by Alison Bass

CIOs Must Protect Privacy or Risk Litigation

Nov 01, 2001 | 11 mins

AS AMERICA GIRDS AGAINST TERRORISM, federal privacy regulations that restrict the exchange of data online will probably take a back seat to law enforcement’s need to know. But that doesn’t let corporate America off the hook when it comes to protecting the privacy of consumers. Harvard Law Professor Arthur Miller, the former host of the TV show Miller’s Court and one of the country’s best legal minds, says corporate executives should be especially concerned about protecting their companies and themselves from class action lawsuits stemming from the intrusive use of personal data gathered online. And if that’s not enough to scare any right-thinking CIO, Miller, a longtime expert on the impact of technology on privacy and author of one of the first books on the subject, The Assault on Privacy: Computers, Data Banks and Dossiers (University of Michigan Press, 1971), has himself become involved in several of these high-profile cases.

In a recent interview in his cluttered book-lined office at Harvard, the courtly looking Bruce Bromley Professor of Law expounded on the principles behind these lawsuits and discussed the line corporations should be careful not to cross when collecting and using their employees’ and customers’ personal information.

CIO: You’ve been writing about privacy issues for the past 30 years. How has the Internet changed the tenor of the debate?

Miller: Before the computer came along, the greatest privacy protector was that you could never find anything. The safest place in the world was a manila folder in some file drawer. I certainly can’t find things in my files. [He laughs and gestures helplessly around his office, where stacks of papers cover every available surface.] The computer has changed that calculus. Now you have the ability to record everything, and you get a mentality that it’s important to record everything. And the Internet allows direct marketers to come into people’s homes and offices and buy privacy. It has changed the scale of [intrusiveness] to a degree we could never contemplate before.

But the industry pollsters say that Americans don’t really care about privacy in this new age. After all, consumers keep giving websites personal information in order to do business online, so how much do they really care about privacy?

I think it depends on how you phrase the question. If you put the issue of privacy in terms of civil liberties or medical records, you get very strong pro-privacy reactions. But if you put it in terms of accessed goodies, then it becomes a trade-off, which leads one to believe that Americans care less about privacy in the commercial context than they do in the medical or employment context. And it’s clear that in certain environments, Americans are willing to sell their privacy. Give them a freebie online and they’ll give you some of their privacy.

Which is the greater threat: hackers who are looking to steal data or the sale of private information to third parties?

In terms of dimension, the bigger problem is the free movement of personal information in the economic system. Yes, there are hackers out there, and you have to protect your systems against them, but I don’t think they pose the privacy threat that the self-interest of an entity to sell or exploit data possesses. Information is so valuable, and circumstances are so unpredictable. Look at all those dotcoms that have folded up; their only asset is their customer base, so they have every incentive to sell that. And there’s a lot of stuff going on out there that’s on the fringe of being very, very intrusive. Like the rampant, uncontrolled use of cookies that give corporations information about your susceptibilities.

Even beyond cookies, many corporations invest tremendous resources in CRM systems that capture personal data and use it to target customers more effectively, for example by segmenting them into high- and low-value customer groups and then treating them accordingly. Do people recognize the extent to which their personal information is being used in this way?

I don’t think Americans understand that someone is capturing data on them every time they do something, whether they buy something on or use the Net to book an airline seat. And when people are affected by this, they don’t even know it. I mean, say you get turned down for credit. How often can you figure out why you’ve been turned down for credit? I don’t mind if people sell their privacy. You can sell anything you want in this country except your children. But what disturbs me is that individuals are not sufficiently informed to make intelligent choices. You know, way back in the early days of this business, at least Reader’s Digest gave you a choice. The magazine would say, “Look, we’d like to put you on a [subscriber] list and sell it, but if you tell us no, we’ll take you off the list.” Now consumers don’t often get that choice. And they don’t know what the consequences of opting out are. You don’t know if you go on a special list of opt-outs and then get treated as a shabby customer. It’s one thing to say, “Well, if you opt out, I’m not going to put banners on your screen.” It’s another thing to say, “I’m going to sell your name or treat you like a second-class citizen.” [For example, by putting you on hold for longer than customers who have opted in, or not giving you the same discounts that might be afforded a more cooperative customer.]

What’s the downside, if any, of not telling your customers what you’re planning to do with their information?

We’ve already seen a wave of litigation around the cookie business. Privacy buffs have gone after DoubleClick [a New York City-based company that tracks consumer preferences for advertisers] in several lawsuits. What some people argue is that collecting information in this way is no different from wiretapping or eavesdropping. It’s an intrusion, and it goes to the complete absence of consent. Unfortunately, the federal statutes are so primitive (they were enacted at a time before cookies were understood) that a lot of courts are going to have difficulty applying the laws to prevent this kind of privacy intrusion.

