Privacy in a paperless world

As chief privacy officer (CPO) for E-LOAN Inc., Koleczek must ensure that the online lending giant properly safeguards corporate assets, customer information and employee data.

"Ultimately, we're in the business of trust," says Koleczek. "If customers lose faith in our privacy practices, we're in trouble."

As last year's parade of publicly disclosed customer data breaches has shown, privacy problems can make or break a business as it moves from traditional paper trails to electronic documents. Organizations that develop, clearly communicate and enforce their privacy practices will gain a leg up on the competition, according to Kokeczek.

Anecdotal data proves her point. E-LOAN is known for publicizing its privacy policies, and the company uses a mix of encryption and enterprise rights management (ERM) technology to safeguard information within its systems. Those efforts are paying rich dividends. Indeed, E-LOAN has emerged as one of the 20 most trusted companies for privacy in America, according to TRUSTe ( and The Ponemon Institute (, two organizations that promote best practices for information and privacy management. Not by coincidence, E-LOAN has originated and sold more than $26.7 billion consumer loans from its 1997 inception through June 2005.

Peace of mind

In the age of ecommerce and corporate compliance, it is essential for organizations to manage, control and archive their electronic documents safely. Equally important, companies must be able to retrieve specific electronic files when regulators, lawyers and other third parties make inquiries, notes Sanjay Anand, author of the best-selling book, The Sarbanes-Oxley Guide for Finance and Information Technology Professionals.

With these business requirements in mind, a lengthy list of companies -- including Adobe Systems Inc., Authentica Inc., Liquid Machines Inc. and Microsoft Corp. -- are developing enterprise rights management (ERM) solutions.

Plenty of companies are lining up to embrace these offerings. H&R Block Inc., for instance, will use Adobe's Intelligent Document Platform this spring to automate the employment application process for more than 100,000 seasonal tax pros. The solution combines Adobe's Portable Document Format (PDF) technology with the business logic and data capabilities of eXtensible Markup Language (XML). As a result, H&R Block can ensure document integrity and security as information moves within the enterprise and across third-party systems, according to Neil Shaw, chief architect for H&R Block in Kansas City, Mo.

Meanwhile, Microsoft continues to develop solutions that safeguard electronic documents. Three noteworthy technologies in this area include Windows Rights Management Services (RMS), Encrypting File System (EFS) and BitLocker, according to Dan Schiappa, Microsoft's general manager for Windows Security.

RMS, which is built into Windows Server, enforces policies that safeguard documents during all stages of creation or editing. It also protects content when it is in transit on a network. EFS protects files and folders on shared machines, whether they are local or remote. And BitLocker, which will ship with the forthcoming Windows Vista release, is a new encryption offering designed to protect notebooks, branch office servers and single-user systems.

RMS, in particular, is designed to enforce organizational policies digitally. Indeed, RMS allows users to determine who can open, modify, print, forward and/or take other actions with specific Office 2003 documents. RMS also protects data inside and outside the firewall, enforcing user policies regardless of where the document resides.

"It can also establish an audit trail to track who accesses, or attempted to access, rights-protected information," says Schiappa.

Meanwhile, independent software developers are building on Microsoft's RMS platform. In November, Liquid Machines of Waltham, Mass., for one, shipped a gateway that extends RMS secure-messaging capabilities to Research In Motion Limited's BlackBerry wireless platform. The gateway allows users to send and receive RMS-protected messages from BlackBerry wireless devices. Moreover, the software empowers users to set specific parameters for each message they send. For instance, senders can stop a message from being forwarded, printed or copied.

Authentica, Lexington, Mass., has also made a splash with ERM. The company develops software that safeguards Microsoft Office documents, Adobe PDFs, and content within email, both within and beyond the enterprise perimeter. The company's Active Rights Management platform allows users to change entitlements after a document's delivery.

"That's a critical capability," says Ed Golod, president of Revenue Accelerators Inc., a consulting firm that serves sales executives in New York. "If someone is promoted or demoted, their assigned rights to specific documents should change to reflect their increased or reduced responsibilities."

Authentica adopters include Riverview Hospital of Noblesville, Ind. The county-owned healthcare provider earlier this year chose Authentica's software to assist its efforts to comply with HIPAA (Health Insurance Portability and Accountability Act) and other privacy regulations.

"We're deploying Authentica's software to ensure that electronic [information] doesn't go where it's not supposed to go," says Michael Mover, chief technology officer at Riverview. "Authentica's solution will help us with HIPAA compliance, but it will also be useful as other security and privacy requirements under Sarbanes-Oxley or JCAHO (Joint Commission on Accreditation of Healthcare Organizations) audits begin to crystallize."

Longer term, vendors are developing software that allows multiple companies to easily share documents based on trusted relationships between users. Microsoft, for one, is developing federated identity management software for Active Directory. The technology is expected to ship in late 2006 or 2007.

In theory, federated identity management will allow users to input their name and password once to access multiple trusted services -- for instance, an online airline site and an online car rental site. The service providers, in turn, will be able to share secure documents and data pertaining to each customer across their respective enterprise networks.

In practice, however, federated identity management has had limited success in the marketplace. The Liberty Alliance, a consortium representing organizations from around the world, launched in 2001 to define standards for federated identity management. However, only a few federated identity management projects have gone live.

In the meantime, companies such as E-LOAN continue to ensure document privacy by leveraging the appropriate people, processes and technologies. CPO Koleczek, for instance, speaks weekly with the company's chief information security officer. She also works closely with other E-LOAN departments, such as HR, legal and finance, to ensure the company's privacy practices remain up to date.

"We all fear picking up the Wall Street Journal and reading about data that fell into the wrong hands," concludes Koleczek. "But we've decided to take a proactive approach, and I firmly believe our privacy practices are a differentiator in the marketplace."

-Joseph C. Panettieri has covered Silicon Valley and the business of technology since 1992.

There are lots of terms that define enterprise rights management. Here are a few worth noting:
Digital content protection (DCP): Cryptographic techniques that ensure data is accessible only via a trusted client.
Rights enforcement: Client software that grants access to protected data only to authorized users, and only with the approved mode (or modes) of access for a particular user.
Rights management: An administrative capability by which usage policies are translated into access rules, which are in turn used as the basis for rights enforcement.
Document security: A catch-all term for DRM protection that provides portable access control. In this context, portability means that the same access controls apply to copies of a document as to the original.
Protected electronic documents: These documents can be copied, but copies are no more accessible than the original. In contrast, unprotected documents can be re-distributed in unprotected form by any legitimate recipient.

Source: John Sebes, chief technology officer, Solidcore Systems, Inc.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.