03 December 2011

TOC: The Implications of Consumer Privacy...

Operational risks are pervasive in nearly every business, large and small. A small business can learn a tremendous amount from the failures of large corporate enterprises. Privacy laws in the United States apply to every business owner, from a sole practitioner to a soon-to-be corporation with a $100 billion valuation.

Consumer privacy is at stake, and with it the risks that come with protecting the personally identifiable information (PII) of clients, members and customers. Learning the lessons from the organizations that have already made changes, and that work daily to comply with the regulatory frameworks, can benefit everyone. Here is what you can learn from Facebook:


Lessons from the Facebook settlement (even if you're not Facebook)
By Lesley Fair
December 2, 2011 - 1:16pm

The terms of the FTC's proposed settlement apply only to Facebook. But to paraphrase noted legal scholar Bob Dylan, companies that want to stay off the law enforcement radar don't need a weatherman to know which way the wind blows. What practical pointers can your business take from the Facebook case and other recent FTC actions dealing with consumer privacy?

Law practices, CPA firms and medical offices can learn these lessons. An auto dealer can learn these lessons. A small business reselling high-technology products should heed these lessons learned. Why? Because the cost of a data record lost to ID theft and the other facets of "Transnational Organized Crime" (TOC) is now an economic risk that prudent business executives can no longer ignore. One only has to look at what has been happening in the health care sector as one example:

December 01, 2011, CSO

Security breaches among healthcare organizations are soaring. That's the conclusion of the Second Annual Benchmark Study on Patient Privacy and Data Security conducted by the Ponemon Institute and sponsored by ID Experts.

A total of 72 healthcare organizations were surveyed, and, on average, the cost of data breaches to these organizations rose $183,526 from 2010, to $2,243,700. The absolute number of breaches is also increasing: up 32 percent year over year, with 96 percent of those providers surveyed reporting at least one data breach in the past 24 months.


Extrapolating the study to the entire healthcare industry, Ponemon estimates that data breaches could be costing the U.S. healthcare industry between $4.2 billion and $8.1 billion a year, or an average of $6.5 billion.

The majority of these breaches weren't caused by sophisticated hacks or so-called advanced persistent threats. No. Most of the breaches, the survey found, were the result of employees losing their IT devices or having them stolen (49 percent of respondents) or of other unintentional, but ill-advised, employee action (41 percent). Shoddy security from partners and providers, including business associates, was another significant reason, according to 46 percent of participants.


Beyond the cost of a data breach, Operational Risk professionals understand that human behavior is the reason behind many of these incidents. Employees, not clandestine hackers or malicious code sent from afar, can be the major threat. So what can a Chief Privacy Officer do to mitigate the risks posed by employees and their behavior? Education and awareness campaigns may help, but the management of the information itself is the place to begin. Information governance, and the steps used to acquire, ingest and process that information, is paramount.

Whether you are in the business of "Social Networking" like Facebook or you are the regional health care system in your state, the privacy of consumer information is at stake. In many cases that stolen information ends up in the hands of "Transnational Criminal Organizations", where it becomes the lifeblood of their business operations and perpetuates their fraud schemes. These schemes are impacting the economic security of major organizations in the private sector, and the U.S. government (USG) has started to realize the threat. Combined with other factors associated with legitimate business operations, organized crime syndicates have infiltrated the country and are costing it billions of dollars per year.

Here are several actions the USG will be taking as the TOC strategy is implemented:

  • Implement a new Executive Order to prohibit the transactions and block the assets under U.S. jurisdiction of TOC networks and their associates that threaten critical U.S. interests.
  • Prevent or disrupt criminal involvement in emerging and strategic markets.
  • Increase awareness and provide incentives and alternatives for the private sector to reduce facilitation of TOC.
  • Develop a mechanism that would make unclassified data on TOC available to private sector partners.
  • Implement the Administration’s joint strategic plan on intellectual property enforcement to target, investigate, and prosecute intellectual property crimes committed by TOC.
  • Enhance domestic and foreign capabilities to combat the increasing involvement of TOC networks in cybercrime and build international capacity to forensically exploit and judicially process digital evidence.
  • Use authorities under the USA PATRIOT Act to designate foreign jurisdictions, institutions, or classes of transactions as "primary money-laundering concerns," allowing for the introduction of various restrictive measures on financial dealings by U.S. persons with those entities.
  • Identify foreign kleptocrats who have corrupt relationships with TOC networks and target their assets for freezing, forfeiture, and repatriation to victimized governments.
  • Work with Congress to enact legislation to require disclosure of beneficial ownership information of legal entities at the time of company formation in order to enhance transparency for law enforcement and other purposes.
  • Support the work of the Financial Action Task Force, which sets and enforces global standards to combat both money laundering and the financing of terrorism.

The FTC is working on settlements with companies like Facebook. The White House NSC is working on strategies that have a nexus with stealing consumers' information to exploit the financial system. Yet all of this will be for nothing if the private sector does not work in concert with government. Public-private partnerships are a start and are making some progress. Changing people's behavior inside your own business will require substantial oversight and continuous education. Remain vigilant; ignore this at your own peril!

1 comment:

Anonymous said...

It would be interesting to find out how many TOCs on the list are 100% in the cyber domain. My guess is that most of the TOCs have recruited cyber experts to develop their online fraud schemes as a component of their business. I wonder how many TOCs are in the XXX and online gambling business.