Like honesty, privacy is good policy. And it’s also profitable.
Proponents say proper privacy practices are also ‘good for business’. Now it appears there’s actual evidence to back up this proposition.
A recent survey suggests there are some correlations in consumer perceptions of a company’s privacy practices, trustworthiness, and market standing.
Conducted by Carlson Marketing Canada, a Toronto-based market research firm, and the Ponemon Institute, a privacy research think-tank based in Elk Rapids, Mich., the survey solicited feedback from 4,100 Canadian consumers to determine which companies they perceived as most trustworthy for honouring their privacy commitments, and what factors they used to make their assessments.
This Canadian survey looked at consumer perception only, and did not correlate the findings to actual privacy practices, explains Larry Ponemon, chairman of the Ponemon Institute. But the institute has conducted other recent studies in the U.S comparing perception scores to privacy practices. “We found a high correlation between the two. Companies that get better ratings tend to have a better privacy program and do things better from a privacy and data protection perspective,” says Ponemon.
But consumer perception is tricky, he says, as sorting out the factors and correlations that make or break a company’s reputation for trustworthiness is a complex exercise. It may be tempting to assume a security breach making headlines will affect a company’s ranking. In most instances this is in fact the case, with companies dropping precipitously in their rankings, and losing as much as 1 to 1.5 per cent in market value permanently after a breach, says Ponemon.
But some companies defy this assumption. For example, National City Corp., a financial institution based in Cleveland, retained its high ranking even after a publicized breach, he says. According to feedback from respondents, consumers approved of the way the bank responded to the breach. The bank contacted all affected customers by phone instead of by mail to inform them a breach had occurred, and provided a credit monitoring service. It later provided information by mail about how customers could determine if their data was used in identity theft and how to protect themselves.
“This letter contained no hype about how great the bank was or how concerned it was – it just laid out the facts in plain English,” says Ponemon, explaining that the bank’s good standing might be attributed to the ‘The Tylenol Effect’. In that famous case, Tylenol’s principled response to a product-tampering incident in 1987 earned its customers’ loyalty.
People will overlook a company’s negatives if the positives outweigh them, says Ponemon. “So Tylenol is noted as a textbook case for good ethics and not for bad packaging design.”
Another factor that influences consumer perception is the industry sector’s overall reputation. Ponemon points out that the correlation in ratings and actual practices is high in the financial services sector, where transparency and disclosure is mandated, but not so high on the retail side, especially for Web retailers. The number one factor that contributes to a negative perception of a company’s trustworthiness is its approach to marketing and advertising. “Companies perceived as the most annoying in their advertising practices – companies that use telemarketing, pop-up ads, adware, spyware and the like – were ranked at the bottom,” says Ponemon.
This is a reasonable factor to use to evaluate a company, according to Philippa Lawson, executive director of the Ottawa-based Canadian Internet Policy and Public Interest Clinic (CIPPIC). “Companies that [respect] privacy show that in all aspects of their business, especially in their advertising: they are upfront on sign-up about what they’ll do with customer information.”
The Carlson-Ponemon privacy study also asked Canadian respondents to list what would worry them most if their personal information were to be leaked to unauthorized third-parties. Unsurprisingly, identity theft was at the top of the list, followed by stolen assets, stalking or spying activities, telemarketing abuse and spam.
But Lawson says most consumers aren’t really in a position to evaluate privacy issues. “To me, that [list] reflects what’s in the news,” says Lawson. “This doesn’t mean these aren’t legitimate worries, but what concerns me are privacy abuses that people are not fully aware of.”
Lawson points out that some of the most egregious abuses are not obvious to consumers. “We know consumers don’t have full information about privacy practices. One problem is privacy invasions are done behind the scenes and we don’t see it.”
People may be denied jobs, for example, because employers got unauthorized information that may not be accurate, but victims won’t know this is the reason, she says.
Cases like the notorious ChoicePoint breach, where people affected by it can track any resulting issues back to the source, are rare, says Lawson. “News about ChoicePoint was splattered in the media, but many run of the mill privacy invasions, for example, retailers selling customer lists to direct marketers, are not known.” Moreover, under Canada’s PIPEDA legislation, companies are not required to disclose breaches, as they are under California’s law SB-1386 which forced ChoicePoint to contact its customers. “Canada’s privacy legislation is up for review this year. We have been calling for a breach disclosure law like California, but this needs aggressive lobbying,” says Lawson.
Other privacy experts agree the consumer list of privacy worries does not reflect the greatest threats. Michael Gurski, privacy strategist at Ottawa-based Bell Security Services Inc. (BSSI), points out that phishing should be on the list of consumer worries.
“Phishing is rising 1000 per cent but it’s not mentioned.” Phishers target well-known brand names for their scams, so a financial institution that is victimized this way is not culpable. But the company has a vested interest in reducing phishing, as it corrodes trust, says Gurski. This was corroborated in the Carlson survey, as the extent a company was phished was another critical factor contributing to negative consumer perception, says Ponemon.
“These companies are not responsible for bad people doing bad things, but it’s possible to provide tools that protect their customers,” says Gurski. “There are technical ways to achieve this. For example, you could provide customers with digital certificates, so if they go to the right Web site, it’s validated.”