Affinity Programs

Feb 01, 2003 (3 mins)

Judging from the results of a survey CSO conducted late last fall, a high percentage of respondents (from among nearly 800 CSOs and other top security executives) may feel more of an allegiance to their former colleagues in law enforcement than they do to their enterprise’s customers. In answer to our questions about their willingness to rat out various stakeholders and under what conditions, 24 percent of respondents said they would give up information about customers to government or law enforcement agencies without a court order. When it came to their trading partners and employees, the percentages were 23 and 37, respectively (or disrespectively, in the case of the poor benighted employees).

Upping the ante somewhat, we asked roughly the same question in the context of a national security investigation; in that case, the segment willing to give up customer information without a warrant rose to 41 percent (versus 43 percent who would surrender such data only under court order or subpoena).

To me, this says something about the strength of professional affinity. In many cases, CSOs come from law enforcement backgrounds. They trust police and government agencies to operate in good faith and to do the right thing. Sometimes the people who come knocking for information are old friends whose ties go back a long way. One prominent CSO told me he is frequently called by former police colleagues trying to locate people on outstanding criminal warrants. On request, he would search his company’s customer records and, if any matches were found, provide the subjects’ address information to police.

We live in a world in which most people don’t have guilty consciences (even those who ought to). In the view of a self-described average citizen, those who have “nothing to hide” should never object to invasions of their privacy. By that rationale, privacy is itself a presumptively suspect condition, making those who would insist upon it appear to be guilty of something. Dan Geer, the CTO of security consultancy @Stake, has opined that privacy is a generational thing and that the expectation of having any is being gradually bred out of the populace (this is of course less true in Europe, which continues to exalt privacy). Some of us of a certain age are outraged by practices that younger citizens may take for granted. My mother, for example, reacted with horror to surveillance video of a woman beating her child in a mall parking lot. Her horror, however, was triggered more by the very existence of the video than by the behavior of the woman.

But when it comes to customers, CSOs entreated by police or government agencies to divulge customer information should at least feel the twinge of divided loyalties. They need to ask themselves what, if any, duty they may have to protect the information they get from customers. Must the privacy of customer information always take a backseat to requests from law enforcement? Should such requests be governed by probable cause limitations applied by courts? At a minimum, should customers be fully informed as to the circumstances under which a company will provide information to police?

Clearly, an important debate is needed now about privacy in the context of national security. CSOs should stop to consider where their loyalties lie and whether customers would agree that those loyalties are in the right place. For more on CSO’s related survey, visit