Turning Risk into Reward

Information is the new currency in today's marketplace. More companies are collecting and analysing Personally Identifiable Information to better understand current and prospective customers in order to build profitable and enduring relationships.

But with the reward of capturing an increased share of the market comes the risk of not having the privacy and data security policies in place to protect huge quantities of personal, sensitive and confidential information. The result can be litigation and loss of reputation from non-compliance, or worse, a privacy violation.

Furthermore, it's not just customer data that poses risks. Privacy legislation at the federal and state level also requires companies to protect the information stored about employees, shareholders and the general public.

In response to recent litigation and legislation, many companies have added the position of chief privacy officer to their senior executive roster. Too often, the position is viewed as one of risk management. Instead, the scope of the job should focus both on complying with statutory mandates and engendering trust and confidence in how the organisation manages personal information.

The risk management approach to privacy and security of personal information creates a situation in an organisation where privacy and customer-based strategies are at odds. A positive and proactive approach to privacy and data protection is what I refer to as Responsible Information Management (RIM).

RIM is a process that applies to all business information and how that information is managed within an organisation. Companies that adopt RIM are in a better position to ensure that their leaders, employees and business partners protect and respect personal information. It also enables the organisation to align the information preferences of its key stakeholders — such as consumers, employees, shareholders and the general public — with business, data and technology management practices within the organisation.

Here's how RIM achieves the dual benefits of creating trust and achieving compliance.

The Five Elements of Ethical Business Practice

Most of the ethical information practices for complex organisations seek to stop or reduce the improper collection of information, the wrongful dissemination or sharing of information without proper permission or safeguards, and excessive profiteering from abusive information usage.

For the typical organisation, proper information management subsumes the following five elements or characteristics of ethical business practice:

Privacy. Does the company understand the privacy preferences of individuals that it deals with? Are the privacy rights of customers, employees and other stakeholders protected? Do consumers trust the company? Does the company "walk-the-walk" with respect to its stated privacy pledge or policy? Does the company take similar steps to control confidential information about business partners and vendors?

Security. Does the company take reasonable steps to protect information from unauthorised access and use? Is the information infrastructure secure? Are there backup and contingency plans in place to protect information in the event of a business interruption or catastrophic event?

Accuracy. Is the information collected and used reasonably accurate? Does the company exercise controls to ensure that accuracy over customer and employee data is assessed and managed on an ongoing basis?

Efficiency. Does the company use the appropriate amount of information to fulfill its business purpose and needs? Does the company have the right information to develop a one-to-one relationship with customers and other important stakeholders?

Consistency. Does the company employ consistent methods to protect and control business information? Are confidential, sensitive and private information sources protected in a consistent fashion throughout the enterprise?

The RIM Process

The elements of an effective RIM process are closely aligned with the Fair Information Practices advanced by the US Federal Trade Commission and other regulatory groups that are viewed as leaders in the international privacy, security and information protection community. Such fair information practices typically fall into five broadly defined areas:

Notice. Disclosure to the public about how your organisation collects, uses, shares and protects data.

Choice. Typically expressed as an "opt-out" or "opt-in" to the use and sharing of personal information by consumers and employees of an organisation.

Access. Giving people the right to see and correct information held about them.

Security. Reasonable measures to protect data and limit access by unauthorised parties.

Redress. Process for venting concerns and, if necessary, filing a complaint. Keep in mind that management of the redress process is very important because it is the last line of defence before individuals seek counsel from law firms, regulators and public advocacy groups.

Achieving RIM is more than meeting regulatory compliance, though. The choice that an organisation makes concerning its information management practices can have very serious ethical, social and legal implications.

It is my belief that RIM should be viewed as a holistic management process that establishes the roadmap for managing information according to fair information practices. RIM is a continuum of program activities that is designed to motivate, measure and monitor the organisation's information collection, use, sharing, retention and security practices. As such, it is inextricably linked to core business activities such as sales, customer service, marketing, procurement, billing and accounting.

RIM's key elements ensure that a company's information use and handling practices are aligned with business goals and stakeholder preferences. Those key elements of the typical RIM process are:

—Process management, such as performance-based measurement, scorecards, external verification and enabling technologies.

—Education and Awareness, such as classroom training, facilitated training and e-learning programs for all employees who handle sensitive personal information.

—Monitoring, a formal process for identifying privacy and data protection risk and vulnerability areas within core business units, databases and software applications.

—Communications, such as policies, corporate communications, employee handbooks, compliance procedures and crisis management interventions.

—Enforcement, the formal mechanism and due process for responding to consumer or employee issues and concerns.

Measuring the Effectiveness of the RIM Process

Like most management processes, performance measurement is necessary to ensure focus and accountability. Following are some ideas for measuring the effectiveness of the RIM process:

—Develop process performance benchmarks and guidelines that can be verified (perhaps by an independent third party).

—Use a drill-down approach to assess privacy, data protection and information ethics risk at the core business process level.

—Develop performance indicators that focus on the antecedents or early warning signs that information practices are not aligned with RIM principles or stakeholder preferences.

—Use a "balanced scorecard" approach to measure improvements and establish accountability for individuals as well as business units.

Further Rewards

Taken together, implementing the list of tasks above will yield benefits for most organisations such as lessening the risk of a costly privacy and security blow-up. Based on my experience, following are some additional observable propositions about the rewards of implementing RIM within a complex organisation.

Improved business performance. Typically, companies spend too much time and effort collecting information that they never need or plan to use. While the cost of storage is nominal, the excess information creates data integrity, quality and accuracy problems. The typical privacy and data protection audit finds that more than half of the personal information collected by a company is not relevant to its business purpose. Hence, eliminating excess or redundant data reduces privacy and data security risk, and at the same time may increase business performance.

Enhanced customer loyalty. As advanced by experts on customer relationship management (CRM), companies that understand and respect the preferences of their customers typically do better in a competitive marketplace. Companies like American Express, Earthlink, Royal Bank of Canada and E-Loan all found that customers appreciated the privacy and security protections they provided. By virtue of customer trust, companies that have superior information management practices tend to get a much higher consent rate to use personal information.

Reduced risk of litigation. Privacy and data protection regulations are real. Costly class-action litigation for alleged privacy and security abuses of individuals and businesses is becoming a commonplace event. Recent stories such as those about Eli Lilly, Ford and DoubleClick show how lawsuits and regulatory investigations can affect world-class companies in terms of stock price declines and lost reputation.

Dr Larry Ponemon is chairman and founder of Tucson-based Ponemon Institute, a think tank dedicated to advancing ethical information and privacy management practices in business and government. He is also a partner with Peppers & Rogers Group, a leading strategic management consulting firm focusing on responsible information management practices.
