Last month, Edith Ramirez, Chairperson of the Federal Trade Commission (FTC), gave a speech about “big data” and the risks that companies face when they fail to protect consumer privacy. The takeaway: Any company that collects or stores personally identifiable non-public information is at risk.
Of particular interest to companies that collect and use personal information are three principles the FTC urges organizations to follow in order to minimize privacy risk. These principles are particularly timely because of the monetary and other risks businesses face when they fail to protect personal information, and because the FTC is urging Congress to enact legislation requiring a wide range of businesses to implement these safeguards.
Background: The Intersection of Big Data, Privacy Protections, and Data Security
Big data describes how large amounts of information are collected from many sources, combined, and analyzed for use in many business (and other) purposes. Big data often includes information about individuals, including non-public sensitive personal information that can identify an individual (for example, Social Security numbers, financial information, and health information). Privacy laws seek to protect the value of personal information, and to prevent the use or disclosure of personal information from harming individuals. Maintaining the privacy of personal information requires companies to use appropriate security to protect that information.
The Privacy Risks Big Data May Create For Businesses
Financial Risk: As is well-publicized, when personal information is disclosed without authorization in a data breach, companies pay dearly. According to a recent report [1], the 2012 average cost per consumer record compromised in a data breach was $189.
Almost every state now has laws requiring businesses to notify affected individuals (and sometimes governmental entities) of a data breach, and the costs of providing notification and protecting affected individuals in the wake of a breach are significant. Some states allow affected individuals to recover damages resulting from a data breach.
Regulatory Risk: As Chairwoman Ramirez notes in her speech, the FTC exercises its enforcement authority when it believes companies have failed to keep customer data confidential or to provide reasonable data security.
Reputation Risk: Use of information in a way that does not match customer expectations may negatively affect the trust and goodwill a company enjoys. A significant data breach or loss often affects a company’s bottom line for many months and years. And customer trust is difficult to recover in a competitive market.
Steps Companies Can Take to Minimize Privacy Risk and Maintain Customer Trust
Chairwoman Ramirez recommended that companies consider three principles (privacy-by-design, simplified choice, and greater transparency) to protect personal information as they incorporate more and more data into their operations:
Privacy-by-Design. As you build your business, 1) identify the personal information you collect or use; 2) consider how the use or disclosure of that information could harm individuals (and your company); and 3) determine how to protect that information.
Simplified Choice. According to the FTC, consumers are entitled to know who is collecting their data, what it will be used for, how it will be shared, and what choices they have with regard to those practices. Any choices consumers are given with respect to the collection and use of their personal information should be simple and easy to understand.
Greater Transparency. In order to build and maintain consumer trust, entities that collect, use, and share personal data must tell consumers about their information practices. As Chairwoman Ramirez put it: “[t]he time has come for businesses to move their data collection and use practices out of the shadows and into the sunlight.”
[1] 2013 Cost of Data Breach Study: United States, Ponemon Institute, May 2013.