

DEVELOPING A PLAN OF ACTION

The first step in the development of an Enterprise Privacy Program is to create a plan of action. The process will require the involvement of several layers of management. It is essential that the decision makers, the president and chief executive officers, participate. They will set the tone and establish the general direction to be taken. They will also approve the plan. Providing funding for the different activities will be crucial. Since the development of an Enterprise Privacy Program requires numerous activities and players, it will inevitably cost time and money. Before initiating the activities required for the establishment of an Enterprise Privacy Program, the company must ensure that sufficient funds are allocated to compensate for the time invested internally by company personnel, as well as to pay the fees of the consultants and legal counsel involved and, eventually, the cost of additional software licenses or equipment needed to implement the policies and procedures. Once the general direction has been defined and appropriate funds allocated, the definition of an Enterprise Privacy Program should start with the identification of the types of data that are collected, used, and needed. This would involve the participation of all major departments and divisions of the company, such as Human Resources, Sales, and even the Research and Development group, which may have a stake in the data collection and processing. They may need the information, for example, to develop new products and offerings for the company that would require a knowledge of the needs or profile of the potential customers. Legal considerations also need to be taken into account.
The company may be subject to specific laws, such as the Gramm Leach Bliley Act, HIPAA, COPPA, or CAN SPAM. There may be additional restrictions in contracts, such as Confidentiality Agreements or Business Associate agreements, which may dictate how certain information is handled. The company’s document retention program may also need to be revised to be consistent with the information privacy and security program. Finally, technical considerations are also very important: what kind of technology the company uses, and what programs are available to filter data or to implement opt-in or opt-out decisions by the data subjects. The company needs to have a clear understanding of its technical capabilities before it can attempt to make decisions on the way personally identifiable information will be handled, collected, or processed.

ASSESSMENT AND ANALYSIS

To be able to evaluate the current practices of the company, there should first be a thorough, honest assessment of the company’s current practices, and possibly also those of its affiliates, subcontractors, or outsourcers. The investigation should determine what personally identifiable information is needed, by whom, and for what purposes. There may be different types of information needed for different uses. For example, the Human Resources department may need detailed personal information about the personnel to be able to provide healthcare insurance. However, the details should remain confidential to the Human Resources department, or rather to specific individuals in the HR department. On the other hand, some of the information collected by the Human Resources department would also be necessary to the accounting department, which will issue pay checks. The operations group, as well, may need contact information to establish a directory of personnel, so that employees may be contacted outside of business hours in case of an emergency.
Access would have to be limited to specific personal contact information, rather than to other personal information, such as the name of a spouse or domestic partner. The assessment of the company’s operations should also include a determination of how the information is obtained or collected. For example, there may be information collected on a website, or information collected by the accounting department to process invoices. Certain information may be obtained after a patient consultation has been completed, and the physician’s notes are collected and input in the hospital’s medical files. Does the company need all the information that it collects, or are there questions that are not relevant to the primary purpose of the inquiry? For example, is a social security number needed when all the customer wants is to purchase equipment? Of importance as well would be how the data is stored. On the company computer systems? On laptops? On Blackberries and other portable PDAs? Is there a daily backup of all devices? Are some devices never backed up? Knowledge and understanding of the company’s document management, retention and destruction practices are important to avoid discrepancies with legal requirements. For example, the HIPAA rules require companies to keep certain records for 6 years. There are other requirements in litigation for the use of documents as electronic evidence. The use of the email systems and other company practices for marketing, email marketing, or telemarketing would also have to be examined. Compliance with the CAN SPAM Act and other commercial marketing laws has become an essential component of an Enterprise Privacy Program. Most companies outsource certain operations to affiliates or third party subcontractors. These outsourcers may be located within the company’s premises, or elsewhere, even in other countries. The company should understand who among its affiliates or third parties might have access to personally identifiable information.
On websites, there might be framing, which may allow a third party to collect data unbeknownst to the users. Alternatively, there may be a link to a third party website, to which users are transferred. That other site may have different practices, of which the users should be made aware. The assessment of the company’s practices should also provide a clear picture of the different uses of the information. Who has access to what? Who needs access to what? For which purposes is the information used? Are users requested to provide more data than actually needed for a specific activity, because the data collector hopes to be able to use it for other purposes? Is the information transferred to third parties, affiliates, or outsiders?

