Risk & Compliance

A Little Privacy, Please

Under the threat of government intervention, companies strive to make privacy on the Internet a reality.
Joseph McCafferty, May 1, 2000

Like all revolutions, the Internet revolution has a dark side. Along with online shopping and stock trading with the click of a mouse, the Web has brought an invasion of its users’ privacy that only Big Brother could love.

And no longer is the threat a futuristic one. DoubleClick, an Internet advertising network based in New York, has compiled 100 terabytes of data on more than 100 million Web users’ habits. In February, the company announced that it was backing away from plans to link personal identities and other information gathered from the offline world to databases containing Web-browsing habits. DoubleClick shelved the idea only after a public scolding by privacy advocates, a probe by the Federal Trade Commission (FTC), and a lawsuit by the state of Michigan.

Indeed, privacy is quickly becoming a subject of debate for just about every company with a Web site. And the battle is just beginning. New data-gathering technologies and more-aggressive companies continue to push the limits of privacy on the Net. While E-commerce increases the ability to target specific customers, the mountain of data Internet sites collect could also be valuable to employers, insurance companies, and nosy neighbors.

At stake, of course, is consumer trust. Large E-commerce companies such as Amazon.com and Ebay Inc. fear that a few highly publicized breaches of online privacy could scare away customers. But even more than that, Internet companies fear that if they cannot impose self-regulation, the government is likely to step in. “Government intervention is the last thing business wants,” says Russ Bodoff, senior vice president of BBB Online, a privacy auditor based in Arlington, Virginia. “Restrictive legislation could retard the development of technology and slow the growth of electronic commerce.”

Little wonder that last March, at a financial summit at Boston College, IBM Corp. CEO Louis Gerstner called on every executive in the country to personally “inspect his or her company’s privacy policies [to] find out where they stand, and get on with it.” So far, said Gerstner, “our partners in government have been very patient on this one.”

Maintaining that patience, however, demands finance’s attention, says Frank Siskowski, CFO of E-Loan, an online provider of consumer loans, based in Dublin, California. “I see privacy as an integral piece of the fabric of our internal controls,” he says. “All CFOs have to be involved.” C. Andrew Johns, CFO of 24/7 Media Inc., an interactive media and technology firm based in New York, agrees. “It’s the CFO’s role to make sure that all the company’s practices stand up to public scrutiny. Ensuring good privacy practices is certainly a key part of that,” he says.

Privacy Disasters

There’s been plenty of scrutiny lately in the wake of a number of privacy missteps, both on the Internet and off.

In January, ZapMe Corp., a San Ramon, California-based firm that provides free Internet access and equipment to schools in exchange for providing advertising to students, was accused of helping advertisers collect the names and addresses of minors for marketing purposes without parental consent.

Last May, Liberty Financial Cos. was forced to settle a complaint from the FTC that it was inappropriately collecting personal information from children and teens on its Young Investor Web site. The company was accused of hoarding personal information, such as weekly allowance, spending habits, and college plans, along with names and addresses, after promising anonymity.

Last June, General Electric Co.’s GE Investments unit was forced to stop using tracking codes on envelopes that identified survey respondents without their knowledge. A Washington Post article cited a letter in which a GE Investments official praised a printing company for the “discreet” way respondents were identified.

According to some observers, the worst is yet to come. Robert Ellis Smith, publisher of Privacy Journal, a monthly newsletter on computer privacy, located in Providence, warns that many companies are at risk for a “privacy disaster.” He says there is a good chance that companies could experience the equivalent of an “oil spill” of sensitive consumer information. “There have been plenty of instances where hundreds of credit card numbers got posted on the Web,” he says. To Smith, the potential danger amounts to a risk-management issue. “Companies need to measure the probability that there will be a breach compared with the costs of fixing it, and make the right decisions,” he says.

Lost Chance?
While it is hard to determine if such breaches have affected customer loyalty, it’s clear that the government is watching. In fact, last month President Clinton warned Silicon Valley executives that the failure to protect consumer privacy could limit the Internet’s potential growth. He also hinted at government intervention if businesses don’t take stronger measures. “This is a big deal. Do you have privacy practices you’re proud of?” he asked.

To many, the question is not if the government will regulate privacy online, but when, and how much. “Online marketers’ hopes of avoiding government regulation have been dashed,” warns Jim Nail, a senior analyst with Forrester Research Inc., in Cambridge, Massachusetts. “Waves of legal action and negative publicity have ruined the chance to self-regulate,” he asserts.

Already, several bills have been introduced in Congress. One, from Sen. Robert Torricelli (D-N.J.), would ban the use without consumer permission of “cookies,” the small text records that Web sites store on their visitors’ computers and read back on later visits to track Web activity. Others have proposed legal protection for certain types of information, such as medical and financial data.
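The tracking the article keeps returning to, from DoubleClick’s profiles to the cookie bills, rests on one mechanism: an ad network whose banner appears on many sites sets a cookie on its own domain and reads it back on every site that carries its ads. The following is an added illustration, not code from the article or from any company named in it. It simulates that exchange in plain Python with invented domains (ads.example, news.example, shop.example) and a made-up browser model, and contrasts it with a browser that refuses third-party cookies; the publishers’ own “no cookies” policies are a separate matter and are not modeled here.

```python
"""Added example: how an ad network's third-party cookie links one visitor's
page views across unrelated sites. All domains and ids below are invented;
nothing here touches the network."""
import secrets
from http.cookies import SimpleCookie

AD_DOMAIN = "ads.example"                      # hypothetical ad network
PUBLISHERS = ["news.example", "shop.example"]  # hypothetical sites carrying its ads


class AdServer:
    """Assigns each new browser an id in a cookie and logs where it sees it."""

    def __init__(self):
        self.profiles = {}  # tracking id -> ordered list of referring sites

    def serve_ad(self, cookie_header, referer):
        """Handle one ad request. Returns (response headers, tracking id)."""
        jar = SimpleCookie()
        if cookie_header:
            jar.load(cookie_header)          # e.g. "uid=3f9a..."
        headers = {}
        if "uid" in jar:
            uid = jar["uid"].value           # returning browser: read the id back
        else:
            uid = secrets.token_hex(8)       # first contact: mint an id
            c = SimpleCookie()
            c["uid"] = uid
            c["uid"]["domain"] = AD_DOMAIN
            c["uid"]["max-age"] = 365 * 24 * 3600  # persist for a year
            headers["Set-Cookie"] = c["uid"].OutputString()
        self.profiles.setdefault(uid, []).append(referer)
        return headers, uid


class Browser:
    """Minimal cookie jar keyed by the domain that set each cookie.

    With block_third_party=True, a request to a domain other than the page
    being viewed is sent without cookies and any Set-Cookie it returns is
    discarded, which is how a browser refuses third-party cookies.
    """

    def __init__(self, block_third_party=False):
        self.jar = {}  # domain -> {name: value}
        self.block_third_party = block_third_party

    def _cookie_header(self, domain):
        return "; ".join(f"{k}={v}" for k, v in self.jar.get(domain, {}).items())

    def _store(self, domain, set_cookie):
        c = SimpleCookie()
        c.load(set_cookie)
        for name, morsel in c.items():
            # honour the Domain attribute; a real browser also checks that it
            # matches the responding host, which holds trivially here
            self.jar.setdefault(morsel["domain"] or domain, {})[name] = morsel.value

    def visit(self, site, ad_server):
        """Load a page on `site`; the page embeds an ad fetched from AD_DOMAIN."""
        third_party = AD_DOMAIN != site
        refuse = third_party and self.block_third_party
        cookies = "" if refuse else self._cookie_header(AD_DOMAIN)
        headers, uid = ad_server.serve_ad(cookies, referer=site)
        if "Set-Cookie" in headers and not refuse:
            self._store(AD_DOMAIN, headers["Set-Cookie"])
        return uid


def simulate(block_third_party=False):
    """One browser visits every publisher once; return the ad server's profiles."""
    ads, browser = AdServer(), Browser(block_third_party)
    for site in PUBLISHERS:
        browser.visit(site, ads)
    return ads.profiles


if __name__ == "__main__":
    print("cookies accepted:", simulate(False))       # one id, seen on both sites
    print("third-party refused:", simulate(True))     # a fresh id per visit
```

With cookies accepted, the ad server ends up with a single id whose profile lists both publishers, which is exactly the cross-site dossier the article describes; with third-party cookies refused, each visit looks like a new visitor and no profile spans more than one site.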

Still, companies are holding out hope that they can stave off government regulation. To date, several industry efforts are under way to develop privacy guidelines. Last November, for example, the Network Advertising Initiative was formed to focus on consumer privacy. And in April, a group of 26 companies, including DoubleClick, American Airlines, and PricewaterhouseCoopers, launched the Personalization Consortium to develop guidelines for using personal information.

Some finance executives, however, believe that what is needed is consistency. “We as an industry need to demonstrate to the consumer, as well as to the FTC, that we can be responsible,” says 24/7’s Johns, who calls for industry leaders to come up with a set of consistent and acceptable industry standards.

Johns could use the guidance. 24/7 recently backed away from plans to marry online and offline databases after competitor DoubleClick’s missteps. The company is now taking a higher road on the privacy issue. “[Practices] need to stand up to the white glove of public scrutiny,” says Johns. “With all the creative ways to gather information, there is the temptation to take that additional step; to say, ‘No one will catch me.’ But that’s not going to work [anymore].”

Empty Promises?
The wait for standardized guidelines may soon be over. The FTC’s Federal Advisory Committee on Online Access and Security, which includes industry representatives as well as privacy advocates, is set to release a report on online access and security issues on May 15. And Larry Ponemon, a partner with PricewaterhouseCoopers who sits on the FTC committee, says he “would be surprised if we didn’t see a convergence on this issue within the year.”

In the meantime, companies have been rapidly adopting their own privacy policies to demonstrate their eagerness to self-regulate. A recent survey conducted by the McDonough School of Business at Georgetown University and commissioned by the FTC, in fact, found that 94 percent of Web sites now post some type of privacy statement on how the information they gather is used, up from 71 percent last year.

But critics warn that posting a privacy statement on the Web is not enough to fend off government regulation. “Most companies are at the baby stage of privacy practices,” argues Smith. “They post privacy statements [on their Web sites] willy-nilly instead of implementing a real privacy policy. There is a big difference.” In fact, a study earlier this year by the California HealthCare Foundation found that 16 of 19 major health-related Web sites violated their own privacy policies and allowed confidential medical data to be passed on to advertisers.

Some companies are now conducting internal and third-party privacy audits to make sure they live up to their own standards. E-Loan, for example, hired PricewaterhouseCoopers to conduct a quarterly privacy audit. “We told them we wanted to be bulletproof,” says CFO Siskowski. The accounting firm conducts interviews with employees who handle customer information, studies the flow and security of sensitive data, and conducts tests of E-Loan’s systems by posing as online customers.

In addition, E-Loan conducts privacy training for all employees and asks that they sign a privacy pledge when they are hired. The company also created a position to oversee all of E-Loan’s privacy practices. E-Loan even extends its stringent privacy practices to its partnerships. Partnership agreements contain a clause that requires their privacy policies to live up to E-Loan’s standards.

The reason E-Loan spends so much time on privacy is because gaining customer trust is an important part of its business plan. The company is trying to bring online a transaction that has traditionally been done face-to-face and with a handshake. “We collect a lot of sensitive information,” says Siskowski. “Our customers have to feel comfortable that it is secure.” In fact, E-Loan took a step hardly any Internet company has followed when it adopted a “no cookies” policy. “We consider our strong stance on privacy to be a competitive advantage,” adds Siskowski. “There is a cost associated with it, but the cost of misusing sensitive information is even greater in the long term.”

Indeed it is. Privacy has become one of the biggest concerns of Internet users. But that won’t stop some companies from pushing the envelope on the issue. “The Internet is a very young industry that is concerned about bottom-line growth,” says Andrew Shen, policy analyst at the Electronic Privacy Information Center, a watchdog group in Washington, D.C. “The right to privacy needs to be backed up by an independent enforcement agency.”

If Congress has its way, and it looks like it will, that will happen sooner rather than later. And as more high-profile privacy breaches occur, and consumers start to shy away from conducting transactions online, Internet companies may start to beg for it.

Isn’t It Ironic?

Government agencies may be threatening to regulate the Internet to combat privacy violations. But at least one is having its own practices scrutinized.

In March, the Securities and Exchange Commission announced plans to create an automated surveillance system to search the Internet for violations of securities law. The system would scan Web sites, message boards, and other public sites for suspicious phrases and activities that would then be analyzed for possible legal actions.

The move was criticized by at least one vendor bidding on the project, however, as having the potential to violate users’ privacy. PricewaterhouseCoopers announced it wouldn’t participate, says Larry Ponemon, a partner and global leader of compliance risk management at the accounting firm, because the system could potentially “push the legal and ethical envelope.”

SEC chairman Arthur Levitt noted in a statement, however, that “the SEC has never had any intention of intercepting or monitoring public transmissions, including conversations taking place in chat rooms or on E-mail, in the pursuit of Internet fraud.” Instead, SEC spokesman John Heine points out that the system simply will automate “what the commission currently does manually.”

All Eyes On Privacy

What makes a good Web site policy?

  • The existence of all data systems with personal information in them should be publicly disclosed, and the purpose for which information is gathered should be disclosed. This is the principle of openness or transparency.
  • There must be a mechanism for an individual to find out what information about him or her is in a record and how it is used.
  • There must be a mechanism for an individual to prevent information about him or her that was obtained for one purpose from being used or made available for another purpose, without consent. This is the principle of secondary use.
  • There must be a way for an individual to correct a record that is inaccurate.
  • The organization creating, maintaining, using, or disseminating records of personal data must assure the reliability, accuracy, security, and timeliness of the data.
  • An organization must make sure that other entities handling personal information on behalf of the first organization are bound by these same principles.
  • An organization must conduct periodic risk assessments, balancing the possibility or probability of unauthorized access or disclosure against the cost of security precautions and the expected effectiveness of the precautions.
  • Organizations must take special precautions in collecting and using personal information about children.
  • An organization should designate an individual or office to handle privacy issues by assessing the privacy impact of new undertakings, assuring that the organization complies with all laws and trade-association standards; and informing the organization of the latest technology and policies that affect the privacy of customers or employees.
  • An organization should conduct periodic training of its employees to assure that they know applicable laws on confidentiality that govern the organization, and the organization’s policies and actual practices.

Source: Privacy Journal
