Privacy Advisor

Notes from the Executive Director

August 1, 2006

Soon after the story broke that AOL had inadvertently released search data for research purposes, it was clear that there would be swift and certain consequences. From mainstream media to the trade publications, AOL took it on the chin for releasing 20 million search queries of more than half a million members - search terms that led reporters, in some cases, directly to the door of specific users.

AOL moved quickly to counter the gathering storm. The company immediately apologized when the disclosure went public, and characterized it as a mistake.

But the damage was done.

A Congressman used the incident as fresh fodder for seeking action on his pending bill that would force Internet companies to destroy old electronic data as well as data that could be used to individually identify consumers. Three employees lost their jobs because of the disclosure. Amid the criticism, AOL announced it would create a panel to examine how long the company should save data and make recommendations to improve its privacy policy and practices, including privacy training for employees at all levels.

AOL's mishap should serve as a reminder for privacy pros that bad things do happen to good companies. The IAPP and members of the privacy community know AOL to be a conscientious company heavily focused on consumer protection. We know many other companies that have suffered security breaches despite a commitment to privacy protections and a track record for not knowingly risking customer data.

We know other companies that have failed to understand that privacy can deliver a competitive advantage and foster trust with customers, both of which have proven to boost the bottom line. And there are still other companies that have a blatant disregard for safeguarding personal information and deliberately seek to profit from a database teeming with personal data.

The AOL experience raises the question - so what is a privacy pro to do? We know the importance of incident response plans. Your organization may be one breach away from the next debacle that fuels the ugly headlines. If you are new to your company, or have been there a while, it is essential that you immediately launch a company inventory of where the data "lives" in your organization. You have to know what data your company has and where it is stored to proactively prevent its disclosure or leakage. For each type of personally identifiable information, inventory the location of the data, who owns and controls it, its level of sensitivity and protection, and data flow across the company and with vendors or partners.

For those of you who are Certified Information Privacy Professionals, you have been schooled on this exercise. For those of you who have yet to study and sit for this chief privacy credential in the marketplace, it would be a worthwhile investment.

These proactive approaches may not always be enough. But it's better to have engaged in these efforts beforehand. In the aftermath of a breach, the failure to fulfill these steps of due diligence will leave you and your company exposed to the full wallop of likely consequences.

J. Trevor Hughes, CIPP
Executive Director