Privacy issues: getting noticed
Privacy has become a bottom-line business issue, and companies around the globe are seeing value in ramping up compliance efforts to enhance their marketing, brand and image.
Driven by the Internet, sophisticated marketing practices, legislation and regulation, privacy issues have taken on new prominence, both in the U.S. and internationally.
A lapse in the handling of customer or employee information could cost companies dearly, not only in dollars (in lawsuits), but also in reputations and subsequent customer loss. Yet while most U.S. companies follow the law, only about 5 percent of the largest U.S. corporations seem to demonstrate a "strategic" view of privacy, by creating a management position for the implementer of policies, the "chief privacy officer (CPO)." Growth of the role came to a screeching halt amid budget cuts following the early 2000 recession and 9/11. That may be changing.
Financial Executive Managing Editor Ellen M. Heffes spoke to Alan Westin about the nature of privacy issues impacting business. Dr. Westin is co-founder and publisher of Privacy & American Business, a publication of the Hackensack, N.J.-based Center for Social & Legal Research, for which he leads the activities, and Professor of Public Law & Government Emeritus at Columbia University.
Q While privacy has long been a business concern, it's recently taken on new prominence. What has sparked this greater interest for businesses?
AW: Yes, privacy has been a business concern for a decade or more, but recently three things are driving it. One is identity theft and its enormous impact: Surveys show that between 33 and 38 million persons have been victims of identity theft.
Second, a significant number of people online are upset about so-called "spyware" and [other] monitoring functions. They read about "footprints" [and that] their identities and information can be harvested and misused. So, there's a feeling that the Internet is not a safe place to be.
The third is huge new regulatory [changes] in the last five to seven years in the financial services industry with GLBA (The Gramm-Leach-Bliley Act, or The Finance Modernization Act of 1999, which replaced the Glass-Steagall Act). People now receive notices telling them what [information] is being collected, and they are given certain choices.
Now, marketing to acquire customers or get them to purchase more services is impacted by a major federal regulatory system. So, financial-services businesses must pay serious attention to privacy because of both regulations and the threat of civil litigation issues.
All of the major industries that deal with consumer relations have been impacted by privacy regulation--telecommunications, financial-services, health and medical--and if you're online in any industry, privacy is relevant. Take health, for example. Driven by privacy rules under HIPAA (The Health Insurance and Portability Accountability Act
These [notices] have intensified the concern about privacy, and moved it from a kind of "yes, maybe we should say something nice and tell consumers we're concerned about their privacy," into a major marketing, compliance, brand and public image issue.
Q Discuss the emergence of the "chief privacy officer" that started to take hold a few years ago. Is it growing?
AW: There are between 2,000 and 3,000 privacy officers. Sometimes, somebody gets designated as a privacy officer because the organization needs to comply with a law or regulation. Other companies have a privacy officer who is more a chief strategy person and implementer. Organizations such as IBM Corp., Hewlett-Packard Co. and American Express Co. have created a privacy officer because they see privacy as being essential to their brand, marketing and customer loyalty. The difference is at the reporting and salary levels, and the perceived role inside the organization. In those with high-paid and important figures in the management system, there's a big difference in the role.
Maybe 5 percent of the largest companies have this type of strategic privacy officer. This coincides with the management style of an organization. Does it want to be proactive in areas like social policy, environmental policy, employment policy? Or does it want to wait until its industry sets standards and follow what the industry association says to do? That's about another 25 percent.
Then there are maybe another 50 percent that wait until the law is passed, and just comply with the law. The remainder percentage has trouble even complying with the law because they are badly managed and they don't know what to do.
[On growth of the CPO role], the last three or four years have seen downsizing and cost reduction inside organizations, plus, the post-9/11 limit on people traveling. A lot of things have come together to make some organizations minimize the role of privacy officer, and growth of the significant privacy officer has been hampered by those. But times are changing, and I do anticipate an expansion of the strategic privacy officer position in the next three to five years.
Q Why do businesses need to pay attention to privacy issues?
AW: Part of it is legal reasons--compliance with laws, avoidance of litigation and regulatory oversight, earning greater customer loyalty and trust and also [because companies] are in competition with others.
Q What differences do you note between the U.S. and international approach to privacy issues?
AW: Most of the industrialized nations of the world now have data protection laws which are different than [those in] the U.S. Here, we have mostly sector legislation--one set of laws for financial services, one for health, another for telecommunications, etc.
In a majority of nations, the approach is one of comprehensive privacy legislation, which covers the entire private sector, and is administered by an enforcement agency, with independent status. In the U.S. companies can pick and choose their strategy; in other countries they really have to comply with very detailed regulatory regimes.
Q On the "do-not-call-type" lists for marketers and now for cellphones: what's your view on the appropriateness of doing it that way, what you refer to as "permission marketing?"
AW: The do-not-call laws are magnificent. Without that, there would be a continued, deep anger at business. Before the do-not-call legislation, we had reached an absolutely unacceptable relationship between business and consumers in America, not matched anywhere else in the world in terms of intrusive telemarketing.
