7 Reasons Why Your Company Needs a Privacy Policy

Posted by Aaron Titus on March 9, 2010 · Leave a Comment

Like Phones, Privacy Policies Should be Easy to Use, with a Complex Infrastructure

Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what normal people say in 300 and a handshake. At the risk of defending verbosity, it turns out that behind each handshake contains a wide range of non-standard assumptions. Many (if not most) disputes arise when there is a misunderstanding about an unspoken assumption—the meaning of a word, or silence on a particular issue. That’s why it takes lawyers so many words to say something so simple; simple things are more complex than we thought.

Consider the telephone—an elegant piece of equipment which is exceedingly easy to use. Yet the infrastructure and technology supporting telephony and networking is extremely robust and complex. Consumers pay the telcos to worry about the millions of miles of copper and fiber, routers, substations and central offices. The infrastructure isn’t a “necessary evil,” it’s just necessary.

Filed under Blog, Security Catalyst Contributors · Tagged with Aaron Titus, compliance, Privacy Policies

How to Avoid a Legal 500 Error With Your Privacy Policy

Posted by Aaron Titus on February 12, 2010 · Leave a Comment

Avoid a Legal 500 Error. Debug your legal documents.

Avoid a Legal 500 Error. Debug your privacy policy.

Legal Programming

By Aaron Titus

I’m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um practice. OK, I may not be a Ruby all-star, but I could be if I wanted to. Likewise, you can do anything for yourself that an attorney can do for you, including writing legal documents. Lawyers just happen to have knowledge, skill, and training. And if I wanted an iPhone app, I’d talk to a programmer. If I wanted legal documents, I’d talk to a lawyer.

In fact, lawyers are programmers. Writing legal documents—like privacy policies—is just like writing code.

Filed under Blog, Security Catalyst Contributors · Tagged with Aaron Titus, Law, privacy, Privacy Policies

The Three Elements of Action

Posted by Aaron Titus on January 12, 2010 · 1 Comment

Yawn Your meeting was supposed to last just 45 minutes, but the first 35 have been devoted to the first agenda item. Most eyes have glazed over and you are the only one speaking. Just as tired as everyone else you say, “OK, so we all agree that we’re going to do that?” Hearing no objection, you move on to the next subject.

You are relieved to move on, but don’t be surprised when you have to rehash the same subject at the next meeting. Do not mistake movement for progress; your discussion was an utter failure because it lacked the fundamental element to any progress: An Action Item.

Every action item is comprised of three things:

A Person
A Deliverable
A Date

Absent one of these three things, a decision is not an action item. It is a wish. All would-be “action items,” “goals,” or “decisions” which fail to include one or more of these components were a waste of your breath and their time. Action items must be clear, measurable, and have accountability. Unless you want to rehash the same issue at the next meeting, never walk away without identifying a person, a deliverable and a date for each action item, regardless of the subject matter. Let’s analyze some would-be “action items” from actual meetings:

Assignment 1: “Development of a power point presentation to train staff.”

Person	None.
Deliverable	A powerpoint presentation. However, the subject matter of the presentation is not clear in this context.
Date	None. This presentation will never be late, because it’s never due.
Outcome	Inaction. This is a wish, not an action item.

Assignment 2: “Staff will take decisive action aimed within the next 30 days at having the new privacy policy ready to be trained upon.”

Person	Nobody, or more specifically, everybody. Note the excessive use of passive voice. An action assigned to everybody is nobody’s responsibility.
Deliverable	None. If you can tease a deliverable out of this, you deserve a raise. What exactly does “decisive action” and “ready to be trained upon” mean?
Date	30 Days. However, this date doesn’t mean much because there’s no deliverable or assignment.
Outcome	Inaction. This is a wish, not an action item.

Assignment 3: “Jane Davis should work with the Communications Department to discuss the issue of posting the entire training program on the website for free downloading to all visitors.”

