Managing the enterprise information network

Feature

posted 8 Nov 2006 in Volume 3 Issue 4

Book review

Privacy Nation: The Business of Managing Private Information and Documents

Authors: Randolph Kahn, Daniel Goldstein and Barclay Blair

Publisher: AIIM International

ISBN: 0-89258-411-4

Price: $29.95

By Graeme Burton

In hindsight, it was a glaringly obvious security risk. And ChoicePoint, one of the biggest identification and credit verification agencies in the US, should have had processes in place to protect itself. But identity thieves, because of the easy and substantial sums of money involved in their crimes, can be cunning and ingenious.

In 2004, a gang of identity thieves hatched the perfect plan. Using stolen identities, they established a string of apparently legitimate businesses. For a year, these businesses were used as a front for collecting personal data from accounts set up with ChoicePoint. But the thieves were also careful, paying for the data of no more than 750 people from each front company to ensure that they did not arouse the suspicion of ChoicePoint security auditors.

The scam was only uncovered by police investigating a reported case of identity theft – and after an estimated 140,000 ChoicePoint accounts had been compromised. To compound the error, ChoicePoint later admitted that it did not even tell the people whose information had been compromised, except where legally obliged to do so under Californian disclosure laws.

Meanwhile, in the UK, the Driver Vehicle Licensing Agency (DVLA) has been criticised for opening up its database of driver records – including names and addresses of private citizens – to private sector organisations. Many of these, it later transpired, had not been properly vetted and one newspaper even claimed that information had fallen into the hands of convicted criminals running shady vehicle wheel-clamping organisations.

There are plenty of other examples of organisations using, abusing or exposing personally identifiable information. While often it is the result of a simple mistake, in many cases insiders are responsible for accessing and stealing the most valuable of the personal information that companies have been collecting for years.

The message is clear: organisations can no longer treat personal information in a careless or lackadaisical manner. It must be treated as if it were as valuable an asset to the organisation as it is to the individuals to whom it belongs. But where to begin?

Kahn, Goldstein and Blair’s book is an attempt to provide organisations with a foundation for managing personal information. It covers the issues in part one, while providing readers with a framework for how the challenge can be dealt with in part two.

Kahn and Blair were previously responsible for Information Nation, also published by AIIM. That introduced a compliance methodology for information management. The authors therefore borrow heavily from the methodology established in that earlier work.

First steps

The suggested framework is clear and logical. First, senior managers from the board downwards must be made aware of the importance of what the authors call ‘privacy information management’ or PIM.

A PIM-team then needs to be assembled to drive through the changes in culture and processes required. One of the first tasks of this team, of course, is to conduct a privacy audit. That will include frank interviews with managers in departments that use private data. “An incomplete or poorly conducted audit serves only to create a false sense of security,” argue the authors.

Then the real hard work begins, with the formulation of a robust privacy policy and its implementation. These are the real heavyweight chapters of the book that will provide the return on investment for the $29.95 purchase price. The book's success in doing this is mixed.

In many respects, the book only addresses the organisation’s need to reassure customers and consumers, when more meat is required to enable a privacy manager to really nail down the issue in their organisation.

There is, however, some important general information for the organisation seeking to address the issue for the first time. Communication is the key, stress the authors, both with the public and internally.

After the roadmap has been developed and the technological elements implemented, mandatory privacy training workshops ought to be run and a privacy-resource website established – staff should have no excuses, especially those handling customer information.

However, while the book is full of valuable information, it is not an all-encompassing guide to managing private data. Rather, it provides a high-level managerial overview – with many useful suggestions – that should be helpful for putting the issue into perspective and providing a roadmap for tackling it. But for a more detailed guide, readers may need to look elsewhere.

Graeme Burton is managing editor of Inside Knowledge and Enterprise Information. He can be contacted at gburton@ark-group.com.

Copyright ©1994-2005 Ark Group Ltd All rights reserved. No part of this site or the publications described herein
may be reproduced in any form without the permission of Ark Conferences Ltd, Registered in England, No. 2931372.