
Business in Focus, Challenges of Global Privacy Compliance - Essay Example

Summary
The paper "Business in Focus, Challenges of Global Privacy Compliance" highlights that the Children's Online Privacy Protection Act ("COPPA") specifically protects the privacy of children under the age of 13 by requesting parental consent while using the internet. …

Extract of sample "Business in Focus, Challenges of Global Privacy Compliance"

Academia-Research
Business in Focus

Introduction

In today's information society, the processing of personal data has become a part of everyday life, which means that privacy is increasingly under threat. Conventional approaches to privacy have intensified the problem because these systems store personal and private data, such as name and address, date of birth, mother's maiden name, and credit details, online. Privacy of personal information has become a big issue largely because of publicity about the unauthorized use of information by government and business, identity theft, theft of credit card numbers, dissemination of medical history and so on (Hatch n.d.; Mitchell, 1998). US laws protect citizens against misuse of tax records and against information sharing without proper authorization (Hatch n.d.). In spite of this protection, according to Gregory Shaffer (2000), personal information about each U.S. citizen is traded and transferred very frequently. Privacy breaches range from very serious identity theft incidents to marketing solicitations.

Data, unlike a physical object, can be sold and distributed with relative ease in today's electronic society. Medical and financial records could be used in hiring decisions. Social security numbers could be used for identity theft and financial fraud. One's address could be used to conduct a hate crime. Terrorists and anti-government groups can use government security information to attack nuclear plants and other government targets.

U.S. legislation at the national level is not comprehensive on privacy; its numerous privacy statutes protect personal privacy in a piecemeal fashion. The Privacy Act of 1974 gives individuals the right to access and correct information held by the federal government but does not cover private entities or state and local governments.
The Financial Modernisation Act, also known as the Gramm-Leach-Bliley Act (GLB), passed in November 2000, eased the state and federal restrictions among financial institutions in the USA. The law allowed sharing of non-public information for specific purposes and in specific situations. This raised the issue of privacy, and it was demanded that consumers be notified of the institution's privacy policy and given a chance to opt out of information sharing with non-affiliated third parties. The survey confirmed the widespread use of non-public information by joint marketers and affiliated institutions. Protection of non-public personal information (NPI) is a must because its unauthorised use by companies might lead to fraud.

The following are important pieces of legislation in the USA on consumer privacy:

1. Fair Credit Reporting Act of 1970: credit agencies are required to make their records available; the law provides procedures for correcting information and permits disclosure to authorized parties.
2. Cable Communications Policy Act of 1984: cable services are required to inform subscribers of the nature of personally identifiable information collected and the use of such information. The law restricts the collection and disclosure of such information by cable services.
3. Electronic Communication Privacy Act of 1986: the law extends Title III protections and requirements to new forms of voice, video data, and communications such as cellular phones, electronic mail, computer transmissions, and voice and display pagers.
4. Electronic Freedom of Information Act (1996): the law gives any person the right to obtain federal agency records unless the records are protected from disclosure by any of the nine exemptions contained in the law.
5. Health Insurance Portability and Accountability Act 1996: the law requires healthcare facilities to implement security policies and systems to protect patient confidentiality. HIPAA only covers the security of the information and does not address information sharing.
6. Children's Online Privacy Protection Act (1999): the law prevents personal information from being collected online from children younger than 13 years old without parents' consent via email, mail, fax, telephone, and/or credit card.
7. Financial Services Modernization Act (2000): banks are required to offer an "opt-out" from the disclosure of an individual's personal information to unaffiliated entities; the law allows the sharing of medical information between banks and insurance companies without the individual's knowledge and consent.
8. Safe Harbour Principles (March 2000): a tentative agreement between the U.S. and the E.U. under which the U.S. self-regulatory system abides by the rules of the E.U.'s Privacy Directive. E.U. citizens are allowed access to their personal data for review and correction. U.S. companies cannot sell personal data without the permission of the E.U. citizen. Europeans are to have more privacy protection than Americans enjoy, yet less than Europeans enjoy in their home countries.
9. Driver's Privacy Protection Act (1994): the law lets motorists "opt out" of allowing the state to sell or give their personally identifiable information; it was recently upheld by the Supreme Court as a thing of interstate commerce that can be regulated by Congress.

EU directives 95/46/EC2 and 97/46/EC2 and the Federal Communication Commission in the USA are important for the protection of consumer privacy in relation to telecommunications (Tipton, Harold F., and Micki Krause, 2007, Information Security Management Handbook, p. 2406, Google Book Search).

