How Effective Are Your Policies?
It’s all over the news now that the Supreme Court has agreed to hear a case on employee privacy, specifically regarding the ownership of electronic communications (email, text) generated using company-issued computers and cell phones. Needless to say, whatever ruling comes out of this case will have a profound impact on privacy rights within the US.

What also intrigues me about this case is the effectiveness of policies in an organization. According to the news, Ontario Police Department claims that the department’s privacy policy is very clear on this matter. Now, what do you think is the chance that this police officer has read that privacy policy, let alone understood its impact on him? How many officers in that police department do you think have actually read the privacy policy? The answer is probably a very, very small percentage.

Now think about your organization: do you think your company is doing any better? Do you know what your company’s privacy policy is and how it impacts you? Chances are you don’t.

Unfortunately, most companies treat policy as a paper exercise. Companies put a lot of effort into writing, reviewing and approving policies, then the effort to socialize and enforce those policies takes a steep dive. Most companies just send out an email or a casual reminder to all employees once a year. A few more companies ask employees to attest that they have read the policy and also make online training available. Few actually attempt to measure comprehension of and compliance with those policies.

Policies are basically controls. You can define all the controls you want, but if you don’t enforce them and measure their effectiveness, then it is just a paper exercise to give you a false sense of warm and fuzzy. As we welcome 2010 and a new age of privacy enforcement in the US, do you know where your policy program stands?
