Privacy claims can arise even when data not lost

Broad approach to protecting info helps curb problems

CHICAGO—Without a solid policy on protecting customers' and employees' private information, companies expose themselves to numerous professional liability risks that could result in legal battles on several fronts, according to insurance and risk management experts.

"Privacy and how you handle information create risk and liability for companies that have nothing to do with dot-coms and Internet sites; this is not an Internet issue," said Robert A. Parisi Jr., a senior vp with FINPRO, Marsh Inc.'s financial and professional liability practice in New York.

"This is relevant to any company that has a computer network or retains information on customers and employees," Mr. Parisi said during an educational session at the Professional Liability Underwriting Society's international conference in Chicago. PLUS held its 19th annual conference Nov. 8-10.

Customers are not the only parties who are suing companies that fail to protect sensitive data, said David J. Navetta, a managing member of consultant InfoSecCompliance L.L.C. of Denver. He noted that a bank that had issued credit cards to a group of customers whose card information was compromised by a vendor's inadequate security system sued the vendor for the cost of issuing new cards to the group.

In addition, the Federal Trade Commission has sued companies under deceptive and unfair trade practices regulations for not providing privacy notices and for implementing security systems that the agency did not consider reasonable, said Mr. Navetta and Mike Donovan, global product leader for technology and miscellaneous professional liability insurance with Beazley Group P.L.C. in San Francisco.

"So, a company can get hurt by the government, its customers and its partners," Mr. Navetta said.

But privacy rules and regulations do not clearly stake out privacy policy guideposts for companies. One of the biggest issues in this area is that the rules require companies to provide "reasonable" information security but do not elaborate on what qualifies as reasonable. Referring to that requirement, Mr. Navetta said, "The problem is, what does this mean?"

"No statute is ever going to tell you how often you have to change the password on your computer system" to guard against security breaches, Mr. Donovan said.

Yet, companies must comply with a variety of federal and state laws that cover medical, financial, school and criminal information, the panelists said.

Indeed, the number of data privacy rules and regulations that companies must follow will only grow, the panelists said. For example, the European Union has complex privacy rules, Canada's statutes are stricter than those in the United States, and Japan has enacted strict rules, Mr. Donovan said.

In addition, about three dozen states have enacted laws requiring companies to notify customers and employees when their private information has been compromised, and more are expected to pass similar requirements, the panelists said.

"You have to worry about all of these laws," Mr. Navetta said. The rules vary by jurisdiction, "which makes compliance complex."

To safeguard sensitive information, companies must understand the variety of ways that the information can be compromised, the panelists said. Company insiders, as well as outsiders, can steal sensitive information contained in paper files, online and offline sources, and laptops, noted Thomas Srail, a vp with the Executive Risks unit of Willis of Ohio Inc. in Cleveland.

Companies also can trigger breach-of-privacy lawsuits even if the sensitive information they retain is not stolen, the panelists said.

For example, companies involved in mergers are at risk of being sued for misrepresenting their privacy policies if they change their policies after the merger, Mr. Donovan warned.

Mr. Navetta agreed. "Once you represent that you are doing something a certain way and you don't, you have FTC issues" concerning deceptive trade practices, he said.

Panelists also noted how efforts to find the source of boardroom leaks of confidential information at Hewlett-Packard Co. led to criminal indictments of former Chairman Patricia Dunn, among others, after board members' private information was compromised (BI, Sept. 18).

Mr. Donovan noted that HP had been recognized for its privacy policy before then. "That's a great example of how privacy issues can arise in circumstances that are very difficult to predict," he said. The lesson to be learned is that "companies can get into trouble in an unlimited number of ways" by mishandling sensitive data.

Developing a privacy policy is not a simple task, and it is a major investment, Mr. Donovan said. But it is good corporate governance, and having a policy in place makes a company eligible to apply for insurance that covers privacy-related damages, he said.

A good starting point is an Internet search, which should provide an abundance of material on how to draft a privacy policy, Mr. Donovan said.

A good privacy policy should explain, among other things, customer and employee choices on how their information will be used and shared with other parties, how to correct information and how to contact the company if information has been handled inappropriately, Mr. Donovan said.

Many companies develop one policy for their online customers and another for their employees, he noted.