ITworld.com

NPI: IT's responsibility

Network World 7/16/01

Mark Gibbs, Network World

"Nonpublic Personal Information (NPI) [means] nonpublic personal financial and personal health information. NPI includes any personally identifiable information about a customer which is provided to us . . . whether such information is received from the customer themselves or from any outside source."

-- The Ameritas Acacia Companies Privacy Protection Policy

I just received a letter from Ameritas Life Insurance Corp. detailing its privacy protection policy that curiously does not include the above definition. I suspect the omission is easily explained: The letter I received filled both sides of a single sheet of paper in 8-point type, and if the company had included the full text that it posts on its Web site, it would have to use two sheets of paper -- too expensive for something they don't really care about.

The rest of the privacy policy is the usual gobbledygook that, unless I am much mistaken, could be summarized as: "We know lots of private stuff about you and will share this data with anyone who we feel we have some kind of need to share it with. Now, go back to being a good little sheep."

Just check out the section "Disclosure of Customer NPI" on the Web site (www.ameritasacacia.com/privacy.htm), a list of companies/organizations the company may share NPI with. Let's just say they cast the net awfully wide.

Moreover, if your information is passed on to another company, the Ameritas policy doesn't say how they will transfer your data and with what assurance of accuracy, or how they will enforce or audit other companies they give your data to.

Ameritas isn't alone in its privacy practices. Such cavalier behavior is commonplace and -- given current law -- completely legal.

What I wonder is what IT is doing about it. We have a responsibility to, if you'll excuse the grand phrase, "do the right thing."

If the vice president of marketing asks the CIO to transfer the records for all customers known to be suffering from cancer to some pharmaceuticals outfit, the CIO should ask: Why? Who is the recipient? Have we audited its data-handling practices and is its privacy policy in line with ours?

In the case of Ameritas, the company has appointed a chief privacy officer, and one would hope that such concerns would be handled by someone in his position, but where's the accountability? Sure, if you catch them and can afford to take a multibillion-dollar corporation to court, you might get some satisfaction, but don't count on it.

And just check out the following: "We do not disclose NPI... without first notifying the customer in writing of our plans, providing the customer with an opportunity to 'opt out' of the disclosure." So if the notice they send me goes missing in the mail they can assume I haven't opted out! What a crock!

Most organizations that plan to share NPI with other entities don't really appreciate that electronic data is more dangerous and harder to control than paper-based data.

They don't realize that they instantly lose control once they share data. Indeed, in most companies assuring that data even stays private internally is next to impossible.

As an IT professional you should be proactively involved in making sure your organization acts responsibly and ethically with regard to NPI because it is most likely that non-IT staff will not begin to understand the issues beyond the basics that the law demands.

What do you do about ensuring your outfit plays nicely with NPI? Confessions to nwcolumn@gibbs.com.

Mark Gibbs is a contributing editor for the Network World reviews section.




Copyright © Computerworld, Inc. All rights reserved
