In privacy circles, a mostly forgotten incident from the end of the dot-com euphoria aptly illustrates the lack of regard most companies have toward protecting personal data, even if they make a point of promising to do so.
The episode occurred in mid-2000, when Toysmart.com Inc., a Web-based retailer, went out of business. Among the assets the company put on the block during bankruptcy proceedings was one that caught the eye of regulators at the Federal Trade Commission: the names, e-mail and mailing addresses, and shopping histories of 250,000 Toysmart customers. Toysmart was offering these records to the highest bidder, despite an online privacy policy that explicitly stated the company would never share customer data with any third party.
With an enormous amount of commercial activity and sensitive information now flowing across the Web, the FTC had recently beefed up its Internet consumer-protection efforts. Commission regulators decided that Toysmart’s blatant disregard for its own privacy pledge was too flagrant to be ignored. Backed by 44 state attorneys general, the FTC sued to block the Toysmart data auction, arguing that it constituted a “deceptive practice.” In early 2001, an agreement was forged under which Toysmart investor the Walt Disney Co. would buy the company’s customer data for $50,000 and then promptly destroy it.
“The Toysmart case and others like it—among them Living.com and CraftShop.com—prove what some of us have suspected all along: Many companies don’t really believe privacy is something to protect when there’s money to be made from confidential data, or when safeguarding sensitive data gets in the way of making money,” says Luis Salazar, an attorney in the privacy practice group at Miami-based law firm Greenberg Traurig LLP. Last year, at the request of Senator Patrick Leahy (D-Vt.), Salazar authored a provision for a new bankruptcy law that makes it illegal for insolvent companies to sell personally identifiable information if their privacy policies forbade such activities.
The general reluctance to do more than the bare minimum to shield consumer privacy extends well beyond companies that are closing up shop. The Canadian Internet Policy and Public Interest Clinic (CIPPIC), at the University of Ottawa, recently conducted an in-depth study of 64 major online sites, including those of Amazon.com Inc., Citigroup Inc., Staples Inc., Best Buy Co. Inc. and eBay Inc. The study found that, in general, an alarming number of Web-based operations are sloppy, if not downright negligent, when it comes to privacy practices. According to the CIPPIC report, released in April, “While almost all companies we assessed had a privacy policy and were thus aware of the need to respect customer privacy, many failed to fulfill even basic statutory requirements such as providing contact information for their privacy officers, clearly stating what they do with consumers’ personal information and responding to access-to-information requests.”
CIPPIC investigators called customer-service numbers at online retailers and asked if the company had a privacy policy and, if so, who was responsible for it. At 68 percent of companies it took more than five minutes to answer the question, and at 22 percent it took more than ten minutes. Moreover, respondents at 56 percent of the companies contacted by phone could not provide the name of the person in charge of the organization’s privacy issues.
These findings, while disturbing, should not be particularly surprising when measured against the number of high- and low-profile data breaches that have occurred in the past two years. The Privacy Rights Clearinghouse, based in San Diego, has been keeping a running total of the leaks of sensitive information, such as Social Security numbers, account numbers, and driver’s license numbers, by companies and government agencies since data aggregator ChoicePoint Inc. sold 145,000 consumer files to identity thieves in February 2005. Scores of incidents are chronicled, as many as three dozen a month, some involving global brands such as Toyota Motor Corp., Chevron Corp., Allstate Corp. and Equifax Inc. In all, more than 90 million records containing confidential information about individuals—in large part, consumers, patients and employees—have been stolen from U.S. organizations in the past 18 months.
The pattern that emerges is not pretty. Most companies claim that privacy is a priority—chiefly because they believe consumers are more willing to do repeat business with them if personal information is carefully handled. But in reality, many companies are woefully inept at protecting privacy. Some companies view robust data protection as too expensive to consider seriously, so half-hearted steps are taken instead. Others see the penalty for data breaches and privacy failures as too low to generate much concern. In many instances, management of privacy policies is handed off to chief privacy officers who report to the corporate lawyers, not a C-level executive, and whose main responsibility is to make sure the company’s data policies are in line with government regulations and industry benchmarks. In other words, privacy is regarded as a risk that must be mitigated, not a strategic imperative.
“It’s only been recently, as privacy breaches occur and make the headlines, that it’s becoming obvious to everybody that companies haven’t been doing a good enough job,” says Alex Fowler, co-leader of the privacy practice at PricewaterhouseCoopers. “As time goes by, we’ll get an even clearer picture of the data-handling practices of companies. My guess is we’re not going to like what we find out.”