With reports of security breaches undermining consumer confidence in corporate information practices, it's never been more important for companies to define a privacy strategy. Yet few do. Why? I think it's because the privacy function is still misunderstood by many companies and not seen as critical to their business strategies. But the companies that "get it" will tap into huge unmet customer demand and gradually gain a solid market advantage over their competitors.
The drumbeat of security-breach notifications and the epidemic of phishing attacks this year have softened customer confidence in how companies manage and protect their personal information. Surveys by The Conference Board Inc. and Ponemon Institute LLC say that Web visitors are now warier than ever about providing their credit card information online, despite zero-liability guarantees by credit card companies for cardholders victimized by fraud (see "Survey: Consumers growing wary of buying online").
How do these trends affect your company's business objectives? They make it harder to earn customer trust, obtain accurate customer information and get their permission to market to them. Without a privacy strategy, companies whose business models depend on marketing directly to customers will suffer these setbacks.
But there's another catch. An overwhelming array of media choices -- numerous cable TV channels, blogs, podcasts and vast online libraries of music and video downloads -- are vying for customer attention. The result? Companies not only need a privacy strategy; they also need a sophisticated communications and marketing strategy linked with it.
Yet few U.S. companies are making this connection. A study last year by Carlson Marketing Group Canada and the Ponemon Institute found that U.S. companies predominantly view privacy as a risk to be avoided rather than as an opportunity to build customer trust. As a result, U.S. companies are far less likely than their Canadian counterparts to appoint senior-ranking privacy leaders who help formulate business strategy. Anecdotally, I haven't seen much change since last year along these lines.
So which U.S. companies do get it? Let me risk the ire of IT managers everywhere by saying that Microsoft Corp. gets it most of all. The "world's largest start-up" has several hundred staffers devoted to privacy and co-sponsors every significant privacy conference or initiative in the U.S.
Outside of the IT sector, The Procter & Gamble Co. gets it. Sandy Hughes, P&G's chief privacy officer, operates in the company's corporate strategy group. Hughes has been at the forefront of industry efforts to set privacy-responsible standards for radio frequency identification. She has set a global policy for P&G that says the whole company will abide by the strictest privacy standards in any of the 80 countries in which it does business. Why? "Because it's the right thing to do," Hughes says.
So what is a privacy strategy? If your company's business model depends in any way on customer information, your privacy strategy should include at least the following elements:
- A strategy map that demonstrates the cause-and-effect linkage of adhering to high privacy standards, building customer trust and loyalty and achieving your top-level business objectives
- A privacy policy that applies to all parts of your enterprise
- A governance model that includes an organizational chart and charter for overseeing the implementation of your privacy objectives
- A project plan that includes deliverables and timetables for implementing your privacy objectives
- A communication plan that describes how you'll make employees and customers aware of your privacy objectives
If your company doesn't yet have the foresight to support such a far-reaching approach to privacy, there's always the short version of a privacy strategy: Do only what the law requires, and never admit fault. But don't be surprised when your company falls well short of its business objectives when your customers finally connect the dots.