Why CIOs Should Care About Privacy

What accounts for the generational divide on privacy?

Privacy is part of personal data hygiene. If you ask a 17-year-old if they’re worried about protecting their privacy, you get a puzzled look.

I had this conversation with my son. I asked, “What if you’re trying to get a job when you’re 40 and your employer calls this stuff up on your Facebook page?” He said, “Don’t you think my employer will have his own stuff to worry about on Facebook?”

He had a point. They will take precautions, but they’re not obsessed about privacy protection. That obsession is an artifact of the pre-Internet world. Remember when you got your first cellphone? You never wanted to give your number out because people might call you and try to sell you stuff. People were the same way with email addresses, too.

Why should CIOs care about privacy?

The Sony PlayStation data breach illustrates an important aspect of privacy protection and its relationship to customer trust. Trustworthiness is going to be more important as the volume and speed of interactions between customers and companies go up. Our standards for what constitutes trustworthy behavior will be more demanding and less forgiving. Violating a customer’s privacy will be found to be even more egregious in the future than it is today.

What can the CIO do?

Trust is made up of two elements. One is that I trust that you have my interests at heart. The second has to do with competence. The fact that you want to protect my privacy is your intent, your policy. Your data security safeguards, the training you give to employees—these are elements that go to your competence.

There are more mistakes of trust due to incompetence than due to bad intent, by far. When someone leaves a laptop on the subway and customer data is swiped, people are upset and it makes headlines. But it’s not that the company had bad intent. They were incompetent. If it happens over and over, this lack of attention to detail might indicate bad intent in that the company is more intent on its own profit or cost control than on protecting customer interests.

If it turns out Sony could have avoided the recent hacker invasion and privacy breach with just a bit more security, then we’ll be asking ourselves whether it really cares very much about protecting its customers’ interests. This would have far more serious consequences for Sony’s business than a mere mistake.

So the CIO is at the nexus of competence.

The CIO is a senior officer and will play a role in making sure the company’s privacy philosophy is a respectable one. But yes, the CIO is at the forefront of competence. This means not just having the right security software. He or she should be actively involved in programs to train anyone who has access to sensitive data. The CIO should make sure that training is refreshed on a regular basis. The CIO needs to put his company through fire drills, pretending to have had a big data breach. If more CIOs actually ran this kind of privacy-breach fire drill, they’d be more attentive to protecting privacy.

Everything in IT comes down to a cost-benefit analysis. How does that work for privacy?

One thing you keep customer information for is to be able to treat customers better by knowing more about what they bought and what they need. CIOs need to strike a balance.

I would spend time thinking carefully about which data might constitute real privacy problems. How much protection do I need to buy for data that doesn’t actually cost the company money right away if it’s released? I protect credit card data because if it’s released, I pay a lot of money. It’s probably not appropriate in most cases to subject all customer information to the same strict protections.

Follow Senior Editor Kim S. Nash on Twitter: @knash99.