Chief Privacy Officers: Forces? Or Figureheads?

The sudden interest in appointing chief privacy officers (CPO) stems as much from fear as it does from the desire to protect customers.

The CPO movement is young [Page One, Sept. 18]: About 50 to 75 companies have created such positions in the past several months, according to Alan Westin, a business privacy expert who in July started the Association of Corporate Privacy Officers (ACPO) in Hackensack, N.J.

Many more CPOs are expected to be hired as a result of the growing corporate angst over whether Congress will pass strict privacy laws that may hamper business. The Federal Trade Commission (FTC) has already suggested that corporate self-regulation isn't working [Business, June 19].


Warding Off Washington?

Corporate America is desperate to convince the public that it can be trusted with private consumer information.

Otherwise, pundits say, Congress will likely enact privacy laws that will force many businesses to change the way they handle data. Several such bills are pending and are expected to be debated next year.

The appointment of CPOs is just one small move companies are taking. And small is the operative word, says Jonathan Gaw, an analyst at IDC.

"In an organization where everybody is focused on making money, you need someone to wave the consumer flag. CPOs are necessary in that regard, but [they're] not enough," Gaw says.

Other recent corporate steps to establish and maintain consumer trust include:

• The ACPO, a professional group for CPOs, was created in July.

• Nine of the biggest online advertising firms signed a deal with the federal government in August to limit the kind of information they collect from Web surfers without the users' consent.

• In June, 24 companies and trade associations formed the Privacy Leadership Initiative, an alliance to study consumer privacy issues and lay out voluntary guidelines. The group announced last month that it will work with the New York-based Direct Marketing Association on a three-year, multimillion-dollar publicity blitz to convince consumers that their data is safe.


But having a CPO is fast becoming a checklist item to help companies ward off government regulation and to reassure customers that their privacy will be protected, says Jonathan Gaw, an analyst at International Data Corp. in San Mateo, Calif.

Often, a CPO is at a disadvantage from the start, Gaw says. "Companies are about making money," he says. "But CPOs don't have a budget. They are not responsible for profit and loss. They generally don't have large staffs relative to the rest of the company, and, of course, they don't bring in any revenue."

In general, no standard chain of command involving the CPO exists yet. At some companies, the CPO reports to the director of compliance; at others, he reports to the CEO. CPOs are former lawyers, marketing people and compliance officers. They may or may not have an information technology background, although experts say having an understanding of IT is key.

The job description varies, but, according to the ACPO, general duties include the following:

• Training employees about privacy.

• Comparing the company's privacy policies with potential risks and then figuring out whether or not and how to fill gaps.

• Managing a customer-privacy dispute and verification process.

• Informing senior executives on how the company deals with privacy issues.

Sometimes a CPO is named after a bad privacy incident threatens sales and profits.

For example, Minneapolis-based U.S. Bancorp, an $86 billion bank, appointed a CPO in August after spending $3 million to settle a lawsuit that accused the bank of selling confidential customer financial data to telemarketers. CPO Patricia Bauer reports to the president and chief operating officer.

DoubleClick Inc., an online advertising firm in New York, brought in a CPO after the FTC and several states started to investigate its data-sharing practices last winter. People had complained about DoubleClick's tracking of individual Web users by name and then matching the information to a marketing profile database. The company has since stepped back from that plan. DoubleClick appointed the CPO to oversee and educate the public about its privacy policies, the company said in a statement.

What separates a forceful CPO from a figurehead is whether that person can change or stop a marketing or IT project when privacy questions arise.

At AT&T Corp., for example, Mike Lamb, who was appointed CPO in June, recently had a hand in nixing a deal with a large consumer retail company to market AT&T's long-distance service.

The retailer insisted that it get full access to AT&T customer data, Lamb says. But that would have violated the phone company's vow to keep such information confidential unless the customer OKs its release.

"I got directly involved in the conversations [with the retailer]. I reinforced in the context of those negotiations that our commitment to privacy was nonnegotiable," Lamb says.

Sally Cowan, CPO at New York-based American Express Co., participated in the recent creation of single-use credit-card numbers for online shopping, a company spokeswoman says. At every step - from customer focus groups to development and implementation - Cowan made sure Amex's privacy policies explained how the so-called Private Payments service took shape before it was launched in September.

One warning sign that a CPO may be ineffective is when he has other job titles and responsibilities, says Jim Grady, an analyst at Giga Information Group Inc. in Cambridge, Mass.

When that happens, the CPO will likely be too busy to keep up with all the business, political and technical aspects of the privacy issue, Grady says.

Pat Carmody is a multitasking CPO at Mutual of Omaha Insurance Co. A lawyer by training, Carmody was appointed to lead privacy efforts four months ago. As CPO, he's overseeing a companywide audit of data flows to determine what happens to customer information as it moves through the Omaha-based insurer.

Yet Carmody's actual title is vice president of insurance department services. He's also in charge of making sure the insurer's many forms and rate structures comply with state and federal laws. But he maintains that despite his multiple roles, privacy is "an important mission" for the insurer. He plans to have three people working for him on privacy issues by year's end.

Still, a better strategy is to keep the CPO free of other duties, Grady says. "There's a new wrinkle to privacy every day. If you're responsible for several other areas, it'll be quite difficult to do the privacy part of the job well," he says.

The relationship between the CPO and the IT group is critical. Not only must a CPO understand IT security, but he should also be well-informed about how the IT group treats customer data as it pulses through the company's systems.

Proactive or Reactive?

Even when they go to the trouble of naming a CPO, not all companies insert that executive into IT processes. Often, for example, IT people aren't required to meet with the CPO when applications are being designed. Rather, the CPO is contacted only after privacy questions surface.

Some experts criticize this approach, saying it's easier and cheaper to fix potential problems early in a project rather than afterward.

Shelley Harms, executive director of privacy at New York-based Verizon Communications, says that although she isn't a checklist item on the IT group's agenda during new projects, she regularly talks with technology managers in each business unit. "So if a crisis comes up, we have that relationship," she says.

That's just what happened this summer, when a form on Verizon's Web site that lets customers place repair orders inadvertently exposed account information. When Verizon found out about it, IT shut down the application to fix it while Harms offered advice on how to route the account information so it wouldn't be revealed online. She also worked with IT on a postmortem study of what went wrong and how to avoid making the same mistakes in the future.

But even when a company has a formal privacy policy, employees may disagree about how to interpret it. That's when the CPO must referee.

Harms recently mediated when internal marketing staffers questioned which Verizon pledge should take precedence: the company's vow to honor customer requests not to receive marketing mailings or a promise to give customers better alternatives to their current long-distance programs. "We debated, and we decided that telling somebody that his service has become cheaper or that tweaking it in this manner will make it cheaper isn't a solicitation," Harms says.

Overall, she says, she must consider philosophical issues about how to protect customer privacy while the company earns a profit. But she also has to dig into technology issues such as how best to combine Verizon's various "do not call" customer opt-out lists into a single Oracle Corp. database.

"The CPO's job," she says, "is a combination of 50,000 feet and down in the dirt."

Copyright © 2000 IDG Communications, Inc.