This was done by the Federal Trade Commission (FTC). A court decision challenged it, and within one day, Congress reversed that decision. And, it hasn't hurt business in the sense that the American economy has not dried up. Companies simply use alternative and acceptable marketing tools.
Q What trends do you see emerging in 2005 and beyond related to privacy?
AW: Both at the Congressional and the state legislative level, this is not going to be a year in which business privacy is off the agenda. At the federal level, there are proposals to control more of the use of Social Security numbers; anti-spyware legislation is going to have hearings; as is the use of radio frequency identification (RFID), to make sure it doesn't pose any privacy problem as it's rolled out in business and government.
The Homeland Security-business relationship is going to be re-examined as Congress looks into the Patriot Act and whether it should change the requirements for airlines on the verification of customers, in terms of providing data to the government on movement of suspicious persons, or in frequent traveler-type programs. So, it's not going to be a quiet year in Congress on many of these issues where businesses are sharply invested.
In addition, the state legislative scene is boiling up; in California, Michigan, Massachusetts, New York
In addition, [there are the] regulatory agencies. The FTC continues to be very active in defining what data security business has to embrace in order to say that they give adequate protection to the personal information they collect about customers.
The Federal Communications Commission (FCC) is involved in whether there should be a directory of cellphones, and under what conditions, etc.
A second trend: All of the surveys that I've done show that each year consumers are becoming increasingly assertive. Eighty percent of respondents tell us, "Yes, I've asked a business not to sell my name and address but use it only for my relations with them." Or, "I refused to give my personal information to a business because I thought it was too personal and it wasn't really needed for what they wanted."
The business community is going to have to engage in more honest dialogues with customers--about what they're comfortable with or what they are not comfortable with--if they are going to continue to have customers sign on to do business with them. That kind of increasing "privacy service," as I call it, is going to be a major factor now and in the future.
Finally, the identity theft issue is not going away at all. Even though there's been a much better legal definition of what constitutes identity theft, and much more enforcement and prosecutions at the state and federal level, identity thieves are very clever. So, while the level of identity theft in 2005 may not be as high as it's been in 2003 and 2004, this is going to be an extremely important issue for business.
"If you make a list of things that represent 'strategies of business in the Information Age,' addressing the privacy of data security is among the Top 10." Alan Westin
RELATED ARTICLE: Privacy Notices: A Global Perspective
Regulators worldwide are changing their definition of what constitutes an acceptable privacy notice. The European data protection commissioners representing the 25 European Union (EU) member states published [for financial services] a common position on harmonized multi-layered notices within the EU last December. The European notice regime includes up to three layers.
The first layer is very short; it includes only the name of the collector, primary purpose and where to go for additional information. It is used when first collecting information, and notification space is limited. The second, "food-label-like" layer, would include the collector, information collected, uses and sharing, consumer choices and how to request additional information. The common, graphic format will make this layer easy to use.
The last layer would include all required disclosures. The EU common position breaks new ground by saying that compliance isn't based on any single notice element, but rather on the total notice package. Further, the EU statement recognizes the research that was used to inform the development of food nutritional labels; that research found that notices need to be very short and focused, written in "everyday" language and presented in a common format.
This is not just a European issue. The Organization for Economic Cooperation and Development (OECD) and the Asia-Pacific Economic Community (APEC) have both placed multi-layered notices on their 2005 work plans, and there is a private-sector project in Australia to reform privacy notices. Also, U.S. financial services regulators are conducting consumer research on layered notices; and it's an issue that is especially important to the regulator of national banks, the Office of the Comptroller of the Currency (OCC).
In a speech last January, acting Comptroller of the Currency Julie Williams focused on the failure of notices of all sorts to protect consumer interests. "For free markets to work, consumers need to have the means to make informed choices," said Williams, who had special criticism for those she regulates: "[I]t does trouble me that, when presented with the prospect of lessening burdens, and saving costs by providing a streamlined, short-form privacy notice ... some in the industry seem to balk. Marketing departments get uneasy because simple and straightforward disclosures ... might mean that customers will actually understand those policies and decide to opt out! The tension here is that shorter, focused consumer disclosures can meaningfully reduce regulatory burden, but, if they are done well, they will empower consumers to make some decisions that a particular bank may not like."
However, many financial services companies participating in the Center for Information Policy Leadership (CIPL) project believe quality notices help build long-term profitable relationships.
Food-label-like privacy notices will be an international norm in two to five years. The process will begin in Europe, be adopted in the APEC region and will become part of the U.S. privacy framework.
Senior managers can embrace this change as enhancing trust in a marketplace where consumer power is increasing, or they can fight it. In the end, consumers will have the knowledge to drive markets. Consumers will choose those companies that enhance their trust, based on the value they create, the manner in which they protect information and the appropriateness of their information practices.
By Martin Abrams
Martin Abrams (firstname.lastname@example.org) is Executive Director, Center for Information Policy Leadership, at Hunton & Williams LLP (www.hunton.com).