Corporate Board Member Magazine NYSE Euronext

Make Privacy Your Competitive Edge

from Winter 2000

Some 4,000 privacy protection bills appeared on the floors of various state houses this year; about 350 passed, a clear indicator that privacy is an issue that isn’t about to go away. David Aaron, U.S. undersecretary of commerce for international trade until earlier this year and now senior international adviser at Dorsey & Whitney, a Washington, D.C. law firm, predicts that in 2001, Congress will pass tough new privacy legislation that will affect the way most companies do business. “Mark my words, there’s a big federal bill coming,” he says.
Over oatmeal and coffee with Corporate Board Member’s Joshua Green, Aaron discussed how directors can help their companies avoid the pitfalls of such new laws—and craft the smart privacy policies that he believes will be competitive assets.

Do corporations worry enough about privacy?
No. Americans used to worry about government intruding into their privacy, but they’re now becoming much more concerned about what corporations are up to and how safe their credit card numbers and other data really are. That fear cost businesses $16 billion in lost online sales last year, and the number is going up. The American business community is just waking up to the broad implications of this. 

Will the new laws hamstring business?
Maybe not. The tough new federal laws about privacy that most people think we’ll see next year could actually clear up some confusion. In fact, companies that ordinarily wouldn’t be enthusiastic about federal legislation are coming to see that a federal standard would be preferable to complying with 50 different state laws.

Should companies be cheering on the feds?
They don’t have to go that far. But they do need to consider the other side of the issue, namely, if you as a company fight privacy protection, and look as if you’re fighting it, that conveys a very bad image to your customers.

What privacy laws are already on the books that could bite corporations?
There are five major areas that boards and top management need to be aware of. What puts companies at risk is that the new consumer protection laws have such broad jurisdiction. Companies subject to these laws may not even be aware of it.

The first is the Financial Modernization Act. Because the law expanded the definition of a “financial institution,” a company now can be considered one and not realize it. Even traditional financial institutions that were never covered by privacy laws in the past suddenly have to comply with them. For example, information that commonly appears at the top of a credit report—a person’s name, address, birth date, and social security number—is now considered “financial information” by the FTC. 

The second area of risk is new medical privacy rules, which the Department of Health and Human Services is expected to finalize soon. Again, “medical privacy” has expanded beyond the usual suspects—health plans, insurers, and medical institutions—and now includes a company’s business affiliates and partners, such as drug makers or marketing companies that would have a business interest in obtaining personal medical information. So here again, privacy laws are going to spread quite broadly across all kinds of industries.

The third thing to worry about is the Children’s Online Protection Act, which also has broader applications than many people realize. Even if you don’t intend to collect children’s information on the Net, your company will come under the rules if it inadvertently collects that information. 

Fourth, you have the recent Safe Harbor privacy accord between the U.S. and the EU. It provides a template for multinationals, Internet service providers, nonprofit institutions, hospitals, and universities that move data between North America and Europe and want to obey Europe’s strict privacy laws. It could well be the precursor for more stringent rules within the U.S. 

Finally, the more traditional telecommunications laws are increasingly complicated. For example, laws designed to prevent people from listening in on other people’s phone conversations get more problematic, because people communicate via a blend of options like the Internet, e-mail, and voice mail. There are a lot of new areas, and they’re coming all at once.

So far we’ve focused on online business-to-consumer privacy for individual consumers. What about threats to the privacy of business-to-business transactions over the Net?
Privacy comes up much more often in B2C than B2B. But in many cases they’re intertwined. An example would be when a company transmits a customer’s personal information, her credit card number, say, or medical information, to another company that fulfills an order. The one thing companies should do if they are passing along personally identifiable information is to make sure that the privacy standards of their business counterparts meet their own. If they don’t, you can wind up in the same hot water as you would if your own company were negligent in protecting that data.

What’s the worst that can happen to a corporation that isn’t vigilant about protecting customer privacy on the Net?
You don’t have to look any farther than DoubleClick. When it began compiling consumer profiles that linked individuals with their online purchases, it committed a cardinal sin by not recognizing the importance of consumer privacy. Customers were furious and the FTC launched an inquiry. DoubleClick stock went into free fall, and in the end the CEO and founder had to resign.

What questions should board members be asking management to make sure they are not asleep at the switch on privacy?
First of all, they should ask management: Do you have a privacy policy? What does it say? And does it really relate to the business model and the technology the company uses?
For big companies, this is a very complicated question. Different parts of the organization might have different business models, each with their own technologies for handling and exploiting personal information. In crafting your privacy policy, you really have to drill down deep to know what’s important to the business and how to protect it. 

And is this happening?
What I’ve found in a startling number of businesses is that they’ve just gone off and Xeroxed somebody else’s privacy policy instead of crafting their own. 

And the danger of doing that…
…is that they’ll get sued. Liability is the number-one issue companies face when they come up short on privacy. Many just don’t recognize that yet. 

How do you build a first-class privacy policy that will make you proud and keep you profitable—and out of court?
A sound privacy policy needs to encompass a full appreciation of the law or the industry-regulated rules that affect how the company actually operates, how it collects information, what it does with the information, and why it needs to do that. 

The next thing that a company needs to do is let its customers know exactly what its privacy policy is. That’s not the same as setting out a privacy policy in a lot of small print. It’s a very specific communication, addressed to the individual customer, that spells out what your policy is in such a way that the customer, whether it’s a company or an individual, is reassured.

A company also needs a compliance program. It’s not good enough to just say you’re going to protect privacy. You’ve got to have a real program that your employees follow to make sure privacy is indeed protected. And you have to have in-house systems to keep them under some kind of supervision or audit. It’s no different from setting up ways to protect your company against fraud and white-collar crime. 

Who should supervise all of this?
The one thing I can’t stress enough is the need to get your corporate counsel, your information technology people, and the folks in marketing to sit down and go through the privacy policy together.

How are the smartest companies approaching this challenge?
They’re taking a proactive approach and turning their privacy policy into a competitive advantage. I think we’re soon going to see more companies follow the lead of American Express, which has done exactly that. After several years of anxiety about how privacy might constrain it, the company is now taking the other tack and offering privacy as an important service to its customers. For example, cardholders don’t have to reveal their card number for online shopping; American Express will give them a disposable one to use instead. The company plans to unveil technology that will allow cardholders to determine how much information they release about themselves while surfing on the Internet. 

Courts can now authorize the FBI to use its Carnivore system to tap the e-mail of suspected criminals and to look at internal corporate communications, such as brokerage accounts. Some of the Internet service providers are really upset. Is government cyber-tapping a danger to privacy?
I think the threat of Carnivore has been exaggerated. It might make for a good James Bond plot, but a company is far more likely to be hurt by failure to comply with the many new privacy laws than by government snooping.

What’s your best advice to board members?
The e-commerce market will punish companies that don’t care about privacy, while rewarding those who do. If the success of a business is privacy-sensitive—and more and more businesses are—I think board members need to make sure the company is positioning itself to make privacy a virtue. In other words, what companies are selling is not just their product but also the service of protecting the privacy of people who buy it.