 

 

Law & Technology


Privacy Policies and Fair Information Practices

By Deborah Pierce

Jan 03, 2002 --

How well do companies protect the personal information they collect from you?



Fourth in a series

How careful is a web site--or any other data collector--with regard to the information that has been collected about you? Do they use adequate security in protecting the information they have stored in their databases? Do they use encryption? Have they undergone any internal audits to review their data practices?

This article will discuss the "Security" provision of Fair Information Practices. The sidebar has links to web sites with more information including (for those who missed previous issues) the core elements of Fair Information Practices (Notice, Choice, Access, Security, and Enforcement).

Security

Most companies realize the importance of safeguarding the personal information that they've collected about their customers and potential customers and have procedures in place to attempt to protect that information. However, security people often say that a company never achieves complete data security; instead, security is a continuous and complex process.

Accidental data spills due to security failures are an all too common result. Here is a recent sampling of accidental data spills--all pulled from published news stories:

  • On December 8, the Boston Globe reported a security flaw in the credit card Web site of FleetBoston Financial. The flaw could be exploited to obtain personal information about thousands of users. In this case, the information included social security numbers, annual income, and places of employment.

  • On November 20, CNET News reported that Playboy.com had alerted customers that someone hacked its site and compromised customer information, including credit card numbers. The hacker sent email messages to customers informing them that their information had been compromised and that they should cancel their credit card numbers--numbers the hacker included in the email messages.

  • On November 8, NewsFactor Network reported that the University of Montana accidentally put psychological and other personal information of some 60 children and teenagers on their Web site. The information included the "names and diagnoses of children and teenagers being treated for such conditions as schizophrenia, retardation and depression."

  • On November 5, the Associated Press reported that Microsoft was making repairs to the e-wallet feature of its Passport technology. A serious design flaw in the system might have allowed hackers to get credit card numbers and other stored personal information of the 200 million people who have signed up for Passport accounts.


To help ensure that the company is doing what it can to protect privacy and security, some of the larger companies have hired Chief Privacy Officers (CPOs). The CPO will review and set data practices, conduct privacy audits, and report to other executive staff. This certainly helps keep privacy and security in the forefront of the company's operations; but as the examples above show, it's not a complete solution.

The ramifications to you vary from the merely inconvenient to the serious. Canceling your credit card may be inconvenient, but if a hacker gets a few key pieces of personal information--social security number, birth date, mother's maiden name--you could find yourself a victim of identity theft.

What can you do?

Read the privacy policies of companies before you shop online. Look to see if there is anything in the policy about how they safeguard your information. You might consider doing an online search of the company to see if they've received any unfavorable press about their security practices. You can also call the company and ask to speak with someone in charge of data practices. Do they use strong encryption? Who has access to your information, all staff or only those on a "need to know" basis? If they don't know what you're talking about, or are hazy on some of the details, consider doing business elsewhere.

If a company you do business with has suffered from a security breach, act proactively: cancel affected credit cards, install necessary patches, etc. Make sure you check your credit report once every year. For more information about ways to prevent identity theft, visit Privacy Rights Clearinghouse at www.privacyrights.org.

Deborah Pierce is the founder and executive director of privacyactivism.org, which has its headquarters in Bellevue. She spent the last four years as a staff attorney at the Electronic Frontier Foundation, www.eff.org. To contact her, send e-mail to editor@seattlepress.com, attention Deborah Pierce.


Reader Comments


Ben Clement Apr 15, 2004 Australia storeman
   What are companies currently doing to ensure credit security for their customers and what may be used in the future?

 

© 2008 Seattle Press on Line.