Person	Jane Davis.
Deliverable	Hold a discussion with the Communications Department. Although they probably intend for Jane to post the training program, her only assignment is to have a discussion. It might have been written better, “coordinate with the Communications department to post the training program in by the end of the month.”
Date	None.
Outcome	Inaction. This is a wish, not an action item.

Assignment 4: “Kevin Jones will identify key end-users, such as educational and other relevant organizations, and develop a database of end-users, by the end of January.”

Person	Kevin Jones.
Deliverable	Database of end-users. Of course, with this responsibility, Kevin must also have the authority and resources to execute the assignment.
Date	January 31st.
Outcome	Action. This is an action item.

The three components of action are a person, a deliverable, and a date. Here’s your assignment: Next time you lead a meeting, don’t rest until you identify the three elements of action for every assignment. It’s the single most effective thing you can do to shorten meetings and avoid rehashing the same issue again in the future.

So let’s evaluate my assignment:

Person	You.
Deliverable	Require a person, deliverable, and a date for every assignment you make.
Date	Your next meeting.
Outcome	Shorter, more effective meetings, happier employees, and real action. This is an action item.

Filed under Blog, Security Catalyst Contributors · Tagged with Aaron Titus, action, catalyst, privacy

6 Things Every CEO Should Know About Privacy Policies

Posted by Aaron Titus on December 21, 2009 · 1 Comment

Privacy Policies and Practices are like Ying and Yang. Image under license from stock.xchange.

Writing a privacy policy is a careful balance: Being realistic about what you can perform, protecting and instilling confidence in your customers, facilitating business growth and adaptation, complying with law, and above all, being honest.

Your privacy policy and security practices are the subject of federal, state and international laws, as well as FTC regulation. The FTC regulates unfair and deceptive consumer practices, and has a history of privacy policy enforcement actions. In fact, it is currently hosting a series of “Privacy Roundtable” discussions, focusing on behavioral advertising, social networking, mobile marketing, data aggregation and correlation, data brokering, cloud computing, and other now-common practices.

With increasing scrutiny on privacy policies and practices, here are six things every CEO should know about their company’s privacy policy.

Be Honest

Your mamma was right: Honesty is the best (privacy) policy. Be up front about what you do (or may do in the future) with your customer’s personal information. Many privacy policies make one of three “honesty” mistakes: 1. Over-Promising, 2. Under-Promising, 3. Omission. Each carries liability, so it is better to avoid any of the three.

Don’t over-promise. Your company may be held responsible for the representations in your privacy policy. Look out for phrases like “state-of-the-art,” “everything in our power,” or “our highest priority.” If your company really does use “state-of-the-art” technology to protect privacy, good for you. But you probably don’t, so be honest about it. While you may think that such phrases are just feel-good fluff, the FTC has brought actions against companies who fail to provide the state-of-the-art consumer protections they promised, even though they used otherwise reasonable practices.

Don’t under-promise. FTC guidelines and many state laws require that your company takes reasonable and appropriate measures on a case-by-case basis. It may be tempting to try and disclaim all duties to protect your customers, especially if you’ve had a breach. But this approach has pitfalls. First, it is impossible to disclaim all duties to your customers’ privacy. Second, you may scare away potential customers, or invite scrutiny (as Facebook well knows). Third, FTC actions have indicated that businesses cannot take a “wait-and-see” approach to consumer privacy. Instead, companies have a duty to act reasonably and detect problems before they cause loss, particularly if the they have made privacy promises to their employees or customers.

Tell the whole truth. Another temptation is to remain conveniently silent on a privacy issue you’d rather not talk about. This is also a risky strategy, because state laws (such as California, Texas, and soon-to-be Massachusetts, to name a few) impose specific disclosure requirements. Whether or not required by law, failure to disclose important privacy practices can spark FTC enforcement action as a deceptive consumer practice.

