Privacy Is Your Business

In September 2002, the Department of Defense asked JetBlue Airways to hand over more than 5 million passenger records. The airline, known for its discount fares and leather seats, promptly complied with the request, releasing names, telephone numbers and travel itineraries to a DoD contractor.

JetBlue’s CIO at that time, Jeff Cohen, didn’t hear about the request; the DoD went directly to the company’s marketing department, bypassing IT altogether. Cohen discovered months later that the airline had released passenger information in violation of its own privacy policy.

JetBlue now faces class-action lawsuits filed by outraged customers and potentially millions of dollars in settlements or awards. Cohen has since left the airline, but in retrospect he says that he and other top executives should have been involved in the decision to turn over such sensitive passenger data. “Everybody in a leadership position at JetBlue who had anything to do with data should have known about that request,” Cohen says.

JetBlue’s saga is a cautionary tale for corporate America, which is increasingly using powerful data mining software and surveillance technologies to gather personal data and track movements of customers on and offline. One of the lessons learned is that CIOs would be wise to play a more central role in the shaping and enforcing of data privacy policies. As the guardians of data, CIOs are uniquely positioned to understand how customers and privacy advocates could view data collection and mining as intrusive. CIOs may not always make the final call on who gets access to customer data?top management will often issue such decisions?but they must do more than oversee data collection; they must reposition themselves as the champions and advocates for privacy. If they don’t, what’s to stop their company from becoming the next JetBlue?

CIOs can become privacy champions by initiating a formal process for data access and educating themselves about new regulations and technologies that can help protect data privacy. They can insist that their companies tell consumers how their data is used and how the latest technologies can track their habits. As marketers search for more information on customers to personalize sales and services, CIOs can secure for themselves a more strategic role by championing data integrity and facilitating the governance of what’s becoming every company’s most prized possession.

“When it comes to data privacy, as a CIO, you are the steward of it all,” says Tim Buckley, CIO of the Vanguard Group. “You can’t sit back because it gets tougher each year. More and more people are going to want access to your data.”

A Short History of Snooping

Surveillance isn’t a recent phenomenon in America. But it’s gathered new momentum in the past decade, as the number of inexpensive computers has multiplied along with storage capacity. “Thanks to the proliferation of computers, databanks and networks, once-distinct spaces of knowledge?credit card records here, medical records there, criminal records elsewhere?now form a single, coherent informational landscape that is easily mapped and controlled by government and business,” writes Christian Parenti in his new book, The Soft Cage: Surveillance in America from Slave Passes to the War on Terror. On a typical day, we may make a call on a cell phone, drive through an E-ZPass or Fast Lane toll, use an ATM card and make an online purchase, leaving a digital trail that can track our movement, preferences and even political beliefs for businesses and government agencies to scrutinize.

Latanya Sweeney, founder and director of the Laboratory for International Data Privacy at Carnegie Mellon University, says the explosion in personal data can be measured by what she calls global disk storage per person, or GDSP, which she calculates by dividing the amount of hard disk storage sold each year by the world’s adult population. The GDSP has grown from 20KB of data in 1983 to 472MB in 2000. And the number continues to grow exponentially. “Experience shows that once our information is captured, someone will inevitably use it at some time for their strategic advantage,” Sweeney says.

Increasingly, Americans are chafing at attempts by government and private sectors to sift through their personal data. In the past year, opposition from privacy advocates and politicians forced the Pentagon to temporarily drop its plans to track the movement of American citizens with its Total Information Awareness project. (Instead of completely shuttering TIA, however, the Pentagon merely renamed the initiative and classified aspects of it, essentially removing it from public view.) More recently, a growing number of states including New York and Wisconsin have pulled out of an anticrime database program known as the Multi-State Anti-Terrorism Information Exchange, or Matrix?initiated after 9/11 to track terrorists?citing cost and privacy concerns. Civil libertarians argue that Matrix, which combines criminal records data with private information such as property and business filings, endangers citizens’ privacy rights.

The private sector is also taking hits on the privacy front. U.K. grocery retailer Tesco got caught conducting an unannounced smart-shelf trial with radio frequency identification tags on Gillette razor blades and canceled the pilot project after negative publicity. Retailers Wal-Mart and Benetton announced last year that (at least for now) they would keep RFID tags out of their stores.

But many businesses don’t seem to understand the extent to which consumers value the privacy of their personal data. According to a recent Accenture survey, 60 percent of the 223 business executives surveyed said that privacy policies are the least important of five factors that influence consumer trust. Yet 51 percent of the 347 consumers surveyed said that they have declined to do business with a company because they were uncomfortable with its privacy protection.