Outsourcing business is booming in the USA in order to reduce costs and increase the efficiency of American firms. Indian firms receive a large chunk of outsourcing business to process various tasks. Thousands of US tax returns are being filled out in India, requiring NPI access.
There is always a likelihood that private information tracked by these foreign firms may not be protected as it is in the United States, and the legal system cannot impose sanctions for misuse by a foreign organisation (Lazarus, 2003; Goliath Business News).

Countries around the world are concerned about comprehensive privacy and data protection laws. They have enacted new laws based on the models introduced by the Organization for Economic Cooperation and Development and the Council of Europe. This legislation is mainly geared toward remedying past violations under previous authoritarian regimes, promoting electronic commerce, or ensuring consistency of laws with those of the European Union to facilitate smooth business with that economic region.

The Internet is the most versatile medium for information, banking, billing and so on, but it has become the biggest source of electronic theft. Theft by hackers has become a regular occurrence. Companies, universities, and various government entities collect personal information through the Internet or directly and subsequently let it fall into the hands of fraudsters. This personal information includes name, address, Social Security number, credit card number, medical history, and more.

Data theft has been a problem for several companies. TJX Cos., the operator of T.J. Maxx and Marshalls, disclosed that 45 million credit and debit cards were stolen by fraud. In 2006, Scott Levine of Boca Raton was sentenced to eight years in prison in a computer theft case involving 1 billion or more in records collected by data-management firm Acxiom Corp. In 2005, hackers got access to personal information of about 32,000 U.S. citizens in a database owned by Lexis Nexis. A live example is that of thieves hacking the computers of TJX Companies, a clothing chain with several outlets in Britain, and stealing personal information for about 45.7 million debit and credit cards, affecting a million Britons.
The company operates TK Maxx in Britain and Ireland, as well as the TJ Maxx and Marshall's chains in North America. All of the customers' personal information was taken, including names and addresses as well as other information. This went on for a long time without anyone's knowledge. The card details were sold to fraudsters, who used them for shopping, defrauding the actual cardholders of millions of pounds. Some of them approached the courts, accusing the company of using their cards for fake shopping. A large number of consumers lost their trust in the company (TK Max Data theft). This is a serious illustration that when retailer systems are hacked, the card details of customers in every country are at risk because of the way companies share and store information globally.

One important result of these thefts of personal information is the company's loss of reputation in the minds of consumers, who would prefer to leave the outlet and shift their loyalty to others that maintain trustworthiness by protecting the private and personal information of clients. Websites like Google may get a bad reputation if a theft occurs through the site. Internet users use Google's search engine to search for desired information on the Internet. In this process a user is likely to provide personal information to the provider of the information. People will come to know about these thefts one day or another and would not trust Google or any other website involved.

Tesco, the supermarket chain, is very cautious in the matter of its consumers' privacy and takes extra care with the information it collects from its shopping customers through Clubcard or through any other channel. The company assures its clients that information about its members will not be disclosed to third parties for marketing purposes.
The company is ready to co-ordinate with any court, tribunal, regulatory body, or police authority in any investigation or proceedings concerning the use of Tesco internet access. With this type of commitment to safeguarding consumers' privacy, the company can earn the trust of its customers and grow its business ('Tesco Telecom').

Tesco's loyalty card, which a consumer can use as a form of identification when dealing with the retailer, is a marketing game. By presenting the card, the purchaser is typically entitled to either a discount on the current purchase or an allotment of points that can be used for future purchases. The card user usually provides a minimal amount of identifying or demographic data, such as name and address, which the company can use for market research. It is highly likely that consumer purchases are tracked with the help of RFID and analyzed for more efficient marketing and advertising. Later, the consumer's bank information is also gained through. RFID is planned for further intensive use in analysing consumers' purchasing behaviour. It is thus closely connected with consumers' privacy to a large extent (Tesco Club card online).

A 2004 Privacy Trust Study of the U.S. Airline Industry found that a vast number of consumers were willing to share confidential and personal information with an airline and the federal government for small benefits, for example if this allowed them to get through airport security checkpoints faster. Airlines keep highly confidential and very personal information about fliers, including scans of their faces. According to the study, a privacy breach would cause 80% of respondents to switch to another carrier. Many prefer to deal with the most trusted companies for further relationships. In contrast, the companies least trusted for privacy were not preferred. Consumers actually withdrew their support for companies with poor privacy performance.
The study also shows that companies earning a customer's trust and confidence through better privacy practices may be in a better position to achieve a long-term and more profitable customer relationship (Bennet Gold).