Be Complete & Conspicuous

Aside from potential FTC action, California law requires any company which holds personal information about a Californian to identify the types of information it collects about customers, explain how the consumer may change or update the personal information, and identify an effective date. The law also imposes an affirmative duty to disclose whether information will be disclosed to third parties for marketing purposes. California law also requires that a link to your company’s privacy policy be conspicuous. Most of the time, a link from the home page or in the footer will be sufficient.

A privacy policy is legally compliant when it addresses all of the various legal and regulatory requirements, but it is only complete when it addresses the full range of your unique business practices. For some organizations, that may be broader than you think. For example, a typical University engages in educational, financial, healthcare, network provider, non-profit, and goods and services activities on behalf of their students. That’s why there can be no such thing as a “boilerplate” privacy policy.

Privacy Policy Must Reflect (Changing) Practices

Like Ying and Yang, privacy Policy and Practice are complementary and inseparable. One consistent pattern of FTC actions is that updated information security practices are necessary to protect consumers’ privacy. As FTC guidelines indicate, “Good security is an ongoing process of assessing risks and vulnerabilities… Your business practices and privacy policy must be consistently updated to reflect current best practices and available technology.”

Get it Right the First Time

Even though your privacy policy must adapt to changing business needs, privacy policies cannot be retroactively modified. This issue is important in the following scenario: Suppose that your company decides it wants to sell customer personal information to marketers, but your privacy policy states that personal information “will not be shared with third parties without [customers'] explicit consent.” Changing the policy to allow you to sell personal information may apply prospectively, but new policy provisions will not apply to existing customers, without their consent. This can even apply to a transfer of personal information in a bankruptcy proceeding.

That’s why it’s important to get it right the first time. Your company’s privacy policy must allow you enough wiggle-room to adapt to future conditions, be complete, and still protect your customers. If you need to materially change your policy, make sure that you have the infrastructure to determine which version of your policy applies to which customer. It matters.

If You Say it, Do it

We’re all familiar with the Miranda phrase, “anything you say can and will be used against you …” by the FTC. If you make a representation in your privacy or security policy, you’d better be able to live up to it. FTC enforcement actions demonstrate that website owners must adhere to any statements of privacy or security, whether the statement is made online or offline.

Each representation about privacy or security is treated as a “privacy promise.” Feel-good marketing fluff does not belong in a privacy policy, because even “fluff” can create duties or liability, even if the duty is not required by law. Explicit security-related promises (such as a promise to use “state-of-the-art technology”) requires that the company take affirmative and ongoing steps to ensure that sufficient security is provided.

For example, in 2004 Gateway Learning Corp found itself the target of an FTC Deceptive Practice enforcement action for renting its customer list to marketers, even though their privacy policy said they wouldn’t. In recent years the FTC has taken similar action against Eli Lilly & Co., Microsoft, Guess, Inc., Tower Records, and Petco.com to name a few.

If your privacy policy says it, then do it.

It’s Your Business

As a soon-to-be attorney, I can say * that you should have a lawyer review your privacy policy. Lawyers help the privacy policy comply with legal and regulatory requirements, but it’s your responsibility to make sure that the policy is complete. In fact, I would go so far as to say that 30% of a privacy policy is compliance, and the other 70% is completeness.

If those numbers are any indication, they mean that your privacy policy should have 70% of its input from the Customer Service Department, the Accounting Department, Sales, Marketing, and perhaps even R&D. Without their feedback it will be impossible to document your important privacy practices and create a complete privacy policy. Privacy policies are not legalese and magic words. They are a blueprint of vital business processes. There is one sure way to get in trouble: Relegate your privacy policy to the legal department, and fail to get cross-departmental participation in its drafting. Banishing your privacy policy just to the lawyers may get you in trouble because the end result may be compliant, but incomplete And ironically, an incomplete privacy policy is a non-compliant policy.

