It would require an extraordinary set of blinders not to recognize that American consumers are increasingly privacy-conscious. Survey data bear out that consumers are concerned about threats to their privacy and about whether they have lost control of information they consider personal and private.
When a privacy issue-identity theft-is the premise for a hit movie starring Sandra Bullock, "The Net," I do not think it is productive to continue to debate whether privacy is a major consumer issue, or to suggest that customer concerns are merely "anecdotal." The question must be, rather, how the issue can be credibly addressed, and how fast that can be done.
Against this backdrop-this increasingly charged atmosphere where each new reported invasion of personal privacy triggers a visceral, public reaction-I would like to reflect on the topic of privacy and its business challenges.
In part, we have arrived at this point in the privacy debate because of the explosion of information technology. Technological advances have greatly facilitated the collection, dissection, and transfer of vast amounts of personal data. Information can be sliced, diced, and shared at a level of personal detail that was never before possible.
These new capabilities have turned personal information into a marketable commodity. They cause consumers-when they learn about it-to question whether highly personal medical and financial information should be in the hands of, and exploited by, third parties.
Congress is considering legislation that would enhance the ability of different types of financial services companies to affiliate, thereby increasing the potential for gathering and using financial and medical information about the company's customers.
One key rationale for these combinations is that resulting companies will be able to "warehouse" data on an expanded customer pool and "mine" that data to design an increasing array of targeted and profitable product and service offerings. Affiliations among diverse sectors of the financial services industry are intended to create new synergies and opportunities for cross-marketing. Again, this ability is heavily reliant on sharing and pooling data.
The sheer magnitude of these data warehouses and the sensitivity of the information fuels public skepticism and anxiety and propels Congress to devise safeguards to protect against the misuse of the data.
That gets us to the heart of the privacy debate-both the perception and the reality that individuals are losing control over their personal information. When the information is highly sensitive, such as medical and financial information, consumer concern about who has control over its disposition is compounded.
Curiously, given the importance and value of information as a business asset, the financial services industry has been more defensive than proactive in its reactions to customer privacy issues.
The attitude of at least some industry representatives has been "show me the harm, show me the complaints." The problem with this is that, in many instances, individuals may not realize-and have no way of forcing disclosure of-just how their personal information is being handled. However, as daylight begins to shine on firms' practices for handling customers' personal information, the public appears ready to make a stink about the shortcomings they see. Any company that ignores or fails to understand the tinderbox of public sentiment waiting to ignite on privacy, acts at its peril.
I commend the banking trade groups for promulgating privacy principles and urging their members to adapt and adopt such principles. Many, many banks have heeded the call. More and more banks are posting privacy policies on their Web sites.
It is essential, however, that these steps be more than window-dressing. Privacy policies are meaningful only if they reflect an organizational commitment, are adhered to, are stated in terms customers can readily understand, and meet legitimate customer expectations about the handling of their information.
Congress has pending many bills concerning the treatment of personal information-most of which are aimed squarely at the financial services industry.
In the last Congress, discussions of privacy were at the periphery of the debate over modernizing the financial services industry. Privacy legislation affecting the industry that was either enacted or came close to passage in the last Congress was aimed at data security-such as curbing identity theft, which is now law, or punishing pretext callers who obtain confidential information from banks under false pretenses.
The dynamics have shifted dramatically over the course of this year. In March, the House Banking Committee had an unexpectedly long and vigorous debate over an amendment offered by a freshman congressman that would have required banks to notify customers about their information-sharing with third parties and would have given them an opportunity to opt out of that sharing. Members reacted viscerally to descriptions of current practices and the limited reach of existing privacy laws.
But by the next day, after committee members were "educated" by the industry, many had set aside their gut reactions and spoke about operational difficulties and the unknown consequences of increased restrictions on the transfer of customer information. The amendment failed, and in its place, the committee adopted an amendment requiring disclosure of privacy policies.
When the Senate considered its financial modernization bill, in early May, privacy amendments were generally fended off. A number of pro-privacy senators announced that the issue should be considered separate and apart from the bill. That view largely prevailed.
But just weeks ago, the issue resonated when the House Commerce Committee considered the House version of that legislation. A Commerce subcommittee adopted a measure mandating that financial services companies disclose their information-sharing practices to customers. However, by June, a growing clamor to address existing and potential privacy abuses resulted in the passage of an amendment that requires financial services companies to provide their customers with the opportunity to opt out of all types of sharing arrangements with unaffiliated and affiliated third parties.
It remains to be seen whether some type of enhanced privacy protection will be retained in financial modernization legislation. But it is evident that the marketplace has already begun to recognize the significance of distinctions in privacy protections afforded consumers.
There is evidence that-when information is available-market forces will take privacy issues into account. Just last week, a large bank announced that it was taking an "industry-leading" privacy position by ceasing the sharing of customer information with third- party marketers. In doing so, the bank said that "customer privacy is one of our highest priorities."
That brings me to my last point: Where do we go from here? The financial services industry is just beginning to realize the potential of the Internet and the business opportunities made available by technology. But these very developments increase the potential for intrusions on personal privacy and facilitate the transfer of personal data. As more information becomes available about how customer information is collected and used, market forces increasingly will take privacy consequences into account.
I would offer one suggestion for how the financial services industry can approach this challenge. It is not a solution, but rather an attitude, drawn from Justice Louis Brandeis' eloquent description more than 70 years ago of the concept of privacy. He called it "the right to be left alone-the most comprehensive of rights, and the right most valued by a free people."
These words capture an issue central to treatment of privacy concerns in the new information age.
Privacy as an individual right implies that to some degree personal and private information about an individual is the property of that individual. It also implies that when a customer gives that property to another for one express purpose, he or she is not implicitly giving it for whatever other purposes the recipient may want to use it.
My suggestion is to think of personal information from your customers' perspective, as something they feel belongs to them. In developing and implementing privacy policies, think about how your customers would react if you gave them a full description of how much of their information you collect, what you do with it, whether you transfer it, to whom you transfer it, and what then happens to it.
Would you be embarrassed? Would your customers feel they had been treated fairly? Structure your privacy policies-and implement them- accordingly.