Data Privacy Day 2008
By Karen Bond on Tuesday, February 05, 2008
January 28 was designated as Data Privacy Day by the International Association of Privacy Professionals in order to promote the importance of protecting personally identifiable information. Given the increasing importance of data privacy, Data Privacy Day is a good reminder for you to review your company’s data privacy policy and ensure it meets today’s regulations and protects against today’s threats.
What is data privacy?
Privacy is difficult to articulate. The American Heritage Dictionary defines privacy as “the quality or condition of being secluded from the presence or view of others” and “the state of being concealed; secrecy.”
But do these definitions capture the spirit of what data privacy is? Personally identifiable information is normally shared with individuals or institutions that we trust; therefore, is privacy a form of trustworthiness? What happens when that trustworthiness is violated?
Why should we care about data privacy?
It seems we hear almost daily of some organization mishandling or losing its customers’ personally identifiable information. Examples include financial institutions such as ChoicePoint, retailers like BJ’s Wholesale Club, Life is Good (a small clothing retailer in Hudson, N.H.), government organizations such as the Veterans Administration, and state governments like West Virginia and Ohio. Data breaches keep occurring with financial, health and lifestyle information.
Who bears the costs of privacy problems -- the person whose identity was stolen, financial institutions, retail businesses, law enforcement, taxpayers or consumers?
According to Jason Krause’s recent article “Stolen Lives,” today the law sees the primary victims of identity theft as the holders of the information that was stolen – the financial institutions and retail businesses – rather than the person whose identity was stolen. It is not your personal information that was stolen, but their information about you that was taken. However, attention is now focusing on what responsibilities businesses have to protect the private information of their customers and their employees.
California has already enacted a law requiring businesses with customers in the state to notify those residents when they have reason to believe that personally identifiable information has been compromised. Many other states are racing to enact their own legislation, leading to a jumble of state laws on businesses’ responsibility to protect personally identifiable information.
Another aspect of data privacy breaches is your business’ reputation. Michael Friedenberg in CIO Magazine states that if you mishandle your customers’ personally identifiable information, “20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers.”
How can we protect data privacy?
Cory Doctorow of the Guardian Unlimited suggests that “we should treat personal electronic data with the same care and respect as weapons-grade plutonium – it is dangerous, long-lasting and once it has leaked there’s no getting it back.”
Laws are one way to protect privacy, and the dozens of recent privacy breaches will likely cause another round of federal and state actions. There are other ways to protect data: subscribing to industry guidelines (such as membership in the Online Privacy Alliance), the choices you make as an individual regarding your personal information, and using technology.
While technology is often involved in the gathering, processing and dissemination of the information, Daniel J. Solove, Associate Professor at George Washington University Law School, in his article “A Taxonomy of Privacy” states that “privacy problems … are caused not by technology alone, but primarily through activities of people, businesses, and the government.”
Do not fall victim to thinking that having technology in place will solve all of your potential data privacy issues. You must train all employees in the safe handling of personally identifiable information – your customers’ as well as your employees’ information. Data handling policies and procedures must be reviewed and updated as your business’ data needs change and as the threats to keeping information safe change.
In the United States, most businesses today are impacted by the Fair Information Practices Principles that have been developed by the Federal Trade Commission (FTC) to address the collection and use of personally identifiable information and the safeguards required to assure these practices are fair and provide adequate privacy protection. Keep in mind that other federal agencies as well as many state governments have privacy protection laws in place that are more stringent than the FTC’s regulations and you must ensure that your business complies with all relevant regulations or face potential fines or legal action.
Does your company have a comprehensive program to address all of the government regulations and industry guidelines, or does your company only have an IT data protection strategy? Have all employees been trained on what policies and procedures are in place for how they should handle personally identifiable data on a daily basis? Do they know what to do if a breach occurs?
Data Privacy Day is a good reminder for you to think about what you do as part of your daily activities to ensure private information is kept private – your information as well as the private information of others that you use or come across in your daily work life.
Karen Bond Intendere
karenbond@intendere.com