Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan [NOOK Book]


The First Step-by-Step Guide for Ensuring Corporate Privacy­­In Today's Wide-Open eBusiness Environment

Privacy­­more specifically the protection of privacy­­is one of today's hot-button business issues. Whether safeguarding the personal information of their customers, or keeping e-intruders from ...

See more details below
Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan

Available on NOOK devices and apps  
  • NOOK Devices
  • Samsung Galaxy Tab 4 NOOK 7.0
  • Samsung Galaxy Tab 4 NOOK 10.1
  • NOOK HD Tablet
  • NOOK HD+ Tablet
  • NOOK eReaders
  • NOOK Color
  • NOOK Tablet
  • Tablet/Phone
  • NOOK for Windows 8 Tablet
  • NOOK for iOS
  • NOOK for Android
  • NOOK Kids for iPad
  • PC/Mac
  • NOOK for Windows 8
  • NOOK for PC
  • NOOK for Mac
  • NOOK for Web

Want a NOOK? Explore Now

NOOK Book (eBook)
$13.99 price
(Save 43%)$24.95 List Price


The First Step-by-Step Guide for Ensuring Corporate Privacy­­In Today's Wide-Open eBusiness Environment

Privacy­­more specifically the protection of privacy­­is one of today's hot-button business issues. Whether safeguarding the personal information of their customers, or keeping e-intruders from accessing vital company information, organizations have begun to realize the necessity of an effective, organization-wide privacy plan.

Net Privacy shows you how to design and implement a corporate privacy program that safeguards valuable customer and company data while protecting your ability to use that data to compete successfully. Encompassing both the business and technology sides of the privacy issue, this timely book covers:

  • Strategies to mine and utilize customer data without compromising the relationship

  • Problems and solutions behind business-to-business privacy issues

  • Explanations of the technology behind effective privacy plans

In today's cost-conscious business environment, information is gold. Let Net Privacy­­written by two of today's most influential computer security thought leaders­­provide you with innovative solutions to address corporate data privacy concerns, and give you hands-on guidelines to establish a strong, comprehensive information protection program­­at every level of your organization.

"Organizations need to develop privacy policies that maximize the benefit of reusing information in as many ways as possible while minimizing the risks associated with potential privacy violations."

­­From the Introduction

Names, addresses, and purchase patterns of customers are legal tender, as valuable to marketers as they are to competitors. At the same time, these and other indispensable internal information are often protected behind paper-thin corporate firewalls­­barriers that stand little chance against sophisticated computer hackers looking to compromise systems and steal information.

Net Privacy shows executives, consultants, technology designers, and other decision makers how to protect information privacy in today's competitive business arena. This important book provides:

  • Checklists and procedures for evaluating privacy needs

  • Practical procedural steps for establishing a privacy task force

  • Guidelines for combining various technologies­­from information and storage systems to data centers and Intranets­­to provide maximum protection

  • A proven process for formulating privacy policies and procedures

  • Examples for implementing and testing privacy procedures

  • Strategies to continuously monitor and modify privacy protection in the future

  • A governance framework adaptable for virtually any organization

With over 90 percent of Internet users still uncomfortable sending personal information across the Web, and savvy computer hackers regularly making headlines with high profile forays into sensitive customer and corporate records, corporate privacy is an issue that won't go away. Let Net Privacy show you how to conduct an audit to determine your organization's privacy requirements, develop policies and guidelines to ensure a successful privacy plan, then implement and monitor that plan­­ensuring privacy today, tomorrow, and well into the 21st century

Read More Show Less

Product Details

  • ISBN-13: 9780071381116
  • Publisher: McGraw-Hill Education
  • Publication date: 4/1/2001
  • Sold by: Barnes & Noble
  • Format: eBook
  • Edition number: 1
  • Pages: 318
  • File size: 3 MB

Meet the Author

Michael Erbschloe is a world-renowned information technology consultant, author, and educator. The vice president of research for Research for Computer Economics, an influential technology think tank, Erbschloe has authored more than 2,200 articles for leading publications and his research work has appeared in Fortune, The Wall Street Journal, U.S. News & World Report, The Washington Post, and many others.

