May 2003

How Companies Can Benefit By Addressing Privacy Issues

By Jack Miller and Rob Arning

The information-gathering techniques that spur the growth of global trade also give rise to a paradox: As obtaining information becomes easier, more individuals and regulatory agencies are calling for stricter limits on the collection and dissemination of personal data.

Instead of seeing this development as a threat, leading businesses view privacy protection as a way to enhance shareholder trust, build their brand name, avoid costs, mitigate risks, improve customer satisfaction, and generate potential new sources of revenue. For example, while 35 million Americans spent about $45 billion online in 2000, some researchers estimate that U.S. companies lost out on another $12.4 billion because of consumers’ reluctance to share personal information over the Internet.

Perhaps a first step is balancing a customer’s right to privacy with a company’s interest in using customer information. Companies must understand the potential responsibilities and risks of using customer information. Until something happens to place them at risk, many organizations simply do not know how much or what kind of information they have, who has access to it, to what extent its use may be regulated, and what penalties they may face for mishandling it.

Recent examples of misuse include a large U.S. bank that paid millions of dollars to settle a complaint that it sold customer data, including account numbers and balances, Social Security numbers, and home phone numbers, to telemarketers, and an online advertising agency whose share price tumbled after it was informed that it would be charged with violating consumer privacy if it merged anonymous user names with data from a company it had acquired.

The lines are not always so clear-cut. For example, a large manufacturer may have to comply with federal privacy laws if it issues credit cards, and a large retailer may be affected by medical privacy regulations if its stores contain pharmaceuticals. Moreover, multinational organizations may face complex, conflicting regulations and customs.

A Strategic Issue

To prevent problems from occurring or to benefit strategically from a focus on the protection of privacy, a company should consider how to adapt its business model to recognize investment in privacy protection as an investment in an asset, instead of a cost of doing business.

This process begins with the recognition that privacy is a strategic issue, not solely a technology or e-business issue. An effective privacy risk management program will meet a business’s needs while satisfying regulatory requirements and marketplace expectations. In addition, a company should:

To accomplish these goals, companies may want to consider appointing a chief privacy officer or a privacy team that will be held accountable for implementing the process. Alternatively, an effective privacy risk management effort may require the collective expertise of a variety of departments and specialists, including professionals with insight and experience in information risk management; business process analysis and redesign; and regulatory and industry-specific requirements.

Once implemented, separate privacy and security audits can help ensure compliance with laws and regulations. They can also help demonstrate to customers, stakeholders, and other parties the company’s commitment to privacy management. Some organizations use third-party professional services firms to conduct these audits, which may reinforce the standard of audit quality. Tangible evidence of a successful audit may include a seal (such as WebTrust) that demonstrates a company has fulfilled certain criteria in various areas of business, information security, and transaction integrity.


Jack Miller, CPA, is vice chairman of KPMG’s healthcare and public sector line of business and leader of the KPMG privacy leadership team.
Rob Arning, CPA, is the partner in charge of KPMG’s financial services practice in New York.




©2006 The CPA Journal.