Public Pitfalls Of Privacy Policies

Not too many years ago, it was an open question whether your Internet site required a privacy policy. Now, you'd be hard-pressed to find a site without one. Your customers and clients simply demand it. Although users who actually read a privacy policy may be few and far between, you'll quickly hear from them should you fail to provide one.

So, what does a privacy policy mean for your organization in legal terms? In particular, in the midst of record numbers of personal data breaches, how does your privacy policy fit into the legal fallout following a breach?

Think of your privacy policy as a legally enforceable promise that you make to your customers. If you break that promise, not only do you face the obvious damage to your company's brand, reputation and good will, but you may also face legal action from federal and state agencies.

For example, the FTC has pursued companies that have violated the terms of their privacy policies under its "Section 5" authority that prohibits "unfair or deceptive practices." In a 2003 case, Guess.com violated the terms of its privacy policy that stated: "All of your personal information including your credit-card information and sign-in password are stored in an unreadable, encrypted format at all times." It wasn't true: The database tables were in cleartext. Worse, they were available to attackers through SQL injection manipulation.Seems like a clear violation, but was it intentional? Perhaps Guess was using a hosting company that changed its subcontractor, which falsely promised that the credit-card tables would be encrypted. Or maybe an in-house team substituted a database from a testing environment following a production hardware failure, forgetting to redeploy the requisite encryption. Regardless, the root cause was probably much more subtle than suggested by the damning claims made in the FTC complaint against Guess.com.

Guess.com didn't get hit by fines, but the pain was still real. Customer faith was shaken and the company is required to implement a rigorous security program and have third-party audits for the next 20 years.

How do you avoid Guess.com's fate? First, ensure that all key stakeholders help draft and periodically update the policy, including C-level executives, marketing, IT and legal counsel. The officers and marketing want to ensure that the privacy policy sends the appropriate message to all current and potential customers. Increasingly, companies see privacy as a competitive differentiator, with the privacy policy being the primary tool in developing a pro-privacy strategy. The importance of involving IT, especially security staff, as well as legal counsel to help draft and approve the policy, can't be overstated.

Second, realize that each word and phrase in the policy is legally significant. Draft each carefully. One pitfall most companies now successfully avoid is providing absolute promises of security. "Entering your credit-card number via our secure site is completely safe," claimed Petco.com, prior to the March 2005 complaint filed against it by the FTC. Although the thrust of the complaint was similar to the Guess.com case--false claims of encrypted information--unconditional promises, such as "you never have to worry about the safety of your credit-card information," also figured prominently.

Finally, support the privacy policy with the requisite underlying procedures and user training. The privacy policy is an ultra-high-level public document, summarizing your data privacy practices. It does not stand alone. Ensure that each promise you make is mapped to an appropriate procedure. Private policy development is a process: Review and update it--and the attendant procedures--at least annually. Letting a disconnect develop can take you down quickly. Such disconnects could result in a fate similar to that of Guess.com.Patrick R. Mueller, CISSP, is completing his law degree at the University of Wisconsin-Madison and will be joining the privacy compliance practice at Wildman Harrold Allen &Amp; Dixon, LLP, in Chicago. Write to him at [email protected].