John Vacca is an information technology consultant and author of more than 29 books and 37 articles on topics including Internet security, programming, and systems development. Vacca previously served as the computer security specialist for NASA's space station program and the International Space Station Program. His books include Internet Security Secrets, The Cabling Handbook, - Satellite Encryption, and Virtual Reality. Vacca was also one of the security consultants for the MGM movie AntiTrust."

Read More Show Less

Read an Excerpt

5: Conducting A _Privacy-Needs Audit

Conducting a privacy-needs audit is phase two in the privacy policy development and planning process. Once there is a privacy task force and other necessary groups in place to tackle the privacy plan, the organization must begin to understand the many types of data and information it collects and uses. The privacy-needs audit helps the organization identify those data, determine where or whom it comes from, establish how and where it is used, and identify if and where it is disseminated. In addition, the audit process will identify laws, government regulations, and internal requirements that could possibly govern the collection, use, and dissemination of the data. Conducting the needs audit is a time-consuming task that will require the cooperation of all departments or business units in an organization.

This chapter provides a step-by-step approach to conducting a privacy-needs audit. It has divided the privacy-needs audit phase into 10 major steps that follow the first 10 steps of the organizing and researching process discussed in Chapter 4. The steps are illustrated in Figure 5-1.

Figure 5-1. Conducting a Privacy-Needs Audit: Phase 2 of Privacy Planning

In addition to describing the 10 steps for conducting a privacy-needs audit, this chapter covers the type of obstacles that an organization can encounter at each step. As in other chapters, these candid comments about obstacles are based on several decades of experience in working on organizational change using the task force approach to accomplish major enterprise initiatives.

Step 1: establishing a data _inventory system

To begin the privacy-needs audit, the organization needs to create a data inventory record system to help track and organize the information collected during the audit. A database is helpful in managing the information collected. The organization should collect as much information as possible on each piece of data in its enterprise and record it in its data inventory database. The minimal information collected about each piece of data will probably vary, depending on the organization. The following list provides a starting point for the information that an organization needs to collect:
  • Description of the data
  • Which department is responsible for the data
  • Source of the data
  • Which computer (or computers) the data reside on, if applicable
  • Where paper copies of the data are filed, if applicable
  • Where the data are used in-house
  • How the data are used in-house
  • Where the data are disseminated
  • How the data are disseminated
  • Any existing policies on using the data
  • Laws covering the use of the data
  • Previous incidents regarding privacy of the data
  • The position of advocacy groups toward the use of the data
  • Privacy task force notes on the data
The major obstacle when establishing a data inventory system is that the volume of work required can be very high in large enterprises. Therefore staff resources are needed to conduct the audit by department, to compile the information, and to keep the inventory updated over time. Another obstacle, which is closely tied to resource requirements, is resistance to thoroughness because of the cost and time involved. This data inventory step should be as thorough as possible. If the company does not take a comprehensive look at its data, it is not taking a comprehensive look at its vulnerability.

The objective of the privacy-needs audit and the entire privacy-_planning process is to reduce the organization's vulnerability when it comes to privacy. No organization should have a false sense of security about how vulnerable it is to privacy problems. Many organizations read the latest story in the newspaper about privacy issues that pertain to certain types of data, then take a brief look at their own in-house treatment of that particular type of data, and prematurely conclude that they are not vulnerable. Building a complete and thorough data inventory system to begin the privacy-needs audit will help reduce tendencies to take short cuts as the company develops and implements the privacy plan.

