Potential customers hesitate to part with private information on the Internet when they don't know how the information will be used and who will be using it. Jupiter Research estimates that Internet-related business will lose $18 billion in unrealized transactions because of privacy concerns by 2003. This should serve as a wake-up call for Web site operators to assure loyal and potential customers of the security and primacy of their data by keeping it private.
Keeping customer information private and securing it is different from protecting other enterprise assets. Many assets, such as real property or commercial papers, can be enclosed within walls and locked away. Such assets do not require immediate access and provide an ROI (return on investment) based on possession alone. Assets in information need to be secure, under lock and key, but also need more immediate access to maximize the ROI. A customer database has to be secure but needs to be used regularly to have value.
Privacy and Security: Joined at the Hip
Keeping data private can start with a secure network infrastructure. Today's enterprises maintain firewalls that filter and block unwanted traffic to and from the corporate network. VPNs (virtual private networks) offer secure remote communications, while ventures using SSL (Secure Socket Layer) and TLS (Transport Layer Security) secure Web transactions using strong cryptography. These point products are important building blocks toward a secure network infrastructure, but they are not ends in themselves (see "The Survivor's Guide to 2001: Security", December 11, 2000). Their raison d'etre is to keep the network secure; keeping data secure or private is another matter.
An enterprise's first step in keeping data private is to identify the type of information collected and the needs of customers, both internal and external to the organization, to access it. Also, the enterprise should research the applicable state and federal laws. Finally, to use the information as a business asset, the enterprise must provide secure access and a safe way to transmit or transfer it to interested parties.
The type of data an enterprise collects, retains and uses as a business asset is closely associated with the kind of business the enterprise is in and the kind of information it needs. Clothiers will collect and use information differently from the way that automobile manufacturers will. Of course, the applicable laws affecting the use of the information collected vary by business sector. For example, the Gramm-Leach-Bliley Act (GLB) requires financial institutions to detail how they handle customers' financial information and stipulates that institutions must formulate privacy policies and disclose them annually to all customers, with procedures for customers to "opt out" of marketing promotions using their private data. Depending on the type of information collected, other laws may apply.
For Internet presences directed at children, the Children's Online Privacy Protection Act of 1998 (COPPA) prohibits unfair or deceptive practices in collecting, using or disclosing personal information about children under 13 on the Internet. And, for health-care providers, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy provisions will apply in 2003. HIPAA's final rules cover all medical records and other individually identifiable health information used or disclosed by health-care providers who conduct financial and administrative transactions in electronic form.
A Patchwork of Protection
HIPAA, like GLB and COPPA, is neither pre-emptive nor comprehensive. Privacy in the United States finds protection under a patchwork quilt of laws from federal and state constitutions and codes. For example, in addition to HIPAA, state laws continue to protect patient records relating to mental health, HIV infection and AIDS. And GLB supplements the Fair Credit Reporting Act (1970), the Right to Financial Privacy Act (1978) and state laws designed to safeguard privacy in commercial transactions.
Like some quilts, these laws have holes. For example, COPPA does not apply to Web sites, such as hard-core pornography sites, that do not target children. GLB permits financial institutions to share customer information with affiliates without letting customers opt out. And HIPAA lets health-care professionals apply their own policies where no law affects disclosure. Industry self-regulation supplements U.S. law, but all told, privacy protection in the United States falls short of the comprehensive regulations of the European Union and Canada.
Many Web sites take matters into their own hands by informing customers of data collection and opt-out procedures. And industry watchdogs like Truste and the Electronic Privacy Information Clearinghouse (EPIC) replace the need for government regulators. Truste certifies Web sites that provide customers with control over their information; EPIC is a public-interest research center in Washington that focuses public attention on privacy, among other things.
Enterprise privacy policies should inform customers of what data is collected, the data's retention period and how it is used; the enterprise should also give them facilities to review, revise and even remove the data collected about them. For sensitive financial and health information, it should require opt-in vis-à-vis opt-out strategies and confine the collection of sensitive information, such as credit-card or health information, to the period of a specific transaction. These policies support a customer's ownership and control of data and put businesses in a responsible caretaker position. But self-regulation does not stop with acknowledging who owns the data. It continues with the caretaker's restricting access to the data and securing transmission using a multiplicity of technologies.
Authentication schemes using secure, encrypted passwords provide one level of security in keeping data private. Kerberos 5, a network-authentication scheme based on a key distribution model, is built into Microsoft Windows 2000 and Unix. But authentication schemes should go further to determine granular levels of access for users based on their needs. Some users may need only to view the data; others may need to modify it. DBMSes, like Microsoft SQL and Oracle, and premier directory services, like Novell NDS and iPlanet Directory Server 5.0, can administer granular rights to data. For Web-based authentication, all Web servers have built-in authentication modules. Going a step further, Securant Technologies' ClearTrust SecureControl 4.0 adds dynamic, rule-based policies for content (see "ClearTrust Takes the Upper Hand in Web-Based Authentication", June 12, 2000). In addition, audit trails should track changes or modifications of data back to the data's origin.
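The granular rights and audit trail described above, as an added example that is not from the article or from any of the products it names: it is written for a PostgreSQL-style SQL dialect (version 11 or later for EXECUTE FUNCTION), and the customers table, the cust_viewer and cust_editor roles and the column names are hypothetical. Viewers see only a column-restricted view, editors may change two columns and never see the card number, and every change is recorded with the database user who made it.

```sql
-- Added example, not from the article: least-privilege access to a customer
-- table plus an audit trail. PostgreSQL-style dialect; all names hypothetical.

CREATE TABLE customers (
    customer_id  integer PRIMARY KEY,
    full_name    text NOT NULL,
    email        text NOT NULL,
    card_number  text,          -- sensitive: keep only for the life of a transaction
    updated_at   timestamp NOT NULL DEFAULT now()
);

-- Viewers get a view without the sensitive column, never the base table.
CREATE VIEW customers_public AS
    SELECT customer_id, full_name, email FROM customers;

CREATE ROLE cust_viewer NOLOGIN;
CREATE ROLE cust_editor NOLOGIN;

REVOKE ALL ON customers FROM PUBLIC;
GRANT SELECT ON customers_public TO cust_viewer;

-- Editors may read and change contact details, but the card number stays
-- out of reach; column-level grants do this without a second table.
GRANT SELECT (customer_id, full_name, email) ON customers TO cust_editor;
GRANT UPDATE (full_name, email) ON customers TO cust_editor;

-- Audit trail: who changed which row, when, and the before/after image,
-- so any modification can be traced back to the data's origin.
CREATE TABLE customers_audit (
    audit_id     serial PRIMARY KEY,
    customer_id  integer NOT NULL,
    operation    text NOT NULL,
    changed_by   text NOT NULL,
    changed_at   timestamp NOT NULL DEFAULT now(),
    old_row      jsonb,
    new_row      jsonb
);

CREATE OR REPLACE FUNCTION log_customer_change() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        INSERT INTO customers_audit (customer_id, operation, changed_by, old_row, new_row)
        VALUES (OLD.customer_id, TG_OP, current_user, to_jsonb(OLD), NULL);
        RETURN OLD;
    ELSIF TG_OP = 'INSERT' THEN
        INSERT INTO customers_audit (customer_id, operation, changed_by, old_row, new_row)
        VALUES (NEW.customer_id, TG_OP, current_user, NULL, to_jsonb(NEW));
    ELSE
        INSERT INTO customers_audit (customer_id, operation, changed_by, old_row, new_row)
        VALUES (NEW.customer_id, TG_OP, current_user, to_jsonb(OLD), to_jsonb(NEW));
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER customers_audit_trg
    AFTER INSERT OR UPDATE OR DELETE ON customers
    FOR EACH ROW EXECUTE FUNCTION log_customer_change();

-- Nobody but the owner may alter or delete the audit trail itself.
REVOKE ALL ON customers_audit FROM PUBLIC;
GRANT SELECT ON customers_audit TO cust_viewer, cust_editor;
```

The trigger fires with the privileges of the table owner, so an editor who has no INSERT right on customers_audit still leaves a record; that separation is what keeps the trail trustworthy. Granting login users membership in cust_viewer or cust_editor, rather than rights on the tables directly, keeps the "view only" and "modify" distinction in one place when staff change roles.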
E-mail Privacy Hurdles
Transmitting information using e-mail has become a fast, easy and inexpensive way to communicate, yet e-mail is also a durable and persistent business record that can compromise privacy and lead to potential liability if not used responsibly. Employee-sent e-mail messages may be logged and saved outside the corporate firewall on intermediate servers for extended periods of time.
One way to keep e-mail secure and secret is to encrypt it by using technologies such as PGP and S/MIME (Secure MIME). PGP plug-ins work with many e-mail clients, and S/MIME is built into e-mail programs like Microsoft Outlook and Netscape Communicator. Yet S/MIME requires an internal or third-party CA (certificate authority) to verify the sender and authenticate the data. If you don't care to set up a CA, you can look to secure messaging providers, such as Hush Communications and PrivacyX.com, or other solutions that protect mail after delivery.
Protecting data after it leaves the enterprise depends on the nature and extent of its use under contract or intellectual property laws. New technologies, however, are enabling more proactive, assertive management of intellectual property. Disappearing Inc.'s e-mail solution puts an expiration date on e-mail; it also lets enterprises set up specific e-mail retention policies to manage messages. Authentica's NetRecall software adds to the concept of disappearing e-mail by including files downloaded from a Web browser.
In many cases, technology is not enough. Tools to keep data secure and private are only as good as the people who use them. They can't replace good hiring practices, privacy policies and education aimed at the appropriate use of technology and information.
Keeping data private begins with identifying information as a business asset and complying with legal and self-regulatory practices to assure customers of the primacy and privacy of their data. This necessarily involves a number of strategies to enable a secure network infrastructure and an ongoing commitment to treat the private information of customers with care.
Sean Doherty is a technology editor based at Network Computing's Syracuse University Real-World Labs®. A former project manager and IT engineer at Syracuse University, he planned and helped develop the infrastructure behind a campuswide, centrally supported applications and storage system. In addition, Sean earned his JD from the University of California, Berkeley, School of Law. Send your comments on this article to him at sdoherty@nwc.com.