Inside 1to1:Privacy

Privacy Blunders Foster a New Era of Accountability

June 1, 2009

By Don Peppers and Martha Rogers, Ph.D.

In the early days of mandatory data breach disclosures, which in the U.S. began in 2005, notifications followed a now predictable pattern: Organizations issued a press release expressing contrition, mailed notification letters, strategically released details on the scale of the breach, and emphasized the strides they were taking to mend and prevent.
 
What was perhaps most notable was what didn't happen: At the senior-executive level, no heads rolled. Overall, corporate accountability for lost data seemed slight, at best.
 
Lately, however, a number of episodes suggest that we may be entering a new culture of senior-level accountability--over privacy, abuses of "secrecy," and for the data-related misdeeds of subordinates. The events seem to suggest a broader cultural shift toward increased transparency and accountability for whoever's in charge, and a growing realization that when it comes to collecting data, "more is better" isn't always best.
 
The privacy buck stops where?
 
The misdeeds of subordinates in several organizations have recently led to the chief's ouster. Last month, discount supermarket chain Lidl sacked its head of German food operations, Frank-Michael Mros, after documents recovered from a dumpster showed that throughout 2008 and 2009, the company illegally collected confidential information on employees (noting such state-of-health information as "operated on for a tumor" and "wants to get pregnant").
 
In March, the head of Deutsche Bahn, Hartmut Mehdorn, resigned after revelations that the state-owned rail operator had spied on its employees. As part of an internal fraud investigation, managers accessed confidential information on hundreds of thousands of employees and illegally monitored employee e-mail.
 
That same month, a student journalist at Binghamton University found an unlocked storeroom containing boxes full of documents containing students' and parents' personal information, the third breach in less than a year. While the administration threatened to charge the reporter with trespassing, students circulated a petition to sack Terry Dylewski, the chief information security officer. Those calls were renewed after a fourth privacy breach in April.
 
In December, the Ohio Department of Job and Family Services fired its Deputy Director of Child Support for authorizing database checks on a state resident for no legitimate purpose. Two other department employees associated with the checks also no longer work with the department due to their involvement in a breach of the records of Samuel J. Wurzelbacher, better known as "Joe the Plumber."
 
Swiss bank secrecy under fire
 
Calls for accountability--and with it, transparency--are becoming the new norm, and the financial services industry is on the frontline, given the furor over bonuses for bailed-out bank executives, and President Obama's pledge to crack down on international tax havens.
 
Not even Swiss banks, legendary for their secrecy, are immune. Last year, federal authorities charged several cross-border private banking executives at UBS, Switzerland's largest bank, with helping American citizens hide an estimated $20 billion in offshore accounts. That, plus the recent threat of indictment for all of the bank's executives, saw UBS, the largest bank in Switzerland, recently admit to defrauding the IRS. The bank agreed to pay a $780 million fine and release the names of American accountholders.
 
Parliament expenses scandal
 
Perhaps the lesson is this: With notions of transparency and accountability on the rise, companies hide behind secrecy laws at their peril. In the UK, members of Parliament (MPs) learned that the hard way, after details of their expenses revealed that many had abused the system to pay for things not related to their duties as an MP, such as moat cleaning and tennis court repairs. The expenses, which the Labor majority in Parliament battled for five years to keep private, came to light after courts upheld a journalist's right to obtain the information under Britain's relatively new Freedom of Information Act.
 
The irony of MPs who abused and hid their expenses--during a recession, no less--while pushing a national ID card, building a network of millions of CCTV cameras, and regularly losing large amounts of sensitive or classified data has brought British voters to the boiling point. The government and even forms of representational government are facing their biggest shakeup in more than 100 years, with citizens demanding further transparency and accountability, including proportional representation.
 
Life after "keep everything"
 
Interestingly, resistance is also growing to the UK government's "collect and keep everything" approach to data. One recent study branded the country as a "database state," and estimated that 25 percent of all government databases contained illegal information and should be scrapped. Likewise, courts recently ruled that the UK police practice of photographing everyone who attends a demonstration violated people's liberty, and instructed police to cease such practices and purge all such images from their databases.
 
The UK offers an insightful case study: If a society has gone to the brink of the "more is better" approach to collecting and retaining private data, while demanding little accountability from those in power, what happens next?
 
In fact, the outgoing UK Information Commissioner Richard Thomas recently predicted that collecting less personal information will become the new norm, to better balance security and liberty when government agencies collect and share data to do everything from spotting child abuse to discovering potential terrorists. "If you're looking for a needle in a haystack, it does not make sense to make the haystack bigger," he said.  
 
Collect data, but collect it smarter, and retain only what you need? And know that your job is on the line if improper data gets collected, abused, or lost, or if people's rights get trampled?
 
Those are words to live by in what is arguably our new culture of accountability.

Don't shoot the messenger. Make him accountable.
Or not?


Who should be accountable for privacy breaches, and how accountable should they be?
 
In Italy, four current and former Google executives, including its global privacy officer, are under indictment because of the 2006 posting of a three-minute video to the Italian version of YouTube showing a boy with Down syndrome being bullied by peers.
 
Google did not create or post the video, but owns the site that housed the offensive content. And although Google quickly removed the video when alerted to its presence two months after it was posted, a Milan prosecutor has argued that the company broke privacy laws and should be held responsible for the content on its site.
 
Italians close to the case have admitted that the proceedings are less about sending the Google executives to jail (the maximum sentence for the charges at hand is three years' incarceration), and more about testing the interpretation and application of the country's data protection laws and opening a dialogue about who should be held accountable for data uploaded to content-hosting sites.