Simply Security - News, Views, and Opinions from Trend Micro

Op-ed: Understanding FTC’s new consumer privacy protection guidelines

Posted on April 25th, 2012 in Privacy by Simply Security

In the internet age, data has become king. With most consumers now using mobile devices and social media to complete personal and work tasks, enterprises are leveraging these platforms to collect, store and share an abundance of information about prospective and existing customers. The information explosion may cause headaches for IT departments and data center managers, but it also enables most businesses to better understand their customer base and provide advertisers with a more accurate representation of their customers' interests.

Although this data may help your company develop products and services that meet your customers' needs, a business must still account for consumer privacy. The U.S. government, specifically the Federal Trade Commission (FTC), has made it a priority to protect consumer privacy during a period of technological innovation. On March 26, the FTC published its final report regarding best practices for businesses to protect consumer data, while still gaining some of the advantages associated with collecting and analyzing such information. The report, titled Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers, calls for Congress to consider devising legislation related to privacy, data security and breach notification.

"If companies adopt our final recommendations for best practices – and many of them already have – they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy," said Jon Leibowitz, Chairman of the FTC. "We are confident that consumers will have an easy to use and effective Do Not Track option by the end of the year because companies are moving forward expeditiously to make it happen and because lawmakers will want to enact legislation if they don't."

The FTC's latest recommendations build on its preliminary staff report issued in December 2010. This version calls for several privacy-related considerations, which could alter how a company gathers, manages, secures and shares sensitive consumer data.

According to the commission, enterprises must enact a policy of privacy by design, meaning they should implement privacy considerations at every stage of product development. Additionally, it's important for organizations to promote an atmosphere of privacy protection by giving consumers the ability to decide what personal data is shared or opt out completely through a Do Not Track feature. The FTC also urges companies to become more transparent regarding their collection and use of consumer information.

"Simply put, your computer is your property; no one has the right to put anything on it that you don’t want," Leibowitz said. "So we also urge industry to continue to move forward with a Do Not Track system that would let consumers choose what information is collected about them online and how it's used."

The final report has multiple changes compared to the FTC's preliminary outline. First, the original guidelines applied to all commercial organizations that collect or use consumer data that can be traced to an individual person, computer or device. The commission's new recommendations are expected to help small businesses cope with the burden of protecting customer data, as the new framework does not apply to enterprises that collect only non-sensitive information from fewer than 5,000 consumers a year and do not transfer it.

Although the FTC report is only a collection of guidelines and recommendations, it's important for businesses to consider the impact that potential privacy and data security legislation could have on organizational policies and ability to meet regulatory requirements.

Congress has already shown it's serious about making privacy protection a government priority. Earlier in March, House Representatives Henry Waxman and G.K. Butterfield asked Apple to brief the House Energy and Commerce Committee about the technology firm's mobile privacy policies. This comes after the representatives wrote a letter to Apple CEO Tim Cook in February asking him to detail the company's application developer policies and a privacy concern regarding Path, a mobile social media app that allegedly collected users' address book information without their consent.

Whether a small business or a massive corporation, the time to improve data security and privacy policies is now. With data loss on the rise and Congress expected to crack down on companies with lax security and privacy practices, all types of organizations must advance their strategies to reduce risk, avoid costly fines and prevent reputation-damaging breaches. It can be difficult to implement business-enhancing technology while striving to meet today's compliance standards, but there are several ways for IT departments or security teams to achieve both. Many enterprises are experiencing compliance success through the adoption of modern data encryption and real-time monitoring solutions, allowing businesses to manage sensitive customer data and eliminate the risk of exposing consumer information.

Collecting consumer data across multiple channels has become vital to the success of some businesses, and that won't change anytime soon. However, gathering only critical information and ensuring that it's secured beyond a reasonable doubt is more important than ever.


