The Risky Business of Privacy

By Jeffrey Rothfeder  |  Posted 09-05-2006

The Death of Privacy

In privacy circles, a mostly forgotten incident from the end of the dot-com euphoria aptly illustrates the lack of regard most companies have toward protecting personal data, even if they make a point of promising to do so.

The episode occurred in mid-2000, when Toysmart.com Inc., a Web-based retailer, went out of business. Among the assets the company put on the block during bankruptcy proceedings was one that caught the eye of regulators at the Federal Trade Commission: the names, e-mail and mailing addresses, and shopping histories of 250,000 Toysmart customers. Toysmart was offering these records to the highest bidder, despite an online privacy policy that explicitly stated the company would never share customer data with any third party.

With the Web surging with an enormous amount of commercial activity and sensitive information, the FTC had recently beefed up its Internet consumer-protection efforts. Commission regulators decided that Toysmart's blatant disdain for its own privacy oath was too contemptuous to be ignored. Backed by 44 state attorneys general, the FTC sued to block the Toysmart data auction, arguing that it constituted a "deceptive practice." In early 2001, an agreement was forged under which Toysmart investor the Walt Disney Co. would buy the company's customer data for $50,000 and then promptly destroy it.

"The Toysmart case and others like it—among them Living.com and CraftShop.com—proves what some of us have suspected all along: Many companies don't really believe privacy is something to protect when there's money to be made from confidential data, or when safeguarding sensitive data gets in the way of making money," says Luis Salazar, an attorney in the privacy practice group at Miami-based law firm Greenberg Traurig LLP. Last year, at the request of Senator Patrick Leahy (D–Vt.), Salazar authored a provision for a new bankruptcy law that makes it illegal for insolvent companies to sell personally identifiable information if their privacy policies forbade such activities.

The general unwillingness to do more than the bare minimum to shield consumer privacy extends well beyond companies that are closing up shop. The Canadian Internet Policy and Public Interest Clinic (CIPPIC), at the University of Ottawa, recently conducted an in-depth study of 64 major online sites, including those of Amazon.com Inc., Citigroup Inc., Staples Inc., Best Buy Co. Inc. and eBay Inc. The study found that, in general, an alarming number of Web-based operations are sloppy, if not downright negligent, when it comes to privacy practices. According to the CIPPIC report, released in April, "While almost all companies we assessed had a privacy policy and were thus aware of the need to respect customer privacy, many failed to fulfill even basic statutory requirements such as providing contact information for their privacy officers, clearly stating what they do with consumers' personal information and responding to access-to-information requests."

CIPPIC investigators called customer-service numbers at online retailers and asked if the company had a privacy policy and, if so, who was responsible for it. At 68 percent of companies it took more than five minutes to answer the question, and at 22 percent it took more than ten minutes. Moreover, respondents at 56 percent of the companies contacted by phone could not provide the name of the person in charge of the organization's privacy issues.

These findings, while disturbing, should not be particularly surprising when measured against the number of high- and low-profile data breaches that have occurred in the past two years. The Privacy Rights Clearinghouse, based in San Diego, has been keeping a running total of the leaks of sensitive information, such as Social Security numbers, account numbers, and driver's license numbers, by companies and government agencies since data aggregator ChoicePoint Inc. sold 145,000 consumer files to identity thieves in February 2005. Scores of incidents are chronicled, as many as three dozen a month, some involving global brands such as Toyota Motor Corp., Chevron Corp., Allstate Corp. and Equifax Inc. In all, more than 90 million records containing confidential information about individuals—in large part, consumers, patients and employees—have been stolen from U.S. organizations in the past 18 months.

The pattern that emerges is not pretty. Most companies claim that privacy is a priority—chiefly because they believe consumers are more willing to do repeat business with them if personal information is carefully handled. But in reality, many companies are woefully inept at protecting privacy. Some companies view robust data protection as too expensive to consider seriously, so half-hearted steps are taken instead. Others see the penalty for data breaches and privacy failures as too low to generate much concern. In many instances, management of privacy policies is handed off to chief privacy officers who report to the corporate lawyers, not a C-level executive, and whose main responsibility is to make sure the company's data policies are in line with government regulations and industry benchmarks. In other words, privacy is regarded as a risk that must be mitigated, not a strategic imperative.

"It's only been recently, as privacy breaches occur and make the headlines, that it's becoming obvious to everybody that companies haven't been doing a good enough job," says Alex Fowler, co-leader of the privacy practice at Pricewaterhouse­Coopers. "As time goes by, we'll get an even clearer picture of the data-handling practices of companies. My guess is we're not going to like what we find out."

Story Guide:

  • The Death of Privacy
  • The Risky Business of Privacy
  • Where Privacy Matters
  • Why Privacy Matters
  • Sidebar:Privacy's Preemptive Strike

The Risky Business of Privacy

At its core, protecting privacy is an information management issue. With the cost of computer storage plummeting, companies are maintaining more and more data, for longer periods of time, at rock-bottom prices. Executives are driven by the idea that any morsel of information about customer purchases, browsing habits and preferences could someday be valuable, so they simply can't bring themselves to erase anything. Consequently, personal information and less sensitive details exist side-by-side in the same databases, often accessible by multiple programs throughout the organization, many of which have long been forgotten. Without a complete, up-to-date inventory of what data they possess and how it is being used, which data should be segregated and which can be freely shared, many companies are making privacy breaches a foregone conclusion.

Budgets and leadership also play roles. Technology managers say they are loath to ask for the hundreds of thousands of dollars it would cost to create a blueprint of company data and a system for keeping confidential information from being easily accessed, when management has shown little interest in spending discretionary money on an activity with such limited tangible return.

Encrypting networked information, for example, would "take care of 95 percent of the internal privacy intrusions," says George Toft, a veteran IT manager who has worked at American Express Co., Blue Cross and Blue Shield, the Department of Defense and IBM Corp., and who currently runs My IT Department, a small computer-services firm in Anthem, Ariz. Yet few companies are willing to pay for this safeguard. CIO Insight's own research indicates that only 41 percent of companies surveyed encrypt stored data and documents (data at rest). And only 56 percent encrypt data in flight, that is, during transmission.

Why? The No. 1 issue was the potential for performance degradation; No. 2 was cost. This attitude reflects a serious lack of leadership on the part of executives, notes George Tillmann, former chief information officer at consultants Booz Allen Hamilton. "Companies will not take privacy seriously until management does. So far, most managers prefer to see it as a problem that does not rise to the strategic level," Tillmann says.

Tillmann, who is now retired, argues that CEOs must set stringent corporate information retention policies and processes that "state explicitly what data can be stored, where it can be stored (on PCs, laptops, PDAs, and the like) and how it should be stored (encrypted or not). The policies need to address all types of data—customer, employee and supplier records—not just financial information. They should include guidelines for reducing the amount of information stored by getting rid of it as soon as it is not needed," he adds.

CEOs and other executives may be neglecting privacy safeguards and rigid privacy policies because the cost of failing to protect data is not as high as is commonly believed. It is de rigueur for chief executives to publicly state that protecting customer data is critical, because trust is an essential part of the relationship businesses have with consumers. Yet a closer look at the price of an actual breach reveals that, while not insignificant, it can be relatively minimal. In a recent study of 14 lost-data incidents, encryption company PGP Corp. found that the average opportunity cost of a data breach, measured by the "loss of existing customers and the increased difficulty in recruiting new customers," was about $75 per lost customer record. For typical successful retailers or financial services firms with billions in annual earnings, that represents an acceptable hit to the bottom line.

Moreover, in most cases, companies can easily avoid legal penalties for a data breach. There are nearly three dozen state laws that require companies to notify consumers if their private information has been leaked and a risk of identity theft exists. As long as these notification procedures are followed, companies are free from criminal liability for the leak itself.

"While there's a general sense that it's embarrassing to be involved in a data breach, and it is true that a breach doesn't do anything for your reputation as a trusted business, privacy is a business decision that ultimately comes down to a risk calculation. And many companies believe—wrongfully, from my perspective—that the price of data loss simply isn't high enough," says Gary Lynch, business continuity management practice leader at Marsh Risk Consulting, a division of New York City-based Marsh Inc.

Most executives don't like to think of it this way, but, so far, companies have created strong privacy policies only when forced to by federal legislation with very specific data-protection provisions. For example, the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, and the Gramm-Leach-Bliley Act of 1999 require healthcare providers and financial services firms, respectively, to implement systems to protect the privacy of patient and customer information. Both laws have been criticized for being long on rhetoric and short on rigorous penalties, but few companies are prepared to ignore mandates from Washington, no matter how weak-kneed the law or how expensive it is to implement. Consequently, the privacy policies in the business sectors overseen by HIPAA and Gramm-Leach-Bliley are considerably more enlightened than in other industries.

These laws affect fewer than a quarter of U.S. companies, and as a result, their reach has been limited. Ironically, the European Union's privacy regulations have probably had a much more significant influence on the data-protection policies of a much wider group of U.S. companies.


Where Privacy Matters

The EU's data directive is the most stringent in the world. Passed in 1995, the legislation forbids companies in EU nations from using confidential information, which is quite broadly defined, for secondary purposes without the explicit approval of the consumer. That rule, and other restrictions that give individuals access to the personal data companies hold about them and provide ways to correct errors, go well beyond the privacy protections practiced by almost every U.S. company. Consequently, with the adoption of the EU directive, U.S. companies with European operations and sales activities found themselves in danger of being legislated out of a lucrative market.

In 2000, after months of negotiations, the EU and the U.S. Commerce Department forged a safe-harbor agreement that allows U.S. companies to collect and share data in Europe in the course of doing business, as long as they promise to abide by a slightly watered-down version of the EU's data protection rules. Since then, hundreds of U.S. organizations have signed on to the accord.

Safe-harbor companies are required to follow the EU's austere data protection standards only when dealing with European consumers, or when managing subsidiary or affiliate businesses on the continent. The result: Most U.S. companies now have two sets of privacy rules—one for the European market, and another set of less rigid policies for the U.S. and other nations. However, a few companies were convinced that the EU approach served the consumer's appropriate expectation of privacy quite well. These companies saw safe harbor as an opportunity to create a single, strict data-protection regimen for the entire organization, wherever on the globe it operated.

In 2001, Eli Lilly & Co., the maker of Prozac, made the embarrassing mistake of sending out an e-mail to 600 users of the anti-depressant that contained the e-mail addresses of every recipient. In effect, Lilly had broadcast the names of Prozac patients to perfect strangers around the world. That incident resulted in a deal with the FTC under which Lilly agreed to improve its privacy practices, and coincided with Lilly's signing on to the EU's safe-harbor agreement. With these two activities on the front burner at the company, Lilly management, with the strong urging of Global Privacy Officer Stan Crosley, decided to make data protection a centerpiece of the company's strategic direction.

"Europe was a significant driver on privacy for Lilly," says Crosley. "It showed us that there was a different approach that could have a nice return for the company—not necessarily in dollars and cents, but in the gains a company can get from having good business practices. There is a distrust of large corporations among consumers. But we cannot survive in the pharmaceutical industry as a target of that distrust."

Lilly spent tens of millions of dollars over many months to develop a global data-protection system that contains a series of approval layers for accessing private information. Its information protocols are designed to ensure that the only people permitted to view discrete, confidential data are those who must access it to do their jobs. Furthermore, sensitive information is clearly marked and segregated from less classified data in order to make it difficult to inadvertently leak customer records.
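The need-to-know access model described above, together with the retention rule Tillmann calls for (delete data as soon as it is no longer needed) and the segregation of sensitive from ordinary fields raised under information management, as one added example. This is illustrative code written for this page, not Lilly's system or anything from the original article; the per-field classification map, the three roles and their field lists, the one-year retention period and the two customer records are all hypothetical and constructed for the demo.

```python
"""Added example (not Lilly's code): a minimal record store that enforces
field-level need-to-know access, logs every request, and purges records that
have outlived their retention period.

Assumptions (all hypothetical): a fixed CLASSIFICATION map per field, three
roles with explicit field allow-lists, and a per-record ``collected_on`` date.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Every stored field carries a label; "sensitive" fields are the ones a leak
# would expose. Unlabelled fields are refused at write time (see put()).
CLASSIFICATION = {
    "customer_id": "general",
    "email": "sensitive",
    "mailing_address": "sensitive",
    "purchase_history": "sensitive",
    "newsletter_opt_in": "general",
}

# Need-to-know: each role lists only the fields its job actually requires.
# Anything not listed is denied, whatever its classification.
ROLE_FIELDS = {
    "marketing_analyst": {"customer_id", "newsletter_opt_in"},
    "fulfillment_clerk": {"customer_id", "mailing_address"},
    "support_agent": {"customer_id", "email", "purchase_history"},
}

RETENTION = timedelta(days=365)  # hypothetical: keep records one year at most


@dataclass
class Record:
    data: dict
    collected_on: date


class PrivacyStore:
    def __init__(self) -> None:
        self._records: dict[str, Record] = {}
        # (role, customer_id, requested fields, denied fields); denials are
        # logged too, so an analyst can see who keeps asking for what.
        self.audit_log: list[tuple] = []

    def put(self, rec: Record) -> None:
        unknown = set(rec.data) - set(CLASSIFICATION)
        if unknown:
            raise ValueError(f"unclassified fields: {sorted(unknown)}")
        self._records[rec.data["customer_id"]] = rec

    def read(self, role: str, customer_id: str, fields: set[str]) -> dict:
        allowed = ROLE_FIELDS.get(role, set())
        denied = fields - allowed
        self.audit_log.append((role, customer_id, sorted(fields), sorted(denied)))
        if denied:
            # Fail the whole request rather than silently returning a subset.
            raise PermissionError(f"{role} may not read {sorted(denied)}")
        rec = self._records[customer_id]
        return {f: rec.data[f] for f in fields}

    def purge_expired(self, today: date) -> list[str]:
        """Delete records older than RETENTION; return the purged ids."""
        expired = [cid for cid, r in self._records.items()
                   if today - r.collected_on > RETENTION]
        for cid in expired:
            del self._records[cid]
        return expired

    def count(self) -> int:
        return len(self._records)


def demo(today: date = date(2006, 9, 5)) -> dict:
    """Run the three checks on two constructed records and report the results."""
    store = PrivacyStore()
    store.put(Record({"customer_id": "c1", "email": "a@example.com",
                      "mailing_address": "1 Main St", "purchase_history": ["toy-1"],
                      "newsletter_opt_in": True}, date(2006, 8, 1)))
    store.put(Record({"customer_id": "c2", "email": "b@example.com",
                      "mailing_address": "2 Oak Ave", "purchase_history": [],
                      "newsletter_opt_in": False}, date(2005, 6, 1)))
    ok = store.read("fulfillment_clerk", "c1", {"customer_id", "mailing_address"})
    try:
        store.read("marketing_analyst", "c1", {"email"})
        denied = False
    except PermissionError:
        denied = True
    purged = store.purge_expired(today)
    return {"ok": ok, "denied": denied, "purged": purged,
            "remaining": store.count(), "audit_entries": len(store.audit_log)}


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. A request that asks for even one field outside the role's allow-list fails entirely instead of returning the permitted subset, so a misconfigured report cannot quietly grow into a leak; and the audit log records denials as well as successes, which is the evidence an investigator needs after the fact. Retention is enforced by deleting the record, not by flagging it, which is the only way the data stops being available to the forgotten programs the article describes.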

"Information is valuable to us, and we realized that we would only be able to continue to collect it if we convinced consumers that we appreciated that things of value should be protected," Crosley adds.


Why Privacy Matters

Stories like Lilly's—particularly the role that the EU directive played in the company's conversion to a pro-privacy stance—bolster the notion that U.S. companies won't install comprehensive data-protection systems until government legislation forces them to. About a dozen bills have been introduced in the current Congress that tackle various aspects of data protection. The most expansive legislation is the Personal Data Privacy and Security Act, co-sponsored by Senator Arlen Specter (R–Pa.), chairman of the Judiciary Committee, and Senator Leahy, the committee's ranking member. Their proposal would require most companies with at least 10,000 digital files on individuals to adopt data-privacy procedures that protect against unauthorized access and use of personally identifiable information. Violators face fines and prosecution.

When it was introduced in mid-2005, the bipartisan legislation was expected to pass easily before the end of the year. But revelations about warrantless wiretapping of domestic phone calls by the National Security Agency and other terrorism-related law enforcement activities have preoccupied the committee since then, and the Specter-Leahy bill has yet to reach the Senate floor. None of the other data-privacy proposals has been voted on, in either house of Congress. Frustrated by the lack of action, Senator Leahy says that it signifies a general disinclination among lawmakers to tackle privacy problems. "The longer there is erosion of Americans' privacy rights, the more difficult it becomes to do something about it," says Leahy. "This Congress has not made a priority of privacy protection. I hope the next Congress will."

That can't come a moment too soon, says PwC's Fowler. As companies grapple with basic data-privacy concerns that should probably have been dealt with a decade ago, the issue is fast gaining in complexity. "Our notion of identity is going to change a lot in the new millennium. We're just scratching the surface now," Fowler says. "Which aspects of our data identity must be protected at all costs, which aspects of it are the most sensitive, is just beginning to come into shape even as the amount of data about us continues to expand. We need to step back and understand the dynamics of identity, and how it is shifting and putting pressure on businesses, government, regulators and policy makers from a social, political and cultural perspective. That is a discussion we are not having."

Be sure to read the sidebar: Privacy's Preemptive Strike