Risk Management

Privacy Risks Threaten Bottom Lines

Why CFOs should worry about their companies' Internet privacy policies.
David Katz, February 22, 2001

Unlike most everyone else, it seems, I don’t care much about privacy.

If a marketing firm sends my name to a bunch of telemarketers, I don’t whine—except when the telemarketer calls at dinner time.

If my medical records go straight to my health insurance company, that’s the consequence of the employee benefit plan I’m happy to have.

And if a bank suddenly wants to sell me a life insurance policy because it’s just gotten my name from a recently acquired insurance agency, it can be my guest.

But my lack of concern seems to be a minority attitude, at least if one takes as proof all the state and federal privacy bills that have been introduced, the laws passed, the lawsuits filed, and the probes made by regulatory agencies.

For example, in one high-profile investigation, the Federal Trade Commission looked into charges that DoubleClick, the online ad agency, would violate consumer privacy if it merged anonymous user names with data from Abacus Direct, a company it had acquired. A year ago, when news broke that the FTC had launched its probe, DoubleClick’s share price tumbled more than 20 percent in a week. With the tech stock bear market showing no signs of letting up, the stock continued its long downward slide. Wednesday, it closed at $12.13.

While the FTC recently dropped its investigation, and DoubleClick reportedly dropped its plan to merge the data, the company’s image suffered a bad wound. And its legal problems are far from over.

Besides regulatory actions like the FTC’s against DoubleClick, 38 class-action lawsuits have been filed against organizations that have allegedly violated their own Internet-privacy policies, says Alan F. Westin, president of Privacy and American Business, a non-profit, Hackensack, New Jersey-based think tank. The plaintiffs generally accuse the organizations of breaking promises made to consumers about how personal information would be used.

The potential for big legal costs stemming from alleged privacy violations is a risk that corporations can’t afford to ignore. Add to that the possibility that privacy missteps will damage a company’s goodwill, and you have an issue CFOs would do well to look at closely.

At the moment, however, Internet privacy concerns are fast becoming the bailiwick of a new, flavor-of-the-month corporate executive: the chief privacy officer, or CPO.

Westin, a professor emeritus at Columbia University and a widely quoted legal expert on privacy, says there are at least 100 CPOs in place today. Spurred by new privacy rules in health care and financial services, the number will jump to 500 to 1000, he predicts. (In 2000, Westin’s organization launched a training and certification program for CPOs.)

Westin tells CFO.com he doesn’t think that “every CFO has a role to play” in the actual management of a corporation’s privacy procedures. “The CPOs are the ones who are going to be responsible for privacy and [confidentiality] policy.”

Instead, he sees the CFO as “a significant participant in…multifunction decision-making” on privacy issues. In other words, the CFO should be a member of a privacy task force chaired by the CPO.

Chief Steward of Financial Facts

Westin sees the CFO’s essential role in privacy matters as that of a steward of the financial information the company has about consumers. Financial information is one of the two kinds of information consumers are touchiest about revealing, he notes, with health care being the other.

Many companies sit atop a vast array of personal financial data linked up to credit cards, billing and accounting systems, and telephone records. In such data sources, consumers reveal “where I shop, what kinds of products I buy, whom I write my checks to,” Westin notes.

In practical terms, CFOs also make decisions about how their companies spend money on information systems, and that includes the privacy aspects of the systems. The pull of the purse strings puts them in a key policy-making position.

From that standpoint, they’re in a position to guide an organization’s technological decisions about whether to provide consumers with an “opt-out” or an “opt-in” notice. Under an “opt-out” policy, consumers can choose to ask the company not to share personal information with third parties.

In contrast, under the more stringent “opt-in” policies, companies must ask consumers for permission to use personal information.

Emily Q. Freeman, a San Francisco-based senior vice president of Marsh, the insurance broker, notes that the decisions a CFO makes on privacy-technology spending can either put teeth into a corporate program or defang it.

For instance, a CFO working for a company with an opt-out policy could order the company’s information-technology staff to see that data are encrypted so that if the consumer opts out, the data actually “can’t go anywhere,” says Freeman.

Overall, CFOs can choose whether their company spends enough to enact a “robust” privacy risk management strategy that goes beyond legal and regulatory compliance or one that stresses “what’s merely required legally.”

Managing the Risk

Freeman said that the elements of privacy risk management include:

  • A legal assessment of the company’s consumer privacy statements aimed at erasing ambiguities.
  • Controls set up to make sure IT problems don’t deter enactment of the privacy policy and that outside organizations the company deals with have compatible privacy policies.
  • An assessment of the company’s organizational structure for dealing with privacy risks. That assessment could result in a decision to hire a CPO, and the CFO could be the one to propose it.

Understandably, the broker says there’s an insurance solution to liability exposures involving privacy violations that Marsh or other brokers, backed by insurers including Zurich Financial Services Group and Lloyd’s, can provide.

Such “cyber-risk” policies, which cover privacy legal claims and legal costs, as well as property and crime risks, aren’t accompanied by the increased price tags being seen in other insurance lines, she says.

But such insurance still doesn’t come cheaply. Companies can buy cyber-risk coverage at premiums ranging from $5,000 to $12,500 per $1 million of insurance, according to Freeman, who says buyers can assemble as much as $100 million or $200 million in coverage.

To her credit, Freeman offers the proviso that “no insurance policy can pick up your pure good will” lost through a damaging lawsuit or regulatory action caused by lax privacy risk management.

That may be the main reason that CFOs should become a little more concerned about privacy than I am.