The Profits in Customer Privacy

Last year, CartManager International, a provider of online shopping cart and checkout software, sold personal information on 1 million customers to a third party for $9,000. The data included names, credit card numbers, phone numbers and dollar amounts of purchases. Not only were those customers not CartManager’s to begin with, but selling their information violated the privacy policies of many of the merchants from which CartManager had obtained the information.

It was not a wise move.

Angry customers (who had been solicited by the company that bought their personal data) complained to the merchants that used CartManager on their websites. The merchants, in turn, complained to the Federal Trade Commission, claiming CartManager had violated their privacy policies. “It’s simple,” reads a privacy policy on a website operated by one merchant using CartManager. “We don’t sell, trade, or lend any information on our customers or visitors to anyone.” The Federal Trade Commission charged CartManager with an unfair practice, levying a fine of $9,000—equal to the amount the company had received from selling the information.

The size of the monetary penalty should fool no one. The real damage has been to CartManager’s reputation. “This happened almost a year ago, and it still hangs out there in articles,” laments Justin Hill, head of sales for CartManager. “It’s hard for it to go away.”

Truer words were never spoken. The issue of data privacy is not going away for any business or organization that stores, uses or sells personal data on customers or members. Recent publicity about personal data stolen or hacked from Bank of America, ChoicePoint and even the United States Air Force has only heightened the public’s concern over the security and privacy of information they provide to businesses.

This mounting concern is now affecting the future of online e-commerce. Even online banking—until this year the fastest growing segment of online activity since 2000—is not immune. The percentage of Americans using online banking services has stalled at 39 percent after a period of blistering growth, according to an August 2005 survey conducted by the market research firm Ipsos Group. The primary reason: 73 percent of consumers say they are avoiding online banking because they are concerned that banks do a poor job of protecting their privacy, including selling personal information to other businesses, Ipsos reports. Although e-commerce is still increasing (holiday online shopping increased by 30 percent last year), 54 percent of consumers said they have curtailed online shopping because of privacy fears, according to a 2005 survey conducted by Javelin Strategy & Research. That concern translates into a loss of $5.5 billion of annual online revenue, Javelin reported.

Faced with this backlash, state and federal regulatory agencies are beginning to respond. California has already passed strong privacy legislation that requires financial institutions to obtain permission from customers before sharing personal information with nonaffiliated companies. Another California law requires other businesses to report to customers if they share personal information with nonaffiliated companies. Twenty-one states have passed laws that require companies to contact customers if a security breach occurs. On a national level, more than a dozen data security bills have been introduced in Congress this year. They vary in severity, the strictest requiring all companies to notify consumers whenever there is a data breach and give those consumers the ability to see and correct information collected about them. Experts say some kind of legislation on data security and privacy will almost certainly be passed this year.

“There will be legislation to tighten up privacy,” says Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center. “And if not legislation, there will be more regulation.”

Government intervention aside, many experts argue that carefully thought-out privacy controls make good business sense. Larry Ponemon, the founder and chairman of the Ponemon Institute, has some evidence to back up that assertion. He measured “privacy trust scores” for over 1,000 companies by asking customers to rank on a scale of one to five how much they trust the companies with which they do business. For each company, Ponemon asked consumers more than 20 questions, including how much they believe the company is committed to protecting their personal information, how accurate and trustworthy they believe the information in the company’s privacy policy is, and if they believe the company would do the right thing in a case of a data breach. From the rankings, Ponemon calculated weighted privacy trust scores for each company. The higher the score, the more consumers trusted a company. Ponemon then measured the rate at which consumers responded to marketing campaigns, be it direct mail or Web advertising. The higher the privacy score, the higher the response rate to marketing campaigns—and the higher the company’s revenue. Taking measurements over time, Ponemon determined that just a small 1 percent increase in a privacy trust score would translate into an increase of tens of millions of dollars in revenue.

“The perception of how well a company manages privacy has quite an astounding impact on sales,” Ponemon says.

CIOs can play a major role in boosting their companies’ “privacy scores.” Because customer data resides in databases, it is the CIO who is in the position to suggest certain privacy policies and spearhead programs to put them into action. CIOs who work for companies with strong track records in this area say there are a number of ways IT can be used to enhance a company’s privacy reputation. These corporate pioneers make sure privacy is part of every executive discussion about new products, services or internal use of customer information. And they ask their customers how they want their personal information handled. Furthermore, while most large companies offer an opt-out feature for customers who do not want their personal information used for marketing purposes or research (although even that feature is often hidden in the fine print of privacy policies), the pioneers routinely adopt opt-in, rather than opt-out, policies. And they have found that these practices help their companies improve customer relationships, ultimately contributing to a better bottom line.