Take Charge

As a CEO, COO, or Managing Director, you should do three things:

First, read your privacy and security policy. If it confuses you, it will confuse your customers. If it confuses your customers, it might be interpreted as deceptive by the FTC.
Second, make sure you can live up to your privacy policy. Watch out for buzzwords like “state-of-the-art,” “everything within our power,” “always,” and “never.” Make sure that you haven’t painted yourself, your customers, or your employees into a corner.
Third, update your privacy policy to reflect your business practices, or update your business practices to match your policy. Being honest and complete about your business practices is tough work, but will pay dividends long-term.

* No bias, and a healthy dose of sarcasm. In this case the author wishes to think of his opinion on the lawyers as an expert opinion rather than a biased one. In the author’s experience, there is occasionally little difference between “expert” and “biased” opinions.

Filed under Blog, Security Catalyst Contributors · Tagged with privacy

Privacy Commons for Government

Posted by Aaron Titus on October 1, 2009 · 2 Comments

by Aaron Titus

“Unconferences” (hat tip to identitywoman) are great opportunities to network, gather and share information. They attract bleeding-edge leaders on emerging problems and technologies. My most recent unconference was Congress Camp 2009, organized by the Open Forum Foundation. The gathering focused (broadly) on social networking tools and Web 2.0 for government. It was well attended by advocates who want to reach Congress, and over-worked hill staffers who use IE6 and must cope with information overload. We also got a preview of GovLuv.org. If you have an interest in social networking and government, I highly recommend looking at some of the blog articles.

Filed under Blog, Security Catalyst Contributors · Tagged with Aaron Titus, Congress Camp, Government, privacy, Privacy Commons

Dear Legitimate Companies: Stop Acting Like Phishing Rings

Posted by Aaron Titus on September 8, 2009 · 3 Comments

Danger Wrong Way Turn Back by Aaron Titus

As a privacy and consumer advocate, it ruffles my feathers when otherwise legitimate companies force the public to disregard common-sense online safety practices in order to use their services. Among the many safety tips are:

Only give confidential personal information to people you affirmatively contact, never to anyone who spontaneously contacts you.
Don’t click on URLs in unsolicited e-mails.
If you want to click on an e-mail link, never click “dishonest” links – links that don’t match the displayed URL.

Bad Practices

American Student Assistance (ASA) is a non-profit organization which helps students keep track of their student loans. It’s also an example of a legitimate organization with some irresponsible privacy practices.

Earlier this year I received an unsolicited e-mail from the ASA. I had never heard of the ASA, but the e-mail insisted that they were “the guarantor of [my] federal student loans.” To this day my bank has not introduced me to the ASA. Of course, this spontaneous contact from an “authoritative” organization made me suspicious. Red Flag 1: Unsolicited e-mail claiming to be from an authoritative source.

The letter instructed me to follow a link to log in with my FAFSA PIN. I was also notified that I have a “Profile,” and was invited to Update my profile by clicking on a link. The link took me to an insecure and unbranded website which automatically filled out my name, e-mail address, and indicates that I have been opted-in to receive a newsletter. Red Flag 2: Unsolicited authoritative e-mail, requesting that you “log-in” using sensitive information on an unsecured, no-name server. Spam newsletters are a bonus.

But before clicking on the links, I moused over each of them to see where they led to. A link which purported to go to “www.amsa.com/bor” actually links through “http://click.email-asa.org/?qs=33c40ef691b275c8d3b7e7d0430ce34d0980241c6c7eb313b745465bb515d8d5″. In fact, each of the eight links in the e-mail were “dishonest,” in that the actual URL was different from the displayed URL. Red Flag 3: Dishonest links.

This e-mail screamed “Phishing Scam,” so I called the toll-free phone number listed in the e-mail. A woman answered the phone. She immediately asked for sensitive personal information. I gave her my first and last name, but refused to give her any additional information since they had contacted me and I had no way to verify who they were. Red Flag 4: Unsolicited third party requesting personal information over the phone.

