In Depth

Privacy Policies: Serving Up Your Customers

The privacy debate is nothing new. But it will heat up as the lines between security and privacy blur.

By Meg Mitchell Moore

Page 4

"Customers may seem eager to hand over information in exchange for the convenience of banking online or getting through the tollbooth faster," says Randy Sabett, an attorney who specializes in information security and technology law at law firm Cooley Godward. "But ultimately, they don't want to think the company they share their information with is helping Big Brother."

The debate quickly boils down to a question of who owns the customer data. "That's easy," says John Worrall, vice president for worldwide marketing at RSA Security. "The customer does. In fact, most people believe that their personal information belongs to them and that they simply allow a company to borrow it in order to facilitate a business transaction. And if that's what the customer believes, then the business had better believe the same thing."

Customer acquisition and retention is a multiyear investment, Worrall adds, and customers are costly to replace. "Your long-term business goal, no matter what business you're in, is to build a positive relationship with customers and prospects," he says. "The last thing you want to do is to break that trust."

Make Policy Transparent

The CSO, however clear his ethical stance is, may face considerable pressures in the handling of customer data. "First, there's the question of legal obligations imposed by legislation such as GLBA, HIPAA, SOX and so on," says Sabett. "Then there are legal obligations imposed by contract, such as confidentiality provisions. Finally, there may be pressures exerted by business forces, either internal or external."

In the health-care industry, for instance, customer (or patient) privacy is paramount. "'Doing the right thing' is dictated by a whole set of government regulations," says Dick Gibson, chief medical information officer at Providence Health System. "But it also takes some common sense." The Health Insurance Portability and Accountability Act (HIPAA) supports business as usual, he says, and simply gives teeth to good business practices. But the challenge for Gibson is that HIPAA puts certain restrictions on sharing patient information for the sake of conducting research, which, he contends, may ultimately adversely affect patient care. "HIPAA really put a chill on what we can do internally now," says Gibson. "I'm afraid the pendulum has swung too far. And the letter of the law doesn't necessarily reflect the intent of the law."

It's in the payment process, not in the hospitals, Gibson says, where the potential abuse could happen. "That's where all the personal data is being transferred," he says. "That's part of the problem with our fee-for-service health-care system." The answer, says Gibson, is to develop a smart privacy policy spelling out exactly when it is right to release customer data, and when it is not, so that your customers are not at the mercy of someone making a quick decision during some crisis on a Saturday night.
