In Depth

Simon Davies: Privacy's New Image

America's new rules of privacy are coming from the Old Country. Here's how Europeans like Simon Davies are getting America to rethink privacy.

By Daintry Duffy

Page 5

Experts note that no overt actions have been taken against U.S. companies to date, and privacy officers such as Fong have had no bad experiences with the European information commissioners. But Fong does note that the relationship with the European authorities is one that GE has carefully cultivated. "We make an effort to get to know them and to learn what their priorities and concerns are. Just as with any other relationship, it's important to develop open lines of communication," says Fong. Inoculation against international mood swings could be a very smart policy.

Homegrown Hindrances

As if continental mudslinging weren't bad enough, corporate privacy practices are also on the defensive at home. The FTC has long been the government agency most closely associated with the issue of privacy in the United States. But even with niche regulations like COPPA (Children's Online Privacy Protection Act), HIPAA (Health Insurance Portability and Accountability Act) and GLBA (Gramm-Leach-Bliley Act), the FTC's role has been more that of an educator than an enforcer.

But recently the FTC has taken a much more active role in calling companies to account for privacy violations. When Eli Lilly violated its own privacy policy by accidentally releasing 669 customer addresses in the "to" field of an e-mail from its Prozac.com website, the FTC filed a complaint that accused the company of failing to protect customer information, of inadequately training its employees, and providing insufficient oversight for the employee who sent out the e-mail. The complaint was settled last year.

Westin notes that the decision was important because it reinforced with high-profile action the FTC's stated position. "If you make promises about privacy, you have to take adequate or reasonable measures to implement [those assurances]," Westin says. "Every security officer should have a copy of that ruling because it sets the standard for website security and confidentiality."

The settlement requires Eli Lilly to establish a four-tiered information security program with the physical, technical and administrative safeguards necessary to guard against a similar breach in the future. Specifically, the company must designate appropriate personnel to coordinate and oversee the program, identify and address internal and external risks to the security of personal information, conduct an annual written review of the program to monitor and document compliance, and adjust the program in the future based on the review's findings and recommendations. With its punitive actions, the FTC has effectively become an active participant in Eli Lilly's security program, creating a cautionary tale for other companies that might be inclined to accidentally or purposely disregard their own privacy policies.
