Privacy Practices

Do we have a solid security plan and take all necessary steps to safeguard user data?

Creating a solid data security plan is important both to protect user privacy and to safeguard your company's bottom line. Data breaches can be disastrous, leading to lawsuits, fines, and lost user trust. California law requires that all businesses maintain reasonable security procedures to protect the personal information of Californians from unauthorized access, destruction, use, modification, or disclosure. The Federal Trade Commission has also made official recommendations for businesses to take stock of information they collect, minimize that collection where possible, secure the information that is maintained, and plan for the future. Working with attorneys and security professionals to implement these recommendations will help protect you and your users from threats to the safety of their data.

  • Conduct a risk assessment. List every type of information that your company collects and stores. Determine which types can be used to identify people individually, such as names, addresses, Social Security numbers, debit/credit card numbers, or account information. For each type of information you collect, evaluate its sensitivity and the procedures that will most effectively safeguard it.
  • Collect data securely. Secure every method of collecting data—whether over the phone, by mail, through email, via Web forms, or from affiliates or other third parties—against snooping and data theft.
  • Store data securely. Data on your servers, on laptops, or in paper form should all be equally secure. Remember, identity theft can involve high-tech methods such as hacking and phishing, but also decidedly low-tech methods such as rooting in dumpsters and stealing from mailboxes. Make sure that all places where information enters and exits your business are secure.

ChoicePoint: Data broker ChoicePoint paid with its capital, its stock price, and its reputation in 2005 when it failed to secure the personal data of 163,000 individuals and identity thieves obtained this information. As a result of its poor privacy practices and the security breach, the company was slapped with a $15 million fine by the Federal Trade Commission, spent $2 million notifying victims of the breach, and incurred $9.4 million in legal fees. The company's stock price also plunged more than 9%. In the end, ChoicePoint's failure to take sensible precautions to protect its users' privacy ended up costing it more than $25 million, not to mention a lifetime's worth of bad publicity.

  • Protect data with encryption. Encrypt personally identifiable user data wherever feasible, particularly before storing it on backup tapes and removable storage devices (including employee laptops). In addition to this being a good way to protect your users, it is a great way to protect your company.
  • Limit and monitor access to data. Allow employees access only to the information they actually need to perform their jobs. Thoroughly train individuals who handle user information in your privacy and security practices. Log all data access and review these logs regularly.

Facebook: Users were outraged and the company's reputation was tarnished in 2007 when it came to light that the company had very poor internal security measures. Users demanded change when it was widely reported that the company was not properly safeguarding the private profiles of its users from employee misuse and that employees could view users' private profiles and track which users were viewing particular profiles.

  • Respond to security risks. Researchers or members of the public may discover a flaw in your system that could be exploited. If this happens, do not try to silence the criticism. Acknowledge the problem and take prompt action to fix it.

Cisco: In 2005, the company's reputation suffered after it threatened to sue the Black Hat security conference and a researcher for a presentation discussing flaws in the company's Internet router software. The researcher had discovered that the flaw could potentially be exploited by hackers to seize control of a router and monitor, intercept, delete, or misdirect communications. Although the conference and researcher ignored the legal threats and the presentation went on as planned, Cisco's reputation in the technology world was heavily tarnished for trying to silence information about security threats.