InformationWeek: The Business Value of Technology

teve Hoberman works for one of the largest process-manufacturing companies on the East Coast. Hoberman is a data architect in the company's IS division. He generates reports for the company's marketing and sales executives based on information in its data warehouse. He considers himself an expert in database design and has a master's degree in IT from Carnegie Mellon University.

You might think Hoberman would know all there is to know about his company's data policies, or at least he'd be generally aware of what the company does with its data. But ask him whether his company sells data to third parties. "No," he answers right off, but then, thinking about it, "I guess I don't know for sure." Does he care? "Not really," he says. "I'm an enabler. I solve people's problems." Hoberman says he translates management's need to interpret data into a tool executives can use to help the business. "Beyond that point," he says, "I don't care."

As an IT professional, Hoberman isn't unusual in his lack of awareness of his company's data policies, nor is he unusual in his insistence that he doesn't need to know those policies. As the debate over data privacy grows louder and more acrimonious, IT professionals increasingly find themselves in the middle of the controversy, whether they know it or not--and a disturbing number don't know it. IT is what makes the collection, manipulation, and dissemination of data possible. And while data has been collected and sold since the invention of the abacus, the furious pace at which that industry has grown over the past 10 years can be laid directly at the feet of the technology industry.

What do professionals in the "data industry"--data marketers and vendors of database and data-mining technology--think of the ethical implications, if any, of what they do? What about IT professionals who specialize in data storage and management? Many data marketers equate their ethical obligations with following the letter of the law. As for data-technology vendors, by and large they feel removed from the issue. Many IT professionals, even some directly involved in creating marketing databases, profess an ignorance--willed or not--of any implications to what they do outside their immediate business obligations.

The data industry has come under harsh review. There is a raft of federal and local laws under consideration to control the collection, sale, and use of data. American companies have yet to match the tougher privacy regulations already in place in Europe, while personal and class-action litigation against businesses over data-privacy issues is increasing. Privacy advocates, educators, and industry observers say it's time for the data industry, and the IT community in general, to embrace the issue and drop the duck-and-cover mentality that pervades the controversy. "This whole area is a minefield," says Brian Staff, marketing VP at database supplier Informix Corp., which was recently acquired by IBM.

Earlier this year, N2H2 Inc. learned about the politics of the privacy debate the hard way. The Seattle company, which provides 40% of the Internet filtering software used in U.S. schools, decided last year to enter a new business: the sale of aggregated data. In a partnership with marketing powerhouse Roper Starch Worldwide, N2H2 began marketing the data, called Class Clicks, that its filtering tools collected on the Web-site usage trends of elementary and high-school students. The data contained no names or personal information and complied with the new federal Children's Online Privacy Protection Act.

Yet N2H2's new line of business brought such loud howls of protest from online privacy advocates that the company scrapped the effort in February. "We went above and beyond the call to make sure there was no way to trace anything back to a school or an individual," says Ken Collins, N2H2's director of analytic services. "It was all aggregated data, but it still triggered a bunch of flags in public perception. It was a confusing and chaotic mess."

There's no doubt that data marketers feel under scrutiny. "If we don't get it right, and we allow abuses to happen, the whole industry will pay the price for years," says Paul Gustafson, VP of business development and product management for IQCommerce Corp., which builds the IT behind online promotions for companies such as Unilever and Johnson & Johnson. "There's an awful lot at stake, and we're a long way away from having all the answers."

Many companies in the consumer-information business describe ethical business practices primarily in terms of complying with existing laws, such as the 31-year-old Fair Credit Reporting Act or the recently ratified Gramm Leach Bliley Act that regulates consumer financial data. "We try to balance how we use information while complying with laws and regulations and doing things in an ethical manner," says Rich Crutchfield, executive VP at Equifax Corp. in Atlanta, the world's largest provider of credit data.

"There's a tremendous amount of federal, state, and contract law out there dealing with privacy," says David Lee, an executive VP at ChoicePoint Inc., which compiles public-record information for insurance carriers, the FBI, and the U.S. Marshals, among other customers. "We view ourselves almost as a regulated industry." At ChoicePoint, chief privacy officer Michael de Janes is also the company's general counsel.

