
New Website Seal For Companies Participating In The EU Safe Harbor Program

Something I've been spending a lot of work on this summer is creating management tools to help information security and privacy practitioners do their jobs more effectively and efficiently. In the past three months I've had over a dozen CISOs and CPOs call me and ask if I had specific types of tools to help them with their information security, privacy and compliance efforts and initiatives. One of the tools will help them manage their programs and processes for transferring personally identifiable information (PII) between any of the 27 European Union (EU) countries and the U.S. or other countries, along with the many complex issues involved. One of the decisions involved in tackling this issue is whether or not to participate in the Safe Harbor program.

So, I was very interested to read that the U.S. Commerce Department announced a new certification mark/seal for organizations to put on their websites to show that they have self-certified compliance with the Safe Harbor Framework requirements.

Before the availability of this certification seal/mark, you had to check the online list to see if a company participated in the program. The search process is a bit kludgy.

There are over 1,500 organizations participating in the EU Safe Harbor program; many, many more than just a few years ago.

It is important to understand that this is a *SELF CERTIFICATION* program. Under the program, organizations "certify" (I really don't like the use of this word for this type of program) their compliance with the privacy principles required under the EU Data Protection Directive 95/46/EC.

If the U.S. Federal Trade Commission (FTC) discovers that one of these self-certified organizations is not actually following the Safe Harbor program requirements, the FTC can bring an enforcement action against the U.S. company. There can also be negative repercussions from the EU countries. Note: to date the FTC has not yet exercised a formal action for non-compliance with the program.

The reported purpose of this new Safe Harbor certification mark/seal is to help consumers in Europe quickly see whether they are interacting with a Safe Harbor company.

It is interesting to also see that the Commerce Department is creating a similar Safe Harbor program for U.S. organizations to use for PII transfers between Asia Pacific (APEC) countries.

Often various business unit (BU) leaders, lawyers, and even marketing heads sign up for Safe Harbor without first speaking with the information security or privacy areas to see if the organization can even meet the requirements for which they are "self certifying" the organization.

Has someone signed up your organization for Safe Harbor without talking to information security or privacy areas? You wouldn't want to be the first organization to which the FTC assigned penalties for not following the program requirements.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.