LEGAL CONSIDERATIONS

There is an increasing number of privacy and security laws in the United States. Some are federal laws, such as the Gramm Leach Bliley Act, the CAN SPAM Act, or the Children’s Online Privacy Protection Act. Others have been adopted by states to complement the federal laws. These laws regulate companies’ activities in certain markets. For example, the HIPAA Privacy and Security Rules limit how the covered entities can share personal health information with third parties. COPPA defines how companies may collect information from children under 13. Each of these laws also requires the implementation of security measures to protect the confidential data collected. Most important, each of these laws also affects the myriad of companies that do business with these regulated entities. For example, HIPAA requires each covered entity to enter into specific contracts with each of its business associates. The Privacy Rule defines specific commitments required from the business associates. Each business associate must commit to protect the privacy of the protected health information to which it may have access.
It must also agree to respect the privacy rights of each individual patient, such as by responding to, or assisting the covered entity in responding to, patients’ requests for an accounting of data disclosures or for amendment of erroneous data. Any company that is a “business associate” or a subcontractor of a regulated entity, and that has executed a contract that includes information privacy or security promises, would have, in turn, to implement an adequate Privacy Program. The Privacy Program would allow the company to put in place the necessary measures to ensure that the promises made in these contracts are fulfilled. At the state level, numerous laws supplement the existing federal laws. For example, in California, state laws place on pharmaceutical companies requirements similar to those placed on health plans and healthcare providers with respect to the handling of patients’ personal information. Other laws extend the restrictions on the use of patient information for marketing. In addition, many states have recently introduced bills that would restrict companies’ ability to use outsourcing services located offshore, in an attempt to ensure the protection of the privacy and security of critical information. An Enterprise Privacy Program would have to take these bills into account if they become law, to ensure that no restricted data is provided to third parties in violation of the law. In addition to laws, the company should also assess and understand the obligations that may stem from recent jurisprudence resulting from class actions or government agency actions. For example, recent FTC or State Attorney General actions have focused on ensuring that companies have in place adequate security procedures that are consistent with the promises made in their website privacy policies. Other legal actions have addressed companies’ ability to transfer databases to third parties as part of bankruptcy proceedings.
Beyond the legal requirements imposed by the legislature and the judiciary, the company should also understand the promises and commitments made in its contracts, such as non-disclosure agreements, confidentiality agreements or services agreements. There may be other restrictions established through the company’s employee manuals or other pre-existing company policies.

TECHNICAL CONSIDERATIONS

The third prong of the assessment of the company’s practices should include an evaluation of the networks, software, and equipment used by the company. These are the crucial components of the collection, processing and handling of the protected data. Some applications may not be totally integrated with the remainder of the operations. This may be a blessing, as it may prevent sharing information outside a particular division. On the other hand, it may be a curse, because all requirements and constraints, such as implementing opt-in or opt-out decisions, might have to be duplicated so that they operate on the non-integrated systems as well. The company should also understand its use of third party subcontractors in connection with the entry and processing of data. Who else, outside of the company, may have access to the protected data? Data entry personnel located in India? Data processing services obtained through a service provider in another state? Data received from an affiliate located in the European Union? Hosting or communications services?

ELEMENTS OF A PRIVACY PROGRAM

With all this information in hand, the company should have adequate knowledge of its operations to begin defining its Privacy Policy. The remainder of the program would then include completing an acceptable, compliant privacy policy, and incorporating these concepts in the creation or updating of the company’s procedures. Once these two documents are completed and approved, at the company level or division level, it will be necessary to ensure their implementation.
This would include the creation of collateral materials, training, and rollout of communications with third parties, subcontractors, and clients. Once the program is in place, there should be additional training, enforcement, and audits of the practices. In addition, there should be a periodic evaluation of the company’s evolving needs, as well as of the additional restrictions created by new laws or contracts.

