
Managing the Cost of Privacy Regulations

By Jim West
October 7, 2003 12:00 PM ET

Computerworld - Abuses of privacy have proliferated in recent years with corporate America's increased dependence on the Internet and other new technologies, such as Wi-Fi networks. Because enormous amounts of personal information are stored on company databases, privacy can be easily violated. Marketers gather all kinds of information about customers and track their buying habits. Financial institutions and health insurers obtain details about their clients from documents such as mortgages and claims forms. Companies get into trouble, however, when they obtain personal information by misrepresentation or fraud, or when sensitive information is improperly used or disclosed.

Consumers have good reason to be worried about the way their personal information is being used. The disclosure of private information can result in the loss of a job or insurance coverage, or damage a person's reputation. Lawmakers have responded to the problem by enforcing existing laws and enacting a variety of new ones to protect customer privacy. In just the past few years, Congress has passed the Gramm-Leach-Bliley Act, the Child Online Protection Act and the Health Insurance Portability and Accountability Act. However, Congress has not passed a single, unified privacy law. Frustrated, many states have taken matters into their own hands. California lawmakers recently enacted a bill that, as of July 1, 2003, makes companies that store data electronically and conduct business in that state responsible for alerting California customers whenever "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

Most companies have been doing their best to comply with federal and state privacy laws. But for the corporate world, the cost of complying with all these new regulations can be considerable. It may require an overhaul of business processes or the revamping of computer security systems. It may mean giving up certain profitable marketing strategies.

Failure to comply with the privacy laws, however, can be far more costly. For instance, in 2000, a U.S. district court approved a $3.5 million settlement of a class-action lawsuit against U.S. Bancorp. The plaintiffs asserted that U.S. Bancorp sold customer account information without permission to a third-party telemarketing firm.

Alarmed by abuses of their privacy, consumers are increasingly taking companies to court. Plaintiffs have won more than $111 million in settlements or judgments against companies in 110 separately reported privacy cases against 92 corporate defendants, according to the Privacy & American Business study "Consumer Privacy in the Courts: Annual Trend Report and Analysis 2002." Class-action lawsuits represented 17% of the total, but as privacy concerns gain steam, class actions could become a litigation hotbed.
