RFID Vendors Need a Privacy Strategy

By Kirk J. Nahra and John W. Kuzin

June 19, 2006—News reports continue to raise fears that RFID will be used to monitor consumers' personal lives. These reports demonstrate firsthand that RFID solutions providers that do not account for privacy and security concerns in their product development, marketing and sales cycles will be at a substantial disadvantage to those providers that do. A report published in the June 2006 issue of Consumer Reports (see Consumer Reports Looks at RFID) strongly implies the industry has decided to keep its head in the sand and hope privacy and security concerns will subside. Even though the implication is false, the likelihood of privacy and security concerns dissipating is slim.

Given how the press has followed the National Security Agency's alleged monitoring of phone calls made in the United States, it is much more likely that privacy and security concerns raised by RFID will continue to swell. In fact, a recent poll found 70 percent of Americans to be "worried about the invasion of privacy through new technology." This percentage was the highest among all countries surveyed, according to a poll taken by Roy Morgan International (see Five Countries Review Privacy, Technology).

Kirk J. Nahra

RFID solutions providers that work closely with their customers to develop a strategy for ensuring privacy and security compliance will be rewarded. Those that can demonstrate a deep understanding and appreciation of the concerns raised by applications including personally identifiable information (PII) will be more likely to gain customers' trust and close more substantial deals than those that only offer lip service to those concerns. How can RFID technology vendors use the issues of privacy and security affirmatively to give themselves a competitive advantage?

Develop a Compliance Strategy
RFID solutions providers should develop an appropriate program for managing their customer relationships from a privacy and security standpoint. It should be no surprise that the marketing credo of "know the customer" applies with equal force to RFID privacy and security issues. Solutions providers need to understand how and why their customers use PII, what they do with it and with whom they share it.

RFID solutions providers will find that many of their end-user customers outsource data management tasks, including those that involve PII. While the majority of domestic and international privacy laws permit outsourcing, the outsourcing of business operations involving PII introduces added risk (legal, political and reputational). These risks are made real by widespread publicity about security breaches and enforcement actions from regulators aimed at companies suffering such breaches. The emerging standard for addressing these issues from a legal perspective is to require additional oversight of end-user customers—at the front-end, due-diligence stage and at the back-end, through both comprehensive audits and spot-check assessments. Most end-user customers recognize this to be a serious and daunting challenge, one that must be taken seriously to avoid harming their business reputation.