
InformationWeek

May 14, 2001

http://www.informationweek.com/837/dataethics.htm

The Ethics Of Data

As the debate over data privacy grows, many IT professionals who manage the information find themselves in the middle of the controversy.

   

Illustration by Jonathan Weiner

Steve Hoberman works for one of the largest process-manufacturing companies on the East Coast. Hoberman is a data architect in the company's IS division. He generates reports for the company's marketing and sales executives based on information in its data warehouse. He considers himself an expert in database design and has a master's degree in IT from Carnegie Mellon University.

You might think Hoberman would know all there is to know about his company's data policies, or at least he'd be generally aware of what the company does with its data. But ask him whether his company sells data to third parties. "No," he answers right off, but then, thinking about it, "I guess I don't know for sure." Does he care? "Not really," he says. "I'm an enabler. I solve people's problems." Hoberman says he translates management's need to interpret data into a tool executives can use to help the business. "Beyond that point," he says, "I don't care."

As an IT professional, Hoberman isn't unusual in his lack of awareness of his company's data policies, nor is he unusual in his insistence that he doesn't need to know those policies. As the debate over data privacy grows louder and more acrimonious, IT professionals increasingly find themselves in the middle of the controversy, whether they know it or not--and a disturbing number don't know it. IT is what makes the collection, manipulation, and dissemination of data possible. And while data has been collected and sold since the invention of the abacus, the furious pace at which that industry has grown over the past 10 years can be laid directly at the feet of the technology industry.

What do professionals in the "data industry"--data marketers and vendors of database and data-mining technology--think of the ethical implications, if any, of what they do? What about IT professionals who specialize in data storage and management? Many data marketers equate their ethical obligations with following the letter of the law. As for data-technology vendors, by and large they feel removed from the issue. Many IT professionals, even some directly involved in creating marketing databases, profess an ignorance--willed or not--of any implications to what they do outside their immediate business obligations.

Privacy Proclamations

The data industry has come under harsh review. There is a raft of federal and local laws under consideration to control the collection, sale, and use of data. American companies have yet to match the tougher privacy regulations already in place in Europe, while personal and class-action litigation against businesses over data-privacy issues is increasing. Privacy advocates, educators, and industry observers say it's time for the data industry, and the IT community in general, to embrace the issue and drop the duck-and-cover mentality that pervades the controversy. "This whole area is a minefield," says Brian Staff, marketing VP at database supplier Informix Corp., which was recently acquired by IBM.

Earlier this year, N2H2 Inc. learned about the politics of the privacy debate the hard way. The Seattle company, which provides 40% of the Internet filtering software used in U.S. schools, decided last year to enter a new business: the sale of aggregated data. In a partnership with marketing powerhouse Roper Starch Worldwide, N2H2 began marketing the data, called Class Clicks, that its filtering tools collected on the Web-site usage trends of elementary and high-school students. The data contained no names or personal information and complied with the new federal Children's Online Privacy Protection Act.

Yet N2H2's new line of business brought such loud howls of protest from online privacy advocates that the company scrapped the effort in February. "We went above and beyond the call to make sure there was no way to trace anything back to a school or an individual," says Ken Collins, N2H2's director of analytic services. "It was all aggregated data, but it still triggered a bunch of flags in public perception. It was a confusing and chaotic mess."

There's no doubt that data marketers feel under scrutiny. "If we don't get it right, and we allow abuses to happen, the whole industry will pay the price for years," says Paul Gustafson, VP of business development and product management for IQCommerce Corp., which builds the IT behind online promotions for companies such as Unilever and Johnson & Johnson. "There's an awful lot at stake, and we're a long way away from having all the answers."

Selective Shopping

Many companies in the consumer-information business describe ethical business practices primarily in terms of complying with existing laws, such as the 31-year-old Fair Credit Reporting Act or the recently ratified Gramm Leach Bliley Act that regulates consumer financial data. "We try to balance how we use information while complying with laws and regulations and doing things in an ethical manner," says Rich Crutchfield, executive VP at Equifax Corp. in Atlanta, the world's largest provider of credit data.

