And, of course, all of these companies monitor who accesses customers’ personal data. At Bell Canada, a rep who accesses a customer account without that customer having called in may be flagged for review. In addition, the company controls access to customer data on a need-to-know basis. Almost all access to personal data is limited to those employees who have direct contact with the customer. Giordano is working the Bell Canada’s CIO to develop an application that pops up a message warning employees if they access information they should not. If the employee proceeds, the CIO and appropriate manager will be alerted.

If someone in the company does violate the data use policies, company privacy experts say action must be swift and appropriate to the violation. At companies interviewed for this article, punishments ranged from reprimands and transferring an employee to a less sensitive job to dismissal.

As these examples illustrate, there is much that CIOs can do to take a proactive stance on privacy. The last thing their companies want is to be a sitting duck for the kind of disaster that tarnished CartManager’s reputation. After the FTC citation, CartManager was sold to new owners, Vision Bank Card, who immediately instituted a stronger privacy policy. The policy now explicitly states no customer information will be sold to third parties. The FTC also ordered CartManager to provide “a clear and conspicuous disclosure” that consumers are entering their credit card and other personal information on CartManager’s website, not the original merchant’s website.

“We’ve changed our policy,” Hill says. “We now take privacy very seriously.”