Privacy: What CEOs Need to Know

If chief execs aren't up on the issue yet, they better learn fast: Customers won't stand for anything less

Good privacy is good business, a fact that more than a few CEOs have had to learn the hard way. Over the past year, the chief executives of airlines JetBlue (JBLU) and Northwest (NWAC) have both faced criticism -- and federal investigations -- when it was revealed that they had improperly shared customer travel data with federal agencies. And on Mar. 30, telecom giant MCI paid a $100,000 fine to Indiana -- a state record -- for continuing to interrupt the dinners of households that had signed up for the state's do-not-call list.

Privacy doesn't have to be all stick and no carrot, however. CEOs who proactively protect customers' privacy can avoid humiliating headlines -- and enjoy a boost in business. According to a recent Harris Interactive study, nearly 50% of consumers say they would buy more frequently and in higher volumes from companies they know have sound privacy practices.

And more than 80% of consumers said they would stop doing business entirely with companies that misuse personal information. "Most CEOs still see privacy as a compliance issue," like occupational health and safety rules, says Larry Ponemon, principal at Tucson-based privacy think tank Ponemon Institute. "But there's an opportunity side. A good CEO knows that good privacy wins you a better reputation and better customers."

Setting the house in order is often best left to a company's chief information officer or, better yet, its chief privacy officer -- people who should be intimately acquainted with the structure of company databases and the flow of information. Yet a CEO who understands the issue and designates privacy as a priority can make all the difference. Here are four tips for CEOs who want to put their companies on the right path:

Learn the lingo.

Privacy, like any business specialty, has its own vocabulary. CEOs shouldn't be expected to know the ins and outs in numbing detail, but a responsible exec should understand the four basic data protection principles that are the foundation of any privacy plan.

First, there's "notice," the information the company gives customers describing how their data will be used and shared, as well as the procedures it uses to ensure that those rules aren't violated.

Second is "choice." In a privacy context, choice describes the options individuals have to protect their personal information. For example, a company might provide its customers a chance to "opt out" -- stipulate that their data can't be passed on to third parties -- or "opt in" and explicitly authorize sharing of their personal information.

Third is "access," the rules under which a business makes individuals' information available to them so they can update, correct, or review it. This is important not only for the customer but for the corporation. For example, a credit-card company whose data on home addresses is out of date puts customers at risk of having their identities stolen when an offer is mailed to the wrong house. And the corporation will get fewer new customers if the mail doesn't arrive at the right place.

Finally, and perhaps most important, is "use, retention, and disclosure." These terms describe how corporations use each piece of information. Will purchasing histories be shared with company subsidiaries? Will home phone numbers be sold to third parties? How long will data be stored? Too often, executives want to issue blanket policies that say their company can do anything with customer data. These days, customers demand more.

Address business incentives.

Most companies genuinely want to safeguard sensitive information and avoid pestering customers. Problem is, there's a disconnect between such good intentions and the incentives given to sales and marketing teams, says Alex Fowler, co-director of PricewaterhouseCoopers' national privacy practice. To convert leads into revenue, sales and marketing staffs frequently are under overwhelming pressure to use data in any way they can to make a sale, no matter what the privacy policy requires.

"This is the No. 1 corporate privacy problem -- and one CEOs are uniquely positioned to recognize and set right," says Fowler.

Just how to do that will vary. Some CEOs could change performance metrics for the marketing department so that execs are rewarded based on the percentage of positive responses they get to a direct-mail offer, rather than on total revenue earned. This would encourage marketers not to blast everyone with a new offer but concentrate on only those customers who might really be interested.

Provide tools -- and resources.

Nearly a decade into the Internet Revolution, every company has a barebones privacy policy. But having a policy and implementing one are two different things. To ensure that every department is following company rules, CEOs should mandate what experts call a "deep dive" -- an analysis of data usage, flows, and retention.

The goal: To highlight any potential vulnerabilities. Once a company understands its own processes, it can put in place tech tools and new business processes that will help it avoid the privacy black eyes that are becoming increasingly common.

It could also help protect CEOs from prosecution. Laws such as the Sarbanes-Oxley Act, which requires CEOs and chief financial officers to certify that their financial houses are in order, could one day be applied to data privacy and security, predicts Brian Tretick, head of privacy-related services at consultants Ernst & Young.

If that happens, "having a policy no longer will be good enough," Tretick says. "You'll have to attest that you have effective controls to enforce that policy." The penalties for subverting company standards often include fines, audits, and, in Europe, a possible ban on the use of any data that was handled inappropriately.

Consultants such as Tretick are frequently called in to create a privacy plan. But a company doesn't need an army of outsiders to create a privacy framework. The American Institute of Certified Public Accountants has a particularly good privacy outline available for download free of charge on its Web site.

Get religion.

"The No. 1 thing is to make people culturally aware that privacy is important," says Chris Larsen, chairman and CEO of online mortgage broker E-Loan (EELN). "It has to come from the top."

Larsen would know. He has made privacy a pillar at E-Loan, going as far as to donate $1 million of his own money to get a financial-privacy bill passed in his native state of California (see BW Online, 8/11/02, "Will Voters Opt for Opting In?"). After a four-year struggle, the act was signed into law in August, 2003.

Larsen says his message has reached consumers: He thinks it's the main differentiator between E-Loan and other online mortgage brokers. In internal surveys, more than 91% of E-Loan customers cite privacy as one of the most important factors in choosing an online broker.

Larsen says he talks about privacy "all the time, at every meeting" in an effort to get employees to tune in. He knows that as CEO he can't be responsible for every data record or customer interaction. But his job, Larsen says, "is to make people realize that at E-Loan, [privacy] is not just a policy on a piece of paper."

Most companies will reach the same conclusion as the Internet-fueled proliferation of data -- and data-sharing -- becomes a more integral part of business. Consumers are slowly but surely wising up to their right to protect their personal information. The Federal Trade Commission has been deluged with complaints about spam e-mail and telemarketers who ignore the national Do Not Call List. The Health & Human Services Dept. receives about 100 complaints a week, mostly from individual patients, about doctors or hospitals who don't obey the Health Insurance Portability & Accountability Act (HIPAA).

It's only a matter of time before consumers turn their attention to corporations. "The consumer backlash is real. We've only seen the tip of the iceberg," says PricewaterhouseCoopers' Fowler. So for CEOs, now is the time to act.

By Jane Black in London