Companies that collect and use an individual's personal information lose the trust of consumers. This is the result of a survey conducted over three years. Two-thirds of consumers reported a loss of trust in a company over its privacy practices. This is a very challenging privacy issue and therefore needs close attention to maintain the trustworthiness of the business. The ability of business to have dependable and predictable access to a consumer's personal information is vital for economic activity and the protection of an individual's information. ... (Privacy and Identity Theft)

In the UK, anyone over 16 in the city of Manchester with a UK passport will be able to apply for an identity card. The objective of the ID cards will be to reduce fraud, thus saving money. ID cards will be vital to combating terrorism and organised crime. ID cards will deliver real benefits to everyone, including increased protection against criminals and illegal immigrants. The government said one of the benefits would be the ability to use the identity card to get personalised public services. The measure involves a big risk to privacy (BBC News/Politics).

Data warehousing is an essential and strategic requirement in today's business. Unless adequate measures are taken to protect personal information, data mining will meet obvious resistance from the public. If this becomes widespread, it will pose a serious threat to business and to the technology itself.

Health information exchange has become essential today. A lot of information about people's health profiles is sent abroad by American firms for analysis and reporting, with the purpose of reducing costs and decreasing medical errors through the use of information technology such as electronic medical records.
While the objective of health information exchange is understandable, it is essential that individual health information is secure and that the privacy rights of patients are protected. Certain personal health data was sent for research work by the Midland Health Board, and it was suspected to be a breach of the Data Protection Acts because prior consent had not been obtained. When personal data is held by the Controller for statistical or research purposes, it is exempt from a number of the normal data protection restrictions (by virtue of section 2(5)(a) of the Acts). Where the data needs to be disclosed to third parties, even to doctors, for another research purpose outside of the controller, there is an urgent need for explicit consent to be obtained (Data Protection Commissioner; Understanding Key Privacy Issues in the Health Information Exchange Environment, Privacy Summit 2009).

A fitting example of health information misuse is when the bankrupt health information site Drkoop.com, co-founded by former U.S. Surgeon General C. Everett Koop, announced that it would sell its member list to Vitacost.com, a site aimed at marketing vitamins. The purpose was to earn some money, but it was hazardous for individual members and was therefore widely criticized. The site gave its users a last-minute chance to opt out of participation, but the strategy was unfair (Privacy Summit 2009).

Genomic and genetic research, which is set to revolutionise the practice of medicine, maintains a huge repository of human biological samples for genotyping and further analysis. Bioethicists are deeply concerned about the privacy implications of bio-banking for genomic and genetic research. A person's DNA can be used to identify his historical background, family history, ancestry and complete social identity. This is very personal information and can be misused for private gain, perhaps damaging the social interest and honour of the person concerned.
(Genetics Research and Privacy: Evolving Ethical, Legal and Social Implications, Privacy Summit 2009)

Kids and teens have a keen interest in social networking and mobile marketing, but this poses a challenge for creating safe environments, managing identity and meeting children's privacy obligations. Under the Children's Online Privacy Protection Act (COPPA), maintaining anonymity or obtaining verifiable parental consent by establishing a subscription model may be the best options for websites used by children. COPPA specifically protects the privacy of children under the age of 13 by requesting parental consent when they use the internet. The Act was passed in response to a growing awareness of Internet marketing techniques that targeted children and collected their personal information from websites without any parental notification. The main requirements of the Act with which a website operator must comply include a general requirement to protect the confidentiality, security, and integrity of any personal information that is collected online from children. Some sites, like Amazon.com, do not sell products to children and claim that COPPA is not applicable to them (The Challenges of Global Privacy Compliance, Privacy Summit 2009).

The diverse legal, social and business cultures of different parts of the world pose a distinct challenge for those with responsibility for privacy compliance and information management. The basic issue is to devise and implement a consistent, workable and lawful global privacy program in a cost-effective way. Everyone will be considering practical ways of simplifying global compliance, from streamlining privacy filings across the EU to harmonising contractual arrangements with vendors that carry out data processing operations across jurisdictions.
(Privacy Summit 2009)

With government initiatives such as HIPAA (the Health Insurance Portability and Accountability Act) turning up the pressure to protect customer data, organizations have recognized the need to rank privacy ahead of almost all other issues. For example, Carl Ascenzo, CIO at Boston-based health insurance provider Blue Cross Blue Shield of Massachusetts, believes that the aggressive inclusion of privacy-oriented strategy must be part of nearly every move he makes. "Privacy is a critical part of our infrastructure," Romano said. "Carl and I have worked to build these policies into the very fabric of everything that we do, from an IT standpoint and beyond." "Communication around customer data privacy and security issues has become an essential piece of everything we do in IT," he said. "I only expect this to increase, and we get an extreme level of support around this from our senior leadership down." (www.searchcio.techtarget.com/news/article/0,289142,sid182_gci887780,00.html)

In an article published in August 2002, Matt Hines, News Writer, made a direct hit with the caption 'Protect privacy or Jeopardise CRM'. Scott Nelson, an analyst at a research firm, states that 'businesses need to walk a fine line between protecting privacy and running a successful CRM effort' and that 'There is a wide range of customers out there with differing preferences as to how they are approached using CRM and how their information is leveraged.' Privacy is a very serious issue that can foil CRM and force customers to desert the business. It is therefore important to understand each customer's needs and expectations and to build business strategies that create stronger relationships with clients through CRM (Matt Hines, News Writer).

