A Passion for Privacy: Three Chief Privacy Officers Reflect on a Decade of Work Creating a More Trustworthy Computing Ecosystem

REDMOND, Wash. — March 7, 2012 — A mountain climber turned database whiz. A customer loyalty manager for one of the world’s largest banks. A quality assurance and risk management consultant.

The career arcs that led Richard Purcell, Peter Cullen and Brendon Lynch to Microsoft couldn’t have been more different. Yet, in their own unique way, each path was preparation for serving as the corporate privacy officer of one of the world’s largest software and services companies.

To mark the 10-year milestone of Microsoft’s Trustworthy Computing initiative, Purcell, Cullen and Lynch recently looked back at key privacy efforts on their watch and ahead to social and marketplace trends that will change how privacy is managed in the decade ahead.

Purcell, an avid outdoorsman, got his start in technology in the 1980s when he went to work for Early Winters, a Seattle-based catalogue company that sold outdoor recreational equipment. Like many retailers at the time, Early Winters knew little about its customers. So Purcell developed computer models to analyze hundreds of thousands of customer orders. That led to a job at Microsoft analyzing and streamlining the company’s fast-growing information databases.

In 2000, Microsoft established the Corporate Privacy Group and appointed Purcell as senior director of privacy. It was the first appointment of a corporate privacy officer by a multinational company.

With a staff of two, Purcell developed corporate privacy principles to guide business practices and internal processes to help teams apply those principles. He also worked with business groups to encourage an atmosphere of compliance.



From left to right: Former Chief Privacy Officers, Peter Cullen and Richard Purcell, along with current Chief Privacy Officer, Brendon Lynch, who discussed the past, present and future of privacy at Microsoft.

Externally, Microsoft began to garner attention for privacy features in key products and services. Microsoft.com was the first multinational, multilingual website to incorporate notice and consent provisions in its data-collection efforts. Internet Explorer 6, the most widely used browser at the time, gave users a way to control how their personal information could be used by websites.

One challenge Purcell faced was creating a unified privacy strategy that could be applied consistently, yet meet a rapidly evolving continuum of government privacy requirements. “The challenge for a global enterprise is to understand the culture and policies of the various countries where you’re doing business — and to harmonize your approach to privacy across all of your activities, regardless of the country,” Purcell says.

In January 2002, Bill Gates sent an email to employees saying that as more people connected to the Internet and used Web services and applications, “building trust into every one of our products and services” was the company’s highest priority. He emphasized that protecting users’ privacy would be a key pillar of the company’s Trustworthy Computing efforts.

In 2003, Purcell recommended that Microsoft hire Peter Cullen as his successor. At the time, Cullen was chief privacy officer of the Royal Bank of Canada — a position to which he was appointed after advising upper management that the bank needed to, and had an opportunity to, take a more proactive approach to protecting and managing its customers’ financial information.

Before accepting the offer, Cullen visited Microsoft and was intrigued. “I saw a lot of interest and focus on privacy, but it was fragmented,” he recalls. “As is probably typical in maturing companies, people were in their silos, and there were many ad-hoc processes. It was very different from what I was used to in a 135-year-old risk-based organization.”

Cullen also saw that many people at Microsoft cared deeply about privacy. “I thought the company had a really interesting opportunity to bring all those disparate pieces together into a more comprehensive privacy strategy, and then leverage that to drive trust,” he says.

After accepting the position, Cullen quickly moved to convert a loose federation of privacy experts at Microsoft into a Privacy Management Committee. He also asked his team for a copy of the company’s privacy policies. They handed him a 200-page employee handbook on privacy that included a little bit of everything — aspirations, some legal requirements and various employee training materials.

So Cullen and team set about creating and getting senior leadership to approve a new Microsoft Privacy Standard for Development (MPSD), a set of requirements to guide engineers in software development. Although the MPSD to a large degree codified existing privacy policies and processes at Microsoft, it was a critical step in establishing consistent expectations and best practices companywide. (The MPSD and other subsequent privacy standards were eventually combined into a single Microsoft Privacy Standard.)

Cullen and his team also developed internal training sessions — mandatory for any employee or vendor touching customer information. To date, more than 80,000 people have taken the training.

“All of these things really embedded privacy into the company’s infrastructure,” Cullen says. “Few other companies in the world had that same level of investment.”

In 2010, Cullen’s role evolved to general manager, Trustworthy Computing, and Brendon Lynch was appointed as chief privacy officer.

Twenty years earlier, when Lynch graduated from college in his native New Zealand, privacy was barely on the radar of most companies. But a decade of experience helping companies manage risk, comply with quality assurance standards and improve professional service delivery prepared Lynch to jump in as privacy emerged as a critical issue for many organizations.

Before joining Microsoft, Lynch helped establish a privacy consulting practice for PricewaterhouseCoopers. That was followed by a stint as director of privacy and risk solutions for Watchfire, a security and compliance-testing software company.

Lynch came to Microsoft in 2004 to help develop strategies for new privacy-enhancing technologies, so he was well-prepared to take over as chief privacy officer. In that role, he oversees internal privacy policies, processes and training programs and is responsible for the company’s external engagement on privacy issues with policymakers, advocacy groups and other industry leaders.

Lynch credits the company’s senior leadership with recognizing more than a decade ago that an effective privacy strategy must span governance, technology and industry engagement. Today, he believes strategy sets the company apart.

“We come at privacy from the standpoint that trust is the foundation of the customer relationship,” Lynch says. “We also believe it is in our strategic interest to ensure that our customers’ information is protected. We don’t just approach privacy from a legal compliance perspective. For us, it’s about building, earning and retaining the trust of our customers.”

Because Microsoft’s products and services are in the market for years, Lynch says they need to be “future-proof” — particularly in the enterprise cloud space where privacy and security are big concerns for customers thinking about outsourcing.

To accomplish this, Microsoft embedded more than 40 full-time privacy managers inside product groups, where they work directly with development teams to ensure that privacy is addressed at all stages of the software development process. (Several hundred other Microsoft employees support privacy in different capacities.)

In the development of Microsoft Office 365 — Microsoft’s cloud-based productivity service — a team of privacy professionals worked with Microsoft engineers, business planners and marketers to ensure that strong data protections were incorporated from the start.

Privacy considerations were also top of mind in the development of Kinect, a hardware accessory for the Xbox 360 game console, because it uses facial recognition technology to identify gamers and body movement information to allow users to control games.

In Internet Explorer 9, a feature called Tracking Protection was incorporated to gives users choice and control about the information third-party websites can potentially use to track their browsing activities.

But as Lynch notes, new technology and business models — the growth of cloud computing, online advertising and collection of location-based data — will influence how companies, individuals and policymakers view privacy.

“Right now, we’re in a world where the sands are shifting constantly, and people are looking to define how core privacy principles apply in these spaces,” Lynch says.

Cullen, Lynch and Purcell agree that the current privacy framework most companies use isn’t keeping pace with the evolving technology landscape or the explosion of customer data.

“The net effect of where we are today is that consumers are expected to effectively understand and control all collection and use of their information — in effect, police their own environment,” Cullen says.

They also agree that a more suitable framework would shift more responsibility to organizations, with an expectation that they will abide by principles of appropriate and expected use of customer data.

Companies that ignore consumers’ growing concerns about how their information is used do so at their peril, Purcell adds: “Just as we have learned that natural resources must be handled with a standard of care, organizations need to treat customer information as a strategic asset, and nurture it as opposed to exploit it, in order to have long-term business success.”

For more information, visit www.microsoft.com/privacy.