Wanted: Privacy Outlaws

Shortly after AT&T Wireless (www.attws.com) launched its PocketNet Web service, the company discovered it had a problem. Subscribers wirelessly strolling the Web left behind records of their phone numbers at Web sites.

When discovered, the privacy breach angered consumer advocates and sparked several articles.

“That was a huge wake-up call,” said Wally Hyer, AT&T Wireless chief privacy officer (CPO).

The real tragedy was that the company had been working on a system to transmit unidentifiable code rather than phone numbers when subscribers visited Web sites. The system was near completion when PocketNet launched, but AT&T Wireless decided to roll out Pocket-Net before eliminating the potential privacy problem, Hyer said.

“We learned a very tough lesson: You don't launch unless you've got privacy protections in place,” Hyer said. “That's why we made the strategic decision that we're going to internalize the importance of privacy in all aspects of our services and offerings.”

At the time of PocketNet's launch, AT&T Wireless still was part of AT&T, and about a month after the launch, AT&T appointed Michael Lamb as its CPO.

“The company as a whole from the chairman (John Zeglis), who was active in drafting our privacy policy, was desirous of ensuring that we provide leadership — not only within the company but also to establish a leadership role in monitoring and maintaining customer privacy within our industry,” Hyer said.

The goal appears a lofty one. Maintaining customer privacy can be complicated. Perhaps the toughest aspect involves protecting subscriber data from threats both inside and outside of the company.

With the current proliferation of Internet users, hackers and viruses, the task becomes daunting.

Recent examples are alleged privacy breaches involving visitors to the Web sites of Verizon Wireless (www.verizonwireless.com) and an AT&T Wireless reseller.

AT&T Wireless discovered that a few of its subscribers might have had personal data stolen, Hyer said. He added that the privacy breach was tracked to a sub-dealer of an AT&T Wireless dealer. The incident provided another lesson for AT&T Wireless.

“There's a great effort under way now to work with, train and sensitize our distribution channels so that they have a deep understanding of the importance of maintaining customer-information protection in their day-to-day business activities,” Hyer said.

With his appointment, Hyer joined a new class of corporate officers.

Privacy experts and analysts say the CPO title still is a rarity in all industries. Alan Westin, president and publisher of Privacy & American Business (www.pandab.org) and head of an associated CPO training program, estimates there are fewer than 500 CPOs in the United States. But he expects that number to continue to increase.

PricewaterhouseCoopers analysts (www.pwcglobal.com) have a similar assessment. In a recent report, they predict companies will be driven by new privacy legislation and consumer concerns to place more emphasis on the CPO role.

Late last year, PricewaterhouseCoopers conducted an informal survey of 66 Fortune 500 companies that employ CPOs and found the companies struggling to define the CPO role and disciplinary focus. In 50% of the surveyed companies, the CPO was part of the legal department. Only 8% of the companies said they'd created an independent privacy department headed by the CPO.

Wireless carriers have been among the slow adopters of the CPO concept, according to Westin.

“The privacy function is not yet institutionalized in the wireless world the way it has been institutionalized in the traditional telecom world,” Westin said. “But that's changing, and it needs to change very quickly.”

Westin said two central wireless privacy issues are driving the change. First, the advent of location-based services will create questions about who should have access to subscribers' location information and under what conditions.

In July, the U.S. Senate introduced legislation known as the Privacy Protection Act of 2001 to address the location issue. If passed, the legislation would require providers of location-based services and applications to give consumers notice about the kinds of information collected, the purposes for which it's used, how it's stored and who can access it. The providers also would be required to get consumers' permission before collecting information.

Advertising on wireless devices is the other significant privacy issue. The key questions here are who should be able to use subscriber information for advertising purposes and what kinds of options subscribers should have.

The wireless industry has begun to adopt its own privacy standards in anticipation of privacy legislation and regulations, Westin said.

Certainly, at AT&T Wireless that's the case, Hyer said.

“I've long held the belief that Congress passes laws when the policies and practices of businesses or individuals become so outrageous that they're intolerable,” he said. “Federal legislation is usually the last bastion of being able to provide protection to Americans where the marketplace won't do it. We have seen and will continue to see the introduction of privacy-related legislation.”

As pressures intensify, Westin anticipates more wireless carriers will abandon the practice of distributing privacy functions to separate business units. He predicts that within six months or a year, nearly every major wireless company will have a CPO to oversee privacy initiatives.

