We've discussed privacy compliance with regulations, legal requirements, etc. in the space since this blog's inception. "Privacy by design" - while not a new concept - is certainly enjoying a new spot in the sunshine thanks to the European Union's General Data Protection Regulation ("GDPR") (93 days and counting...) and its codification of "privacy by design and default" in Article 25.
Privacy can also be a key differentiator and a competitive advantage. Read on for some points that can help drive your data privacy/data management program.
- Data Breaches Are At An All Time High
Currently, data breaches, as catalogued by the Identity Theft Resource Center (“ITRC”), a U.S. non-profit set up to provide education and assistance with ID theft, found that data breaches had reached an all-time high in 2017. Analysis of the ITRC report showed that breaches were up 45% since 2016, with the business sector the hardest with 55% of breaches.
Further, existing data breaches may be even worse than thought or disclosed. We previously reported on the Equifax breach; Equifax has now described that additional types of information went missing. Earlier we reported on the Uber data breach; Uber CISO John Flynn recently testified before the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security that that paying off the hackers was wrong, and that Uber should have provided notice to the affected public sooner.
- Most Consumers Will Not Deal With A Company Known To Lack Adequate Data Protection
Companies wondering how the public is dealing with this current landscape can rest assured that the public takes these issues seriously. A recent published report found that “69% of survey respondents said they would boycott a company known to lack adequate data protection.” Further “more than half (55%) of respondents would avoid giving data to a company they know had been selling or misusing it before.”
Providing these data protections is no longer a nice-to-have. Consumers want to purchase from companies that value their privacy and security; failing to do so may yield a key competitive advantage.
- Companies That Provide Clear Privacy Policies That Afford Customers Control Will Suffer Far Less Post Data Breach
A recent Harvard Business Review study examined the effects of data breaches on stock prices and found that data breaches cold have significant effects on the stock price of a company experiencing the breach. Further, the study observed that competitors could be helped or harmed by the data breach depending on whether consumers viewed the competitor as either a better alternative, or somehow more risky in light of the existing data breach.
Underscoring actionable steps we have provided previously, the study went on to provide two basic strategies that when used by companies enabled the company “to protect or inoculate themselves from their own or a rival’s breach,”
- First, companies should explain in clear language how the company will be using and sharing customer data. This would include IP address, and search history for example.
- Second, companies should provide users control over their own data, giving the customer opportunities to opt out of certain practices, such as promotions.
The study found that customers did not punish breached companies that provided both transparency and control; instead, “empowered customers are more willing to share information and are more forgiving of data privacy breaches, remaining loyal after the fact.” Unfortunately, only around 10% of the Fortune 500 had implemented these two characteristics in their data management practices. Empowering data subjects is a key component of the GDPR and may start to move the needle.
If you have any questions on how your organization can provide for and implement a transparent data management program that provides meaningful data controls to your customers please do not hesitate to contact the team at Mintz Levin.