Keeping Data Under Lock & Key
By Gregory J. Millman

July/Aug. 2004 (Financial Executive) -- In the fall of 2003, discount airline JetBlue hit heavy weather when a group of passengers filed a class action suit charging breach of contract, invasion of privacy and fraudulent misrepresentation. The reason? The airline had shared passenger information with a government contractor who was preparing a risk assessment study for the Department of Homeland Security.



"In the wake of the Sept. 11 attacks, and as New York's hometown airline, all of us at JetBlue were very anxious to support our government's efforts to improve security," JetBlue CEO David Neeleman said in an apology posted on the company's Web site.

But JetBlue wasn't alone -- Northwest Airlines and American Airlines faced similar lawsuits. "There are some indications that the law may not treat handing over that information as a violation of privacy, but these companies have already suffered a fair amount of loss of brand value from the flap," says Stewart Baker, a Washington, D.C.-based partner in the law firm Steptoe & Johnson.
  
Only in America, perhaps, can a company get in trouble for sharing information with the government itself. But as the memory of 9/11 recedes, privacy rights and suspicion of the government once again seem to trump security concerns in the minds of many Americans. And companies are finding that privacy laws are confusing, frequently costly and ripe for misinterpretation.
  
A 2003 Privacy Trust Survey by The CIO Institute of Carnegie Mellon University and the Ponemon Institute asked Americans to rank various institutions, companies and professions in terms of their trustworthiness with personal information. Respondents ranked the Department of Homeland Security second from the bottom -- just ahead of grocery stores, but behind other retailers. What's more, hundreds of lawsuits have been filed against companies that allegedly violated privacy rights while obtaining, using or sharing information. "The latest figure is $125 million recovered in lawsuits from companies," says Dr. Alan Westin, Professor of Public Law & Government Emeritus at Columbia University and President and Publisher of Privacy & American Business.
  
Many companies are struggling just to keep up with the proliferation of privacy-protection measures. "We have scores, maybe thousands, of laws in the United States on the federal and state level, as well as millions of contracts and as many if not more informal or administrative requirements based on letters from government agencies," notes Alan S. Goldberg, a Washington-based attorney and former president of the National Health Lawyers Association. A study by IBM and the Ponemon Institute found that some companies spend over $22 million annually on privacy.
  
Sometimes the effort to tighten privacy controls backfires, as it did in the case of a company that, for security purposes, decided to change email passwords every 90 days. People forgot their ever-changing passwords, and it could take hours to get a response from the technology department, so managers started distributing global passwords -- effectively nullifying the privacy protections.
  
Sometimes corporate decisions, such as outsourcing, have unintended privacy consequences. "One company outsourced a call center to the Ukraine at 22 percent of the call center cost in the U.S.," recalls Dr. Larry Ponemon, chairman of the Ponemon Institute. "But it was an IT sweatshop with no security controls, and people on the inside were not making a lot of money, so when they saw they could sell information for pennies or rubles, they did it."
  
Sometimes it's unclear what the law is, and companies find themselves caught between one court or regulator and another. That was Toysmart's fate. Toysmart had promised customers that information about them and their children (including names and birthdays) would never be shared. But when it went bankrupt, it offered the list for sale. The Federal Trade Commission (FTC) sued, and the bankruptcy court quashed Toysmart's first attempt at settling with the FTC. (Eventually The Walt Disney Co., Toysmart's majority owner, made a payment to the subsidiary, and Toysmart destroyed the information.)

Enron-Style Privacy Meltdown
  
Managers could be excused for thinking of privacy as a knotty, costly nuisance, as most seem to. It's surprising, then, to hear the CEO of one of the biggest e-commerce success stories calling for stricter regulation of data and warning of dire consequences.
 
Chris Larsen, chairman and CEO of E-Loan, paints a nightmarish scenario of data sharing in the consolidating financial services industry. "A lot of financial services companies have patched together thousands of affiliates crossing credit card companies, brokerage companies and so forth. The whole objective there is that they can use the data they get in one affiliate to see if a customer is a good risk or not. You can have data sharing among affiliates with no opt-in or opt-out," he explains. "I think this is clearly an area where something has to give or you'll have an Enron-style privacy meltdown."
  
For example, he adds, "Someone who buys a book on Amazon suddenly can't get health insurance, or it comes out that purchasing a gun is somehow correlated with higher insurance incidents, so people who buy guns to protect themselves or their homes can't get house insurance. That's the kind of undisclosed thing you can now do with data, given the power of networks and databases."
  
Absent a clear legal framework, E-Loan has already taken steps to position itself as a company with far more than average sensitivity to privacy issues. Like other financial services companies, E-Loan has outsourced some back-end processes to India. Unlike any competitors, however, E-Loan offers its customers the ability to control whether their own applications go offshore or not. If loan applicants have concerns about Indian privacy protections, they can click a box that marks the application for processing in the U.S.

Privacy and Brand Value
  
E-Loan is not alone in its decision to make privacy a point of competitive differentiation. Other privacy pioneers also see it as an opportunity. So, as difficult as mere legal compliance is, companies like Procter & Gamble Co., Hewlett-Packard and Nationwide Mutual Insurance Co., among others, have chosen to go far beyond the requirements of the law, believing that privacy protection builds brand value and therefore shareholder value. Some have even managed to quantify the effect of privacy on brand value. Research at Royal Bank of Canada demonstrated that privacy contributed 7 percent to that institution's overall shareholder value, according to Peter Cullen, who established the corporate privacy group at the bank. In 2003, Cullen joined Microsoft as chief privacy strategist.
  
