Private Eyes

Microsoft leads an industry-wide struggle to balance customer privacy and business value.

Since 1999, Peter Cullen has been working overtime to make Microsoft a company obsessed with securing customer privacy and information. It's no small task, turning a giant ship like Microsoft toward information practices that impact every aspect of its business, from software research and development to product marketing. But as Chief Privacy Strategist at Microsoft, Cullen felt the software giant had no choice.

"Three years ago, there was a lot of effort across the company in the field of privacy -- it just wasn't particularly well connected," Cullen says. "In addition to training 8,500 developers about security, we learned we had to be a lot more programmatic in building security into the design process."

The stakes are high for Microsoft -- and for every other company doing business over the Internet. According to a recent survey by the Pew Institute, fears about identity theft and online scams have blunted the growth of online shopping. Some sectors, such as online banking, have been particularly hard hit by eroding customer confidence.

Larry Ponemon, chairman of the Ponemon Institute, a Tucson-based security and privacy research firm, says Microsoft is taking all the right steps toward privacy protection. But he worries that these efforts have yet to spread to most businesses.

A Game Plan for Going Private

Following are tips and tactics for improving information privacy and security:

Create the right culture: Make privacy and security a core part of your business. Ensure that both are at the foundation of every new process, product and proposal.

Set priorities: Determine what information you really need to keep. For instance, eliminate use of Social Security numbers for account tracking and purge aging data. You can't leak information you don't own.

Train your troops: Don't just tell employees what to do and expect them to figure out the details. Implement training programs that show them exactly how to deal with complex situations.

Cross borders: Make sure your business partners' processes meet your security and privacy requirements.

Choose a champion: Establish a chief privacy officer or create a similar, dedicated high-level position to keep privacy and security on the executive team's radar.

Promote your policies: Tell your customers about your privacy and security culture.

-- Michael Desmond

"The problem is that the information sharing practices of large companies are very, very complex," Ponemon says. "The issue forces a company to tackle the question of 'Where is this information going and who has access to it?'"

In the United States, a patchwork of local and state regulations is pushing companies to refine their polices. As one example, Ponemon cites California's "Shine the Light Law," which requires companies to disclose whether and how they share customer information and provide ways that consumers can opt out. But that same patchwork makes compliance unmanageable.

Cullen's response has been to push for a federal law that holds businesses to a single, national standard. "We urged Congress to consider baseline federal privacy legislation as a way to ensure that consumers are adequately protected, as well as give businesses the guidance they need," he says.

He describes a "holistic" approach to solving privacy and information security challenges. He urges companies to look past point technology solutions to pervasive changes in practices and culture. Past and current experiences with spam, spyware and "phishing" are all evidence that technology alone won't address those challenges, he says.

Privacy questions grow in scope when you consider the vast amounts of information that businesses legitimately share. As one step toward addressing that challenge, Cullen describes a Microsoft program that offers privacy training to business partners. Instead of a simple contract that defines what a partner can do, Cullen says his company helps partners actually do it.

Ultimately, companies must balance what Cullen calls the "tension" between keeping information private and reselling data for impressive financial gain. He says businesses must find a way to secure information even as they benefit from it.

"The question really isn't 'Should I do one or the other?'" Cullen says. "The question is 'How do I do both?' [Companies] need to turn the information into value while at the same time keeping it very secure so that it's only used appropriately, the way the customer intended."

About the Author

Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.


comments powered by Disqus

Subscribe on YouTube