Getting Privacy Right This Time

By Courtney Macavinta

It was the kind of headline a consumer or CIO never wants to read in the morning paper, but it happened to TJX Companies Inc. earlier this year. The global retailer, which includes popular stores like TJ Maxx and Marshalls, experienced an "unauthorized intrusion" and reported that 45.7 million credit and debit card numbers were compromised, along with 455,000 merchandise return records containing customers' driver's license numbers, military ID numbers and Social Security numbers. A class action lawsuit followed, and it was later reported that the company didn't have adequate computer security measures in place.

Privacy breaches come at a high cost for companies, according to the 2006 Annual Study: Cost of a Data Breach by PGP Corporation, Vontu Inc., and The Ponemon Institute, LLC. On average, data breaches cost companies $182 per compromised record, a 31% increase over 2005. The total costs for the breaches analyzed in the study ranged from less than $1 million to more than $22 million.

Ensuring customers' privacy -- in large part due to such high-profile breaches --should be at the top of every CIO's to-do list today. It's not just consumers that an organization has to answer to, however. A plethora of U.S. and global regulations have been passed to help better protect people's digital information. And more laws could be on the horizon. In May, the U.S. Senate Commerce Committee (SCC) approved the "Identity Theft Prevention Act of 2007," which requires new data security practices by companies and entities that collect sensitive consumer data and also mandates the disclosure of data breaches to the Federal Trade Commission (FTC), consumer reporting agencies and consumers.

"One of the first things that's really important is to develop a central approach to privacy," says Jennifer Albornoz Mulligan, an analyst with Forrester Research. "Over half of the Fortune 100 companies do have a privacy office. But if you don't have a true privacy officer, the CIO needs to be someone who is very engrained in doing this."

Increasing privacy to appeal to consumers can also go hand in hand with compliance with new privacy regulations to protect data. Here are steps CIOs can take to bring their organizations into compliance, as well as appease consumers:

• Get up to speed on global best practice and laws  Even though it can seem overwhelming, CIOs need to be current on relevant consumer privacy laws. One way to stay abreast is to keep tabs on new sources of information about privacy laws, such as guidelines offered by the Organisation for Economic Co-operation and Development (OECD), which can be found on oecd.org within the Information and Communications Policy section. Another information clearinghouse is the International Association of Privacy Professionals (IAPP) found on privacyassociation.org. Forrester also recommends that organizations create a formal process "for the easy and efficient handling of incoming legal or regulatory inquiries about your privacy program, controls and incidents."
• Take a centralized approach  Albornoz Mulligan, who co-wrote a November 2006 Forrester report entitled, Build Your Privacy Program: Law, Regulation, and Compliance, recommends that CIOs help to create a centralized privacy policy. The policy should detail what the organization stands for when it comes to protecting privacy, and what security measures and processes it will put into place to meet these standards. Mulligan says that one key aspect is that: "It should be that the consumer has a choice in how you use their information."

The National Association of State Chief Information Officers (NASCIO) also suggests in its October 2006 report, Keeping Citizen Trust: What Can A State CIO Do To Protect Privacy?, that CIOs need to secure their place at the table when it comes to discussing how an organization stores, transmits, shares and disposes of personal information. NASCIO reinforces the importance of the CIO creating a tight relationship with the chief privacy officer or general counsel to create and institute a unified approach to consumer privacy protections.

• Raise awareness  Getting privacy "right" means that everyone -- from corporate officers to staff to customers -- has to be well-informed. "The next step is to do a certain amount of training and awareness-raising for employees and customers," Albornoz Mulligan says.

Organizations need to do internal and external marketing about how they are handling and protecting information from customers. That includes internal training sessions about how to properly handle information and the posting of a company's policies on its Web site for customers to see.

At the end of the day, CIOs need to be a part of the holistic effort, Albornoz Mulligan says, "to assure consumers that you are trustworthy."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News.com, Business 2.0, Red Herring, Wired News, and The Washington Post. She also is managing editor of  The Online Family (TheOnlineFamily.net).