Corporate Institutionalization of Privacy in the US by 2016

While talking to the endless trickle of people visiting the IAPP booth at RSA last week, I was able to confirm my belief that corporate attitudes towards privacy are changing—it’s just that they are changing slowly. This week, while at the Global Privacy Summit, I thought I would ask those with far more knowledge and experience in privacy than I have what, if anything, they thought it would take for the slow changes in corporate awareness of privacy to gain momentum.

I fielded a number of different opinions, but most agreed that while there has been a shift in attitudes towards privacy, it has been slow, and almost universally I was told that for a real momentum ramp-up in the US, companies will require a reason to care.

In other words, it has to hit the company’s bottom line. That could be in the form of a fine or the loss of customers, but it has to cost something significant. Given that near-universal agreement, I thought it might be fun to play prescient and describe how and when I think privacy will become a corporate institution, much the same way that information security embedded itself at the C-level in the last decade.

A quick note: Europe, parts of Asia and Latin America are much more advanced on privacy issues than the US, and the new EU regulations recently proposed (setting the high bar for the rest of the world) will likely be in full force in the next couple of years. Given that, there is no need to predict a privacy movement elsewhere, so I’m going to stay firmly US-centric.

The Present Day - The Ubiquitous Privacy Policy

We live in a litigious society, and corporations have learned to effectively mitigate the legal risks society has thrust upon them. In the area of privacy this is nowhere more apparent than in the ubiquitous privacy policy. These policies might not have much enforceability, nor are they a useful tool for users to understand what happens to their personal data, but any site of any modest level of consumer interest has one linked in the footer of every page. This is, in some sense, ironic, since US law pretty much gives most companies free rein to collect and use data as they wish unless they state otherwise in something like a privacy policy.

Even though everyone has a policy, I don’t think anyone bothers to read them and, by all accounts, most people don’t care whether they’re present at all. All the policy provides at this stage of our “privacy evolution” is some modest legal protection, and frankly, we shouldn’t expect anything more than this minimal effort from most companies.

A smart organization will only do what everyone else does and no more. They may talk about privacy being important, or a core value, etc., but they’ll only do the absolute minimum required. That’s because doing the minimum is what makes the most economic sense. Why would a company go above and beyond the minimum when it doesn’t bring any incremental revenue? Of course they wouldn’t–it’s an unnecessary expense and their investors wouldn’t stand for it.

An argument could be made that really smart companies are leaders, not followers, and that those that set a precedent of respect for their customers’ privacy will enjoy the explosion of users who opt out of selling themselves when the public wakes up. Having said that, I do recognize that the stereotypical elite-school MBA will shake his head as he immediately dismisses me for my naiveté. Naive or not, leaders lead and followers just follow, and if you believe in my predictions as I lay them out below, I would argue the time to lead with privacy is now. But I’m getting off track, and didactic as well.

If privacy policies are all we’re going to get in the current climate, what market forces will encourage even the MBA to take privacy more seriously?

The Years 2012-2013 - The Media Hype Cycle

The next phase kicks off with the media taking up the issue. Currently institutions such as The New York Times and Forbes will occasionally do a serious piece on privacy, and the tech journals enjoy getting in a lather over various privacy violations, but these stories come and go quickly. However, each successive story seems to gain a bit more attention than the last, the public’s reactions are a little sharper, and the stories tend to hang around a bit longer.

These stories help move the public’s attention to the issue, but it’s only enough to maintain the slow momentum we already experience. The real kick-start will be something big. Something that CNN will feature and that Oprah will get behind (is she still on TV?). Someone is going to unfairly suffer serious financial harm and go public with it, or someone will go missing due to a privacy violation.

Imagine the story of a small business owner who loses his business because the bank won’t lend him any money. We find out that the bank used a mistaken identity on Facebook to come to the false conclusion that he was living a double life as a drug dealer. Or maybe a teenage girl goes missing because a local political committee posted some private electronic messages that rankled a radical member of the political party.

Note: If you have 20 minutes you should read Cory Doctorow’s Scroogled for an example of a frightening future that would send Oprah’s blood boiling.

That kind of human-interest story, especially if there is a sad backstory, will get the waters churning and remain in the public’s attention for a much longer time than news such as the recent CarrierIQ or Path stories. The media loves a personal drama, and the public is voyeuristic by nature. The right story will shift our culture’s perception of privacy.

When a story like that breaks, and a larger slice of the public gets emotionally involved, politicians start to respond.

The Year 2013 - Legislative Reforms

The Privacy Bill of Rights recently announced by President Obama is primarily an effort to lay out a framework for industries to create self-regulatory privacy guidelines, but it also gives the FTC some ability to enforce those regulations. It’s not much, and it doesn’t have any real teeth, but it is something. Despite this recent move by the President, the US is widely considered to have some of the weakest governmental privacy protections in the developed world. Europeans consider privacy a human right; here in the US we act more libertarian and expect the market to take care of itself.

That said, the government will step in when the markets fail in a public way. When billions of dollars were lost in the wake of the Enron and WorldCom scandals, politicians immediately stood up and took notice. This type of watershed event is what politicians live for. It’s their chance to swoop in, enact legislative reforms and announce that we’re all safe. Case in point: the Enron and WorldCom events in part led to the creation of Sarbanes-Oxley (SOX).

By 2004, when SOX came into full force, entire industries around technical, legal and accounting services had blossomed to handle the business of SOX compliance. The average cost of compliance that year was $4.36 million per company.

Around the same time frame we were experiencing more frequent loss and misuse of medical records–arguably the most sensitive personal information we have. Once again, politicians to the rescue. This time it was HIPAA (which actually preceded SOX), and once again, when compliance was in full swing, the average cost exceeded $3 million per company.

Credit card fraud is another example of something effecting massive change due to regulatory reform, although this case is slightly different from those above. PCI-DSS came out of industry self-regulation, but the end result was the same: in 2007 the average company spent $2.7 million to become PCI compliant.

These numbers are staggering, and when reform starts to cost that kind of money, the board room takes notice. While the cost of compliance is high, the cost of non-compliance can be greater (in both fiscal and reputational terms). Even though corporations spent millions to be compliant with SOX, HIPAA and PCI, that doesn’t eliminate all of the risk, it only minimizes it, and there is no guarantee they won’t be fined or sued for something they overlooked.

This is where insurance companies and auditors step in to help. Wherever there is a risk, CEOs want to either minimize or transfer that liability, and they will pay handsomely to do so.

The Years 2014-2015 - Insurance and Auditors

This is the final step in the institutionalization of privacy. Once the insurance companies start accepting the risk of non-compliance they will insist on checks and balances. These appear in the form of audits.

As HIPAA, SOX and PCI came into full force, entire businesses around audit and compliance were born. Companies large and small pay significantly for these services, and many results are backed by liability insurance.

When the privacy laws and regulations go into full effect, we will see the same businesses expand into this realm as well as new ones appear, and with that the circle will be complete.

The Year is 2016 - The Circle is Complete

This is the story of how privacy is going to “all of a sudden” establish itself in our corporate consciousness. It will start with a big news story, or a series of news stories, that captivates the public’s attention. That attention will manifest itself as legislation that provides some real teeth in the form of heavy fines for failure to comply. The risk of those fines will give birth to insurance options and auditors to transfer the liability. The costs here will be real, and the audits insisted on by insurance companies will ensure that privacy professionals are well established and highly visible at all levels of the corporate hierarchy.
