E-Loan is Rock Solid IMO... Here is an interesting article on E-Loan and Internet Privacy...
<<Privacy, Practically Speaking
By Alex Lash, The Industry Standard, July 23, 1999
The New York Times reported that morning that as new PC users stepped through the online registration procedure, Windows had been silently transferring a serial number unique to each PC into Microsoft's corporate databases. When the press contacted the company about this, Microsoft moved quickly to fix the problem and purge its databases of the information, which offered a way to track a user's documents over networks. Microsoft said it had collected the data to help technical support staff.
The incident was another black eye for a company with an already bruised image.
"My ultimate goal is to say that the Microsoft brand is sufficient to uphold a trust[ed] relationship," says Microsoft customer-information manager Richard Purcell. "If I said that were true today, I'd be laughed out of the room. It would sound arrogant. We had a snafu that didn't help me."
Consumer advocates immediately called for an investigation into Microsoft's data-collection practices. At first blush, the task seemed to fall to TrustE, an industry organization whose members see self-regulation as the best way to avert privacy abuses. (To display TrustE's seal of approval on their Web sites, licensees pay a nominal fee and promise to comply with the organization's guidelines on protecting consumer privacy.) TrustE acknowledged that licensee Microsoft "compromise[d] consumer trust and privacy," but chose not to revoke Microsoft's TrustE seal because, TrustE said, the serial-number transfer was unrelated to Microsoft's Web properties. For its part, Microsoft refused to submit to an external audit of its privacy policies.
A privacy violation occurs when an organization uses its customers' information – anything from phone numbers to credit-card histories to online behavior patterns – in ways the customer didn't explicitly allow when first divulging the information. Marketers have bought and sold customer data lists for a long time, but the issue has become explosive on the Net, where information is collected, cross-referenced and disseminated with greater speed and ease.
Protecting customer privacy – and proving to the world that you're doing so – is not easy. It can be expensive, but as the world wakes up to online privacy, companies can't afford to sit back and do nothing. For one thing, Washington has latched onto the issue. Having passed legislation protecting medical data and the privacy of children, Congress is now considering several broader bills.
The European Union has already passed tough privacy measures – too tough, say some multinational businesses. On the other hand, IBM, Microsoft and Disney have proclaimed they won't work with advertisers who don't have at least a baseline privacy-protection policy. The Direct Marketing Association announced July 1 that members who don't give customers a chance to opt out of marketing lists will face public expulsion. To add to the pressure, new technology may soon give surfers the ability to easily find merchants with favorable privacy policies.
Bad data practices could also lead to lawsuits and government prosecution. A few hundred thousand dollars now for some expert advice might be money well spent, especially if you're just starting to build the backbone of your company's technological – and ethical – infrastructure.
"There's no sense baking things in if you'll have to change them later on" to please privacy advocates, says Tara Lemmey, president of the Electronic Frontier Foundation. She used to work at Narrowline, an Internet ad broker that paid Coopers & Lybrand more than $200,000 for a 1997 audit. "If you look at it as mission-critical to reduce liability for customers and investors, it's really not that much," she says.
To Web businesses sensitive to growing public concern with data protection, the Microsoft incident was galvanizing.
"It was a real cop-out," says Chris Larsen, CEO of Dublin, Calif.-based E-LOAN. Soon after, Larsen decided to submit his site to a stringent, month-long PricewaterhouseCoopers privacy audit and abide by any recommended changes. Simply acquiring a "good housekeeping" seal such as TrustE may be a good start for an online business, but the Microsoft incident showed it's not enough, Larsen says.
The audit and the resulting changes ultimately cost E-LOAN 700 personnel hours and more than $200,000. Ongoing quarterly inspections will run $20,000 a pop. As a financial lender, E-LOAN is privy to sensitive information and falls under special legal strictures. Not every Web startup can afford to submit to such scrutiny, but anything less than a full-scale audit for the likes of E-LOAN could be construed as negligent.
It's easy to create a privacy policy. Microsoft's Link Exchange and the Direct Marketing Association offer free privacy-statement generators on their Web sites. But there's good reason not to rush the process. Establishing a flawed policy, or promising more than you can deliver, can lead to a public relations and legal disaster.
If you don't know the regulatory landscape, there are plenty of lawyers and consultants who do. Most high-tech law firms have privacy and data-protection experts. Many of the privacy advocates quoted in the press will also consult. Fees of $400 an hour are not unusual. If you're shopping around, it's a good idea to ask candidates a few tough questions, such as, "For which other companies have you written privacy statements?"
Once the clock is ticking, your new privacy guru will do the asking. "One of my clients was requesting Social Security numbers during the Web-registration process," says attorney Ray Everett-Church of Haley Bader & Potts in Arlington, Va. "My question was, 'Why?' After some investigation, the answer was, 'We thought it might be useful.' That was a red flag with gold stars on it."
If you decide to draft a privacy statement, the next step is to have it evaluated. Simply having your lawyer or legal department green-light it is one route. Another is to emblazon a third-party seal of approval on your site. TrustE and BBB Online, an arm of the Better Business Bureau, are self-regulated compliance programs that award their seals to privacy-friendly sites. The fees, based on company revenues, are a pittance compared to the costs of getting sued.
