Required Acknowledgement of Security Policy Changes

Legal precedents are beginning to dictate a new standard for notifying your customers and employees of policy changes. In the “old days” organizations would post changes to information security policies on the corporate intranet, and perhaps even notify employees that these changes had occurred via email or some other means. However, in legal actions where employees were terminated for violating policy and then sued for improper termination, the conclusion was that mere notification is not enough. Organizations are expected to notify employees of important policy changes, but must go a step further and verify acknowledgement by the employees affected by the change.

A recent case with a telecommunications provider seems to indicate that this standard applies to customers as well. The typical line in many online privacy policies goes something like “we reserve the right to change this policy at any time.” While this practice is common, it is certainly not in the spirit of “open” communication with customers as outlined in the OECD Privacy Principles. This ruling came as part of a class-action lawsuit in which customers sued over terms-of-service changes that were applied automatically to their accounts. However, it seems likely that an equal case could be made for changes to privacy policies that would affect the collection of personal information.

I believe it is now “best practice” to require acknowledgement of important security and privacy policy changes. I am interested to hear if this is becoming standard practice in real organizations, or just the unrealistic musings of a policy “purist.”