IAPP-GDPR Web Banners-300x250-FINAL

By Don Peppers and Martha Rogers, Ph.D.

In the early days of mandatory data breach disclosures, which in the U.S. began in 2005, notifications followed a now predictable pattern: Organizations issued a press release expressing contrition, mailed notification letters, strategically released details on the scale of the breach, and emphasized the strides they were taking to mend and prevent.
What was perhaps most notable was what didn't happen: At the senior-executive level, no heads rolled. Overall, corporate accountability for lost data seemed slight, at best.
Lately, however, a number of episodes suggest that we may be entering a new culture of senior-level accountability--over privacy, abuses of "secrecy," and for the data-related misdeeds of subordinates. The events seem to suggest a broader cultural shift toward increased transparency and accountability for whoever's in charge, and a growing realization that when it comes to collecting data, "more is better" isn't always best.
The privacy buck stops where?
The misdeeds of subordinates in several organizations have recently led to the chief's ouster. Last month, discount supermarket chain Lidl sacked its head of German food operations, Frank-Michael Mros, after documents recovered from a dumpster showed that throughout 2008 and 2009, the company illegally collected confidential information on employees (noting such state-of-health information as "operated on for a tumor" and "wants to get pregnant").
In March, the head of Deutsche Bahn, Hartmut Mehdorn, resigned after revelations that the state-owned rail operator had spied on its employees. As part of an internal fraud investigation, managers accessed confidential information on hundreds of thousands of employees and illegally monitored employee e-mail.
That same month, a student journalist at Binghamton University found an unlocked storeroom containing boxes full of documents containing students' and parents' personal information, the third breach in less than a year. While the administration threatened to charge the reporter with trespassing, students circulated a petition to sack Terry Dylewski, the chief information security officer. Those calls were renewed after a fourth privacy breach in April.
In December, the Ohio Department of Job and Family Services fired its Deputy Director of Child Support for authorizing database checks on a state resident for no legitimate purpose. Two other department employees associated with the checks also no longer work with the department due to their involvement in a breach of the records of Samuel J. Wurzelbacher, better known as "Joe the Plumber."
Swiss bank secrecy under fire
Calls for accountability--and with it, transparency--are becoming the new norm, and the financial services industry is on the frontline, given the furor over bonuses for bailed-out bank executives, and President Obama's pledge to crack down on international tax havens.
Not even Swiss banks, legendary for their secrecy, are immune. Last year, federal authorities charged several cross-border private banking executives at UBS, Switzerland's largest bank, with helping American citizens hide an estimated $20 billion in offshore accounts. That, plus the recent threat of indictment for all of the bank's executives, saw UBS, the largest bank in Switzerland, recently admit to defrauding the IRS. The bank agreed to pay a $780 million fine and release the names of American accountholders.
Parliament expenses scandal
Perhaps the lesson is this: With notions of transparency and accountability on the rise, companies hide behind secrecy laws at their peril. In the UK, members of Parliament (MPs) learned that the hard way, after details of their expenses revealed that many had abused the system to pay for things not related to their duties as an MP, such as moat cleaning and tennis court repairs. The expenses, which the Labor majority in Parliament battled for five years to keep private, came to light after courts upheld a journalist's right to obtain the information under Britain's relatively new Freedom of Information Act.
The irony of MPs who abused and hid their expenses--during a recession, no less--while pushing a national ID card, building a network of millions of CCTV cameras, and regularly losing large amounts of sensitive or classified data has brought British voters to the boiling point. The government and even forms of representational government are facing their biggest shakeup in more than 100 years, with citizens demanding further transparency and accountability, including proportional representation.
Life after "keep everything"
Interestingly, resistance is also growing to the UK government's "collect and keep everything" approach to data. One recent study branded the country as a "database state," and estimated that 25 percent of all government databases contained illegal information and should be scrapped. Likewise, courts recently ruled that the UK police practice of photographing everyone who attends a demonstration violated people's liberty, and instructed police to cease such practices and purge all such images from their databases.
The UK offers an insightful case study: If a society has gone to the brink of the "more is better" approach to collecting and retaining private data, while demanding little accountability from those in power, what happens next?
In fact, the outgoing UK Information Commissioner Richard Thomas recently predicted that collecting less personal information will become the new norm, to better balance security and liberty when government agencies collect and share data to do everything from spotting child abuse to discovering potential terrorists. "If you're looking for a needle in a haystack, it does not make sense to make the haystack bigger," he said.  
Collect data, but collect it smarter, and retain only what you need? And know that your job is on the line if improper data gets collected, abused, or lost, or if people's rights get trampled?
Those are words to live by in what is arguably our new culture of accountability.

Don't shoot the messenger. Make him accountable.
Or not?

Who should be accountable for privacy breaches, and how accountable should they be?
In Italy, four current and former Google executives, including its global privacy officer, are under indictment because of the 2006 posting of a three-minute video to the Italian version of YouTube showing a boy with Down syndrome being bullied by peers.
Google did not create or post the video, but owns the site that housed the offensive content. And although Google quickly removed the video when alerted to its presence two months after it was posted, a Milan prosecutor has argued that the company broke privacy laws and should be held responsible for the content on its site.
Italians close to the case have admitted that the proceedings are less about sending the Google executives to jail (the maximum sentence for the charges at hand is three years' incarceration), and more about testing the interpretation and application of the country's data protection laws and opening a dialogue about who should be held accountable for data uploaded to content-hosting sites.


If you want to comment on this post, you need to login.


Related Posts


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»