"There's a tremendous amount of federal, state, and contract law out there dealing with privacy," says David Lee, an executive VP at ChoicePoint Inc., which compiles public-record information for insurance carriers, the FBI, and the U.S. Marshals, among other customers. "We view ourselves almost as a regulated industry." At ChoicePoint, chief privacy officer Michael de Janes is also the company's general counsel.

Clearly, business and government leaders aren't satisfied with how data privacy has been handled so far. The growth of a management position known as the chief privacy officer is an attempt by companies--across many industries, not just those in the data business--to indemnify themselves against potential liability over data issues, both internal and external.

As well they should. Along with the privacy laws already on the books, there are 50 bills pending in Congress concerning privacy and more in state and local governments.


John Ford

SIDE EFFECTS: In the rush to regulate data, legislators should beware of heavy-handed privacy rules that can have unintended consequences, says Ford, Equifax's chief privacy officer.

Data marketers are keenly aware of the growing momentum behind those legislative efforts, and what it might mean for their industry. "We want to avoid heavy-handed regulation with unintended consequences," says John Ford, chief privacy officer at Equifax. "Why use a vise grip when a pair of tweezers will do?"

One of the most controversial of the new privacy laws is the Health Insurance Portability and Accountability Act. Former President Clinton signed the bill into law in 1996, but Congress never devised specific rules governing medical data, so that onerous task was deferred to the Department of Health and Human Services. The department released 1,500 pages of rules in December (available at http://www.hhs.gov/ocr/regtext.html), Congress ratified them last month, and companies have two years to comply.

Patients are promised the ability to access their medical records; previously, that was allowed in only 28 states. Also, they can make changes to inaccuracies in their medical files. Health-care entities covered under HIPAA must receive written consent from patients to use their medical data. Health-care companies must also hire a privacy officer and train employees in how to handle the sensitive data. Those who misuse data face up to 10 years in prison and $250,000 in fines.

HIPAA won't affect some data-collection methods. Medical Marketing Service in Wood Dale, Ill., and A. Caldwell List Co. in Atlanta aren't using official records or under-the-table schemes to gather the information they sell to data marketers. They get it voluntarily from ailment sufferers who respond to direct-mail or online questionnaires that promise coupons, discounts, and samples in exchange for a bevy of personal data. "We not only get ailment information, but also data on college degrees, income, age, hobbies, address and phone number, if they have an American Express or Visa card, and whether they plan to travel or buy [specific] things in the next six months," says Tori Weathersby, senior sales executive at A. Caldwell. The millions who respond are informed of the marketing possibilities on the questionnaires.

HIPAA also doesn't cover dot-coms, so when an individual fills out a health-care assessment on a medical Web site, that information is fair game for any marketing efforts. "There's a false sense of security that consumers and patients would have at an E-health dot-com," says Paul Tang, chief medical information officer at the Palo Alto Medical Foundation, a health-care provider and medical research group in northern California. Tang is also chairman of the public policy committee of the American Medical Informatics Association. "A critical point is that they're not doing anything that's currently illegal. So it's really a 'consumer beware' situation," he says.


Pat Faley

BAD FOR EVERYONE: Violating customers' privacy gives direct marketers a black eye, says Direct Marketing Association VP Faley.

Data marketers realize they have a public-perception problem. The Direct Marketing Association represents 5,000 consumer-marketing and data-collection companies. Pat Faley, VP of ethics and consumer affairs for the association and the former VP of public responsibility at American Express, heads a staff of 10 who focus on consumer-protection and privacy issues. The association has specific privacy guidelines that its members must follow or they can be kicked out of the group--and last year, it did just that to three members, including Columbia University's Graduate School of Business, that refused to certify their adherence to the guidelines. "They felt it was not the appropriate role for a trade association, but we obviously disagree," Faley says. "Any company that violates their customers' privacy gives the entire industry a black eye."

A common refrain among technology providers and the companies collecting and mining data is that ethical, privacy-respecting practices simply make good business sense. "Poor privacy practices harm relationships," says Rachael Shanahan, chief privacy officer at Unica Corp., a supplier of customer-relationship management software. "Any company that doesn't understand the value of the customer relationship won't be around for very long."