Step 2: conducting an inventory of data in the enterprise

Once a comprehensive data inventory system is in place, the organization should begin to populate the database with detailed information on the data that it controls. Each department must determine what data or information it collects, creates, or uses. Working with the department teams, the task force should catalog all of the data, their source, and their current use. This time-consuming process must be thoroughly executed. The central information technology department can be very helpful in this process. Well-organized data management operations usually have data dictionaries that describe all of the data fields in enterprise databases. In most cases, these data dictionaries are an excellent starting place to learn about the large quantities of data your organization collects, processes, or uses. The central information technology department, sometimes called the MIS department, can be assigned to assist with the data inventory process.

Companies should not, however, assume that the central information technology department is aware of all the data used by departments or business units. All too often databases and information systems have sprouted up around an organization. These databases can be standalone systems that departments have created, or they can be derivatives of centralized databases that have been extracted for specific data mining or data analysis tasks.

A formal cataloging approach should be used in inventorying data and information. To move further into the planning assessment and planning process, the company needs a uniform and thorough description of all data and information. Setting up a database that is accessible by the entire privacy task force is a good way to facilitate the cataloging process. Expect the inventory process to take a considerable amount of time; it can take weeks and sometimes months to do a data inventory, depending on the size of the organization.

To find the data and information used in the enterprise, the privacy task force and the department teams need to look everywhere. For example, data may be found in the following locations:

  • Customer data files
  • Supplier data files
  • Channel partner records
  • Accounts payable files
  • Accounts receivable files
  • Web site registration records
  • Employee records
  • Research and development files
  • Subscription records for corporate newsletters
The major obstacle when actually conducting a data inventory is getting the cooperation of all departments or business units. Cooperation comes on two levels. The first is how nice people are about the detailed task of a data audit and how timely they respond. The second is how well they really cooperate and how much effort they really put into the process. Companies need to be very realistic in this phase and understand that departments and business units feel as if they have ownership of data, and in many cases, their performance ratings or compensation, especially for managers or sales people, may depend on exploiting a variety of data sources.

All the obstacles basically come down to what is referred to as cultural barriers to change. This defensiveness or fortress-building response has always been encountered in organizations that are faced with new threats, shifts in marketplaces, or social pressure. For example, heavy resistance to environmental protection requirements lasted for decades and still exists in some parts of the country and in many places around the world. Resistance to equal opportunity such as gender and racial equality in the workplace is something that has yet to be completely overcome. Progress has been made on both the environmental and equal opportunity fronts, but it has taken over 30 years.

Simply stated, companies should be warned against an observed tendency on the part of departments and business units to not fully cooperate with enterprisewide initiatives. Do not establish an environment of distrust and paranoia when dealing with departments or business units. Just take an approach of thoroughness during the data inventory step. A company's best weapon in the quest for thoroughness may not be lengthy forms for each supervisor to complete, but a softer awareness-building approach in which key supervisors or technical experts are polled about how data are being used.

To help achieve thoroughness and overcome potential resistance to the data inventory process, count on taking a three-prong approach. First, as pointed out in phase one, the organization and research phase, start an awareness campaign about the importance of privacy efforts and provide employees with a mechanism for giving feedback about potential vulnerabilities. Second, start the formal inventory process as outlined in this chapter. Third, create and distribute a survey to key personnel as a separate data collection effort to get their inputs on privacy vulnerability. The company can then triangulate the three sources of information and cross-check them as it builds the data inventory.

Step 3: determining existing privacy policies by data type

Once the data and information have been located in the enterprise, the organization needs to determine if it has any preexisting privacy policies and procedures related to each type of data. The data inventory database should include fields to track existing privacy policies. As the task force identifies data and their location, it can also inquire about any existing privacy policies related to the different data sets. These policies need to be recorded and evaluated. In the absence of a written policy or procedure, the privacy task force needs to determine what de facto or unwritten policies, if any, govern use of the data in question. For an existing policy, the task force needs to determine if it is adequate or appropriate for current activities. One of the roles of the task force is to examine any and all existing policies and procedures regarding the privacy of data. All written copies of existing policies should be collected for analysis by the task force at a later date.

