Privacy On The Internet:
Building Trust and Managing Risk
By Emily Freeman
The Privacy Issue
The very nature of e-Business and the migration of marketing and servicing to the Web involve the collection and use of personal data, such as phone numbers, credit card histories, income, and on-line buying patterns. Certain key aspects of the e-commerce value proposition are at odds with privacy: portal marketing (projecting a group of aligned companies to the customer as a single entity); personalization (creating an environment tailored to each customer’s needs); integration (integrating with business processes as well as with business partners, suppliers, etc.); and return on investment (leveraging vast data resources for higher margins and new revenue sources). These aspects encourage the greater collection and use of non-public personal information to improve customer service and overall revenues, at a time when controls on such use matter more than ever to the public and to regulators.
Privacy is an important concern for consumers who use data networks and provide non-public personal, financial and health-related information about themselves as a necessary part of a transaction or service. Jupiter, a leading Internet industry analyst, surveyed consumers and found that 86% are reluctant to purchase from on-line sellers because of concerns over the privacy and security of the personal data they must provide in order to complete the transaction. Other surveys confirm that merely placing a privacy policy statement on a web site is not sufficient to overcome these concerns. There appears to be a disconnect between the way business and the private citizen perceive privacy issues, and the consequence is a top-line revenue issue for businesses engaged in e-business activities.
Many of the lawsuits and regulatory enforcement actions regarding privacy revolve around the following issues. In each case, the alleged privacy violator is the commercial provider of services or products, referred to here as the “company”:
- Inadequate notice to those individuals providing information of the company’s intent to use the information.
- The company’s failure to obtain informed consent from the individual providing information.
- The individual’s lack of access or ability to control and/or change information, because the company provided no means to do so.
- The company’s failure to enforce the stated privacy policy, either directly or indirectly through unaffiliated marketing partners.
- The parent company’s attempted sale of a customer list following bankruptcy of a subsidiary or affiliate.
Industry has begun to answer the objections of privacy advocates. For example, companies can obtain privacy policy certifications that can be displayed on a web site (such as those of the Better Business Bureau or TRUSTe). These certifications involve a best-practices approach to utilizing customer data. In addition, major U.S. companies such as Disney, IBM, Intel, and Microsoft have set an example by working only with web advertisers that have a baseline privacy policy. Consumer privacy advocate organizations are still not impressed with industry’s voluntary efforts and want more vigorous prosecutions and laws.
In a number of major corporations, a new management position has been created to manage privacy company-wide. The challenge for the CPO (Chief Privacy Officer) in a large corporation is the many departmental silos and management structures in affiliates and subsidiaries.
CPO risk objectives include:
- Increase top-line revenues for e-Commerce businesses by reducing the reluctance of their potential customers to purchase goods or services or to transact business over the Web. An effective privacy program that customers recognize as such can reduce this reluctance.
- Decrease vulnerability to potentially disruptive and expensive regulatory action and litigation on the privacy issue.
- Protect the public reputation and image of the company, without sacrificing operational objectives in utilizing Internet based technology.
Privacy risk control, however, cannot stop at the CPO’s office; it must extend to the practices and activities of internal audit/compliance, customer relations, data management, marketing, and risk management. For new applications or business units where the use of non-public information about individuals may be involved, privacy risk control needs to be part of the picture from the start, not an afterthought.
Many companies are entertaining some or all of the following privacy risk control activities:
- Senior management education on issues and costs related to privacy enterprise management in order to develop an appropriate on-going strategy. The key concept is to obtain senior management involvement in setting the corporate privacy policy that then can be implemented with adequate support and financial resources.
- Management training for marketing, customer relations, and IT departments. Privacy workshops help decision-makers identify strategies for responsible handling of customer information and define management action plans.
- Privacy risk assessment focusing on data flows, workplace privacy risks, compliance obligations, online privacy practices and use of customer and employee information. These assessments are independent evaluations of corporate privacy policies, data practices, training, compliance, and documentation. The consultants performing these assessments interview and evaluate a number of corporate functions. Typically, questions delve in depth into how applications collect, use, store, or disseminate non-public personal information. A number of firms provide these services, including Privacy Council (www.privacycouncil.com) and, for financial services, an on-line service from Compliance Coach (www.compliancecoach.com).
- Joining a privacy consortium (such as the Online Privacy Alliance or the Direct Marketing Association) and/or obtaining a Privacy Certification, such as TRUSTe and BBBOnLine. These measures can demonstrate to the public that privacy is a serious corporate concern.
- Comply with a new standard called P3P (Platform for Privacy Preferences) developed by the World Wide Web Consortium. P3P is a browser-oriented specification: the browser reads XML tags that are tied to elements of the corporate privacy policy. In essence, P3P lets web sites publish machine-readable versions of the company’s data collection and sharing practices for consumers. Note that P3P’s focus is only on web sites, whereas privacy issues concerning corporate networks and databases go far beyond web sites.
- Information dissemination on the latest relevant legal and regulatory news concerning privacy, both domestic and international. The legal and regulatory environment keeps changing, and the company needs to be aware of the latest issues.
- Risk transfer through contracts and insurance in coordination with legal and risk management functions. At a minimum, the company should examine relevant contracts with other firms where individual data is shared in some manner. What indemnification is provided in the contract for a privacy violation? Also, the risk manager should review relevant liability policies for scope of indemnity and defense for privacy lawsuits and regulatory actions.
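As an added example that is not part of the article, the following Python script parses a P3P policy of the kind described above and lists, for each statement, what data is collected, for what purposes, who receives it and how long it is kept, flagging statements a privacy reviewer would want to compare against the written policy. The sample policy is constructed; element and token names follow the P3P 1.0 vocabulary, and the flagging rules are my own assumption about what merits review.

```python
# Added example (not from the article): parse a P3P 1.0 policy and summarize what
# each STATEMENT discloses, flagging practices a privacy reviewer should compare
# against the human-readable policy. The policy below is constructed; element and
# token names follow the P3P 1.0 vocabulary.
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample: one statement for order fulfilment, one for clickstream
# data handed to an unaffiliated marketing partner and kept indefinitely.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="shop" discuri="http://example.com/privacy.html">
  <STATEMENT>
   <PURPOSE><current/></PURPOSE>
   <RECIPIENT><ours/><delivery/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.postal"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><tailoring/><telemarketing/></PURPOSE>
   <RECIPIENT><unrelated/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

# Assumed review rules: practices that usually conflict with a "we never share
# your data" promise or with a stated retention period.
THIRD_PARTY_RECIPIENTS = {"other-recipient", "unrelated", "public"}
OPEN_ENDED_RETENTION = {"indefinitely"}

def _tokens(stmt, tag):
    """Names of the empty child elements (e.g. <ours/>) under STATEMENT/<tag>."""
    node = stmt.find(P3P_NS + tag)
    return sorted(c.tag.replace(P3P_NS, "") for c in node) if node is not None else []

def summarize_policy(xml_text):
    """Return one dict per STATEMENT with its data refs, practices and review flags."""
    summary = []
    for stmt in ET.fromstring(xml_text).iter(P3P_NS + "STATEMENT"):
        entry = {"data": [d.get("ref") for d in stmt.iter(P3P_NS + "DATA")],
                 "purposes": _tokens(stmt, "PURPOSE"),
                 "recipients": _tokens(stmt, "RECIPIENT"),
                 "retention": _tokens(stmt, "RETENTION"), "flags": []}
        if set(entry["recipients"]) & THIRD_PARTY_RECIPIENTS:
            entry["flags"].append("shared-with-third-parties")
        if set(entry["retention"]) & OPEN_ENDED_RETENTION:
            entry["flags"].append("retained-indefinitely")
        summary.append(entry)
    return summary
```

Running `summarize_policy(SAMPLE_POLICY)` flags only the second statement, which is the one a reviewer would check against any "no sharing" language in the written policy.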
Insuring Privacy
It is important to review contract requirements and insurance coverage related to this issue, especially in the higher risk businesses (financial services, health care, media, retail, and Internet infrastructure/services).
The new ISO Commercial General Liability Coverage Form (CG 00 01 10 01) proposes changes in a number of significant areas as a result of the impact of the Internet on business liability risks. One of these areas is Coverage B, Personal Injury and Advertising Injury, where coverage related to privacy is found. The new form takes Internet and electronic publications into account and broadens the territory definition for Coverage B to activities on a worldwide basis.
There are, however, some issues concerning privacy in the new CGL forms.
- Suits brought in countries outside of the U.S., its territories, Canada or Puerto Rico. The CGL limits the territory in which suits can be brought. The international nature of data transfer may involve the insured in defending itself in countries outside of this territory definition (in particular, refer to previous comments concerning the E.U. Data Directive).
- Coverage for regulatory enforcement actions. This is a particular problem for financial and health care companies—see previous comments on this subject.
- Damages exclude punitive damages, fines, and penalties (which may be associated with a privacy case).
- The CGL utilizes the phrase “oral or written publication, in any manner, of material that violates a person’s right of privacy”. Does the word “publication” go far enough to address all of the aspects of a possible privacy violation?
- Exclusions related to:
  - Knowing violations or criminal acts of the “insured” (without a severability or innocent-insured provision);
  - Insureds in an Internet or media type business, or web sites with electronic chatrooms or bulletin boards (quite a few companies will fall into one or more of these excluded categories).
- A number of the new stand-alone cyber liability policies (e-business or Internet Services liability policies) may provide broader definitions and coverage for the privacy issue. Large companies may prefer to create manuscript language to extend the coverage under existing custom insurance policies or in these new e-Business policies.
The new e-business policies do address a number of issues that are problematic in the new CGL, but note that there are differences between the individual carriers’ policies, and they need to be reviewed carefully. In general, the e-business policies provide:
- Suits brought anywhere in the world
- Coverage for Internet or media type businesses, chatrooms and bulletin boards
- Coverage for security breaches and failures, as well as privacy-related issues
- Coverage for punitive damages
- Broader definition of claim or suit to include an administrative or regulatory proceeding (review policy exclusions carefully, however, with regard to regulatory actions)
- Broader definition of media services beyond just “publication” of material.
AUTHOR’S NOTE
Reader comments and ideas on these issues and solutions are greatly appreciated. Please feel free to e-mail me at Emily.Freeman@marsh.com. A good review of security best practices can be obtained by taking the free on-line security assessment at www.aignetadvantage.com.
riskVue | The webzine for risk management professionals
August 2001