By Angelique Carson

Data breaches should serve as a wake-up call to companies' top-level management. That's according to New York University Professors Arun Sundararajan and Vasant Dhar, who say companies that share data with third-party service providers must more seriously consider the risks of using such services and weigh them against the benefits.

Dhar, director for the Center for Digital Economy Research at the NYU Stern School of Business, and Sundararajan, associate professor of information, operations and management sciences, say that the recent Epsilon breach is an example of failure in management--not security technology. They say the breach calls into question the management choices the affected companies made when they shared customer data for marketing purposes.  

"Each firm made the conscious choice to take the data that had been entrusted to them by their customer and to share it with a third party. Firms make these choices largely when thinking about returns but without sufficient attention to the risks involved," Sundararajan said. 

For example, "While a customer may have clicked on 'I agree,' their intent when providing an e-mail address wasn't to be marketed to; it was to get banking services from their bank," he said. "This reflects a choice of data sharing on the part of the bank that did not factor risk into the e-mail marketing returns." 

The Epsilon breach should incite CEOs to act two ways, the professors say. First, enterprise management should elevate the role of the privacy officer so that the position reports directly to the CEO. In doing this, conversations and approaches to data management should become holistic and strategic.

"Privacy management is...still at that tactical level," Sundararajan said, because firms aren't quite grasping yet the loss in customer trust that stems from data breaches. "There is a definite need for this role of managing privacy in organizations to move from the tactical to a C-suite issue by someone who reports to the CEO." 

But, Tanya Forsheit, CIPP, of Information Law Group, disagrees. She says that firms, in general, are prioritizing privacy. She says she sees them placing increasing emphasis on the privacy office and that privacy officers are working with top-tier management at many companies. 

"I do think that privacy and security have become a higher priority," she said. "Privacy officers are working with the highest levels at many companies, in particular in response to some of these incidents that have gotten a lot of attention." 

In fact, the IAPP's 2011 salary survey found that 50 percent of top privacy leaders report either directly to a "C-level" executive or to someone who sits just one level below the C-level executive. 

But another recent breach could cast doubt on whether an elevated role for the privacy professional guarantees data protection. The U.S. Securities and Exchange Commission last week fined the president, chief compliance officer and an account representative at now-liquidated GunnAllen Financial, Inc., after the rep downloaded account holders' data to his personal thumb drive and took it to a new firm with the blessing of GunnAllen management, wrote Andrew Smith, a partner at Morrison Foerster. The chief compliance officer was fined $15,000 for failing "to ensure that the firm's policies and procedures were reasonably designed to safeguard confidential customer information," Information Week reported. In its fine, the SEC also called the firm's data privacy rules "vague." 

"I think the SEC sent a very pointed message by making the compliance officer personally liable," said Jeffrey Neuburger, a partner at Proskauer in New York. "There's a very direct message saying, 'This is on your watch.' It's a point to the most senior level management of broker dealers that they should be focused on this issue." 

"Firms need to be forward-looking and proactive at managing their privacy risks," NYU's Sundararajan said, adding that firms cannot rely on regulations for guidance because, at the "pace technology is progressing, there will always be new revelations or privacy traps that come up, and regulations are backward-looking and reactive." 

Beyond elevating the privacy officer's role, Sundararajan and Dhar say firms should manage data in a way that evenly weighs both the returns and the risks of outsourcing data to third parties.

But it will take a massive data breach, one even greater than Epsilon's, for firms to take the action that is needed, Sundararajan predicts. 

Forsheit declined to comment on the Epsilon and GunnAllen breaches specifically but said that, in general, breaches don't happen as a matter of mismanagement but rather because breaches, well, happen. 

"And when they happen, they happen for a combination of reasons, a combination of sometimes a mistake or an error or an oversight internally. But often, the reason breaches happen is just because there is no such thing as perfect security," she said, adding that the fact that we're seeing more breaches "doesn't mean there's a lot of wrongdoing going on," it just means that the hackers are doing their jobs well.

NYU's Dhar said that "it's reasonable to use third parties, but that's not the main issue...Of course everyone is going to have great security. That's not what it's about. It's about the (data owning companies) telling (their service providers), 'Here are the kinds of things that are okay to do with the information. Here are the ways in which, even if stuff gets leaked out, the risk is lower.' There has to be more emphasis on things going bad, because you have to assume there will be breaches. The question is, every time something gets hacked, what do you lose? How do you lower the risk?"  

Forsheit agrees with Sundararajan and Dhar that due diligence ahead of outsourcing data to third parties is critical. However, the reality on the ground is that service providers always try to put strict limits on their responsibility and liability in the event of a security breach, she said.

"These service providers usually, by contract, will refuse to take responsibility for a security breach and will often provide only a baseline level of security over information," Forsheit said. "So the choice for a data owner is either to acknowledge that those are significant risks you are undertaking when turning data over, or make a decision not to use the service provider or any other service provider."