It seems that not a day goes by without news about lost or stolen personal data.
Some of the most widely reported breaches involve personal data collected and stored on company networks. Crackers recently stole credit and debit information from a BJ’s Wholesale Club customer database, and in another incident, accessed the credit card, debit card and checking account information of more than 1.4 million customers of DSW, a shoe discounter.
The problem is not limited to individual corporations. Data aggregators such as Acxiom, ChoicePoint and LexisNexis collect and sell personal information on virtually every American. At one time or another, each of these companies has had to notify hundreds of thousands of individuals across the country that their personal information was accessed by unauthorized individuals. The Federal Trade Commission recently fined ChoicePoint $15 million after it sold sensitive personal information to con artists who then used the data for fraudulent purposes.
Yet despite growing concerns about privacy and the security of personal data, most American companies still collect too much personal information from their customers without giving them a choice on how this data is used, shared, sold or retained.
Opt-Out, Opt-In—Same Difference
Indeed, just over half of large U.S.-based companies offer an opt-out choice to customers, according to a new study by the Ponemon Institute (the company I founded). And even fewer companies—23 percent—operate on a consent or opt-in approach. (With an opt-in policy, companies will not collect personal information unless their customers specifically consent or opt in.)
Even if companies do offer opt-out, it can be a very frustrating experience—much like calling customer service at your telephone company to complain about their billing error. And there is no guarantee that personal information will actually be stricken from the company’s customer contact database. Not only are Americans increasingly worried their personal data may fall into the wrong hands but they are also becoming more anxious about omnipresent surveillance of their personal lives by the government. In January, the Ponemon Institute conducted a survey on whether search engine Google should release Internet search information to the federal government. More than 56 percent of respondents in our study said that Google should not release Web search information to the government.
Some recent surveys indicate that privacy concerns are behind the recent plateau in the numbers of people who bank online. And privacy experts say that they foresee an increasing number of lawsuits against corporations from angry consumers whose personal data has been breached. Recent government enforcement actions have also raised the bar for companies. In its ruling against DSW, the FTC required the shoe retailer to establish a comprehensive information security program that includes administrative, technical and physical safeguards.
Where the CIO Fits In
I believe that it is “good business” for American companies to be more responsive to customer and employee privacy concerns. After all, when a company succeeds in creating a trusted relationship, many customers do in fact appreciate the personalized marketing messages that sharing their personal data makes possible, and they are therefore willing to share more information about their purchasing habits and lifestyle.
As the chief information steward for their companies, CIOs are in a position to take a leadership role here. When all is said and done, you are most likely the executive who has to create a cohesive data protection strategy within your enterprise and, if your company is outsourcing, outside it as well. It is up to you and other top executives to ensure that all of your business partners maintain the same level of vigilance as you do over the information entrusted to them.
What You Can Do to Safeguard the Data
One of the lessons learned from recently publicized data breaches is that the failure to properly secure personal information can be very costly in terms of lawsuits, fines, diminished reputation and customer churn. Hence, it is always a good idea for companies to be honest and open with people whose data has been entrusted to them. That means posting privacy policies that are easy to understand. Remember, not everyone has a law degree. Transparency also requires the company to explain clearly how personal information is being used and why it may be shared.
CIOs should also consider installing technologies that make it easier to manage customers’ privacy preferences and track illegal data movement. Effective use of these technologies will promote a higher sense of confidence that your organization is committed to protecting privacy, thus protecting your brand or reputation. As you put these technologies in place, keep in mind that not all personal information is considered equal in terms of potential sensitivity. CIOs should know where in the organization the most sensitive types of personal data (Social Security numbers, credit card accounts and health records) reside and make sure this data is secured at a higher level than other types of information.
IT executives should also make sure that their companies do not collect too much information. This is tricky, since marketing departments often have ambitious goals for targeting customers to increase revenue, and that, in turn, results in pressure to collect as much information as possible. In the privacy game, however, less should always be preferred to more. The key is to collect just what is needed to get the job done. In addition, CIOs need to take steps to ensure that the personal data the company collects is accurate and current. One way to improve accuracy is to provide customers with the ability to access and, if necessary, correct the personal information collected about them. And when personal data is no longer relevant (or no longer required by law), companies should get rid of it. The storage of stale or outdated personal information is almost always a threat to privacy.
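The two preceding paragraphs describe three practices a CIO can actually automate: tiering personal data by sensitivity, rejecting fields that a stated business purpose does not justify, and purging records once their retention window has passed. The script below is an added example written for this page, not code from the article or from the Ponemon Institute; the field names, sensitivity tiers, retention periods, purposes and the two sample customer records are all constructed assumptions, and a real deployment would take them from the organization's own data inventory and legal retention schedule.

```python
from datetime import date

# Sensitivity tiers (assumed for this example): 3 = most sensitive, 1 = least.
# The article's examples of highest-sensitivity data are SSNs, card accounts and health records.
FIELD_TIER = {
    "ssn": 3, "card_number": 3, "checking_account": 3, "health_note": 3,
    "email": 2, "phone": 2, "postal_address": 2,
    "name": 1, "purchase_history": 1,
}

# Maximum days a field of each tier may be kept after the customer's last activity (assumed).
RETENTION_DAYS = {3: 365, 2: 730, 1: 1095}

# Data-minimization allow-list: the fields each business purpose is entitled to collect (assumed).
PURPOSE_FIELDS = {
    "order_fulfilment": {"name", "postal_address", "email", "card_number"},
    "newsletter": {"name", "email"},
}


def highest_tier(record):
    """Tier of the most sensitive field present, which decides the protection level required."""
    return max((FIELD_TIER[f] for f in record["data"]), default=0)


def over_collected(record):
    """Fields held that the record's stated purpose does not justify (collect only what is needed)."""
    allowed = PURPOSE_FIELDS[record["purpose"]]
    return sorted(f for f in record["data"] if f not in allowed)


def stale_fields(record, today):
    """Fields whose tier's retention window has elapsed since the customer's last activity."""
    age_days = (today - record["last_activity"]).days
    return sorted(f for f in record["data"]
                  if age_days > RETENTION_DAYS[FIELD_TIER[f]])


def apply_retention(record, today):
    """Return a copy of the record with stale fields removed rather than retained."""
    stale = set(stale_fields(record, today))
    kept = {f: v for f, v in record["data"].items() if f not in stale}
    return {**record, "data": kept}


def review(records, today):
    """One finding per record: its tier, over-collected fields and fields due for deletion."""
    return [
        {
            "customer_id": r["customer_id"],
            "tier": highest_tier(r),
            "over_collected": over_collected(r),
            "stale": stale_fields(r, today),
        }
        for r in records
    ]


# Constructed sample records; values are placeholders, not real data.
TODAY = date(2006, 6, 1)
SAMPLE = [
    {"customer_id": "c-1001", "purpose": "newsletter",
     "last_activity": date(2004, 1, 15),
     "data": {"name": "A. Example", "email": "a@example.invalid", "ssn": "000-00-0000"}},
    {"customer_id": "c-1002", "purpose": "order_fulfilment",
     "last_activity": date(2006, 5, 20),
     "data": {"name": "B. Example", "postal_address": "1 Sample St",
              "card_number": "0000-0000-0000-0000"}},
]

if __name__ == "__main__":
    for finding in review(SAMPLE, TODAY):
        print(finding)
    print(apply_retention(SAMPLE[0], TODAY)["data"])
```

Running it flags c-1001 on both counts: the newsletter purpose never justified collecting an SSN, and both the SSN and the e-mail address have outlived their retention windows, so `apply_retention` leaves only the name. c-1002 is clean. The point of keying retention to the field's sensitivity tier rather than to the record as a whole is that the most dangerous data is removed first, while low-sensitivity data the business still uses can stay.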
The CIO must be proactive in making sure the organization can “walk the talk” when it comes to its privacy and data protection commitments. While this is a difficult and politically risky task, in the end your company will thank you for taking on this leadership role.