[ISN] Profitable privacy

R. A. Hettinga rah at shipwright.com
Fri Feb 22 10:45:31 EST 2002


--- begin forwarded text


Status:  U
Date: Fri, 22 Feb 2002 02:53:51 -0600 (CST)
From: InfoSec News <isn at c4i.org>
To: isn at attrition.org
Subject: [ISN] Profitable privacy
Sender: owner-isn at attrition.org
Reply-To: InfoSec News <isn at c4i.org>

http://www.computerworld.com/storyba/0,4125,NAV47_STO68354,00.html

By PATRICK THIBODEAU
February 18, 2002

Privacy is an important part of Royal Bank Financial Group's customer
relationship management (CRM) system.  Employees explain Web cookies
to customers; the bank offers cell phones with special encryption
chips for wireless transactions; and it has a pilot program through
which it gives away firewalls and other security products to
customers. That's right, for free.  So where's the profit in that?

For Peter Cullen, chief privacy officer at Toronto-based Royal Bank,
there's profit in privacy. "It is one of the key drivers of a
customer's level of commitment and has a significant contribution to
overall demand," he says.

As more countries adopt stricter privacy laws, companies have to adapt
their CRM systems to comply. But Royal Bank clearly sees privacy as
more than a legal issue -- it's also a pathway to a customer's loyalty
and spending.

"We are very much in a relationship business," Cullen says, adding
that privacy "plays a measurable part in how customers decide [to]
purchase products and services from us. It brings us more share of the
customer's wallet."

Many companies are reluctant to offer customers more privacy choices,
such as opt-in features that require getting customer permission to
collect or transfer personal information. Businesses fear they'll lose
their ability to leverage customer data and share such information
with affiliates.

Dennis Behrman, an analyst at Meridien Research Inc. in Newton, Mass.,
sums up the prevailing attitude: "You won't lose customers if you
offer privacy options, but you may lose access to your ability to gain
information."

But before companies can ask how privacy fits into a CRM strategy,
they need systems that can handle privacy compliance. New domestic and
international laws are arriving rapidly. Australia, which enacted its
new privacy law in December, is a good example.

A section in Australia's law requires companies to destroy customer
data or make it anonymous once it's no longer needed. That includes
backup files, says Andrew Handelsmann, an attorney at Deacons, a law
firm in Sydney. Compliance will involve more than simple deletion to
ensure that files are really erased from drives, he says.

Complying with laws of this type, as well as integrating privacy into
a CRM strategy, requires changes in IT systems and management. "It's
keeping the system smaller, and it's more controlled," says Greta
Ostrovitz, IT director at Cadwalader, Wickersham & Taft, an
international law firm in New York. "We don't have these huge, huge
databases that just have a life of their own and no one knows what's
in it."

Tighter control is important to CRM strategies and legal compliance,
Ostrovitz says. For instance, when her firm wants to send online and
print mailings to clients in England, it must first get client
permission for the mailings, according to U.K. privacy regulations.
"In building a system, the key is maintaining an audit trail so you
know exactly when something gets entered, who entered it, when was
something mailed, what exactly got mailed," says Ostrovitz.

The Gramm-Leach-Bliley Financial Services Modernization Act, which
took effect in the U.S. July 1, was one of the reasons
Cleveland-based KeyBank revamped its massive customer databases.

KeyBank pulled about 50 million customer records held by various
business units and distilled them into a single database of 11 million
records.

"We wanted a customer-centric approach, where the customer just came
to us once -- at any entry point in the company -- and we could then
identify the rest of their relationships in the organization," says
Angela Maynard, chief privacy officer at the Fortune 500 bank.

In going through the 50 million customer records, KeyBank also
"cleaned" the data held by different business units to improve
accuracy. It did this in part by matching the data against 200 million
credit records maintained by Experian Inc. in Orange, Calif.

From a CRM perspective, this single view of the database means that if
a customer asks to be excluded from certain forms of information
sharing, as allowed under the Gramm-Leach-Bliley law, this privacy
request can be consistently applied across all business units, Maynard
says.

"If you don't have all those [records] collected and connected
together, there's a risk you are going to miss a record or two,"
Maynard says.

Although privacy issues present technical challenges to data
management, a well-designed CRM system is much better suited to
privacy controls than a hodgepodge of separate legacy systems, says
Michael Beresik, national director of the privacy practice at New
York-based PricewaterhouseCoopers.

Keeping Data Sacred

Most affected by privacy law compliance is the health care industry,
which, under the Health Insurance Portability and Accountability Act
(HIPAA), must have strict access controls for records.

Providence Health System, a Beaverton, Ore.-based health care provider
with about 780,000 members, is developing a system that limits access
to medical records on a need-to-know basis. A financial analyst, for
instance, would see only the customer data pertinent to his work, says
Chris Apgar, Providence's data security and HIPAA compliance officer.

These changes, although not directed at customers, are nonetheless a
form of CRM because customers expect their health care records to be
confidential. "One of the big selling points is how well you are
taking care of my health data -- that's one of those things that's
sacred," Apgar says.

But many industries are worried about the unsettled nature of privacy
laws. In addition to various privacy initiatives in Congress, states
are free to adopt their own privacy standards. Some, such as
California, may require a customer opt-in policy for financial record
sharing, instead of the federal opt-out approach, which requires
consumers to take action if they want to stop record sharing.

"We are holding our breath that [lawmakers] don't change direction,
and we will have to build something totally new," says Maynard.

Internationally, U.S. firms that transfer customer and personnel data
out of Europe have to comply with European privacy laws. These laws
allow customers access to data that's held about them, and let them
determine how that information is used.

Some U.S. firms, such as consumer products giant Procter & Gamble Co.
in Cincinnati, have adopted as their global business rule the European
privacy standard, which is gradually being followed by other
countries. This approach creates uniformity and reduces potential
compliance costs, the company says.

Analysts say e-commerce companies can lose business if consumers don't
trust that personal information will be carefully guarded. Forrester
Research Inc. in Cambridge, Mass., estimates that total online
spending last year of $47.6 billion would have been $15 billion higher
had it not been for consumer privacy concerns. Companies can increase
sales by making their privacy policies clearer and easily
understandable and accessible to consumers, says Christopher Kelly, a
Forrester analyst.

On the other hand, active online consumers don't seem to pay much
attention to privacy policies, according to data compiled by
WebSideStory Inc., a company that analyzes Web site data. In its
analysis of page views, "the privacy page rarely makes the top 100" of
anyone's site, says Randy Broberg, chief privacy officer at the San
Diego-based company.

"The opinion polls that say that everybody in America is frightened to
death about privacy overstate the reality of people who are actually
surfing the Internet," Broberg says.

But based on its internal studies, Royal Bank is convinced that
privacy keeps customers coming back, says Cullen. The secret to
effective CRM is delivering value to the customer, he says.

If a customer starts turning off the information flow, does that
indicate that he's concerned about his privacy, "or does it say that
we haven't generated enough value to them?" asks Cullen.

"We have a high level of trust with our customers right now. It's ours
to lose," he says. "But there are huge benefits to doing things that
continue to reinforce that trust."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo at attrition.org with 'unsubscribe isn' in the BODY
of the mail.

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com


