It occurred to me this morning, while going through my news feeds, that it may not be obvious to everyone why companies do not protect (and are hesitant to protect) customer data.
The "Really?" moment came while I was reading "Customer Data Requires Full Data Protection" by Christopher Burgess.
I took it as a given that most people knew intuitively why enterprises choose not to protect customer data as they do their intellectual property.
It never occurred to me that it was a mystery to the general public or that it was up for discussion or even an issue worthy of thought cycles by the industry punditry. This leads me to the obvious.
Customer data is their asset with the lowest risk profile. Even though it is necessary to help with the successful management of the customer relationship, and for some businesses it is the driving force behind their value (or valuation), the compromise (or damage) of that data has (relatively) little impact on the company itself. In legal terms, "harm" is done primarily to the data owner ("customer"), not the data steward ("company"). For example, each of the hundreds of millions of people affected by the Target breach faces a lifetime of vigilance over their financial identity and activity. The possible harm is significant and the total impact on the data owners could reach the order of hundreds of billions of dollars. The possible harm for Target will be capped by legislative action and will be a (small) fraction of the company's profit margin. Over the long term, Target can weather this storm and still be a viable company - making this an acceptable risk. However, for their customers, this is potentially a life-altering event from which they cannot recover.
The Expense of Data
In most cases, customer data is either donated by the customer or gathered by the company's customer relationship managers. Compared to acquiring patents to protect the firm's business processes or generating information on optimizing their internal operations, the price and cost of customer data is negligible.
Cost-Benefit Tradeoff of Protection
Though the benefits of protecting data are well-established and the current trend of multiple daily attacks is not dissipating, the discipline of data protection is a risk management process (and rightly so). Protection technology is expensive to implement and incorporate into an existing business, has an (often negative) impact on the internal operations of the business (i.e. it impacts how you perform your core functions, it impacts the performance of those functions, it impacts the requirements needed to execute these functions) and is viewed primarily as a cost center (with no real, measurable return on investment at the time of installation). Thus, data protection is a defensive investment with perceived value only after security and privacy incidents have been thwarted. So, companies choose to deploy data protection technologies for the data that are of the highest value to them.
You put these factors together and you get our current state of affairs, where "cheap", "low-risk" (to them) customer data is often left unprotected because the benefit of protecting it is not worth the cost. It becomes an acceptable (and tolerable) business risk that they can rationally take. Unfortunately, I believe this perspective is flawed and will do more harm than good in the long term.
The first step in solving this issue is to have companies realize that the damage done when customer data is compromised will have significant impact on their current and future profitability.
In this environment, Security and Privacy are competitive differentiators, at least until all companies are on the same page.
I have been thinking lately about what it takes to have corporations start seriously thinking about data ownership from the point of view of the people who provide the information.
What would it take for an entity, whose business model mainly depends on the self-proclaimed rule - "we store your data, so we own your data", to give up some control (and revenue)?
The idea that the owners of the "means of production" would claim that they own "all raw material given to them" is ridiculous in any other field. However, it is acceptable in the IT industry - a discussion I will have in another blog.
Back to the main thought - How to get businesses to play fair with the people who give them data?
Last week, Gartner hinted at the possible answer and our possible future.
In their special report examining the trends in security and risk, Gartner predicted that 90 percent of organizations will have personal data in IT systems they don't own or control.
This prediction hints at a future where corporations are losing money and control of their revenue stream - data. It is only a matter of time before corporations figure out that when they provide data to other companies that provide a service to them, the service provider should share the revenue they get from using the gifting company's data.
So, I am optimistic that corporations will see the value of creating a data ownership ecosystem - as a matter of self-interest and survival.
I am sure they will market it as being for the benefit of the regular Web user.
However, I am less hopeful that the claimed benefit of this ecosystem (and revised viewpoints on data ownership) will actually reach the pocket of the ordinary Web user.
We can all agree that the data in our wallets and contained in filing cabinets in our homes are owned by us and we are well aware that there are legally-stipulated rights that apply to the use, processing and disclosure of this data.
The majority of privacy frameworks and thinking around the issues of privacy across the globe can be attributed to or traced back to the guidelines produced by the OECD (Organization for Economic Cooperation and Development).
The OECD issued a report titled "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data" (around 1980) that sought to create a comprehensive data protection system throughout Europe. This report became the foundation of the European Union's Data Protection Directive and many other pieces of privacy legislation and approaches across the world.
The OECD's report recommended that seven principles be employed for protecting personal data:
I have been thinking for the past few days about these principles, and the status quo in the technology industry.
Take for example, the principle of Purpose. The current best practice is for companies to gather lots of user data and find creative, and sometimes useful, ways to utilize this data. Typical examples include:
However, it clearly represents best practices in the IT industry today - "Collect as much user data as possible. Claim it as ours. Find ways to monetize it".
Will it ever be possible to adhere to this privacy principle when current business practice operates contrary to it? Probably not.
Will it be possible to change the current business models? I do not know.
What about the adherence to other privacy principles? Do they face a similar uphill battle?
I would love to hear your thoughts on the matter.
Dr Tyrone Grandison
Executive. Technologist. Change Agent. Computer Scientist. Data Nerd. Privacy and Security Geek.