"Beyond legal requirements, privacy is an expectation of our customers," he says. "If we say we meet the requirements of the law, many customers would tell us that's not good enough. We approach it from a customer-first standpoint."
  
Procter & Gamble's chief privacy officer, Sandy Hughes, cites research indicating that half of the customers who visit a Web site and read the privacy statement will leave if they don't like the statement. "Having consumer trust is good business for us. Our whole privacy program is built on that. If we just wanted to satisfy the letter of the law, we'd have a different program. But we see it as a competitive advantage."
  
Hughes wears two hats at P&G -- the global privacy hat and the competitive intelligence hat. "It's two sides of the same coin," she says. "By knowing how people piece together pieces to gather information, I know what's possible. With the privacy program, we are protecting information entrusted to us." P&G has a privacy challenge, however, in connection with customer suspicion of radio frequency identification (RFID) tags, now becoming popular for tracking inventory and retail sales.
  
"The issue from a public policy standpoint is whether these tags could track someone inside and outside. There are a lot of misperceptions and fears and there's a consumer backlash, fears about what companies would do," Hughes says. P&G's Web site has, under its prominent privacy button, a lengthy explanation of its policy on RFID tags -- when products carry the tags, the choice to disable them and control over whether personal information is linked to the electronic product codes.
  
Choice and control are the P&G lodestars. P&G is a permission-only marketing company, and customers who visit P&G Web sites have to give the company explicit permission to contact them again. "The whole company mantra is that the customer is boss," Hughes concludes.
  
The word "global" in P&G's privacy program means that the company has one program worldwide. The alternative is to tailor local programs to local laws, an alternative some find adds more complexity than it's worth. Barbara Lawler, who heads HP's global privacy program, says, "We've chosen a consistent, global approach as much as possible. It's difficult to manage different policies based on different data types and countries. It's difficult to train a workforce and keep them educated and aware, and it also makes compliance assurance difficult."
  
The company's privacy rulebook establishes standards and an interactive checklist that designers can use during product development to flag potential privacy issues and direct a privacy manager to the area. "The driver for us is [that] we saw privacy as an opportunity to reinforce our business values and create competitive advantage on the customer side," Lawler says.

Trade-Offs
  
Privacy isn't cheap, though, and sometimes the cost of privacy is a reduction of consumer choice, as Nationwide Insurance discovered.
  
Nationwide began to pay serious attention to the privacy issue in the mid-1990s, says the firm's chief privacy officer, Kirk Herath. "First, the Europeans passed a strict privacy directive in 1995, then the Health Insurance Portability and Accountability Act (HIPAA) passed in 1996. In November of 1999, the Gramm-Leach-Bliley Act passed. We all realized that privacy would not simply be a compliance project but clearly an ongoing obligation and program."
  
Gramm-Leach-Bliley required, among other things, that financial companies notify customers of privacy policies. "We've got millions and millions of customers, so the task of mailing these things cost an estimated $3 to $4 million," Herath recalls. HIPAA, on the other hand, cost Nationwide some business, since it used to sell health insurance through its agents.
  
By the mid-1990s, rising medical costs, combined with Nationwide's relatively small health insurance customer base, were making the business uneconomical. The added costs from HIPAA compliance caused Nationwide to rethink its involvement in medical insurance, and to sell its Medicare claims processing operation.
  
"HIPAA was the straw that broke the camel's back. We ended up winnowing down. We started with seven or eight product lines that needed HIPAA compliance, and we ended up with three," says Herath. A strategic alliance with a law firm allowed Nationwide to pare the costs of developing the necessary compliance documents, and by the end of 2002, Nationwide was well along the road to compliance, and had developed an in-house HIPAA training program.
  
Of course, 2003 was the year of "do not call." "I did legislative affairs for over a decade, and I knew 'do not call' was an issue, but if you told me that almost the whole country would have done something, including the federal government, I'd have told you you were crazy," Herath says. For the most part, the new laws and regulations are uniform, but there are enough differences that compliance is a challenge, especially with a widely distributed sales force that relies heavily on telephone contacts.
  
Collecting all of the names on the national and state lists and putting them on an internal system would have been costly and perhaps less reliable than the solution Nationwide adopted. "We ended up outsourcing to an outside vendor with an 800 number all of our producers call through, dialing through a server which includes every federal 'do not call' list, every state and our own corporate 'do not call' list. If you dial a number on one of the lists, it blocks the call," he explains, noting, "We're trying to do something similar to that with spamming."
  
Technological advances, industry consolidation, outsourcing, brand value -- there seems to be no front-burner business issue that does not now or will not soon have a privacy dimension. Clearly, no one privacy recipe is right for every company. Some firms have discovered, to their chagrin, after announcing a strict "me too" privacy policy to the public, that honoring it would involve putting a unit out of business or otherwise sacrificing a valuable asset.
  
Interestingly, the experience of E-Loan indicates that the very act of clearly explaining a privacy policy seems to put the public at ease. Although E-Loan offers people the opportunity to opt out of data outsourcing, over 80 percent of loan applicants choose to opt in. The message seems to be that if you tell people what you're going to do, and do what you tell them, you can have efficiency and customer trust, too. That translates into brand value.

The flagship publication of Financial Executives International (FEI), Financial Executive magazine provides senior financial executives with financial, business and management news, trends and strategies to help them work better, faster and smarter. For more information about FEI, visit www.fei.org.

GREGORY J. MILLMAN (gj.millman@earthlink.net) is a business writer in Green Brook, N.J., and a frequent contributor to Financial Executive.

2004 Financial Executive International. Reprinted with permission.
