Policy advisor: Legislation won't end breaches

01.03.2006
As one of the five Commissioners on the Federal Trade Commission (FTC) between 1997 and 2005, Orson Swindle was involved in the launch of the agency's Do-Not-Call program and participated in policy deliberations about information security and privacy. He was also involved in efforts to revise the Organization for Economic Cooperation and Development's (OECD) Information Security Guidelines in 2002 and 2003.

Now the senior policy advisor and chair at the Center for Information Policy Leadership -- a privacy think tank whose members include Procter & Gamble, Eli Lilly & Co. and Microsoft Corp. -- Swindle talked with Computerworld about some of the privacy challenges facing corporate America.

What's driving the privacy agenda these days? In the past year, we've heard about some hundred-plus disclosed security breaches, about hacking, lost laptops, lost files, disclosures of account numbers and even computers falling off the back of delivery trucks. Each one of these represents a potential disclosure of very sensitive information. The reports we've read very likely exaggerated the nature of the harm done in some cases. But that's not to say we don't have a problem. We darn sure do have one. And this inadequate protection of sensitive data is just unacceptable. We have got to collectively do a much better job at it. And I say 'we' collectively because it's going to take everyone, including consumers. There's no security initiative, there's no new law, there's no new technology that's going to solve this problem altogether.

What does this mean for businesses? The biggest concern for business is just being aware that if you handle information you've got an obligation to protect it. The Federal Trade Commission with a couple of decisions last year plainly stated that. Those two cases specifically involved BJ's Wholesale Club and DSW Inc. Both of the cases were brought against companies not for a promise not kept but for simply being in the business of collecting and using information that is sensitive and not taking sufficient precautions to protect that information. The important thing to note with these two cases is that BJ's Wholesale and DSW were not [regulated entities such as] medical institutions; they were not financial institutions. But what they encountered was a de facto extension of the Gramm-Leach-Bliley requirement under the unfair and deceptive practices aspect of the FTC Act Section 5. In other words, what the FTC said to those two firms is that your conduct in not protecting this information is unfair in that you didn't do what you ought to have done.

Do you see the FTC being more proactive in taking action against companies, even if no actual breach may have taken place? This, in effect, has already happened. There are a couple of cases on record. It would be impossible for me to say which ones they are. But there is at least one case where the FTC, again under Section 5, brought a case against a company -- not for a breach but for making a promise of having certain safeguards that really weren't there. They were making a promise of things they couldn't keep, because they didn't have the mechanisms in place to provide that kind of security.

ChoicePoint was fined US$15 million by the FTC recently. What sort of precedent does that set? That case is quite a bit different from BJ's Wholesale and DSW. In the ChoicePoint case, there were lots of things that were violated there -- in particular, the Fair Credit Reporting Act. That carries with it monetary penalties that can be substantial, and in this case, obviously were. If nothing else, it certainly should be getting people's attention. Talk about a two-by-four between the eyes getting your attention.

What impact are all of these breaches having? Let's talk about the individual first. We know that millions of people have had their information exposed, bank accounts depleted and have had to go through the trauma of getting their credit ratings squared away. Then there's the firm that failed to provide adequate security through negligence or inadequate measures. They suffer a number of losses. Ask ChoicePoint how much it cost them not having it done adequately. There's the loss of reputation, brand denigration, the [impact on] stock prices. Then there's the peripheral things that become awful big. The lawsuits and the litigation costs become enormous. It's causing consumers to lose confidence in using the medium of information technology. That may be the biggest loss of all.

How is all of this steering the privacy debate in Congress? There's the emotional hue and cry of all of this affecting members of Congress and members of state legislatures to 'do something.' Unfortunately, we will see some onerous legislation that might allow some political figure to declare victory and walk away. But it will not be a victory, unfortunately. Legislation alone is not going to solve this problem.

So what do companies need to be doing differently? We think of information and protecting it as protecting our stuff. Our corporate secrets, the Coca-Cola formula and things like that. But today information security is about protecting all that other stuff. It's the information we use. We gather it, we store it, we manipulate it, we use it, we sell it, we transfer it. All those things are points of vulnerability that the company that owns the information is responsible for. To do this right, businesses have to start thinking more holistically about how they manage, how they function, how they use their processes. You know, right now I hear it frequently talking to CIOs and chief privacy officers, and the majority of them lament that they are just third tier in their organizations and they are viewed as overhead, nobody pays attention to them and so forth. Well, it's time for management, the CEOs, the senior VPs [to see] that information is the lifeblood of their organizations.

Is a national privacy law a good thing to have, considering the patchwork of state laws that companies have to currently deal with? Well, you know sometimes a good thing to have is the least worst of all the other alternatives. Right now, I think there are 23 state laws concerning security breaches. I think there are another 19 or 20 states well along the path. I think it's just one of those situations that begs for some national standard. When you have this many laws what you really get is a de facto national standard that happens to be the most onerous of all those laws.

Will privacy concerns push the industry to an opt-in standard? I don't know. I've been leery of opt-in notices. [A company's] opt-out policy might tell you that we are XYZ credit card company and that we collect this information and here's how we use it and here's how we share it with affiliates and if you don't want us to do this, tell us. The last I heard about how many people opt out, it certainly was in the single-digit percentages. It's very low compared to the gazillion people who get these notices. Suppose that was opt-in and the company says if you want us to continue to do this please let us know, and the response was, say, 50 percent; we'd still lose 50 percent of the members moving their information around. Think about what that would do to the economy. How disruptive it would be. It just seems that opt-in, while in some cases [it's] definitely appropriate, just making everything opt-in might create more harm than good.