By Michael Mahoney E-Commerce Times
08/17/01 5:09 PM PT
Multinational companies based in the U.S. have a long way to go to ensure the privacy of customer data, particularly data transferred via the Internet, according to a study released Thursday by Andersen.

"The reality of today's global economy, especially the use of the Internet as a channel for conducting business, has amplified the need to focus on individual privacy," said Russ Gates, managing partner of Andersen's risk consulting services.

According to Gates, it is a "strategic necessity" for businesses on the Internet to find acceptable ways to address the privacy requirements of their customers.

"Companies doing business internationally must pay particular attention to the privacy requirements in the places they do business," Gates added.

Of the 75 companies studied in the report, none met all of the international privacy standards established by the Safe Harbor agreement that went into effect July 1st between the European Union (EU) and the United States.
Sailing By
In addition, only 5 percent of the companies studied have established mechanisms for assuring compliance with the safe harbor principles and for providing recourse to individuals whose privacy is breached.

Just 25 percent, meanwhile, included proper notice to individuals before using their information for a purpose other than originally intended or before disclosing their information.

"Any company can take a few simple actions to begin improving their privacy practices," said Andersen principal Kerry Shackelford.
Step by Step
The first step, Shackelford said, is for companies to review the completeness of their online notices.

"More than a third of the companies we studied did not address if and how a user could inquire about and amend or erase personal information possessed by the company," he said.

The second step for e-businesses looking to comply with the standards is to be sure that they have addressed how an Internet user could submit a complaint and what follow-up they could expect.

Third, companies can protect personal identity information with the same rigor as they protect payment data.

"More than a third of the companies studied failed to take this easy step," said Shackelford.
Way To Go
The safe harbor standards were jointly developed by the U.S. Department of Commerce and the EU in response to the European Commission's Directive on Data Privacy, which prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection.

Standards in which the multinationals fared better in the study included data integrity (for which 74 percent complied), which requires that personal information captured be relevant to the purpose for which it is used.

Another standard, choice, for which 80 percent complied, requires that individuals be allowed to opt out from disclosing information to a third party or for a purpose other than its initial intent.

The Andersen study also compared industries to determine which online segments were doing a better job with privacy issues. The financial services industry scored the highest on any single principle, with 92 percent meeting benchmarks on the choice standard.
Risky Business
According to Andersen, it is expected that the EU will increasingly assess the adequacy of U.S. companies' privacy practices.

"Disruption to the conduct of business is a very real risk," Shackelford said. "U.S. companies that take the lead in embracing privacy standards will safeguard customer loyalty, enhance reputation and image, and enjoy the freedom to structure business operations unrestricted by data protection laws."
Does Microsoft Pass?
Redmond, Washington-based Microsoft (Nasdaq: MSFT), for example, has come under fire for possibly violating the safe harbor standards. According to the Electronic Privacy Information Center (EPIC), a U.K. resident is planning to ask the U.S. Federal Trade Commission (FTC) to investigate whether Microsoft's Passport system is in compliance with the international privacy standards.

EPIC and 12 other consumer watchdog groups filed a similar complaint last month alleging that Microsoft is engaging in unfair and deceptive trade practices.

In response, Microsoft said it was reducing the amount of information necessary to establish a Passport account.

But EPIC said individuals signing up for a Passport still must provide an e-mail address, country, state, and ZIP code.

According to EPIC, routine privacy standards, such as collection limitations and data quality, are being ignored by Microsoft's Passport.