Policy advisor: Legislation won't end breaches

01.03.2006
As one of the five Commissioners on the Federal Trade Commission (FTC) between 1997 and 2005, Orson Swindle was involved in the launch of the agency's Do-Not-Call program and participated in policy deliberations about information security and privacy. He was also involved in efforts to revise the Organization for Economic Cooperation and Development's (OECD) Information Security Guidelines in 2002 and 2003.

Now the senior policy advisor and chair at the Center for Information Policy Leadership -- a privacy think tank whose members include Procter & Gamble, Eli Lilly & Co. and Microsoft Corp. -- Swindle talked with Computerworld about some of the privacy challenges facing corporate America.

What's driving the privacy agenda these days?

In the past year, we've heard about some hundred-plus disclosed security breaches, about hacking, lost laptops, lost files, disclosures of account numbers and even computers falling off the back of delivery trucks. Each one of these represents a potential disclosure of very sensitive information. The reports we've read very likely exaggerated the nature of the harm done in some cases. But that's not to say we don't have a problem. We darn sure do have one. And this inadequate protection of sensitive data is just unacceptable. We have got to collectively do a much better job at it. And I say 'we' collectively because it's going to take everyone, including consumers. There's no security initiative, there's no new law, there's no new technology that's going to solve this problem altogether.

What does this mean for businesses?

The biggest concern for business is just being aware that if you handle information you've got an obligation to protect it. The Federal Trade Commission with a couple of decisions last year plainly stated that. Those two cases specifically involved BJ's Wholesale Club and DSW Inc. Both of the cases were brought against companies not for a promise not kept but for simply being in the business of collecting and using information that is sensitive and not taking sufficient precautions to protect that information. The important thing to note with these two cases is that BJ's Wholesale and DSW were not [regulated entities such as] medical institutions; they were not financial institutions. But what they encountered was a de facto extension of the Gramm-Leach-Bliley requirement under the unfair and deceptive practices aspect of the FTC Act Section 5. In other words, what the FTC said to those two firms is that your conduct in not protecting this information is unfair in that you didn't do what you ought to have done.

Do you see the FTC being more proactive in taking action against companies, even if no actual breach may have taken place?

This, in effect, has already happened. There are a couple of cases on record. It would be impossible for me to say which ones they are. But there is at least one case where the FTC, again under Section 5, brought a case against a company -- not for a breach but for making a promise of having certain safeguards that really weren't there. They were making a promise of things they couldn't keep, because they didn't have the mechanisms in place to provide that kind of security.

ChoicePoint was fined US$15 million by the FTC recently. What sort of precedent does that set?

That case is quite a bit different from BJ's Wholesale and DSW. In the ChoicePoint case, there were lots of things that were violated there -- in particular, the Fair Credit Reporting Act. That carries with it monetary penalties that can be substantial, and in this case, obviously were. If nothing else, it certainly should be getting people's attention. Talk about a two-by-four between the eyes getting your attention.