Privacy Advisor

How Privacy Scanning Can Keep Your Company Out of the Regulatory Minefield

July 1, 2007

Kurt Mueffelmann

In a recent Jupiter Research report titled Online Privacy: Managing Complexity to Realize Marketing Benefits, Jupiter analysts advised companies to allocate budgets for consumer security and privacy education, and to treat online privacy as a strategic marketing differentiator, rather than a compliance exercise.

Jupiter estimates that as much as $24.5 billion in online sales was lost in 2006, up from $5.5 billion in 2001, and that online retail sales would have been approximately 24 percent higher in 2006 had consumers' fears about privacy and security been effectively addressed. Companies with poor online privacy practices can expect these losses to continue, not only in their online sales over the next several years but also in off-line sales, as consumers shift to more privacy-sensitive competitors.

One of the more devastating consequences of inadequate Web site standards is a serious privacy breach, and the price organizations pay when a breach becomes public can be catastrophic. According to one study, titled The Effect of Internet Security Breach Announcements on Market Value, companies lose an average of 2.1 percent of their market value within two days of a breach announcement, an average loss of $1.65 billion in market capitalization per incident. (View the study at http://info.freeman.tulane.edu/huseyin/paper/market.pdf.) This estimate does not take into account the losses that follow from a damaged brand and reduced customer trust.

Organizations must meticulously identify and manage online privacy and risk issues to ensure regulatory compliance and to earn and retain customer trust. Failing to comply with regulatory requirements could result in negative media attention and large fines and penalties, and could damage an organization's image and brand. Once an organization makes the commitment to a privacy program, it is obligated to monitor and maintain its Web site for the privacy issues covered by its published online privacy policy.

Privacy scanning can offer an early indication of issues that might cause a breakdown in privacy standards or trigger further scrutiny from regulators. What might seem like a simple issue, for example a Web page that collects personally identifiable information without a link to the privacy policy, might raise a red flag that leads a regulator to dig deeper into an organization's privacy practices. A visible lack of diligence on the external face of an organization's Web properties gives regulators a reason to question the level of control the organization maintains over its privacy program as a whole.
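The check described above, turned into working code as an added example written for this page (it is not HiSoftware's product, whose internals the article does not describe): a scanner over a set of already-fetched pages that parses each page's forms and links with Python's standard-library HTMLParser, flags any form whose fields look like they collect personally identifiable information when the page carries no link to a privacy policy, and reports the page URL and source line so the owner can go straight to the problem. It goes one step beyond the article's example by also flagging PII forms that post to a plain http:// URL. The PII_HINTS list, the sample pages and their URLs are constructed for the example.

```python
from collections import namedtuple
from html.parser import HTMLParser

# Heuristic field-name fragments that usually mark a field as collecting PII.
# Illustrative only (an assumption of this example); tune it for your own forms.
PII_HINTS = ("email", "phone", "tel", "name", "address", "ssn", "birth", "zip", "card")


class PageParser(HTMLParser):
    """Records each form (with its fields) and each link, plus the source line of each."""

    def __init__(self):
        super().__init__()
        self.forms = []   # each: {"line", "action", "fields": [(name, type), ...]}
        self.links = []   # each: {"line", "href", "text"}
        self._form = None
        self._link = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]          # 1-based line of this tag in the page source
        if tag == "form":
            self._form = {"line": line, "action": a.get("action", ""), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            self._form["fields"].append((name, a.get("type", "text").lower()))
        elif tag == "a":
            self._link = {"line": line, "href": a.get("href", ""), "text": ""}

    def handle_data(self, data):
        if self._link is not None:
            self._link["text"] += data

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "a" and self._link is not None:
            self.links.append(self._link)
            self._link = None


def is_pii_field(name, itype):
    """True if a form field looks like it collects personal information."""
    if itype in ("submit", "button", "reset", "hidden"):
        return False
    return itype in ("email", "tel", "password") or any(h in name for h in PII_HINTS)


def has_privacy_link(links):
    """True if any link's href or visible text mentions a privacy policy."""
    return any("privacy" in (l["href"] + " " + l["text"]).lower() for l in links)


Finding = namedtuple("Finding", "page line message")


def scan_page(url, html):
    """Findings for one page: PII forms with no privacy policy link, and PII forms posting over http."""
    parser = PageParser()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        pii = [n for n, t in form["fields"] if is_pii_field(n, t)]
        if not pii:
            continue
        where = "form collecting " + ", ".join(pii)
        if not has_privacy_link(parser.links):
            findings.append(Finding(url, form["line"], where + " on a page with no privacy policy link"))
        if form["action"].lower().startswith("http://"):
            findings.append(Finding(url, form["line"], where + " submits in clear text to " + form["action"]))
    return findings


def scan_site(pages):
    """Scan a {url: html} mapping (a crawler would supply it) and return every finding."""
    return [f for url, html in pages.items() for f in scan_page(url, html)]


# Constructed sample pages standing in for a crawl of a site (not real content).
SAMPLE_PAGES = {
    "https://example.test/newsletter": """<html><body>
<form action="/subscribe" method="post">
  <input type="text" name="full_name">
  <input type="email" name="email">
  <input type="submit" value="Sign up">
</form>
<a href="/about">About us</a>
</body></html>""",
    "https://example.test/contact": """<html><body>
<form action="/contact" method="post">
  <input type="text" name="name">
  <input type="email" name="email">
</form>
<a href="/privacy">Privacy Policy</a>
</body></html>""",
    "https://example.test/signup": """<html><body>
<form action="http://legacy.example.test/register" method="post">
  <input type="email" name="email">
</form>
<a href="/privacy-policy">Privacy</a>
</body></html>""",
}

if __name__ == "__main__":
    for f in scan_site(SAMPLE_PAGES):
        print(f"{f.page}:{f.line}: {f.message}")
```

Run stand-alone, it reports the newsletter page (PII form, no privacy link) and the signup page (PII form posting over plain HTTP), each with the line of the offending form; the contact page is clean. The field-name heuristic is deliberately simple; a production scanner would crawl the site itself, render script-driven forms, and verify that the linked policy actually resolves.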

While more and more companies are recognizing the importance of an online privacy risk management strategy, many of those companies mistakenly create a false sense of security by scanning their Web sites for privacy issues once a year, or, even worse, only when the site is first developed and implemented. Web sites should be monitored continuously and automatically to ensure regulatory compliance 365 days per year.

Many organizations, both public and private, are mandated by privacy legislation that governs the collection, use, retention and distribution of personal information; however, this legislation varies greatly from country to country and can often be difficult to monitor and enforce. An online privacy best practices program, reinforced with a comprehensive privacy scanning program, provides a model that gives companies confidence in the proper collection, usage and protection of consumers' personal data, while also allowing consumers to maintain control over their personal information.

A well-designed online privacy risk management strategy should give an organization the ability to view policy implementation from a project management perspective, which enables the appropriate allocation of resources across the organization, tracks each site's progress and identifies the problem areas to address. A good privacy strategy also should provide the ability to integrate testing into the quality assurance and content delivery processes that already exist around Web development and deployment. And finally, the organization should be able to keep a historical view of its testing over time, which is a good way to measure the progress of a project and set goals for the future.

An adequate privacy compliance program also should include features that identify issues that might be compliance triggers for regulators. By implementing an automated privacy scanning compliance solution, organizations are able to mitigate risk and ensure compliant Web properties, while also reducing the staff hours spent on testing Web content and applications. Additional benefits include:

• Continuous, automatic monitoring of all company Web sites for privacy compliance.

• The ability to identify and enlist business teams responsible for Web content to ensure consistent enactment of privacy compliance policies and procedures.

• Scans and reports that identify Web content that can expose the organization to the maximum risk for privacy and accessibility violations to help prioritize projects and resources.

• Reports that provide the exact locations of errors, which will further reduce the time it takes to implement fixes and changes.

• The ability for business and policy owners to continuously monitor published Web sites, systems and applications to ensure they continue to conform.

Frequent self-assessment audits are imperative to verify that an organization's privacy policy is accurate, comprehensive, prominently displayed, correctly implemented, communicated and accessible. Organizations should work with third-party testing programs that provide oversight of the organization's privacy program. An effective privacy monitoring program should include detailed reporting capabilities, scan online properties continuously and automatically throughout the year, and enable organizations to better mitigate risk and more easily identify, assign and track privacy issues for remediation.

A good privacy scanning solution will offer pricing models configured to a specific client's Web site and privacy requirements. Privacy scanning should not be a "one price fits all" solution, but instead should be priced on the scale and complexity of the site. An effective scanning solution will allow users to configure it for an organization's specific needs, and will require minimal training and user interaction. For organizations with large Web sites, ongoing scanning for privacy issues is essential, as Web pages are updated constantly, sometimes by different business units or by outsourced Web design agencies that may not communicate with each other. Large organizations can have millions of Web pages, making manual compliance checking impossible.

If not controlled properly, Web sites can provide major privacy weak points that can have dire consequences for an organization. Continuous Web monitoring for privacy issues provides an excellent illustration of due diligence on the part of an organization. By implementing an automated and ongoing privacy scanning solution, organizations will be able to mitigate risk and ensure compliant Web properties, while also assuring their Web site visitors and customers that they are taking the proper measures to ensure all personal information is kept secure and private.

Kurt A. Mueffelmann is President and CEO of HiSoftware. He is responsible for defining and directing HiSoftware's worldwide strategic direction, software development, sales and business development efforts, and market expansion activities. Mueffelmann also is a member of HiSoftware's board of directors.