DR TYRONE W A GRANDISON
  • Home
  • Documents
    • Publications
    • Patents
    • Blog
    • External Posts
  • Service
    • Professional Activity
    • Memberships
    • Skills + Certifications
    • Recognition
    • Talks
  • Public Relations
    • News Articles
    • Audio & Video
    • Other Webpages
    • Bio
    • Press Kit
  • Contact

Why Companies Don't Protect User Data?

3/31/2014

1 Comment

 
Picture
It occurred to me this morning, while going through my news feeds, that it may not be obvious to everyone why companies do not (and are hesitant) to protect customer data.

The "Really?" moment came while I was reading "Customer Data Requires Full Data Protection" by Christopher Burgess.

I took it as a given that most people knew intuitively why enterprises choose not to protect customer data; as they do their intellectual property.

It never occurred to me that it was a mystery to the general public or that it was up for discussion or even an issue worthy of thought cycles by the industry punditry. This leads me to the obvious.


Risk

Customer data is their asset with the lowest risk profile. Even though it is necessary to help with the successful management of the customer relationship and for some businesses it is the driving force behind their value (or valuation), the impact of compromise (or damage) of that data has (relatively) little impact on the company itself. In legal terms, "harm" is done primarily to the data owner ("customer"), not the data steward ("company"). For example, each of the hundreds of millions of people affected by the Target breach face a lifetime of vigilance over their financial identity and activity. The possible harm is significant and the total impact on the data owners could reach the order of hundreds of billions of dollars. The possible harm for Target will be capped by legislative action and will be a (small) fraction of the company's profit margin. Over the long term, Target can weather this storm and still be a viable company - making this an acceptable risk. However, for their customers, this is potentially a life-altering event from which they cannot recover.

The Expense of Data

In most cases, customer data is either donated by the customer or gathered by the company's customer relationship managers. Compared to acquiring patents to protect the firm's business processes or generating information on optimizing their internal operations, the price and cost of customer data is negligible.

Cost- Benefit Tradeoff of Protection

Though the benefits of protecting data are well-established and the current trend of multiple daily attacks is not dissipating, the discipline of data protection is a risk management process (and rightly so). Protection technology is expensive to implement and incorporate into an existing business, has an (often negative) impact on the internal operations of the business (i.e. it impacts how you perform your core functions, it impacts the performance of those functions, it impacts the requirements needed to execute these functions) and is viewed primarily as a cost center (with no real, measurable return on investment at the time of installation). Thus, data protection is a defensive investment with perceived value only after security and privacy incidents have been thwarted. So, companies choose to deploy data protection technologies for the data that are of the highest value to them.

You put these factors together and you get our current state of affairs, where "cheap", "low-risk" (to them) customer data is often left unprotected because the benefit of doing so is not worth the cost of doing so. It becomes an acceptable (and tolerable) business risk that they can rationally take. Unfortunately, I believe this perspective is flawed and will do more harm than good in the long term.

The first step in solving this issue is to have companies realize that the damage done when customer data is compromised will have significant impact on their current and future profitability.

In this environment, Security and Privacy are competitive differentiators; at least until all companies are on the same page.

1 Comment

What Ever Happened To Our Data Privacy Rights?

6/5/2013

0 Comments

 
Picture

We can all agree that the data in our wallets and contained in filing cabinets in our homes are owned by us and we are well-aware that there are legally-stipulated rights that apply to the use, processing and disclosure of this data.

The idea of your data containing a dimension of physicality and of you having proximity (or possession) of your data underpins the way privacy law was constructed in the past and how it is being interpreted today by the legal community.

The problem with that paradigm is that there is no differentiation between the data itself and the container that holds that data. In the past, it was a valid abstraction to assume that both were the same. Unfortunately, with the advent of computers, your data and the computer that it resides on (or in) needs to be separated if an individual's privacy is to survive this and the next century.

Moving forward, there are two notions that should guide policy and technology in the privacy space.

First, your data is your data irrespective of where it resides. Be it your licence card (in your pocket), your tax returns (in your home office), your medical history (in your provider's computer) or your genomic data (in 23andMe's cloud). Unfortunately, over the decades, it has been beneficial for companies to leverage the expression "possession is nine tenths of the Law", which they invariably interpret to mean that all data under their purview is owned by them.

The second notion is that there is a clear distinction between data stewards and data owners. As a direct consequence of the first notion, the data owner is always the person who is the data is about, whether it is collected (directly or indirectly) or is the result of some processing. The data owner has the most to lose from the misuse of his data whether it is used actively against him or her, or for another purpose that seeks an advantage for someone else, e.g. money, procedures, etc. The data steward is the person or entity that has control of the container that holds the data. As such, there should be an expectation of "good stewardship", i.e. taking care of the data as if it were your own.

Why are these notions critical to our future?

Currently, the majority of consumers and or patients assume that their data is their property. Unfortunately, they are only aware of the truth of their situations when a company, which they trusted, experiences a data breach and it has negative effects on their ability to live their lives as they expect or want. Imagine the brand and reputational damage incurred by these trusted institutions. Imagine the harm inflicted on the naive consumer or patient. This situation is not sustainable and will not create a future where businesses can continue this behavior and still be profitable.

The core tenet of privacy is control. Alan Westin (in 1967) described privacy as "the ability to determine for ourselves when, how and to what extent information about us is communicated to others". This viewpoint, which is assumed by most people, has been surreptitiously eroded over the decades. To reconcile consumer expectations with actual business practice and to get back to the core of privacy, we need to factor these notions in future policies, systems and activities.


Additional Material
  1. Patient Data Ownership - Health 2.0 London Talk
  2. Patient-Centric Privacy: Envisioning Collaboration Between Payers, Providers & Patients With The Patient At The Core -
0 Comments
    Picture

    Dr Tyrone Grandison

    Executive. Technologist. Change Agent. Computer Scientist. Data Nerd. Privacy and Security Geek.

    Archives

    May 2018
    April 2018
    March 2018
    February 2018
    November 2017
    September 2017
    October 2016
    September 2016
    October 2015
    June 2015
    May 2015
    April 2015
    March 2015
    February 2015
    October 2014
    April 2014
    March 2014
    July 2013
    June 2013
    May 2013
    April 2013

    Categories

    All
    Data Owner
    Data Steward
    Privacy
    Purpose
    Technology

    RSS Feed

Picture
  • Home
  • Documents
    • Publications
    • Patents
    • Blog
    • External Posts
  • Service
    • Professional Activity
    • Memberships
    • Skills + Certifications
    • Recognition
    • Talks
  • Public Relations
    • News Articles
    • Audio & Video
    • Other Webpages
    • Bio
    • Press Kit
  • Contact