Technology permeates every aspect of life today, creating a staggering amount of data on a daily basis. In the course of regular operations, your company is probably collecting vast quantities of information while engaging with stakeholders, from customers and suppliers to employees and shareholders.
The number of risks associated with that new reality are vast and growing. Data misuse or unintended disclosure can bring erosion of customer trust, loss of business opportunities, and reputational harm. Further complicating matters, the concerns over the sheer amount of data being amassed coupled with the frequency of breaches are also prompting a rash of regulatory activity, as states and nations rush to address data privacy concerns through legislation.
Breach Fatigue
“For a while there was a little bit of breach fatigue, where people were quasi-numb to the headlines about the data elements out there in the wild that had been breached,” Myrna Soto, a board member at CMS Energy, Spirit Airlines and Popular Inc., told directors gathered for a panel discussion sponsored by the cybersecurity advisory firm Coalfire. “But what’s happening now is our legislators and regulators are starting to look at not only what corporations are obligated to report, but their obligations regarding managing data protection and data privacy. We’re seeing very aggressive regulatory movement.”
“It seems like every week we get another news blast that a new data privacy regulation has been proposed at the local, state or country level,” agreed David Forman, vice president of privacy & international assurance at Coalfire. “More than 25 states have already proposed or passed legislation around data privacy. Most of our clients are caught in a mode right now where there’s an evolving regulatory landscape and the rules are changing on them constantly, while they also have to meet the [data] needs of sales, marketing and other internal interested parties.”
In the absence of a federal standard, complying with the pockets of varying data protection and privacy requirements popping up across the U.S. will be challenging. However, there’s also an opportunity for companies to stand out from their peers by taking proactive steps toward handling more data responsibly, notes Forman. “It’s important for consumers generally to be able to look at a company and say, ‘Hey, they’re doing things the right way. Whereas, if action is only happening when there’s a bad news cycle or an investigation by the FTC or DOJ, then that’s going to [generate] distrust toward that company and their products.”
Already, corporate leaders on privacy are emerging. Soto, who is also chief strategy and trust officer at Forcepoint, urged board members to take note of Apple’s privacy initiative to remove apps that track consumers data without their permission from its app store. “That’s important to boards because most companies have a digital presence, some type of app of their own, and we as board members should understand, what are we doing with that data?” she said. “Why are we tracking it? And probably most importantly, are we advising our consumers of what we’re doing—and making sure there is an opt in versus just an opt out? Those are brand-protection perspectives you may want to think about in the boardroom. How are we protecting the company’s brands from an unfortunate incident or deterioration of confidence?”
Directors should also be aware that data privacy protections call for consumers to be able to change their minds about the permissions they grant. “We have an obligation to make sure that if we collect data on preferences from a particular customer’s activities, the customer has the right to say, ‘I want you to forget about that,’” said Soto. “You can also put yourself in a liability situation if you don’t understand how a third-party processor of your customer data is accessing certain data elements. Those are some of the scenarios you need to think through and address when you look at data analytics.”
For many companies, the top challenges are collecting enough data to deliver a tailored experience without overstepping customers’ desired level of data privacy, managing that data responsibly and having the ability to adapt when that level changes. On the plus side, as privacy concerns continue to gain momentum, such diligent data privacy practices will pay off.
“As companies get comfortable saying, here are all the things we’re doing in security and privacy, you’ll see consumers will gravitate toward that,” said Forman. “This is a profound opportunity for reputation building going forward.”