The stakes are huge for companies, especially those who ignore privacy concerns. Privacy & American Business, a nonprofit group led by privacy expert Alan Westin, is currently tracking 141 lawsuits against companies for alleged violations of consumer privacy. Already these lawsuits have netted plaintiffs more than $130 million in penalties or settlements. “A privacy breach is now much more than a mere annoyance,” says Rich Honen, a lawyer who specializes in technology and privacy at the Albany, N.Y., law firm Honen & Wood. “It can create a serious security risk and become a market issue for a company.”

How Two CIOs Became Privacy Champions

When Buckley took over as CIO of the Vanguard Group two and a half years ago, setting up a leadership team to oversee data was one of the first tasks on his to-do list. “Obviously, our number-one asset is our reputation and the trust of our clients,” he says. “I saw we had to have a plan to protect our customer data.” The plan went far beyond the often vague wording of the typical company privacy policy; it set up a specific process to follow when someone asks for access to personal data. If, for instance, a marketing person at Vanguard wants to get access to consumer data, they have to go through a formal process and get approval from the business owner before approaching IT. If marketing requires names and addresses for a client mailing, Buckley says, IT will provide that information if marketing can make a business case for the request. For a more general need, such as examining broad client trends, they would receive aggregated data.

Vanguard’s leadership team, which includes Buckley, as well as the company’s CSO and the head of internal audit, created a system in which the IT department assigns a steward to oversee each line-of-business database. The steward is responsible for the integrity of a database and makes sure that adequate access controls are in place to protect the data. While the business unit leader makes the final yes or no decisions on data access and assigning “public,” “confidential” or “highly confidential” classifications to all data, the IT side protects and defends the data.

If an internal marketing person at Vanguard wants access to client data, he must first get approval from one of four business line leaders, then send the approved request along to the IT steward. The IT steward won’t turn over data until permission has been granted by one of the business line leaders. “At first I thought people in IT would say this is just a lot of bureaucracy,” Buckley says. “But people get it. The IT people and the business people see that when it comes to data privacy, we need to err on the side of caution.”

When an outside organization?such as a government agency?asks for customer data, the request goes first to the legal department, which requires a subpoena for most such requests. Vanguard’s privacy policy states that it does not sell information about current or former clients or their accounts to third parties. Nor does the company share such information, “except when needed to complete transactions at [the customer’s] request or to make [the customer] aware of related financial products and services that [Vanguard] offers.”

Creating a process for data protection was also high on Chris Kowalsky’s must-do list when he became CIO of Education Management Corp. (EDMC), a Pittsburgh-based company that runs 66 universities and other postsecondary schools across the United States. Kowalsky understands that marketing people often need access to data, but if that entails sensitive student records, they have to go through a strict process to get authorization from business leaders and IT staff. If a marketing person protests or doesn’t understand his company’s data access rules, Kowalsky says he would alert others in that person’s department. “In a perfect world, I wouldn’t have to do that,” he says.

That doesn’t mean that Kowalsky, who spent 22 years as CIO for Pittsburgh-area hospitals before joining EDMC two years ago, is the sole gatekeeper of data. At EDMC, when a marketing person requests access to student records data, for example, she must go to a business leader at the vice president level, and then to human resources. The request then goes to the IT department, which creates an account and access code for the data. “My responsibility as a CIO is for technology and policy that protects data,” Kowalsky says. Identity management systems, an intrusion detection system and technology that validates access codes help secure data privacy at EDMC. Kowalsky and his IT department make sure that the person requesting data still has access privileges (which are cut off automatically once someone leaves the company), and they regularly monitor data access logs for unusual patterns.

There have been several instances in the past two years, Kowalsky says, when he has questioned data access requests, particularly when it has meant that the data would be leaving the company. He has alerted top management, for example, when an external auditor sought data access, and when an outside consultant asked for access to financial and student data. “There have been times when I needed to discuss some requests at a higher level,” he says. “When you are looking at whether information can leave your organization, you need to be sure.”

To Play This Game, You Have to Know the Rules

As CIO at Pittsburgh’s St. Francis Health System in the late 1990s, Kowalsky spent months studying the ins and outs of the Health Insurance Portability and Accountability Act, or HIPAA, which governs how health-care institutions handle sensitive patient information. He read trade journals, studied HIPAA reports and fielded calls from consultants eager to share knowledge about the new regulations. Now, as CIO at EDMC, he studies regulations related to the protection of student records so that he knows how long to keep them and who is allowed to access them. “CIOs have to have a working knowledge of new regulations,” says Kowalsky. “Without it, we can’t have any influence on a company’s policies.”

