Exclusive Interview with Mark S. Merkow
Co-Author of “The E-Privacy Imperative—Protect Your Customers’ Internet Privacy and Ensure Your Company’s Survival in the Electronic Age”

In the brave new world of e-business, one challenge overshadows all others — how to ensure a customer’s right to privacy. With stories of credit card fraud and identity theft becoming almost commonplace (not to mention our inundation with “spam” e-mails), the issue has become critical to many companies’ survival in the electronic age.

According to a new book, “The E-Privacy Imperative” (AMACOM 2002) by Mark S. Merkow, CCP, CISSP and James Breithaupt, “The truth is that with each click on some irresistible online offer, consumers may be giving up a little bit of themselves.”

However, there are steps e-businesses can take to protect themselves, their companies and their customers. AMA’s Shari Lifland recently spoke to Mark S. Merkow to shed some much-needed light on this complex and compelling topic.


AMA: In the introduction to “The E-Privacy Imperative” you write, “The climate of today’s Internet has created potentially insurmountable problems that may, in time, doom the promises of e-commerce.” Do you really think the problems are “insurmountable?” Now that consumers have discovered how easy it is to click their way to material gratification, will they abandon the Internet for “safer” shopping options?

Mark S. Merkow: If left unchecked, the rise in identity theft because of stolen credentials via the Internet or abuses of personal information will indeed cause people to find safer ways to shop. Without such controls, the Internet--in time--may return to its earliest days of marketing fluff, without any mechanisms to purchase goods and services because people cannot trust the channel or operators within the channel to keep their confidential information safe and secure from prying eyes.

AMA: Many consumers still distrust the Internet and so refuse to join the e-commerce revolution. What steps must e-tailers take to convince these people that it’s safe to purchase goods online?

Merkow: Retailers need to work much harder than ever before to convince people that they’ll honor commitments to keeping private information private. They should subscribe to new technology initiatives and trust services, like those offered by Visa with the Verified By Visa program and the AICPA with the Webtrust program, and similar initiatives. If the merchant acquiring banks offer incentives to merchants to adopt safer payment protocols, and merchants follow the advice of security experts and e-commerce experts, they’ll go a long way to convincing people they’re honest, upstanding and worthy of consumers’ business—and trust!

AMA: What role do you think the federal government, specifically the Federal Trade Commission, should play in protecting consumers’ right to privacy on the Internet?

Merkow: The FTC should continue with annual reports before Congress on privacy and problems related to privacy, and continue prosecuting offenses that come to their attention. When E-tailers finally understand that abuses will not only be punished, but also threaten their very existence, the temptations to misuse personal information should begin to decline. In the end, it’s not the technology that’s abusing personal information, it’s the human operators on the other end of the pipe who are making the decisions. Sometimes those decisions are made too hastily and lead to a disregard for promises (privacy policies) they’ve made to customers.

AMA: I recently opened up a “hotmail” account to preserve the privacy of my home and office e-mail addresses and immediately received a spam e-mail for a porn website. How did they manage to access the new address so quickly?

Merkow: Simple — the Member Directory will list all entries unless you explicitly tell Hotmail NOT to list your name, address or other information you supplied to set up the new address. Rather than opt-in to the membership directory, you need to opt-out on your own.

AMA: When an online business states that it does not collect user information, should consumers believe them?

Merkow: Well, if there’s a form on the site to collect information and the business states that no information is collected, I’d be instantly suspicious. Deeds speak far louder than words. On the other hand, if the firm states it only uses the information it collects to consummate a transaction and does not sell the information to affiliates or third parties, I would remain wary until I saw proof (over time) that my name did not ‘leak’ onto mailing lists that could only have emanated from that merchant, e.g. reserving a room at the Hilton won’t cause me to receive E-mail from Embassy Suites for some “irresistible offer.”

AMA: What are some of the main security and privacy issues specific to B2B E-commerce?

Merkow:

  • Information leakage of negotiated contract data and pricing
  • Running an insecure Web server that could be used by hackers to attack another member of the marketplace
  • Theft of customer data on insecure database servers
  • Incomplete or insufficient compliance with stated privacy policies and information security policies and standards

AMA: Can you briefly discuss the critical elements of an acceptable privacy policy?

Merkow: A good privacy policy incorporates the four central themes as outlined by the FTC:

1. Notice—Tell people what information you collect, for what purposes you’re collecting it, how long you plan to keep it, whether or not you plan to re-sell it and how your site uses cookies for preferences or later visits to the site.

2. Access—Let people see what information you’ve collected about them and let them decide if they wish to continue allowing you to keep their information and/or allow people to make corrections to the data if it’s out of date or incorrect.

3. Choice—Let people decide how they wish to remain in contact with your company. Make choice as granular as possible, allowing people to opt-in and opt-out at will, without an all-or-nothing approach to information sharing. Perhaps some people will want to read your monthly e-mail newsletter, but don’t want daily specials that you send via e-mail. The more granular choices you offer, the better off your site becomes.

4. Security—Tell people how you’ll protect their information both en route to the site and after their information is in your databases. Tell them about your uses of SSL (Secure Sockets Layer, the mechanism to protect data from a Web browser), who is involved in payment processing, how credit card data is handled, etc.

AMA: In your experience, which works best for most companies--the establishment of an in-house Internet security team or outsourcing the function?

Merkow: One important aspect of security is that accountability can NEVER be outsourced! It’s not the firm that monitors the network or establishes the firewall rules that will wind up in court in the case of an incident--it’s the owner/operator who will. Having said this, it’s totally appropriate to hire an outside firm to establish policies, construct the secure networks, configure and harden the E-commerce servers and monitor the network 24/7. Good security people don’t come cheap, and nephews who took a course in HTML tend to be poor security administrators. So unless you can commit sufficient budget for full-time personnel, you’re better off with a hired hand.

AMA: What company or companies would you identify as having the best consumer or business privacy protection policies today? Why?

Merkow: Throughout all the research James Breithaupt and I did for the book, I kept pointing to Amazon.com as the prototype for an Internet site that truly lives up to their promises--for security, for privacy and for extraordinary customer service. Amazon sets the bar ever higher and few other sites have even come close to matching its heights!

American Management Association © Copyright 1997-2012