But most database-technology vendors don't believe it's their place to dictate how their customers can or can't use their products. "We're like the companies that make the metal that goes into guns--one step removed," says Informix's Staff. "It's hard to see how we could impose any controls on how [Informix technology] is used."

Oracle's head database developer, Ken Jacobs, admits he has conflicting feelings when his dinner is interrupted by a telemarketer--who has perhaps culled his name from an Oracle database. "I sometimes ask myself, 'Do I really want to help these people?'" he says with a laugh. But Jacobs, the database-industry leader's VP of product strategy for server technologies, says he doesn't know how Oracle could enforce any edicts on how its products are used, or not sell to a customer it considered unethical. "I don't think we'd be in a position to do that," he says. "Would the hardware people not sell them hardware? Or the electric company not sell them electricity?"

Far from apologizing for what they do, many in the data industry say they perform a valuable function for society. "One of the key things that fuels our economy is easy access to credit information," says Equifax's Crutchfield. "You can buy a car in an hour because the auto company can see [your credit data] instantly."

Business-intelligence software vendor Business Objects SA tries to convince companies that aren't in the information business that they're passing up a potentially large source of revenue by not analyzing and selling data they collect. "We ran a seminar session called 'You're Sitting On A Gold Mine And Don't Know It,'" says David Kellogg, senior VP of marketing at Business Objects.

Another vendor touts the capability of its products to go beyond the generally accepted norm of aggregation--categorizing data by demographic details without referencing specific names--as a competitive advantage. "Marketers can indeed target personally identifiable individuals, going beyond aggregation," says Paul Rodwick, VP of market development and strategy at E.piphany Inc. "Companies want a deep relationship with their customers, and technologies like ours help prevent spam because marketers can do finer segmentation and market to people who are actually interested in what they're selling."

That all makes sense to at least one IT professional. "To me, there's nothing bad here," says database designer Hoberman. "I don't see anything wrong with collecting all this information about us. I live for information. The more information you have, the better. It's all good stuff."

Are there guidelines or an ethical code to help database experts sort out their responsibilities? Should there be? Some senior IT managers say database professionals don't bear much responsibility at all. "I never really thought about [usage of data] from the database administrator's position," says Lou Saviano, director of IT services and infrastructure development at Osram Sylvania, the Danvers, Mass., division of Osram GmbH. "A database administrator would never make the decision on how the data is used. That would be a sales and marketing call."

That also goes for outside consultants who create databases for clients, says Trey Johnson, a data-warehouse architect for Encore Development, an E-business consulting firm in Jacksonville, Fla. "We're just building tools," Johnson says. "The customers are ultimately responsible for how they're using these tools." Johnson admits it's possible that Encore would create a tool that would collect data at a fairly personal level, but the responsibility for how that technology is used "falls squarely on the shoulders of the companies that use these tools," he says. "That's where privacy starts and ends."

Tang, of the Palo Alto Medical Foundation, has a different view--that IT professionals should go beyond creating the tools and take an active role in building their companies' privacy policies. Not only has Palo Alto implemented strict policies for users of patient medical data, it's also adopted policies for how the IT department handles such information. "Every time you make a purchase or upgrade of a system, you should consider the security features built in and make sure they're sufficient to handle privacy regulations, governed either by professional ethics or law," he says. "I don't think that's been at the top of mind for any industry, including health care. We live in a new world, and this should be a key component of any new system."

The ethical "duties" of a database administrator revolve around maintaining the integrity, security, reliability, and availability of a company's data, says Bill Burke, director of information services, strategic operations, at supply-chain software vendor i2 Technologies Inc. That means preventing information about a consumer's credit history or an employee's human-resources records from becoming corrupted and ensuring that no "inadvertent or malicious damage" is done to the data, Burke says. Making such data secure, both from access by outside hackers and inappropriate use by internal employees, is also part of a database administrator's ethical responsibility. "You have the salary of everyone from the janitor to the CEO on file," Burke says.

Kimberly Floss

KNOW IT ALL: Database administrators must be familiar with all aspects of the business, because their responsibilities have increased, Floss says.