MAIN COMPONENTS OF A PRIVACY POLICY

Privacy policies generally address the same types of concepts. Numerous organizations have published sample privacy policies. However, this is not an excuse for plagiarizing another company’s privacy statement. Not only is this a copyright violation, but it is also foolish, because it assumes that both companies operate in the same market, with the same clients, are subject to the same laws, and have the same internal procedures. Of course, this seldom happens. There is no “one size fits all” model. The company should define and draft its own policy. The policy should contain at least the following information:

• What is collected by the company, and by third parties
• How the information is used
• With whom the information is shared
• What choices data subjects have about limiting the collection, use, and distribution of information (opt-in, opt-out, etc.)
• Whether data subjects may have access to the information collected about them
• How data subjects may correct any inaccuracy in the information
• What measures the company takes to protect the information under its control
• How the company will ensure compliance with the policy
• How data subjects can contact the company for complaints, questions, and enforcement of the policy
• How changes to the policy will be announced and implemented

ADDITIONAL PRECAUTIONS

In addition, depending on specific situations, additional disclosure may be necessary, for example when data subjects may be outside the company’s jurisdiction, or when information may be shared with third parties with different privacy policies. Different procedures and policies may be needed for different uses or different parts of the company or the website. Specific disclosure may be required in website privacy policies if cookies are linked to a name or other specific identifier. Consider also addressing the marketing functions of the company, such as defining rules and procedures for email marketing or telemarketing, to provide directions on the implementation of the CAN SPAM Act, Do Not Call lists, and other recent legal requirements. There may also be aspects of the company’s document management and document retention program that would need to be clarified to address new legal requirements.

SECURITY

There is no privacy without adequate security measures. The company should take the necessary precautions to protect all personal information it collects, using industry standard security protocols to secure sensitive data during transmission and while stored. In addition, a number of security laws or regulations have recently been enacted (e.g. under the Gramm Leach Bliley Act) or will shortly become effective (e.g. under HIPAA). These laws and regulations contain specific requirements for the security of personally identifiable information.
The company should use appropriate security procedures to avoid misuse of information, including, for example, authentication protocols for user identification, passwords, and methods to challenge customers when passwords are forgotten. In addition, a thorough Privacy Program should include appropriate measures to respond to a breach of security, to comply with California’s SB 1386 when personal data pertaining to California residents might be lost through a breach of security. While most website privacy policies include representations about the security measures taken to protect the personal information collected, companies frequently do not have adequate security measures that are consistent with the representations made. Companies have been prosecuted when their security measures were ineffective or contrary to the representations made. For example, the Federal Trade Commission has completed actions against Guess, Microsoft and Eli Lilly related to defects in these companies’ security measures. Similarly, State Attorneys General have prosecuted companies, such as Ziff Davis or the ACLU, when holes in security measures were uncovered. In each case, the government determined that the company’s security measures were not consistent with the representations made in the website privacy policy.

DISPUTES AND PROBLEMS

A complete privacy protection program should also include procedures and recourse when problems arise. Several laws already require that the company identify in its privacy policy a contact for customer or employee complaints and requests. When such situations arise, the company should take immediate action. The privacy policy and procedures should anticipate these events, and define as necessary the nature of the response to a breach of security and loss of data. Further, companies doing business with California residents should incorporate in their procedures the methods and actions necessary to ensure compliance with California’s SB 1386.
WEBSITE ISSUES

Since most companies have a web presence, their privacy policies and procedures should also take into account problems and issues specific to Internet business, such as the data collected and processed through shopping carts and payment systems. The policies should also clearly disclose the uses of “snooping” technologies, such as cookies, web bugs, and web beacons, or software feedback loops, which may result in the collection of information about users. Websites present additional privacy issues when they include links to other sites, such as in co-branded sites or when framing is used. Further, special precautions and attention will be needed when chat rooms or list servs are used.

