
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: Computerworld

Posted on March 24, 2001

      The sudden interest in appointing chief privacy officers (CPO) stems as much from fear as it does from the desire to protect customers.

      The CPO movement is young: About 50 to 75 companies have created such positions in the past several months, according to Alan Westin, a business privacy expert who in July started the Association of Corporate Privacy Officers (ACPO) in Hackensack, N.J.

      Many more CPOs are expected to be hired as a result of the growing corporate angst over whether the U.S. Congress will pass strict privacy laws that may hamper business. The Federal Trade Commission (FTC) has already suggested that corporate self-regulation isn't working.

      But having a CPO is fast becoming a checklist item to help companies ward off government regulation and to reassure customers that their privacy will be protected, says Jonathan Gaw, an analyst at International Data Corp. in San Mateo, Calif.

      Often, a CPO is at a disadvantage from the start, Gaw says. "Companies are about making money," he says. "But CPOs don't have a budget. They are not responsible for profit and loss. They generally don't have large staffs relative to the rest of the company, and, of course, they don't bring in any revenue."

      In general, no standard chain of command involving the CPO exists yet. At some companies, the CPO reports to the director of compliance; at others, he reports to the CEO. CPOs are former lawyers, marketing people and compliance officers. They may or may not have an information technology background, although experts say having an understanding of IT is key.

      The job description varies, but, according to the ACPO, general duties include the following:

  • Training employees about privacy.
  • Comparing the company's privacy policies with potential risks and then figuring out how to fill gaps.
  • Managing a customer-privacy dispute and verification process.
  • Informing senior executives on how the company deals with privacy issues.

      Sometimes a CPO is named after a bad privacy incident threatens sales and profits. For example, Minneapolis-based U.S. Bancorp, an $86 billion bank, appointed a CPO in August 2000 after spending $3 million to settle a lawsuit that accused the bank of selling confidential customer financial data to telemarketers. CPO Patricia Bauer reports to the president and chief operating officer.

      DoubleClick Inc., an online advertising firm in New York, brought in a CPO after the FTC and several states started to investigate its data-sharing practices last winter. People had complained about DoubleClick's tracking of individual Web users by name and then matching the information to a marketing profile database. The company has since stepped back from that plan. DoubleClick appointed the CPO to oversee and educate the public about its privacy policies, the company said in a statement.

      What separates a forceful CPO from a figurehead is whether that person can change or stop a marketing or IT project when privacy questions arise.

      At AT&T Corp., for example, Mike Lamb, who was appointed CPO in June, recently had a hand in nixing a deal with a large consumer retail company to market AT&T's long-distance service.

      The retailer insisted that it get full access to AT&T customer data, Lamb says. But that would have violated the phone company's vow to keep such information confidential unless the customer OKs its release.

      "I got directly involved in the conversations [with the retailer]. I reinforced in the context of those negotiations that our commitment to privacy was nonnegotiable," Lamb says.

      Sally Cowan, CPO at New York-based American Express Co., participated in the recent creation of single-use credit-card numbers for online shopping, a company spokeswoman says. At every step -- from customer focus groups to development and implementation -- Cowan made sure Amex's privacy policies explained how the so-called Private Payments service took shape before it was launched in September.

      One warning sign that a CPO may be ineffective is when he has other job titles and responsibilities, says Jim Grady, an analyst at Giga Information Group Inc. in Cambridge, Mass. When that happens, the CPO will likely be too busy to keep up with all the business, political and technical aspects of the privacy issue, Grady says.

      Pat Carmody is a multitasking CPO at Mutual of Omaha Insurance Co. A lawyer by training, Carmody was appointed to lead privacy efforts four months ago. As CPO, he's overseeing a companywide audit of data flows to determine what happens to customer information as it moves through the Omaha-based insurer.

      Yet Carmody's actual title is vice president of insurance department services. He's also in charge of making sure the insurer's many forms and rate structures comply with state and federal laws. But he maintains that despite his multiple roles, privacy is "an important mission" for the insurer. He plans to have three people working for him on privacy issues by year's end.

      Still, a better strategy is to keep the CPO free of other duties, Grady says. "There's a new wrinkle to privacy every day. If you're responsible for several other areas, it'll be quite difficult to do the privacy part of the job well," he says.

      The relationship between the CPO and the IT group is critical. Not only must a CPO understand IT security, but he should also be well-informed about how the IT group treats customer data as it pulses through the company's systems.

Proactive or Reactive?

      Even when they go to the trouble of naming a CPO, not all companies insert that executive into IT processes. Often, for example, IT people aren't required to meet with the CPO when applications are being designed. Rather, the CPO is contacted only after privacy questions surface.

      Some experts criticize this approach, saying it's easier and cheaper to fix potential problems early in a project rather than afterward.

      Shelley Harms, executive director of privacy at New York-based Verizon Communications, says that although she isn't a checklist item on the IT group's agenda during new projects, she regularly talks with technology managers in each business unit. "So if a crisis comes up, we have that relationship," she says.

      That's just what happened this summer, when a form on Verizon's Web site that lets customers place repair orders inadvertently exposed account information. When Verizon found out about it, IT shut down the application to fix it while Harms offered advice on how to route the account information so it wouldn't be revealed online. She also worked with IT on a postmortem study of what went wrong and how to avoid making the same mistakes in the future.

      But even when a company has a formal privacy policy, employees may disagree about how to interpret it. That's when the CPO must referee.

      Harms recently mediated when internal marketing staffers questioned which Verizon pledge should take precedence: the company's vow to honor customer requests not to receive marketing mailings or a promise to give customers better alternatives to their current long-distance programs. "We debated, and we decided that telling somebody that his service has become cheaper or that tweaking it in this manner will make it cheaper isn't a solicitation," Harms says.

      Overall, she says, she must consider philosophical issues about how to protect customer privacy while the company earns a profit. But she also has to dig into technology issues such as how best to combine Verizon's various "do not call" customer opt-out lists into a single Oracle Corp. database.

      "The CPO's job," she says, "is a combination of 50,000 feet and down in the dirt."
