COLUMBUS, OHIO (10/03/2003) - Regulatory requirements and the need to protect corporate reputations are making it crucial for companies to implement comprehensive data privacy programs, said users at the PrivacyCon 2003 conference in Columbus, Ohio, this week.
A failure to do so will eventually expose them to legal risks, hinder their ability to do business in certain parts of the world and jeopardize trusted relationships with customers, they added.
"Privacy laws are having a huge impact" on companies, said Jay Cline, privacy manager at Carlson Companies Inc., a Minneapolis-based group of businesses in the travel, hospitality and marketing industries.
Carlson, which until late 2000 had no formal privacy program, is rolling out a global effort aimed at getting its business units to comply with a patchwork of state, federal and international requirements, Cline said.
A Corporate Value
Companies will need to "advance privacy as a corporate value," said Kevin Lyles, a Columbus-based attorney at international law firm Jones Day LLC. "If you don't have a privacy program, you have legal exposure. Fines and penalties are going to be much higher" for noncompliance, he said. A company's perceived stance toward privacy will also have an impact on shareholder value, he added.
A recent controversy involving JetBlue Airways Corp.'s release of passenger information to a private contractor is an example of the kind of reputation damage companies risk from privacy-related failures, said Peter Cullen, chief privacy strategist at Microsoft Corp.
The incident involved JetBlue providing passenger information to a Department of Defense contractor, which used the data for a project related to military-base security.
"JetBlue is a company that probably wishes it had done things differently," Cullen said during a keynote address.
A JetBlue spokesman offered no comment, saying that it was still too soon after the incident to be able to say what lessons have been learned from the episode.
Establishing a privacy program is more complex than just meeting regulatory requirements, said Keith Herath, chief privacy officer at Nationwide Mutual Insurance Co. in Columbus. "Legal requirements are only the minimum. Most laws are a compromise to the lowest common denominator," Herath said.
Sometimes companies have to accommodate higher standards to ensure that a consistent policy is applied to all customers, users said.
For instance, prior to the Gramm-Leach-Bliley Act, Nationwide had to comply with a law in 15 states that required it to provide to customers certain rights of access to personal data -- and the means to correct any inaccurate data. Though the act doesn't require Nationwide to take the same measures in the other 35 states, the insurer has begun doing so anyway, Herath said. "We felt that it made no sense to offer it in 15 states and nowhere else," he said.
But implementing a consistent global privacy program can be a huge challenge, said Scott Shipman, chief privacy officer at eBay Inc.
As a company with operations in several countries, San Jose-based eBay is forced to deal with various cross-border data transfer and retention requirements, consumer consent models, reporting requirements and enforcement issues.
New state-level privacy regulations such as those being proposed in California add to the problem, Shipman said.
But multinational companies are going to have few options but to comply, Lyles said.
"The data protection directives in Europe are forcing companies to take privacy seriously," Lyles said. The real concern today for a lot of companies is that enforcement of European laws could well force them to stop the flow of data to and from that region, he added.
Microsoft Exec Says Privacy a Top Concern at Company
Microsoft Corp. is determined to incorporate better privacy safeguards into its products and practices, according to its chief privacy strategist, Peter Cullen.
Addressing a group of privacy professionals at the PrivacyCon 2003 conference here this week, Cullen said Microsoft is focused on giving users more choice and control over the manner in which information is collected and used.
To that end, Microsoft has implemented a privacy program to create a high level of awareness relating to privacy issues in the product design stage. The Microsoft Windows group alone has 125 employees with privacy-related responsibilities and five privacy managers focused on ensuring that each of the components that goes into the Windows operating system has been "thought through from a privacy perspective," he said. This includes looking at how each component collects, stores and uses data, he said.
The company is also focused on giving users more choices and control over their information, he said. As an example, he cited the user consent that's required to send error reports to Microsoft via the Internet when an application crashes.
Microsoft is also working on a new security technology called the Next-Generation Secure Computing Base that will allow users to secure confidential data within a "virtual vault" in a PC. The technology will allow users to store confidential information in a separate location on a PC and control application access to that data. It will also allow users to control who can see that data during data transmission.