For years, information privacy in the United States has been protected only through an amalgam of narrowly targeted rules governing specific sectors, says Joel Reidenberg, a professor of law at Fordham University in New York City and an expert on data privacy. Where other parts of the world (including the European Union) have passed laws to protect data privacy, the American legal system has relied more on market self-regulation and litigation to right data privacy wrongs. That’s all changing as an increasing number of privacy statutes are being drawn up by state and federal authorities. And that means that CIOs will have to start boning up on public policy. That’s already happened in the health-care industry (with HIPAA) and in financial services with the Gramm-Leach-Bliley Act of 1999, which requires financial services companies to create privacy policies, and governs how information can be shared within and between institutions. New regulations for more sectors are sure to follow.

“CIOs need to recognize the uncertainty and start planning today,” Reidenberg says. “Just because there are no privacy regulations governing your industry today doesn’t mean that in five years’ time it will remain unregulated.”

In order to educate themselves on privacy issues, CIOs should make contact with the company’s government relations department, which will probably be following privacy debates on Capitol Hill. At EDMC, Kowalsky has had to study the Family Educational Rights and Privacy Act with regards to student records and the Gramm-Leach-Bliley Act when he is dealing with student loan data.

Privacy education also includes awareness of the latest technologies that can protect data. Technology vendors have been slow to develop programs that can “anonymize” data or alert companies to the risk of a privacy breach, but some options are now hitting the market. For example, IBM last year launched Enterprise Privacy Authorization Language, or EPAL, an XML-based programming language designed to allow companies to automatically restrict access to sensitive data stored in corporate applications and databases. Niche vendors such as Pittsburgh-based Privacert sell software programs that can “de-identify” a data set in accordance with HIPAA. The resulting data can be shared freely and remains useful for bioterrorism surveillance without jeopardizing individual privacy, says Carnegie Mellon’s Sweeney, who invented the Privacert technologies.

“The trick for the CIO is to enable access to data while guaranteeing privacy,” says Sweeney, who adds that CIOs are not likely to stop CRM or other data mining efforts that can add to a company’s bottom line. “Computer technology got us into this mess by enabling widespread data sharing,” she says. “But it is also important to know that computer technology can now get us out.”

The Advantages of Being a Privacy Champ

CIOs trying to champion data privacy are in a tough position, especially if they are not part of the management team. Marketers or government officials who want the data may call CIOs obstructionists if they don’t provide access, and top management may call them meddlesome if they speak out on privacy and propose strict measures. But Buckley says that creating a process for data access allows the CIO to stick up for data privacy without fear of criticism.

Some CIOs may wonder why they should bother taking on this difficult assignment. After all, top managers are the ones who usually define privacy policies, and some companies appoint a CPO to oversee privacy-related issues. But if the company doesn’t have a CPO, and the CIO doesn’t stand up for the customers’ data, no one will. And that actually creates an opportunity for CIOs to talk directly about privacy issues with top management, as Buckley and Kowalsky have done. “The board of directors and the chairman want to hear about data privacy,” Buckley says. “I know my feet will be held to the fire on this.”

CIOs can use such accountability to raise their own profile internally. “One of my top responsibilities as a CIO is to make sure that my superiors and my peers understand how information can be made available, and to ensure we have a process for safe data access,” Kowalsky says. In fact, he believes that there is no way CIOs can influence their company’s privacy policy unless they are working directly with top management. Kowalsky himself reports to EDMC’s President and COO Bill Brooks and has been part of the executive committee since he joined the company.

The JetBlues

When its privacy scandal broke in September of 2003, JetBlue learned a costly lesson: Once customer data leaves your control, it can end up just about anywhere. This is what happened: After obtaining the passenger data from JetBlue, Torch Concepts (the DoD contractor) bought additional customer demographic information?including Social Security numbers?from the consumer data processor Acxiom (see “Privacy and Security: You Can’t Have One Without the Other” on Page 52). The defense contractor then used the information from JetBlue and Acxiom as part of a pilot program to develop passenger profiles to assess the level of risk air travelers pose to security. The existence of these profiles became a cause cŽl¿bre when a passenger’s Social Security number made it briefly onto a public webpage as a part of a presentation by Torch Concepts.

For all of its mea culpas (JetBlue publicly apologized to its passengers last fall), the airline still doesn’t seem to understand the central role that CIOs should play in this issue. In fact, Cohen decided to leave JetBlue last year when he was told it was reorganizing, and that from then on he would report to the head of the sales and marketing department instead of the COO. “I don’t think sales and marketing should be the leaders of technology,” says Cohen, who recently started an aviation software company called Vertical Software Group in Denville, N.J.

If Cohen takes on another CIO position in the future, he says that he’ll make sure he’s in the loop. In the meantime, he sometimes reflects on what he would have said if the DoD had come directly to him in its quest for passenger data. “I would have taken it to the executive committee and asked if we were jeopardizing our privacy policies,” he says. “I would have asked the questions that I believe were never asked.”