PROCEDURES

Once the privacy policy has been approved by the company’s management, it is necessary to establish the detailed procedures that will be used to implement the policy. There should be detailed day-to-day operational procedures, specifying each stage of the data collection, use, transfer, storage, and security. What data can be collected? By HR? By Accounting? By R&D? By the division that is located in Oklahoma? Who has access to what? What can be disclosed, and to whom? What may be transferred outside the company? What precautions are needed before transferring data to third parties? How to respond to a request or a complaint from a data subject? What security measures will be taken? How to handle a breach of security? What contract, release, non-disclosure agreement, or other agreement should be used with different types of subcontractors? What language should be used when sending emails that may be restricted under the CAN SPAM Act? And so on. The procedures must be sufficiently detailed to address the multiple facets of the company’s business. They must answer most questions that the staff may have, on a daily basis or occasionally, on what to do with specific data under specific circumstances.
The company privacy policy cannot become effective and cannot be published before adequate procedures are in place to support the representations made in the policy.

IMPLEMENTATION & MAINTENANCE

Once the policies and procedures are completed, the company must then implement these procedures so that the policy can be published and launched. This will require that the privacy practices, policy and procedures be communicated to the entire company. Crucial to the process will be the training of the personnel, both before rollout and again, later, periodically. For clients and users outside the company, notices and other communications should be distributed to the individuals to inform them of the new policy. In addition, as may be required by law, there should be a system in place to ensure that updates and annual reminder notices are distributed. A crucial component of the policy is its enforcement. The enterprise needs to have in place the necessary mechanisms and checks to monitor compliance by the personnel. In addition, periodic audits and reviews at the global level should be made to ensure that every piece of the puzzle is operating as expected. Of course, do not forget the policy on a shelf. It is a living document that needs to be updated. Only twenty percent of the job is done after the initial policy and procedures are drafted. The day-to-day application and the continued relevancy of the Privacy Program are essential to its success. Further, practices change, laws change. The documents and related procedures must be modified frequently to adapt to changes.

BEYOND CURRENT PRACTICES

If the company determines that its current practices need improvement, it should be careful not to “put the cart before the horse.” Beware of wishful thinking. Do not write in the policy activities or promises that are beyond the company’s current practices and capabilities.
To improve on current practices, make sure first that this is feasible, and that all relevant divisions of the company agree to the change, such as the human resources and marketing/sales departments. In addition, as for the initial steps, there should be adequate financial resources and funding for the new project, assurance that the company has the adequate technical capabilities to implement the “better” policy, and that these additional features and commitments are in compliance with laws and contracts. Additional training before rollout would, of course, also be required.

GOLDEN RULES

The development of an Enterprise Privacy Program is a complex endeavor that requires time, money, resources, and attention. At the conclusion of the effort, one or several policies will be published that represent the company’s commitment to privacy protection. This is a flagship project. It engages the reputation of the entire company. Therefore, it should be handled carefully. There are a few Golden Rules:

• Say what you do. Be honest and accurate
• Say it clearly
• Make it easy to find
• Do what you say. Practice what you represent in the policy
• Ensure consistency among company policies
• Think globally
• Revise your policy and procedures periodically
• Train, train, train
• Audit your personnel’s compliance

Failure to observe these rules could cause great harm to the company. While a company’s products or services may be the most inventive, creative, or useful, a “little glitch” could cause a public relations disaster. If there is a privacy or security breach and personal data is disclosed or lost, or if the company is accused by a disgruntled employee of having violated privacy laws, the information will make the first page of the local newspaper, and from there the news will spread, causing great harm to the company’s reputation, and possibly class action suits or government agency investigations.
CONCLUSION

The creation and development of a company-wide Privacy Program is a complex endeavor that requires a great investment of money and time. The collaboration of the entire enterprise is necessary to achieve the development of a privacy policy that makes sense and is consistent with the company’s practices, expectations, and goals. To achieve such a complex goal, patience and honesty are required. There must be a complete and thorough investigation of the company’s practices and actual needs. Complex legal issues are involved. They cannot be resolved by the mere use of a form. Each company has its own culture and needs. A company’s most important assets are its personnel and its customers. To survive and be competitive, an enterprise needs to invest the resources necessary to indicate its respect for the privacy of personal information pertaining to them. This can only be achieved through a well thought out, comprehensive Enterprise Privacy Program.
Drafting and Maintaining an Enterprise Privacy Program
Francoise Gilbert
© 2004 IT Law Group – All Rights Reserved