The most stringent "trustmark" comes from the American Institute of Certified Public Accountants' CPAWebTrust program. Unlike the other two, WebTrust requires an evaluation by an accountant or auditor, which could drive costs well over $100,000. The AICPA Web site lists 150 CPAs who are certified to help companies earn a WebTrust seal.
If one of the Big Five accounting firms already audits your company finances, however, you may already feel comfortable with them. In addition, their famous brands – PricewaterhouseCoopers audits the Academy Award voting process, for instance – can give a boost to an unknown company. E-LOAN chose PricewaterhouseCoopers for both reasons.
With the Big Five, expect the cost to be at least five figures. The price for Arthur Andersen's Electronic Commerce Readiness review, which targets large companies, often starts at $250,000, says Kerry Shackelford, director of Andersen's e-commerce competency center. Such reviews examine a host of issues surrounding data protection, including legal compliance, security, business practices, data flow, and the availability and scalability of systems.
Andersen consultants will eyeball a client's data to find the vulnerable links. "We test where it goes from the user at a Web site, to servers, to databases," says Shackelford. "You need to know where the data goes and check those places" for potential leaks or policy violations. Auditors might also insist on extensive employee interviews to measure their comprehension of and attitudes toward privacy concerns.
The more complex a company's data networks, the higher the price climbs. "It would cost tens of millions to do for someone the size of IBM or Microsoft what we did for E-LOAN," says Larry Ponemon, PricewaterhouseCoopers' global leader of compliance risk management.
That's one reason to keep audits within the family, according to Cindy Braddon, a VP at publisher McGraw-Hill and cochair of the company's privacy steering committee.
In place since the end of 1997, McGraw-Hill's policy is a work-in-progress as the regulatory and technological landscape shifts, Braddon says. Other than hiring outside legal experts to help draft the policy and advise on international issues, the company has kept the process in-house. With more than 80 Web sites, the 16,500-employee company has appointed a privacy supervisor for each division's audits and updates. Braddon says it's difficult to pinpoint the costs of privacy because they're interwoven with the costs of security, human resources and regular IT upgrades.
For example, the privacy committee ordered a company-wide database upgrade to flag whether a customer wanted responses by e-mail, fax, phone, a combination of these or none.
McGraw-Hill eschews third-party seals of approval. "Our own brand is our seal," Braddon says. It's a sentiment echoed by other well-known brands like American Express, which sponsors the BBB Online program but hasn't applied for a BBB seal.
There's plenty more pain once the auditors put away their fine-toothed combs. Complying with their recommendations can mean redesigning Web sites and other systems like databases. One KPMG client recently spent $250,000 to redesign the way customer information travels to its databases and to create a separate "opt-out" database for customers who don't want their personal information reused, says Ronald Koorn of KPMG's information-risk-management program. A company may also have to put money into retraining its employees, from the customer call center to the human resources department.
An auditor may recommend giving customers the option of saying goodbye forever – a cardinal sin in marketing. PricewaterhouseCoopers "recommended we should allow people to opt out of having any future communication with us," says E-LOAN's Larsen. "It's painful, but we have to allow it."
In today's data-driven climate, E-LOAN is refreshingly zealous in its refusal to run third-party ads on its Web site, thereby assuring customers that their loan data isn't being passed on to advertisers. Other companies that traffic in sensitive personal data, such as prescriptions, payroll information and medical and financial records, would be well-advised to consider similar measures. A warning shot has already sounded from Europe, as the European Union has criticized the largely self-regulatory stance championed by the White House. The E.U.'s privacy directive compels companies to disclose to individuals, upon request, the information being stored about them. The E.U. could eventually block the transfer of personal data beyond national borders.
So how or when do privacy measures boost a company's bottom line? The quick answer: It's too soon to tell. Giving customers more control over their personal information and winning their trust, and eventually their business, is a long-term proposition.
In the short term, marketers could see a reduction in "dirty data" – false information submitted by people who are nervous about privacy. In theory, a clear policy will coax customers into providing more truthful data.
One benefit of cleaner data is less misdirected e-mail, an additional cost savings. Sending bulk e-mail is cheap – much to the chagrin of spam haters everywhere – but not free. E-mail outsourcer Exactis sent out 135 million e-mails last month, 10 percent to 15 percent of which was missent, according to CEO Tom Detmer, who expects it to double in two years. And missent mail has another cost: It can alienate the people who receive it. "It builds animosity to your brand," says Shop2u.com President Keith Wardell.
Eventually, a more sophisticated understanding of privacy matters on the part of both consumers and marketers could give individuals the power to charge marketers for the use of their personal data. Such "privacy marketplaces" will require much more education all around and a complex infrastructure to allow on-the-fly negotiations. Before that day comes, marketers tempted to reuse the flood of online personal data will have to prove to wary customers that, if they want, their information will stay their own.
Kathi Black contributed to this story. >>