However, to make the Web work economically, companies will have to provide some security and confidentiality to their customers. Then again, privacy may get indirect help from people’s mercenary instincts. Retailers will realize that you won’t come on the Web if you think somebody’s going to steal your credit card number.

The invasions of privacy I see are not invasions by Big Brother. They’re not invasions by a malevolent government. They are invasions that occur because people see an economic motivation to capturing personal data, and they want to market something. The question is, Have you given people a choice to be part of that marketing scheme or not?

Which method do you think is more effective in protecting privacy, the opt-in one that Europe has or the opt-out method that most U.S. companies employ?

Opt-in is a little tough. If you go to an opt-in system, you could do serious damage to the economic vitality of marketing, and that’s not something I want to achieve. Opt-out is less dangerous from that perspective, but maybe it has to be reinforced by full information as to what you’re opting out of or why you might want to think twice about opting out. A number of countries in western Europe do something we haven’t done yet and that is they have a privacy ombudsman, a civil servant whose job is to represent the people in their dealings with corporations and government agencies. Just to make sure people are dealt with fairly.

Will privacy concerns be a major stumbling block for e-commerce and the exchange of data online? If so, what can be done to forestall that?

It depends on how upset people get. All you need is one horror story, one anecdote that creates a widespread loss of confidence. And that would have serious economic consequences. That would sour online commerce for a lot of people. A lot of dotcoms [including, a venture Miller was involved in] failed because of the basic difficulty of getting people to readjust their thinking. When they think of legal assistance, for example, many people want to sit down with someone they trust; they want a face behind the advice. But much of law as it affects the ordinary person is cookie-cutter stuff, like advice about wills or buying a home, and you don’t really need a face to do certain typical things. was designed to provide that kind of low cost and stereotypical legal counsel. But people couldn’t get used to the idea of giving up that kind of information online. I think eventually Americans will get used to it, particularly if their privacy is protected.

What kind of legal consequences should CIOs be concerned about as they build systems that capture personal data?

Every employer is required by law to provide a safe workplace for its employees, and that extends to a safe informational workplace. Similarly, a company and its CIO have to be concerned about a safe informational environment for their customers because if calamity strikes and there were things you could have done but didn’t, some jury somewhere is going to smack you across the snout with a two-by-four. Suppose, for example, that you’re collecting medical data and your system is not up to standard. If there are security precautions you’re not using and somebody hacks in, and Joe Smith gets hurt because his wife finds out he has AIDS or somebody engages in identity theft, your information system has some legal problems. Sometimes we have to protect people by pointing the gun at others. And that gun is legal liability. Juries have shown themselves capable of getting extremely angry when people are not protected and they could have been protected.

Does that liability extend to one company sharing customer data with another company?

Yes. I recently argued a case before the Supreme Judicial Court of Massachusetts involving the national drugstore chain CVS. It was giving identifiable prescription information to drug companies, and someone brought a class action suit. The question I argued before the court was whether this was a proper class action. The court said yes, that a class action could be brought against CVS on the theory that CVS had violated the relationship between pharmacist and customer by providing identifiable information. CVS has since settled the case, and they’re not doing it anymore. The question now is whether the drug companies who got the information will be held liable. It’s like the DoubleClick litigation. These lawsuits are designed to get companies to improve their practices.

But it’s not clear how effective these suits will be, given the existing statutes. Are federal regulations that deal with cookies and other privacy issues inevitable?

Most of the privacy legislation that does exist was the product of a Democratic Congress in the 1960s and ’70s. With the current Congress, I think passing such legislation will be an uphill battle, even more so in light of the recent terrorist attacks. There’s no question there will be increased pressure to overturn privacy guarantees in the wake of Sept. 11. Still, privacy doesn’t necessarily fall on that liberal and conservative line; there are a lot of very conservative forces that are pro-privacy and vice versa. I’m big on medical privacy, so that’s an area where I think regulations are necessary. In addition, some thought should be given to employee privacy. I think employees are entitled to a certain amount of privacy. Some states already have legislation around this; others don’t. So it may be necessary to have some federal legislation to protect employees in the workplace. That doesn’t mean everyone has the statutory right to e-mail anything they want, but you have to make clear to people what their vulnerabilities are, that they are being monitored constantly. Most major employers do that now, and I think they understand there is a legal risk if you don’t inform your employees about what’s going on.

What about gathering data for e-commerce purposes? Will Congress intervene there?

As I said before, all you need is one nasty event to foul the water. I think a lot of companies exercising goodwill and common sense will make good decisions. But they will be tarnished, unfortunately, by the bad apples, by the people who try to sell data when they shouldn’t. And it’s a sad fact of life that we very often make policy in this country by anecdote. It’s the squeaky wheel effect.