BUSINESS PRIVACY OBLIGATIONS
By: Gary Graca

Businesses embarking upon e-commerce must comply with challenging new regulations respecting the protection of personal or "private" information from unauthorized use, disclosure or distribution. Many businesses may be forced to create compliance programs to ensure that private information remains protected. A privacy "audit" is a good starting point for any business developing an effective compliance plan to address: 1) compliance objectives; 2) current information flows; and 3) the resources available to implement necessary changes.

An audit starts with a clear set of objectives for compliance that are formed by existing and anticipated future legal requirements, and the reasonable expectations of business partners and customers. Businesses should start by reviewing applicable regulations such as: 1) Federal Trade Commission regulations governing websites; 2) privacy requirements for personal health information under HIPAA; 3) requirements for privacy of financial information under the Gramm-Leach-Bliley Act; 4) other specific federal statutes such as COPPA and FCRA; 5) the European Union Privacy Directive; and 6) state unfair competition and consumer protection laws.

After identifying compliance objectives and the private information requiring protection, a company's relevant information practices can be charted and assessed. This process can be time-consuming, but it should lead to an understanding of information flows, particularly with respect to e-commerce. The company will want to review the "entry points" for information; identify the sources and elements of data collected; identify the flows and uses of information; and review each information flow and characterize each use or disclosure of private information.

An effective compliance plan should address: 1) technical security measures to protect both stored and transmitted information; 2) physical security and access to private information; and 3) policies and procedures, including training, security, human resource practices, record keeping and audit controls, and management responsibilities.