For over twenty years, my father was a wholesale seafood supplier. One day over dinner (probably lobster, because that’s just how we rolled), my father tells us that he has hired an off-duty US Department of Agriculture inspector to inspect the fish that his company will be sending out to its grocery store clients. When I asked him if this was a legal requirement, he said it was not (the Department of Health and Human Services, via the FDA, apparently regulates fish, not the USDA). When I then asked him why he was doing it, he said, “If you were in the grocery store and you saw one piece of fish labelled ‘USDA Government Inspected’ and one piece of fish without that label, which one would you buy?” An informal “seal” program had been born!
Seal programs are nothing new. We’ve all heard of the Good Housekeeping Seal of Approval, which confirms that a company’s products meet a certain standard of reliability, or the Better Business Bureau’s Dynamic Seal, which is designed to give consumers added confidence in a company’s business practices. Seal programs are a way for businesses to boost their reputation for ethical conduct and quality standards, which in turn (hopefully) will boost their revenues and profits.
Given the endless stream of lawsuits and media stories surrounding data breaches and companies’ inadvertent and intentional misuses of their customers’ personal information, it should come as no surprise that there are several seal programs out there whose sole focus is consumer privacy. Secure one of these, and your company can boast that its information handling practices conform to the highest standards of privacy and security. But should every company processing personal information participate in a privacy seal program? The answer, as usual, is that it depends…
Consider first the quantity and type(s) of personal information your company gathers. If you merely retain the email addresses of people who buy from you so you can notify them of your upcoming Arbor Day Sale, then it may not be worth the expense to obtain a privacy seal (the annual license fee is scalable based upon company revenue, but it can still be thousands of dollars, not including any costs associated with assessing your eligibility for the program in the first place). Or the type of information you collect may already require you to comply with a pre-existing privacy or data security standard. If your company stores, processes or transmits payment cardholder data, regardless of the number of credit card transactions, you must comply with the Payment Card Industry Data Security Standard (PCI DSS); the number of transactions only determines how you validate that compliance (a self-assessment questionnaire versus an on-site assessment by a Qualified Security Assessor), not whether the standard applies. Membership in the Digital Advertising Alliance requires that you adhere to a variety of DAA Self-Regulatory Principles concerning mobile devices, online behavioral advertising, etc. The cost of complying with these standards or principles is higher than that of the more generic privacy seal programs, but if you are going to have to pay those costs anyway, it may make participation in TrustArc or WebTrust’s seal program unnecessary, especially if you can boast that you are “PCI DSS compliant” (strictly speaking, PCI DSS does not issue a “certification”; what you obtain is a validated Attestation of Compliance). Then again, if TrustArc or WebTrust will consider PCI DSS or DAA compliance as the equivalent of compliance with their requirements, you might get two seals for the price of one.
Also consider whether the privacy seal program might net you a benefit beyond reputational enhancement. The HITRUST Common Security Framework (CSF) is (according to HITRUST anyway) a comprehensive and flexible framework of prescriptive and scalable security controls that incorporates not only federal and state privacy regulations, standards and frameworks but also existing, globally recognized standards and business requirements, such as ISO, NIST and PCI DSS. The CSF is aimed primarily at the healthcare industry, and while HITRUST acknowledges that being HITRUST CSF Certified does not mean you are HIPAA compliant, CSF validated or certified assessments have previously been accepted by the Office for Civil Rights (OCR), the federal agency tasked with HIPAA enforcement, as evidence of an entity’s compliance with the HIPAA Security Rule. In other words, getting CSF certified may save your company the hassle of an OCR audit down the road, or at the very least make the audit a much less stressful affair!
Articles 42 and 43 of the EU General Data Protection Regulation (GDPR) also contemplate the establishment of data protection certification mechanisms and data protection seals and marks for the purpose of demonstrating a data controller or processor’s compliance with the GDPR. Given the stiff penalties associated with GDPR non-compliance, participating in one of these seal programs may head off an investigation by a supervisory authority (commonly called a data protection authority, or DPA) and allow you to find and fix any issues before the DPA gets wind of them. One caveat: Article 42(4) states that certification does not reduce the controller’s or processor’s responsibility for compliance, so a seal is evidence you can point to, not a safe harbor.
The downside to these programs is that they could cost significantly more than TrustArc, BBB Online or WebTrust. Whilst investigating the possibility of pursuing a HITRUST CSF Certification for one of my clients, one external assessor told me that it could cost anywhere from $20,000 to $40,000 for a baseline assessment, and that the costs could go into six figures, depending upon the size of the company and the amount of personal information involved. At least an OCR audit is free (assuming you pass, of course)!
Ultimately, which privacy seal(s) to pursue involves a cost-benefit analysis, but if your business processes a decent amount of personal information, pursuing some sort of privacy certification is worth it. After all, you want your customers buying your fish, not the competition’s.