Westin said a privacy officer should communicate with all business units that could affect subscriber data privacy. The goal is a comprehensive policy rather than a fragmented one.

Among the top 10 U.S. wireless carriers, companies such as Verizon Wireless, Cingular (www.cingular.com) and Sprint PCS (www.sprintpcs.com) don't have CPOs; although, one or more employees within each company address privacy issues as needed. As in most industries, privacy duties often fall under the jurisdiction of the legal department.

Although Hyer is an attorney, he's quick to say that ensuring compliance to privacy laws is not his primary function. Instead, he considers it his duty to foster a culture of privacy throughout the organization, with the goal of getting and keeping customers' trust.

Public relations is a big part of the job. Internally, the efforts translate to employee-awareness training, which is tailored to specific business functions. It also means conducting team meetings about privacy and providing privacy updates on the company's intranet site and during staff meetings. AT&T Wireless also is working on a video to inform new hires of privacy issues during orientation.

“It's part of my job to understand all aspects of our business, all aspects of the services and products that we offer, ranging from network to IT to human resources to business security to product development and so forth,” Hyer said.

As Hyer puts it, one person would need brain matter 15 times the normal size to handle such a task. For this reason, AT&T Wireless created a privacy council to apprise Hyer of privacy risks and issues within business units. The council of about 10 senior executives meets at least once each month to discuss issues ranging from product and service design to business security and the use of cookies.

External public relations is another important part of the job. Hyer defines that as letting people know what AT&T Wireless is doing in the privacy arena and encouraging them to visit the company's Web site and read the privacy policy posted there.

At the end of the Web version of the AT&T Wireless privacy policy, a link enables visitors to give feedback or ask questions. Hyer said the company received about 600 hits on the privacy policy the first week it was posted. During the week of Aug. 13, the policy received more than 10,000 hits.

However, most of the questions AT&T Wireless receives from the Web site involve customer-service issues such as signing up for service, according to Hyer.

“There are others that ask deeper questions about the use of cookies or banner ads and the use of information,” he said. “We give them personalized e-mail responses back. If they choose not to have cookies placed and so forth, we accommodate that.”

But Hyer said people haven't expressed much concern about the company's use of cookies, Web bugs and other data-collection technology. He attributes the small degree of concern to consumer awareness of the technologies.

At the same time, Hyer stresses the importance of his job to avoid breaches of privacy, which lead to loss of consumer confidence. He perceives his primary function as preventing such incidents, which he calls “missed expectations.”

“I don't want our customers to have missed expectations or to be surprised,” Hyer said. “I want to be able to communicate to them quite clearly what information is collected, why it's collected and give customers the opportunity to choose whether or not they want to participate in a particular service.”

Nextel (www.nextel.com), which reportedly also employs a CPO, was contacted for this story but did not respond to calls before press time.

In 1999, Harris Interactive (www.harrisinteractive.com) conducted an IBM-sponsored (www.ibm.com) consumer privacy survey. Between April 19 and May 31, the pollers interviewed about 1,000 adults each from the United States, Germany and Great Britain. They also conducted an online survey of 2,000 U.S. adults to determine Internet buying habits and privacy attitudes. Here are some of the key survey findings:

• 78% of the American consumers, 52% of German consumers and 58% of British consumers had refused to give information to a business because they considered the information unnecessary or too personal.

• 58% of American consumers had asked to be removed from a company's marketing list, along with 23% in Germany and 29% in Britain.

• 53% of American consumers have asked a company not to sell or give their names to another country, compared to 32% in Germany and 54% in Britain.

• 54% of American consumers had decided not to use a company or buy a product or service because they were not sure how their personal information would be used. This compares to 35% of German and 32% of British consumers.

• Internet users are more interested in personalized marketing communications than non-Internet users, as long as privacy policies are provided. Internet users tend to be more privacy-conscious than non-Internet users.

• Organize and coordinate privacy task force or committee
• Conduct privacy risk assessment for business operations involving personal data
• Help to develop a corporate privacy code
• Monitor the corporation's compliance with privacy laws and regulations
• Conduct privacy reviews of new products
• Watch for privacy concerns among consumer groups and regulators and address those concerns
• Handle crisis management
• Act as corporate spokesperson on privacy issues
• Conduct regular and annual privacy audits.

Privacy & American Business, Chief Privacy Officer Program