Industry searches for better privacy software

Over the past year, many companies have jumped at the chance to demonstrate their commitment to privacy by naming chief privacy officers (CPOs).

That was the easy part. Now these executives are looking for the products and services they need to tackle their jobs and finding that, while there are plenty of consultants available -- even special privacy teams at major accounting firms -- software products to help them mount a comprehensive approach to complying with new privacy regulations are sorely lacking.

One new CPO recently complained that after accepting the title she felt like a chief financial officer without spreadsheets, enterprise resource management software or accounting programs, according to Austin Hill, executive vice president and chief strategist of Zero Knowledge Systems Inc., which makes privacy management software for consumers.

The number of concerns for a CPO is huge. In the U.S., financial services companies have to comply with the Gramm-Leach-Bliley financial privacy law, which gives financial institutions until July to explain their privacy policies to their customers and allow them to "opt out" of marketing solicitations. It also requires financial institutions to disclose who sees the private customer information in their possession. The Health Insurance Portability and Accountability Act (HIPAA), meanwhile, affects almost every health care operation and requires them to have a privacy officer.

The Children's Online Privacy Protection Act, which requires Web sites targeted at children to ensure the children have parental permission to view the site, contains privacy requirements, as do the Cable Privacy Act and the Fair Credit Reporting Act. In addition, U.S. state governments passed more than 400 bills addressing privacy concerns last year, and this year more than 50 have been introduced in the U.S. Congress.

Beyond that, there's an international component for multinationals. For example, any company doing business in Canada will also have to comply with the Personal Information Protection and Electronic Documents Act, which was enacted last year to protect disclosure of personal information in electronic transactions.

Another privacy-related government policy that took effect last year is the safe harbor agreement between the U.S. and the European Union. It went into effect Nov. 1 and is designed to provide some legal protection to U.S. companies and organizations whose European subsidiaries gather personally identifiable data about people living there, including employees and customers. Safe harbor provides a self-regulatory framework designed to give U.S. companies a way to adequately meet the E.U.'s 1998 data privacy directive, which is more stringent than current U.S. privacy law.

With all the privacy legislation that's been passed recently, it's no wonder that the average organization doesn't yet have a good understanding of all the issues surrounding privacy, said Bob Blakley, chief scientist for security at Tivoli Systems Inc., an IBM Corp. subsidiary that makes IT management software, including a product for managing privacy.

"The Y2K problem gave us a lot more advance notice than this," Blakley said. "IBM worked on that for decades or more, whereas privacy regulations sprang into being in the last three years."

And to compound the problem, there is not a set of robust and secure products that help the CPO get a handle on it, Blakley said.

The first concern of CPOs is usually figuring out what private information their organization has in its possession, and that can be difficult because back-end systems were not designed with that requirement in mind, Blakley said.

Next is figuring out who has access to the private information and what has been done with it. Third is to make sure the company's processes and systems support the company's privacy policy. This list of duties is typically carried out on an ad hoc basis and sometimes manually. Gradually, tools that automate the procedures are coming out, but no CPO thinks automation will be a reality any time soon.

"Everyone realizes that they are going to want to automate this process, but they generally do not believe the tools exist to automate the process yet," Blakley said.

Many companies currently are taking a services route with the help of consultants, Hill said, citing three or four different approaches. But some consultants come away from projects convinced that there's got to be some kind of software tool to make procedures easier, Hill said.

In addition to its team of privacy consultants, Tivoli offers Tivoli SecureWay Privacy Manager access control software, an extension to Tivoli SecureWay Policy Director. It provides a set of best practices and categories of data that can be adapted to an organization's own privacy policy. There are a few small deployments of the product, Blakley said, but none of the customers are willing to share their experiences publicly at this time.

Zero-Knowledge "knew this market was going to come," Hill said, and is preparing to announce a new "privacy rights management" product that will ship in the third quarter. The software will be designed to help CPOs start to monitor and manage what's happening in the enterprise.

It will be the first in a suite of products aimed at helping companies meet privacy regulations. Zero-Knowledge is not releasing a lot of details about the software, but Hill described it as "a console" for CPOs to let them deal with inventory of data and monitor how data is used. Other products in the suite will come out in about 18 months.

Michael Erbschloe, vice president of research at Computer Economics and co-author of "Net Privacy: A guide to developing & implementing an ironclad e-business privacy plan," said he also believes new privacy laws create a market opportunity.

"But I think the most market opportunity will be utility packages that can plug and play with large databases, or added features to database packages that provide for privacy rights management," he said. "A good database administrator can build this into the database they are managing, but what a lot of companies are looking for is that plug and play utility. I really expect the big database companies to go fully in that direction."

Oracle Corp., for example, is moving toward providing on and off switches for database records that would determine how they could be used. There will be more activity in this area later in the year, Erbschloe predicted, adding that SAP AG and PeopleSoft Inc. are addressing privacy in their human resources modules.