“That’s the real benefit of this,” says Charles Giordano, associate director of privacy marketing strategy at Bell Canada and former associate director of data governance and strategy. “Opt-in and other privacy controls force you to look at the business value rather than just accessing customer information for information’s sake.”

Bell Canada and other privacy pioneers also give customers access to their personal data and closely monitor which employees have access to that data. They and other experts also say privacy must be ingrained in the corporate culture, which includes nonstop education, making it a part of employee performance reviews and enforcing meaningful punishments for not adhering to privacy policies.

“Times have changed,” says Alan Westin, head of Privacy & American Business. “If you are the CIO, you have to go to the boss and say, ‘It isn’t like the old days. Unless we spend more money and more time on data security, our customer trust and reputation can go down the toilet.’”

Protecting Customer Data: A Cost/Benefit Analysis

Privacy policies that strictly protect customers’ personal data may seem draconian, almost a noose around companies that rely on mining their customer data to better target new products and services, or that make a few bucks in selling lists to other companies. But good privacy policies are not dams. They are more like finely tuned control valves that direct the flow of information where customers—along with company executives—want it to flow for the best outcome.

That’s why good privacy practitioners follow the first rule of valuing the information they have—figuring out what the information is worth to them in helping meet specific goals, be it better health or more revenue—versus protecting that information so that others cannot view or abuse it. That’s the balancing act John Glaser, CIO at Partners HealthCare System in Boston, was faced with when developing the health-care organization’s intranet. All health-care providers who have privileges at Partners’ eight hospitals and medical centers and the administrative and clinical staffs (37,000 in all) have access to the intranet to check on the electronic medical records of patients. Glaser knew the intranet must protect patients’ records from unauthorized users, as well as from health-care providers who should not be looking at the records, but he also knew the records had to be easily accessed and immediately available so that doctors and other health-care providers could administer the best care in an emergency.

As a result of that value analysis, Partners’ intranet does not have a complicated identity management application that controls access to patient records. When a health-care provider or administrator signs onto the intranet to check a patient’s health record, the user must provide her name and relationship to the patient, whether she is the patient’s personal physician, attending nurse or lab technician. The system allows access only to those health-care providers who have a working relationship with Partners. However, there is no electronic means to verify the provider’s identity through a password or some other second-factor identification.

“Technically, we have never been able to figure out how to do that,” Glaser says, or at least how to do it in a way that would not hamper providing the proper health care for patients. Glaser says when a patient comes in to the ER because he suffers from, say, a cardiac arrest, and other complications are found, such as a malignant tumor, specialists have to be consulted immediately. “You are smothered with people, and you’d better be smothered with people,” Glaser says. “We have no idea who has been called in to consult on a patient. We have to protect privacy on the one hand, but we don’t want to unintentionally shut out a provider that can give the proper care now.”

When immediate access isn’t such a high priority, and personal information is handled by a wider set of people, a more strict value set should be applied. At health researcher I2B2—which stands for Informatics for Integrating Biology and the Bedside, a federally funded research program at Partners HealthCare System—doctors are developing a protocol that requires asking the permission of people before collecting their DNA. In addition, researchers must follow a defined process for accessing patients’ health records and then comparing their DNA to the medical histories to find links and causes for genetic diseases, along with possible treatments.

Because such information could be so readily abused (employers could conceivably refuse employment to people with a certain genetic makeup, for instance) the value bar researchers must clear to access such information has to be higher. “The investigators allowed to see this genetic data are also required to sign contracts saying they will not share the data with anyone,” says Dr. Shawn Murphy, principal investigator at Massachusetts General Hospital and a founder of I2B2.

Find Out What Your Customers Want

One of the best ways to place a value on personal information is to let the customer decide the value of it. That might seem counterintuitive, but it works for E-loan, an online provider of mortgages and car and personal loans. E-loan has built its reputation on providing strict privacy policies. On its website, E-loan states it has “Lending’s strictest privacy policy.”

In its online home equity and car loan application forms, E-loan asks customers if they want to opt out of sending their application to an overseas third-party processor. If they opt out, E-loan sends the application to a domestic processor. Unlike many other loan companies, E-loan asks customers for permission before it shares personal information with other lenders—an opt-in policy. E-loan also allows customers access to their personal data to correct errors.

“Opt-in is where the value is,” says Tess Kolczek, chief privacy officer for E-loan. “That’s where you get a better return.”

Ponemon recommends asking customers directly what information of theirs would be a problem if it got into the wrong hands. There are the obvious answers: Social Security numbers, credit card numbers, driver’s license numbers, medication information and addresses. CIOs understand the privacy implications of releasing that kind of information. But CIOs might not view other information as sensitive, even though customers do. These could include life events such as a birth of child, anniversaries and birthdays, a job change or change in marital status. Companies may use such information to send out e-mail pitches associated with these events to promote a product or service, irritating customers or violating their own privacy policies.
