OneTrust_Square Banner_300x250_DD_ROS_01_19

By Angelique Carson

Data breaches should serve as a wake-up call to companies' top-level management. That's according to New York University Professors Arun Sundararajan and Vasant Dhar, who say companies that share data with third-party service providers must more seriously consider the risks of using such services and weigh them against the benefits.

Dhar, director for the Center for Digital Economy Research at the NYU Stern School of Business, and Sundararajan, associate professor of information, operations and management sciences, say that the recent Epsilon breach is an example of failure in management--not security technology. They say the breach calls into question the management choices the affected companies made when they shared customer data for marketing purposes.  

"Each firm made the conscious choice to take the data that had been entrusted to them by their customer and to share it with a third party. Firms make these choices largely when thinking about returns but without sufficient attention to the risks involved," Sundararajan said. 

For example, "While a customer may have clicked on 'I agree,' their intent when providing an e-mail address wasn't to be marketed to; it was to get banking services from their bank," he said. "This reflects a choice of data sharing on the part of the bank that did not factor risk into the e-mail marketing returns." 

The Epsilon breach should incite CEOs to act two ways, the professors say. First, enterprise management should elevate the role of the privacy officer so that the position reports directly to the CEO. In doing this, conversations and approaches to data management should become holistic and strategic.

"Privacy management is...still at that tactical level," Sundararajan said, because firms aren't quite grasping yet the loss in customer trust that stems from data breaches. "There is a definite need for this role of managing privacy in organizations to move from the tactical to a C-suite issue by someone who reports to the CEO." 

But, Tanya Forsheit, CIPP, of Information Law Group, disagrees. She says that firms, in general, are prioritizing privacy. She says she sees them placing increasing emphasis on the privacy office and that privacy officers are working with top-tier management at many companies. 

"I do think that privacy and security have become a higher priority," she said. "Privacy officers are working with the highest levels at many companies, in particular in response to some of these incidents that have gotten a lot of attention." 

In fact, the IAPP's 2011 salary survey found that 50 percent of top privacy leaders report either directly to the "C-level" executive or to a person one position between the privacy office and the C-level executive. 

But, another recent breach could cast doubt that an elevated role for the privacy professional guarantees data protection. The U.S. Securities and Exchange Commission last week fined the president, chief compliance officer and an account representative at now-liquidated GunnAllen Financial, Inc., after the rep downloaded account holders' data to his personal thumb drive and took them to a new firm with the blessing of GunnAllen management, wrote Andrew Smith, a partner at Morrison Foerster. The chief compliance officer was fined $15,000 for failing "to ensure that the firm's policies and procedures were reasonably designed to safeguard confidential customer information," Information Week reported. In its fine, the SEC also called the firm's data privacy rules "vague." 

"I think the SEC sent a very pointed message by making the compliance officer personally liable," said Jeffrey Neuburger, a partner at Proskauer in New York. "There's a very direct message saying, 'This is on your watch.' It's a point to the most senior level management of broker dealers that they should be focused on this issue." 

"Firms need to be forward-looking and proactive at managing their privacy risks," NYU's Sundararajan said, adding that firms cannot rely on regulations for guidance because, at the "pace technology is progressing, there will always be new revelations or privacy traps that come up, and regulations are backward-looking and reactive." 

Beyond elevating the privacy officer's role, Sundararajan and Dhar say firms should manage data in a way that evenly weighs both the returns and the risks of outsourcing data to third parties.

But it will take a massive data breach, one even greater than Epsilon's, for firms to take the action that is needed, Sundararajan predicts. 

Forsheit declined to comment on the Epsilon and GunnAllen breaches specifically but said that, in general, breaches don't happen as a matter of mismanagement but rather because breaches, well, happen. 

"And when they happen, they happen for a combination of reasons, a combination of sometimes a mistake or an error or an oversight internally. But often, the reason breaches happen is just because there is no such thing as perfect security," she said, adding that the fact that we're seeing more breaches "doesn't mean there's a lot of wrongdoing going on," it just means that the hackers are doing their jobs well.

NYU's Dhar said that "it's reasonable to use third parties, but that's not the main issue...Of course everyone is going to have great security. That's not what it's about. It's about the (data owning companies) telling (their service providers), 'Here are the kinds of things that are okay to do with the information. Here are the ways in which, even if stuff gets leaked out, the risk is lower.' There has to be more emphasis on things going bad, because you have to assume there will be breaches. The question is, every time something gets hacked, what do you lose? How do you lower the risk?"  

Forsheit agrees with Sundararajan and Dhar that due diligence ahead of outsourcing data to third parties is critical. However, the reality on the ground is that service providers always try to put strict limits on their responsibility and liability in the event of a security breach, she said.
"These service providers usually, by contract, will refuse to take responsibility for a security breach and will often provide only a baseline level of security over information," Forsheit said. "So the choice for a data owner is either to acknowledge that those are significant risks you are undertaking when turning data over, or make a decision not to use the service provider or any other service provider."   


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities. Early Bird ends TODAY.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»