by Constantine von Hoffman

Why Do Companies Bother to Protect Customer Data?

Dec 11, 2012

The upside for companies of protecting consumer data is practically nonexistent and the downside is barely any greater, according to blogger Constantine von Hoffman. So why do organizations even bother?

Companies are collecting more personal data on their customers than ever before, and a fair number of those organizations spend a lot of money trying to keep the information out of the hands of hackers. But why?

The news is often filled with talk about the need for online privacy, but the complaints only come from a handful of people and groups. Here in the United States it’s the Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU), random academics, a handful of old hippies, some white-hat hackers and select others. There are also some government agencies, but who really pays attention to them? The fines they levy for infractions are pathetic. And, keep in mind, the government only gets involved if it’s not the party collecting the data.

The most recent sure-to-be-short-lived hullabaloo relates to apps that collect data on kids. The FTC released a report that examined the privacy policies and practices of 400 apps. It found that only 16 percent provided a privacy policy to parents before their children downloaded the apps and only 20 percent after downloading. Even then, most of the policies were written in typical EULA: Language so dense it is better used as a soporific than as a transmitter of information. Not that it matters. A bunch of the apps that said they didn’t share data actually do. Shocking, right?

These apps weren’t just sharing babies’ favorite colors, either. They gathered device IDs, phone numbers, geolocation data, birth dates, email addresses, home addresses and other information. (Thankfully, child weight, toilet-training status and teddy-bear names were not collected.)

And that’s just the corner of the blanky. According to the Wall Street Journal:

“The widening ability to associate people’s real-life identities with their browsing habits marks a privacy milestone, further blurring the already unclear border between our public and private lives. In pursuit of ever more precise and valuable information about potential customers, tracking companies are redefining what it means to be anonymous.”

Here’s the funny part: People don’t care about being anonymous–unless they’re head of the CIA and sleeping around–even though industry types like to pretend they do. Here’s what Stuart Ingis, counsel for the Digital Advertising Alliance, said during a recent FTC hearing:

“The market reacts when they see a business practice they don’t like.”

To which I can only reply: “Prove it.”

I dare you to name three medium-to-large size companies that have suffered significant long-term financial harm because of a breach involving consumer data. The Sony Network is doing just fine. The companies that have suffered significantly have been the ones that lost other businesses’ data, not consumer data. 

Consumers get upset if their info is stolen and they find out that something actually happened because of it. They kick and shout at the company a bit. Some of them get assistance from the company, and some don’t. Some go through real, long-term difficulties because of it, and they tell all their friends not to do business with that company, which maybe notices a tiny little flicker to its bottom line and maybe doesn’t.

Nationwide Insurance just admitted it was breached two months ago, and data on 1.1 million people was exposed. Nationwide did what most major companies do after a breach: Offer no-charge credit monitoring for one year and $1 million in identity theft insurance coverage. Nationwide did this to head off the worst-case scenario: Getting hit with a class-action lawsuit.

But that will have no impact on Nationwide’s earnings or its ability to attract customers.

The truth is the upside to protecting consumer data is practically nonexistent and the downside is barely any greater. Your company could have state-of-the-art protection or you could have the barest of bare bones security, and it wouldn’t make any difference in the consumer-choice process.

I’m sure it’s possible for a company’s security to be so bad that it loses enough consumers to feel it. In theory anything is possible.

(Odd but true — when I wrote this I hadn’t seen Simon Moffatt’s excellent piece on the exact same topic, which was published THE DAY BEFORE THIS CAME OUT. However, now I have and I highly recommend giving “Information Security: Why Bother” a read.)
