Ways businesses can protect customer privacy

Growing numbers of Americans are making demands on corporate America to treat their personal information with secrecy. According to a Harris Poll sponsored by Microsoft, 60 percent of Americans said they've decided not to support a store because of doubts about that store's privacy protections.

What is surprising is that it isn't just marketers that are trying to access personal information. The government has drafted private industry for "data collection duty" in the war on terrorism.

So how can businesses keep customers' personal information under wraps when the U.S. Patriot Act allows the government to collect copious amounts of this sort of information? Jacqueline Klosek, an attorney and a certified information privacy professional, advises clients on issues related to data privacy and security. She believes private industry faces a precarious balance, trying to simultaneously maintain consumer privacy while also complying with governmental demands for information.

"This issue is not going to just disappear," said Klosek. "The war on terror has reduced privacy rights in the United States and around the world. The bottom line is whether the feds are leaning on your company for records or you've suffered a security breach by hackers, your reputation is at stake and you've lost your customers' trust."

Klosek routinely advises businesses to follow all privacy measures required by law. In addition to these measures, she offers her clients the following additional tips:

•Conduct an internal audit. Before a company can inform its consumers about its privacy policies and practices, employees must first understand what they are. Businesses should conduct an internal audit to understand what data they are collecting, how they are using that data, with whom they are sharing that data, how that data is being protected and related issues.

•Develop a privacy policy. Once the company's policies and plans for collecting and using customer information are clarified, these policies should be communicated to customers and clients through a privacy policy which clearly states how the company can be contacted in regards to information and the types of third parties that will have access to such information. Also, be sure to follow all laws and legal requirements in this regard.

•Be broad. When drafting the consumer privacy policy, it is smart to be as broad as possible. This will give the company greater latitude if forced by the government to hand over data or are faced with other potentially unanticipated events such as corporate restructuring, mergers and acquisitions.

•Plan ahead and be prepared for the inevitable. Anticipate the fact that the company could face a government subpoena demanding personal information records of clients. By understanding that this can happen, a company can suitably prepare its policies in order to set clients' and customers' expectations regarding the privacy of their personal information. This may help the company avoid making a strong privacy promise to consumers that governmental demands will not allow.•

Seek prior consent. It's a smart idea to obtain prior consent from consumers/clients about potential personal data transfers that could be subpoenaed by the government. The same holds true for other types of transfers, including transfers to business partners and service providers.

•Conduct due diligence when outsourcing. Examine the thirdparty service provider's experience with privacy and data security. Investigate any privacy complaints the service provider has faced and make sure the company is complying with all U.S. and foreign laws when outsourcing.

•Protect websites. It's good practice to implement a web monitoring program that automatically runs privacy scans to ensure that the site hasn't been compromised and that privacy measures remain intact.