A Checklist of Responsible Information-Handling Practices
Case: A credit bureau mailed a credit report to a man who had requested it, and mistakenly included the credit report of a woman who had no connection to him. To make matters worse, the woman's credit report had been "flagged" by the credit bureau for security purposes.*
* All case studies reported in this Fact Sheet are true stories taken from the PRC hotline log.
Introduction
When we think about data breaches, we often worry about malicious-minded
computer hackers exploiting software flaws or perhaps Internet criminals
seeking to enrich themselves at our expense. But the truth is more
complicated than that.
Hardly a week goes by without a news story about some firm or government
agency losing control over vast quantities of customer or client information.
In fact, the Privacy Rights Clearinghouse reported that more than 100 million personal records were improperly exposed from 2005 through 2006. www.privacyrights.org/ar/ChronDataBreaches.htm
So what is causing this massive, unauthorized
release of personal records? In many cases, it’s “shortcomings in people, process
and policy” as well as flaws in technology, according to one
top security-industry official. www.appsecinc.com/news/pr/2006_12_14_100MILLION.shtml
Thus, a critical starting point for preventing
future security breaches (and the identity theft that can follow)
is developing ironclad policies and practices for handling personal
information from within the workplace. In the past, security often
was dealt with by trying to protect sensitive data from outside intrusion.
But in today’s reality, that leaves
far too much room for internal errors, carelessness, and wrongdoing
by those who handle personal information. Responsible data-handling
practices begin with the development of workplace privacy policies
and the implementation of regular training programs for employees.
A Business Issue
The proliferation of office printers, copiers,
fax machines, email, laptop computers, personal digital assistants
(PDAs), and portable storage devices (even including consumer gadgets
such as the iPod) has allowed for dissemination — accidental or intentional — of
information in quantities never before imagined. Thus, the challenge
for organizations is not just in keeping track of the ever-growing
mountain of new information being produced each year, but also monitoring
and managing the archives. Putting clear policies in place is essential.
Privacy is increasingly a business issue.
Data breaches can cost companies millions of dollars per incident
in direct costs such as notifying victims. Corporate reputations
also can suffer. Twenty percent of data-breach victims cut ties with institutions that compromised their privacy, according to one study by the Ponemon Institute. [21] www.ponemon.org
What’s more, lawsuits against firms
for negligent handling of personal information are becoming more
common. Many states have passed laws requiring companies to inform
their customers if their personal information has been stolen or
possibly compromised. And some states have passed laws allowing individuals
to sue organizations that fail to safeguard their private data. Federal
statutes and regulations also permit government agencies to sue organizations
over data breaches and other failures.
Many employers are imposing new restrictions
on who can take confidential records out of the office and are providing
special training on how to keep data secure. Workers found violating
security policies are being disciplined, or even dismissed. So whether or not a company is cracking down on computer security, employees should consider protecting themselves. Experts say it's wise to check your company's policy, or to urge that such policies be adopted or clarified.
Using This Checklist
This checklist provides an overview of key points to consider when
preparing information-handling policies and conducting privacy audits
within your organization. The checklist can be used by private, public
and not-for-profit organizations alike. Not all points will be relevant
to your organization.
Some situations may require you to take
more stringent steps than those listed here. For example, medical
records may necessitate extraordinary steps. (See [1] under “Resources” at
the end of this checklist for more details on medical security. Similar
bracketed citation numbers refer to other references in that list
of Resources.)
The checklist is divided into two sections. Section I suggests issues
to consider when drafting privacy principles to safeguard the personal
information of your clients and customers. Section II concerns
privacy policies affecting your employees, such as personnel
records, electronic monitoring, and email.
Understand that this is not an issue you can address once and have
solved forever. Threats will change, technology will change, and employees
will change. So your plans and processes should change along with them.
Updates are crucial.
No one is immune. While some companies have
data collection as their core business, all firms collect information
on their clients, customers, and employees. Don’t wait until a
computer goes missing to think about what actions to take. Develop a
complete checklist now.
I. DEVELOPING PRIVACY POLICIES TO GUIDE CUSTOMER / CLIENT RELATIONS
A. Organizational Policies
- Does your organization
have policies that outline its privacy practices and expectations
for handling the personal information of its clients, customers,
users, members and/or listees? [10] [13] [15] [17]
- Are your organization's
privacy policies communicated regularly? Opportunities include in
employees’ initial training sessions, in regular organization-wide
training programs, in employee handbooks, on posters and posted signs,
on company intranet and Internet Web sites, in brochures available
to clients. Are all employees who handle personal information included
in the training programs, including temporary employees, back-up
personnel, and contract staff?
- Is your organization familiar with, and has it adopted, the International Organization for Standardization (ISO) security standard known as ISO 27001? www.iso.org For a guide to ISO 27001, visit www.iso27001security.com/index.html . [14] The Web site for the ISO 27001 User Group is www.17799.com . The progress of the 27000 standards is being tracked at the Web site of the ISO 27001 and ISO 27002 Directory: www.27000.org .
B. Privacy Principles
The major components of effective privacy policies are listed below,
adapted from the fair information practices developed by the Organisation
for Economic Cooperation and Development (OECD). www.oecd.org [20] Another
useful compendium is the Canadian Privacy Code. [8] Although designed
to guide the development of national privacy legislation, these principles
are also appropriate for organizations.
- Openness. A general practice of openness about practices and policies should exist. Means should be available to establish the existence and nature of personal information and the main purposes of its use.
- Purpose specification. The purpose for collecting personal information should be specified at the time of collection. Further uses should be limited to those purposes.
- Collection limitation. Personal information should be collected by lawful and fair means and with the knowledge and consent of the subject. Only that information necessary for the stated purpose should be collected, nothing more.
- Use limitation. Personal information should not be disclosed for secondary purposes without the consent of the subject or by authority of law.
- Individual participation. Individuals should be allowed to inspect and correct their personal information. Whenever possible, personal information should be collected directly from the individual.
- Quality. Personal information should be accurate, complete and timely, and be relevant to the purposes for which it is to be used.
- Security safeguards. Personal information should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure. Access to personal information should be limited to only those within the organization with a specific need to see it.
- Accountability. Someone within the organization, such as the chief privacy officer or an information manager, should be held accountable for complying with its privacy policy. Privacy audits to monitor organizational compliance should be conducted on a regular basis, as should employee training programs.
- There are many variations of fair-information principles. The industry
group Online Privacy Alliance has developed a set of principles for use
on Web sites. www.privacyalliance.com [18]
Industry-oriented policies often lack key principles such as purpose
specification, use limitation, and accountability. See also Web site “seal” programs
such as TRUSTe, BBBOnline, and WebTrust. [26]
C. Data and Network Security
Security of personally
identifiable information—whether stored
in electronic, paper or micro-graphic form—is covered in many books,
journals, trade magazines, and conferences. Only the major points are
listed here. For additional information, consult professional and trade
associations as well as libraries, your nearest technical bookstore,
and the Web. Many such professional associations are listed in the Resources
section at the end of this guide.
- Do
you have staff specifically assigned to data security? Do staff members
participate in regular training programs to keep abreast of technical
and legal issues?
- Have
you developed a security breach response plan in the event that your
company or organization experiences a data breach? [7]
- Have
you developed security guidelines for laptops and other portable computing
devices when transported off-site? [15]
- Is
physical access restricted to computer operations and paper/micrographic
files that contain personally identifiable information? Do you have
procedures to prevent former employees from gaining access to computers
and paper files?
- Are
sensitive files segregated in secure areas/computer systems and available
only to qualified persons?
- Do
you have audit procedures and strict penalties in place to prevent
telephone fraud and theft of equipment and information?
- Do all employees
follow strict password and virus protection procedures? Are employees
required to change passwords often, using "foolproof" methods?
- Is
encryption used to protect sensitive information (a particularly important
measure when transmitting personally-identifiable information over
the Internet)?
- Do you regularly conduct systems-penetration tests to determine if your systems are hacker-proof?
- If your
organization is potentially susceptible to industrial espionage, have
you taken extra precautions to guard against leakage of information?
[3]
D. Some Additional "Common Sense" Security Practices
Case: A medical office photocopied more of a car
accident victim's record than necessary and released extremely sensitive
but irrelevant information to the insurance company. Information
about the woman's child, given up for adoption 30 years ago, eventually
became part of the court record, a public document.
- When providing
copies of information for others, do employees make sure that nonessential
information is removed and that personally identifiable information
that has no relevance to the transaction is either removed or masked?
- Are employees trained
never to leave computer terminals unattended when personally identifiable
information is on the screen? Do you use password-activated screen-saver
programs?
- Are all employees
who handle personal information—including temporary, back-up
and contract staff—trained to detect when they are being "pumped" for
personal information by unauthorized and unscrupulous persons? "Pretext" interviews
are more common than might be expected and are the stock in trade of
persons bent on finding out confidential personal information to which
they are not entitled.
- Do you perform
background checks on prospective employees who will have access to
personal information of customers, clients, or employees? [23]
- Have you inventoried the various types of data being stored and classified it according to how important it is and how costly it would be to the organization if it were lost or stolen?
E. Records Retention and Disposal
Case: An automobile
dealer did not shred loan applications before tossing them into the
garbage. A "dumpster diver" retrieved
one and used the financial information to commit thousands of dollars
of fraud against someone who’d applied for a car loan.
- Does your organization have a records retention/disposal schedule for personally identifiable information, whether stored in paper, micrographic or magnetic/electronic (computer) media? [1] [5]
- When disposing of computers, diskettes, magnetic tapes, CD-ROMs, hard drives, memory sticks, motherboards, and any other electronic media which contain personally identifiable information, are all data rendered unrecoverable, either by physically destroying the device or by overwriting the data sufficiently to ensure destruction? If you use third-party services for computer recycling or destruction, have you selected a service that provides a certificate of destruction? Does it dispose of toxic materials properly?
- When disposing of waste and recycling paper, are all documents that
contain personally identifiable information placed in secure padlocked
containers or shredded? (Shredding should be cross-cut shredding, not
simply continuous [single-strip] shredding, which can be reconstructed.)
Does your recycling company certify its disposal/destruction methods?
Is it bonded?
- When engaging an external
business to destroy records or electronic media, do you check references?
Do you insist on a signed contract spelling out the terms of the relationship?
Do you visit the destruction site and require that a certificate of
destruction be issued upon completion?
- When dealing with another company or government agency, do you ask
about its security protocol regarding personal information? Do you
inquire whether it shares that information with anyone? Do you find
out if it does background checks on employees with access to your personal
information?
F. Facsimile Transmission
Case: A medical doctor, who was filing for bankruptcy,
faxed a financial document to his attorney. He entered the wrong
telephone number, and the document was instead transmitted to the
local newspaper.
- Is the fax machine in a supervised area, off-limits to unauthorized
persons? Is use restricted to authorized personnel only?
- Is
the fax machine used exclusively for sending nonconfidential materials?
- When
sending documents, do all users complete a cover sheet that indicates
the sender's and receiver's names, addresses and telephone numbers?
- When
confidential materials are sent, is notice of their confidential
nature indicated on the cover sheet?
- Do users always check the receiver's telephone number before transmitting documents? Do they compare the number displayed with the number being called to check for errors? Do they check the transmission report after the fax has been sent?
- When
transmitting confidential materials, is the recipient notified in
advance that the document is being sent? Does the sender check with
the receiver to make sure the document has been received?
For additional tips, read Guidelines for Facsimile Transmission Security, by the Information and Privacy Commissioner of Ontario. Web: www.ipc.on.ca/images/Resources/fax-gd-e.pdf [19]
G. Answering Machines and Voice Mail Systems
Case: Message
left on the wrong answering machine when the phone number was misdialed: "Hello,
Mrs. Weaver. This is Judy from the County Parole Office. You called
earlier about your daughter Crystal? She has already been taken
to the California Youth Authority [juvenile detention center]."
- Are precautions taken in situations where confidential
and highly sensitive messages are expected to be left on answering
machines or voice mail systems? Is the number of the call recipient
verified for accuracy? Is permission asked of the intended call recipient
to leave confidential messages? Are non-specific messages left when
prior permission has not been obtained from the call recipient?
H. Wireless Communications
Case: As people stood in line to enter the theater,
the cellular phone conversation of one theatergoer was overheard
by those nearest her. It soon became obvious that the woman was a
medical doctor talking about the care of a patient.
Conversations on cellular and cordless phones are
vulnerable to eavesdropping because the signals are transmitted over
radio waves. Anyone with a radio scanner can listen to your conversations
unless you use newer model digital devices that use encrypted data transmission
and/or a transmission technology that cannot be deciphered by common
radio scanners.
- Are wireless phones strictly
forbidden for conversations involving confidential information (for
example, a patient's medical care or a lawsuit) unless secure digital
models are used?
- Are wireless phone users cautioned to talk out
of earshot of others nearby who might hear their half of the conversation?
- Has your organization adopted privacy guidelines
for wireless communications? [27]
I. Portable Computers and Work-at-Home Situations
- Does
the organization have policies and procedures for safeguarding
personally identifiable information when transported outside of
the office by portable computers and hand-held personal organizers?
Such information should be encrypted, not just password-protected,
to reduce the impact if it’s lost
or stolen. [15]
- For employees who work at
home, including temporary and contract staff, does the organization
have policies, procedures and training programs that emphasize responsible
information-handling practices?
- Is the network connection between home and work
secure?
J. Social Security Numbers (SSNs) and the Use of Personal Identifiers
Case: The
supervisor of a unit within a large state government agency sent
an electronic mail message to every employee that listed all their
names and Social Security numbers, disregarding the privacy and
fraud implications of releasing that information.
The use of SSNs for
record-keeping purposes and personal identifiers should be strongly
discouraged, and, preferably, prohibited. Proliferation of SSNs puts
customers and employees at risk of allowing unscrupulous persons
to obtain the number for fraudulent purposes, for example, obtaining
credit card accounts in another person’s
name. (See the Privacy Rights Clearinghouse identity theft publications,
Web: www.privacyrights.org/identity.htm. [23].
See also California Office of Privacy Protection, Recommended Practices
for Protecting the Confidentiality of Social Security Numbers. Web: www.privacy.ca.gov/recommendations/ssnrecommendations.pdf [7])
- If the organization uses
the SSN as a record-keeping number, does it offer its clients and/or
employees the option of using an alternative number?
- Does
the organization have a strict policy prohibiting the display of
SSNs on any documents that are widely seen by others—for
example, time cards, parking permits, employee rosters, mailing
labels, paycheck stubs, health insurance cards?
- If the organization
requires an access code for certain transactions (e.g., ATM cards,
computer access, phone banking, security system codes, building access
cards, passwords), does it prohibit the use of SSNs, or any part
of the SSN such as the last four digits, as personal identifier numbers?
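As an added example (not from the PRC fact sheet), a small outbound-message check in Python that flags and fully masks SSNs before a roster like the one in the case above leaves the organization, and rejects access codes built from SSN digits. The structural validity rules (area never 000, 666 or 900-999; group never 00; serial never 0000) are the Social Security Administration's; the sample message and the helper names are constructed.

```python
import re

# Nine digits in the common layouts: 123-45-6789, 123 45 6789, 123456789.
# The word boundaries stop it matching inside longer digit runs such as
# ten-digit phone numbers.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA applies: area is never 000, 666 or 900-999,
    group is never 00 and serial is never 0000. Screens out order numbers
    and similar nine-digit values that merely look like an SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Plausible SSNs found in a message, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def mask_ssns(text: str) -> str:
    """Replace every plausible SSN with XXX-XX-XXXX. The whole number is masked,
    not just the first five digits, since the checklist treats the last four
    as sensitive in their own right."""
    def repl(m):
        return "XXX-XX-XXXX" if is_plausible_ssn(*m.groups()) else m.group(0)
    return SSN_RE.sub(repl, text)


def code_derived_from_ssn(code: str, ssn: str) -> bool:
    """True when an access code or PIN is a run of four or more consecutive
    SSN digits (the last four, the first five, and so on)."""
    ssn_digits = re.sub(r"\D", "", ssn)
    code_digits = re.sub(r"\D", "", code)
    return len(code_digits) >= 4 and code_digits in ssn_digits


def review_outgoing(text: str):
    """Gate for a message about to leave the organization:
    returns (SSNs found, masked copy)."""
    return find_ssns(text), mask_ssns(text)


# Constructed sample: an all-staff roster like the one in the case above.
SAMPLE_EMAIL = """Team roster for the audit:
Alice Example, 219-09-9999, ext. 4021
Bob Example, 123 45 6789, ext. 4022
Purchase order 000-12-3456 is not a person.
Questions: call 555-010-4321."""

if __name__ == "__main__":
    found, cleaned = review_outgoing(SAMPLE_EMAIL)
    print(f"{len(found)} SSN(s) found; masked copy follows:\n{cleaned}")
    print("PIN 9999 derived from SSN?", code_derived_from_ssn("9999", "219-09-9999"))
```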
K. Guidelines for Security of Lists
Case: Before
departing the singles dating-service office, a fired employee stole
a computer diskette containing the supposedly confidential mailing
list of all its clients. He sold the list to other dating services
in the area.
Does your organization
maintain information on clients, customers, potential customers,
users, and/or members? Does it make those lists available to other
entities by selling, renting, or exchanging them? If so, the Direct
Marketing Association (DMA) recommends that the following guidelines
be practiced. These are adapted from DMA's "Fair
Information Practices Checklist." [10] The
use of the word "customer" below
can be altered to fit your specific situation, such as "client," "member" or "user." Web: www.the-dma.org
1. Opt-out program
a. Does
your organization offer its customers name-removal options? Are
those options effectively communicated?
b. Do
you subscribe to the DMA's name-removal services, the Mail Preference
Service (MPS), and/or its E-mail Preference Service (EMPS)? Web: www.the-dma.org Are
MPS and EMPS names removed prior to renting or exchanging lists?
[10]
c. If you are a telemarketer,
do you subscribe to the Federal Trade Commission’s Do Not Call
(DNC) Registry? Web: https://telemarketing.donotcall.gov Are
DNC numbers removed prior to renting or exchanging lists? [25]
2. Security practices
a. Is
someone in your organization responsible for list security? Is someone
responsible for keeping up to date on current laws and regulations
regarding fair information practices?
b. Are your
lists physically secure?
c. Are there
sufficient restrictions—such as audit trails and strict penalties for violation—on
your employees to protect against unauthorized access?
d. Does your
organization instruct its employees in initial employee orientations and ongoing
training programs that customer data are confidential?
e. Does the
organization have adequate security to prevent remote computer access to your
lists?
f. Does your
organization ensure that list recipients employ sufficient safeguards?
Does it make sure security measures are in place during the transfer
of lists? Do you ensure the secure and timely return or destruction
of lists used by other entities? Do you use a monitoring system to
track list usage, such as the use of decoy names, called “seeding”?
3. Use of marketing data
a. Is
your organization collecting only those consumer data that are pertinent
and necessary for the purpose at hand?
b. Are you
sensitive to a consumer's expectation that some personal information may be considered
confidential and should not be used for marketing?
c. If your organization contributes customer data to a cooperative database, are you satisfied about the database's security?
4. Data accuracy
a. Does
your organization have the means to update its customer data?
b. Are customer
data reviewed/revised by your organization on a regular basis?
c. Are customer
inquiries regarding data accuracy answered promptly and to the customer's satisfaction?
5. Additional tips
The Privacy Rights Clearinghouse suggests these
additional security guidelines:
a. Do
you disclose up-front the intended uses of the data that are collected?
b. Do you allow the data subjects to inspect and correct data held about
them?
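The "seeding" mentioned in item 2.f above, worked through as an added Python example (not from the fact sheet or the DMA): each recipient of a rented list gets its own decoy addresses, derived with an HMAC from a key only the list owner holds, so that when mail later arrives at a decoy address the owner can tell which recipient's copy was misused. The key, seed domain, customer records and observed addresses are all constructed.

```python
import hashlib
import hmac

# Constructed key and domain; in practice the list owner keeps the key private
# and controls the mailboxes at the seed domain so it sees what arrives there.
SEED_KEY = b"constructed-demo-key-do-not-reuse"
SEED_DOMAIN = "seeds.example.com"


def seed_address(recipient_id: str, n: int) -> str:
    """Deterministic decoy address for the n-th seed planted in one recipient's
    copy. HMAC makes the address unguessable without the key, yet the owner can
    regenerate it later instead of storing every seed."""
    msg = f"{recipient_id}:{n}".encode()
    tag = hmac.new(SEED_KEY, msg, hashlib.sha256).hexdigest()[:10]
    return f"seed-{tag}@{SEED_DOMAIN}"


def seed_list(records: list, recipient_id: str, count: int = 3) -> list:
    """Return a copy of the customer list with `count` decoys for this recipient,
    spread through the list rather than appended, so they are not obvious."""
    seeded = list(records)
    for n in range(count):
        addr = seed_address(recipient_id, n)
        decoy = {"name": f"Seed Contact {n + 1}", "email": addr}
        # Insert position derived from the HMAC tag, so placement is reproducible.
        pos = int(addr[5:9], 16) % (len(seeded) + 1)
        seeded.insert(pos, decoy)
    return seeded


def trace_leak(seen_addresses: list, recipient_ids: list, count: int = 3) -> dict:
    """Match addresses that received unauthorized mail against every recipient's
    regenerated seeds; returns {recipient_id: [matching seed addresses]}."""
    index = {seed_address(r, n): r for r in recipient_ids for n in range(count)}
    hits: dict = {}
    for addr in seen_addresses:
        owner = index.get(addr.strip().lower())
        if owner is not None:
            hits.setdefault(owner, []).append(addr)
    return hits


# Constructed data: a small customer list and two list renters.
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com"},
    {"name": "Bob Example", "email": "bob@example.com"},
    {"name": "Carol Example", "email": "carol@example.com"},
]
RECIPIENTS = ["renter-A", "renter-B"]

# Constructed: addresses that later turned up on an unrelated mailing,
# including one of renter-B's seeds.
OBSERVED = ["someone@example.net", seed_address("renter-B", 1), "other@example.org"]

if __name__ == "__main__":
    for r in RECIPIENTS:
        print(r, [rec["email"] for rec in seed_list(CUSTOMERS, r)])
    print("leak traced to:", trace_leak(OBSERVED, RECIPIENTS))
```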
II. DEVELOPING PRIVACY POLICIES FOR EMPLOYEE RELATIONS
A. In-house Privacy Policies
- Does your organization
have policies for handling the personal information of your employees?
Such policy statements typically concern hiring procedures, personnel
records, medical records, discipline procedures, email usage, electronic
monitoring, and Internet access.
This document focuses on email/voice mail and electronic monitoring.
B. E-Mail and Voice Mail Systems
Case: Charles
was absent from work for a month on disability leave. Upon his return,
he was shocked to discover that his supervisor had changed his password
and listened to his voice mail messages.
- Does your organization
have a policy regarding the privacy expectations of its employees
and any third party users (i.e., clients,
customers), who use the email and/or voice mail systems? Are those
policies effectively communicated to all employees and third-party
users? [28] Points
to include in your policy:
a. the
purpose for which the system is to be used (business only? personal
matters allowed? no trade secrets discussed?)
b. penalties
for misuse
c. who is authorized
to access e-mail/voice mail messages; the disposition of email/voice messages
when the employee is on temporary but extended leave;
d. the retention/purge
schedule for files, including retention procedures for possible use as legal
evidence
e. expectations
for privacy (none? only in files marked "private"?)
f. password
creation/change procedures
g. the use
of encryption (prohibited? allowed? required for sensitive communications?)
h. safeguards
concerning copying and forwarding messages, especially messages containing personally
identifiable data
i. how the policy
is communicated, such as employee notice and training programs.
C. Electronic Monitoring
In addition to email monitoring, an increasing
number of employers use a variety of employee-monitoring practices, such
as telephone systems that allow supervisors to listen to telephone calls,
computer keystroke monitoring systems that can determine work productivity,
web-surfing monitoring, video monitoring systems, and locational detectors.
- Does the organization
have a policy that states the types of monitoring being conducted and
the uses made of monitoring data?
- Does the policy include procedures to safeguard
sensitive personal information encountered in the process of monitoring?
- Is this policy communicated to all employees at time of hiring, as
well as other times, at least annually?
- Does the policy include provisions for employees to appeal adverse
decisions based on data collected by the monitoring system?
- If telephone monitoring
is being conducted, does the organization provide telephones that are
not monitored and can be used for personal calls (at least pay phones)?
III. Resources
1. American Health Information Management Association, 233 N. Michigan Ave. #2150, Chicago, IL 60611. (312) 233-1100. Web: www.ahima.org
2. American Management Association (AMACOM). 1601 Broadway, New York, NY 10019. (212) 903-7976. Web: www.amanet.org
3. American Society for Industrial Security, 1625 Prince St., Alexandria, VA 22314. (703) 519-6200. Web: www.asisonline.org
4. Association for Computing Machinery, 2 Penn Plaza No. 701, New York, NY 10121. (800) 342-6626. Web: www.acm.org
5. Association of Records Managers and Administrators, 13725 W. 109th St. No. 101, Lenexa, KS 66215. (800) 422-2762. Web: www.arma.org
6. Better Business Bureau. Security & Privacy – Made Simpler. (2006) Web: www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf
7. California Office of Privacy Protection, Recommended Practices on Notice of Security Breach Involving Personal Information. (2007) 1625 North Blvd. Suite N324, Sacramento, CA 95834. (916) 574-8180. Web: www.privacy.ca.gov
8. Canadian Standards Association. Privacy Code. Web: www.csa.ca/standards/privacy/code
9. Cassilly, Lisa H., and Clare Draper. Privacy in the Workplace: A Guide for Attorneys and HR Professionals. (Pike & Fischer, Inc., 2002) Web: www.pf.com/privacyWorkplacePD.asp
10. Direct Marketing Association, 1120 Avenue of the Americas, New York, NY 10036-6700. (212) 768-7277. Web: www.the-dma.org
11. Hubbartt, William S. The New Battle Over Workplace Privacy. (New York: American Management Assoc., 1998). Web: www.amacom.org
12. Institute of Electrical and Electronics Engineers. (800) 678-4333. Web: www.ieee.org
13. International Association of Privacy Professionals, 266 York St., York, ME 03909. (207) 351-1500. Web: www.privacyassociation.org
14. International Organization for Standardization (ISO), Geneva, Switzerland. Web: www.iso.org/iso/en/aboutiso/introduction/index.html
15. LabMice.net. Laptop Security Guidelines. (December 10, 2003). Web: http://labmice.techtarget.com/articles/laptopsecurity.htm
16. Lane III, Frederick S. The Naked Employee: How Technology is Compromising Workplace Privacy. (New York: American Management Assoc., 2003). Web: www.amacom.org
17. Lotito, Michael J. and Lynn C. Outwater. Minding Your Business: Legal Issues and Practical Answers for Managing Workplace Privacy. (Society for Human Resource Management, 1997) Web: www.shrm.org
18. Online Privacy Alliance, Hogan and Hartson, 555 13th St. NW, Washington, DC 20004. (202) 637-5600. Web: www.privacyalliance.com
19. Ontario [Canada] Office of the Information and Privacy Commissioner. Guidelines on Facsimile Transmission Security. (2003) Web: www.ipc.on.ca/images/Resources/fax-gd-e.pdf
20. Organisation for Economic Cooperation and Development. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Web: www.oecd.org
21. Ponemon Institute (Dr. Larry Ponemon). (800) 887-3118. Web: www.ponemon.org
22. Privacy and American Business. Web: www.privacyexchange.org [NOTE: The organization is no longer active, but its Web site is operational.]
23. Privacy Rights Clearinghouse. Web: www.privacyrights.org
24. Society for Human Resource Management, 1800 Duke St., Alexandria, VA 22314. (800) 283-SHRM. Web: www.shrm.org
25. U.S. Federal Trade Commission.
26. Web privacy seal programs: Web sites: www.bbbonline.org, www.truste.org, and www.webtrust.org
27. Truste.org. Wireless Privacy Principles and Implementation Guidelines. (2004) Web: www.truste.org/about/press_release/02_18_04.php
28. Wood, Charles Cresson. Information Security Policies Made Easy: A Policy Construction Kit. Baseline Software. This costly compendium contains over 1,300 already written policies in a printed manual and CD-ROM. (888) 641-0500. Web: www.informationshield.com