Privacy Matters

July 1, 2007

by Laurie Brannen

Early last month, the employees of Pfizer Inc. received a letter from Lisa Goldman within Pfizer's privacy office stating that due to a security breach approximately 17,000 current and former employees had had their names, Social Security numbers, and, in some instances, their bonus information posted on the Web.

Goldman's letter was among the initial steps of a multipart effort to communicate and address the breach. For its part, Goldman's printed missive immediately helped quell some concerns by offering affected employees a $25,000 insurance policy to cover any costs resulting from the incident. Within the next few days, an initial investigation concluded that about 15,700 people had had their data accessed and copied and about 1,250 may have had their data compromised. Despite what appeared to be a quick response, Pfizer was unable to escape greater scrutiny as word of the breach spread.

"I am asking Pfizer … when the breach occurred, exactly what information was compromised, what steps it took after learning of the breach, and its policies for handling personal information and security compromises," explained Richard Blumenthal, attorney general for the State of Connecticut, who made known his concerns to Pfizer in a letter dated June 6.

The importance of protecting customer and employee information has escalated to mission-critical status for organizations in both the public and private sectors as data theft and fraud proliferate around the globe. No longer the domain of the IT function, privacy protection is now addressed holistically at companies aspiring to best practices in this critical area. The titles Chief Security Officer and Chief Privacy Officer have proliferated -- and finance executives are becoming increasingly invested in ensuring that their company excels in privacy program management.

The threat of data security breaches looms larger for companies in certain industries. Large financial services companies that keep extensive customer personal financial information and big retailers, for example, are potentially more lucrative targets for criminals than, say, a professional services firm that doesn't store substantial amounts of customer and employee information or transact much business online. But no organization can be totally invulnerable to problems arising from the loss or theft of personal information.

"Most businesses think about hacker risks, and these aren't really the biggest risks in terms of privacy issues," says David Paige, chief operating officer of DeWitt Stern Group, a niche risk advisory firm. Paige, a former attorney, has oversight of the firm's information security. "The biggest risk is simple negligence in many cases. Let's say that you're a trusted advisor, an attorney or accountant, who has confidential information in your server, say a series of emails that go back and forth with clients about upcoming transactions. You're at an airport and you turn around and your Blackberry is gone. A thief can go into the server and see private information. From a legal point of view, the information is not legally confidential anymore. Technically, it's been shared, and this can be used against you in a court case."
