Inside 1to1:Privacy

IBM's Privacy Strategy: Trust Enables Innovation

January 1, 2008

By Jay Cline, CIPP

When IBM became the first known corporation in October 2005 to announce that it wouldn't use genetic information in employment decisions, some observers may have thought Big Blue was taking an altruistic stand. But Harriet Pearson, IBM's CPO since 2000 and architect of the policy, connected the policy to a business objective:  build trust in corporate handling of genetic information. This trust could in turn pave the way for IBM's -- and its clients'-- innovations in the new area of personalized medicine.

"We are taking this step today because it is the right thing to do," IBM's Chairman and CEO Sam Palmisano said in a letter to employees about the policy change, "for the sake of the innovation that lies just over the horizon, and because it is entirely consistent with our values and with who we are as a company."

The IAPP last month awarded Pearson the IAPP/Deloitte & Touche Vanguard Award for a string of similar accomplishments. The award "honors the privacy professional who best demonstrates outstanding leadership, knowledge and creativity through privacy programs and practices that have a lasting impact on the profession."

Today's absence of Social Security Numbers on U.S. health-insurance cards, for example, can be traced in part to one of Pearson's initiatives. In 2002, she and the physician who heads IBM's health-benefits programs used IBM's purchasing power -- the company spends $1 billion annually to cover 500,000 employees, dependents, and retirees -- to help reduce the risk of identity theft.  Their pivotal action was to notify over 100 insurance-company CEOs that IBM thenceforth would be including in its purchasing criteria whether or not their companies had eliminated SSNs from cards and other easily-viewed documents.

The ubiquity of Web site privacy notices also owes a debt to Big Blue. In 1997, when IBM was the second-largest purchaser of online ads, the company announced it would only buy ads on sites that posted privacy policies. Various measures at the time estimated one-half to two-thirds of U.S. sites posted privacy policies, a figure that topped 95% in the ensuing years.

Inside: 1to1 Privacy
recently caught up with Pearson, who explained that in order to understand why moves like these are part of IBM's business strategy, people would benefit from understanding how the company is now positioned.

The world's largest computer enterprise started in 1911 as the Computing-Tabulating-Recording Company, a manufacturer of time recorders and scales. Today, the Armonk, New York-based company employs almost 370,000 in 170 countries.  IBM's $91 billion in annual revenues is divided roughly evenly among computer hardware, computer software, and business and technology services.

According to Pearson, it's important to understand the global nature of IBM. Half of the company's revenues are generated outside the U.S., over half of its employees live outside America, and all key businesses and support functions operate as global units. Taking a truly multinational approach on its policymaking is a given.

The role of continual innovation is also centerstage at the company. For the last 14 years, IBM's Research Division and business units have earned more patents than any other company, and it counts 3 Nobel Prize winners among its employees.

"We use that expertise to help our clients and partners innovate their business and technology models," Pearson said. "It makes sense to consider and plan about issues like privacy and security alongside that innovation."

Writing in Foreign Affairs in 2006, Palmisano proposed that companies seeking to take full advantage of the globalization phenomenon will need to incorporate trusted information practices into their strategy.

"A challenge [in shifting to globally integrated enterprises] will be to figure out how to maintain trust in enterprises based on increasingly distributed business models," Palmisano wrote. "A company's standards of governance, transparency, privacy, security, and quality," he continued, "need to be maintained even when its products and operations are handled by a dozen organizations in as many countries."   

Pearson sees her job as integrating the company around the CEO's point of view.

"Getting privacy and data protection right is a team effort," she said. "I'm fortunate to lead a world-class team of privacy pros who work directly with our business units all over the world to help our business leaders set and follow leadership policies and practices."

The team is truly global," Pearson added.  "It includes the first corporate CPO ever appointed in India, our global privacy compliance leader who happens to be based in Canada, and a team of European specialists who support the complex statutory requirements in that part of the world."

What privacy innovations are on the horizon for Big Blue?

"Global data flows," Pearson said. "We have to find more effective ways to access data across borders and across organizations in an accountable way.  I'm optimistic that progress can be made here, working together with other global organizations and policymakers who see the need for workable models.  I think this is one of the key issues in 2008."


Cline is President of Minnesota Privacy Consultants and can be reached at cline@minnesotaprivacy.com