
Keeping data under lock & key: corporations are wrestling with the manifold issues raised by new privacy laws, including the costs, confusing rules and consumer wariness. Even those with dedicated privacy officers have their hands full.


In the fall of 2003, discount airline JetBlue hit heavy weather when a group of passengers filed a class action suit charging breach of contract, invasion of privacy and fraudulent misrepresentation. The reason? The airline had shared passenger information with a government contractor who was preparing a risk assessment study for the Department of Homeland Security.

"In the wake of the Sept. 11 attacks, and as New York's hometown airline, all of us at JetBlue were very anxious to support our government's efforts to improve security," JetBlue CEO David Neeleman said in an apology posted on the company's Web site. But JetBlue wasn't alone--Northwest Airlines and American Airlines faced similar lawsuits. "There are some indications that the law may not treat handing over that information as a violation of privacy, but these companies have already suffered a fair amount of loss of brand value from the flap," says Stewart Baker, a Washington, D.C.-based partner in the law firm Steptoe & Johnson.

Only in America, perhaps, can a company get in trouble for sharing information with the government itself. But as the memory of 9/11 recedes, privacy rights and suspicion of the government once again seem to trump security concerns in the minds of many Americans. And companies are finding that privacy laws are confusing, frequently costly and ripe for misinterpretation.

A 2003 Privacy Trust Survey by The CIO Institute of Carnegie Mellon University and the Ponemon Institute asked Americans to rank various institutions, companies and professions in terms of their trustworthiness with personal information. Respondents ranked the Department of Homeland Security second from the bottom--just ahead of grocery stores, but behind other retailers. What's more, hundreds of lawsuits have been filed against companies that allegedly violated privacy rights while obtaining, using or sharing information. "The latest figure is $125 million recovered in lawsuits from companies," says Dr. Alan Westin, Professor of Public Law & Government Emeritus at Columbia University and President and Publisher of Privacy & American Business.

Many companies are struggling just to keep up with the proliferation of privacy-protection measures. "We have scores, maybe thousands, of laws in the United States on the federal and state level, as well as millions of contracts and as many if not more informal or administrative requirements based on letters from government agencies," notes Alan S. Goldberg, a Washington-based attorney and former president of the National Health Lawyers Association. A study by IBM and the Ponemon Institute found that some companies spend over $22 million annually on privacy.

Sometimes the effort to tighten privacy controls backfires, as it did in the case of a company that, for security purposes, decided to change email passwords every 90 days. People forgot their ever-changing passwords, and it could take hours to get a response from the technology department, so managers started distributing global passwords--effectively nullifying the privacy protections.

Sometimes corporate decisions, such as outsourcing, have unintended privacy consequences. "One company outsourced a call center to the Ukraine at 22 percent of the call center cost in the U.S.," recalls Dr. Larry Ponemon, chairman of the Ponemon Institute. "But it was an IT sweatshop with no security controls, and people on the inside were not making a lot of money, so when they saw they could sell information for pennies or rubles, they did it."

Sometimes it's unclear what the law is, and companies find themselves caught between one court or regulator and another. That was Toysmart's fate. Toysmart had promised customers that information about them and their children (including names and birthdays) would never be shared. But when it went bankrupt, it offered the list for sale. The Federal Trade Commission (FTC) sued, and the bankruptcy court quashed Toysmart's first attempt at settling with the FTC. (Eventually The Walt Disney Co., Toysmart's majority owner, made a payment to the subsidiary, and Toysmart destroyed the information.)

Enron-Style Privacy Meltdown

Managers could be excused for thinking of privacy as a knotty, costly nuisance, as most seem to. It's surprising, then, to hear the CEO of one of the biggest e-commerce success stories calling for stricter regulation of data and warning of dire consequences.

Chris Larsen, chairman and CEO of E-Loan, paints a nightmarish scenario of data sharing in the consolidating financial services industry. "A lot of financial services companies have patched together thousands of affiliates crossing credit card companies, brokerage companies and so forth. The whole objective there is that they can use the data they get in one affiliate to see if a customer is a good risk or not. You can have data sharing among affiliates with no opt-in or opt-out," he explains. "I think this is clearly an area where something has to give or you'll have an Enron-style privacy meltdown."

For example, he adds, "Someone who buys a book on Amazon suddenly can't get health insurance, or it comes out that purchasing a gun is somehow correlated with higher insurance incidents, so people who buy guns to protect themselves or their homes can't get house insurance. That's the kind of undisclosed thing you can now do with data, given the power of networks and databases."

Absent a clear legal framework, E-Loan has already taken steps to position itself as a company with far more than average sensitivity to privacy issues. Like other financial services companies, E-Loan has outsourced some back-end processes to India. Unlike any competitors, however, E-Loan offers its customers the ability to control whether their own applications go offshore or not. If loan applicants have concerns about Indian privacy protections, they can click a box that marks the application for processing in the U.S.

Privacy and Brand Value

E-Loan is not alone in its decision to make privacy a point of competitive differentiation. Other privacy pioneers also see it as an opportunity. So, as difficult as mere legal compliance is, companies like Procter & Gamble Co., Hewlett-Packard and Nationwide Mutual Insurance Co., among others, have chosen to go far beyond the requirements of the law, believing that privacy protection builds brand value and therefore shareholder value. Some have even managed to quantify the effect of privacy on brand value. Research at Royal Bank of Canada demonstrated that privacy contributed 7 percent to that institution's overall shareholder value, according to Peter Cullen, who established the corporate privacy group at the bank. In 2003, Cullen joined Microsoft as chief privacy strategist.

"Beyond legal requirements, privacy is an expectation of our customers," he says. "If we say we meet the requirements of the law, many customers would tell us that's not good enough. We approach it from a customer-first standpoint."

