


by Robert Weingarten

Should You Publish a Privacy Policy?

Sep 25, 2006 | 6 mins
CSO and CISO, IT Leadership, Privacy

Security consultant Robert Weingarten explains why publishing a privacy statement may be more harmful than not publishing one.

In the spring of 2000, Eli Lilly and Company launched Medi-messenger, an e-mail service associated with the company's Prozac® website. Interested subscribers enrolled in the program on the website and subsequently received their own personalized e-mail reminders regarding their medication. At the time of enrollment, subscribers were invited to view the privacy statement, which said that the privacy and confidentiality of the personal information subscribers provided would be protected.

In mid-2001, Eli Lilly decided to discontinue the Medi-messenger program. An Eli Lilly employee created an e-mail message using the Medi-messenger enrollment information and sent a single message, addressed to all 669 subscribers at once, stating that the service was being terminated.

The Federal Trade Commission (FTC) contended that by making visible the e-mail addresses of all its Medi-messenger subscribers in a single message, Eli Lilly's claim to protect subscribers' privacy constituted an unfair or deceptive act or practice, because inadequate measures had been implemented to protect the private information Medi-messenger users provided. Although Eli Lilly disclosed the private information unintentionally and did not admit to violating any laws, it agreed to put additional internal security measures in place to protect end-user privacy and to obtain yearly written reviews of those security measures by qualified persons.

This case demonstrates a complication for companies that claim to have security measures protecting their end users' privacy. Large, established companies like Eli Lilly understand this issue but may still have problems ensuring compliance with their own privacy policy. Many emerging companies, by contrast, immediately post their claimed privacy policies on their websites. These companies often fail to assess the potential risks, burdens and liabilities associated with publishing a privacy policy. They do not realize that publishing a privacy statement may be more harmful than not publishing one.

When a Privacy Policy Is a Deceptive Practice

The FTC initiated the Eli Lilly case because the company's security measures were inadequate to support its stated privacy policy. The FTC is not the only government agency pursuing deceptive, misleading and/or unsupported privacy policies. By year-end 2005, 15 states had enacted privacy laws that outline what actions should be taken when a breach of private information occurs. Other states, such as New York, use general business laws to handle breaches of private information.

New York State considers a company's privacy policy part of the contract between the company and its website end users. If a company states in its privacy policy that it protects private information and then fails to do so, the company can be held liable for deceptive practices.

In 2002, New York State alleged that Ziff Davis, a multimedia company, had violated the state's General Business Law, Article 22-A. Article 22-A does not deal directly with Internet privacy policy issues; it addresses consumer deceptive acts and practices generally.

The Ziff Davis situation began in November 2001, when the company ran a promotional offer for a free magazine subscription. The offer included an option that allowed consumers to continue their subscription after the initial free period by submitting a credit card number that would be charged automatically for the continuation of the subscription. Twelve thousand users signed up for the free subscription, with 50 providing a credit card to be used to continue a paid subscription. Five days after the promotional offer commenced, Ziff Davis noticed that its subscription file was accessible to Internet users. Although Ziff Davis took immediate action to correct the exposure, it was too late for five subscribers who received fraudulent credit card charges.

New York State alleged that Ziff Davis's privacy policy stated the company had reasonable precautions in place to keep personal information secure, yet thousands of individuals' records and dozens of credit card numbers were exposed. According to New York State, the Ziff Davis privacy policy was deceptive because the company did not have adequate security measures to protect subscribers' personal information. The case was settled when Ziff Davis agreed to additional security measures as well as financial restitution.

Emerging companies need to be careful as well. State and federal agencies are stepping up efforts to identify and charge organizations that breach their privacy claims. Emerging companies should not publish a privacy policy without considering what they are claiming to protect. They should not publish a privacy policy without having security measures in place to protect the private information the policy covers. They should not publish a privacy policy without knowing how their partners or third-party providers handle their users' private information, since they remain responsible for that information. And they should not publish a privacy policy without having action plans in place to handle any breaches that may occur.

How to Proceed with Caution

A new company needs to proceed cautiously. First, it should never publish a privacy policy simply copied from another website. Second, it should determine whether a privacy policy is required by law for its business segment. Third, it should determine whether a posted privacy policy would have marketing benefits. Fourth, if it determines that it does require a published privacy policy, an emerging company should seek professional guidance to ensure that appropriate security measures are put in place. Emerging companies can turn to large consultancies and integrators, specialized consulting companies, a boutique consultancy, or an individual consultant with a privacy focus who is a Certified Information Systems Security Professional (CISSP).

The Eli Lilly and Ziff Davis cases clearly illustrate that a business must be diligent about maintaining security measures to ensure that its stated privacy policy is backed by a correct implementation, and that its claims that it can protect private information are true. Periodic review and revision of a privacy policy should be handled by professionals who understand the risks that new programs, such as a new e-mail service or promotional offer, can introduce.

Having a policy to protect private information is key to good company governance, but having one without the security measures to support it is deceptive and irresponsible, and could be expensive as well. A privacy policy can be an asset or a liability; it's your decision.

Robert A. Weingarten is a security and privacy consultant who designs and develops privacy statements and policies, together with the security programs needed to ensure compliance with them. Weingarten is a CISSP, well-versed in U.S. and E.U. privacy laws. He can be reached at