Privacy Policies: Serving Up Your Customers

The privacy debate is nothing new. But it will heat up as the lines between security and privacy blur.

Customers of JetBlue, the 4-year-old New York City-based airline, get a few extras when they fly. Among them: comfortable leather seats and individual television screens equipped with DirecTV. But in the summer of 2002, customers got something they hadn't signed up for: the release by JetBlue of their personal data to Torch Concepts, a contractor for the Department of Defense, which sought the names, addresses, phone numbers and flight information of millions of JetBlue customers for a project concerning military base security. When news of this came out in September 2003, it didn't take long for JetBlue to go from being the little airline that could to being the little airline that could screw up.

Following a public outcry regarding the corporate ethics behind giving third-party access to personal information about customers, JetBlue released a public relations statement that acknowledged the incident as falling-depending on whom you ask-somewhere between a small problem and an utter disaster. Finally, an apologetic e-mail went out to customers from company CEO David Neeleman, who reaffirmed JetBlue's dedication to protecting its customers' privacy. "We remain as firmly committed as ever to the goal of making our nation and its skies more secure; however, in hindsight we realize that we made a mistake," wrote Neeleman.

What makes the JetBlue case particularly vexing to privacy watchers is not just the release of the data in principle, but the fact that JetBlue's actions directly violated the company's own privacy policy. The airline, for its part, says it's still flying high, but the blunder highlights data privacy questions that may become a lot more prevalent as businesses reassess their responsibility to protect customers' privacy. "[JetBlue] made a big mistake, one that I think occurs much more frequently than we know about,"

says Jonathan Gaw, a research manager at IDC (a sister company to CSO's publisher).

Meanwhile, businesses and customers alike are asking themselves if what happened with JetBlue is a cautionary tale for businesses or a harbinger of what's to come for consumers. Who owns the data? And should businesses ever expect customers to sacrifice privacy in the name of protection? Helping or Hurting? In answer to the last question, Jim Harper offers an emphatic no. He is the editor of, a Web-based think tank devoted to privacy. According to Harper, companies that think they're likely to help the government by being willing to share customer data are just plain wrong.

"A lot of the national security debate got off on the wrong foot in the beginning," Harper contends. Many security problems, he says, spring from "lack of human intelligence, not a failure of the federal government to be monitoring our every movement." Letting customers believe the latter is doing them a great disservice.

JetBlue is mum on the subject of exactly why it ignored its own privacy policy and turned over the customer information to Torch Concepts, but a press release on the company's website says that it did so "at the special request of the Department of Defense." Responding to such requests, privacy experts say, if indeed they occur, is likely to do more harm than good.

"There isn't just one big soup of data out there that should be interchanged between private companies and the federal government," says Harper. "Companies aren't helping national security very much when they do share data with the federal government, and they are certainly hurting the privacy and civil liberties of their customers."

Companies, for their part, might see it differently. "In the United States, I really haven't found a company that has a problem sharing information with the federal government when specifically asked," says Dave Miller, CSO of Covisint, a business-to-business service provider for the global automotive industry. And, although Covisint's position in the B2B world means that it doesn't collect and store personal information about individuals, Miller's interactions with international companies have made him painfully aware of the different ways Americans and Europeans view privacy (see "Across the Pond," Page 36). European customers, Miller says, want to know what would happen if the U.S. government ever presented Covisint with a subpoena. Would Covisint give up data? "We'd have to," says Miller. "And so the European companies say, 'Help us figure out a way so that answer to that is no.'"Zealotry May Get You SomewhereSpend some time on a privacy activist website at, and you'll see that some customers don't take kindly to having their information given out in the name of national security. The website happily hauls over the coals companies that its founder, Bill Scannell, thinks have violated the privacy rights of consumers. Among recent targets of his wrath are Delta Air Lines and data vendor Galileo International, both of which reportedly agreed to cooperate with the Transportation Security Administration's testing of Capps II, a passenger screening system designed to identify potential terrorists.

"There are so many claims of national security this and national security that, but all I see is our country becoming less and less safe with more and more information floating around," says Scannell. "Is it good to be on good terms with the feds? Absolutely. Does that mean you have the right and the responsibility to do something of [JetBlue's] magnitude? Absolutely not."

Consumers have good reason to worry about where their data ends up. In September, the Federal Trade Commission released the results of a survey reporting that 27.3 million Americans have been victims of some form of identity theft within the past five years. In the year preceding the survey alone, 9.9 million people had their identities stolen, resulting in $5 billion of out-of-pocket expenses for consumers. So it's no wonder that many consumers are more vigilant than ever about protecting their personal information from prying eyes, whether those eyes belong to the government or potential criminals. "I think that average citizens are beginning to realize that their own personal information has value and can be abused," says Scannell. "Wrapping yourself in the American flag is not a valid security argument. It's pure bluster."

The lesson to Scannell is clear: Customers still expect a company's allegiance to their privacy polices to come before any other considerations.

