Thursday, September 07, 2006

The Rationale for Privacy Regulation

A recent post focused on Congressional efforts to amend the privacy laws in the United States. Today I saw a piece in CIO Insight by Jeffrey Rothfeder discussing the fact that companies have no economic incentive to abide by their own privacy policies.

CEOs and other executives may be neglecting privacy safeguards and rigid privacy policies because the cost of failing to protect data is not as high as is commonly believed. It is de rigueur for chief executives to publicly state that protecting customer data is critical, because trust is an essential part of the relationship businesses have with consumers. Yet a closer look at the price of an actual breach reveals that, while not insignificant, it can be relatively minimal. In a recent study of 14 lost-data incidents, encryption company PGP Corp. found that the average opportunity cost of a data breach, measured by the "loss of existing customers and the increased difficulty in recruiting new customers" was about $75 per lost customer record. For typical successful retailers or financial services firms with billions in annual earnings, that represents an acceptable hit to the bottom line.

Moreover, in most cases, companies can easily avoid legal penalties for a data breach. There are nearly three dozen state laws that require companies to notify consumers if their private information has been leaked and a risk of identity theft exists. As long as these procedures are followed, companies are free from criminal liability for the leak itself.

"While there's a general sense that it's embarrassing to be involved in a data breach, and it is true that a breach doesn't do anything for your reputation as a trusted business, privacy is a business decision that ultimately comes down to a risk calculation. And many companies believe—wrongfully, from my perspective—that the price of data loss simply isn't high enough," says Gary Lynch, business continuity management practice leader at Marsh Risk Consulting, a division of New York City-based Marsh Inc.

Most executives don't like to think of it this way, but, so far, companies have created strong privacy policies only when forced to by federal legislation with very specific data-protection provisions. |CIO Insight|
This provides an excellent example of why corporate self-regulation on privacy protection has failed and underscores the need for a regulatory approach to privacy that involves systemic oversight and real penalties.

Personally, I like the approach taken by the Canadians who have an Information and Privacy Commissioner federally and one in every province (although Alberta did defund their privacy commissioner for a while).

No comments: