Breach highlights need for privacy professionals' elevated role
By Angelique Carson
Data breaches should serve as a wake-up call to companies' top-level management. That's according to New York University Professors Arun Sundararajan and Vasant Dhar, who say companies that share data with third-party service providers must more seriously consider the risks of using such services and weigh them against the benefits.
Dhar, director for the Center for Digital Economy Research at the NYU Stern School of Business, and Sundararajan, associate professor of information, operations and management sciences, say that the recent Epsilon breach is an example of failure in management--not security technology. They say the breach calls into question the management choices the affected companies made when they shared customer data for marketing purposes.
"Each firm made the conscious choice to take the data that had been entrusted to them by their customer and to share it with a third party. Firms make these choices largely when thinking about returns but without sufficient attention to the risks involved," Sundararajan said.
For example, "While a customer may have clicked on 'I agree,' their intent when providing an e-mail address wasn't to be marketed to; it was to get banking services from their bank," he said. "This reflects a choice of data sharing on the part of the bank that did not factor risk into the e-mail marketing returns."
The Epsilon breach should incite CEOs to act two ways, the professors say. First, enterprise management should elevate the role of the privacy officer so that the position reports directly to the CEO. In doing this, conversations and approaches to data management should become holistic and strategic.
"Privacy management is...still at that tactical level," Sundararajan said, because firms aren't quite grasping yet the loss in customer trust that stems from data breaches. "There is a definite need for this role of managing privacy in organizations to move from the tactical to a C-suite issue by someone who reports to the CEO."
But, Tanya Forsheit, CIPP, of Information Law Group, disagrees. She says that firms, in general, are prioritizing privacy. She says she sees them placing increasing emphasis on the privacy office and that privacy officers are working with top-tier management at many companies.
"I do think that privacy and security have become a higher priority," she said. "Privacy officers are working with the highest levels at many companies, in particular in response to some of these incidents that have gotten a lot of attention."
In fact, the IAPP's 2011 salary survey found that 50 percent of top privacy leaders report either directly to the "C-level" executive or to a person one position between the privacy office and the C-level executive.
But, another recent breach could cast doubt that an elevated role for the privacy professional guarantees data protection. The U.S. Securities and Exchange Commission last week fined the president, chief compliance officer and an account representative at now-liquidated GunnAllen Financial, Inc., after the rep downloaded account holders' data to his personal thumb drive and took them to a new firm with the blessing of GunnAllen management, wrote Andrew Smith, a partner at Morrison Foerster. The chief compliance officer was fined $15,000 for failing "to ensure that the firm's policies and procedures were reasonably designed to safeguard confidential customer information," Information Week reported. In its fine, the SEC also called the firm's data privacy rules "vague."
"I think the SEC sent a very pointed message by making the compliance officer personally liable," said Jeffrey Neuburger, a partner at Proskauer in New York. "There's a very direct message saying, 'This is on your watch.' It's a point to the most senior level management of broker dealers that they should be focused on this issue."
"Firms need to be forward-looking and proactive at managing their privacy risks," NYU's Sundararajan said, adding that firms cannot rely on regulations for guidance because, at the "pace technology is progressing, there will always be new revelations or privacy traps that come up, and regulations are backward-looking and reactive."
Beyond elevating the privacy officer's role, Sundararajan and Dhar say firms should manage data in a way that evenly weighs both the returns and the risks of outsourcing data to third parties.
But it will take a massive data breach, one even greater than Epsilon's, for firms to take the action that is needed, Sundararajan predicts.
Forsheit declined to comment on the Epsilon and GunnAllen breaches specifically but said that, in general, breaches don't happen as a matter of mismanagement but rather because breaches, well, happen.
"And when they happen, they happen for a combination of reasons, a combination of sometimes a mistake or an error or an oversight internally. But often, the reason breaches happen is just because there is no such thing as perfect security," she said, adding that the fact that we're seeing more breaches "doesn't mean there's a lot of wrongdoing going on," it just means that the hackers are doing their jobs well.
NYU's Dhar said that "it's reasonable to use third parties, but that's not the main issue...Of course everyone is going to have great security. That's not what it's about. It's about the (data owning companies) telling (their service providers), 'Here are the kinds of things that are okay to do with the information. Here are the ways in which, even if stuff gets leaked out, the risk is lower.' There has to be more emphasis on things going bad, because you have to assume there will be breaches. The question is, every time something gets hacked, what do you lose? How do you lower the risk?"
Forsheit agrees with Sundararajan and Dhar that due diligence ahead of outsourcing data to third parties is critical. However, the reality on the ground is that service providers always try to put strict limits on their responsibility and liability in the event of a security breach, she said.
"These service providers usually, by contract, will refuse to take responsibility for a security breach and will often provide only a baseline level of security over information," Forsheit said. "So the choice for a data owner is either to acknowledge that those are significant risks you are undertaking when turning data over, or make a decision not to use the service provider or any other service provider."