CIOs think about privacy the way some people think about exercise: with a sigh and a sense of impending pain. Outside of regulated industries like health care--where patient privacy is paramount--privacy affects CIOs as a corollary of security when, say, a laptop holding millions of people's records is lost or hackers siphon off customer data.
"CIOs generally don't care about privacy," says Peter Milla, former CIO and chief privacy officer at Survey Sampling International (SSI). Milla says most CIOs either focus on technology, or regard privacy as outside their domain, the province of a chief privacy or chief security officer. He finds both attitudes wrongheaded. CIOs, Milla says, should "want to be ahead of the curve" on privacy.
The reasons, Milla adds, will become more obvious as business goes increasingly digital. Web 2.0 applications connect like Legos, creating opportunities for companies to gather incredible amounts of data. On social networks and blogs, people post vast amounts of information about themselves. Marketers, meanwhile, are developing ever-better tools to exploit information about what individuals do online. Companies routinely unlock sensitive data for business partners. As businesses enter into cloud computing, they will give custody of their data to service providers. These trends create the potential for unprecedented insight into people's behavior and open new ways to do business. But they also create challenging questions about privacy, questions for which the answers are unclear.
Milla says he recently worked to modify a request from a big-box retailer that wanted information about the people his company had surveyed on the retailer's behalf. "They were bewildered and frustrated that we wouldn't give it to them," says Milla. The retailer already collects plenty of data on its customers and didn't see what the problem was with a bit more. But Milla saw a breach of privacy, a contractual violation. If word leaked out that SSI shared personal data about its panelists, the disclosure could devastate SSI's business.
Milla says the big-box retailer's attitude is endemic. Companies think the data they gather belongs to them. Not true, he says, but is he right?
The very question might strike CIOs as strange. Ten years ago, then-Sun Microsystems CEO Scott McNealy told us, "You have zero privacy anyway. Get over it." Since then, we have collectively gotten in touch with our inner exhibitionist. People talk about their antidepressants on Facebook or post videos of themselves violating work policies on YouTube (two Domino's workers were fired for such a stunt). Teenagers are sending naked or semi-clad pictures of themselves over their cell phones.
But people also ask for photos or videos to be removed from social networking sites, says Deirdre Mulligan, a lawyer and former law professor who is now assistant professor at the University of California at Berkeley School of Information. Individuals and communities have balked at the way Google Maps' Street View exposes location information. Meanwhile, a 2008 Harris Interactive poll found that 60 percent of Americans were uneasy about having Web content customized for them based on their usage patterns.
Maybe privacy isn't dead. In fact, says Michael Blum, a partner at Fenwick & West and chair of the firm's privacy and information security practice, privacy should trigger all sorts of alarms for CIOs who must protect trade secrets, prevent security breaches or clean up after incidents that lead to bad public relations, lawsuits and expensive records repairs. It won't be long, Blum says, before some company has to deal with employees harassing each other in public via Facebook. Welcome to privacy 3.0.