by Allan Holmes

The Profits in Customer Privacy

Mar 15, 2006

Last year, CartManager International, a provider of online shopping cart and checkout software, sold personal information on 1 million customers to a third party for $9,000. The data included names, credit card numbers, phone numbers and dollar amounts of purchases. Not only were those customers not CartManager’s to begin with but selling their information violated the privacy policies of many of the merchants from which CartManager had obtained the information.

It was not a wise move.

Angry customers (who had been solicited by the company that bought their personal data) complained to the merchants that used CartManager on their websites. The merchants, in turn, complained to the Federal Trade Commission, claiming CartManager had violated their privacy policies. “It’s simple,” reads a privacy policy on a website operated by one merchant using CartManager. “We don’t sell, trade, or lend any information on our customers or visitors to anyone.” The Federal Trade Commission charged CartManager with an unfair practice, levying a fine of $9,000, equal to the amount the company had received for the information.

The size of the monetary penalty should fool no one. The real damage has been to CartManager’s reputation. “This happened almost a year ago, and it still hangs out there in articles,” laments Justin Hill, head of sales for CartManager. “It’s hard for it to go away.”

Truer words were never spoken. The issue of data privacy is not going away for any business or organization that stores, uses or sells personal data on customers or members. Recent publicity about personal data stolen or hacked from Bank of America, ChoicePoint and even the United States Air Force has only heightened the public’s concern over the security and privacy of the information they provide to businesses.

This mounting concern is now affecting the future of e-commerce. Even online banking, the fastest-growing online activity from 2000 until this year, is not immune. The percentage of Americans using online banking services has stalled at 39 percent after a period of blistering growth, according to an August 2005 survey conducted by the market research firm Ipsos Group. The primary reason: 73 percent of consumers say they are avoiding online banking because they are concerned that banks do a poor job of protecting their privacy, including selling personal information to other businesses, Ipsos reports. Although e-commerce is still growing (holiday online shopping increased by 30 percent last year), 54 percent of consumers said they have curtailed online shopping because of privacy fears, according to a 2005 survey conducted by Javelin Strategy & Research. That concern translates into a loss of $5.5 billion in annual online revenue, Javelin reported.

Faced with this backlash, state and federal regulatory agencies are beginning to respond. California has already passed strong privacy legislation that requires financial institutions to obtain permission from customers before sharing personal information with nonaffiliated companies. Another California law requires other businesses to report to customers if they share personal information with nonaffiliated companies. Twenty-one states have passed laws that require companies to contact customers if a security breach occurs. On a national level, more than a dozen data security bills have been introduced in Congress this year. They vary in severity, the strictest requiring all companies to notify consumers whenever there is a data breach and give those consumers the ability to see and correct information collected about them. Experts say some kind of legislation on data security and privacy will almost certainly be passed this year.

“There will be legislation to tighten up privacy,” says Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center. “And if not legislation, there will be more regulation.”

Government intervention aside, many experts argue that carefully thought-out privacy controls make good business sense. Larry Ponemon, the founder and chairman of the Ponemon Institute, has some evidence to back up that assertion. He measured “privacy trust scores” for over 1,000 companies by asking customers to rank on a scale of one to five how much they trust the companies with which they do business. For each company, Ponemon asked consumers more than 20 questions, including how much they believe the company is committed to protecting their personal information, how accurate and trustworthy they believe the information in the company’s privacy policy is, and if they believe the company would do the right thing in a case of a data breach. From the rankings, Ponemon calculated weighted privacy trust scores for each company. The higher the score, the more consumers trusted a company. Ponemon then measured the rate at which consumers responded to marketing campaigns, be it direct mail or Web advertising. The higher the privacy score, the higher the response rate to marketing campaigns—and the higher the company’s revenue. Taking measurements over time, Ponemon determined that just a small 1 percent increase in a privacy trust score would translate into an increase of tens of millions of dollars in revenue.

“The perception of how well a company manages privacy has quite an astounding impact on sales,” Ponemon says.

CIOs can play a major role in boosting their companies’ “privacy scores.” Because customer data resides in databases, it is the CIO who is in the position to suggest certain privacy policies and spearhead programs to put them into action. CIOs who work for companies with strong track records in this area say there are a number of ways IT can be used to enhance a company’s privacy reputation. These corporate pioneers make sure privacy is part of every executive discussion about new products, services or internal use of customer information. And they ask their customers how they want their personal information handled. Furthermore, while most large companies offer an opt-out feature for customers who do not want their personal information used for marketing purposes or research (although even that feature is often hidden in the fine print of privacy policies), the pioneers routinely adopt opt-in, rather than opt-out, policies. And they have found that these practices help their companies improve customer relationships, ultimately contributing to a better bottom line.

“That’s the real benefit of this,” says Charles Giordano, associate director of privacy marketing strategy at Bell Canada and former associate director of data governance and strategy. “Opt-in and other privacy controls force you to look at the business value rather than just accessing customer information for information’s sake.”

Bell Canada and other privacy pioneers also give customers access to their personal data and closely monitor which employees have access to that data. They and other experts also say privacy must be ingrained in the corporate culture, which includes nonstop education, making it a part of employee performance reviews and enforcing meaningful punishments for not adhering to privacy policies.

“Times have changed,” says Alan Westin, head of Privacy & American Business. “If you are the CIO, you have to go to the boss and say, ‘It isn’t like the old days. Unless we spend more money and more time on data security, our customer trust and reputation can go down the toilet.’”

Protecting Customer Data: A Cost/Benefit Analysis

Privacy policies that strictly protect customers’ personal data may seem draconian, almost a noose around companies that rely on mining their customer data to better target new products and services, or that make a few bucks in selling lists to other companies. But good privacy policies are not dams. They are more like finely tuned control valves that direct the flow of information where customers’—along with company executives—want it to flow for the best outcome.

That’s why good privacy practitioners follow the first rule of valuing the information they have—figuring out what the information is worth to them in helping meet specific goals, be it better health or more revenue—versus protecting that information so that others cannot view or abuse it. That’s the balancing act John Glaser, CIO at Partners HealthCare System in Boston, was faced with when developing the health-care organization’s intranet. All health-care providers who have privileges at Partners’ eight hospitals and medical centers and the administrative and clinical staffs (37,000 in all), have access to the intranet to check on the electronic medical records of patients. Glaser knew the intranet must protect patients’ records from unauthorized users, as well as from health-care providers who should not be looking at the records, but he also knew the records had to be easily accessed and immediately available so that doctors and other health-care providers could administer the best care in an emergency.

As a result of that value analysis, Partners’ intranet does not have a complicated identity management application controlling access to patient records. When a health-care provider or administrator signs onto the intranet to check a patient’s record, the user must enter her name and her relationship to the patient: personal physician, attending nurse, lab technician and so on. The system admits only health-care providers who have a working relationship with Partners. However, nothing electronic, such as a password or a second authentication factor, verifies that the asserted identity and relationship are genuine.

“Technically, we have never been able to figure out how to do that,” Glaser says, or at least how to do it in a way that would not hamper providing the proper health care for patients. Glaser says when a patient comes in to the ER because he suffers from, say, a cardiac arrest, and other complications are found, such as a malignant tumor, specialists have to be consulted immediately. “You are smothered with people, and you’d better be smothered with people,” Glaser says. “We have no idea who has been called in to consult on a patient. We have to protect privacy on the one hand, but we don’t want to unintentionally shut out a provider that can give the proper care now.”

When immediate access isn’t such a high priority, and personal information is handled by a wider set of people, a stricter value set should be applied. At I2B2 (Informatics for Integrating Biology and the Bedside), a federally funded research program at Partners HealthCare System, doctors are developing a protocol that requires obtaining a person’s permission before collecting his or her DNA. In addition, researchers must follow a defined process for accessing patients’ health records and then comparing their DNA to the medical histories to find links and causes for genetic diseases, along with possible treatments.

Because such information could be so readily abused (employers could conceivably refuse employment to people with a certain genetic makeup, for instance) the value bar researchers must clear to access such information has to be higher. “The investigators allowed to see this genetic data are also required to sign contracts saying they will not share the data with anyone,” says Dr. Shawn Murphy, principal investigator at Massachusetts General Hospital and a founder of I2B2.

Find Out What Your Customers Want

One of the best ways to place a value on personal information is to let the customer decide the value of it. That might seem counterintuitive, but it works for E-loan, an online provider of mortgages and car and personal loans. E-loan has built its reputation on providing strict privacy policies. On its website, E-loan states it has “Lending’s strictest privacy policy.”

In its online home equity and car loan application forms, E-loan asks customers if they want to opt out of sending their application to an overseas third-party processor. If they opt out, E-loan sends the application to a domestic processor. Unlike many other loan companies, E-loan asks customers for permission before it shares personal information with other lenders—an opt-in policy. E-loan also allows customers access to their personal data to correct errors.

“Opt-in is where the value is,” says Tess Kolczek, chief privacy officer for E-loan. “That’s where you get a better return.”

Ponemon recommends asking customers directly what information of theirs would be a problem if it got into the wrong hands. There are the obvious answers: Social Security numbers, credit card numbers, driver’s license numbers, medication information and addresses. CIOs understand the privacy implications of releasing that kind of information. But CIOs might not view other information as sensitive, even though customers do. These could include life events such as the birth of a child, anniversaries and birthdays, a job change or a change in marital status. Companies may use such information to send out e-mail pitches tied to these events to promote a product or service, irritating customers or violating their own privacy policies.

The answers customers provide will give CIOs the information they need to categorize personal data as highly sensitive, somewhat sensitive or nonsensitive. Appropriate protections and policies can be developed for each category, with stricter security and privacy policies for the most sensitive and less restrictive for the not so sensitive information. “This helps build trust,” Ponemon says.
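One way to turn those three categories into an enforceable control is sketched below. This is an added example, not code from the article or from any company it describes: every field a marketing export may request carries a tier; highly sensitive fields never leave, whatever the request says; somewhat sensitive fields leave only when the customer has opted in for the stated purpose (the opt-in model E-loan describes above); and low-sensitivity identifiers are pseudonymised so a partner can de-duplicate without learning the value. The field names, the tier assignments, the purpose names and the consent flags are assumptions made for illustration.

```python
"""Tiered handling of a customer record before it leaves the company.

Added example, not code from the article or from any company it describes.
The three tiers follow the categorisation the text recommends; the field
names, tier assignments, purpose names and opt-in flags are assumptions.
"""
from dataclasses import dataclass, field
import hashlib
import hmac

HIGH, MEDIUM, LOW = "high", "medium", "low"

# Assumed classification of the fields a marketing export might request.
FIELD_TIER = {
    "ssn": HIGH,
    "card_number": HIGH,
    "drivers_license": HIGH,
    "medications": HIGH,
    "birthdate": MEDIUM,       # life events customers regard as sensitive
    "marital_status": MEDIUM,
    "job_change": MEDIUM,
    "address": MEDIUM,
    "email": LOW,
    "customer_id": LOW,
}


class PolicyViolation(Exception):
    """Raised when a request would breach the tiered policy."""


@dataclass
class Customer:
    data: dict
    # Purposes (e.g. "marketing") the customer has explicitly opted IN to.
    opt_in: set = field(default_factory=set)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash: stable for joins, not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def export_for_purpose(customer: Customer, purpose: str,
                       requested: list, key: bytes) -> dict:
    """Build the record that may be shared for `purpose`.

    HIGH fields are refused loudly: a pipeline asking for them is misbuilt.
    MEDIUM fields are omitted unless the customer opted in to this purpose.
    LOW identifiers are pseudonymised; other LOW fields pass through.
    Unclassified fields are refused rather than treated as nonsensitive.
    """
    out = {}
    for name in requested:
        tier = FIELD_TIER.get(name)
        if tier is None:
            raise PolicyViolation(f"unclassified field {name!r}: classify it first")
        if tier == HIGH:
            raise PolicyViolation(f"{name!r} is highly sensitive and never shared")
        if name not in customer.data:
            continue
        if tier == MEDIUM and purpose not in customer.opt_in:
            continue  # no opt-in for this purpose: withhold silently
        value = customer.data[name]
        if name == "customer_id":
            value = pseudonymise(str(value), key)
        out[name] = value
    return out


if __name__ == "__main__":
    # Constructed sample customer; no opt-in yet.
    cust = Customer(data={"customer_id": 42, "ssn": "123-45-6789",
                          "birthdate": "1970-01-01", "email": "a@example.com"})
    print(export_for_purpose(cust, "marketing",
                             ["customer_id", "birthdate", "email"], b"k"))
    cust.opt_in.add("marketing")
    print(export_for_purpose(cust, "marketing",
                             ["customer_id", "birthdate", "email"], b"k"))
```

Refusing unclassified fields is the important design choice: an export that quietly treats an unknown column as nonsensitive is exactly how a new field added by marketing slips out the door unreviewed.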

Once values are established for different kinds of personal data, the CIOs we talked to had specific processes that employees were required to follow to make sure the data is not misused or accessed inappropriately. At Boston’s I2B2, researchers are required to go through the patient’s health-care provider to obtain a patient’s consent for information that is not in the medical record, such as DNA. Researchers are not allowed to contact the patient directly. The data is then encrypted before it is sent out to researchers.

Still, once the data is released, there is no safeguard (other than fear of sanctions for violating HIPAA and the researchers’ professional word) that the data will not be released to third parties, such as pharmaceutical or insurance companies. “It comes down to only giving these things to people you trust,” Dr. Murphy says.

The same precautions the health industry follows can be employed in other industries. Bell Canada’s Giordano developed a list of privacy questions marketing managers at the telecom company must check off when new services and products are being developed and readied for marketing. Marketing managers must provide answers to such questions as how the personal data will be collected, with whom they will share the data, how the information will be stored and for how long. Giordano and sometimes a regulatory officer at the company go over the answers, and if any answers to the questions violate privacy policies or laws, Giordano works with the managers to rework the service to make sure the privacy policy is followed.

Unlike privacy officers in American companies, Giordano has a big stick to wield. In 2001, a strict federal privacy law took effect in Canada, setting rules for how companies may collect, use or disclose personal information. For example, data cannot be stored indefinitely; it may be kept only as long as it is needed. The law also gives Canadians the right to access and request correction of their personal information. Companies cannot share information among affiliated companies unless they first obtain the customer’s permission.

Still, Giordano says Bell Canada’s marketing department was reluctant at first to discuss with the company executives who oversee privacy what personal information it held and how it intended to use it, fearing that some marketing practices might be prohibited. So Giordano approached the marketing managers with the idea that he was trying to find ways to protect privacy, not necessarily to say no to the use of the data. For example, Bell Canada collects customer consents for its four primary services: wireless, DSL, satellite broadcasting and wireline (a multi-channeled digital service that can serve three TVs, high-speed Internet and telephony all at once). In other words, a customer gives the company permission to discuss marketing opportunities for any or all of these four services. An onscreen prompt reminds reps what they can and cannot discuss with customers who call in.

“The approach should be: If you give us more information, we can help you with what you are trying to do within the bounds of the law and our privacy policy,” Giordano says.

There’s much more companies can do to make privacy a top priority among employees. At Partners Health, the staff sees posters in the halls and elevators that remind them of the HIPAA regulation requiring them not to discuss patient data in public. E-loan’s Kolczek recommends that CIOs build a strong relationship with their marketing departments to keep them informed on new privacy laws, citations and how a new marketing practice may violate the privacy policy. “It can be a love-hate relationship,” she admits. “But marketing knows if something is done wrong, our relationship is at stake.”

Recently, Kolczek had to convince the marketing department that installing third-party adware on E-loan’s website, software that could track a visitor’s viewing habits, would violate E-loan’s promise to protect customers’ privacy. Marketing agreed not to install the software, she says.

The Carrot-and-Stick Approach

At Bell Canada, educating employees about privacy includes managers reviewing the company’s privacy policy and code of ethics with each employee during a performance review and discussing the rules governing use of data, access and disclosure of data, and how that relates to the person’s job function. The more access an employee has to customers’ personal data, the more time the manager spends on the review. Employees then are asked to sign a document pledging they understand the policies.

And, of course, all of these companies monitor who accesses customers’ personal data. At Bell Canada, a rep who accesses a customer account without that customer having called in may be flagged for review. In addition, the company controls access to customer data on a need-to-know basis: almost all access to personal data is limited to employees who have direct contact with the customer. Giordano is working with Bell Canada’s CIO to develop an application that pops up a warning when employees access information they should not. If the employee proceeds, the CIO and the appropriate manager are alerted.
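The “accessed an account without the customer having called in” check above is straightforward to express as detection logic over two logs. The example below is added here and is not Bell Canada’s code or the application the article describes: it correlates account-access events with inbound-call records and flags any access that no call from that customer to that rep explains within a time window. The log format, the field names, the 30-minute window and the log lines themselves are constructed for the example.

```python
"""Flag customer-account lookups that no inbound call explains.

Added example, not code from Bell Canada or the article. Log format,
field names and the 30-minute window are assumptions; the log lines are
constructed for the example.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed: access must follow a call this closely

# Constructed inbound-call records: which customer reached which rep, and when.
CALL_LOG = """\
2006-03-01T09:02:00 rep=alice account=1001
2006-03-01T09:40:00 rep=bob account=2002
2006-03-01T10:15:00 rep=alice account=1001
"""

# Constructed access records from the customer-data application.
ACCESS_LOG = """\
2006-03-01T09:05:10 rep=alice account=1001 action=view
2006-03-01T09:41:30 rep=bob account=2002 action=view
2006-03-01T09:58:00 rep=bob account=3003 action=view
2006-03-01T10:16:05 rep=alice account=1001 action=update
2006-03-01T11:30:00 rep=carol account=2002 action=view
2006-03-01T11:45:00 rep=alice account=1001 action=view
"""


def parse(log: str) -> list:
    """Parse 'TIMESTAMP key=value ...' lines into dicts with a datetime 'ts'."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.fromisoformat(ts)
        rows.append(rec)
    return rows


def unexplained_accesses(access_log: str, call_log: str,
                         window: timedelta = WINDOW) -> list:
    """Return access records not preceded, within `window`, by a call from the
    same account to the same rep. A call to a different rep does not excuse
    the access: need-to-know is per employee, not per account."""
    calls = parse(call_log)
    flagged = []
    for acc in parse(access_log):
        explained = any(
            c["rep"] == acc["rep"]
            and c["account"] == acc["account"]
            and timedelta(0) <= acc["ts"] - c["ts"] <= window
            for c in calls
        )
        if not explained:
            flagged.append(acc)
    return flagged


if __name__ == "__main__":
    for rec in unexplained_accesses(ACCESS_LOG, CALL_LOG):
        print(f"REVIEW {rec['ts'].isoformat()} rep={rec['rep']} "
              f"account={rec['account']} action={rec['action']}")
```

On the constructed logs this flags three events: bob viewing account 3003 with no call at all, carol viewing 2002 when the customer had called bob, and alice returning to 1001 ninety minutes after the last call. In a real deployment the join key would normally be a ticket or case identifier rather than rep-plus-account, so that transferred calls and follow-up work do not generate false positives; the window is then a tunable on top of that.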

If someone in the company does violate the data use policies, company privacy experts say action must be swift and appropriate to the violation. At companies interviewed for this article, punishments ranged from reprimands and transferring an employee to a less sensitive job to dismissal.

As these examples illustrate, there is much that CIOs can do to take a proactive stance on privacy. The last thing their companies want is to be a sitting duck for the kind of disaster that tarnished CartManager’s reputation. After the FTC citation, CartManager was sold to new owners, Vision Bank Card, who immediately instituted a stronger privacy policy. The policy now explicitly states no customer information will be sold to third parties. The FTC also ordered CartManager to provide “a clear and conspicuous disclosure” that consumers are entering their credit card and other personal information on CartManager’s website, not the original merchant’s website.

“We’ve changed our policy,” Hill says. “We now take privacy very seriously.”