GMCC Media Room
Privacy and Information Security - Why Care? - Part 1 of 3 January 28, 2010

Privacy and Information Security — Why Care?

The following article is part one of a three-part series (Part 1, Part 2, Part 3) on privacy and information security written by members of the GMCC Small Business Advisory Council (SBAC).

This article series is also featured in the GMCC Business Beat (Part 1, Part 2, Part 3)


Why care about information security and privacy issues? There are three reasons:

1. Privacy and information security best practices offer competitive advantages to your company including improved customer assurance, market differentiation and fraud prevention;

2. Lax privacy and security practices expose your company to many risks and liabilities including penalties and lawsuits; and

3. You and your company have an ethical and legal responsibility to protect sensitive information entrusted to you by your customers and employees.

Privacy and Information Security
Handling sensitive information appropriately goes beyond the use of the Internet. Information is shared and made accessible through electronic storage devices, paper records, fax machines, telephone conversations and meetings.

Inappropriate sharing of information through gossip, email or social networking can result in lawsuits against both the organization and the employees that mishandled the information.

Business executives and employees need to understand best practices and the risks of handling sensitive information.

Safeguards in the workplace should protect against unauthorized access to, and sharing of, sensitive information through any medium. Sensitive information moves in and out of the workplace via laptops, thumb drives, briefcases and human memory.

When information is compromised, it may violate an individual’s right to privacy or be used to commit identity theft, business espionage or other fraud.

Consumer privacy advocates campaign for, industry groups regulate toward, and most levels of government legislate tougher privacy and information security requirements to protect consumers.

Today, organizations such as yours are held financially, legally and morally responsible when there is a privacy or information breach.

Identity Theft and Fraud
Identity theft is a growing crime that feeds on the surfeit of ill-guarded sensitive information accessible via the Internet, digital storage devices and paper records. Over 50% of identity theft originates in the workplace.
 
Identity theft and other types of fraud capitalize on weaknesses in workplace security practices. Thieves use social engineering to manipulate consumers and employees into giving out sensitive information. Victims of identity theft include both consumers and businesses.

Whenever a consumer becomes a victim of identity theft, one or more businesses or other organizations also become victims of fraud through the fraudulent use of the victim's identity.

Various types of workplace fraud may also involve the theft and misuse of financial, business and personal information.

For example, lax security practices, and giving employees access to more information than they need to perform their jobs, have enabled employees to embezzle tens of thousands of dollars. Limiting each employee's access to what the job actually requires (the principle of least privilege) removes much of that opportunity.

Risk
There are numerous local, state and federal laws with stiff penalties and prohibitions that mandate privacy and information security practices for most organizations.

There are many other potential risks and liabilities to lax privacy and information security practices. These include legal liability, regulatory investigations, penalties, fines, restitution, forensic expenses, loss of consumer confidence, disruption of operations, lost work time, lost opportunity and decreased financial viability.

Competitive Advantage
Even with the many legal and financial threats, managers may find that the most compelling reasons to secure information in the workplace are competitive advantages.

Today, consumers are concerned about identity theft and how their personally identifiable information is handled. Surveys show that more and more consumers are reading privacy statements before they do online business.

Consumers expect that privacy statements are not mere platitudes. When they are, businesses can face enforcement action for unfair or deceptive trade practices (in the United States, the Federal Trade Commission acts under Section 5 of the FTC Act, and many states have comparable laws). If your organization says it protects information, the law expects that you actually do so through a documented best practices program.

Businesses that embrace privacy and information security best practices can use their commitment to differentiate their business from the many that do little or nothing to protect the sensitive information that their customers and employees entrust to them.

It is analogous to "going green." Some consumers preferentially do business with green and environmentally-friendly organizations. Some consumers will likewise select businesses that are "privacy friendly."

Ethical Responsibility
As GMCC members, we understand the obligation we have to our customers and community to operate with the highest standards. Putting our customers, employees or business partners at risk because of lax privacy and information security is not indicative of top-notch organizations.

Is my business covered?
Almost every organization (businesses, local governments, schools, religious organizations and other non-profits) is obligated to comply with multiple identity theft, privacy and information security laws.
For example, the Red Flags Rule, the Federal Trade Commission rule that requires financial institutions and creditors to maintain a written identity theft prevention program, applies to more than 15 million organizations in all sectors (See "Red flags—if you bill your customers," Business Beat, Vol. 39, Issue 9, September 2009, page 12. Link to PDF version provided below.)

In the absence of specific laws, customers, patrons and employees have legal recourse if mishandling of their information results in a financial or emotional hardship.

Any organization’s credibility can be tarnished with the slightest publicity that it has been remiss with regard to safeguarding sensitive information.

Controlling information and assuring privacy in the small-business workplace is not expensive. It requires educating management and employees on privacy and information security best practices and the applicable laws, followed by training on how to apply them day to day.



Coming in the March Business Beat - Part II of this series summarizes the most common privacy and information security laws.



Red Flags - If You Bill Your Customers
Business Beat, Vol. 39, Issue 9, Page 12

PDF Link: www.greatermadisonchamber.com/files/sept09_bb.pdf
Copyright 2009 – Greater Madison Chamber of Commerce