In June 2005, a unit of LexisNexis discovered the theft of 310,000 customer records containing sensitive information such as customer names, addresses, Social Security numbers, and driver's license numbers [5]. This incident followed closely on ChoicePoint's disclosure of the theft of personally identifiable information (PII) of hundreds of thousands of customers and Bank of America's declaration that it had lost backup tapes containing information on 1.2 million customers [16]. Given the seriousness of the matter, firms are struggling to find ways to best ensure the privacy of their customers' and employees' sensitive data.
Regulatory systems, especially those in the U.S., have been very active in the past four years in trying to find ways to combat such problems; for example, in mid-2002, as many as 80 privacy laws were being considered by the U.S. Congress. Such highly publicized laws as HIPAA, Sarbanes-Oxley, and the Gramm-Leach-Bliley Act have profoundly changed the firm's responsibilities to protect the privacy of information about its key stakeholders. However, laws and technology alone cannot ensure the implementation of sound privacy policies; Vijayan [13] discusses a number of difficulties in applying new technologies and inventing new business practices to monitor and ensure privacy compliance, respect stakeholder privacy choices, and oversee the privacy practices of business suppliers, partners, and vendors.
Therefore, privacy is viewed by many organizations as a vital management issue, shaped by a complex set of economic, political, social, and technological factors. Recently, a number of firms and public sector entities began to address the issue of privacy in a more radical way through the creation of a new corporate-wide job function: that of chief privacy officer (CPO). A number of academics and practitioners attribute the emergence of this position to public awareness of privacy [10]. The position of the CPO is a relatively new one; the first CPO was hired in 1999 [1].
Given the novelty of the position, it is not surprising that most of the CPO literature is prescriptive in nature. Some authors describe the key functions of the CPO, and others look into the capabilities and competencies the position requires. To the best of our knowledge, no study has investigated the concentration of CPOs in specific industries, or why some organizations decide to create a CPO position while others decide against it.
This study addresses CPO concentration levels in the U.S. Fortune 500 companies. The U.S. is a natural choice given the large number of identity theft and system hacking incidents in both the private and public sectors, and the many scandals associated with compromised customer privacy, such as those mentioned above.
In August 2002, California enacted the first data breach notification law in the United States (California S.B. 1386); this law went into effect in July 2003 [4]. Since then, 22 other states have enacted similar data breach notification laws. In 2006, eight of the remaining 27 states enacted similar laws, and 10 deliberated the introduction of such laws. Most of the enacted state laws and pending bills have the following five features in common:
Personal Information. In general, this includes a person's name, Social Security number, credit card number, and date of birth.
Encryption. None of the laws require notification if the data that were lost, stolen, or accessed by an unauthorized person were encrypted.
Notification Requirements. All entities that own or are responsible for personal data and reasonably believe that such data have been accessed by an unauthorized person must notify affected residents of the state.
Notification Procedures. This provision requires that people whose personal information has been compromised be informed; this can be done either in writing or electronically.
Notification Timelines. Most of the laws call for notification within a practical timeline, but some laws set specific timelines, including some that compel notice within seven days of detection of the data breach.
One of the most remarkable privacy laws in recent times is the California law enacted with the purpose of giving individuals early warning when their personal information has been compromised (such as falling into the hands of an unauthorized person), so that they can take the necessary actions to protect themselves against identity theft or to diminish the crime's impact. Since this California law took effect, reports of breaches have brought the issue of information privacy to public attention, and several states in the U.S. have enacted similar laws to protect their citizens [6].
There seems to be a consensus among policy makers in the public sector that the CPO represents the agency, not the individuals; this view stems from the understanding that privacy officers have a different role than privacy advocates [7]. However, the approach is different in the private sector: while the position is viewed as that of an internal adviser, it is also that of an ombudsman who must sometimes say publicly that the firm erred. The following summarizes the functions, capabilities, and competencies of the CPO.
a. Educate in the fundamentals of fair information practices. Employees in any organization, be it private or public, must understand the principles of fair information practices, and teaching them is the role of the chief privacy officer. To accomplish this task, the chief privacy officer's main responsibility is to provide employees with privacy awareness training.
b. Observe compliance with privacy laws. Today's CPO must understand the current state, federal, and international legal and regulatory climate and make sure the company complies with all relevant standards everywhere it operates. This is an especially critical function since the move in the U.S. has been towards viewing the CPO as an "ombudsman." Making sure the company is in compliance with the various privacy laws and directives is probably the most important function of the CPO.
c. Assist with the development of privacy impact assessments (PIAs). These reviews are required each time the firm or agency creates a new information system or begins collecting any new data that includes personally identifiable information (PII). Public and private sector organizations have many reasons to collect PII, and doing so is relatively easy; the substantial question is how organizations maintain, use, protect and, possibly, share the information. These are all areas where the CPO plays an instrumental role. An associated duty of the CPO is to ensure that the organization keeps privacy policies in mind when it acquires new information systems; the CPO should play a pivotal role in making sure that privacy principles are built into the systems from the start. This is especially vital in this age of ubiquitous computing, where data collection is changing dramatically, not only quantitatively but also qualitatively. Never before has detailed information about individuals been so instantly and easily available to so many others [9].
d. Promote privacy in conjunction with security. Since privacy and security go hand in hand, many organizations (public and private) have opted to combine effective privacy practices with strong security procedures. In a new age of terrorism threats, chief privacy officers have to consider public safety and security concerns in conjunction with privacy protections. Security breaches at information-intensive companies, credit card companies, e-commerce retailers, and banks over the years have increasingly heightened fear and anxiety among consumers, e-commerce customers and firms, online retailers, and policy makers about guarding personal information. In addition, new laws and regulations in the United States require the disclosure of such breaches, adding to the anxiety of consumers and damaging the image, reputation, and trustworthiness of the business entity. To avoid the negative consequences of security breaches and privacy violations, many organizations are making privacy a central concern at all levels. The CPO, then, must understand technology, including technological safeguards against breaches and threats.
e. Make privacy part of the fabric of the organization. The CPO must have enough power to affect business strategy and operating procedures, striving to make privacy a concern of everyone in the organization. Privacy concerns should be an integral part of designing new systems, devising strategies at the corporate and business levels, introducing new products, and forming alliances with partners or suppliers. It is the job of the CPO to make privacy much more than just a policy: the CPO's job is to make privacy an organizational imperative, a state of mind, a principal value system that is thoroughly ingrained in the organization and unequivocally subscribed to by all employees [7].
f. Communicate privacy concerns and issues with top management. The CPO plays a vital role in advising the top executive team about privacy and security issues pertaining to the organization.
Companies comprising the 2005 Fortune 500 list were used in this study. To find out which companies have a CPO, a search of companies' literature and Web sites was done; our search revealed that, as of 2005, 74 firms had a CPO position (see the accompanying sidebar containing the list of sample firms with CPO). Table 1 shows the distribution of the 74 firms in our sample by industry.
Examining the results in Table 1, one might be tempted to conclude that the three broad categories of Banks and Financial Services, Computers and Related Equipment, and Insurance have a high concentration of CPOs; this conclusion might be biased by the fact that some of these industries represent a larger percentage of the Fortune 500 list than other industries (Table 2 shows the distribution of the 2005 Fortune 500 firms by industry).
To reach an objective conclusion in summarizing the degree of CPO concentration found in the 17 broad categories of industries, we decided to use a summary statistic common in the economics and industrial organization literature: the revealed comparative advantage (RCA) measure of CPO concentration among the different industries. It is derived by dividing the percentage of sample CPOs falling in a specific industry by the percentage of Fortune 500 firms in that industry.
The concept of revealed comparative advantage (RCA) is grounded in conventional trade theory. The original RCA index, formulated by Balassa [2], can be written as:
where X represents exports, i is a country, j is a commodity, t is a set of commodities and n is a set of countries. B is based on observed trade trends and patterns; it measures a country's exports of a commodity relative to its total exports and to the corresponding export performance of a set of countries. If B > 1, then a comparative advantage is revealed. Applying Balassa's concept of revealed comparative advantage to our case:
where %CPOi is the percentage of sample firms with a CPO in industry i; %(Industry Fortune)i is the percentage of firms of industry i listed on the Fortune 500; and CPOi Concentration is the degree of CPO concentration in industry i. As an example, 14 firms out of the sample of 74 firms with CPOs fall in the Banks and Financial Services industry, and 69 firms out of the 2005 Fortune 500 fall in this category; based on these numbers, we can compute the Banks and Financial Services concentration level of CPOs as:
Since the revealed comparative advantage (or CPO concentration level) of the Banks and Financial Services industry is greater than 1, we can conclude that there is a high concentration of CPOs in this specific industry. This high level of concentration might be due to factors that are industry-specific or company-specific, as will be explained later.
Table 3 shows the CPO concentration levels computed for the various industries based on the revealed comparative advantage measure. Twelve of the 17 industries revealed a high concentration level; these are the industries with RCA greater than one (1.0). However, these results may be misleading if one examines the weight of certain industries in the Fortune 500 list: only three Fortune 500 companies make up Payroll Services, and four Transport Equipment firms represent that industry in the list. To remove the bias introduced by the weight effect of these sub-samples, we ignore in the analysis any industry with a weight of less than 4%, or with a sub-sample of fewer than 20 companies (the remaining industries appear in bold in Table 3).
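The RCA computation and the weight filter described above, carried out in Python as an added example (not code from the original article). The Banks, Computers and Telecommunications counts are the ones the text reports; the Payroll Services CPO count is a constructed placeholder, since the article gives only that industry's size, and it is included to show how the filter removes a small industry whose RCA is inflated by a tiny denominator.

```python
"""Revealed comparative advantage (RCA) of CPO concentration.

RCA_i = (%CPO_i) / (%IndustryFortune_i): the share of sampled CPO firms that
fall in industry i, divided by the industry's share of the Fortune 500.
An RCA above 1.0 reveals a high concentration of CPOs in that industry.
"""

from dataclasses import dataclass

SAMPLE_SIZE = 74      # firms with a CPO in the article's sample
FORTUNE_SIZE = 500    # firms on the 2005 Fortune 500 list
MIN_WEIGHT = 0.04     # keep industries with at least 4% of the list ...
MIN_SUBSAMPLE = 20    # ... and at least 20 Fortune 500 companies


@dataclass(frozen=True)
class Industry:
    name: str
    cpo_firms: int       # sampled firms in this industry that have a CPO
    fortune_firms: int   # Fortune 500 firms in this industry


def rca(ind: Industry, sample: int = SAMPLE_SIZE,
        fortune: int = FORTUNE_SIZE) -> float:
    """Balassa-style index applied to CPOs: %CPO_i / %IndustryFortune_i."""
    pct_cpo = ind.cpo_firms / sample
    pct_fortune = ind.fortune_firms / fortune
    return pct_cpo / pct_fortune


def is_retained(ind: Industry, fortune: int = FORTUNE_SIZE) -> bool:
    """Weight filter from the text: drop an industry whose weight is below
    4% of the list or whose sub-sample has fewer than 20 companies."""
    weight = ind.fortune_firms / fortune
    return weight >= MIN_WEIGHT and ind.fortune_firms >= MIN_SUBSAMPLE


def concentration_table(industries):
    """Map industry name -> (RCA rounded to two decimals, retained?)."""
    return {i.name: (round(rca(i), 2), is_retained(i)) for i in industries}


# Counts reported in the article, plus one constructed row for the filter.
INDUSTRIES = [
    Industry("Banks and Financial Services", 14, 69),
    Industry("Computers and Related Equipment", 13, 25),
    Industry("Telecommunications", 7, 21),
    # Constructed: the article states the 3-firm size but not a CPO count.
    Industry("Payroll Services (constructed CPO count)", 1, 3),
]

if __name__ == "__main__":
    for name, (value, kept) in concentration_table(INDUSTRIES).items():
        level = "high" if value > 1.0 else "low"
        note = "" if kept else "  [excluded by the 4% / 20-firm filter]"
        print(f"{name:45s} RCA = {value:.2f} ({level}){note}")
```

The constructed Payroll Services row produces the same RCA as Telecommunications (2.25) from a single CPO, which is exactly the small-denominator distortion the filter is meant to remove.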
Table 3 shows that the Computers and Related Equipment industry has the highest level of CPO concentration (RCA = 3.51), followed by Telecommunications (RCA = 2.25), Banks and Financial Services (RCA = 1.37), and Insurance (RCA = 1.07). The remaining industries in the sample, Motor Vehicles and Parts (RCA = 0.48), Specialty Retailers (RCA = 0.28) and Semiconductors (RCA = 0.10), all have an RCA less than one, indicating a lower level of concentration relative to their size of representation.
Table 3 thus shows four industries with a high level of CPO concentration, with RCA > 1.0 (Banks and Financial Services, Computers and Related Equipment, Insurance, and Telecommunications), and three industries with a low level of CPO concentration (Motor Vehicles and Parts; Semiconductors; and Specialty Retailers).
The results are not surprising, since all four industries with a high level of CPO concentration are information-intensive industries. Information intensity is not a new concept; Porter and Millar [11] proposed an information intensity matrix in which industries were classified by the information intensity of the product and/or the information content of the value chain. Palmer and Griffith modified Porter and Millar's information intensity matrix to include a third component; they argue that information intensity includes the amount of information that goes into the development of the product or service, the amount of information required by consumers to use the product or service, and the amount of information required throughout the value chain to produce and deliver the product or service. To these three components, I would like to add the amount of information collected by organizations in specific industries and stored in data warehouses, databases, or data marts for mining, segmentation, and possibly profiling.
Numerous authors and practitioners have classified industries qualitatively as either high or low information-intensive based on the information content of the product or service and the information density of the value chain. Wolff [14] and Hu and Quan [8] do a very good job of summarizing research on the information intensity of industries. Liang et al. measured the information intensity of six different industries based on a sample of companies chosen for investigation: Information Content Providers (ICP), Advertising, Security Brokers, Banking, Retailing, and Software. They measured the information content of the product and the information density of the value chain. Their findings show that Banking, Security Brokers, and Software were the most information-intensive industries.
All four industries in our sample with a high level of CPO concentration are classified as high information-intensive industries. Retail and Motor Vehicles fall in the low information-intensive category. The only exception in our case is Semiconductors, which can be classified as an information-intensive industry in terms of the amount of information required in production (mainly R&D). There are plausible explanations for the low concentration of CPOs in this industry. First, it is not as heavily regulated as the other information-intensive industries in our sample, such as banks, insurance, and telecommunications. Second, companies in this industry deal mostly with other high-tech companies and do not collect or hold sensitive information about individuals as consumers.
The last column in Table 3 shows the level of information intensity in the corresponding industry. The highest concentration level appears in the Computers and Related Equipment industry, where 13 out of the 25 Fortune 500 firms have a CPO. This result is not surprising, since firms in this industry have been the avant-garde of privacy; in November 2001, IBM officially launched the IBM Privacy Management Council, a team of chief privacy officers and security executives from a cross-section of key industries working with IBM to define the next generation of enterprise-class privacy management software technology.
This Council deals with the technological and business-related concerns arising from the pressures of internal and external stakeholders, including consumers and legislators, that require companies to manage personally identifiable information. In addition, the Council aims to identify possible privacy issues and their effect on business, while proposing requirements for the next-generation privacy solutions needed from the information technology industry.
The telecommunications industry's CPO concentration index is 2.25; seven of the 21 Fortune 500 telecommunications firms have privacy officers. This is an information-intensive industry; companies such as Verizon, AT&T, and Qwest realized very early on that privacy and security are two of the main business imperatives. As such, they have developed strict policies governing employee access to customer records. Awareness programs have been developed in these companies to educate employees about their obligation to safeguard customer information and telephone calls, and to hold them accountable for their actions. Furthermore, these companies periodically perform privacy audits, which include consumer input, as part of their product development process.
The Banks and Financial Services industry's CPO concentration is the third highest, at 1.37: fourteen of the 69 Fortune 500 firms in this industry have a CPO. This is followed by the Insurance industry (RCA = 1.07). These concentration levels are relatively low, given the nature of the products and services delivered by firms in the two industries and the nature of the regulatory environment. One expects to find a higher level of CPO concentration here, given the relatively new FTC regulations. The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act or GLB Act, contains clauses aimed at protecting stakeholders' personal information held by financial institutions. The Act identifies three main components of the privacy requirements: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting provisions.
The GLB Act gives eight federal agencies and the states the power to oversee and enforce the first two components, the Financial Privacy Rule and the Safeguards Rule. These two rules apply to "financial institutions," comprising not only banks, securities firms, and insurance companies, but also entities offering a host of other types of financial products and services, such as brokering, lending or servicing any type of consumer loan, safeguarding money, offering financial advice, and an array of other activities. The Federal Trade Commission (FTC) is the governmental body that regulates these non-traditional "financial institutions."
The Safeguards Rule mandates that all financial institutions design, implement, and maintain an array of safeguards to protect stakeholder information. These rules apply to financial institutions that collect information from their own customers, as well as to financial institutions that receive customer information from other financial institutions, such as credit reporting agencies.
In the financial sector, the widespread demand for personal data has led to the development of systems specializing in data aggregation and warehousing, and in data mining and analysis; systematic collection of data and profiling of individuals have become the norm rather than the exception in this sector. Because of the high concentration of personal data in the financial sector, laws and regulations were enacted (reactively as well as proactively), at both the federal and the state levels, to impose the strongest security measures on the industry; almost every piece of data is protected at a high level, and compliance with regulations is at the center of everything financial institutions do. Hence, one possible explanation is that the need to consider the role of the CPO is somewhat reduced because much of this is already core business.[a] Notwithstanding the strong security measures and regulatory demands, the concentration of personal data in the databases of financial institutions presents an attractive target to hackers, especially where information can be converted into financial gain for the intruders. Consequently, it is a constant challenge for financial institutions to find ways to better protect their customers' data.
Another possible explanation for the relatively low level of CPO concentration in the financial sector is that financial institutions are more attentive to the fast-paced and changing security environment. They are shifting priorities and taking the necessary measures to mitigate the various security risks and challenges, and possibly not paying enough attention to the information privacy component.
The three industries with a low level of CPO concentration are Motor Vehicles and Parts, Semiconductors, and Specialty Retailers. As these industries move further into the e-commerce side of the retail equation, they should be thinking harder about information privacy and information privacy management. We expect the number of CPOs hired in these industries to increase in the next few years.
We believe that the creation of a CPO position on the top-level management team is industry-specific and company-specific. Companies operating in information-intensive industries, like banking and insurance, are likely to collect a great deal of information about customers and to provide services that are information-based; consequently, they are expected to invest more in systems to protect the security of information, to guard the privacy of their stakeholders, and to hire an executive in charge. The more information-based the product or service is, the more information is needed to produce it, to market it, and to service it. According to Porter and Millar [11], the degree to which information and information technology can be used to compete strategically depends on the existing and potential information intensity of the products or processes of the business.
Information intensity is the degree to which firms' products or services and their activities depend on the information collected, stored, processed, organized and, possibly, traded as part of internal transformational processes and exchanges along the value-added chain [3]. Although the importance of information is increasing across the board, the role and degree of importance of information vary depending on the industry. Because the degree of information intensity differs from one industry to another, the vitality of the CPO position varies among industries. Both the banking and financial services and the insurance industries are traditional information-intensive industries, whereas the food or oil refining industries might use physical processes in addition to information-processing technology. Zhu [17] suggested that banks, stock exchanges, airlines, e-commerce retailers, and high-tech companies that develop IT products are examples of information-intensive organizations. Stiroh [12] classified as computer-using sectors those where the nominal value of office, computing, and accounting machinery (OCAM) capital services exceeded 4% of total capital services. Computer-using sectors include printing and publishing (SIC major group 27), stone, clay, and glass (32), non-electrical machinery (35), electrical machinery (36), instruments (38), trade (SIC Divisions F and G), financial services, insurance, real estate, and other services sectors.
From our analysis here, the logical conclusion is that information-intensive industries tend to have a higher level of CPO concentration.
4. California Office of Privacy Protection. Recommended practices on notice on security breach involving personal information. (April 2006). http://www.privacyprotection.ca.gov/recommendations/secbreach.pdf.
The author would like to thank two anonymous referees for their input on an earlier version of this paper; she also would like to thank her two teaching assistants, Nader El Koukache, and Ghadeer Al Khatib for their help in the data collection phase.
This paper was written when the author was a Visiting Scholar at INSEAD, Fontainebleau, France.
©2009 ACM 0001-0782/09/0400 $5.00