
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: BusinessWeek

Posted on April 15, 2010

In recent years, data privacy failures have harmed dozens of companies and become commonplace on the front pages of newspapers around the world. High-profile cases invite more regulatory activity, as well as scrutiny from customers and employees. In addition, companies face the challenge of managing a greater volume of sensitive information, created by increasing digitization of employee, health, financial, and other personal data.

In October 2009 alone, the Federal Trade Commission (FTC) collected more than $18 million in three settlements related to data breaches and inadequate compliance with data privacy-related laws. These three cases, following closely behind several recent Safe Harbor-related settlements, reflect the FTC's newly determined and rigorous enforcement posture. More concerning for companies are the ongoing compliance requirements and continued supervision of remediation efforts that such settlements impose. One recent settlement required the company to provide compliance updates to the FTC every two months, an obligation that can drain managers' time and attention. Moreover, the FTC is not alone: data protection authorities in the United Kingdom, Germany, and Australia are adopting more aggressive enforcement protocols than ever before.

The financial consequences of inadequate data privacy and protection continue to grow as well. According to Ponemon Institute research, the average cost of a customer data breach grew from $4.5 million in 2005 to $6.7 million in 2008. In 2008 alone, the total cost of data privacy breaches in U.S. corporations was $721 million.

Through its ongoing conversations with its members, Corporate Executive Board has identified four key best practices that companies should follow to reduce both the likelihood and the impact of data breaches:

1. Identify and understand the basic laws and requirements for your company and the data you collect. For many companies, the most challenging part is making sense of the laws and regulations that apply to their business. With offices, stores, and factories around the world, and a Web site accessible from anywhere, it is hard to identify which data you can and cannot collect and what you can and cannot do with that data. In the U.S., with its notorious "patchwork of regulations," a crucial early step is to develop a comprehensive understanding of where you do business and of the states and municipalities from which you collect, store, and process sensitive data.

2. Get your partners on board. Building and rolling out a comprehensive data privacy program involves educating functional partners in HR, Internal Audit, and the business units, and convincing them of the importance of complying with data privacy laws and requirements. Creating a data privacy compliance program is necessarily a cross-functional endeavor. Information security staff should be involved to specify and verify the technical controls the program depends on, such as firewalls, encryption, and access controls. As many laws also require regular program audits, Internal Audit will need to be part of the team. Strong data privacy teams typically include staff from HR, Information Security, Legal, Compliance, and Internal Audit.

3. Prepare in advance for data breaches. Developing and enforcing breach response protocols allows companies to pre-empt, and to respond quickly to, the risks that arise from data security breaches. Companies should plan for potential breaches by developing a taxonomy of data breach incidents, so that appropriate controls and response plans can be established for each type; drafting data breach policies, including formal investigation procedures; creating a breach response management team to enable faster action; and conducting data breach "rehearsals" to identify critical process gaps and ensure cross-functional coordination.

4. Don't take vendor compliance for granted. Many data privacy laws hold companies responsible for the data privacy failures of their third parties. At a minimum, companies must take steps to ensure that their third parties are both familiar with and compliant with the company's policies as well as all applicable laws and standards. In addition, companies should ensure that they will find out if a vendor loses its Safe Harbor certification during the term of the contract. Recommended steps to ensure vendor compliance include comprehensive training, regular monitoring of third-party data-handling procedures and security controls, and right-to-audit clauses and termination rights in the contractual agreement.

A company's information provides vital insight and a significant advantage over its competition. By following the practices detailed above, managers can help keep their company's information private.


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
