Retail Systems Research
Consumer Privacy & Data Security at CVS: A Cautionary Tale
By Brian Kilcourse, Managing Partner
2/24/2009
 
In RSR’s new study on data security and privacy, published just last week (Customer Data Security - Beyond Compliance: The Merging of Privacy and Security), one of our case study interviewees brought up an aspect of customer data security and privacy that doesn’t get discussed much. “What do you do with all of those pieces of paper?” he asked rhetorically. “How well do you dispose of them? Be it a private label credit card request, credit card slips, or employment application - store management in each of your stores can mishandle that paper – and suddenly you discover that you’ve had a reporter doing a dumpster dive, and you’re on the local news.”
 
If that seems a little over-dramatic, we offer this cautionary tale from last week’s news.
 
On February 18th, drug store chain CVS agreed to pay $2 million to settle a lawsuit resulting from allegedly allowing store pharmacies to toss sensitive customer information such as medical records and personal contact information. According to the U.S. Federal Trade Commission (FTC), CVS did not adequately protect sensitive consumer and customer information at its 6300 stores. Specifically, CVS failed to: “(1) implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal; (2) adequately train employees to dispose securely of such information; (3) use reasonable measures to assess compliance with its established policies and procedures for the disposal of such information; or (4) employ a reasonable process for discovering and remedying risks to such information.”
 
The practice of tossing such things as used prescription vials with labels still attached, printouts of patient (in pharmacy lingo, an Rx customer is called a “patient”) profile information, and other related sensitive information into open dumpsters is what got CVS into trouble with both the FTC and the U.S. Department of Health and Human Services (HHS), because these practices also violated aspects of the Health Insurance Portability and Accountability Act (HIPAA).
 
Now, a $2 million fine might seem like chump change to the Woonsocket, RI giant, especially when two days later, on February 20, it reported record earnings for the fiscal year just ended. But in the lawsuit agreement, the chain agreed to an audit regimen that lasts for 20 years. And then there’s that pesky issue of the brand. As any consumer who has prescription drug coverage knows, the experience of getting an Rx filled isn’t all that differentiating (at least in the positive sense). You call it in or stand in line for 20 minutes, show up later, stand in line (again) to pick it up, pay your co-pay, and walk out with a generic substitute. The experience is the same whether you go to a CVS, a Target, or your local food & drug combo. The reason you shop at a drugstore is, #1, because it’s convenient, and #2, because somewhere in the back of your mind you believe that a company whose core offering is pharmacy will be more professional about it. Part of that expectation is that the pharmacy will protect your privacy. In short, that’s part of their brand promise and part of your expectations as a consumer. That’s what CVS violated.
 
If any retailers still believe that pharmacy “patient” data, POS payment data, “market basket” data, online customer order or “click track” data, employment or credit card application data, or any other kind of data that can be associated with a specific person doesn’t have to be protected, they need to think again. Although customers want and even expect that data about them will be used to craft relevant solutions to their lifestyle needs, they also expect that their privacy will be protected.
 
And as the CVS story reminds us, the U.S. government expects that too.