The major obstacle during this step is the volume of documentation that may have to be pulled together. Existing privacy or data management policies may be difficult to sift through and actually determine what if any privacy management aspects they actually covered. In addition, some policies may not be labeled as policies that have governed past or present behavior toward privacy of data. Going through this process helps prevent new privacy policies and procedures from contradicting existing ones. The new privacy policy should not be seen as an overlay to existing policies or procedures. This means that all of the existing policies related to data privacy need to be reviewed to make sure they do not conflict with new policies. Contradictions in various types of policies will be eliminated in the policy development and implementation phase.

Step 4: reviewing laws, _government regulations

Following an examination of internal policies that may govern data use and collection, the next step in the audit process is to determine if any external laws or government regulations apply to each of the types of data that have been identified. This complex process will require assistance from legal counsel. Appropriate representatives from departments should be responsible for various data types and should be involved in the legal review process along with counsel. Bringing these parties together and reviewing the information can be a rather lengthy process and may require international assistance if the enterprise operates across international borders. The organization needs to conduct the legal requirements phase for each country in which it conducts business.

The major obstacles in accomplishing a thorough review of laws and regulations related to information privacy requirements are time and expertise. Medical organizations have already been confronted with a variety of privacy requirements, and financial services companies have long been dealing with privacy issues. Most organizations, however, are just beginning to deal with privacy issues and probably have very few staff familiar with privacy requirements. If in-house legal counsel is not available, contracting with an outside specialist in the field of privacy law is the best course of action.

Although outside legal counsel can be a very expensive aspect of privacy policy development, taking the do-it-yourself approach is not advised. For interpreting laws and regulations covering data privacy, and especially when the organization needs to comply with laws in several countries, the organization needs legal counsel that is expert in privacy law. Laws and regulations are seldom self-contained, but rather relate to other laws and regulations. Therefore a lack of familiarity with the structure of such laws can result in improper interpretations and incorrect actions. During this regulation review step, small organizations with limited budgets, especially start-up companies, are at risk. If such organizations do not have the budgets to deal properly with this legal review step, they are ill equipped to handle the entire privacy plan development process.

Step 5: assessing your insurance requirements and coverage

Along with laws and government regulations, an organization's insurance company's guidelines can determine how data are used and collected. The company should consult with its insurance company on any coverage that may relate to privacy planning, management, or protection. Most insurance companies provide coverage of corporate assets and many provide some sort of business disruption coverage. Both types of coverage could potentially relate to the violation of corporate privacy or the violation of the privacy of others by the enterprise's actions. A straightforward inquiry with the insurance carrier is best. Seeking the insurance carrier's input on the privacy planning approach could also be helpful.

The major obstacle in assessing an organization's insurance coverage is finding the expertise to do an adequate assessment. Larger organizations often have a risk management department to evaluate risks and insurance coverage. Smaller organizations tend not to have such expertise in-house, which means that they will need an outside consultant to help with this step. Basically, coverage from insurance companies regarding privacy violations is not expected. If it is a matter of data theft, they may provide some coverage. On the other hand, if inappropriate risk taking or an employee blunder causes a privacy violation, then the insurance company is not likely to provide coverage. During this step the enterprise must determine what if any coverage its insurance policies provide.

Step 6: identifying past or present privacy problems

Once an organization has a good understanding of all the internal and external factors that control and govern data collection and use, it should analyze any privacy problems that the organization is facing or has faced in the past. Unfortunately, many organizations do not start dealing with privacy issues until they have a privacy-related incident. If privacy management problems have occurred, the task force must have a full understanding of those problems. Such problems can include customer complaints, litigation, and government inquires. In addition to understanding the problems, the task force must also be informed on how the organization re-sponded to those issues.

The company is urged to take a comprehensive look at existing or past issues. This process may include a review of customer complaint forms or records in all business units and departments. If it has a Web site, the company should review any email or inquiries regarding privacy. All too often these inquiries get buried in an email box somewhere on a server and are never reviewed. If visitors to the Web site have made inquiries, these inquiries could provide insight into the perspective of the organization's Web customers or users.

