Despite missteps in protecting customer information, companies have largely escaped the wrath of consumers.
A year ago, TJX announced that its processing systems had been compromised, leading to the theft of more than 94 million credit- and debit-card accounts. The theft brought the issue of privacy out of the civil-liberties ghetto and into mainstream political news, but TJX has managed to settle with consumers and banks, keeping its costs in dealing with the breach to less than $156 million.
In an equally stunning incident, Britain's Chancellor of the Exchequer announced that the United Kingdom's tax agency, HM Revenue and Customs (HMRC), had lost two CDs sent through the mail containing the personal details of 25 million people, a loss that led to the resignation of the agency's chairman. Notably, this occurred after the intended recipient had asked for a reduced, anonymized extract of the data; HMRC ignored the request and sent the complete records, including names, addresses and banking details, anyway.
These incidents highlight a basic problem: the demand for privacy has lagged behind the rate at which data has been collected.
Businesses should ready themselves for the coming privacy backlash. Customers won't stage a rebellion in the grocery store aisles, with people refusing to show I.D. or give personal information to clerks, and there will be no sudden run on pre-paid mobile phones. The privacy backlash will be subtle and broad, signaled by slowing growth in sign-ups for rewards programs and social networking sites, fewer small charitable donations, and declining uptake of other services that trade in customer information. Without assurance that they are safe from future annoyance, these lost clients will form a substantial, unreachable market: a long tail of people who declined to surrender their personal information.
Given the size of existing personal information databases, even a gradual change in people's attitude towards privacy may have profound economic consequences. Unhelpfully, each shocking breach increases the demand for privacy expertise, and with new regulations as a multiplier, a privacy skills deficit may become an expensive crisis before business can adapt.
Fortunately, companies interested in stemming the bleeding of consumer trust can look to the health sector, which has already set some good precedents for managing data.
A Pound of Cure
The ultimate example of the need for privacy is health information. For health services to work, people must feel assured that they can share personal information with their doctors, nurses and support staff without worrying that it might be disclosed inappropriately.
In contrast to the civil libertarians versus government spooks debate in the U.S., in Canada the nation's vaunted health care system has been the focus of the debate on privacy. Broad privacy legislation exists at the federal level (the Privacy Act, PIPEDA) and in the provinces (for example Ontario's FIPPA), but most of the details have been left to the provinces to sort out for themselves. It is in this provincial health care legislation that privacy is defined as a set of roles and obligations for the custodians and agents who process health information. The security implication is that there are legal consequences for organizations that process private information and lack security controls.
The provincial health information privacy legislation in Ontario (PHIPA, 2004) has driven an entirely new privacy sector to support the controls it requires for protecting health information. Since good privacy controls have not (generally) permeated business sectors that are not obligated by law to implement them, other sectors may find it worth looking to health care for methods of managing privacy risk, as it is here that the most mature privacy programs have been developed.
Healthcare's privacy practices will be sorely tested in the future. In case last year's breaches were not sufficiently terrifying, Google Health and Microsoft's HealthVault services plan to store users' personal health information, directly or indirectly, and provide a platform for sharing it with doctors and other health care service providers. While electronic health records can improve the quality of care and enable the expansion of health care, the security and privacy implications of these services have some major "unknown unknowns".
Consent, Consent, Consent
The major issue in particular is the concept of consent. In privacy circles, the quality of privacy centers on consent. It is acquired from the person whom the information is about and tagged to their information throughout its life-cycle, like a security token or a magic cookie: every use of the record is checked against it. If a client withdraws their consent to share their information, their personal information can be flagged not-shareable, forever.
Clearly, adding this kind of metadata to customer records alters the architecture of applications in difficult ways. But a traditional security control such as a firewall, encryption or another infrastructure-layer feature decides only who can reach the data, not what the data may be used for; it will not protect privacy the way that integrating consent into the business logic of the application can. Consent is being tracked and managed in healthcare, and there is no technical reason why it can't be done elsewhere.
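The consent life-cycle described above, as an added example that is not code from the original article: a consent marker rides along with each record, every read out of the store is checked against it and logged, withdrawal flags the record not-shareable with no way back, and the core service still works for a client who declines all sharing. It also drops submitted fields the service does not need and stamps each record with a retention deadline, going a step beyond this paragraph into the minimization and retention points made later on the page. The purposes, required fields, retention period and sample clients are all hypothetical.

```python
"""Consent-tagged personal records (added illustration; hypothetical names throughout)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

SERVICE = "service"   # using data only to deliver what the client asked for


class ConsentError(Exception):
    """An operation would use personal data outside the consent attached to it."""


@dataclass
class Consent:
    purposes: set = field(default_factory=set)   # sharing purposes the client agreed to
    withdrawn: bool = False                      # once set, sharing is off for good

    def permits(self, purpose: str) -> bool:
        if purpose == SERVICE:        # delivering the service never depends on sharing consent
            return True
        return not self.withdrawn and purpose in self.purposes


@dataclass
class Record:
    client_id: str
    fields: dict          # only what the service needs, never the raw submission
    consent: Consent      # the "magic cookie" that travels with the data
    retain_until: date    # retention decided at collection time


class ConsentStore:
    REQUIRED = ("name", "email")           # hypothetical minimum the service needs
    RETENTION = timedelta(days=365 * 7)    # hypothetical retention period

    def __init__(self, today: date):
        self.today = today
        self._records = {}
        self.audit = []                    # (client_id, action, purpose, outcome)

    def collect(self, client_id, submitted: dict, share_purposes=()):
        missing = [f for f in self.REQUIRED if f not in submitted]
        if missing:
            raise ValueError(f"cannot deliver service without {missing}")
        kept = {k: submitted[k] for k in self.REQUIRED}   # minimization: the rest is discarded
        self._records[client_id] = Record(client_id, kept, Consent(set(share_purposes)),
                                          retain_until=self.today + self.RETENTION)
        self.audit.append((client_id, "collect", None, "stored"))

    def use(self, client_id, purpose):
        """The only way data leaves the store; every read is checked and logged."""
        rec = self._records[client_id]
        if rec.retain_until < self.today:
            raise ConsentError("retention period elapsed; record should have been purged")
        if not rec.consent.permits(purpose):
            self.audit.append((client_id, "use", purpose, "denied"))
            raise ConsentError(f"no consent for {purpose!r}")
        self.audit.append((client_id, "use", purpose, "allowed"))
        return dict(rec.fields)

    def withdraw_sharing(self, client_id):
        """Flag the record not-shareable. There is deliberately no method that unsets it."""
        self._records[client_id].consent.withdrawn = True
        self.audit.append((client_id, "withdraw", None, "flagged"))

    def grant(self, client_id, purpose):
        consent = self._records[client_id].consent
        if consent.withdrawn:
            raise ConsentError("consent was withdrawn; record stays not-shareable")
        consent.purposes.add(purpose)

    def purge_expired(self):
        """Enforce the retention plan instead of keeping records 'just in case'."""
        expired = [cid for cid, r in self._records.items() if r.retain_until < self.today]
        for cid in expired:
            del self._records[cid]
            self.audit.append((cid, "purge", None, "deleted"))
        return expired


def demo(today=date(2008, 1, 15)):
    """Hypothetical walk-through; returns each outcome so it can be checked."""
    store = ConsentStore(today)
    store.collect("alice", {"name": "Alice", "email": "a@example.com", "ssn": "000-00-0000"},
                  share_purposes={"partner_marketing"})   # alice allows one sharing purpose
    store.collect("bob", {"name": "Bob", "email": "b@example.com"})   # bob declines all sharing
    out = {"junk_dropped": "ssn" not in store.use("alice", SERVICE),
           "bob_served": store.use("bob", SERVICE)["name"] == "Bob",
           "alice_shared_before": store.use("alice", "partner_marketing")["email"]}
    for key, action in (("bob_shared", lambda: store.use("bob", "partner_marketing")),
                        ("alice_shared_after", lambda: (store.withdraw_sharing("alice"),
                                                        store.use("alice", "partner_marketing"))),
                        ("regrant", lambda: store.grant("alice", "partner_marketing"))):
        try:
            action()
            out[key] = True
        except ConsentError:
            out[key] = False
    out["alice_still_served"] = store.use("alice", SERVICE)["name"] == "Alice"
    store.today = today + ConsentStore.RETENTION + timedelta(days=1)
    out["purged"] = sorted(store.purge_expired())
    return out
```

The design choice worth noting is that `use()` is the only read path and takes a purpose, so the consent check cannot be bypassed by a report or export that "just reads the table"; likewise `withdraw_sharing()` has no inverse, which is what "flagged not-shareable, forever" means in code.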
The confluence of changing attitudes towards privacy and the staggering rate at which personal data is accumulating creates a looming multi-industry risk that needs to be managed. A subset of privacy principles from health provides a good start:
- Explicitly acquire and track the consent to use the personal information of each client, and still deliver service if they decline to allow you to share it.
- Understand the risk that changing attitudes towards privacy may have on your business and systems; then conduct a privacy impact assessment on each system.
- Reduce the amount of personal information you collect and share to that which is absolutely necessary to deliver a service. The remaining data will be much more reliable if people are truthful instead of adding junk to protect themselves.
If security staff can take a lesson from the handling of personal health information, it is to treat personal information as if it were radioactive waste: have a plan for how long you are going to store it, because it will still be a risk decades from now. Finally, any system that processes it must be secure, isolated and adequately scrubbed to prevent leaks that would be harmful to your customers, to your business and to consumer confidence in your sector.
It is becoming clear to consumers that little of this data is used in their direct interest. Beyond worst-case scenarios such as identity theft and the pervasive, low-level anxiety of a panopticon, personal information databases are tremendously valuable, and with that value comes a risk that, until very recently, has been ignored.