Nymity News

Interview with Dana Louise Simberkoff

October 2006

 

Interviewee: Dana Louise Simberkoff, Vice President of Business Development of HiSoftware


Interviewer: Terry McQuay, President of Nymity


Subject: Managing Online Privacy Compliance in the Enterprise

 

Nymity: What are the main business risks facing large, multi-jurisdictional corporations when collecting personal information online?

 

Simberkoff: The Internet age has revolutionized how organizations collect, communicate, publish and find information. While this technology has created new opportunities for global communication and commerce, it has also created new challenges in risk management.

 

If your organization has a website that collects personal information from consumers, or provides online services to consumers, you are at risk.

Privacy managers need to be concerned with a variety of issues that may impact their organizations. These include:

    1. Regulatory Compliance: non-compliance may result in monetary fines, legal action or other penalties
    2. Image and Branding: privacy breaches can shake consumer confidence and impact public perception
    3. Financial Loss: in addition to fines and legal penalties, privacy breaches may impact willingness of consumers to do business online, reduce customer loyalty, or result in other monetary consequences (i.e. credit monitoring).

Nymity: For global organizations, what are the main compliance requirements?

 

Simberkoff: Many organizations, both public and private, are mandated by privacy legislation which governs their collection, use, retention and distribution of personal information. These organizations include government agencies, financial institutions, health care organizations and a wide range of other organizations conducting business online. Privacy legislation varies between countries. Private companies may be subject to different rules and standards in different regions of the world, and through different areas of their businesses. Organizations must identify and manage online privacy and risk issues to ensure regulatory compliance, and to earn and retain customer trust.

 

Nymity: What challenges do corporations face when managing their online privacy policies?

 

Simberkoff: Many organizations have fallen prey to exponential growth of electronic information with few, if any, controls in place to monitor content for compliance with government, corporate and regulatory standards for privacy. When these standards can be structured and implemented they have great value. However, implementing a solution to accomplish this task has been unmanageable and cost-prohibitive to most organizations. Organizations often do not have dedicated IT and personnel resources to allocate to such challenges; however, organizations may be at risk of non-compliance without implementation of an enterprise-wide solution.

 

Nymity: How does the AccMonitor® Privacy Module address these challenges?

 

Simberkoff: HiSoftware’s AccMonitor® Privacy Module allows active reviewing and monitoring of all of your online properties for common privacy issues and provides comprehensive reporting tools that allow you to identify, assign and track any online privacy issues through the testing, repairing, enforcing and reporting of compliance issues across the organization’s Web properties.


HiSoftware provides quality assurance, testing, remediation and monitoring solutions that can easily integrate into current practices and defect tracking methodologies. Content quality assurance can also be integrated into the test processes for dynamic Web applications and Web sites. The adoption of HiSoftware’s automated, repeatable back-end server-based monitoring system, the AccMonitor® Privacy Module, provides your organization’s Web property stakeholders with the solutions they need to ensure their content/applications meet these policies effectively and efficiently. In addition to automated enterprise server solutions, HiSoftware also provides interactive, user-driven desktop solutions. HiSoftware AccVerify/Repair allows developers to test and remediate content in their development and quality assurance environment. Incorporating standards-based compliance into design and development practices is a much more cost-effective strategy for agencies, versus the alternative of simply monitoring for compliance “after the fact”.

 

By implementing an automated solution, organizations will be able to mitigate risk and ensure compliant web properties as well as reduce the man hours spent on testing Web content/applications:

 

      • Scans and reports will identify Web content that exposes the organization to the maximum risk for privacy and accessibility violations to help prioritize projects and resources.
      • Reports provide exact locations of errors, and this will also further reduce the time it takes to implement fixes and changes.
      • Business and policy owners can continuously monitor published web sites, systems and applications to ensure they continue to conform.
 
Nymity: The United States Department of Transportation implemented the AccMonitor® Privacy Module. What was the main impetus for the implementation?

 

Simberkoff: The US Department of Transportation (DOT) is implementing AccMonitor Privacy Module to collect, audit and report on privacy issues such as website data collection practices, privacy statement links, security features, visitor tracking practices through the use of cookies, web beacons and P3P compliance to proactively address critical risks and compliance challenges. DOT originally adopted the AccMonitor Compliance Server platform to address accessibility issues in October 2002.

 

Nymity: In closing, what are some best practices for smaller companies that cannot justify an automated solution?

 

Simberkoff: An online privacy best practices program provides a model that gives companies confidence in the proper collection, usage and protection of consumers’ personal data while also allowing consumers control over their personal data.

 

This program should include:

      • Creation/adoption of a Privacy Policy
      • Creation/adoption of a Web Privacy Statement
      • Education and empowerment of key stakeholders for compliance
      • Regular self-assessment/audits
      • Adoption of a system for ongoing monitoring

 

An online privacy risk management strategy should give an organization the ability to view policy implementation from a project management perspective, which will enable the allocation of resources appropriately across an organization and track site progress, as well as identify problem areas so action items can be assigned against them. A good privacy strategy should also provide the ability to integrate testing into any quality assurance and content delivery processes associated with existing web development and deployment practices. Finally, an organization should keep a historical view of its testing over time, which is a great way to measure the progress of a project and set goals for the future.

 

 

 
