Duty to Protect Privacy: Too Much Hype?

Published on July 9, 2015

Much of the hysteria conflates two types of data breaches:

  1. Breach by mistake.
  2. Breach by design.

Many companies design their data management processes to intentionally share data with other entities, for reasons ranging from profit to self-interested trades.

For example, a cell phone carrier might sell its customers' data to a litany of highest-bidding marketers.

But that's different than the same cell phone carrier weakly complying with non-mandated requests from state or federal agencies to share customer data. Many times, this latter type of "trade" is a ploy to ease the regulatory scrutiny those agencies might otherwise subject that carrier to, regarding issues entirely unrelated to data. T-Mobile, as a hypothetical example, might think, "I hope regulators don't come after us for falsely advertising device contracts as no contracts. So just in case, to stay on their good side, we'll make some other investigation they're conducting easier by completely rolling over and giving up any customer data they desire."

While consumers don't always agree on what should be considered "private data," people generally don't like to feel taken advantage of--and when news breaks of yet another big company that, too busy with other projects, has not paid close enough attention to protecting its customers' data, something just strikes us as fishy, at worst, or misguided, at best.

In his recent post, "Is Your Competition Hacking You?," Nodal founder and CEO, Marcus Eagan, writes:

...the problems with just about every organization. Your own users, you even, are your greatest threat to your system. The only way to prevent the attacks that have happened implies that the organization needs to play a bit of offense to assess its own defenses.

Luckily, the recent media hype cannot all be simply distilled down to "hysteria." So I don't think I'm guilty of bandwagon-gossip here. There have been some interesting regulatory fines levied, like AT&T's $25 million fine from the FCC for a privacy breach.

The question is...

What expectation is the company setting--whether implicit or explicit--at the outset, regarding the degree to which they'll protect data? And quite simply, has the company met that expectation in the eyes of consumers?

Data breaches garner headlines with the same fury as any other big company blunder that affects millions of consumers at a time. But what makes data breaches unique is the fear attendant to not knowing who has harmed you, how, and why, combined with the convenience of holding the conduit company (i.e. AT&T) accountable, since you don't yet know who's really to blame.

I don't know who stole my baby. So in the meantime, I'll just blame the babysitter.