Making Privacy Work

Developing a policy to protect customers is only the beginning
There hasn't been great demand for privacy-management tools in part because about 80% of privacy problems can be resolved without major IT investment and with relatively simple policy changes, says Larry Ponemon, CEO of Privacy Council Inc., which sells privacy-related consulting services and software. Examples include halting questionable Web-site practices, such as unnecessary data collection or use of cookies, and tweaking internal practices with regard to data access. But there are some privacy issues that could benefit from better technology, such as tools to monitor customer data and privacy preferences. Vendors of customer-relationship management software, which is designed to track a company's knowledge about its customers, generally haven't made privacy preferences a high priority.

A new generation of software is emerging to fill the gap. These products help companies align business processes with privacy policies and monitor the flow of customer data throughout the company to prevent intentional or inadvertent violations. Privacy Council markets its Privacy Scan software for identifying privacy risks by comparing Web-site practices with written privacy policies. Watchfire provides a similar product. Zero-Knowledge Systems in January shipped its Enterprise Privacy Manager, an application designed to centrally manage privacy policies and practices.

IBM is testing software to manage privacy standards across a company. The Tivoli Privacy Manager, a module of IBM's Tivoli Systems management line, will tag data according to which privacy policies apply and then monitor applications accessing that data to prevent violations. The software, which is planned for release this fall, will include templates for complying with privacy laws such as Gramm-Leach-Bliley and the law governing medical-records privacy, the Health Insurance Portability and Accountability Act. The software is based on eight privacy principles composed by the Organization for Economic Cooperation and Development, a group of 30 countries, including the United States. IBM also has had input from privacy officers at nearly 20 major companies, including Fidelity Investments, Marriott International, Novant Health, T. Rowe Price, and Sharp. "What we're doing is pushing privacy down to the application level," says Tivoli product manager Phil Fritz. "Our customers are finding that writing policies and training employees isn't enough."

Of course, there's still plenty of policy and business-process work to be done in parallel with technology advances. Privacy statements need to be less complex, with less legalese and more plain English. An effort is under way by a number of large companies, including Citigroup, Fidelity, IBM, Procter & Gamble, and J.P. Morgan Chase, to develop privacy notices that are closer to consumer-friendly food-content labels than to the legalese-ridden scripts typical of compliance with Gramm-Leach-Bliley. (For more on this effort, see

Companies also can't ignore the changing regulatory environment, which often requires IT changes. Privacy officers say a sizeable part of their job is keeping up with the dozens of proposed and approved state and federal privacy-related laws. "We're tracking about 150 of them right now, both state and federal," says Kirk Herath, chief privacy officer for Nationwide Mutual Insurance Co. To comply with a new California law designed to combat identity theft, Nationwide spent about $130,000 reprogramming its IT system so no mail from the company contains a customer's Social Security number.

State lawmakers are giving consumers greater control over data. For example, a Vermont law enacted last year requires financial-services companies to get opt-in permission before they can share data among business units. This means companies need flexible data systems. Fleet Boston Financial Corp. built a data warehouse that chief privacy officer Agnes Bundy Scanlan describes as the bank's system of record for information about customer privacy preferences. Fleet uses an opt-out standard, exchanging customer data among its business units unless customers ask it not to. So the opt-in law in Vermont, where Fleet has some 80,000 customer accounts, required the company earlier this year to develop a privacy category for its Vermont customers in the data warehouse. As more states create their own laws, such complexity will increase. Yet eight of 10 companies rely on manual checks to know whether their Web sites' information collection and sharing practices meet the law and internal policy, according to the Watchfire-PricewaterhouseCoopers survey.
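The following is an added illustration, not code from IBM, Fleet, or any vendor named in this article. It models the two ideas above in miniature: a preference store where the default is opt-out but customers in an opt-in jurisdiction (Vermont in the article) may only be shared with explicit consent, and an audit record of every sharing request so a privacy officer can check decisions rather than relying on manual spot checks. The state codes, field names, and customer records are constructed for the example.

```python
"""Toy cross-unit data-sharing check with an audit trail (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Jurisdictions whose law requires opt-in consent before business units share
# customer data. The article names Vermont; all other states fall back to the
# company's opt-out standard. (Assumed set, constructed for this example.)
OPT_IN_STATES = {"VT"}


@dataclass
class Customer:
    customer_id: str
    state: str
    # True = consented to sharing, False = asked not to share, None = silent
    share_consent: Optional[bool] = None


@dataclass
class AuditLog:
    entries: List[Dict] = field(default_factory=list)


def sharing_allowed(customer: Customer) -> Tuple[bool, str]:
    """Decide whether this customer's data may be shared across units."""
    if customer.state in OPT_IN_STATES:
        # Opt-in regime: silence means no; only an explicit yes permits sharing.
        if customer.share_consent is True:
            return True, "opt-in consent on file"
        return False, "opt-in jurisdiction, no consent on file"
    # Opt-out regime: sharing proceeds unless the customer explicitly declined.
    if customer.share_consent is False:
        return False, "customer opted out"
    return True, "opt-out regime, no opt-out on file"


def request_share(customer: Customer, requesting_unit: str, log: AuditLog) -> bool:
    """Evaluate a sharing request and record the outcome for later review."""
    allowed, reason = sharing_allowed(customer)
    log.entries.append({"customer": customer.customer_id, "unit": requesting_unit,
                        "allowed": allowed, "reason": reason})
    return allowed


def denied_requests(log: AuditLog) -> List[Dict]:
    """Entries a privacy officer would review: requests the policy blocked."""
    return [e for e in log.entries if not e["allowed"]]


if __name__ == "__main__":
    log = AuditLog()
    for c in (Customer("VT-001", "VT"), Customer("VT-002", "VT", True),
              Customer("MA-001", "MA"), Customer("MA-002", "MA", False)):
        print(c.customer_id, request_share(c, "mortgage", log))
    print(len(denied_requests(log)), "requests denied")
```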

At Nationwide Insurance, chief privacy officer Herath is involved in monitoring IT-security systems such as firewalls, virus-detection software, and password and encryption standards to protect customer data from internal and external prying eyes. The Gramm-Leach-Bliley Act calls for reasonable levels of security, and Herath says that's a challenge that requires an understanding of IT, given the pace of change in security technology. "I can guarantee that what's reasonable today won't be reasonable two or three years down the road," he says.

For the most forward-looking companies, privacy isn't just about meeting regulators' expectations and avoiding bad publicity. It's a chance to build closer ties to customers. For these companies, and rivals trying to keep up with them, IT will play an increasingly important role in getting that job done.

Illustration by Richard Borge.