Companies must not forfeit privacy in march of technology

Businesses need to take steps to recognize and protect stored data as a valuable asset


It’s truly amazing that we need pay no subscription fee to use Web mail or Web search, nor to participate on Facebook or Twitter or partake of countless other social media websites and Web apps.

But make no mistake, these empowering online services are not truly free.

The price you pay is your personal privacy. Every move you make online is routinely logged, stored and data-mined by companies aggressively seeking to profit from profiling individual Web users.

Meanwhile, the definition of personal privacy—namely, the right to be left alone that was shaped and widely honored before the arrival of the Internet—has been dismantled in our Internet-centric society.

Michelle Dennedy, Cisco chief privacy officer

ThirdCertainty recently sat down with Michelle Dennedy, chief privacy officer at Cisco, to discuss the wider context and go-forward implications. (Text edited for clarity and length.)

3C: Are businesses taking too much advantage of the absence of online privacy?

Dennedy: We have not come to a common cultural definition, and certainly not a common financial definition, of privacy. When I say privacy what I mean is the authorized processing of personalized information according to fair principles. Now wrapped in that functional definition are all kinds of opinions and biases. So the right to be left alone is part of authorizing how information about you is stored and processed. And the commercial aspect of that has to do with who owns what data.

3C: Aren’t those lines blurred?

Dennedy: They’re more and more opaque to the individual. You don’t know who has access to information about you, who has made observations about you, or who is making statements that may impact you. Today it’s coming full circle. We’re starting to talk about what organizations need to do to prepare themselves for increasing demands in a multicultural world where people want to be assured that their data is being treated with respect.

3C: From the corporate perspective, what are some myths about online privacy that need to be addressed?

Dennedy: We think that because it’s cheap to buy the hardware to store information, and the processing power is exponentially cheaper than it once was, and we’re all carrying super computers in our pockets, that we can just grab information really quickly. We’ve devalued data and made it feel like it might be fast food. But the reality is, data is nourishment for our businesses.

And so if our businesses take the view that information is cheap, easy and worthless, they’ll treat information about their employees and customers as cheap, easy and worthless. And then you start to see cataclysmic levels of breaches because we’re not curating our information and treating it as if it’s an asset that’s worthy of curation.

3C: Cybercriminals have certainly figured out the value of stored data.

Dennedy: I love the word value. We as individuals believe in determining our own reputation, our own life story. But we also value building sustainable companies that have enough cash currency, as well as informational currency, to grow. … As we build out the Internet of Things, we should also think about building the Internet of Experiences. But you can’t build an Internet of Experiences unless you really build in privacy protections.

3C: Right now there are a lot of creepy experiences. Why do I need to turn over virtually everything on my phone to use an app to tune my ukulele?

Dennedy: So let’s take that ukulele app. It may be that by downloading all of your contacts, that app developer has a slightly higher chance of getting to a couple more people who happen to play the ukulele—if they pinged all of your contacts.

However, it’s inefficient and wasteful for them to probably creep out all of your friends when they do that. And what they’ve done is acquired more risks. If they were to lose your contacts, they’re going to have to pay for breach repair, and they’re going to have to deal with bad press.

And why do they need all of your data in the first place? The answer is, they don’t. Maybe they want stickiness for their app, or they want to resell their customers, who are devoted ukulele fans, to a larger company. They need to think through what they really want to know about you and how to get what they need in a way that delights the customer. Maybe do a survey.

3C: So business models built around users making informed choices about use of their personal data?

Dennedy: Owning and curating data is going to start being recognized as being expensive again. We’ve seen a lot of activity coming out of Europe. The Safe Harbor decision alone has really thrown the world into an uproar. And here in the U.S., having a misstep in privacy is no longer a small offense. If you mess up and the FTC catches you, that can cost you millions of dollars over 20 years.

Also the requirements to recover after a major breach are becoming prohibitively expensive. The notion once was ‘Data is cheap, we don’t really know what it’s for yet, but we might use it later, so we’ll store it as an uncurated asset.’

On a balance sheet, an uncurated asset is known as a liability. By its very nature you are not in control of an uncurated asset. We’re going to start to see more companies wake up and recognize that an uncurated asset equals a liability, while a curated asset equals opportunity.
