When it's done well, information privacy protection is part of an organization's policy and procedural infrastructure, working in the background like a silent sentinel that few realize is constantly on alert. When it's done poorly, it makes headlines and ripples through an organization from the cubicles to the board room.
Media reports tend to make privacy protection synonymous with cybersecurity, and some resources, such as the EDRM's Information Governance Reference Model, take the position that while business, legal, and records and information management (RIM) stakeholders have input, it is IT's responsibility to manage the information protection environment.
Protection, though, is as much about policy and procedural issues as it is about technology activities. Anti-hacking and anti-theft measures, for example, can exist only as the result of well-defined policies that are made in response to laws governing collection, storage, transfer, retention, and disposition of private information and the assignment of privacy protection responsibilities.
The Push for Privacy
The states of Massachusetts and Nevada have enacted tough privacy laws, and members of the U.S. Congress are moving forward with cybersecurity legislation aimed at protecting private information. Meanwhile, privacy experts are advocating that individuals have the right to control the collection and use of their personal data, an idea embodied in many European laws. Organizations, therefore, find themselves squeezed between pressures from lawmakers and customers.
Privacy breaches are expensive for business. According to the Ponemon Research Institute's "2014 Cost of Data Breach Study: Global Analysis," the average cost for each stolen or lost record containing sensitive or confidential information is $145 (U.S.). Considering that Verizon's "2012 Data Breach Investigations Report" showed that 95% of the 174 million records compromised worldwide in 2011 contained personal information, the total cost is significant. What's worse is the potentially irreparable harm to customer confidence in the breached organization and its impact on future business.
Privacy breaches can be costly for careers, too. In some cases, high-level executives have lost their jobs, and in the high-profile incidents at Wyndham Worldwide and Target, shareholders brought lawsuits against their respective boards alleging that board members failed to take reasonable steps to maintain their customers' personal and financial information in a secure manner.
But, determining what "reasonable steps" are is a mammoth task in an...