
Online privacy: New rules for melding e-commerce and information

E-commerce has redefined individual privacy, and compliance and security officers need to practice some viral marketing to convince users online privacy is serious business.

The economics of the Internet have redefined the value of privacy to the ordinary individual. Most people these days gladly sell some of their personal information for what some would say is scant return and others would call valuable services. Of course, people are opposed to having information about themselves disclosed without their permission in a way that might harm them. This is an important point; what they seem to be against is the harm, not the disclosure itself.

Online privacy, pro …

Compliance and information security professionals seem to think there is a societal consensus in favor of privacy. In support of this view, they point to privacy requirements in state and federal laws; according to Privacy Journal there are more than 700 laws regarding privacy and surveillance. For a few examples, the Privacy Act of 1974 limits what the federal government can do with the data it collects. The Financial Modernization Act of 1999 (better known as the Gramm-Leach-Bliley Act, or GLBA, after its sponsors) includes provisions to protect consumers' personal financial information held by financial institutions. The Health Insurance Portability and Accountability Act of 1996, or HIPAA, does the same for health care and health insurance data subjects.

… And con

Others argue that privacy is not important. If one has nothing to hide, so this argument goes, there is no need for privacy. Online information is by nature public, not private, according to one argument against privacy. Moreover, it's claimed routine breaches of privacy are a necessary component of e-business, and commerce on the Web would shrivel and die without data collection.

It is the confluence of commerce and information that raises the issue of online privacy, though the average Internet user rarely thinks of it: The payment for public information is access to a website and a service. If one wants to have an account to use free email, listen to online radio or view videos, a person has to provide some information, such as his gender and age. People freely provide personal, professional and educational histories on social networking sites.

It is for the individual to decide whether the value received is commensurate with the value paid. What is important to information security generally, and the protection of privacy rights particularly, is the prevalent attitude toward the value of information, personally identifiable and otherwise.

Personal information and game scores

It is not just personal information that is being given away. Many people use their computers at work for personal purposes, such as (mea culpa) following the fortunes of their favorite baseball team. Perusing the privacy policy of just one such club (that has disappointed so much and so many this year that looking over the privacy policy could not hurt), one finds that in order to obtain unspecified personal services one might be asked for his "full name, street address, email address, telephone number(s) (e.g., home, work, mobile and/or fax) and birth date."

The team promises not to sell, lease or share this information, with the notable exceptions of its service providers, other baseball teams (even the crosstown Lords of Wickedness) and other partners that it may from time to time designate. The team then lets fans know its site will place cookies and Web beacons on their computers and collect all sorts of information. So, with all that, the Mets know who their fans are, where they work, when they are not working but checking out the ball scores, and the equipment they are using.

Many would say "So what?" to all of this. And that indeed is the argument against privacy altogether. No harm is done; the visitor receives something he presumably values, and there is nothing shameful in the information disclosed.

But this argument debases the value of information, including most importantly the value of the information that companies and individuals do feel is worth protecting. It is akin to saying that taking a dollar or two out of the cash drawer is no big deal. How much money is too much? How sensitive must data be to be too sensitive to disclose?

Lessons to be learned

There are significant lessons for those whose job it is to ensure compliance with privacy rules and legislation.

  • The same employees who are insouciantly using company-owned systems to view seemingly harmless websites are creating a culture that undervalues information. This attitude must be combated with clear statements of what is and is not acceptable with regard to the use of company systems and to information about the company and its employees.

    People will, to be sure, still follow the fortunes of their favorite teams, but if they are urged to check privacy statements and understand what they are doing, security and privacy overall will be enhanced. They should be taught to look for terms like cookies, Web beacons or third parties and be given a simple explanation of what those things are and why they are important.
  • This need not be a wholesale awareness program. Many companies use content filters to prevent employees from surfing dangerous, immoral or resource-consuming websites. If, on a random basis, the filter were tuned to look for more innocuous sites (such as baseball team websites), individuals could be identified and spoken to. The objective of reaching out to individuals is not to chastise them (tone is all-important) but to educate. The message should be that management is concerned not about a few innocent minutes spent on the Web but about the security and privacy of information. That word will get around: Information security and compliance professionals should learn to use viral marketing.

  • These same professionals should educate themselves on the scope of this very particular form of data leakage. The scope of the information being freely disclosed about their personnel and, by extension, their organizations, should cause some investigation, if not alarm. It is impractical to ban all external Internet access and it is likewise impossible to track the business nature of every website accessed. But they can be on the lookout for indications that some information has fallen into the wrong hands. These signs might include certain employees receiving unsolicited recruiting calls, vendors targeting specific managers or, worst of all, information about individual employees being used without their approval.

  • Finally, everyone should give some serious thought to the value they receive by blithely giving away personal information. How many social networks, blogs or email services is one too many? If each person had to spend actual money on a Web service, would he or she pay it? And if so, how much?
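The random, educational filter review suggested above can be expressed as a small log-analysis routine. The following is an added example, not code from the original article or from any particular filtering product: it parses a few constructed proxy log lines, counts each user's visits to a hypothetical "innocuous leisure" domain list, and draws a reproducible random sample of users for an outreach conversation. The log format, domain names and user names are all made up for the example.

```python
import random
import re
from collections import defaultdict

# Constructed sample proxy log lines in a made-up "timestamp user method url status" format.
SAMPLE_LOG = """\
1714650000.123 alice GET http://www.example-ballclub.test/scores 200
1714650001.456 bob GET https://intranet.corp.test/timesheet 200
1714650002.789 alice GET http://www.example-ballclub.test/privacy 200
1714650003.012 carol GET https://video.example-stream.test/watch?id=1 200
1714650004.345 dave GET https://www.example-news.test/ 200
1714650005.678 bob GET http://www.example-ballclub.test/roster 200
"""

# Hypothetical "innocuous leisure" category; a real deployment would take this
# from the content filter's own category database rather than a hand-written set.
LEISURE_DOMAINS = {"www.example-ballclub.test", "video.example-stream.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^https?://([^/:?#]+)")


def parse_log(text):
    """Yield (user, host) for each well-formed line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h = HOST_RE.match(m.group("url"))
        if not h:
            continue
        yield m.group("user"), h.group(1).lower()


def leisure_visits(text, domains=LEISURE_DOMAINS):
    """Count visits to leisure-category hosts per user; users with no such visits are absent."""
    counts = defaultdict(int)
    for user, host in parse_log(text):
        if host in domains:
            counts[user] += 1
    return dict(counts)


def sample_for_outreach(counts, k, seed=None):
    """Pick up to k users at random for an educational conversation.

    The selection is deliberately random (not "top talkers") so that the
    outreach reads as awareness, not discipline. Recording the seed lets an
    auditor reproduce the draw and confirm nobody was singled out.
    """
    rng = random.Random(seed)
    users = sorted(counts)          # sort first so the draw depends only on the seed
    return sorted(rng.sample(users, min(k, len(users))))


if __name__ == "__main__":
    visits = leisure_visits(SAMPLE_LOG)
    print("leisure visits per user:", visits)
    print("users selected for outreach:", sample_for_outreach(visits, 2, seed=7))
```

Only the count and the sampled user list leave this routine; the URLs themselves are not retained, which keeps the review itself from becoming another store of browsing habits.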

Steven J. Ross, MBCP, CISSP, CISA, is founder and principal of Risk Masters Inc. Write to him at
