A comprehensive Federal law has been “looming” for years, but Congress has succumbed to the well-funded lobbyists.
So instead of investing in privacy, businesses have in large part sat on the sidelines, investing those compliance dollars elsewhere. The CPBR raises the visibility of privacy, but is it sufficient to finally persuade businesses to take action?
The EU Directive has been law for years; numerous other countries have adopted similar laws; and even Mexico recently enacted a comprehensive privacy law. So perhaps we have reached the tipping point. If a Federal law is on the horizon, you can do one of the following:
a.) Wait until it is passed and retrofit your privacy program and data systems to comply with it. (This is costly, because it requires updating perfectly working systems, instead of building in privacy while making other modifications.)
b.) Begin implementing these concepts now. (This is possibly less costly, but there is a risk of implementing something that never becomes law, or miscalculating the requirements of the eventual law, requiring re-work.)
I contend the logical approach is to assume you will eventually have to comply with a Federal privacy law. Actually, you may already need to comply with a privacy law, due to international exposure.
A new U.S. Federal law would only escalate the need. So begin the process NOW. Implementing a process before being mandated to by law provides more time to align the solution with corporate strategy; leverages “Privacy by Design” concepts; is less taxing on the workforce, as multiple upgrades are not implemented concurrently; and ultimately – even without comprehensive legislation – is the right thing to do for your customers.
Steps Business Should Take Regarding Privacy:
1.) Update your business process data flows. What data is collected? Where is it stored? Who has access to it? Does it flow downstream to other systems or to vendors? When is the data expunged?
2.) Determine what data is truly needed, and then either stop collecting the ancillary data, or at least document the business justification for capturing it.
4.) Continue to train your employees how to properly safeguard your business’s data.
5.) Create a process for consumers to review, challenge, and correct inaccurate data.
6.) Revisit your information security program. Is it appropriate for the sensitivity of the data?
If new legislation is passed, those who have already embraced these concepts will be well positioned to comply with it. Also, meeting these objectives will meet your clients’ expectations, including those detailed by the CPBR, creating a competitive advantage.
Either way, this is the right thing to do for your clients and something companies will eventually be compelled to conform to.
Consumer Privacy Bill of Rights Summary (full text: http://www.whitehouse.gov/sites/default/files/privacy-final.pdf):
• INDIVIDUAL CONTROL – Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
• TRANSPARENCY – Consumers have a right to easily understandable and accessible information about privacy and security practices.
• RESPECT FOR CONTEXT – Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
• SECURITY – Consumers have a right to secure and responsible handling of personal data.
• ACCESS AND ACCURACY – Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
• FOCUSED COLLECTION – Consumers have a right to reasonable limits on the personal data that companies collect and retain.
• ACCOUNTABILITY – Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
Brian Dean is a former senior vice president, chief privacy officer, HIPAA officer, and GLBA officer for one of the nation’s largest financial institutions. He now is the Privacy Officer with SecureState, providing consulting services to banks, the healthcare industry, and other businesses in the areas of privacy and security. For more information contact Brian at www.SecureState.com.