Recent high-profile data breaches at Epsilon (the total number of exposed names and e-mail addresses is unknown, but it has already been called the “biggest data breach in history”) and the Texas Office of the Comptroller (3.5 million records) have created consumer anxiety that has prompted a government response.
On March 16 the Obama administration called on Congress to pass a “Consumer Privacy Bill of Rights.” Lawrence Strickling, assistant secretary of commerce for communications and information, who appeared before the Senate Commerce Committee, said the administration would like to see a bill that was “broad and flexible enough to allow consumer privacy protection and business practices to adapt as new technologies and services emerge.”
The U.S. Senate responded almost immediately by introducing a bill co-sponsored by Sens. John Kerry and John McCain. The Commercial Privacy Bill of Rights Act of 2011 was introduced in the Senate April 12. The bill covers almost every kind of business, contains provisions for fines up to $3 million in civil penalties and authorizes the Federal Trade Commission to promulgate rules to enforce provisions following passage. The following day, Rep. Cliff Stearns introduced the Consumer Privacy Protection Act of 2011.
As an industry, what can we do to prepare for this latest wave of privacy legislation? Establishing clear policies and procedures for the safe handling of client information is an essential step. Training employees on the importance of maintaining strict control of client information assets, and on the risks to the business if those practices are not maintained, is another. Implementing adequate physical and technological safeguards to protect information assets is a third. Employees must realize that the costs associated with unauthorized disclosure or breach of client information exceed those of losing boxes full of money or gold. Any business or training approach should drive that point home.
In previous reports, the Federal Trade Commission has seemed open to industries imposing their own internal certification programs, as long as they are effective in meeting information security goals. To this end, PRISM International began working on a self-certification program for members at the beginning of 2011. The certification will also involve the use of related employee training materials and supporting documents to help small businesses achieve compliance goals related to safe information handling practices. Development of this certification will continue through 2011, with an eye toward introducing the certification program to PRISM International members in late 2011 or early 2012.
PRISM International is committed to assisting members as they work toward developing programs, policies, services and strategies to adjust to these new market realities. For more information, please e-mail staff@prismintl.org.
Jim Booth is executive director of PRISM International, Garner, N.C.
Association Viewpoint
Regulating Privacy