There are many articles out on how individuals can protect themselves, but that's only half the story. On a corporate level, what can you do to prevent your organization from being a facilitator of identity theft? Whatever your business, you must take a hard look at not only your information collection practices (how data get into your company) but how and by whom your databases are maintained. Make sure that you have both physical and electronic safeguards in place, and use encryption at every possible level so that, even if your databases are stolen or lost, they will be scrambled and unusable in the wrong hands. If you share information with third parties (Web hosts, service bureaus, marketing partners), you need to require them to follow good privacy practices as well, since their lapse could cause your customers to blame you.
This isn't just smart business; sometimes it's the law. Depending on your industry (e.g., health care, covered by the HIPAA privacy regulations) or your customer base (for example, COPPA for children's marketers), you may have specific standards to follow for data retention and protection. Foreign jurisdictions such as member states of the EU may have their own laws and rules that affect your organization. Public companies must look to Sarbanes-Oxley and their own auditors' guidelines for appropriate data practices. Additionally, every organization may be subject to mandatory disclosure of privacy breaches (such as California's Shine the Light law).
Whatever your area of business, when you begin your analysis of your organization's data protection and retention practices, make sure you include IT, finance, administrative and legal in the process. Together, you should be able to reduce the risk that you will have to explain to your customers, and the press, how your internal data "left the building," taking the trust you've so carefully built up with it.
Jonathan I. Ezor, Special Counsel, The Lustigman Firm