A mitigating factor is that database professionals have limited control over the operation of other parts of the companies they work for, says Kimberly Floss, who recently left a job as a database administrator for the Leo Burnett advertising agency in Chicago. For example, responsibility for data integrity, while primarily the database administrator's, also lies with the organizations that operate the applications that supply data to the company's database and even with the third-party application providers that supply that software. But database administrators have to be knowledgeable about those systems as well as their own, Floss says. "The responsibility of the DBA, in my view, has increased."

When it comes to data privacy and the changes that IT is bringing, the industry hasn't done enough to raise ethical questions, says David Ozar, director of the Center for Ethics at Loyola University in Chicago. The speed at which things are changing is no excuse. Ozar compares it with human genome research, where technology may be outstripping the ethical debate, but there's at least an active discussion about it in the professional and academic community. "There was a self-conscious effort to say 'Let's talk about the fundamental questions here,'" Ozar says. "I don't think IT has anything comparable."

The problem is that many IT people don't know very much about the privacy debate. "You find that there's a general lack of understanding about privacy, about the laws and regulations," says Larry Ponemon, president of Guardent Inc., a Waltham, Mass., security service provider. Before Guardent, Ponemon was a partner with PricewaterhouseCoopers, where he established the consulting firm's ethics and corporate-compliance practice. He's considered one of the leading experts on privacy. "[IT professionals] will say things like 'We know our company has a privacy policy, but I don't know where it is.' They don't understand how it affects their business processes," Ponemon says.

That's dangerous, says Ira Rothken, principal of the Rothken Law Firm in San Francisco. Rothken is a lead counsel in a class-action lawsuit in California against online data marketer DoubleClick Inc. in a privacy-invasion dispute over the use of cookies, the Internet device many Web sites use to keep track of visitors. While Rothken says IT executives aren't likely to be cited in a data-privacy lawsuit unless they've done something criminal, they should understand the legal environment. "An IT person would be acting below the standard of care not to know the laws and regulations in their area," he says.

Where do IT professionals find training in ethics? Not in college--at least not yet. Database designer Hoberman says he never once discussed ethics during his time at Carnegie Mellon. "I don't really mention the word ethics. I talk about privacy and security," says Daniel Norris, a professor of management information systems at Iowa State University who specializes in teaching database management and computer security. The subject of ethics comes up only in relation to security, he says, and the students themselves never bring it up. "If it won't help them on the job, they don't want to talk about it," he says.

Norris says there's a push at Iowa State to integrate ethics into the curriculum and that the school has created an ethics center. As far as the computer-science department is concerned, "it's going to be a slow process," he says.

But not if Doris Lidke can help it. Lidke is a professor of computer and information sciences at Towson University in Towson, Md. She's also a member of the Accreditation Board of Engineering and Technology, which accredits computer-science departments across the country.

Lidke recently headed a task force to explore the possibility of creating a computer-science curriculum that specializes in very large systems, to prepare graduates to work with, say, air-traffic control systems. The task force was made up of equal parts academics and business executives, the latter from companies such as Boeing Co. and Citibank as well as a large phone company and a large computer manufacturer. In developing a list of potential subjects for such a curriculum, Lidke and her colleagues were surprised to see one nontechnology topic score as high in terms of priorities as user-interface and systems integration. "We were quite surprised that [ethics] was one of the things that absolutely had to be in the curriculum," she says. This summer, the Accreditation Board of Engineering and Technology will add a new subject to its list of mandatory courses: one credit hour of ethics study.

The teaching of business ethics has grown rapidly in recent years, but linking ethics to IT, and to decisions about the way data is collected and used, is long overdue. Jody Giles, VP and CIO of shoemaker Vans Inc. in Santa Fe Springs, Calif., says he had to rely on the expertise of @Once, the company's E-mail-distribution partner, when Vans began marketing to teen-agers online. "Had they not made me aware of the Children's Online Privacy Protection Act, I wouldn't have known a thing about it," Giles says. "This is a new, emerging issue that comes with the technology. They didn't teach me about it when I was taking ethics classes in business school."

--with Eileen Colkin, Robin Gareiss, Diane Rezendes Khirallah, Chris Murphy, and Rick Whiting

Photo of Floss by Tom Hurst
