Probably nowhere in business will you find a more essential activity for people working in IT than focusing on the big picture of data privacy. This issue has quickly evolved into a very big concern for businesses today, and no wonder: Inadvertent - and sometimes intentional - transmission of personal and proprietary business information to unauthorized parties does happen.
The public is watching and so is the government. Already, many states are moving to enact some kind of privacy legislation. In many instances, states are even trying to control how banks and their affiliates share customer information. The Federal Trade Commission (FTC) has joined the battle and has made initial declarations to Congress that some form of government regulation is needed.
The message is clear: Privacy and other aspects of trust are essential when it comes to maintaining good relationships with customers, employees, suppliers, and other business partners. The consequences of not doing so can be serious.
Privacy Defined
Privacy is a broad and elusive concept. In this column, privacy applies to the information-handling practices of an organization and the processing of personal information through all stages of its life cycle - including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation and use, disclosure and dissemination, and erasure or destruction.
Privacy can be seen both as a constraint on the ways in which you can handle information and, conversely, as an enabler for information-rich business offerings. Personally identifiable information is frequently in the spotlight - this information lets you identify, locate, or contact a person. If you tie those elements together with account, transaction, Web usage, financial, health, and private communication information, you can see how sensitive this data can get.
You also should not lose sight of concerns about the nonpersonal information you gather by tracking or profiling consumers' behavior, such as the Web sites they have visited or the purchases they have made. Information exchanged in a business-to-business setting is very much a part of the privacy issue.
In fact, the advent of the Internet as a key business channel is probably the most obvious context in which privacy does - or should - get such high priority. Privacy affects all information technology, including Web sites, Web-enabled services, back-end systems and databases, network connections with other parties, outside service providers, and legacy systems. However, the need to assure that information sharing follows some sort of enforceable code of conduct isn't limited to Internet activities. A privacy policy is also important in face-to-face transactions with customers, call-center interactions, and any other means through which your company deals with people. It requires the attention and insight of the technologists who design, implement, and operate those systems and networks.
Trust and Confidence
On the one hand, you might argue that technical expertise is the biggest enabler of e-commerce growth. But, in the final analysis, what really leverages your organization's ability to sell products and services is the trust and confidence that you build with customers, business partners, employees, and other parties. It's fundamental to creating customer loyalty. Ironically, the potentially valuable and powerful leveraging capability offered by technology can become your Achilles' heel.
For example, business partners want assurances from you that your processes and supporting systems are secure. They want a high level of comfort that proper controls are in place. Customers want to be certain some well-meaning but overzealous sales representative hasn't seen an opportunity to share or broker private information to third parties. Your alliance partners don't want their pricing information, customer lists, or other strategically sensitive information falling into the hands of competitors.
The Consequences Of Failure
Data privacy is tightly linked with the overarching idea of trust. Trust management is a critical business issue for most organizations. And the technologists have to be on board.
Establishing rules and standards isn't limited to any particular industry or small group of industries. Every company that deals with customer information to any extent will have customers who have actual or perceived privacy issues.
Privacy issues can be complex, and the consequences for not addressing them properly from the beginning can spell more than mere embarrassment or a stern lecture from the legal department. Compelling reasons exist to make sure that your organization's information technology is subject to solid, verifiable controls and that it actually practices them.
When you do not assure data privacy and the word gets out, you come under the intense scrutiny of privacy advocates and security analysts. When you're targeted and exposed, adverse publicity - not only in the trade press but also in the general news media - usually isn't far behind. This scenario isn't a pretty picture - and restoring your reputation, especially with your shareholders and customers, is a difficult task.
Tripwire Situations
One of the most common pitfalls is doing things you tell people you aren't doing. For example, you tell people your Web site doesn't use cookies when, in fact, it does. The problem may have been inadvertent - a utility used to maintain the system might have been left on when it should have been turned off. But strong, consistent change controls would have prevented the unintentional act. These inadvertent leaks of personally identifiable information are often reported to the news media.
"Data spills" can also occur when, for example, a customer clicks on a Web site banner ad that transparently sends personal and transactional information to an Internet marketing company. An all-too-frequent accidental data spill occurs when a mass marketer sends a broadcast email to a large volume of recipients whose names are in the message's "To:" field instead of the "Bcc:" field. The result: Thousands of customer names and email addresses are leaked.
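The two spills just described are both checkable by machine, which is the "strong, consistent change control" the column asks for. The following Python is an added example written for this page, not code from the column or from Ernst & Young: it replays a constructed set of HTTP response headers against a "we set no cookies" statement, and it builds a broadcast email whose customer addresses live only in Bcc, with a check that reports any address a recipient would be able to see. The hostnames, addresses and cookie value are all made up.

```python
"""Added example (not part of the original column): automated checks for
the two data-spill situations described above.  All sample data below is
constructed for illustration."""
from email.message import EmailMessage
from email.utils import getaddresses

# --- Check 1: "our site doesn't use cookies" must actually be true --------
# A change-control gate can crawl the site and inspect every response.
# Constructed sample: the home page sets nothing, the account page sets
# a session cookie that the published privacy statement says does not exist.
SAMPLE_RESPONSES = {
    "https://www.example.test/": [
        ("Content-Type", "text/html"),
    ],
    "https://www.example.test/account": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),  # constructed
    ],
}


def cookie_policy_violations(responses, cookies_allowed=False):
    """Return {url: [cookie names]} for every response that sets a cookie
    while the privacy statement promises the site uses none."""
    if cookies_allowed:
        return {}
    violations = {}
    for url, headers in responses.items():
        names = [value.split("=", 1)[0].strip()
                 for name, value in headers if name.lower() == "set-cookie"]
        if names:
            violations[url] = names
    return violations


# --- Check 2: broadcast mail carries recipients in Bcc, never in To -------
def build_bulk_message(sender, recipients, subject, body):
    """Build a broadcast message with every customer address in Bcc.
    The visible To: header carries only the sender's own address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def exposed_recipients(msg, sender):
    """Return every address other than the sender that appears in To: or Cc:,
    i.e. the names each recipient would see if the message went out as-is."""
    visible = []
    for field in ("To", "Cc"):
        visible.extend(str(h) for h in msg.get_all(field, []))
    return sorted({addr for _, addr in getaddresses(visible) if addr != sender})


def bulk_message_is_safe(msg, sender):
    """Gate to run before handing a message to the mail server."""
    return not exposed_recipients(msg, sender)


def constructed_leaky_message(sender, recipients):
    """Constructed example of the mistake the column describes: all
    customer addresses placed in the To: field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Newsletter"
    msg.set_content("constructed body")
    return msg


if __name__ == "__main__":
    print(cookie_policy_violations(SAMPLE_RESPONSES))
    sender = "news@example.test"
    customers = ["alice@example.test", "bob@example.test"]
    print(bulk_message_is_safe(build_bulk_message(sender, customers, "Hi", "body"), sender))
    print(exposed_recipients(constructed_leaky_message(sender, customers), sender))
```

When a message built this way is handed to `smtplib.SMTP.send_message`, the library strips the Bcc header from the transmitted copy and uses its addresses only for the envelope, so the customer list never reaches another customer's mailbox. The cookie check is deliberately strict: any `Set-Cookie` at all counts as a violation, because the column's point is that the statement and the system must agree exactly.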
However, privacy blunders are not limited to the Internet. For example, financial account information can be inappropriately supplied to telemarketers. Or the business development group might craft a deal that includes the inappropriate exchange of customer information with a third party. Privacy-related events also include:
- Customer service representatives disclosing another customer's information in telephone conversations
- A firm announcing business deals that are contrary to its privacy statement and fair information practices
- A hacker or other unauthorized person exploiting a weak spot in your security to gain access to a customer's personally identifiable information and other account information
- A company inadvertently or intentionally collecting personally identifiable information directly from children under age 13 in violation of the Children's Online Privacy Protection Act.
Gun-Shy of the Web
An IBM survey recently found that 61 percent of U.S. consumers said they shied away from financial Web sites because they were unsure of how their personal information would be used. Another poll by Cyber Dialogue reported that 70 percent of those asked were very concerned that the health information they provided to a Web site might be used by an insurer to limit or otherwise affect their coverage. Another recent poll conducted by Harris Interactive discovered that more Americans are concerned about the loss of personal privacy than are worried about health care, crime, or taxes. Is establishing privacy and trust important? With these responses, you bet it is.
What to Ask
Determining what kinds of disclosure policies you need to follow is an important task. You should be clear on what you need to provide to your employees, IT consultants, and Web site developers. But what type of controls should you establish to verify that your company's policies handle data privacy issues appropriately?
- Have you defined just how you assure the fair use of information?
- Have you formulated and documented your information-handling policies?
- If you have decided to outsource any processes, do you and your colleagues understand them and their risks thoroughly?
- Are privacy policies in place, and is your company following them? Are people assigned to these tasks? Do their job descriptions confirm that they have these responsibilities?
Third-Party Verification
Your adherence to these privacy controls should be good enough to stand up under the scrutiny of independent third parties. These advisors will verify and certify that you're addressing trust and privacy properly - and that you're doing what you say you're doing.
The Big Five accounting firms have large staffs of people with a combination of technical and business know-how that are skilled at assessing applications and systems. They can advise on and assess your business processes. They can also provide a privacy blueprint for you and help assure that you collect, use, disclose, and secure personally identifiable information according to fair information principles.
Best of all, these specialists can help you safeguard possibly the most precious commodity that you have - the trust and confidence of your customers and business partners.
Brian Tretick is a principal with Ernst & Young LLP and leads the firm's Privacy Assurance and Advisory Services. He has 14 years of experience in technology and management consulting, and specializes in advising clients in the online, financial services, retail, and software industries in the technological, organizational, regulatory, and third-party relationship aspects of data privacy.