Clearly, business and government leaders aren't satisfied with how data privacy has been handled so far. The growth of a management position known as the chief privacy officer is an attempt by companies --across many industries, not just those in the data business-- to indemnify themselves against potential liability over data issues, both internal and external.

As well they should. Along with the privacy laws already on the books, there are 50 bills pending in Congress concerning privacy and more in state and local governments.

Data marketers are keenly aware of the growing momentum behind those legislative efforts, and what it might mean for their industry. "We want to avoid heavy-handed regulation with unintended consequences," says John Ford, chief privacy officer at Equifax. "Why use a vise grip when a pair of tweezers will do?"

One of the most controversial of the new privacy laws is the Health Insurance Portability and Accountability Act. Former President Clinton signed the bill into law in 1996, but Congress never devised specific rules governing medical data, so that onerous task was deferred to the Department of Health and Human Services. The department released 1,500 pages of rules in December (available at http://www.hhs.gov/ocr/regtext.html), Congress ratified them last month, and companies have two years to comply.

Patients are promised the ability to access their medical records; previously, that was allowed in only 28 states. Also, they can make changes to inaccuracies in their medical files. Health-care entities covered under HIPAA must receive written consent from patients to use their medical data. Health-care companies must also hire a privacy officer and train employees in how to handle the sensitive data. Those who misuse data face up to 10 years in prison and $250,000 in fines.

HIPAA won't affect some data-collection methods. Medical Marketing Service in Wood Dale, Ill., and A. Caldwell List Co. in Atlanta aren't using official records or under-the-table schemes to gather the information they sell to data marketers. They get it voluntarily from ailment sufferers who respond to direct-mail or online questionnaires that promise coupons, discounts, and samples in exchange for a bevy of personal data. "We not only get ailment information, but also data on college degrees, income, age, hobbies, address and phone number, if they have an American Express or Visa card, and whether they plan to travel or buy [specific] things in the next six months," says Tori Weathersby, senior sales executive at A. Caldwell. For the millions who respond, they're informed of the marketing possibilities on the questionnaires.

HIPAA also doesn't cover dot-coms, so when an individual fills out a health-care assessment on a medical Web site, that information is fair game for any marketing efforts. "There's a false sense of security that consumers and patients would have at an E-health dot-com," says Paul Tang, chief medical information officer at the Palo Alto Medical Foundation, a health-care provider and medical research group in northern California. Tang is also chairman of the public policy committee of the American Medical Informatics Association. "A critical point is that they're not doing anything that's currently illegal. So it's really a 'consumer beware' situation," he says.

Data marketers realize they have a public-perception problem. The Direct Marketing Association represents 5,000 consumer-marketing and data-collection companies. Pat Faley, VP of ethics and consumer affairs for the association and the former VP of public responsibility at American Express, heads a staff of 10 who focus on consumer-protection and privacy issues. The association has specific privacy guidelines that its members must follow or they can be kicked out of the group--and last year, it did just that to three members, including Columbia University's Graduate School of Business, that refused to certify their adherence to the guidelines. "They felt it was not the appropriate role for a trade association, but we obviously disagree," Faley says. "Any company that violates their customers' privacy gives the entire industry a black eye."

A common refrain among technology providers and the companies collecting and mining data is that ethical, privacy-respecting practices simply make good business sense. "Poor privacy practices harm relationships," says Rachael Shanahan, chief privacy officer at Unica Corp., a supplier of customer-relationship management software. "Any company that doesn't understand the value of the customer relationship won't be around for very long."

But most database-technology vendors don't believe it's their place to dictate how their customers can or can't use their products. "We're like the companies that make the metal that goes into guns--one step removed," says Informix's Staff. "It's hard to see how we could impose any controls on how [Informix technology] is used."

Oracle's head database developer, Ken Jacobs, admits he has conflicting feelings when his dinner is interrupted by a telemarketer--who has perhaps culled his name from an Oracle database. "I sometimes ask myself, 'Do I really want to help these people?'" he says with a laugh. But Jacobs, the database-industry leader's VP of product strategy for server technologies, says he doesn't know how Oracle could enforce any edicts on how its products are used, or not sell to a customer it considered unethical. "I don't think we'd be in a position to do that," he says. "Would the hardware people not sell them hardware? Or the electric company not sell them electricity?"