Protecting Consumer Information Is Good Business

By Stuart Ingis

Privacy and security of personal information are an important part of doing business, as well as of establishing and maintaining customer trust in the Internet and information age. Developments in the law and policy of data privacy in the past two years have been driven by--and focus on--so-called data security "breaches."

In dozens of incidents over the past two years, companies have suffered negative public and customer attention resulting from such breaches. In most cases, the breaches are a result of bad actors who exploit a company's data security vulnerabilities. Unfortunately, companies that have not fully and regularly assessed their data security and privacy practices are prime targets for these bad actors. Even the most reputable companies with the best of practices still can be vulnerable and have been victims of breaches.

Thirty-four states have passed laws requiring notification to individuals when certain information--usually social security numbers, driver's license numbers or financial account information--is breached. As these laws have been enacted and companies have suffered breaches, there are frequent questions as to whether data has been "accessed" or "acquired" such that individual notification is required. Much of this debate occurs because most of the data breaches resulted in little or no identity theft. Recent studies have shown very limited correlation between data breaches and identity theft. Notification in these instances may, therefore, be over-reacting, and could result in negative public relations and consumer mistrust of the company.

In order to avoid such negative public and customer relations, there are a number of steps that companies can take now, learning from the experiences of businesses that have had publicly disclosed breaches.

Evaluate data security for sensitive personally identifiable information. Retailers should regularly analyze the types of sensitive personal information that they possess and how such information is handled. Retailers should consider encryption or similar technologies that make information unreadable and, therefore, unusable by perpetrators of identity theft. Increasingly, businesses are deploying such technologies across their information systems. The use of technologies such as these also has the benefit of affording companies an exemption from the consumer notification requirements in the event of a breach under the state laws that have been enacted in this area.

Develop an incident response plan. No company is immune to the sorts of data breaches that have occurred in recent years. Computer hackers and wrongdoers are in technological "wargames" with legitimate companies that provide goods and services that consumers desire. Companies that are best prepared to respond to data breaches are those that have developed comprehensive plans to deal with such incidents. The creation and implementation of response plans should span companies' divisions, and should include representatives of the business' management, information security, legal, PR, HR and other teams, depending on the nature of the business.

Companies have found that strong security and privacy practices are critical to successful consumer offerings.

Stuart Ingis is a partner at Venable LLP. He can be reached at (202) 344-4613, or via e-mail at singis@venable.com.

 

Copyright © 2008 Electronic Retailer. All rights reserved.