Shop Talk: Managing Privacy Risks in a Mobile World

Companies are quickly realizing the many benefits of mobile computing, but they see, too, that the convenience comes with a catch.

THE PANELISTS

The following executives participated in the March 19 roundtable on how to manage risks in the era of the mobile, extended enterprise.

Bill Baumer,

Chief Risk Officer,

First Marblehead

Brett Celedonia,

Legal Counsel,

Re: Sources USA

Joanne Furtsch,

Director of Product Policy,

TRUSTe

Mitch Guziejka,

Chief Compliance Officer,

Pegasystems

Judy Kalisker,

VP of Compliance & Compliance Officer,

The MENTOR Network

Grace Liau,

SVP, Partnerships,

VivaKi Nerve Center

Gail McDermott,

Director of Risk Management & Audit Services,

Harvard University

Jim Rennie,

Senior Product Counsel,

TRUSTe

Aram Sogomonian,

Chief Ethics & Compliance Officer,

Edison Mission Energy

For More Information on Compliance Week Roundtables

Speed and agility bring with them unique privacy challenges that arise from putting sophisticated tools and vast amounts of data at the fingertips of employees.

Balancing these realities becomes more complex for companies with decentralized processes, and those operating on an international scale must contend with several complex—and sometimes competing—data privacy laws.

During an executive forum last month in Boston hosted by Compliance Week and online privacy solutions provider TRUSTe, compliance and risk professionals from a wide range of industries—including education, healthcare, and technology—discussed the benefits and the privacy risks that accompany mobile computing.

One of the biggest challenges companies encounter when it comes to mobile computing is that the adoption of new technologies in the workplace are evolving faster than the privacy rules and regulations themselves, says Joanne Furtsch, director of product policy for TRUSTe. “Companies want employees to take advantage of new technologies,” she says. “But how do you create privacy policies in the absence of regulations?”

To be sure, companies want to leverage emerging technology, but they also want controls. Grace Liau, senior vice president of partnerships for digital advertising solutions provider VivaKi, said the big question is: “How do we move forward when everything is still so nebulous—and how do you do that without quashing innovation?”

Even industries, such as healthcare, that have been dealing with privacy issues for years have yet to solve the many data security problems that arise. And new challenges, such as the compliance issues that surround a bring-your-own-device (BYOD) environment, continue to emerge.

The Health Insurance Portability and Accountability Act, for example, was created for the digital age—but the practicality of ensuring that all employees comply with all privacy mandates all the time isn't always realistic, forum participants suggested. Even when companies put privacy protections on mobile devices—such as encryption and password protections—they cannot always prevent employees from using those devices for unapproved uses, attendees said.

The core question is, as one executive put it: “How do we avoid the easy route of mitigating the risk, which would be to prohibit everything, and instead really leverage all that's out there—because there are some amazing tools that are out there.”

One alternative roundtable participants discussed is requiring employees to sign a user agreement, making them aware that if the mobile device gets lost or stolen, all data stored on it—personal or not—will be deleted. Regular training on privacy matters is also important, they said.

The inability of privacy laws to keep pace with today's ever-developing mobile computing work environment also places unique challenges on service providers. Any time you discourage a corporate client from engaging in certain privacy practices, they immediately want to know what law or enforcement action prevents them from doing so, said Jim Rennie, senior product counsel with TRUSTe. “Often, there isn't one.”

As long as the company believes that what it is doing is not illegal, it's sometimes difficult to get them to buy into best practices, added Rennie. Yet, just taking the minimum approach of abiding by privacy laws and not taking any proactive measures is risky, he said.

When companies are willing take to take external advice on privacy practices, sometimes even the service providers are forced to make educated guesses. As one executive said, “you can't always determine where the risks are.”

One of the suggested fixes is building privacy measures into the data architecture at the beginning of the process. “Too often privacy is more of an afterthought than a forethought,” said Furtsch. Even though some companies have “very structured privacy programs,” most tend to make privacy as part of somebody's job, as opposed to a core function. Then you have other organizations that, when you mention privacy to them, she said, they start talking about security, because they don't understand the differences.

Code Overload

Several attendees at the roundtable also shared the frustration of “code overload,” the idea that too many companies employ a check-the-box mentality when it comes to privacy audits. As one compliance officer lamented, “They're all checklist auditors.”

“As long as the company believes that what it is doing is not illegal, it's sometimes difficult to get them to buy into best practices,” said Jim Rennie, senior product counsel with TRUSTe.

Joanne Furtsch, director of product policy for TRUSTe, and Brett Celedonia of Re: Sources USA share a laugh during the forum.

If we send our privacy policy to a high-risk vendor, and they simply sign it and send it back, “we see that as a red flag,” said Bill Baumer, chief risk officer for First Marblehead, a provider of private student loan solutions for lenders, credit unions, and schools. “We want to know, do you really understand our objectives? That's a conversation; that's not a questionnaire.”

A common mistake companies make is that they don't first get a better grip on the privacy challenges they face before seeking advice. As a result, they don't always ask the right questions.

Dealing with sales reps can be especially difficult. Trying to educate a sales representative about the company's privacy risks and how they should be addressing them and then trying to get them to escalate those risks to the appropriate people in the company is a challenge, attendees agreed.

Privacy Risk Assessments

Forum participants also discussed the challenges of keeping track of all their third parties and how to ensure that they too are following the company's privacy practices. With decentralized processes, in particular, one challenge companies have is “how to connect all the dots to come up with a common policy or approach to address privacy challenges,” said Furtsch.

New tools in the marketplace are helping in this area somewhat. TRUSTe, for example, has a Website Tracker and Cookie Auditing tool that enables a company to keep track of what third parties it has on its Web page that are collecting data about site visitors. “Often times, companies are surprised by what we find,” said Furtsch.

William Baumer, chief risk officer for First Marblehead (right) discussed red flags in regard to privacy policies. Mitch Guziejka, chief compliance officer of Pegasystems (left).

In some cases, clients will come across third parties they thought they stopped doing business with years ago, Furtsch added. “Companies don't always know what they don't know, and that's always a challenge,” she said.

“We did a data-discovery tracking project a few months ago, and it was eye-opening; we discovered systems within the four walls of the company that no one knew existed,” said Baumer. Unless you have a data-discovery tool to track your third parties over time, he said, “You just don't know who has access to what.”

One way to minimize the chance of a breach occurring is to conduct a privacy risk assessment. First Marblehead, for example, looks at its highest revenue-generating areas of the business as a means to quantify the effects of a privacy breach.

“If something goes wrong with our operations relating to privacy, how much of that revenue stream might be at risk?” said Baumer. That's where we then focus our education and training, he said.

When it comes to BYOD, social media, and other new technologies in the workplace, no company is ever fully immune from a privacy breach—but having policies, procedures, and internal controls in place is the best defense in the event of one. “You can only control what you can control,” said one executive. “At some point, you have to be able to sleep at night and say you've done everything you can do.”