Privacy Rights Clearinghouse / UCAN
Introduction
Section I. Developing Privacy Policies to Guide Customer/Client Relations
A. Organizational Policies
B. Privacy Principles
C. Data and Network Security
D. Some Additional "Common Sense" Security Practices
E. Records Retention and Disposal
F. Facsimile Transmission
G. Answering Machines and Voice Mail Systems
H. Wireless Communications
I. Portable Computers and Work-at-Home Situations
J. Social Security Numbers (SSNs) and the Use of Personal Identifiers
K. Guidelines for Security of Lists
Section II. Developing Privacy Policies for Employee Relations
Section III. Resources
Case: A credit bureau mailed a credit report to a man who had requested it, and mistakenly included the credit report of a woman who had no connection to him. To make matters worse, the woman's credit report had been "flagged" by the credit bureau for security purposes.*
* All case studies reported in this Fact Sheet are true stories taken from the PRC hotline log.
When we think about data breaches, we often worry about malicious-minded computer hackers exploiting software flaws or perhaps Internet criminals seeking to enrich themselves at our expense. But the truth is more complicated than that.
Hardly a week goes by without a news story about some firm or government agency losing control over vast quantities of customer or client information. In fact, the Privacy Rights Clearinghouse counted more than 100 million personal records improperly exposed in the breaches it recorded from 2005 through 2006. www.privacyrights.org/ar/ChronDataBreaches.htm
So what is causing this massive, unauthorized release of personal records? In many cases, it’s “shortcomings in people, process and policy” as well as flaws in technology, according to one top security-industry official. www.appsecinc.com/news/pr/2006_12_14_100MILLION.shtml
Thus, a critical starting point for preventing future security breaches (and the identity theft that can follow) is developing clear, enforceable policies and practices for handling personal information within the workplace. In the past, security usually meant protecting sensitive data from outside intrusion. That leaves far too much room for internal errors, carelessness, and wrongdoing by those who handle personal information. Responsible data-handling practices begin with the development of workplace privacy policies and the implementation of regular training programs for employees.
The proliferation of office printers, copiers, fax machines, email, laptop computers, personal digital assistants (PDAs), and portable storage devices (even including consumer gadgets such as the iPod) has allowed for dissemination — accidental or intentional — of information in quantities never before imagined. Thus, the challenge for organizations is not just in keeping track of the ever-growing mountain of new information being produced each year, but also monitoring and managing the archives. Putting clear policies in place is essential.
Privacy is increasingly a business issue. Data breaches can cost companies millions of dollars per incident in direct costs such as notifying victims. Corporate reputations also can suffer. Twenty percent of data-breach victims cut ties with institutions that compromised their privacy, according to one study by the Ponemon Institute. [21]. www.ponemon.org
What’s more, lawsuits against firms for negligent handling of personal information are becoming more common. Many states have passed laws requiring companies to inform their customers if their personal information has been stolen or possibly compromised. And some states have passed laws allowing individuals to sue organizations that fail to safeguard their private data. Federal statutes and regulations also permit government agencies to sue organizations over data breaches and other failures.
Many employers are imposing new restrictions on who can take confidential records out of the office and are providing special training on how to keep data secure. Workers found violating security policies are being disciplined, or even dismissed. So whether or not a company is cracking down on computer security, employees should consider protecting themselves. Experts say it’s wise to check your company’s policy or urge such policies be adopted or clarified.
This checklist provides an overview of key points to consider when preparing information-handling policies and conducting privacy audits within your organization. The checklist can be used by private, public and not-for-profit organizations alike. Not all points will be relevant to your organization.
Some situations may require you to take more stringent steps than those listed here. For example, medical records may necessitate extraordinary steps. (See [1] under “Resources” at the end of this checklist for more details on medical security. Similar bracketed citation numbers refer to other references in that list of Resources.)
The checklist is divided into two sections. Section I suggests issues to consider when drafting privacy principles to safeguard the personal information of your clients and customers. Section II concerns privacy policies affecting your employees, such as personnel records, electronic monitoring, and email.
Understand that this is not an issue you can address once and have solved forever. Threats will change, technology will change, and employees will change. So your plans and processes should change along with them. Updates are crucial.
No one is immune. While some companies have data collection as their core business, all firms collect information on their clients, customers, and employees. Don’t wait until a computer goes missing to think about what actions to take. Develop a complete checklist now.
I. DEVELOPING PRIVACY POLICIES TO GUIDE CUSTOMER / CLIENT RELATIONS
- Does your organization have policies that outline its privacy practices and expectations for handling the personal information of its clients, customers, users, members and/or listees? [10] [13] [15] [17]
- Are your organization's privacy policies communicated regularly? Opportunities include employees' initial training sessions, regular organization-wide training programs, employee handbooks, posters and posted signs, company intranet and Internet Web sites, and brochures available to clients. Are all employees who handle personal information included in the training programs, including temporary employees, back-up personnel, and contract staff?
- Is your organization familiar with, and has it adopted, the information security standards of the International Organization for Standardization (ISO), known as ISO 27001? ISO 27001 specifies the requirements for an information security management system; its companion code of practice, ISO 27002, is the renumbered ISO 17799. www.iso.org For a guide to ISO 27001, visit www.iso27001security.com/index.html . [14] The Web site for the ISO 27001 User Group is www.17799.com . The progress of the 27000 standards is being tracked at the Web site of the ISO 27001 and ISO 27002 Directory: www.27000.org .
B. Privacy Principles
The major components of effective privacy policies are listed below, adapted from the fair information practices developed by the Organisation for Economic Cooperation and Development (OECD). www.oecd.org [20] Another useful compendium is the Canadian Privacy Code. [8] Although designed to guide the development of national privacy legislation, these principles are also appropriate for organizations.
- Openness. A general practice of openness about practices and policies should exist. Means should be available to establish the existence and nature of personal information and the main purposes of its use.
- Purpose specification. The purpose for collecting personal information should be specified at the time of collection. Further uses should be limited to those purposes.
- Collection limitation. Personal information should be collected by lawful and fair means and with the knowledge and consent of the subject. Only that information necessary for the stated purpose should be collected, nothing more.
- Use limitation. Personal information should not be disclosed for secondary purposes without the consent of the subject or by authority of law.
- Individual participation. Individuals should be allowed to inspect and correct their personal information. Whenever possible, personal information should be collected directly from the individual.
- Quality. Personal information should be accurate, complete and timely, and be relevant to the purposes for which it is to be used.
- Security safeguards. Personal information should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure. Access to personal information should be limited to only those within the organization with a specific need to see it.
- Accountability. Someone within the organization, such as the chief privacy officer or an information manager, should be held accountable for complying with its privacy policy. Privacy audits to monitor organizational compliance should be conducted on a regular basis, as should employee training programs.
- There are many variations of fair-information principles. The industry group Online Privacy Alliance has developed a set of principles for use on Web sites. www.privacyalliance.com [18] Industry-oriented policies often lack key principles such as purpose specification, use limitation, and accountability. See also Web site “seal” programs such as TRUSTe, BBBOnline, and WebTrust. [26]
C. Data and Network Security
Security of personally identifiable information—whether stored in electronic, paper or micro-graphic form—is covered in many books, journals, trade magazines, and conferences. Only the major points are listed here. For additional information, consult professional and trade associations as well as libraries, your nearest technical bookstore, and the Web. Many such professional associations are listed in the Resources section at the end of this guide.
- Do you have staff specifically assigned to data security? Do staff members participate in regular training programs to keep abreast of technical and legal issues?
- Have you developed a security breach response plan in the event that your company or organization experiences a data breach? [7]
- Have you developed security guidelines for laptops and other portable computing devices when transported off-site? [15]
- Is physical access restricted to computer operations and paper/micrographic files that contain personally identifiable information? Do you have procedures to prevent former employees from gaining access to computers and paper files?
- Are sensitive files segregated in secure areas/computer systems and available only to qualified persons?
- Do you have audit procedures and strict penalties in place to prevent telephone fraud and theft of equipment and information?
- Do all employees follow strict password and virus protection procedures? Are employees required to use strong passwords and to change them, and are those rules enforced by the systems themselves rather than left to an honor system?
- Is encryption used to protect sensitive information (a particularly important measure when transmitting personally-identifiable information over the Internet)?
- Do you regularly conduct penetration tests of your systems? No system is "hacker proof"; the purpose of a test is to find and fix weaknesses before an outsider does, so is each finding tracked until it is closed?
- If your organization is potentially susceptible to industrial espionage, have you taken extra precautions to guard against leakage of information? [3]
D. Some Additional "Common Sense" Security Practices
Case: A medical office photocopied more of a car accident victim's record than necessary and released extremely sensitive but irrelevant information to the insurance company. Information about the woman's child, given up for adoption 30 years ago, eventually became part of the court record, a public document.
- When providing copies of information for others, do employees make sure that nonessential information is removed and that personally identifiable information that has no relevance to the transaction is either removed or masked?
- Are employees trained never to leave computer terminals unattended when personally identifiable information is on the screen? Do you use password-activated screen-saver programs?
- Are all employees who handle personal information—including temporary, back-up and contract staff—trained to detect when they are being "pumped" for personal information by unauthorized and unscrupulous persons? "Pretext" interviews are more common than might be expected and are the stock in trade of persons bent on finding out confidential personal information to which they are not entitled.
- Do you perform background checks on prospective employees who will have access to personal information of customers, clients, or employees? [23]
- Have you inventoried the various types of data being stored and classified it according to how important it is and how costly it would be to the organization if it were lost or stolen?
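The first item above (remove or mask whatever is not relevant to the transaction) is the control that would have prevented the medical-office case. The following is an added example, not part of the PRC checklist, showing one way to do it mechanically before a copy leaves the office. It assumes records are flat field/value dictionaries, that the caller knows which fields the recipient is entitled to, and that a Social Security number is written NNN-NN-NNNN; the sample record is constructed.

```python
"""Redact a record before release: drop irrelevant fields, mask SSNs.

Added example; not from the PRC checklist. Assumptions: flat dict records,
caller-supplied list of relevant fields, SSNs formatted NNN-NN-NNNN
(undashed nine-digit numbers are NOT caught by this pattern).
"""
import re
from typing import Iterable

# Dashed U.S. SSN. \b keeps it from matching inside longer digit runs,
# and the 3-2-4 grouping means a 3-3-4 phone number does not match.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def mask_ssn(text: str, keep_last4: bool = True) -> str:
    """Replace every SSN in free text; keep the last four digits only if asked."""
    def repl(m: "re.Match[str]") -> str:
        return f"XXX-XX-{m.group(3)}" if keep_last4 else "XXX-XX-XXXX"
    return SSN_RE.sub(repl, text)


def contains_ssn(text: str) -> bool:
    """True if an unmasked SSN is still present."""
    return SSN_RE.search(text) is not None


def redact_record(record: dict, relevant_fields: Iterable[str],
                  keep_last4: bool = True) -> dict:
    """Return a copy holding only the relevant fields, SSNs masked inside them.

    Fields not in `relevant_fields` are removed outright, not masked: the
    recipient has no business seeing them at all.
    """
    keep = set(relevant_fields)
    out = {}
    for field, value in record.items():
        if field not in keep:
            continue
        out[field] = mask_ssn(value, keep_last4) if isinstance(value, str) else value
    return out


def release_check(record: dict) -> list:
    """Names of fields that still carry an SSN; should be empty before sending."""
    return [f for f, v in record.items() if isinstance(v, str) and contains_ssn(v)]


# Constructed sample, modelled on the accident-claim case above.
SAMPLE_RECORD = {
    "patient": "Jane Doe",
    "ssn": "123-45-6789",
    "visit_date": "2006-11-02",
    "accident_injuries": "Fractured left wrist",
    "family_history": "Child placed for adoption, 1976",
    "notes": "Insurer ref SSN 123-45-6789",
}
# What the auto insurer actually needs for the claim (assumption).
RELEVANT_FOR_INSURER = ["patient", "visit_date", "accident_injuries", "notes"]

if __name__ == "__main__":
    released = redact_record(SAMPLE_RECORD, RELEVANT_FOR_INSURER)
    print(released)
    print("still contains SSN:", release_check(released))
```

The `release_check` pass is the one worth wiring into whatever sends the copy out: it catches an SSN that was pasted into a free-text field the redaction list did not anticipate.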
E. Records Retention and Disposal
Case: An automobile dealer did not shred loan applications before tossing them into the garbage. A "dumpster diver" retrieved one and used the financial information to commit thousands of dollars of fraud against someone who’d applied for a car loan.
- Does your organization have a records retention/disposal schedule for personally identifiable information, whether stored in paper, micrographic or magnetic/ electronic (computer) media? [1] [5]
- Customer records stored on computers or in paper files are a company asset, just like the furniture or the computers. Not only that, but customers’ personal information, unlike the furniture, is subject to a myriad of laws that dictate privacy protections, safeguarding measures, and proper disposal. Even in hard times, when a company has to close its doors, customer data should never be abandoned or left at the curb for the trash collector. Such actions could subject owners, even of a defunct business, to unwanted lawsuits by customers and government regulators.
When disposing of computers, diskettes, magnetic tapes, CD-ROMs, hard drives, memory sticks, mother boards, and any other electronic media which contain personally identifiable information, are all data rendered unrecoverable by either physically destroying the device or by over-writing the data sufficiently to ensure destruction? If you use third-party services for computer recycling or destruction, have you selected a service that provides a certificate of destruction? Does it dispose of toxic materials properly?
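The overwrite option in the paragraph above is straightforward for a file on a conventional magnetic disk. The following is an added example, not part of the PRC checklist, of overwriting a file in place before deleting it, with a check that the original bytes are gone. It assumes a local file on a magnetic disk; on SSDs, flash sticks, and journaling or copy-on-write filesystems an overwrite of the logical file does not reliably reach every physical copy, so for those media the page's other option, physical destruction (or whole-device encryption with destruction of the key), is the one to rely on. The sample content is constructed.

```python
"""Overwrite a file in place, then unlink it, and verify the overwrite.

Added example; not from the PRC checklist. Assumption: a local file on a
magnetic disk. Overwriting is NOT sufficient on SSD/flash or on
journaling/copy-on-write filesystems, where stale copies may survive.
"""
import os
import tempfile

# Constructed sample standing in for a discarded loan application.
SAMPLE_CONTENT = b"LOAN APPLICATION\nApplicant: J. Doe\nSSN: 123-45-6789\n" * 1000


def overwrite_file(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of the file in place, `passes` times.

    Earlier passes write random bytes; the final pass writes zeros so the
    result is recognisable as wiped. Each pass is flushed and fsync'd so the
    data reaches the device instead of sitting in a cache.
    Returns the file size (bytes written per pass).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            left = size
            while left > 0:
                n = min(chunk, left)
                f.write(os.urandom(n) if p < passes - 1 else bytes(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def destroy_file(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink. Returns the file size that was overwritten."""
    size = overwrite_file(path, passes)
    os.unlink(path)
    return size


def demo() -> dict:
    """Write the sample to a temp file, overwrite it, verify, then remove it."""
    fd, path = tempfile.mkstemp(prefix="loanapp-")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_CONTENT)
    size = overwrite_file(path, passes=2)
    with open(path, "rb") as f:
        after = f.read()
    os.unlink(path)
    return {
        "size": size,
        "zeroed": after == bytes(len(SAMPLE_CONTENT)),
        "original_gone": SAMPLE_CONTENT[:16] not in after,
        "exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

For whole devices rather than single files, the same idea applies at the block level, but the certificate of destruction the paragraph asks for is still the record you want from a third party, not a promise that a wipe was run.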
As an asset, customer data may be up for sale in the case of bankruptcy. However, all parties to a bankruptcy should be familiar with the Federal Trade Commission's lawsuit brought against ToySmart under Section 5 of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. § 45(a), for disclosing, selling or offering for sale personal customer information, contrary to the terms of the company's privacy policy that personal information would never be disclosed to third parties. For more on this case, see www.ftc.gov/os/2000/07/toysmartconsent.htm
- When disposing of waste and recycling paper, are all documents that contain personally identifiable information placed in secure padlocked containers or shredded? (Shredding should be cross-cut shredding, not continuous [single-strip] shredding, whose strips can be reassembled.) Does your recycling company certify its disposal/destruction methods? Is it bonded?
- When engaging an external business to destroy records or electronic media, do you check references? Do you insist on a signed contract spelling out the terms of the relationship? Do you visit the destruction site and require that a certificate of destruction be issued upon completion?
- When dealing with another company or government agency, do you ask about its security protocol regarding personal information? Do you inquire whether it shares that information with anyone? Do you find out if it does background checks on employees with access to your personal information?
- Contracts with outside service providers as well as employee agreements should specify that customer data is the company’s exclusive property and should only be used as necessary to carry out contractor or employment duties. Such contracts and agreements should also incorporate the company’s privacy and data security policies.
F. Facsimile Transmission
Case: A medical doctor, who was filing for bankruptcy, faxed a financial document to his attorney. He entered the wrong telephone number, and the document was instead transmitted to the local newspaper.
- Is the fax machine in a supervised area, off-limits to unauthorized persons? Is use restricted to authorized personnel only?
- Is the fax machine used exclusively for sending nonconfidential materials?
- When sending documents, do all users complete a cover sheet that indicates the sender's and receiver's names, addresses and telephone numbers?
- When confidential materials are sent, is notice of their confidential nature indicated on the cover sheet?
- Do users always check the receiver's telephone number before transmitting documents? Do they compare the number displayed with number being called to check for errors? Do they check the transmission report after the fax has been sent?
- When transmitting confidential materials, is the recipient notified in advance that the document is being sent? Does the sender check with the receiver to make sure the document has been received?
For additional tips, read Guidelines for Facsimile Transmission Security, by the Information and Privacy Commissioner of Ontario. Web: www.ipc.on.ca/images/Resources/fax-gd-e.pdf [19]
G. Answering Machines and Voice Mail Systems
Case: Message left on the wrong answering machine when the phone number was misdialed: "Hello, Mrs. Weaver. This is Judy from the County Parole Office. You called earlier about your daughter Crystal? She has already been taken to the California Youth Authority [juvenile detention center]."
- Are precautions taken in situations where confidential and highly sensitive messages are expected to be left on answering machines or voice mail systems? Is the number of the call recipient verified for accuracy? Is permission asked of the intended call recipient to leave confidential messages? Are non-specific messages left when prior permission has not been obtained from the call recipient?
H. Wireless Communications
Case: As people stood in line to enter the theater, the cellular phone conversation of one theatergoer was overheard by those nearest her. It soon became obvious that the woman was a medical doctor talking about the care of a patient.
Conversations on analog cellular and cordless phones are vulnerable to eavesdropping because the signals are transmitted over radio waves. Anyone with a radio scanner can listen to your conversations unless you use newer digital models that encrypt the over-the-air transmission. "Digital" alone is not a guarantee: check that the handset actually encrypts the link.
- Are wireless phones strictly forbidden for conversations involving confidential information (for example, a patient's medical care or a lawsuit) unless secure digital models are used?
- Are wireless phone users cautioned to talk out of earshot of others nearby who might hear their half of the conversation?
- Has your organization adopted privacy guidelines for wireless communications? [27]
I. Portable Computers and Work-at-Home Situations
- Does the organization have policies and procedures for safeguarding personally identifiable information when transported outside of the office by portable computers and hand-held personal organizers? Such information should be encrypted, not just password-protected, to reduce the impact if it’s lost or stolen. [15]
- For employees who work at home, including temporary and contract staff, does the organization have policies, procedures and training programs that emphasize responsible information-handling practices?
- Is the network connection between home and work secure?
J. Social Security Numbers (SSNs) and the Use of Personal Identifiers
Case: The supervisor of a unit within a large state government agency sent an electronic mail message to every employee that listed all their names and Social Security numbers, disregarding the privacy and fraud implications of releasing that information.
The use of SSNs for record-keeping purposes and personal identifiers should be strongly discouraged, and, preferably, prohibited. Proliferation of SSNs puts customers and employees at risk of allowing unscrupulous persons to obtain the number for fraudulent purposes, for example, obtaining credit card accounts in another person’s name. (See the Privacy Rights Clearinghouse identity theft publications, Web: www.privacyrights.org/identity.htm. [23]. See also California Office of Privacy Protection, Recommended Practices for Protecting the Confidentiality of Social Security Numbers. Web: www.privacy.ca.gov/recommendations/ssnrecommendations.pdf [7])
- If the organization uses the SSN as a record-keeping number, does it offer its clients and/or employees the option of using an alternative number?
- Does the organization have a strict policy prohibiting the display of SSNs on any documents that are widely seen by others—for example, time cards, parking permits, employee rosters, mailing labels, paycheck stubs, health insurance cards?
- If the organization requires an access code for certain transactions (e.g., ATM cards, computer access, phone banking, security system codes, building access cards, passwords), does it prohibit the use of SSNs, or any part of the SSN such as the last four digits, as personal identifier numbers?
K. Guidelines for Security of Lists
Case: Before departing the singles dating-service office, a fired employee stole a computer diskette containing the supposedly confidential mailing list of all its clients. He sold the list to other dating services in the area.
Does your organization maintain information on clients, customers, potential customers, users, and/or members? Does it make those lists available to other entities by selling, renting, or exchanging them? If so, the Direct Marketing Association (DMA) recommends that the following guidelines be practiced. These are adapted from DMA's "Fair Information Practices Checklist." [10] The use of the word "customer" below can be altered to fit your specific situation, such as "client," "member" or "user." Web: www.the-dma.org
a. Does your organization offer its customers name-removal options? Are those options effectively communicated?
b. Do you subscribe to the DMA's name-removal services, the Mail Preference Service (MPS), and/or its E-mail Preference Service (EMPS)? Web: www.the-dma.org Are MPS and EMPS names removed prior to renting or exchanging lists? [10]
c. If you are a telemarketer, do you subscribe to the Federal Trade Commission's Do Not Call (DNC) Registry? Web: https://telemarketing.donotcall.gov [25] Are DNC numbers removed prior to renting or exchanging lists?
a. Is someone in your organization responsible for list security? Is someone responsible for keeping up to date on current laws and regulations regarding fair information practices?
b. Are your lists physically secure?
c. Are there sufficient restrictions—such as audit trails and strict penalties for violation—on your employees to protect against unauthorized access?
d. Does your organization instruct its employees in initial employee orientations and ongoing training programs that customer data are confidential?
e. Does the organization have adequate security to prevent remote computer access to your lists?
f. Does your organization ensure that list recipients employ sufficient safeguards? Does it make sure security measures are in place during the transfer of lists? Do you ensure the secure and timely return or destruction of lists used by other entities? Do you use a monitoring system to track list usage, such as the use of decoy names, called “seeding”?
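Item f above mentions "seeding": planting decoy names in a list so that, when mail turns up addressed to a decoy, the list owner can tell which recipient leaked or re-used the list. The following is an added example, not part of the PRC checklist or the DMA guidelines, of one way to generate per-recipient decoys and trace a sighting back. It assumes list entries are name/address pairs, that the owner keeps a secret key and a set of addresses it controls, and that a "sighting" is a piece of mail that arrived at one of those decoy addresses; the names, addresses, key and recipients are all constructed.

```python
"""List seeding: per-recipient decoy entries and tracing of a sighting.

Added example; not from the PRC checklist or the DMA. Assumptions: entries
are {"name", "address"} dicts; the owner holds a secret key (constructed
here) and controls the decoy addresses; decoys are derived with an HMAC so
the owner can recompute them without storing a table.
"""
import hashlib
import hmac
import random

# Plausible-looking names for decoys (constructed pools).
FIRST_NAMES = ["Alice", "Bruno", "Chandra", "Dmitri", "Esme", "Farid"]
LAST_NAMES = ["Okafor", "Lindqvist", "Moreau", "Sato", "Quintero", "Hale"]

# Constructed key. In practice: random, secret, stored only by the list owner.
KEY = b"example-only-list-owner-key"


def decoy_for(recipient: str, index: int, key: bytes) -> dict:
    """Deterministic decoy entry for (recipient, index).

    The PO box number carries 24 bits of the HMAC, so two recipients'
    decoys collide only by chance; the name is just for plausibility.
    """
    tag = hmac.new(key, f"{recipient}:{index}".encode(), hashlib.sha256).hexdigest()
    first = FIRST_NAMES[int(tag[6:8], 16) % len(FIRST_NAMES)]
    last = LAST_NAMES[int(tag[8:10], 16) % len(LAST_NAMES)]
    return {"name": f"{first} {last}",
            "address": f"PO Box {int(tag[:6], 16)}, Listville"}


def seed_list(entries: list, recipient: str, key: bytes, seeds: int = 2) -> list:
    """Copy of `entries` with `seeds` decoys for this recipient mixed in."""
    out = list(entries) + [decoy_for(recipient, i, key) for i in range(seeds)]
    random.shuffle(out)          # decoys should not sit at the end
    return out


def trace_sighting(sighting: dict, recipients: list, key: bytes, seeds: int = 2):
    """Which recipient's list did this decoy come from? None if not a decoy."""
    for recipient in recipients:
        for i in range(seeds):
            if decoy_for(recipient, i, key) == sighting:
                return recipient
    return None


# Constructed sample list and the firms it was rented to.
SAMPLE_LIST = [
    {"name": "Pat Rivera", "address": "12 Elm St, Listville"},
    {"name": "Sam Nguyen", "address": "88 Oak Ave, Listville"},
    {"name": "Lee Carter", "address": "5 Pine Rd, Listville"},
]
RECIPIENTS = ["DatingCo-A", "DatingCo-B", "DatingCo-C"]

if __name__ == "__main__":
    rented = seed_list(SAMPLE_LIST, "DatingCo-B", KEY)
    leaked = next(e for e in rented if e not in SAMPLE_LIST)
    print("mail to", leaked, "traces to", trace_sighting(leaked, RECIPIENTS, KEY))
```

Because the decoys are recomputed from the key, the owner only has to keep the key and the list of recipients; the decoy addresses, of course, must be ones the owner actually receives mail at, or the seeding detects nothing.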
a. Is your organization collecting only those consumer data that are pertinent and necessary for the purpose at hand?
b. Are you sensitive to a consumer's expectation that some personal information may be considered confidential and should not be used for marketing?
c. If your organization contributes customer data to a cooperative database, are you satisfied about the database's security?
a. Does your organization have the means to update its customer data?
b. Are customer data reviewed/revised by your organization on a regular basis?
c. Are customer inquiries regarding data accuracy answered promptly and to the customer's satisfaction?
The Privacy Rights Clearinghouse suggests these additional security guidelines:
a. Do you disclose up-front the intended uses of the data that are collected?
b. Do you allow the data subjects to inspect and correct data held about them?
II. DEVELOPING PRIVACY POLICIES FOR EMPLOYEE RELATIONS
- Does your organization have policies for handling the personal information of your employees? Such policy statements typically concern hiring procedures, personnel records, medical records, discipline procedures, email usage, electronic monitoring, and Internet access.
This document focuses on email/voice mail and electronic monitoring.
B. E-Mail and Voice Mail Systems
Case: Charles was absent from work for a month on disability leave. Upon his return, he was shocked to discover that his supervisor had changed his password and listened to his voice mail messages.
- Does your organization have a policy regarding the privacy expectations of its employees and any third party users (i.e., clients, customers), who use the email and/or voice mail systems? Are those policies effectively communicated to all employees and third-party users? [28] Points to include in your policy:
a. the purpose for which the system is to be used (business only? personal matters allowed? no trade secrets discussed?)
b. penalties for misuse
c. who is authorized to access e-mail/voice mail messages; the disposition of email/voice messages when the employee is on temporary but extended leave;
d. the retention/purge schedule for files, including retention procedures for possible use as legal evidence
e. expectations for privacy (none? only in files marked "private"?)
f. password creation/change procedures
g. the use of encryption (prohibited? allowed? required for sensitive communications?)
h. safeguards concerning copying and forwarding messages, especially messages containing personally identifiable data
i. how the policy is communicated, such as employee notice and training programs.
C. Electronic Monitoring
In addition to email monitoring, an increasing number of employers use a variety of employee-monitoring practices, such as telephone systems that allow supervisors to listen to telephone calls, computer keystroke monitoring systems that can determine work productivity, web-surfing monitoring, video monitoring systems, and locational detectors.
- Does the organization have a policy that states the types of monitoring being conducted and the uses made of monitoring data?
- Does the policy include procedures to safeguard sensitive personal information encountered in the process of monitoring?
- Is this policy communicated to all employees at time of hiring, as well as other times, at least annually?
- Does the policy include provisions for employees to appeal adverse decisions based on data collected by the monitoring system?
- If telephone monitoring is being conducted, does the organization provide telephones that are not monitored and can be used for personal calls (at least pay phones)?
III. RESOURCES
1. American Health Information Management Association, 233 N. Michigan Ave. #2150, Chicago, IL 60611. (312) 233-1100. Web: www.ahima.org
2. American Management Association (AMACOM), 1601 Broadway, New York, NY 10019. (212) 903-7976. Web: www.amanet.org
3. American Society for Industrial Security, 1625 Prince St., Alexandria, VA 22314. (703) 519-6200. Web: www.asisonline.org
4. Association for Computing Machinery, 2 Penn Plaza No. 701, New York, NY 10121. (800) 342-6626. Web: www.acm.org
5. Association of Records Managers and Administrators, 13725 W. 109th St. No. 101, Lenexa, KS 66215. (800) 422-2762. Web: www.arma.org
6. Better Business Bureau. Security & Privacy – Made Simpler. (2006) Web: www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf
7. California Office of Privacy Protection. Recommended Practices on Notice of Security Breach Involving Personal Information. (2007) 1625 North Blvd. Suite N324, Sacramento, CA 95834. (916) 574-8180. Web: www.privacy.ca.gov
8. Canadian Standards Association. Privacy Code. Web: www.csa.ca/standards/privacy/code
9. Cassilly, Lisa H., and Clare Draper. Privacy in the Workplace: A Guide for Attorneys and HR Professionals. (Pike & Fischer, Inc., 2002) Web: www.pf.com/privacyWorkplacePD.asp
10. Direct Marketing Association, 1120 Avenue of the Americas, New York, NY 10036-6700. (212) 768-7277. Web: www.the-dma.org
11. Hubbartt, William S. The New Battle Over Workplace Privacy. (New York: American Management Assoc., 1998) Web: www.amacom.org
12. Institute of Electrical and Electronics Engineers. (800) 678-4333. Web: www.ieee.org
13. International Association of Privacy Professionals, 266 York St., York, ME 03909. (207) 351-1500. Web: www.privacyassociation.org
14. International Organization for Standardization (ISO), Geneva, Switzerland. Web: www.iso.org/iso/en/aboutiso/introduction/index.html
15. LabMice.net. Laptop Security Guidelines. (December 10, 2003) Web: http://labmice.techtarget.com/articles/laptopsecurity.htm
16. Lane III, Frederick S. The Naked Employee: How Technology is Compromising Workplace Privacy. (New York: American Management Assoc., 2003) Web: www.amacom.org
17. Lotito, Michael J. and Lynn C. Outwater. Minding Your Business: Legal Issues and Practical Answers for Managing Workplace Privacy. (Society for Human Resource Management, 1997) Web: www.shrm.org
18. Online Privacy Alliance, Hogan and Hartson, 555 13th St. NW, Washington, DC 20004. (202) 637-5600. Web: www.privacyalliance.com
19. Ontario [Canada] Office of the Information and Privacy Commissioner. Guidelines on Facsimile Transmission Security. (2003) Web: www.ipc.on.ca/images/Resources/fax-gd-e.pdf
20. Organisation for Economic Cooperation and Development. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Web: www.oecd.org
21. Ponemon Institute (Dr. Larry Ponemon). (800) 887-3118. Web: www.ponemon.org
22. Privacy and American Business. Web: www.privacyexchange.org [NOTE: The organization is no longer active, but its Web site is operational.]
23. Privacy Rights Clearinghouse. Web: www.privacyrights.org
- Fact Sheet 16b. Employment Background Checks: A Guide for Small Business Owners. Web: www.privacyrights.org/fs/fs16b-smallbus.htm
- Identity theft resources. Web: www.privacyrights.org/identity.htm
24. Society for Human Resource Management, 1800 Duke St., Alexandria, VA 22314. (800) 283-SHRM. Web: www.shrm.org
25. U.S. Federal Trade Commission.
- FTC's Identity Theft Site. Web: www.ftc.gov/bcp/edu/microsites/idtheft
- Do Not Call Registry subscription information. Web: https://telemarketing.donotcall.gov
26. Web privacy seal programs. Web sites: www.bbbonline.org, www.truste.org, and www.webtrust.org
27. TRUSTe. Wireless Privacy Principles and Implementation Guidelines. (2004) Web: www.truste.org/about/press_release/02_18_04.php
28. Wood, Charles Cresson. Information Security Policies Made Easy: A Policy Construction Kit. Baseline Software. This costly compendium contains over 1,300 already written policies in a printed manual and CD-ROM. (888) 641-0500. Web: www.informationshield.com