Privacy Is Becoming Everyone’s Business
WASHINGTON — The business of privacy is booming.
Not since Y2K has an issue spawned such a cottage industry of consultants, accountants, public relations experts and law firms, all hoping to cash in on the growing corporate angst over privacy.
Among the Big Five accounting firms, PricewaterhouseCoopers and Deloitte & Touche have launched specialized units that sell comprehensive privacy audits to Fortune 500 companies for $50,000 to $150,000 each. At Ernst & Young, privacy-related business tripled last year.
IBM Corp., which does more than just make computers, was a pioneer in privacy consulting when it established a two-member practice in 1998. Three years later, it has built its staff of experts to 60.
And new privacy consulting boutiques such as Dallas-based Privacy Council and Guardent Inc. of Waltham, Mass., have venture capitalists lining up to pour money into them. Guardent, started in 2000, says it expects to achieve profitability by the end of the year and become the first privacy-consulting start-up to issue stock publicly.
“This business is about solving some very messy problems with no quick fixes,” said Larry Ponemon, who led PricewaterhouseCoopers’ privacy practice until he became Guardent’s president in February. “There’s so much confusion in the marketplace about privacy, it’s created a bubble for consultants like us who can provide solutions.”
Driving the demand for privacy advice are growing consumer anxiety about data collection, new state and federal privacy laws and tougher enforcement of existing laws. Gartner Dataquest estimates that privacy consulting, a $300-million business in 1999, could bring in $1.8 billion by 2003.
“We’re already making money in this space, but we think the best years are to come,” said Steve DelVecchio, a PricewaterhouseCoopers partner.
Like others in the competitive consulting business, the firm declined to release revenue figures or identify clients. But most predict that privacy consulting will become a permanent niche, rather than a fad.
In fact, many consulting firms have enjoyed robust privacy-related business at their European operations for years. In the U.S., recent laws such as the Gramm-Leach-Bliley Act, which required financial institutions to tell customers how they use personal information, and the Health Insurance Portability and Accountability Act, which restricts patients’ medical records, helped spur demand at home during the last year.
U.S. firms that do business abroad also face a plethora of foreign laws, creating even more confusion. “Large multinational companies are having to deal with privacy requirements that sometimes are conflicting,” said Elizabeth Krentzman, partner at Deloitte & Touche, which recently began hawking its privacy-consulting services in Fortune magazine.
Privacy-related services and products run the gamut. For about $2,000, Privacy Council offers a three-day training program for “chief privacy officers.” For between $10,000 and $50,000, Montreal-based ZeroKnowledge conducts a “privacy risk assessment,” testing a company’s databases, training employees and in some cases building computer systems to prevent information leaks.
PricewaterhouseCoopers charges about $15,000 for its standard Web site seal, verifying that a company’s privacy practices match its policies, DelVecchio said. A more thorough check-up, in which the accounting firm attests to its client’s privacy practices in writing, costs upward of $50,000.
For companies seeking a top-to-bottom privacy and security review, the consulting bills can reach into the millions of dollars, including the costs of software and technology.
In some cases, such reviews can last several months. A team of consultants combs through a company’s computers, records and databases, analyzing how personally identifiable information about customers or employees is used. They review training procedures for workers who handle sensitive data. To ensure ongoing compliance with the company’s stated privacy policy, some consultants test a company’s security systems on a regular basis, sometimes by attempting to hack into a database as a criminal would.
PricewaterhouseCoopers got the call when a large consumer products company decided to launch a variety of new Web sites built around individual products and brands. The sites would collect personal data from consumers to sell them products and offer coupons. The accounting firm helped the corporation develop a companywide privacy policy for how such information would be handled and then tested each of the sites to ensure they were in compliance.
Another U.S. company was preparing to launch an online business and wanted to stand out from the competition by adopting the industry’s toughest privacy and security practices. PricewaterhouseCoopers examined rivals’ practices and then helped the company take its own practices one step further. The accounting firm also helped the corporation apply for a certification seal from two self-regulatory programs, Truste and BBBOnline.
The advice and services don’t come cheap, but they might be less expensive than a privacy lapse that becomes public.
John McCarthy, group director at Forrester Research, estimates that a small company might pay $44,000, including public relations costs, management time, customer service and outside consultants, to cope with a controversy about its use of personal information. At a large company, the cost could exceed $1 million.
That might explain why public relations giant Weber Shandwick decided last year to jump on the privacy bandwagon, creating a unit to help companies that suddenly find themselves in the public spotlight about their information practices.
“After DoubleClick became the poster child for bad privacy, there was a lot more interest from our clients,” said Weber Shandwick Vice President Rosabel Tao, referring to the public relations storm about the Internet ad firm’s ill-fated plan to link consumers’ anonymous Web-surfing habits with their names. The company quickly dropped the idea.
Other familiar corporate names that have had to defend their privacy practices are Intel, Amazon.com, Microsoft, America Online and Toys R Us.
Executives at many large companies, consultants say, are frequently unfamiliar with the extent of their own information-gathering practices, which might extend to dozens of subsidiaries and millions of Web pages. Many companies violate their own privacy policies, triggering investigations by the Federal Trade Commission or suits from customers.
As during the Y2K consulting boom, those peddling privacy advice are facing criticism that they sometimes hype privacy fears, exaggerate problems or lobby for tougher laws that might stimulate need for their advice.
“Some players out there are putting unreasonable fear into the public perception of this issue,” said Rick Lane, director of Internet technology for the U.S. Chamber of Commerce.
PricewaterhouseCoopers, for example, warns potential clients on its Web site about the “billion dollar privacy class-action litigation industry,” even though so far lawsuits have yielded mostly small settlements.
Privacy Council took heat this spring for a public briefing it gave the Congressional Privacy Caucus, which is considering the need for tougher laws. The highlight was a dramatic demonstration of how a Web site was using hidden “Web bugs” to illegally steal information from the computers of Internet users who simply visited the site. Later, the company clarified that it had created the Web site with a consulting partner as a theoretical illustration and said it knew of no actual sites that used Web-bug technology in such a way.
“I was outraged,” said Christine Varney, head of Online Privacy Alliance, a business trade group also invited to the event. “Here was a company that makes money selling software and consulting services.”
Gary Clayton, president of Privacy Council, said there was no intention to mislead the caucus or audience members. He stressed that his company does not specifically sell products to help businesses protect themselves from Web bugs.
“We were just trying to alert businesses and people to the issues they need to be aware of,” Clayton said.