Companies treat privacy breaches as any other business risk
7 September 2006
Companies that collect your data won’t act responsibly until they are financially affected by their sloppy and thoughtless privacy practices. When you get the chance, read this fascinating overview of the condition of privacy controls among US companies:
At its core, protecting privacy is an information management issue. With the cost of computer storage plummeting, companies are maintaining more and more data, for longer periods of time, at rock-bottom prices. Executives are driven by the idea that any morsel of information about customer purchases, browsing habits and preferences could someday be valuable, so they simply can’t bring themselves to erase anything. Consequently, personal information and less sensitive details exist side-by-side in the same databases, often accessible by multiple programs throughout the organization, many of which have long been forgotten. Without a complete, up-to-date inventory of what data they possess and how it is being used, which data should be segregated and which can be freely shared, many companies are making privacy breaches a foregone conclusion.
CEOs and other executives may be neglecting privacy safeguards and rigid privacy policies because the cost of failing to protect data is not as high as is commonly believed. It is de rigueur for chief executives to publicly state that protecting customer data is critical, because trust is an essential part of the relationship businesses have with consumers. Yet a closer look at the price of an actual breach reveals that, while not insignificant, it can be relatively minimal. In a recent study of 14 lost-data incidents, encryption company PGP Corp. found that the average opportunity cost of a data breach, measured by the “loss of existing customers and the increased difficulty in recruiting new customers”, was about $75 per lost customer record. For typical successful retailers or financial services firms with billions in annual earnings, that represents an acceptable hit to the bottom line.
Moreover, in most cases, companies can easily avoid legal penalties for a data breach. There are nearly three dozen state laws that require companies to notify consumers if their private information has been leaked and a risk of identity theft exists. As long as these procedures are followed, companies are free from criminal liability for the leak itself.
The article goes on to describe how the European Union’s approach to privacy has forced some US companies to change their behaviour. However, a much bigger shift in actions and attitudes will occur when the United States adopts similar laws.
The EU’s data directive is the most stringent in the world. Passed in 1995, the legislation forbids companies in EU nations from using confidential information, which is quite broadly defined, for secondary purposes without the explicit approval of the consumer. That rule, and other restrictions allowing individuals access to companies’ personal data and providing ways to correct errors, go well beyond the privacy protections practiced by almost every U.S. company. Consequently, with the adoption of the EU directive, U.S. companies with European operations and sales activities found themselves in danger of being legislated out of a lucrative market.