Here's a balancing act for you to try:
Your organization buys customer relationship management (CRM) software so it can get as much information as it can about its customers and analyze (or sell) that information to maximize its sales and profits.
But those customers want to keep that personal information as private as possible, and increasingly governments in the U.S. and elsewhere are on the side of the customers.
As a security manager, you can help balance these competing needs. But your job isn't to implement complicated new privacy-management software for CRM applications. For one thing, there aren't any such tools, analysts say. That's because privacy management is primarily a business, not a technical, problem. But so is security; and as a security manager, you can bring many of your skills at judging the business value of security to the job of judging the business value of customer privacy. There are some specific security tools that might help, but the business issues are the most critical.
"We get lots of questions from our clients about 'Is it legal to do this, is it legal to do that, is it ethical to do this'," says Garter Inc. Analyst Walter Janowksi. "At the end of the day, you can do anything you want as long as you told the customer and they agreed to it. It has to do more with the ways that companies set up their internal processes to manage the flow and distribution of customer data, than with the (CRM or security) tools themselves."
Getting it right is important, first of all, because there are plenty of laws, both domestic and international, to consider. In the last two years, Congress has considered more than 80 bills dealing with privacy, says Janowski. For example, the Health Insurance Portability and Accountability Act (HIPAA), now being implemented, tells healthcare providers in the U.S. how they must protect patient information. The European Union's Data Privacy Directive calls on member nations to prevent the collection of personal data unless the consumer agrees to it. But various countries in the EU interpret and enforce the directive in various ways, making it difficult for global companies to come up with a single policy.
When it comes to CRM, data privacy policies depend on "what companies think they can get away with, and what kind of customer you are," says Forrester Research Inc. Analyst Laura Koetzle. A bank, for example, might risk alienating low-profit customers by selling their names to a telemarketer. But, she says, "if you're a premium money-market type of customer, chances are they're going to try to be a little more careful about who they're going to give your name to."
CRM vendors are not offering privacy management tools themselves, says Koetzle, because they have little control over how their software is used and don't want to face lawsuits if customer data from a CRM application is misused. Instead, she says, they leave it up to the customers or consultants implementing the software. The Personalization Consortium, a Wakefield, Mass.-based trade group that includes CRM vendor E.piphany Inc. and PricewaterhouseCoopers, issued a set of privacy principles in early 2001 but has kept a low profile since then.
Some customers are using access control tools such as Tivoli Systems Inc.'s SecureWay Privacy Manager to enforce privacy policies. Watchfire Corp.'s WebCPO manages privacy on Web sites, and Richardson, Texas. -based consultancy Privacy Council Inc. helps companies form and implement privacy policies. Privacy Council also offers a free online tool (www.privacycouncil.com/freep3pfix.php) to help companies comply with the Platform for Privacy Preferences standard, which aims to tell Web users if a site doesn't meet the user's privacy preferences. Most of these tools and services, though, are not specific to CRM applications.
One technical hurdle to implementing CRM privacy rules is that most companies lack a single database with accurate information about all its customers, regardless of what products or services they buy, says Janowski. At a phone company, for example, the database would have a single entry listing "James Smith" with his privacy preferences, even if he signed up as "Jim" for his home long distance and as "James" for his wireless access. Many companies have tried, and failed, to set up such a "data warehouse" to help them sell different products and services to the same customer. The lucky ones who have succeeded, says Janowski, can easily add privacy preference to the customer's record.
"Until there is a large, messy liability lawsuit that gets litigated, I don't think we'll have any clear answers on what companies need to do" from a strict legal standpoint, says Koetzle. But until then, security managers can help make the business decisions about customer data privacy policies: make sure they're communicating corporate privacy policies at the same time as their security policies; and be aware of when their existing access and authentication tools can also help enforce privacy policies.
You can't solve the entire privacy management issue yourself. But as a security manager concerned with the proper use of corporate data, there's a lot you can do to help.
About the author
Robert L. Scheier writes frequently about security from Boylston, Mass. He can be reached at firstname.lastname@example.org.
This was first published in April 2002