Privacy panel explores responsibilities and pitfalls associated
with the handling of consumer information
Photo: Sharing their views on privacy issues, panelists included (l to r) Barb Fitch, 2nd vice president, market conduct and practices, National Life Insurance Company; Kirk Herath, associate general counsel & chief privacy officer, Nationwide; and Stefan Keller, president, Business Information Group (BIG).
One of the hottest issues facing business today is the question
of consumer privacy. In information-intensive areas such as insurance,
financial services and medicine, privacy has become a central concern
at the operational level – especially since violations can
carry a heavy price tag in terms of fines, lost customer confidence
and plain old bad press.
Understandably, the issue of protecting the privacy of our customers
was ripe for panel treatment at the 2005 Nashville Exchange. Panel
members included Stefan Keller, president, Business Information
Group (BIG); Kirk Herath, associate general counsel & chief
privacy officer, Nationwide; and Barb Fitch, 2nd vice president,
market conduct and practices, National Life Insurance Company.
Rich McGee, director, New York Life Insurance Company, moderated
the panel and helped to guide the discussion.
Navigating FCRA
Keller, whose company consults on a broad range of consumer reporting
and privacy issues related to the financial services industry,
noted that the definition of a consumer reporting agency that would
fall under the jurisdiction of federal law can be broad indeed.
Any organization that collects and sells information is considered
a consumer reporting agency from a regulatory standpoint, including
credit bureaus, employee background checking firms and the like.
As such, these entities are subject to the regulatory oversight
and governance of the Fair Credit Reporting Act of 1970 (FCRA).
“The FCRA defines what can be collected and how long it
can be kept,” said Keller. “In addition, you need to
have a clear reason for requesting information, such as employee
background checks. The guidelines are very specific and they also
apply to companies doing background checks on potential agents,
even though agents are not technically employees.”
Under the FCRA, a number of conditions must be met in order to
comply with the applicable rules:
- Notice and choice – The reporting agency
must obtain a release authorization and provide the individual
with a disclosure concerning what information is being collected
and how it will be used and that the information will be used
only for the purpose requested. The individual then has a right
to refuse the release of information, understanding, of course,
that this may have an impact on a job or credit application.
The end user who receives the information from the consumer reporting
agency must also certify that it will follow privacy regulations.
- Consumer access and dispute resolution – The
consumer must have the right to request a copy of the information
on file at any time, essentially ‘open access.’ Also,
prior to an adverse action decision, the consumer must be mailed
a copy of the report and contact information.
One area that the FCRA does not directly address is security
and data integrity. However, other legislation – such as
the Gramm-Leach-Bliley financial services modernization law – does
require specific actions by organizations that gather
and deal in consumer information.
“Data security controls cover a range of issues involving
people contact with sensitive customer information,” said
Keller. “This can include mandatory confidentiality agreements
for all employees and vendors as well as limiting access to a carefully
controlled list of internal and external individuals. There also
needs to be a system of active auditing to ensure compliance, including
email monitoring and tracking audits.”
A number of physical (non-system) controls also help ensure the
security of sensitive information, including controlled access
to physical facilities, ‘clean desk’ policies, shredding
policies, visitor escorts and photo IDs for all employees.
“Organizations should keep in mind that your trash can be
the source of your greatest vulnerability,” Keller said. “You
would not believe the number of data security breaches that can
be traced back to someone ‘dumpster diving’ through
an organization’s trash.”
Audit and compliance tips
Kirk Herath of Nationwide offered some tips regarding privacy
audits and compliance monitoring.
“There are a variety of things you can do to assess how
well you are doing in the area of information management and security,” he
said. “You can do straight audits of your information security
process on a periodic basis. Keep in mind also that market conduct
exams can be very rich in data. At Nationwide we are also very
big on doing periodic self-assessments of how well we’re
doing. And, of course, third-party assessments are also an option.
There are a lot of providers and consultants out there who are
highly skilled at doing privacy and data security assessments.”
