Privacy 101


by Laura Taylor
2/10/2003

How Privacy Affects Your Intranet

It's a fact that some businesses and organizations do not take privacy very seriously. However, the truth is that privacy of confidential customer information is mandated by law — many laws, actually. There are more privacy laws than we can discuss here, but some of the more well-known laws that mandate privacy include:

  • The Privacy Act of 1974 (5 USC 552a)
  • Health Insurance Privacy and Portability Act (Public Law 104-91)
  • Gramm-Leach-Bliley Act (GLBA)

The Privacy Act stipulates that U.S. federal agencies must keep records of individuals private and use them only for their stated purpose(s). U.S. federal agencies are not allowed to disclose individual records to other agencies, businesses, or organizations if that was not the documented reason for collecting the information in the first place.

President Clinton signed HIPAA into law on Aug. 12, 1996. HIPAA mandates that healthcare providers secure electronic records about patient information in the same manner that hardcopy records are secured. HIPAA protects patients against discrimination from insurance companies, discrimination from their employers, and nosy journalists who might want to print very personal information in tabloid newspapers.

The Gramm-Leach-Bliley Act (GLBA) was initiated by the Senate Banking Committee and signed into law on Nov. 4, 1999. GLBA requires that all banks, including online banks, disclose their privacy policy regarding disclosure of non-public personal information. Privacy policies of banks need to be disclosed from the outset at the time the bank first initiates a relationship with a potential customer. GLBA further stipulates that customers of financial institutions need to be given the opportunity to "opt-out" of sharing non-public personal information (like credit card and account numbers) with non-affiliated third-parties and partners.

If your company is a publicly traded company, you are required by the SEC to disclose the risks of investment to your shareholders. If you do not perform due diligence with regard to privacy, you are opening up your company to the risk of fines, litigation, and lost customer loyalty, all of which could hurt your company's bottom line and shareholders' investment. In today's world of online information, if confidential customer information is not protected with security and privacy controls, credit card numbers can be obtained by hackers using "sniffers" and later be used for unauthorized purchases. Responsible federal agencies, healthcare providers, and businesses take privacy seriously and conduct routine Privacy Impact Assessments to ensure that laws and regulations are not violated.

Conducting a Privacy Impact Assessment

A Privacy Impact Assessment (PIA) is a process that determines the current state of data privacy on your intranet. If conducted properly, a PIA will tell you if your business or organization is actually following and abiding by its privacy policy. Best-practice PIAs generate reports that enable your organization to take corrective action to ensure your data is in compliance with laws, regulations, and your privacy policy. Upon reviewing the PIA report, your organization should be able to put together a task list or agenda to improve the privacy of data on your intranet.

A PIA should be conducted at least once a year, or whenever major changes are made to the systems that contain confidential customer information. Privacy is an IT problem. Privacy assessments are typically handled by the IT security or IT operations team. Though it is quite possible to perform a PIA in-house, clearly more objectivity can be gained by hiring an outside consulting firm to perform the audit.

Much of a PIA involves interviewing employees of the organization and reviewing system diagrams and privacy policies. Some pieces of the PIA can be done using technology tools, but a large portion of it is a manual, survey-driven research process. Once private information and the systems holding it have been identified, scanning tools can be used to find out whether that information is vulnerable to cyber attacks. Scanning the systems and intranets that contain private information is probably the only part of the PIA that can be done using automated tools. If vulnerabilities are found in the systems or networks containing private information, a plan for corrective action should be established.

A diagram depicting the flow of how personal information is collected, and where it is stored, should be included in every PIA. Privacy and security controls should be documented on the flowchart as appropriate. The PIA and flowchart should explain which users have access to which types of private and personal information. If a Web site is involved and cookies are transmitted and received, this type of information should be documented on the diagram.

The goal of the PIA is to generate a Privacy Impact Report (PIR), and the goal of the PIR is to help the organization understand where its privacy weaknesses are so that they can be corrected. Unless corrective action is taken, conducting a PIA and generating a PIR is surely a waste of time and resources.
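The PIA section above describes the artifacts a PIA should capture (where personal information is collected and stored, what controls protect it, which roles may access which categories, and where it flows) and the PIR findings that result. The following is an added example, not code from the original article, showing how that inventory can be modelled as data and checked against a handful of policy rules drawn from the laws discussed earlier: confidential stores need encryption and access control, data may only flow for its documented purpose (the Privacy Act's purpose limitation), and non-public personal information shared with a non-affiliated third party needs an opt-out (GLBA). All store names, roles, flows and data categories are constructed sample input; the rule set is an assumption chosen for illustration, not a complete reading of any statute.

```python
"""Minimal Privacy Impact Assessment (PIA) checker.

Added example, not from the original article. It models the data-flow
inventory a PIA should contain and runs policy rules over it to produce
PIR-style findings. Every name and value below is constructed sample data.
"""
from dataclasses import dataclass, field

# Data categories used by the constructed inventory (labels are assumptions)
NPI = "non-public-personal"   # e.g. account and card numbers (GLBA scope)
PHI = "protected-health"      # patient records (HIPAA scope)
PUBLIC = "public"

@dataclass
class DataStore:
    name: str
    categories: set
    purpose: str                                  # documented reason for collection
    controls: set = field(default_factory=set)    # e.g. "encryption", "access-control"
    allowed_roles: set = field(default_factory=set)

@dataclass
class Flow:
    source: str
    destination: str
    categories: set
    purpose: str
    third_party: bool = False     # non-affiliated recipient
    opt_out_offered: bool = False

@dataclass
class AccessGrant:
    role: str
    store: str

def assess(stores, flows, grants):
    """Return (severity, finding) tuples: the core content of a PIR."""
    findings = []
    by_name = {s.name: s for s in stores}
    for s in stores:
        # Rule 1: confidential data must be encrypted and access-controlled
        if s.categories & {NPI, PHI}:
            for ctl in ("encryption", "access-control"):
                if ctl not in s.controls:
                    findings.append(("high", f"{s.name}: confidential data stored without {ctl}"))
    for f in flows:
        src = by_name.get(f.source)
        # Rule 2: data may only be used for its documented purpose
        if src and f.purpose != src.purpose:
            findings.append(("high", f"{f.source}->{f.destination}: purpose '{f.purpose}' "
                                     f"differs from documented '{src.purpose}'"))
        # Rule 3: NPI shared with a non-affiliated third party needs an opt-out
        if f.third_party and NPI in f.categories and not f.opt_out_offered:
            findings.append(("high", f"{f.source}->{f.destination}: NPI shared with third party without opt-out"))
    for g in grants:
        # Rule 4: every access grant must match the store's documented roles
        st = by_name.get(g.store)
        if st is None:
            findings.append(("medium", f"{g.role}: grant on undocumented store {g.store}"))
        elif g.role not in st.allowed_roles:
            findings.append(("medium", f"{g.role}: access to {g.store} not in policy"))
    return findings

def sample_findings():
    """Run the checker over a constructed inventory (sample data, not real systems)."""
    stores = [
        DataStore("crm-db", {NPI}, "account-servicing", {"encryption", "access-control"}, {"account-rep"}),
        DataStore("web-logs", {PUBLIC}, "site-operations", set(), {"webmaster"}),
        DataStore("claims-share", {PHI}, "claims-processing", {"access-control"}, {"claims-clerk"}),
    ]
    flows = [
        Flow("crm-db", "marketing-partner", {NPI}, "account-servicing", third_party=True),
        Flow("crm-db", "billing", {NPI}, "account-servicing"),
        Flow("claims-share", "analytics", {PHI}, "research"),
    ]
    grants = [AccessGrant("account-rep", "crm-db"),
              AccessGrant("intern", "crm-db"),
              AccessGrant("claims-clerk", "claims-share")]
    return assess(stores, flows, grants)

def render_pir(findings):
    """Format findings as a short Privacy Impact Report."""
    lines = ["Privacy Impact Report", "=" * 21]
    for sev, msg in sorted(findings, key=lambda x: x[0]):
        lines.append(f"[{sev.upper():6}] {msg}")
    lines.append(f"{len(findings)} finding(s); each needs an owner and a corrective-action date")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_pir(sample_findings()))
```

The sample inventory produces four findings: the PHI share lacks encryption, the marketing flow shares NPI with a third party without an opt-out, the analytics flow repurposes claims data, and an intern holds access that the policy does not document. The point of keeping the inventory as data is that the same check can be re-run after every corrective action or system change, which is exactly when the article says a PIA should be repeated.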
