The Death of Privacy - The Risky Business of Privacy (Page 2 of 4)
At its core, protecting privacy is an information management issue. With the cost of computer storage plummeting, companies are maintaining more and more data, for longer periods of time, at rock-bottom prices. Executives are driven by the idea that any morsel of information about customer purchases, browsing habits and preferences could someday be valuable, so they simply can't bring themselves to erase anything. Consequently, personal information and less sensitive details exist side-by-side in the same databases, often accessible by multiple programs throughout the organization, many of which have long been forgotten. Without a complete, up-to-date inventory of what data they possess and how it is being used, which data should be segregated and which can be freely shared, many companies are making privacy breaches a foregone conclusion.
Budgets and leadership also play roles. Technology managers say they are loath to ask for the hundreds of thousands of dollars it would cost to create a blueprint of company data and a system for keeping confidential information from being easily accessed, when management has shown little interest in spending discretionary money on an activity with such limited tangible return.
Encrypting networked information, for example, would "take care of 95 percent of the internal privacy intrusions," says George Toft, a veteran IT manager who has worked at American Express Co., Blue Cross and Blue Shield, the Department of Defense and IBM Corp., and who currently runs My IT Department, a small computer-services firm in Anthem, Az. Yet few companies are willing to pay for this safeguard. CIO Insight's own research indicates that only 41 percent of companies surveyed encrypt stored data and documents. And only 56 percent encrypt data in flight, or during transmission.
Why? The No. 1 issue was the potential for performance degradation; No. 2 was cost. This attitude reflects a serious lack of leadership on the part of executives, notes George Tillmann, former chief information officer at consultants Booz Allen Hamilton. "Companies will not take privacy seriously until management does. So far, most managers prefer to see it as a problem that does not rise to the strategic level," Tillmann says.
Tillmann, who is now retired, argues that CEOs must set stringent corporate information retention policies and processes that "state explicitly what data can be stored, where it can be stored (on PCs, laptops, PDAs, and the like) and how it should be stored (encrypted or not). The policies need to address all types of data (customer, employee and supplier records), not just financial information. They should include guidelines for reducing the amount of information stored by getting rid of it as soon as it is not needed," he adds.
CEOs and other executives may be neglecting privacy safeguards and rigid privacy policies because the cost of failing to protect data is not as high as is commonly believed. It is de rigueur for chief executives to publicly state that protecting customer data is critical, because trust is an essential part of the relationship businesses have with consumers. Yet a closer look at the price of an actual breach reveals that, while not insignificant, it can be relatively minimal. In a recent study of 14 lost-data incidents, encryption company PGP Corp. found that the average opportunity cost of a data breach, measured by the "loss of existing customers and the increased difficulty in recruiting new customers" was about $75 per lost customer record. For typical successful retailers or financial services firms with billions in annual earnings, that represents an acceptable hit to the bottom line.
Moreover, in most cases, companies can easily avoid legal penalties for a data breach. There are nearly three dozen state laws that require companies to notify consumers if their private information has been leaked and a risk of identity theft exists. As long as these procedures are followed, companies are free from criminal liability for the leak itself.
"While there's a general sense that it's embarrassing to be involved in a data breach, and it is true that a breach doesn't do anything for your reputation as a trusted business, privacy is a business decision that ultimately comes down to a risk calculation. And many companies believe (wrongfully, from my perspective) that the price of data loss simply isn't high enough," says Gary Lynch, business continuity management practice leader at Marsh Risk Consulting, a division of New York City-based Marsh Inc.
Most executives don't like to think of it this way, but, so far, companies have created strong privacy policies only when forced to by federal legislation with very specific data-protection provisions. For example, the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, and the Gramm-Leach-Bliley Act of 1999, require healthcare providers and financial services firms, respectively, to implement systems to protect the privacy of patient and customer information. Both bills have been criticized for being long on rhetoric and short on rigorous penalties, but few companies are prepared to ignore mandates from Washington, no matter how weak-kneed the law or how expensive it is to implement. Consequently, the privacy policies in the business sectors overseen by HIPAA and Gramm-Leach-Bliley are considerably more enlightened than in other industries.
These laws affect fewer than a quarter of U.S. companies, and as a result, their reach has been limited. Ironically, the European Union's privacy regulations have probably had a much more significant influence on the data-protection policies of a much wider group of U.S. companies.