Herath also suggested turning to the American Institute of Certified
Public Accountants (AICPA) Privacy Framework as a guidance model
for privacy management. The AICPA model encompasses 10 key principles:
- Management – A commitment
by the organization to assign accountability for maintaining
the security of sensitive information.
- Notice – The
entity must make a public notice of its privacy management policies.
- Choice and consent – The
entity clearly describes the options available to individuals
to opt in or out with regard to the collection, use and disclosure
of personal information.
- Collection – The
organization collects information only for the purposes identified
in the notice process.
- Use and retention – The organization
limits the use of personal information to the purposes described
to the individual and with the individual’s explicit awareness
and consent.
- Access – The entity provides
individuals with free access to their personal information.
- Disclosure – The entity discloses information
to third parties only for the purposes identified in its notice
process and with the individual’s explicit consent.
- Security – The organization protects
the individual’s information against unauthorized access.
- Quality – The
organization maintains accurate, complete and relevant personal
information for the purposes identified in its notices.
- Monitoring and enforcement – The
entity monitors compliance with its privacy policies and procedures
and maintains procedures to respond to privacy complaints and
concerns.
“Part of the self-assessment process is knowing your business
units,” Herath said. “Know the singularly accountable
persons (SAP) in your business units and functions. Conduct business
unit self-assessments to gain granular insight into privacy practices.
Then, meet regularly with business unit SAPs to make sure you are
all on the same page.”
Herath also suggested broadening the data security structure by
forming partnerships with Internal Audit, Data Security, Compliance
and Customer Relations.
“Leverage the other work and knowledge of the business that’s
out there in your organization,” he said. “Remember
that auditing and monitoring on an ongoing basis are the only ways
you can ensure the security of your data and compliance with privacy
regulations.”
Surviving a privacy exam
Barb Fitch offered some sage advice regarding how to survive a
privacy exam, based on her own company’s experience with
an intensive and invasive privacy survey process conducted by the
District of Columbia in 2002.
“This was a so-called ‘desk exam’ kicked off
in January 2002,” Fitch said. “D.C. was the lead jurisdiction,
but ultimately there were 18 states involved.”
PricewaterhouseCoopers conducted the actual exam, with more
than 200 companies participating. Costs were incurred by
each participant, with initial billings of $30,000 per company.
The tool was a 100-question questionnaire focusing on privacy
policies and procedures; its purpose was not to determine whether
the company was in violation.
Central to the survey was an assessment of each company’s response
to, and approach to, privacy management.
“What you need to do is pull together all appropriate parties
and read the documents very carefully,” Fitch said. “Look
at the IT certification programs your company has in place. Business
areas must write responses covering the management of sensitive
consumer information and those responses should be reviewed by
a non-IT person to ensure that they make sense. You need to at
the same time be both simple and detailed.”
Fitch offered other helpful privacy hints. One covered the production
and management of mandatory privacy notices, which can multiply
rapidly within organizations that have many functional units.
“Consolidate them whenever possible so that you don’t
have scores of different notices all saying substantially the same
things,” Fitch said. “Keep a chart to document the
different versions and distribution dates. And automate wherever
possible.”
Fitch also recommended having a good general understanding of
your company’s IT structure before an exam takes place. Allow
ample time to develop a response and expect a long wait to receive
a draft report from the examining agency, if at all. Check any
report you receive for errors or for information provided but not
acknowledged by the examining body.
“Finally, address any areas that you know or suspect may
be a potential risk before an exam happens, such as the potential
for employee security breaches or lack of encryption of your email
system,” Fitch said.
Photo: Rich McGee, director, New York Life Insurance Company, moderates the privacy panel.
CONTACT INFO
Barbara Fitch
National Life Insurance Company
802.229.3112
Email: bfitch@nationallife.com
www.nationallife.com
Kirk Herath
Nationwide
614.249.4420
Email: herathk@nationwide.com
www.nationwide.com
Stefan Keller
Business Information Group (BIG)
800.369.2612, Ext. 2003
Email: skeller@bigreport.com
www.bigreport.com
Rich McGee
New York Life Insurance Company
212.576.6745
richard_e_mcgee@newyorklife.com
www.newyorklife.com