Thank you Mr. Chairman for
inviting me to share IBM’s views.
My name is Harriet Pearson
and I am the Chief Privacy Officer of the IBM Corporation. IBM is the
largest information technology company in the world. We develop and manufacture
many of industry's most advanced technologies, including computer systems,
software, networking systems, storage devices and microelectronics. We also are
the world’s largest e-business services company, delivering strategic
consulting and helping our clients to use information technology to improve
their internal operations and service to customers. This gives us a unique
vantage point from which to comment on privacy issues, working as we do on a
global basis with companies, governments, and organizations of all sizes.
IBM has a long-standing
commitment to privacy. In the 1960s, IBM developed one of the first global
privacy approaches for business, focused around employee privacy. As the
computer revolution progressed, we supported privacy legislation to protect
e-mail and medical information. IBM remains a leader in privacy and security
technology – currently holding over 600 patents for such technologies. IBM was
the first online advertiser to announce that it would only advertise on Internet
sites that posted privacy policies. Last year our CEO, Louis Gerstner, appointed
me as IBM’s Chief Privacy Officer to confirm that IBM has the right internal
policies in place, to help unify our many privacy research and technology
initiatives, and to engage customers and policymakers worldwide about privacy
issues.
I’m certainly not alone at IBM
in my efforts. We have a privacy team that works across IBM in areas like
marketing, development, services, human resources, and legal. The effort is
complex for large companies. IBM is an $88 billion company that employs more
than 300,000 people in the United States and operates in 160 countries. On the
Web, ibm.com has more than a million pages of content and each site needs
to have a privacy statement.
Externally, IBM’s Privacy
Consulting and Technology teams are helping organizations implement sound
privacy practices and giving them the tools to do so. At all levels, IBMers
speak out about the importance of privacy and are backing their words with
actions to help build a responsible marketplace that can earn people’s trust.
In short, privacy is a priority within IBM and it is important to the health of
the marketplace in which we operate.
How IBM Uses Customer Data
IBM policies and practices are
designed to let us use data creatively and responsibly. Most of IBM’s
customers are corporate rather than individual clients. In both situations we
work to identify likely customers, understand their needs, and market to them.
We strive to offer the right solutions, deliver orders efficiently, offer strong
service and support, and maintain good relationships in hopes of earning future
sales. All of these normal business functions require the collection and
effective use of data about individuals.
For example, when an individual
or small business owner purchases an IBM Aptiva or ThinkPad personal computer,
we ask them for information about their purchase, their name, address, phone,
e-mail and preferences about being contacted. As a special service for those
customers willing to take the time to register with our Owner Privileges
program, we use this information to provide a free e-mail newsletter,
prioritized telephone handling through a special toll-free number, and special
offers for registered customers (e.g. coupon for free stamps from Stamps.com).
We inform customers about their
choices not to receive further marketing materials from IBM, and respect their
preferences. We might also use third-party sources like the National Change of
Address Service managed by the U.S. Postal Service to verify address changes. We
thus use customer information to provide better and more-tailored service, while
solidifying the relationship with the customer.
The net result? In this and other
situations involving customer information, IBM is able to offer services
better-targeted to those who might be interested, while at the same time
delivering fewer solicitations to people who are not.
IBM has a set of corporate-wide
policies and practices to govern our actions when we use personally identifiable
data and we train IBM professionals who are bound by these policies and
practices. Our policies also require that we put in place contractual
protections when we share data with business partners and suppliers.
When IBM gathers personally
identifiable information online, we offer notice of our privacy practices and
inform the individual of their choices regarding the use of that data. In the
case of e-mail solicitations, IBM requires that the individual first give his or
her permission before the e-mail is sent unless we already have an existing
business relationship. Our policies require that we safeguard the information in
our possession and limit its visibility.
IBM is leading within a larger
business trend of taking action to be accountable on privacy. In just the past
few years, we’ve seen a rapid growth of the number of online privacy
statements, chief privacy officers, privacy technologies, seal programs, and in
the U.S., targeted laws to protect sensitive information. This subcommittee
should be proud of its work to explore what further needs to be done. To best reap
the benefits of the information economy and preserve privacy in the process,
there must be a balanced approach. IBM believes it should begin with an
understanding of what the future holds.
The Future of the Information Economy
Much has been said about the
demise of the information economy in the wake of the dot.com meltdown. In fact,
however, we are still in the early stages of a global technological
transformation that will revolutionize our society over the next 25 years,
driving our economy and exponentially expanding our opportunities. The
transformation is being fueled by the rapidly increasing power of the technology
itself and of information networks. These enable new models for business, health
care, education and government.
The Internet will transform every
important business transaction and relationship. This includes improving
relations with customers, but much more. It also means transforming relations
with people who want to invest with you and people who want to work for you.
Companies also will use the Net to integrate supply chains that connect an
enterprise to markets and industries. Internal transactions, such as order
processing, fulfillment, logistics, manufacturing and employee processes, will
be faster and less costly.
Companies will even be able to be
in contact with their products -- appliances, industrial machinery, consumer
electronics -- so the company can provide after-sale service, understand product
performance, and make improvements. Government will evolve similarly, as
taxpayers will expect not only online services, but also efficient management.
The benefit is very significant in hard dollar savings and cost avoidance when
transactions are performed on the Web as opposed to the old paper format. For
example, IBM saves 70 percent on transaction costs when we use the Web and we
have seen many similar results across industry as a result of e-transformations.
However, all this adds up to
massive data collection and management and requires a heightened awareness and
commitment to privacy throughout our society.
My colleagues and I at IBM see
first-hand how thousands of companies use information to improve their
service and products for consumers -- we've helped over 18,000 businesses
successfully leverage the Internet. And these companies use consumer information
in ways very similar to the companies at today's hearing, and with much the same
level of concern for consumer satisfaction and privacy.