ASA’s Privacy Policy contains the following promises:

We do not disclose any nonpublic personal information about you or our other current or former customers, except as permitted by law…. We restrict access to nonpublic personal information about you to our employees, contractors, and agents who need to know the information in order to provide service to you…. We maintain physical, technical, and administrative safeguards in compliance with federal regulations to safeguard your nonpublic personal information. (Accessed August 27, 2009.)

But ASA’s privacy policy didn’t translate to privacy practices. After I refused to share personal information the lady on the phone asked, “Is your name Aaron [X] Titus, or Aaron [Y] Titus?” Uncomfortable, I replied, “Aaron [X]…” She asked for my date of birth. When I refused to give it to her, she read it to me over the phone. When I refused to give her my address, she repeated my full address including street, number state and zip code. She told me which school I attended and that she had access to my social security number on her screen. Red Flag 5: A representative sharing sensitive personal information over the phone without first authenticating.

Since I had no idea who this organization was I asked, but never got a straight answer. She and her supervisor variously described the organization as a “government agency,” “not a government agency,” “a non profit government agency,” and a “non profit organization which receives federal funds.” They relied on some relationship with the federal government to gain credibility. Red Flag 6: A fishy and inconsistent story designed to earn your trust.

My Advice: Quit it

After filing a complaint with the company, I talked with ASA’s Privacy and Compliance Director, Betsy Mayotte. Ms. Mayotte was kind enough to apologize for the behavior of her organization, and convinced me that the ASA is a legitimate organization, albeit one with uneducated and dangerous privacy practices. Apparently the representative was re-trained. But they did not plan to change anything else.

The dishonest links were designed to measure click-throughs: A common marketing practice. The unbranded and insecure server which asked me to update my “profile” was the result of bad practices, laziness or poor training. The other blatant violations of their privacy policy and outrageous behavior by the representative was more of the same.

I wish I could say that this is an unusual event. But unfortunately I’ve seen similar behavior by my bank, and even former employers. When legitimate companies force consumers to be irresponsible, the online public becomes irresponsible. Forcing consumers to ignore common-sense safety practices may save you a buck in the short run, but they make your customers irresponsible and erode overall online public safety. So here’s my advice to legitimate companies who behave like phishing rings:

Quit it.

Seriously, stop training the public to be irresponsible. If you want to track click-throughs for an e-mail marketing campaign, set up a virtual redirect on your main server. If you got sensitive personal information through a third party, make sure to have that third party introduce you to the customer. Don’t send unsolicited e-mail, and don’t cold-contact potential customers to request that they share personal information. Once and for all, encrypt your website. If your marketing department isn’t all that tech-savvy, hire someone who is. Train your customer service representatives never to give out personal information without first authenticating the identity of the person on the other end of the line.

Privacy policies are not just legal boilerplate which you can write and forget. Make sure that your privacy policy matches your privacy practices. This means that your customer service representatives should be as familiar with it as your general counsel.

Filed under Blog, Security Catalyst Contributors · Tagged with consumer advocate, security

Creative Commons for Privacy

Posted by Aaron Titus on July 7, 2009 · Leave a Comment

Privacy Bar Camp DC

Image based on Three Poppies by Federico Ferrari.

by Aaron Titus

In late June, 2009 I attended the Privacy Bar Camp DC (Twitter: @PrivacyCampDC) organized by Shaun Dakin with support from the Center for Democracy and Technology, and conducted at the Center for American Progress. I confess that I attended primarily to aid my job search (psst… that was a shameless, self-promoting plug), but ended up having a great time. Bar camps have an ingenious format which promotes a high degree of participation, interaction, and brainstorming. They have nothing to do with a state legal bar, nor camping. And the genius is, they don’t have an agenda. Read more

Filed under Blog, Security Catalyst Contributors · Tagged with Aaron Titus, conference, privacy, privacy bar camp, Privacy Commons, Privacy Policies

Your Data Self

Posted by Aaron Titus on May 25, 2009 · 3 Comments

by Aaron Titus

Georges-Pierre Seurat was a 19th century French painter credited with starting Neo-impressionism and developing a painting technique called “pointillism.” His famous painting, La Parade, contains the detail on the right: A complicated series of blue, orange, pink, red, black, and yellow dots that together create a man’s profile.

