Responding to legal and business concerns, execs guard against costly privacy breaches

   ADVERTISEMENT
  

Free IT resource

Hear how top CIOs turn change into a competitive advantage.

Sponsored by HP

Free IT resource

Try Sun servers, workstations and storage products free for 60-days.

Sponsored by Sun Microsystems

RELATED LINKS
»  Google delivers ad-supported video clips via AdSense
»  3Com waiting for details of Bain/Huawei acquisition bid
»  Indian outsourcers' U.S. shopping spree
»  Business RSS feed 

IDG ENTERPRISE NETWORK
The Broader the E-Biz, the Bigger the Lawsuit  (CIO)
Time To Change  (CIO)

TOP NEWS 


IT SOLUTION SEARCH
GONE ARE THE DAYS when corporate boards would ask, rather pointedly, how a CPO (chief privacy officer) could possibly benefit the bottom line. High profile privacy debacles, sweeping new privacy legislation on the horizon, and lawsuits pending against some of the Internet's largest players are sparking the rise of CPOs, most of them attorneys with techno-policy backgrounds.


Although their days are spent poring over the arcane wording of corporate privacy policies or struggling to reign in a zealous marketing department, CPOs are emerging as the guardians of a company's good name.

"A CPO's primary role is to keep the company out of harm's way. And by that I don't mean protecting the company from fines for violating its own privacy statement," says Steven Lucas, CPO of Broomfield, Colo.-based Persona, which works with online marketers on privacy-based initiatives.

"The CPO is now keeper of the corporate brand," adds Lucas, who emphasizes that a CPO can be and often is the difference between cutting-edge initiatives and headlines screaming of a major privacy blunder.

Netcentives' privacy point man Rodney Gould agrees. "I'm the last person at the door to make sure we don't do something that could go wrong for both the company and the customer," he explains.

Putting privacy in its place

The newly formed Association of Corporate Privacy Officers (ACPO), in Hackensack, N.J., estimates that there are currently about 100 CPOs. That number is expected to shoot up dramatically, possibly to 500, in the next year, says Alan Westin, ACPO's president.

The CPO position in e-business emerged out of new privacy-related regulations in the financial and health care industries. But the recent proliferation of CPOs reflects an increased privacy awareness across the industry, according to Westin.

"There is now a fear that there could be a sharp collision between corporate marketing departments -- which are generating income and influencing stock prices -- and certain privacy limitations," Westin explains.

Both Internet powerhouses and traditional enterprises are rapidly hiring CPOs, but neither side initially saw the value in having a top executive helm data collection practices. It took a handful of much-ballyhooed privacy gaffes at companies such as DoubleClick and ToySmart to help turn the tide. CPOs are now popping up across the IT landscape, although there are two competing reasons why companies are hiring these top privacy executives. Some view the hiring of a CPO as a pre-emptive strike against litigation, whereas others see privacy as a market advantage, a way to play directly to certain customer sets, sources say.

Netcentives, for instance, hired Gould away from the U.S. Postal Service, where he worked as an attorney in the agency's consumer division. "A CPO should really be a consumer advocate," Gould says.

Tying privacy directly into its marketing efforts, Netcentives has Gould reporting to the San Francisco-based company's vice president of marketing, although Gould says he also enjoys a "dotted line up to the CEO."

Many CPOs point to the marketing department as the business division most in need of a primer on privacy dos and don'ts, so Gould says that reporting to the department he watches most closely makes sense.

Calling himself a "data minimalist," Persona's Lucas says he has spent a great deal of time educating the marketing department and speculates that most of his counterparts are doing the same. "As an industry, we really have to get away from the model that says [we should] collect as much information as possible," he notes.

As have many CPOs before him, Lucas came up the ranks as an in-house attorney. Before joining Persona, where he doubles as CIO, Lucas worked as legal counsel to a division of Excite@Home. There, he also tracked relevant privacy legislation, a common element in the job description of today's CPO. Similarly, Michael Lamb served as chief counsel for a division of AT&T, in Basking Ridge, N.J., before becoming the company's CPO.

Both Lamb and Lucas stress the need to balance legal and policy backgrounds -- which often produce well-prepared CPOs -- with a healthy dose of technical expertise.

"When working with a new product or service, I am also constantly being educated by the staff," says Lamb, adding that his technical background comes from years spent as an Internet lawyer. "At the same time, I am continually asking them, 'What happens to the customer data you collect?' "

Those kinds of questions pervade a CPO's day-to-day efforts to safeguard a company's reputation against potentially fatal privacy blunders. Tactically, the job often involves duties such as combing through the data-collection practices of potential business partners.

Policing policies

Meanwhile CPOs at merger-hungry companies such as New York-based Verizon -- a blend of regional telephone giants GTE and Bell Atlantic -- spend many a day in meetings designed to synchronize the practices of newly consolidated companies.

In its initial blockbuster merger with Nynex, Verizon (then Bell Atlantic) acquired Nynex employee Shelley Harms, a privacy pioneer who drafted one of the industry's first Web site privacy statements in 1994.

Harms learned early on the tedious realities of reconciling the corporate privacy statements and practices of two separate companies. "We sat the two policies side by side and took the best from each [during the Nynex merger]," she recalls.

Far more difficult than writing the privacy language to hang on a Web site is ironing out the practices that make up those policies. For example, Bell Atlantic and GTE had very different philosophies on marketing services to customers with unlisted phone numbers.

"I have taken a lead on the policies, and others have been available to help me figure out how we are going to make [privacy compliance] happen," Harms says.

CPOs such as AT&T's Lamb meet extensively with development teams and working groups to make sure a new service or technology complies with the broad set of privacy principles laid out on their Web sites.

Staying on top of new corporate initiatives is perhaps the hallmark of a CPO; today's CPO is expected to recognize and head off privacy-related situations before they become full-blown problems.

Lamb offered a recent example at AT&T. Faced with potential criticism suggesting that customer cell phone numbers were being passed to Web sites they visited, AT&T made a proactive change.

"We were meeting all of the privacy commitments we had made to customers, and we had discussed extensively how the data would be used. But some of our users said they were not happy with some of the data that was being disclosed. So we decided that it was not the right thing to do," Lamb says.

At the end of the day, those decisions involving a balance between privacy-related discretion and business goals define the successful CPO, says ACPO's Westin.

"You need someone who sees clearly the company's privacy position, but someone who at the same time wants to see the company succeed," Westin says.