
Should You Publish a Privacy Policy?

Security consultant Robert Weingarten explains why publishing a privacy statement may be more harmful than not publishing one.

By Robert Weingarten

September 25, 2006

In the spring of 2000, Eli Lilly and Company launched Medi-messenger, an e-mail service associated with the company's Prozac® website. Interested subscribers enrolled in the program at Prozac.com, and subsequently received their own personalized e-mail reminder regarding their medication. At the time of enrollment, subscribers were invited to view the Prozac.com privacy statement, which said that the privacy and confidentiality of the personal information subscribers provided would be protected.

In mid-2001, Eli Lilly decided to discontinue the Medi-messenger program. An Eli Lilly employee created an e-mail message using the Medi-messenger enrollment information and sent a single message addressed to all 669 subscribers, stating that the service was being terminated.

The Federal Trade Commission (FTC) contended that by making visible the e-mail addresses of all its Medi-messenger subscribers in a single message, Eli Lilly's claims of protecting subscribers' privacy constituted unfair or deceptive acts or practices, because inadequate measures had been implemented to protect the private information Medi-messenger users provided. Although Eli Lilly unintentionally disclosed private information, it did not admit to violating any laws; yet it agreed to provide more internal security measures to protect end-user privacy, and to provide yearly written reviews by qualified persons of its security measures.

This case demonstrates a complication that arises when companies claim to have security measures that protect their end users' privacy. Large, established companies, like Eli Lilly, understand this issue but may still have problems ensuring compliance with their privacy policy. But many emerging companies immediately post their claimed privacy policies on their company websites. These companies often fail to assess the potential risks, burdens and liabilities associated with publishing a privacy policy. They do not realize that publishing a privacy statement may be more harmful than not publishing one.

When a Privacy Policy Is a Deceptive Practice

The FTC initiated the Eli Lilly case based on the company's having inadequate security measures to support its stated privacy policy. The FTC is not the only government agency pursuing deceptive, misleading and/or unsupported privacy policies. By year-end 2005, 15 states had enacted privacy laws that outline what actions should be taken when a breach of private information occurs. Other states, such as New York, use general business laws to handle breaches of private information.

New York State considers a company's privacy policy as part of the "contract" between the company and its website end users. If a company states in its privacy policy that it protects private information and then fails to do so, the company can be held liable for deceptive practices.

In 2002, New York State alleged that Ziff Davis, a multimedia company, violated the state General Business Law, Article 22-A, dealing with protecting end-user privacy. Article 22-A does not deal directly with Internet privacy policy issues; it addresses consumer deceptive acts and practices.

The Ziff Davis situation began in November 2001, when the company ran a promotional offer for a free magazine subscription. The offer included an option that allowed consumers to continue their subscription after the initial free period by submitting a credit card number that would be charged automatically for the continuation of the subscription. Twelve thousand users signed up for the free subscription, with 50 providing a credit card to be used to continue a paid subscription. Five days after the promotional offer commenced, Ziff Davis noticed that its subscription file was accessible to Internet users. Although Ziff Davis took immediate action to correct this situation, it was too late for five subscribers who received fraudulent credit card charges.

New York State alleged that the Ziff Davis privacy policy stated the company had reasonable precautions in place to keep personal information secure, yet thousands of individuals and dozens of credit card numbers were exposed. According to New York State, the Ziff Davis privacy policy was deceptive because the company did not have adequate security measures to protect subscribers' personal information. The case was settled when Ziff Davis agreed to additional security measures as well as financial restitution.

Emerging companies need to be careful as well. State and federal agencies are stepping up efforts to identify and charge organizations that breach privacy claims. Emerging companies should not publish a privacy policy without considering what they are claiming to protect. They should not publish a privacy policy without having security measures in place to protect the stated private information. They should not publish a privacy policy without knowing how their partners or third-party providers handle their users' private information, since they remain responsible for that information. They should not publish a privacy policy without having action plans in place to handle any breaches that may occur.

How to Proceed with Caution
