by Lauren Brousell

5 Things CIOs Need to Know About Privacy Policy

Tip
Jun 11, 2012 · 3 mins
Regulation

Technology and government policies and regulations are constantly in flux. Here are 5 tips to help CIOs stay in compliance and avoid getting into hot water with the FTC like MySpace did.

1. You must revisit policies regularly. “Criminals are getting enormously sophisticated,” says Lisa Sotto, head of the global privacy and information security practice at Hunton and Williams. “If you fix your systems based on today’s vulnerability, you won’t address tomorrow’s.” Technology and government regulations are constantly in flux, but your own policies need to remain clear, concise and transparent. Take MySpace’s recent troubles with the FTC. Inconsistencies between information it shared with third parties and the rules laid out in its privacy policy left the company subject to audits for the next 20 years. According to Jay Cline, president of Minnesota Privacy Consultants, it’s safer and more cost-effective to blend security and compliance policies into a single, integrated framework.

2. Consumerization could create risk. Having a bring-your-own-device policy means data no longer resides solely behind corporate barriers, so it’s “a test for how well CIOs know their company culture and where it draws the line between risk and convenience,” Cline says. Sotto emphasizes the importance of knowing which company documents may be under a legal hold–in other words, an employee must not destroy them. “It’s hard to control that when it’s the employee’s own device,” she says.

3. Employee education is critical. Cline says training is the best way to mitigate risk, but it “doesn’t move the needle of employee comprehensive behavior until it becomes meaningful to specific roles in the company.” Sotto agrees, saying, “It’s important to tailor your training to your organization. Educating consumers is a difficult task, and one I would say is daunting.”

4. Regulations are evolving in the U.S. President Obama has backed the Digital Advertising Alliance process, which would allow consumers the freedom to create their own privacy preferences. The FTC has also suggested privacy principles for companies to adopt that address consumer choice, policy promotion and transparency. Sotto suggests consulting a lawyer on how to deal with new or updated government policies like Do Not Track. “Implement best practices now so you don’t have to retrofit your systems later,” she says.

5. …and in Europe. Sotto says CIOs need to keep in mind that in Europe, privacy is a fundamental right, whereas in the United States, it’s a consumer right. In the EU, “you’re not allowed to transfer data to a non-adequate jurisdiction,” which Sotto says forces you to ask, “When you store data in the cloud, where is that cloud?” Cline suggests taking webinars to stay updated.