By Angelique Carson

Data breaches should serve as a wake-up call to companies' top-level management. That's according to New York University Professors Arun Sundararajan and Vasant Dhar, who say companies that share data with third-party service providers must more seriously consider the risks of using such services and weigh them against the benefits.

Dhar, director for the Center for Digital Economy Research at the NYU Stern School of Business, and Sundararajan, associate professor of information, operations and management sciences, say that the recent Epsilon breach is an example of failure in management--not security technology. They say the breach calls into question the management choices the affected companies made when they shared customer data for marketing purposes.  

"Each firm made the conscious choice to take the data that had been entrusted to them by their customer and to share it with a third party. Firms make these choices largely when thinking about returns but without sufficient attention to the risks involved," Sundararajan said. 

For example, "While a customer may have clicked on 'I agree,' their intent when providing an e-mail address wasn't to be marketed to; it was to get banking services from their bank," he said. "This reflects a choice of data sharing on the part of the bank that did not factor risk into the e-mail marketing returns." 

The Epsilon breach should prompt CEOs to act in two ways, the professors say. First, enterprise management should elevate the role of the privacy officer so that the position reports directly to the CEO. In doing this, conversations and approaches to data management should become holistic and strategic.

"Privacy management is...still at that tactical level," Sundararajan said, because firms aren't quite grasping yet the loss in customer trust that stems from data breaches. "There is a definite need for this role of managing privacy in organizations to move from the tactical to a C-suite issue by someone who reports to the CEO." 

But Tanya Forsheit, CIPP, of Information Law Group, disagrees. She says that firms, in general, are prioritizing privacy. She says she sees them placing increasing emphasis on the privacy office and that privacy officers are working with top-tier management at many companies.

"I do think that privacy and security have become a higher priority," she said. "Privacy officers are working with the highest levels at many companies, in particular in response to some of these incidents that have gotten a lot of attention." 

In fact, the IAPP's 2011 salary survey found that 50 percent of top privacy leaders report either directly to the "C-level" executive or to a person one position between the privacy office and the C-level executive. 

But another recent breach could cast doubt on whether an elevated role for the privacy professional guarantees data protection. The U.S. Securities and Exchange Commission last week fined the president, chief compliance officer and an account representative at now-liquidated GunnAllen Financial, Inc., after the rep downloaded account holders' data to his personal thumb drive and took the data to a new firm with the blessing of GunnAllen management, wrote Andrew Smith, a partner at Morrison Foerster. The chief compliance officer was fined $15,000 for failing "to ensure that the firm's policies and procedures were reasonably designed to safeguard confidential customer information," Information Week reported. In its fine, the SEC also called the firm's data privacy rules "vague."

"I think the SEC sent a very pointed message by making the compliance officer personally liable," said Jeffrey Neuburger, a partner at Proskauer in New York. "There's a very direct message saying, 'This is on your watch.' It's a point to the most senior level management of broker dealers that they should be focused on this issue." 

"Firms need to be forward-looking and proactive at managing their privacy risks," NYU's Sundararajan said, adding that firms cannot rely on regulations for guidance because, at the "pace technology is progressing, there will always be new revelations or privacy traps that come up, and regulations are backward-looking and reactive." 

Beyond elevating the privacy officer's role, Sundararajan and Dhar say firms should manage data in a way that evenly weighs both the returns and the risks of outsourcing data to third parties.

But it will take a massive data breach, one even greater than Epsilon's, for firms to take the action that is needed, Sundararajan predicts. 

Forsheit declined to comment on the Epsilon and GunnAllen breaches specifically but said that, in general, breaches don't happen as a matter of mismanagement but rather because breaches, well, happen. 

"And when they happen, they happen for a combination of reasons, a combination of sometimes a mistake or an error or an oversight internally. But often, the reason breaches happen is just because there is no such thing as perfect security," she said, adding that the fact that we're seeing more breaches "doesn't mean there's a lot of wrongdoing going on," it just means that the hackers are doing their jobs well.

NYU's Dhar said that "it's reasonable to use third parties, but that's not the main issue...Of course everyone is going to have great security. That's not what it's about. It's about the (data owning companies) telling (their service providers), 'Here are the kinds of things that are okay to do with the information. Here are the ways in which, even if stuff gets leaked out, the risk is lower.' There has to be more emphasis on things going bad, because you have to assume there will be breaches. The question is, every time something gets hacked, what do you lose? How do you lower the risk?"  

Forsheit agrees with Sundararajan and Dhar that due diligence ahead of outsourcing data to third parties is critical. However, the reality on the ground is that service providers always try to put strict limits on their responsibility and liability in the event of a security breach, she said.

"These service providers usually, by contract, will refuse to take responsibility for a security breach and will often provide only a baseline level of security over information," Forsheit said. "So the choice for a data owner is either to acknowledge that those are significant risks you are undertaking when turning data over, or make a decision not to use the service provider or any other service provider."