[ISN] Profitable privacy

From: InfoSec News (isnat_private)
Date: Fri Feb 22 2002 - 00:53:51 PST

    February 18, 2002

    Privacy is an important part of Royal Bank Financial Group's customer
    relationship management (CRM) system.  Employees explain Web cookies
    to customers; the bank offers cell phones with special encryption
    chips for wireless transactions; and it has a pilot program through
    which it gives away firewalls and other security products to
    customers. That's right, for free.  So where's the profit in that?
    For Peter Cullen, chief privacy officer at Toronto-based Royal Bank,
    there's profit in privacy. "It is one of the key drivers of a
    customer's level of commitment and has a significant contribution to
    overall demand," he says.
    As more countries adopt stricter privacy laws, companies have to adapt
    their CRM systems to comply. But Royal Bank clearly sees privacy as
    more than a legal issue -- it's also a pathway to a customer's loyalty
    and spending.
    "We are very much in a relationship business," Cullen says, adding
    that privacy "plays a measurable part in how customers decide [to]
    purchase products and services from us. It brings us more share of the
    customer's wallet."
    Many companies are reluctant to offer customers more privacy choices,
    such as opt-in features that require getting customer permission to
    collect or transfer personal information. Businesses fear they'll lose
    their ability to leverage customer data and share such information
    with affiliates.
    Dennis Behrman, an analyst at Meridien Research Inc. in Newton, Mass.,
    sums up the prevailing attitude: "You won't lose customers if you
    offer privacy options, but you may lose access to your ability to gain
    But before companies can ask how privacy fits into a CRM strategy,
    they need systems that can handle privacy compliance. New domestic and
    international laws are arriving rapidly. Australia, which enacted its
    new privacy law in December, is a good example.
    A section in Australia's law requires companies to destroy customer
    data or make it anonymous once it's no longer needed. That includes
    backup files, says Andrew Handelsmann, an attorney at Deacons, a law
    firm in Sydney. Compliance will involve more than simple deletion to
    ensure that files are really erased from drives, he says.
    Complying with laws of this type, as well as integrating privacy into
    a CRM strategy, requires changes in IT systems and management. "It's
    keeping the system smaller, and it's more controlled," says Greta
    Ostrovitz, IT director at Cadwalader, Wickersham & Taft, an
    international law firm in New York. "We don't have these huge, huge
    databases that just have a life of their own and no one knows what's
    in it."
    Tighter control is important to CRM strategies and legal compliance,
    Ostrovitz says. For instance, when her firm wants to send online and
    print mailings to clients in England, it must first get client
    permission for the mailings, according to U.K. privacy regulations.  
    "In building a system, the key is maintaining an audit trail so you
    know exactly when something gets entered, who entered it, when was
    something mailed, what exactly got mailed," says Ostrovitz.
    The Gramm-Leach-Bliley Financial Services Modernization Act, which
    took effect in the U.S. July 1, was one of the reasons
    Cleveland-based KeyBank revamped its massive customer databases.
    KeyBank pulled about 50 million customer records held by various
    business units and distilled them into a single database of 11 million
    "We wanted a customer-centric approach, where the customer just came
    to us once -- at any entry point in the company -- and we could then
    identify the rest of their relationships in the organization," says
    Angela Maynard, chief privacy officer at the Fortune 500 bank.
    In going through the 50 million customer records, KeyBank also
    "cleaned" the data held by different business units to improve
    accuracy. It did this in part by matching the data against 200 million
    credit records maintained by Experian Inc. in Orange, Calif.
    From a CRM perspective, this single view of the database means that if
    a customer asks to be excluded from certain forms of information
    sharing, as allowed under the Gramm-Leach-Bliley law, this privacy
    request can be consistently applied across all business units, Maynard
    "If you don't have all those [records] collected and connected
    together, there's a risk you are going to miss a record or two,"  
    Maynard says.
    Although privacy issues present technical challenges to data
    management, a well-designed CRM system is much better suited to
    privacy controls than a hodgepodge of separate legacy systems, says
    Michael Beresik, national director of the privacy practice at New
    York-based PricewaterhouseCoopers.

    Keeping Data Sacred

    Most affected by privacy law compliance is the health care industry,
    which, under the Health Insurance Portability and Accountability Act
    (HIPAA), must have strict access controls for records.
    Providence Health System, a Beaverton, Ore.-based health care provider
    with about 780,000 members, is developing a system that limits access
    to medical records on a need-to-know basis. A financial analyst, for
    instance, would see only the customer data pertinent to his work, says
    Chris Apgar, Providence's data security and HIPAA compliance officer.
    These changes, although not directed at customers, are nonetheless a
    form of CRM because customers expect their health care records to be
    confidential. "One of the big selling points is how well you are
    taking care of my health data -- that's one of those things that's
    sacred," Apgar says.
    But many industries are worried about the unsettled nature of privacy
    laws. In addition to various privacy initiatives in Congress, states
    are free to adopt their own privacy standards. Some, such as
    California, may require a customer opt-in policy for financial record
    sharing, instead of the federal opt-out approach, which requires
    consumers to take action if they want to stop record sharing.
    "We are holding our breath that [lawmakers] don't change direction,
    and we will have to build something totally new," says Maynard.
    Internationally, U.S. firms that transfer customer and personnel data
    out of Europe have to comply with European privacy laws. These laws
    allow customers access to data that's held about them, and let them
    determine how that information is used.
    Some U.S. firms, such as consumer products giant Procter & Gamble Co.  
    in Cincinnati, have adopted as their global business rule the European
    privacy standard, which is gradually being followed by other
    countries. This approach creates uniformity and reduces potential
    compliance costs, the company says.
    Analysts say e-commerce companies can lose business if consumers don't
    trust that personal information will be carefully guarded. Forrester
    Research Inc. in Cambridge, Mass., estimates that total online
    spending last year of $47.6 billion would have been $15 billion higher
    had it not been for consumer privacy concerns. Companies can increase
    sales by making their privacy policies clearer and easily
    understandable and accessible to consumers, says Christopher Kelly, a
    Forrester analyst.
    On the other hand, active online consumers don't seem to pay much
    attention to privacy policies, according to data compiled by
    WebSideStory Inc., a company that analyzes Web site data. In its
    analysis of page views, "the privacy page rarely makes the top 100" of
    anyone's site, says Randy Broberg, chief privacy officer at the San
    Diego-based company.
    "The opinion polls that say that everybody in America is frightened to
    death about privacy overstate the reality of people who are actually
    surfing the Internet," Broberg says.
    But based on its internal studies, Royal Bank is convinced that
    privacy keeps customers coming back, says Cullen. The secret to
    effective CRM is delivering value to the customer, he says.
    If a customer starts turning off the information flow, does that
    indicate that he's concerned about his privacy, "or does it say that
    we haven't generated enough value to them?" asks Cullen.
    "We have a high level of trust with our customers right now. It's ours
    to lose," he says. "But there are huge benefits to doing things that
    continue to reinforce that trust."