Follow Customer Opinion, Not the Letter of the Law, on Data Breaches

This MSNBC column raises significant questions about the public's attitude toward the value of data. The writer traces the work of Alessandro Acquisti, a professor at Carnegie Mellon University and a member of the university's Privacy Technology Center. The research built on the established idea that people put a higher value on their own data than its objective value in the marketplace. Acquisti and other researchers tried to show that the compensation people ask for increased use of their data rises as that data's sensitivity increases.


The abstract question of the value of sensitive data to its owners is an important element of the debate over how to address identity theft. It is unclear, however, how Acquisti's results and other insights into people's attitudes can be used to fashion law. For one thing, the sensitive nature of the research kept the surveys from simulating breaches involving Social Security numbers or other sensitive data. Thus, the research is a bit general and generic.


But the research is valuable. Chronic headlines about lost laptops loaded with personnel information and successful hacker raids on corporate databases are making the public wary. Whether the data that disappeared was well protected, and whether the company holding it practiced due diligence, isn't part of the public debate. The key is that people will look to place blame.


Therefore, companies should think about the best ways to avoid that blame, not how to satisfy the local district attorney. Acquisti's research is a nice bookend to a far more tangible point raised by Rob Scott, the managing partner of the law firm of Scott and Scott LLP, in an IT Business Edge Executive Briefing posted June 1. Scott said companies that encrypt data are relieved, in the vast majority of cases, from brand-killing breach notification laws. The point can't be emphasized enough: Not only does encryption protect data -- which, of course, is the right thing to do -- but implementing it enables a company to almost automatically avoid a world of serious pain.


People approach their data with a significant sense of entitlement. What is implicit in Acquisti's research and overt in Scott's comments is that companies run a great risk in gambling with public perceptions, since those perceptions are irrational and narcissistic. In that sense, it's far more important to heed customers' attitudes than the letter of the law when it comes to protecting data.