The internet age has revolutionized how organizations communicate, publish and find information. While this technology has created new opportunities for global communication and commerce, it has also created new challenges in risk management.
With the rush to put information online, many organizations have fallen prey to the exponential growth of web-based electronic information. The volume of information now available on corporate web sites, internal intranets and networks has increased dramatically, and is also provided by multiple content contributors in multiple forms and languages. This makes online risk management a critical component of any successful online business strategy.
For consumers, the privacy of their personal information is one of the most important technological issues they face today. Through online technology, consumers now have more personalized and customized services than ever before. With these services, however, the potential for misuse of personal data has increased. The fear of privacy loss has made many consumers reluctant to provide personal information online, and is hurting ecommerce globally. With poor online privacy practices, many companies will experience negative effects, not only on online sales, but also in off-line sales that shift to more privacy-sensitive competitors. How do you know if your organization is at risk? If your organization has a website that collects personal information from consumers, or provides online services to consumers, you are at risk.
Organizations must identify and manage online privacy and risk issues to ensure regulatory compliance, and to earn and retain customer trust. Failing to comply with regulatory requirements may result in massive negative media attention, large fines and penalties and have a negative effect on an organization's image and brand. While more and more companies are recognizing the importance of an online privacy risk management strategy, many of those companies get a sense of false security by scanning their websites for privacy issues once a year, or even worse, only when the site is first developed and implemented. Websites should be monitored continuously and automatically to ensure regulatory compliance 365 days per year.
The first step in a successful online privacy risk management strategy is to state exactly what methods you use to protect the personal information of a customer or visitor to the website. This is done through an organization's privacy policy. A privacy policy assists your visitors in understanding an organization's practices in capturing and distributing visitor and customer information that you may require site users to submit. Without a clearly documented privacy policy on your website, you may risk losing visitors wary of providing personal information, and you may also expose yourself to unnecessary risk of litigation.
While many organizations, both public and private, are mandated by privacy legislation that governs the collection, use, retention and distribution of personal information, this legislation varies greatly from country to country and can often be difficult to monitor and enforce. An online privacy best practices program provides a model that gives companies confidence in the proper collection, usage and protection of consumer's personal data, while also allowing consumers control over their personal data.
An online privacy risk management strategy should give an organization the ability to view policy implementation from a project management perspective, which will enable the allocation of resources appropriately across an organization and track site progress, as well as identify problem areas so action items can be assigned against them. A good privacy strategy should also provide the ability to integrate testing into any quality assurance and content delivery processes associated with existing web development and deployment practices. And finally, a user should be able to keep a historical view of their testing over time, which provides a great way to measure the progress of a project and set goals for the future.
An adequate privacy compliance program should consist of the following steps:
· Obtain commitment and support from senior management
· Delegate responsibility to a privacy official
· Conduct inventory of current privacy practices
· Develop privacy policies and procedures
· Educate employees on privacy policies and procedures
· Implement and monitor the privacy compliance program
· Automatically and continuously monitor web sites for privacy compliance
Organizations must perform regular self-assessment audits to verify that their privacy policy is accurate, comprehensive, prominently displayed, correctly implemented, communicated and accessible. Organizations should work with third-party testing programs that will provide oversight to the organization's privacy program. An effective privacy monitoring program should include detailed reporting capabilities that scan online properties continuously and automatically throughout the year, enabling organizations to better mitigate risk and more easily identify, assign and track privacy issues for remediation.
For organizations with large websites, ongoing scanning for privacy issues is essential, as web pages are updated constantly, sometimes by different business units or outsourced to web design agencies that may not have communication with each other. Large organizations can have millions of web pages, making manual compliance impossible. Many serious privacy breaches have occurred through poor website standards. A privacy breach is a disaster for any privacy manager. The price that organizations pay when a breach becomes public can be catastrophic. On average, companies lose 2.1 percent of their market value within two days of a breach, which means an average of a $1.65 billion loss in market capitalization per incident. This does not take into account the losses that result from damaged brand and reduced customer trust.
If not controlled properly, websites can provide a major privacy weak point that can have dire consequences for an organization. Continuous web monitoring for privacy issues provides an excellent illustration of due diligence on the part of an organization. By implementing an automated and ongoing privacy scanning solution, organizations will be able to mitigate risk and ensure compliant web properties, while also ensuring their website visitors and customers that they are taking the proper measures to ensure all personal information is kept secure and private.
-Kurt Mueffelmann is president and CEO of HiSoftware.
