Early last month, the employees of Pfizer Inc. received a letter from Lisa Goldman within Pfizer's privacy office stating that due to a security breach approximately 17,000 current and former employees had had their names, Social Security numbers, and, in some instances, their bonus information posted on the Web.
Goldman's letter was among the initial steps of a multipart effort to communicate and address the breach. For its part, Goldman's printed missive immediately helped quell some concerns by offering affected employees a $25,000 insurance policy to cover any costs resulting from the incident. Within the next few days, an initial investigation concluded that about 15,700 people had had their data accessed and copied and about 1,250 may have had their data compromised. Despite what appeared to be a quick response, Pfizer was unable to escape greater scrutiny as word of the breach spread.
"I am asking Pfizer … when the breach occurred, exactly what information was compromised, what steps it took after learning of the breach, and its policies for handling personal information and security compromises," explained Richard Blumenthal, attorney general for the State of Connecticut, who made known his concerns to Pfizer in a letter dated June 6.
The importance of protecting customer and employee information has escalated to mission-critical status for organizations in both the public and private sectors as data theft and fraud proliferate around the globe. No longer the domain of the IT function, privacy protection is now addressed holistically at companies aspiring to best practices in this critical area. The titles Chief Security Officer and Chief Privacy Officer have proliferated -- and finance executives are becoming increasingly invested in ensuring that their company excels in privacy program management.
The threat of data security breaches looms larger for companies in certain industries. Large financial services companies that keep extensive customer personal financial information and big retailers, for example, are potentially more lucrative targets for criminals than, say, a professional services firm that doesn't store substantial amounts of customer and employee information or transact much business online. But no organization can be totally invulnerable to problems arising from the loss or theft of personal information.
"Most businesses think about hacker risks, and these aren't really the biggest risks in terms of privacy issues," says David Paige, chief operating officer of DeWitt Stern Group, a niche risk advisory firm. Paige, a former attorney, has oversight of the firm's information security. "The biggest risk is simple negligence in many cases. Let's say that you're a trusted advisor, an attorney or accountant, who has confidential information in your server, say a series of emails that go back and forth with clients about upcoming transactions. You're at an airport and you turn around and your BlackBerry is gone. A thief can go into the server and see private information. From a legal point of view, the information is not legally confidential anymore. Technically, it's been shared, and this can be used against you in a court case."
For its part, the Pfizer data breach also appears to have had little to do with hackers. Apparently, a female Pfizer employee using a laptop computer in her home triggered the breach by installing file-sharing software that permitted the employee data to be exposed to one or more third parties. "Our investigation is ongoing, and we are taking steps to prevent any further dissemination of these files and to determine the identity and location of any person(s) who may be reposting them," reads the Goldman letter (see details of Pfizer's response in the box below).
Meanwhile, consumers want to know that the companies they do business with have adopted practices to ensure reasonable protection and controls over their personal information against possible identity theft and other criminal activities. Employees are equally concerned about protecting their personal information, including the safeguarding of medical records. In response to those concerns, the U.S. government and some state governments are heightening efforts to develop stricter laws for privacy protection.
Leading companies are responding to existing and emerging privacy legislation and the demands of consumers and employees by creating comprehensive privacy management programs; they do so not just for fear of financial loss, but also because they value good privacy practices as a business differentiator and a competitive advantage. Many large companies have named an executive-level security leader and have included risk management, audit, and other non-IT elements in their security governance. In fact, some businesses are moving information security out of the IT department in the belief that IS should be a check on IT. However, many businesses continue to lag behind. According to Chief Security Officer (CSO) Magazine's 2006 Global Information Security Survey, co-sponsored by PwC, 64 percent of respondents have not created C-level security positions.
How Pfizer Responded to Privacy Breach
Contracted with Consumerinfo.com, an Experian company, to provide Pfizer employees with free credit monitoring.
Supplied each employee a $25,000 insurance policy to cover any costs resulting from possible identity theft.
Notified the office of the Attorney General within the states of residence of Pfizer employees.
Telecommunications giant AT&T's information privacy function is multilayered. Ed Amoroso, chief security officer, runs a team that oversees the real-time protection of the company's vast network and computing infrastructure. "In addition, there exists a product management team that focuses on managed security products and services designed to assess and help customers protect their vital network infrastructure," says Amoroso. "We also have a chief privacy officer who is responsible for protecting our customers and employees."
AT&T is a member of a coalition to create a single resource of standards and guidelines that businesses and other organizations can use to prevent and respond to identity theft and fraud. Other members of the group, which was created last September, include ChoicePoint, Citi, Dell, Intersections, Microsoft, Staples, TransUnion, and Visa USA.
While corporate policies surrounding information privacy (which pertains to the intentional misuse of personal information) and data security (which concerns the ability to account for and protect information) are relatively new, best practices are slowly emerging. But best practices are perhaps more of a moving target here than in any other area of business; companies are continually applying new safeguards to stay a step ahead of criminals. Information on specific company actions is scant because organizations don't want to divulge their tools and practices, fearing that making such information available to hackers and thieves would create problems and make attacks even harder to identify. Nearly one-third of the respondents in the CSO Magazine survey said that they don't know how many breaches or unauthorized access events occurred during the past year.
In a 2005 benchmark study sponsored by Vontu that covers the entire spectrum of privacy program management, the Michigan-based Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices, opens a window on the processes that leading companies are carrying out to protect information. Its founder and chairman, Dr. Larry Ponemon, who also chairs the Government Policy Advisory Committee and co-chairs the Internet Task Force of the Council of American Survey and Research Organizations, defines eight activities in privacy programs:
privacy policy (which states how a company collects, uses, shares, and protects personal information about customers, consumers, and employees);
privacy management (the structure of the organization surrounding the function and its leadership);
data security (protecting information wherever it may reside within the enterprise);
communications and training (ensuring that employees at all levels properly implement the privacy program);
privacy compliance (methods for meeting privacy regulations);
choice and consent (permissions for use of consumer information);
global standards (meeting the requirements of jurisdictions beyond the U.S.); and
redress and enforcement (correcting violations).
Information privacy experts warn that businesses must define and implement a privacy policy (or policies) that align with their business practices. Rushing to define privacy and data protection policy before acquiring an understanding of regulatory requirements, how a business operates as it relates to personal data, and how personal data flows through the organization can create serious problems.
According to Ponemon's benchmark study, 94 percent of respondents have formal controls over publishing revisions to their privacy policy, and over 93 percent say that their organizations attempt to align their policy with ethics or business conduct policies. But only a little more than half of responding companies try to align policy with the expectations of key stakeholders.
Many companies have multiple privacy policies for different business segments, divisions, units, or functions. Differences identified in data types and attributes, the flow of data, and associated requirements may trigger the need for multiple privacy and data protection policies. From a regulatory and legal requirements standpoint, in many situations it makes sense to have a separate employee privacy and data protection policy; oftentimes, the data collected and used for employee and human resources management is beyond the scope of customer data.
It's uncertain whether customers have a reasonable understanding of a company's privacy policy. While 85 percent of the respondents to Ponemon's study report that they have a process in place to disseminate privacy policy information to consumers and their customers, only 46 percent have a formal program to create awareness or educate new customers about their privacy policy.
The most typical approach to communicating privacy information to customers is simply to post the policy on the company's Web site, leaving it up to those who use the site to decide whether it's worth their time to read it. Consultants generally agree that if a company's strategy is merely to comply with their governing regulations, laws, and policies, and these do not require any additional communication, then simply posting a privacy notice may be sufficient to meet those requirements. But more communication is likely needed if their governance and regulatory environments require more and/or their customer, business partner, and HR strategies are focused on creating trusted relationships, transparency, and brand enhancement.
Federal Trade Commission (FTC) consent agreements and other regulatory requirements add a further consideration: they often call for programs, training, risk assessments, and communications of various types, which in turn indicate the need for broader communication through multiple methods. Communicating clearly and through multiple channels increases adoption of privacy values and facilitates compliance within an organization.
Ponemon's research indicates that companies are doing a reasonable job in communicating privacy procedures to employees, but it's unclear whether employees are given the appropriate training and support in order to apply privacy procedures to their job function.
"Employees operate much more effectively and take greater care with customer information when they know and understand the rules," says Kirk Herath, associate general counsel, chief privacy officer, Nationwide Insurance Companies. "Employee education and training initiatives are one of the most important functions for any privacy or information security department. At Nationwide, we have well-defined educational programs for both privacy and information security. We've developed general online privacy training, as well as separate online training for the Health Insurance Portability and Accountability Act, HIPAA. There are at least five separate online information security modules -- from the most general that everyone takes to more specialized training targeted at technical IT specialists, like systems architects. We also hold 'IT security day' brown bag lunches."
According to the survey report, a large proportion of security executives admitted that they're not in compliance with regulations that specifically dictate security measures their organization must undertake or risk stiff sanctions -- even though some of those regulations, such as HIPAA, California's security breach law, and the EU's Data Protection Directive, are nothing new.
According to the survey report, less than half of respondents use intrusion detection software or monitor log files (the two best methods that companies can employ to learn of negative security events), and even fewer use intrusion prevention tools. More than 20 percent don't even have the most basic security in place -- a network firewall.
Perhaps the most disturbing finding of the CSO Magazine study reveals a serious gap in security strategy: CSOs are emphasizing technology fixes at the expense of a strategic plan. Only 37 percent of respondents have an overall strategic plan in place, and their "to do" list for improving security is largely tactical, focusing on technology fixes. Among the top five items on the list are some of the more routine and basic security measures, including data backup, network firewalls, application firewalls, and instituting user passwords.
Too many bells and whistles in technology can cause problems in and of themselves. AT&T's Amoroso warns that system complexity is the biggest threat to information security. "It's important to recognize that the more complex a system is, the more vulnerable it is. The main way to solve this problem is to create software with fewer features. This will reduce the need for constant software patching. Most network administrators spend the bulk of their time patching operating systems," he says.
Why is strategic planning for security an afterthought? The CSO Magazine report points toward several reasons: IS executives report that they're unsure of budgets, where attacks have come from, and where they will find people with the skills they need to address security on a strategic basis.
Even though most companies are still facing steep challenges in understanding and addressing a myriad of security risks and potential fixes, best practices are becoming more clearly defined. This May, Aberdeen published "Thwarting Data Loss: Best-in-Class Strategies for Protecting Sensitive Data." The survey, which canvassed more than 150 organizations, shows that best-in-class companies are four times more likely to use real-time notification of inappropriate data use than industry laggards; they train employees in appropriate data use and monitor and audit data use.
Automated discovery capability is one significant component of data loss prevention solutions, and its use is a key differentiator of best-in-class companies. Without automated discovery, the Aberdeen report states, organizations may never find where all their sensitive data resides.
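To make the "automated discovery" idea concrete, here is an added example (not code from the article, from Aberdeen, or from any DLP product) of the smallest useful form of it: a scanner that walks a directory tree and flags files containing U.S. Social Security numbers, the data type exposed in the Pfizer incident. The sample files it scans are constructed in a temporary directory; the `SSN_RE` pattern, the `is_plausible_ssn` rules and all function names are assumptions of this example. Real DLP tools add many more classifiers (card numbers, health records, document fingerprints) and scan shares, mailboxes and endpoints, but the discovery loop is the same.

```python
"""Added example of sensitive-data discovery: find files that contain
plausible U.S. Social Security numbers. Not from the article or any vendor.
Sample data below is constructed for the demo."""
import os
import re
import tempfile
from dataclasses import dataclass

# Three digits, two, four, optionally separated by '-' or ' ', and not
# embedded in a longer digit run (so order numbers and timestamps don't hit).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject patterns the Social Security Administration never issues:
    area 000, 666 or 900-999; group 00; serial 0000 (assumed rule set)."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


@dataclass
class Finding:
    path: str
    line_no: int
    masked: str  # the report must not itself become a copy of the data


def mask(area: str, group: str, serial: str) -> str:
    return f"***-**-{serial}"


def scan_text(path: str, text: str) -> list:
    """Return one Finding per plausible SSN in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(path, line_no, mask(*m.groups())))
    return findings


def scan_tree(root: str, max_bytes: int = 5_000_000) -> list:
    """Walk `root` and scan every readable file up to `max_bytes`."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except OSError:
                continue  # unreadable file: skip, a real tool would log it
    return findings


def build_sample_tree() -> str:
    """Constructed sample data: one HR export with real-looking SSNs and one
    text file with look-alike numbers that the validator should reject."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "hr"))
    with open(os.path.join(root, "hr", "bonus.csv"), "w") as fh:
        fh.write("name,ssn,bonus\n"
                 "A. Smith,123-45-6789,12000\n"
                 "B. Jones,487 65 4321,9500\n")
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("Part 000-12-3456 is not an SSN; 666-01-0001 either.\n"
                 "Order 1234567890 ticket.\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.path}:{f.line_no}: {f.masked}")
```

The findings carry a masked value rather than the number itself, so the discovery report can be circulated to the privacy council without becoming another copy of the sensitive data it was meant to locate.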
Best-in-class companies surveyed view regulatory compliance as a top driver of data security efforts, which works to their benefit. According to the report, although compliance regulations are put in place to hold businesses accountable for protecting sensitive information, the organizations themselves benefit directly by suffering fewer breaches and less financial loss.
Some of the reasons why individuals trust certain companies more than others to protect their personal information are fuzzy and subjective. After all, the processes and tools that companies use to protect customer and employee information can be invisible except in the event of data breach notification.
What can companies do to increase trust among stakeholders? Ponemon identifies five best practices in privacy trust:
Notice: Companies should clearly communicate their privacy policies and data practices to customers. These policies must be updated to reflect any changes in practices and policy.
Choice or consent: Companies should respect customers' personal data and not share nonpublic personal data, except as permitted or required by law.
Access and redress: Customers and employees should have reasonable access to their personal information as required by law and have the ability to correct any inaccuracies or misinformation held about them.
Prudent security: Companies need to take reasonable measures to protect data and limit access by unauthorized parties.
Data minimization and accuracy: Businesses should avoid collecting information they never will need or plan to use. While the cost of storage is nominal, the excess information creates data integrity, quality, and accuracy problems.
The most important best practice of all, however, may be putting in place a response plan to use in the event of a major data security breach that leads to massive theft of personal information and identity theft -- a blueprint for action and a crisis team to carry out the response plan. Then put it on a shelf, perhaps as Pfizer had done, and hope that it gathers dust.
The 90-Day Privacy Improvement Plan
Companies can step up their progress in protecting customer and employee information in the short term by taking the following five steps:
1. Identify an internal privacy council composed of key stakeholders from across the organization, as privacy and data protection requirements and issues span the entire enterprise. The privacy council will help define the objectives and scope of the privacy program and make key decisions on privacy and data protection strategic direction, requirements, and implementation.
2. Perform a privacy and data protection risk assessment to identify and prioritize business processes that collect and use personal information. Mapping and performing a detailed analysis of the flow of data across each business process is an overwhelming task. Performing a risk assessment helps in identifying a core sample of business processes for data mapping and analysis and allows you to focus resources on the areas of business that pose the greatest risk.
3. Understand the privacy and data protection requirements for your organization and determine how these requirements will be organized and rationalized. Consider regulatory requirements, industry standards and guidelines, internal policies, and third-party contractual obligations, and identify a framework to consistently review each requirement and determine the common elements and key exceptions.
4. Identify, assess, and coordinate current privacy initiatives. They may exist in pockets across the organization. Identifying the different initiatives and bringing them together will go a long way toward implementing a sustainable program.
5. Be proactive about privacy incident response. Determine whether your organization has a formalized process for addressing breaches of personal information. Privacy incidents carry a high level of public visibility, and dealing with them can be complex. Appropriate resolution often requires a cross-functional team that includes legal, compliance, IT, security, public and investor relations, and senior executive leadership.