Concern about privacy is characterized by a pragmatic, technology-supporting norm in which risks to privacy that are considered unavoidable can be tolerated.
Several ways in which privacy might be threatened have been identified, including intentional identity theft, disclosure and misuse of information by insurance companies, mismatching of medical records data with personal health records, accidental mixing-up of records and their contents, and attempts by health professionals to track or follow up on the outcomes of former patients and co-workers. Theft or breach of privacy could result in serious harm, such as threats to insurability or denial of employment or care. The possibility of an audit check may prove the most reassuring and accessible option for safeguarding privacy and building confidence.

The issue of privacy has become central today because of very advanced ways of doing business, research, outsourcing, data mining and many other activities. Today's electronic world makes it a more sensitive issue and carries it beyond the country. It is a matter for grave deliberation and requires legislation by every sensible country to control the privacy of the common man and consumers (Journal of Medical Internet Research).

Developing consistent and effective privacy policies is as crucial as building successful customer relationships and interactions. How a particular business uses or intends to use information collected from its customers is outlined clearly in the company's customer privacy policy. This policy is determined by the company's experts, counsel and legal experts. Ensuring data protection and privacy compliance is a matter of operating within the law, and also of handling personal information effectively and respecting the interests of customers.

Bibliography

1. American Airlines, www.aa.com/aa/i18nForward.dop=/footer/privacyPolicy.jsp
1a. BBC News, Politics, news.bbc.co.uk/1/hi/uk_politics/8035002.stm, visited on 10th May 09
2. Everyday computers, http://www.dailymail.co.uk/news/article-445551/TK-Maxx-card-hackers-target-45m-customers-biggest-heist.html
3. COMMERCEALERT, News Article, www.e-commercealert.com/article655.shtml
4. Daily Mail, www.dailymail.co.uk/news/article-445551/TK-Maxx-card-hackers-target-45m-customers-biggest-heist.html, visited on 10th May 09
5. Data Protection Commissioner, www.dataprotection.ie/viewdoc.aspDocID=268
6. Goliath Business News, Current issues in Consumer Privacy policies, www.goliath.ecnext.com/coms2/gi_0199-4601852/Current-issues-in-consumer-privacy.html, retrieved on 8th April 09
7. Matt Hines, News Writer, 12 Aug 2002, Search CRM, 'Protect Privacy or jeopardize CRM', www.books.google.co.in/booksisbn=1420013580..., visited on 8th May 09
8. Tipton, Harold F., and Micki Krause, 2007, Information Security Management Handbook, p. 2406, Google Book Search
8a. Tesco Clubcard online, forums.moneysavingexpert.com/showthread.htmlt=1634457
8c. TK Max Data Theft, www.itpro.co.uk/109208/tk-maxx-data-theft-uk-shoppers-at-risk
9. Privacy Summit 2009, Genetics Research and Privacy: Evolving Ethical, Legal and Social Implications
10. Privacy Summit 2009, Understanding Key Privacy Issues in the Health Information Exchange Environment
11. Privacy Summit 2009, Key issues including transparency, customer control, privacy protections and value ..... ICANN's New TLD Business Model, Cloud Computing and Online Fraud ... www.privacysummit.org/index.phpoption=com_content&task=view&id=6&Itemid=14
12. Privacy and Identity theft, www.aif.com/governmental_key_issues.shtm, visited on 9th May 09
13. http://www.itpro.co.uk/security/news/109208/tk-maxx-data-theft-uk-shoppers-at-risk.html (30/03/07)
14. Tesco Telecom, http://www.tesco.net/privacy.asp
15. Virgin Blue, www.virginblue.com.au/Holidays/Privacy/index.htm
16. Journal of Medical Internet Research, www.securecomputing.net.au/News/119600,new-breach-laws-invoke-mixed-reactions.aspx, attended on 10th May 09
17. www.itworld.com/legal/61810/industry-giants-weigh-us-privacy-laws
(“Business in Focus Essay Example | Topics and Well Written Essays - 3250 words”, n.d.)
Business in Focus Essay Example | Topics and Well Written Essays - 3250 words. Retrieved from https://studentshare.org/miscellaneous/1519130-business-in-focus
