Microsoft leads an industry-wide struggle to balance customer privacy and business value.
Since 1999, Peter Cullen has been working overtime to make Microsoft
a company obsessed with securing customer privacy and information. It's
no small task, turning a giant ship like Microsoft toward information
practices that impact every aspect of its business, from software research
and development to product marketing. But as Chief Privacy Strategist
at Microsoft, Cullen felt the software giant had no choice.
"Three years ago, there was a lot of effort across the company in
the field of privacy -- it just wasn't particularly well connected,"
Cullen says. "In addition to training 8,500 developers about security,
we learned we had to be a lot more programmatic in building security into
the design process."
The stakes are high for Microsoft -- and for every other company doing
business over the Internet. According to a recent survey by the Pew Institute,
fears about identity theft and online scams have blunted the growth of
online shopping. Some sectors, such as online banking, have been particularly
hard hit by eroding customer confidence.
Larry Ponemon, chairman of the Ponemon Institute, a Tucson-based security
and privacy research firm, says Microsoft is taking all the right steps
toward privacy protection. But he worries that these efforts have yet
to spread to most businesses.
Game Plan for Going Private
Following are tips and tactics for improving information
privacy and security:
Create the right culture: Make privacy and security
a core part of your business. Ensure that both are at
the foundation of every new process, product and proposal.
Set priorities: Determine what information you
really need to keep. For instance, eliminate use of
Social Security numbers for account tracking and purge
aging data. You can't leak information you don't own.
Train your troops: Don't just tell employees
what to do and expect them to figure out the details.
Implement training programs that show them exactly how
to deal with complex situations.
Cross borders: Make sure your business partners'
processes meet your security and privacy requirements.
Choose a champion: Establish a chief privacy
officer or create a similar, dedicated high-level position
to keep privacy and security on the executive team's
Promote your policies: Tell your customers about
your privacy and security culture.
-- Michael Desmond
"The problem is that the information sharing practices of large
companies are very, very complex," Ponemon says. "The issue
forces a company to tackle the question of 'Where is this information
going and who has access to it?'"
In the United States, a patchwork of local and state regulations is pushing
companies to refine their polices. As one example, Ponemon cites California's
the Light Law," which requires companies to disclose whether
and how they share customer information and provide ways that consumers
can opt out. But that same patchwork makes compliance unmanageable.
Cullen's response has been to push for a federal law that holds businesses
to a single, national standard. "We urged Congress to consider baseline
federal privacy legislation as a way to ensure that consumers are adequately
protected, as well as give businesses the guidance they need," he
He describes a "holistic" approach to solving privacy and information
security challenges. He urges companies to look past point technology
solutions to pervasive changes in practices and culture. Past and current
experiences with spam, spyware and "phishing" are all evidence
that technology alone won't address those challenges, he says.
Privacy questions grow in scope when you consider the vast amounts of
information that businesses legitimately share. As one step toward addressing
that challenge, Cullen describes a Microsoft program that offers privacy
training to business partners. Instead of a simple contract that defines
what a partner can do, Cullen says his company helps partners actually
Ultimately, companies must balance what Cullen calls the "tension"
between keeping information private and reselling data for impressive
financial gain. He says businesses must find a way to secure information
even as they benefit from it.
"The question really isn't 'Should I do one or the other?'"
Cullen says. "The question is 'How do I do both?' [Companies] need
to turn the information into value while at the same time keeping it very
secure so that it's only used appropriately, the way the customer intended."
Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.