Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

SPECIAL NOTE TO ALL VISITORS:
Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.

GUARDING CONSUMER PRIVACY ISN'T JUST THE LAW -- IT COULD KEEP YOUR E-BUSINESS FROM CRUMBLING

Posted on January 25, 2001

      Like many on-line entrepreneurs, Gerald Miller struggles with the thorny issue of how to protect consumer privacy on the Web.

      As a lawyer planning a site to help clients draw up wills and other legal documents, Mr. Miller is acutely aware of new legislation that forces many firms -- and virtually all e-businesses -- to erect privacy fences around all the personal data that they collect.

      He is also painfully conscious of how shaky such fences can be, since he was the victim of an error a year ago when visitors to a Web site were able to find his name, address, phone and credit card numbers, together with those of other subscribers to an Internet service provided by Toronto-based Look Communications Inc.

      "We have a real strong need for security and privacy protection, but we're struggling with how to do it and how far to take it," says Mr. Miller, a partner in the Toronto law firm Gardiner Blumberg.

      Protecting privacy is now a priority for e-businesses, not only because they are now legally obliged to do so, but also because it has become a key concern for a growing number of consumers, who are aware of the risks of sensitive information being disclosed on-line and wary of the numerous ways that technology can monitor and analyze their spending and surfing habits.

      "Public confidence is crucial to the success of all e-commerce and, at the end of the day, good privacy is good business," says Canada's privacy commissioner, George Radwanski. He is responsible for overseeing compliance with the federal government's new Personal Information and Electronic Documents Act, which took effect this month.

      The federal act lays down a comprehensive set of rules governing how organizations collect, use and manage personal information. It currently applies to organizations that transfer data from one province to another (a provision that applies to almost any e-business), as well as to federally regulated industries, such as telecommunications and financial services. In three years, all businesses will be covered, either by the federal legislation or comparable provincial laws. (Quebec has already implemented its own privacy legislation.)

      "The key point of the legislation is that your personal information cannot be collected, used or shared without your consent, and can only be used for the purposes for which your consent was given," Mr. Radwanski says.

      The principles of the new law seem very simple, but complying with them can be a daunting task for many e-businesses, according to Jane Dargie, a Toronto-based consultant with the management firm Deloitte and Touche.

      "Many organizations don't anticipate how much work is really involved in becoming privacy compliant," Ms. Dargie says.

      She says companies need to do a complete audit of their operations in order to understand what information they take in, who and where it comes from, what they use it for, who it is shared with, and where and how it is stored.

      They also have to design policies and procedures to ensure that customers' consent is obtained and that the information is only used for the purpose that customers have agreed to.

      Making sure that the information is accurate, secure and accessible for customers to review themselves is also a requirement laid down by the law, Ms. Dargie notes.

Y2K déjà vu

      Libby Gillman, a Toronto-based senior manager at the consulting firm Cap Gemini Ernst and Young, says the task of complying with privacy laws can be compared to Y2K compliance programs of the 1990s: it is a comprehensive and critical effort that involves entering into almost every aspect of a company's technology and operations to root out and fix potential misuses or mishandling of sensitive information.

      "It's not just a legal exercise. It transcends all of the operations of the company," she says.

      And it is not just one law that businesses have to worry about, particularly if they are on-line companies with presences in many different jurisdictions, says Rick Shields, a counsel at the Ottawa-based law firm McCarthy Tétrault and one of Canada's leading experts on privacy law.

      "There are torrents of privacy legislation all over the globe. The only way you really have any security is to pick the most strenuous regulation that's applicable to your business and then to apply that or even go one step better," Mr. Shields says. "You figure out what the highest ground is and then locate yourself there, not just for compliance purposes, but because the marketplace is becoming pretty unforgiving of privacy transgressions."

      What complicates matters even further, he says, is the fact that companies may be held accountable for information that they share with or pass on to business partners, clients and service providers. If you run afoul of privacy laws, he warns, "it may not necessarily be federal regulators that come knocking at your door, but a partner or client seeking compensation."

      Older databases can create additional problems, because new laws may require businesses to go back and seek consent from individuals in order to use personal information gathered in the past, Mr. Shields says.

      He notes that companies can sometimes run into major expenditures, if they find that concerns about privacy force them to change their technology in order to accommodate new ways of obtaining consent, or accessing or restricting access to information.

      David Parkes, president and chief executive officer of Look Communications Inc., says his company spent more than $750,000 last year on an eight-month program to upgrade privacy and security systems and "make sure we're in compliance with the legislation in every way."

      Yet complying with the law is just a starting point for many e-businesses, with competitive pressures and consumer demands upping the ante. "The legislation is just the cost of entry," says Peter Cullen, corporate privacy officer at Royal Bank. He says going several steps beyond the requirements set out in the law will help earn customers' long-term loyalty and give organizations a big competitive advantage. In concrete terms, he says, losing a customer's trust means losing that customer's business. That's especially important for an e-business, which can't count on a customer's personal relationship with its workers to backstop slip-ups by the firm.

      Mr. Cullen says his organization provides customers with educational material about privacy issues in order to make sure that they are always able to give informed consent when they agree to let the bank use personal data.

      He says senior executives from every one of the bank's business groups meet regularly in a committee that is responsible for making sure that privacy concerns are incorporated into all processes and procedures, as well as the design of new products and services.

      The company that runs the popular Air Miles loyalty program is another organization that prides itself on having gone the extra mile to secure the trust of customers. John Wright, senior vice-president responsible for Air Miles business programs at the Toronto-based Loyalty Management Group Inc., says his company has been incorporating privacy compliance in its practices for close to a decade and made sure that it met the requirements of the new legislation as soon as the federal government's draft policy papers on the issue were released in 1997.

      Mr. Wright says his company subjects its policies and procedures to an external audit in order to obtain a WebTrust certificate, through a program run under the auspices of the Canadian Institute of Chartered Accountants and the Institute of Certified Public Accountants in the United States.

      Bruce Seago, chief operating officer of on-line broker ETrade Canada, says his company also uses a WebTrust certificate as a way of demonstrating its commitment to privacy.

The 10 privacy commandments

The new federal privacy law lays out 10 precepts:

• Be accountable: Audit how your organization gathers information, establish policies and appoint an officer responsible for privacy

• Identify the purpose: Explain how information will be used

• Be accurate: Keep frequently used information up to date

• Be open: Inform customers about privacy policies

• Obtain consent: Make sure that people understand to what they're consenting

• Limit collection: Only gather information necessary to the identified purpose

• Limit use, disclosure and retention: Destroy data when it is no longer needed

• Use appropriate safeguards: Keep sensitive information secure and control who can access it

• Give individuals access: Make it easy for any customer to review his or her records Active compliance: Make it easy for customers to complain; then investigate and respond to complaints

E-CommerceALERT comment: Information regarding WebTrust Privacy can be obtained here: http://PrivacyDetective.com

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

ALERT
ARCHIVES
Final Entries
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999