Here are some examples:
A multi-billion dollar US-based
financial services firm uses state-of-the-art database technology in a way
that's allowed them to anticipate customer needs and to respond rapidly. The
company uses customer information to help it pinpoint delinquencies early, so it
can work harder and earlier with customers to help them become solvent again. It
can better tailor product offers to those who might be interested -- for
example, offering coupons toward phone service for those customers who achieve a
certain level of usage. The firm's objective is to treat all of its customers
with the same level of respect and to discover what is important to each
customer.
A utility company uses the
consumer information it collects to identify customers that may be interested in
additional services and market them accurately; to further customize rates and
offer analysis to specific customers; to generate personalized reporting much
faster than it was able to previously; and to diversify their service offerings
and react quickly to new business opportunities.
A grocery store chain uses
information about consumer product purchases to: make better decisions about
which items to stock and when; to offer customized discounts and other offers on
those products which an individual customer buys or may be likely to be
interested in; and overall to reduce cost and run the company more efficiently.
It is clear that the fullest
fruits of the information revolution will remain untapped unless individuals can
understand how information about them is collected and communicated to others.
This lack of knowledge can drive feelings of mistrust, fear, and a loss of
control. Individuals also must understand that they benefit from information
exchanges in terms of savings, convenience, services, and jobs. Many surveys
show that people want products quickly and conveniently and want high levels of
service. They realize that some information exchange is needed.
Importantly, individuals must be
able to exercise choices and feel that the system is under control. They must
feel confident entering into data sharing relationships with banks, doctors,
credit card companies, grocery stores and their government. This is the heart of
the privacy challenge.
Need for A Broader U.S. Privacy Debate
Agreement is emerging around the
world that private sector initiatives are critical to address privacy concerns
in day-to-day commercial activities. Even in environments that embrace strict
data processing regimes like the European Union, governments recognize that
robust and accountable market-led measures must play a prominent, if not
preeminent, role. Europeans call it "co-regulation." In the United
States it is often referred to as industry self-regulation.
Business leadership is crucial
because governments do not have the manpower, technology, or jurisdictional
authority to comprehensively monitor consumer transactions in cyberspace, nor
would many people want government to carry out such a task if it could.
This brings me back to the question I posed earlier about preserving privacy and
the benefits of the information economy: Is there a balanced approach between
government regulation, industry action, and individual responsibility?
As this subcommittee established
at an earlier hearing, approximately 30 federal laws regulate privacy in some
form. These laws tend to focus on (1) preventing fraudulent or harmful uses of
data (e.g. identity theft, employment discrimination, deceptive trade practices,
or surreptitious monitoring of e-mail) and (2) establishing special rules and
protections for sensitive information (e.g. financial, medical, and children’s
data).
Layered upon these protections
are industry initiatives like privacy policies, seal programs, industry codes of
conduct, and suppression lists for telemarketing and commercial e-mail.
Furthermore, people can use privacy technologies to control cookies or to surf,
shop, and send e-mail anonymously. Many are free and some are being built into
the architecture of the online marketplace (e.g. the Platform for Privacy
Preferences).
U.S. law and practice reflect a
desire to balance individual privacy and the societal benefits of data
availability (e.g., economic efficiency, free speech, accountable government).
This is a solid framework and should be the basis on which any new or modified
U.S. privacy regime is built.
Some have asked, "where is
the harm" in data collection as a rhetorical question to imply there is no
harm or risk. We should ask the question in earnest. And then answer it by
devising responses to people’s real and legitimate concerns about data, such
as identity theft, financial fraud, disclosure of embarrassing information,
employment discrimination, denial of insurance, government seizure, or nuisance
issues like spam. We should not create laws because of a vague notion that data
collection itself is harmful.
We need to examine the incidence
of these concerns, identify their causes, assess any harm they may cause, and
then as leaders--in government and the private sector--ensure that an
appropriate policy regime is in place. Too much of the privacy debate now
speculates on how commercial data might be used without going through
these steps. We should identify a spectrum of privacy concerns and link them
with protections afforded by current law and practice. Most Americans are
unaware of the privacy protections afforded them now by the Fair Credit
Reporting Act, the FTC Act, the Network Advertising Initiative, the Privacy Act,
the Electronic Communications Privacy Act, and the Fourth Amendment.
Against this backdrop we should
review proposals by Members of Congress and consider what further actions might
be appropriate for industry or the Administration. This subcommittee has
demonstrated that privacy has many dimensions and is complex, but I sense that
we are beginning to gain a fuller knowledge and perspective that will allow us
to enter a more productive dialogue on privacy and to craft appropriate responses.
In summary, we should build on
current law where necessary and link solutions to people's top priorities. We
appreciate the subcommittee’s thoughtful examination of privacy issues and
the critical role you will play in shaping balanced, appropriate responses. IBM
is committed to continue being a constructive player in this process. For
example, we have joined with other companies in groups such as the Privacy
Leadership Initiative to further the contributions that the private sector can
make to understanding these complex issues and communicating helpful information
to fellow business and consumers.
Most companies agree that any
U.S. privacy regime should be a national solution, not a patchwork of fifty
conflicting regimes. The regime should encourage transparency and choice. It
should hold government and non-profit organizations accountable to similar
standards asked of industry. It should neither discriminate against the Internet
nor create new private rights of action.
In summary, IBM believes that
the best privacy model is a layered approach of responsible industry action,
consumer-empowering technology, and targeted government action that promotes
transparency, protects sensitive information, and appropriately addresses
harmful and fraudulent data practices. This framework can build consumer trust
and remain flexible enough to allow companies to offer the convenience, savings,
services, and jobs that benefit our citizens.
Thank you for this opportunity to
share our views.