Corporate privacy policy concerns grow: at a time when corporate reporting and governance issues have been dominant, privacy has often been getting too low a priority, lawyers and other experts warn.

• Author: Morris, Barbara A.
• Position: Privacy

Not too long ago, sensitive customer information was tucked away somewhere in an office, often stored securely in a file cabinet. With access restricted to only a handful of employees, such information was generally believed by customers to be "safe."

In an age when that same information is now stored in electronic bytes, able to be shared or displayed to potentially millions of viewers with a click of the mouse, consumer attitudes about privacy have changed dramatically. Customers are growing skittish, and companies are being held to much higher standards for protecting the personal data they obtain.

For example, Federal Trade Commission (FTC) fines stemming from privacy violations can easily reach the seven-figure range, while careless treatment of consumer data can subject a company not only to huge legal headaches but a public relations nightmare.

Consider the public, media and FTC scrutiny recently levied against a major drug manufacturer when it inadvertently posted the e-mail addresses of more than 600 users of the anti-depressant Prozac. And in a speech last year, FTC Chairman Timothy Muris cited the public's growing privacy concerns and announced a stepped-up agenda calling for a 50 percent increase in FTC resources dedicated solely to consumer privacy.

Yet, strangely enough, says Alan Sutin, a partner at the Washington, D.C.-based international law firm of Greenberg Traurig, many corporate leaders still view privacy as a low priority. "They think it doesn't matter," says Sutin, co-chair of the firm's National Information Technology & E-Commerce Practice. That is, until they "get into trouble."

Many corporations, Sutin adds, are subject to very specific statutes governing how they can use and share protected customer data. Yet even those companies that don't fall under regulatory umbrellas are still being held to increasingly strict privacy expectations. The challenge to corporations, whether regulated or not, is to ensure that their privacy policies are clearly stated, are thorough and followed to the letter.

"A general approach that can keep a company safe (from potential liability) is to say what you do and to do what you say," advises Sutin. Companies must clearly tell the public what information is being collected, as well as how it's being gathered, used and ultimately protected. It's "ill-advised" for companies to remain silent about their privacy policies, he says.

"The biggest mistake a company can make is to ignore the problem -- to adopt the head-in-the-sand mentality and assume the problem will go away," concurs Alan E. Brill, senior managing director at...