A group of South Florida IAPP members braved the winter elements—blue skies, sunshine, warm temperatures—to attend a KnowledgeNet meeting in Miami in December. Jorge Rey led the interactive session on the apropos topic: Privacy Resolutions.

Although attendees represented a wide range of industries—pharma, banking, education, professional services, and more—all shared remarkably similar concerns and goals. Here are their top resolutions (in reverse order).


10. Perform internal/external penetration and social engineering testing

No matter the industry, all participants agreed that “knowing” is a critical part of the privacy battle. And while IT security weaknesses remain critical, good old-fashioned social engineering is a major concern, especially in these difficult financial times. Rey in particular advised that testing employees directly, and their compliance with security measures, is critical. Will the help desk release passwords? Will a receptionist divulge critical employee names?

“People can violate privacy protocols just because they are eager to help and be service-oriented,” offered Linda Clark, CIPP, and director and senior corporate counsel at LexisNexis. “We teach employees to be aware of social engineering and provide guidance on how to respond in certain situations, something like ‘at Lexis we value privacy, and I can’t disclose the information that you are asking for,’ to help them comfortably and politely refuse such requests.”


9. Assess and update legal agreements and vendor due-diligence procedures

Like losing weight or eating right, this is one of those resolutions that everyone undertakes each year, but often finds nearly impossible to actually carry out to the level they would like. Odelin Fernandez, Jr. (Odie to his friends), who manages the vendor program as operations and technology risk supervisor at Mercantil Commercebank, noted that “making sure vendors’ contracts are up-to-date on changing requirements, auditing vendor requirements, plus conducting due diligence on potential vendors is time consuming and often frustrating, but it’s an absolutely essential compliance step. So often, vendors are the weak link.”


8. Assess and update marketing programs to maintain privacy compliance

Two concerns drove this resolution: the evolving nature of behavioral marketing and the need to limit data intake. CAN-SPAM, behavioral marketing, and even the revised product endorsement guidelines concern South Florida privacy professionals. But for David Vance, senior director and compliance counsel for Noven Pharmaceuticals, avoiding unwanted data intake is critical.

“Noven does promote some prescription products direct to customers,” said Vance. “And even inadvertent intake of information can potentially subject the company to healthcare privacy laws and regulations. So, like other pharmaceutical companies, we maintain safeguards against consumers sending us personal medical information—even when we don’t ask for it. We also make sure that vendors that must use some personal medical information to administer patient assistance programs or co-pay voucher programs do not share that information with us. If a consumer wants to report an apparent adverse event, however, we of course take that very seriously.”


7. Hire information security and/or privacy professionals

It should come as no surprise given the current economic climate that all of the meeting’s participants are running very lean privacy programs. Yet many are tasked with handling a wider variety of responsibilities than they have in the past. “Everyone is happy to be employed these days, but it is equally important to have the right people in the right position,” noted one.

Thus this key resolution: Hire the right personnel to address critical problems. Perhaps an unspoken resolution is needed: Get more money and resources for privacy.


6. Perform a privacy and/or information security compliance due diligence for current vendors

Sure, vendors sign contracts agreeing to comply with privacy laws and procedures, but are they really doing it? One attendee voiced a common concern: “Too often it seems as if vendors will say and agree to anything to get the business, but actual execution is another thing.”

Auditing and spot-checking are indispensable methods of making sure that vendors are in compliance. All attendees resolved to make this one of their top tasks for 2010.


5. Perform internal privacy and information security compliance audits

Measuring performance is crucial to managing it, and privacy is no different. All participants agreed that living up to this resolution requires covering some audit basics, namely “what’s in scope, what’s not?”

“But at perhaps the other extreme, simply creating some ‘self-checklists’ to educate employees and raise privacy awareness is remarkably effective,” noted Todd Sussman, privacy officer for the Broward County Florida Public School System.


4. Implement technologies to prevent data leakage

If it weren’t for budget constraints, this resolution would probably top the list. Be it e-mail encryption, electronic shredding of data that is no longer needed, or data-leakage prevention software, rolling out robust technology is something every privacy professional wants to do.


3. Develop specialized privacy and/or information security training

Like learning a new language or travelling abroad, this is another one of those resolutions that everyone makes but often struggles to carry out. Attendees noted resource constraints, especially, as part of the challenge. But workforce resistance doesn’t help. “Training the C-Level is a big challenge,” noted one member. “They often present the greatest risk, but are the shortest on time and desire.”

Attendees resolved to focus on developing the “right” training, along with creative means for capturing attention and attendance.


2. Create/update an accurate inventory of information assets and supporting technologies

All attendees resolved to undertake a step-by-step analysis to identify all information assets, along with existing and desired resources, to defend them and keep them private. Once again, given resource constraints brought on by the economic recession, it is more important than ever to understand what’s at stake.


1. Implement and/or update the privacy risk management program

Everyone agreed that a new year calls for a fresh look at the “risk” programs. Having obtained a good inventory of information assets and defenses, a good risk analysis is the natural next step. “A good risk-management program is particularly essential in these lean economic times,” noted one participant. “Businesses need to get the biggest bang for their buck.”


Personal resolutions

On a personal level, each participating member resolved to take care of their own identities, too. Topping the “personal” resolutions were: shredding all mail and sensitive documents before they end up in the trash; getting a lock for the home mailbox; and signing up for fraud alerts.


Keeping resolutions

Only time will tell whether these resolutions fall by the wayside in the face of limited resources, limited time, and competing demands. But the old saying is that “if you aren’t careful, you’ll end up exactly where you are headed.” So, if anything, setting resolutions is as much about correcting course as fully meeting each resolution.

