Managing the Cost of Privacy Regulations

Abuses of privacy have proliferated in recent years with corporate America's increased dependence on the Internet and other new technologies, such as Wi-Fi networks. Because enormous amounts of personal information are stored on company databases, privacy can be easily violated. Marketers gather all kinds of information about customers and track their buying habits. Financial institutions and health insurers obtain details about their clients from documents such as mortgages and claims forms. Companies get into trouble, however, when they obtain personal information by misrepresentation or fraud, or when sensitive information is improperly used or disclosed.

Consumers have good reason to be worried about the way their personal information is being used. The disclosure of private information can result in the loss of a job or insurance coverage, or damage a person's reputation. Lawmakers have responded to the problem by enforcing existing laws and enacting a variety of new ones to protect customer privacy. In just the past few years, Congress has passed the Gramm-Leach-Bliley Act, the Child Online Protection Act and the Health Insurance Portability and Accountability Act. However, Congress has not passed a single, unified privacy law. Frustrated, many states have taken matters into their own hands. California lawmakers recently enacted a bill that, as of July 1, 2003, makes companies that store data electronically and conduct business in that state responsible for alerting California customers whenever "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

Most companies have been doing their best to comply with federal and state privacy laws. But for the corporate world, the cost of complying with all these new regulations can be considerable. It may require an overhaul of business processes or the revamping of computer security systems. It may mean giving up certain profitable marketing strategies.

Failure to comply with the privacy laws, however, can be far more costly. For instance, in 2000, a U.S. district court approved a $3.5 million settlement of a class-action lawsuit against U.S. Bancorp. The plaintiffs asserted that U.S. Bancorp sold customer account information without permission to a third-party telemarketing firm.

Alarmed by abuses of their privacy, consumers are increasingly taking companies to court. Plaintiffs have won more than $111 million in settlements or judgments against companies in 110 separately reported privacy cases against 92 corporate defendants, according to the Privacy & American Business study "Consumer Privacy in the Courts: Annual Trend Report and Analysis 2002." Class-action lawsuits represented 17% of the total, but as privacy concerns gain steam, class actions could become a litigation hotbed.

By failing to protect consumer privacy, companies not only run the risk of being sued, but they also put one of their most important assets -- their reputations -- on the line. The failure to protect the privacy of even just a few customers can damage the confidence of a much larger group of existing or potential customers. Loss of consumer confidence, class-action lawsuits and negative publicity can cause irreparable harm to a company's reputation.

Jim West

That danger was brought to light in a stunning fashion in late 1999, when a hacker stole 300,000 customer credit card numbers from CD Universe, an online music retailer, and then demanded a ransom payment of $100,000 to return the numbers. He made good on his threat to release the numbers to the public when CD Universe balked. The retailer tried to control the damage by notifying its customers about the theft and working with credit card companies to help customers whose card numbers might have been stolen. But the damage was done.

It's not just dot-coms and e-commerce companies that are at risk. Any company that has a Web site or a call center or that gathers information about its customers is at risk. In the Information Age, no company is immune from privacy risks.

Certain companies, however, are at greater risk. Those at greatest risk are companies in the financial services and health care sectors or companies that deal with children. In addition, any business with operations in Europe or Canada, where privacy regulations are much stricter than in the U.S., must take an extra level of precaution.

In 2002, a large telecommunications multinational was fined $730,000 by Spain's data-protection authority for violations of national and European Union privacy laws. An EU directive requires that personal data be "collected for specified, explicit and legitimate purposes and not further processed in any way incompatible with those purposes" without consent. The European model -- also adopted in Canada -- prohibits the transfer of personally identifiable information to any country that doesn't provide protection that the European Commission deems adequate. U.S. protections don't meet the European standards, and few U.S. companies have enrolled in a compromise Safe Harbor program.

To keep track of the various U.S. and international privacy laws and to help ensure that they're compliant, a number of companies, including IBM, American Express Co. and AT&T Corp., have created the position of chief privacy officer. The chief privacy officer can coordinate efforts by the human resources, marketing and IT departments; help develop a coherent privacy policy; and make sure employees are properly trained.

There are additional steps companies should take to help minimize their exposure to U.S. privacy law violations:

  • Determine the company's risk profile. A company that deals with children or works in the financial services sector must be more aggressive in implementing and complying with privacy regulations than a company in a lower-risk sector.
  • Train employees about the company's privacy policies. Don't assume that they already know or understand the policies.
  • Improve computer security. Make sure all computer systems and databases are properly protected with firewalls, encryption and any other necessary security devices. Be particularly careful where wireless technology is concerned. Wi-Fi has become extremely popular over the past few years. But Wi-Fi is often a huge, open door into a company's networks and databases, and few companies have taken the proper steps to secure their Wi-Fi technology.
  • Put the necessary resources behind the management of privacy policies. Make privacy a priority. It's easy for privacy issues to fall through the cracks because of a lack of management commitment. One way to avoid that pitfall is by establishing a chief privacy officer position.
  • Comply with the most restrictive of the privacy policies. There are currently more than 600 state and federal regulations concerning privacy. It's not necessary to comply with all of them. Companies should learn which ones apply to their industry and then follow the toughest standards.
  • Follow the company's stated privacy policies. Many companies have privacy policies and then fail to abide by them. It's useless to have a privacy policy if a company isn't prepared to live up to its obligations.

Consumer privacy has come under attack like never before in recent years, and each technological advance creates new challenges for companies seeking to protect their customers. Companies that take steps to meet those challenges, however, can avoid violations that lead to costly lawsuits and can enhance their reputation with customers.

Copyright © 2003 IDG Communications, Inc.