The major obstacle in identifying past data privacy issues is what is referred to as institutional memory. In some cases people who have been involved in privacy incidents may have left the company. In other cases memory tends to be selective, and the task force may have difficulty assembling an objective perspective on past privacy incidents. As major incidents of the past are identified, the task force should contact the people who are no longer with the organization and attempt to get their perspectives on specific incidents. If employees involved in an incident are still with the company, the task force should talk to as many people as possible to make sure a well-rounded perspective of the incident develops. All of these efforts will help the task force develop a full understanding of what the organization faces and has faced in terms of privacy problems created within the enterprise.

Step 7: reviewing the privacy _policies and problems of your _business partners

Along with internal privacy problems, the task force needs to understand the privacy issues in which the organization's external business partners are involved. The task force should examine privacy policies, problems, or issues that the business partners have experienced. An organization could be vulnerable because of poor privacy management practices of suppliers, channel partners, or other companies with which it has some business arrangement.

These organizations should be informed that a privacy plan is being developed. This part of the privacy planning process can be very problematic; however, the enterprise must recognize that even the best privacy policies and procedures cannot protect it from encountering problems if a business partner obtains data that it misuses in a way that exposes that data to unauthorized parties.

The major obstacle is getting business partners to cooperate. If a company has long-standing relationships with the business partners, it will probably not be too difficult to foster cooperation. The most difficult scenario occurs when large numbers of channel partners are affiliates. This scenario especially applies to newer Web-based companies that use affiliate programs or to the large technology companies that have relationships with resellers, VARs (value added resellers), OEMs (original equipment manufacturers), or consultants. In these cases, collecting information on each affiliate may be impossible. The best course of action in these situations is to focus on the largest partners first. In addition, once the privacy policies are formulated, the organization can require all partners to adhere to its policies as a condition of having the business relationship.

Along with assessing the privacy policies and problems of business partners, the company should establish a process that follows news stories in which the partners are mentioned. Even if self-reporting of privacy problems is required, a business partner that gets bogged down in a privacy scandal may not place a high priority on calling to discuss the problem. Thus, a monitoring process is advisable. Any privacy-related information found through such monitoring, as well as all self-reported information from business partners, should be catalogued and analyzed by the task force....

Read More Show Less

Table of Contents

Chapter 1: The Threat to Privacy and Corporate Vulnerability Chapter 2: The Nature of Privacy Problems. Chapter 3: The Regulatory and Legislative Environment. Chapter 4: Organizing to Protect Privacy. Chapter 5: Conducting a Privacy-Needs Audit. Chapter 6: Evaluating Technology Needs for Privacy Protection. Chapter 7: Developing the Enterprise Privacy Plan. Chapter 8: Implementing the Enterprise Privacy Plan. Chapter 9: Managing Privacy on the Enterprise Web Site. Chapter 10: Managing Privacy on Internet Supply Chains. Chapter 11: Managing Privacy Efforts on the Long-Term. Chapter 12: Protecting the Privacy of Enterprise Storage and Processing. Chapter 13: Protecting the Privacy of Corporate Communications. Chapter 14: Protecting Corporate Desktop Privacy. Chapter 15: Protecting the Privacy of the Road Warrior's Laptop. Chapter 16: Protecting the Privacy of Remote Access and Telecommuters. Chapter 17: The Future of Privacy Management.

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing all of 2 Customer Reviews
  • Anonymous

    Posted April 24, 2001

    Excellent Guide to Managing Privacy Planning!

    This book took us through the privacy planning process step by step. There were so many things we had not thought of and the book helped us make sure we covered privacy planning from all angles.

    Was this review helpful? Yes  No   Report this review
  • Anonymous

    Posted April 26, 2001

    This is the definitive guide to privacy planning

    This book provides a thorough structure for the privacy planning process. The framework and step-by-step process helped me through the privacy planning process.

    Was this review helpful? Yes  No   Report this review
Sort by: Showing all of 2 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)