This detail is the single best visualization of your “Data Self” I have seen. Your Data Self is a collection of your credit report, Facebook page, Google results, Bank account numbers, archived e-mails, and an endless parade of other data. Like pointillism techniques, which juxtapose contrasting dots to create vibrant masses of shaded tones, each piece of personal information is a single dot. Perhaps one is your address, your middle name, your pet’s name, or your favorite color. Maybe some represent your family, and others represent your friends or religious beliefs. Some represent your travels, magazine subscriptions, and purchase habits. Still others are intimate thoughts.

Taken individually or in small groups, they do not mean much- they may even seem to contrast or contradict one another. But all together they form your profile, or Data Self: A pretty good, but not 100% accurate representation of who you are. And this profile is exactly what data brokers, government actors, and marketers (among others) are trying to determine.

We leave trails of dots as we interact with others, especially online. As Gregory Conti, a computer science professor at the United States Military Academy at West Point, explained, “Free Web services aren’t free. We pay for them with micropayments of personal information.”

Since your Data Self is a digital alter-ego, with the power to enter contracts, grant access to your financial assets, have surgery, or commit crimes, you should actively shape and control access to your Data Self.

Hat tip: Daniel Solove

Filed under Blog, Security Catalyst Contributors · Tagged with Add new tag, Data, data self, security

Why You Have Something to Hide

Posted by Aaron Titus on April 20, 2009 · 1 Comment

by Aaron Titus

If you have nothing to hide, why do you need privacy? This question, famously attributed to the McCarthy era, has gained currency again in this era of terrorism and national security. The question implies that privacy is a form of dishonesty, that the things people want to hide are the very things others should know about.

I admit that I bristle every time I hear someone say, “You have nothing to worry about if you have nothing to hide.” Baloney. I have everything to hide! When someone says, “I have nothing to hide,” it’s simply not true. What he really means is, “I have nothing to be ashamed of,” which may be true. But shame is only one, limited reason for confidentiality. Confidentiality is not an admission of guilt.

I have much to hide, for one simple reason. I cannot trust people to act reasonably or responsibly when they are in possession of certain facts about me, even if I am not ashamed of those facts. For example, I keep my social security number private from a would-be criminal, because I can’t trust that he’ll act responsibly with the information. I’m certainly not ashamed of my SSN. Studies have shown that cancer patients loose their jobs at five times the rate of other employees, and employers tend to overestimate cancer patients’ fatigue. Cancer patients need privacy to avoid unreasonable and irresponsible employment decisions. Cancer patients aren’t ashamed of their medical status—they just need to keep their jobs.

A person may share intimate secrets with an ecclesiastical leader that they would keep private from parents, because they fear the parents may not act reasonably or rationally when presented with the same information. During World War II, the government acted unreasonably and irresponsibly with Census data about the location of Japanese-American citizens. Privacy from government entities is paramount.

In addition, can you imagine how much damage you would impose on innocent people if you spoke every thought that came into your head? Or if doctors, lawyers, and accountants disclosed everything they knew about you?

The need for privacy is the recognition that most individuals, organizations, or institutions cannot be trusted to act reasonably, responsibly, in the best interest of the person, or in the best interests of society, when in possession of certain types personal information. Humans are biased. We have limited cognitive and analytical abilities, and never know all of the facts. We are infamously poor judges of character. We change our minds, and come to conflicting conclusions. So, the next time someone asks whether you have something to hide, do not hesitate to say, “Yes, of course I do.”

Filed under Blog, Security Catalyst Contributors · Tagged with confidentiality, privacy, trust

The Security Catalyst