In a time when consumers are increasingly sensitive about their personal data and federal regulations regarding that data are growing stricter, privacy has become a major concern for many organizations.
Can software vendors provide any guidance for their customers?
To date, vendors haven't offered customers much privacy support, said Larry Ponemon, chairman and founder of the Ponemon Institute in Tucson, Ariz., though he expects that to change.
"I think that CRM vendors, particularly the smaller ones that are up and coming, have a monstrous advantage if they build privacy technology into their software," Ponemon said. "When they start to build it into their programs and processes, they can ultimately use it as a competitive advantage."
While the big CRM vendors -- like Siebel Systems Inc., SAP AG and Oracle Corp. -- have a good architectural base for adding privacy controls, the smaller, more nimble companies have an opportunity to more quickly separate themselves in this area, he said.
For example, E.piphany Inc., of San Mateo, Calif., has functionality that lends itself to good privacy controls because of the way it tags data, while Intuit Inc., of Mountain View, Calif., does a good job of embedding privacy controls into its product, Ponemon said.
Federal regulations like the Health Insurance Portability and Accountability Act and the Federal Trade Commission's National Do Not Call Registry are driving most of the privacy concerns.
"Someone's going to get caught [in violation of regulations]," Ponemon said. "The clients are going to blame the software vendor, and that's going to give the small guys a chance."
However, privacy controls within an application can increase liability if they are turned off, Ponemon noted.
"The evidence would suggest that it's almost worse to buy privacy-enabling software and not to use it, than not to buy it at all," Ponemon said.
In a legal sense, deactivating privacy features demonstrates that a company is doing something it ought not to be doing, Ponemon said.
Grappling with privacy concerns of their own and responding to customer concerns, some vendors are creating a privacy position within the company. Late last month, Epsilon, a relationship marketing company owned by The Relizon Company, named Steven Roth its chief privacy officer (CPO). As vice president for CRM strategy and planning, Roth also oversees privacy and security issues for the Wakefield, Mass.-based company's customers. Epsilon hosts more than 40 databases of marketing data.
Due to recent legislation, Epsilon's customers have been concerned enough about privacy to request independent audits of the company, Roth said. Others have asked for assistance dealing with opt-in/opt-out policies.
Roth acts as the point person for privacy issues both within Epsilon and for its customers. He also oversees a privacy committee that draws from the IT, legal, human resources and marketing departments.
It's not absolutely necessary to have a CPO, but most software companies should have a privacy architect, similar to Microsoft, Ponemon said.
"At a large company, like say Ford or GE, with complex organizations, the reason you need a CPO is you need someone at a high end of the management scale to say no [to business decisions that could affect customer privacy]," Ponemon said. "A software company doesn't do that exactly. They're the architects building privacy into what they provide."
Software companies need a person or a team of people to ensure that privacy controls are addressed throughout the development process. And there's still work to be done in that area, Ponemon said.
Managed services in privacy may be the wave of the future. Both Hewlett-Packard Co. and IBM offer good privacy education services, but they're not ongoing, Ponemon said. He expects to see more solutions like privacy consulting for a new marketing campaign.