To some, though, the privacy debate raises questions. Consumers can be a wishy-washy bunch, vacillating between feeling wronged and feeling apathetic about where their information goes, and that makes it difficult for companies to decide which lines to draw and where. According to Steve Hunt, vice president and research director for security at Forrester Research, a general sense of anxiety about protecting customer information pervades many conversations he has with companies. "The litigious nature of most consumers will lead customers to take legal action, which, more often than not, will result in bad press," he says. Indeed, a quick Google search reveals plenty of irate JetBlue customers willing to vent online.

It can be a quick jump from online complaints to business losses, but experts disagree about how abruptly the former can turn into the latter. "Violations of privacy policies can be fatal depending on the business," argues Hunt.

But according to IDC's Gaw, tales like JetBlue's become problematic only when they start to cost a business money. And while JetBlue says it can offer no specifics on how its privacy gaffe affected sales or profits, in October, its third-quarter results revealed a net income of $29 million, compared with $12.2 million in the same quarter the previous year. The number represents the company's 11th consecutive quarter of profitability. If large numbers of JetBlue's customers are turned off by what happened, they're hiding their dissatisfaction pretty well.

"People say they're concerned about privacy, but do people make flying decisions based on that?" asks Gaw.Put Your Money Where Your Mouth IsFor every person who cares desperately about what happens to his personal information once it lands in a company database, there is probably another who simply doesn't care all that much and still another who is willing to sacrifice privacy for protection, convenience or cost savings. "Some people are happy to fly naked if they think that will make them safer," says Scannell. (For more about this phenomenon, see "With Liberty and Surveillance for All," Page 38.)

"Customers may seem eager to hand over information in exchange for the convenience of banking online or getting through the tollbooth faster," says Randy Sabett, an attorney who specializes in information security and technology law at law firm Cooley Godward. "But ultimately, they don't want to think the company they share their information with is helping Big Brother."

The debate quickly boils down to a question of who owns the customer data. "That's easy," says John Worrall, vice president for worldwide marketing at RSA Security. "The customer does. In fact, most people believe that their personal information belongs to them and that they simply allow a company to borrow it in order to facilitate a business transaction. And if that's what the customer believes, then the business had better believe the same thing."

Customer acquisition and retention is a multiyear investment, Worrall adds, and customers are costly to replace. "Your long-term business goal, no matter what business you're in, is to build a positive relationship with customers and prospects," he says. "The last thing you want to do is to break that trust."Make Policy TransparentThe CSO-however clear his ethical stance is-may face considerable pressures in the handling of customer data. "First, there's the question of legal obligations imposed by legislation such as GLBA, HIPAA, SOX and so on," says Sabett. "Then there are legal obligations imposed by contract, such as confidentiality provisions. Finally, there may be pressures exerted by business forces, either internal or external."

In the health-care industry, for instance, customer-or patient-privacy is paramount. "'Doing the right thing' is dictated by a whole set of government regulations," says Dick Gibson, chief medical information officer at Providence Health System. "But it also takes some common sense." The Health Insurance Portability and Accountability Act (HIPAA) supports business as usual, he says, and simply gives teeth to good business practices. But the challenge for Gibson is that HIPAA puts certain restrictions on sharing patient information for the sake of conducting research, which, he contends, may ultimately adversely affect patient care. "HIPAA really put a chill on what we can do internally now," says Gibson. "I'm afraid the pendulum has swung too far. And the letter of the law doesn't necessarily reflect the intent of the law."

It's in the payment process, not in the hospitals, Gibson says, where the potential abuse could happen. "That's where all the personal data is being transferred," he says. "That's part of the problem with our fee-for-service health-care system." The answer, says Gibson, is to develop a smart privacy policy spelling out exactly when it's right to release customer data-or not-so that your customers are not at the mercy of someone making a quick decision during some crisis on a Saturday night.

Too often, however, privacy policies are complicated, and customers either don't understand the language or they don't read the fine print. "Most privacy policies are too cumbersome," says says RSA Security's Worrall. "They're written in two-point type in ways that only lawyers can understand." The solution: Make it simple. Let customers know what they're signing, and make it easy for them to opt in or out of it. "A combination of good policy and good technology will prevent misuse of data and angry customers," says Worrall (see "Read It or Weep," Page 34).

Sabett agrees, and adds, "It's not enough for the CSO to create a privacy policy and toss it over the wall." Sabett recommends that the CSO form an information security "Tiger Team" made up of executives from the legal, technical and business side of things-and even bring a representative from PR into it if they can. "You need to make sure that the CSO is not an island," he says. "If the team meets proactively every couple of months or so, they'll be better prepared to react to a situation if they need to."

Finally, make sure your policy states that no one person can make the decision by themselves to release customer data. "It's really an issue of sound business practices," says Worrall. "You need to have sufficient checks and balances in place."

That advice might have saved JetBlue any injury to its reputation as a great new airline. "They'll work at it, undoubtedly," says Privacilla's Harper, "and certainly they will never make a mistake like this again."

Even if JetBlue doesn't, it's a safe bet that someone else will. The privacy debate is going to get more complicated as the lines between security and privacy inch closer together. And as they do, it will be every consumer-not just the ones flying in JetBlue's leather seats, glued to DirecTV and munching the company's signature blue potato chips-who will be wondering, Who knows what about me? And why?


Copyright © 2004 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)