Procter & Gamble's chief privacy officer, Sandy Hughes, cites research indicating that half of the customers who visit a Web site and read the privacy statement will leave if they don't like the statement. "Having consumer trust is good business for us. Our whole privacy program is built on that. If we just wanted to satisfy the letter of the law, we'd have a different program. But we see it as a competitive advantage."

Hughes wears two hats at P & G--the global privacy hat and the competitive intelligence hat. "It's two sides of the same coin," she says. "By knowing how people piece together pieces to gather information, I know what's possible. With the privacy program, we are protecting information entrusted to us." P & G has a privacy challenge, however, in connection with customer suspicion of radio frequency identification (RFID) tags, now becoming popular for tracking inventory and retail sales.

"The issue from a public policy standpoint is whether these tags could track someone inside and outside. There are a lot of misperceptions and fears and there's a consumer backlash, fears about what companies would do," Hughes says. P & G's Web site has, under its prominent privacy button, a lengthy explanation of its policy on RFID tags--when products carry the tags, the choice to disable them and control over whether personal information is linked to the electronic product codes.

Choice and control are the P & G lodestars. P & G is a permission-only marketing company, and customers who visit P & G Web sites have to give the company explicit permission to contact them again. "The whole company mantra is that the customer is boss," Hughes concludes.

The word "global" in P & G's privacy program means that the company has one program worldwide. The alternative is to tailor local programs to local laws, an alternative some find adds more complexity than it's worth. Barbara Lawler, who heads HP's global privacy program, says, "We've chosen a consistent, global approach as much as possible. It's difficult to manage different policies based on different data types and countries. It's difficult to train a workforce and keep them educated and aware, and it also makes compliance assurance difficult."

The company's privacy rulebook establishes standards and an interactive checklist that designers can use in product development to flag potential privacy issues and that directs a privacy manager to the area. "The driver for us is [that] we saw privacy as an opportunity to reinforce our business values and create competitive advantage on the customer side," Lawler says.

Trade-Offs

Privacy isn't cheap, though, and sometimes the cost of privacy is a reduction of consumer choice, as Nationwide Insurance discovered.

Nationwide began to pay serious attention to the privacy issue in the mid-1990s, says the firm's chief privacy officer, Kirk Herath. "First, the Europeans passed a strict privacy directive in 1995, then the Health Insurance Portability and Accountability Act (HIPAA) passed in 1996. In November of 1999, the Gramm-Leach-Bliley Act passed. We all realized that privacy would not simply be a compliance project but clearly an ongoing obligation and program."

Gramm-Leach-Bliley required, among other things, that financial companies notify customers of privacy policies. "We've got millions and millions of customers, so the task of mailing these things cost an estimated $3 to $4 million," Herath recalls. HIPAA, on the other hand, cost Nationwide some business, since it used to sell health insurance through its agents.

By the mid-1990s, rising medical costs, combined with Nationwide's relatively small health insurance customer base, were making the business uneconomical. The added costs from HIPAA compliance caused Nationwide to rethink its involvement in medical insurance, and to sell its Medicare claims processing operation.

"HIPAA was the straw that broke the camel's back. We ended up winnowing down. We started with seven or eight product lines that needed HIPAA compliance, and we ended up with three," says Herath. A strategic alliance with a law firm allowed Nationwide to pare the costs of developing the necessary compliance documents, and by the end of 2002, Nationwide was well along the road to compliance, and had developed an in-house HIPAA training program.

Of course, 2003 was the year of "do not call." "I did legislative affairs for over a decade, and I knew 'do not call' was an issue, but if you told me that almost the whole country would have done something, including the federal government, I'd have told you you were crazy," Herath says. For the most part, the new laws and regulations are uniform, but there are enough differences that compliance is a challenge, especially with a widely distributed sales force that relies heavily on telephone contacts.

Collecting all of the names on the national and state lists and putting them on an internal system would have been costly and perhaps less reliable than the solution Nationwide adopted. "We ended up outsourcing to an outside vendor with an 800 number all of our producers call through, dialing through a server which includes every federal 'do not call' list, every state and our own corporate 'do not call' list. If you dial a number on one of the lists, it blocks the call," he explains, noting, "We're trying to do something similar to that with spamming."

Technological advances, industry consolidation, outsourcing, brand value--there seems to be no front-burner business issue that does not now or will not soon have a privacy dimension. Clearly, no one privacy recipe is right for every company. Some firms have discovered, to their chagrin, after announcing a strict "me too" privacy policy to the public, that honoring it would involve putting a unit out of business or otherwise sacrificing a valuable asset.

Interestingly, the experience of E-Loan indicates that the very act of clearly explaining a privacy policy seems to put the public at ease. Although E-Loan offers people the opportunity to opt out of data outsourcing, over 80 percent of loan applicants choose to opt in. The message seems to be that if you tell people what you're going to do, and do what you tell them, you can have efficiency and customer trust, too. That translates into brand value.

Areas of Privacy Concern

* Sharing information with governments

* Obtaining or using information from overlapping sources

* Security problems with emails or firewalls

* Allowing outsourcers access to confidential material

* Sharing data with no regard to opt-in or opt-out

* Consumer suspicion about tracking devices like RFID

* Challenges over compliance with 'do-not-call' laws

* Compliance costs, including mailing costs for privacy notices

Gregory J. Millman (gj.millman@earthlink.net) is a business writer in Green Brook, N.J., and a frequent contributor to Financial Executive.
COPYRIGHT 2004 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Privacy
Author:Millman, Gregory J.
Publication:Financial Executive
Geographic Code:1USA
Date:Jul 1, 2004
Words:2196