In this Q&A, Randal S. Milch, Distinguished Fellow at the NYU Law School Center on Law and Security, former EVP and General Counsel to the Chair and CEO for Verizon Communications, and an Analysis Group affiliate, discusses the complexities around determining use and misuse of data, the differences between privacy and data security, and how company management and boards of directors assess related risks.
Mr. Milch: Clearly, firms should think through the tradeoffs involved in collecting and maintaining customer data. When the data has a specific use in mind, it is easier to design policies and procedures that secure authorization for that use and design systems to protect the data itself, including the basic questions of how much data should be gathered and how long it should be kept. Data is an attractive nuisance: companies may want data on hand given the possibility that they may think of some great new use, but it is harder to design policies and systems to manage data for unknown uses.
Mr. Milch: This is a complex issue, but I think that authorization and consent are not sufficient, for a couple of reasons. There are differing views as to how one defines “consent” and “authorized,” especially in a legal context. Some are of the view that an employee can do something with data that is objectively “wrong” but not necessarily “unauthorized.” Computer Fraud and Abuse Act cases and other related criminal matters often turn on questions over what has been “authorized.” Examples include United States v. Aaron Swartz [in which Mr. Swartz, an MIT student, was indicted for violating the terms of service of the digital library JSTOR, and later committed suicide] and United States v. Andrew Auernheimer [in which Mr. Auernheimer, a known hacker, was indicted for accessing unprotected data that was freely available on an AT&T website due to a security flaw. Mr. Auernheimer was found guilty of identity fraud and conspiracy to access a computer without authorization, but the conviction was later overturned.].
From a customer perspective, a large number of watchdog groups (with the Federal Trade Commission and state attorneys general near at hand) closely monitor this space to call out what they regard as bad uses of data – and “use” here means anything from capture, to storage, to what we would more traditionally understand as “use” for marketing or direct revenue by sale. An additional challenge for many organizations is that the nature of how customer data is being collected and used is constantly changing, which creates a significant burden with respect to how they develop and adhere to their respective privacy policies. And customers' understanding of what "consent" means is constantly changing as well. In many contexts, consent or authorization may seem implicit, but the user of data provided with implicit consent is taking a risk that they can demonstrate that consent to a court or regulator down the line.
Mr. Milch: Privacy and cybersecurity are
very different entities, although they do overlap in certain instances. With
respect to privacy, organizations are typically making decisions about how data
are collected and used – but there is no “lost” data per se. In a privacy
context, the use of data becomes “misuse” when you say you’re going to handle
the data one way, and then do something different. For some organizations, this
is in the context of alleged violations of their privacy policies. But
privacy-related data can also be misused in violation of regulatory
requirements in industries such as health care, telecom, and finance, where use
of data is affirmatively limited.
relates to the technical and human defense of data and systems. What is your
cybersecurity policy? What are you spending to protect your organization? What
are the mechanisms in place to ensure protection? Where the two areas overlap
is when the defense breaks down, and there is an organizational failure that
permits the dissemination of data that was never intended to be in the public
domain. When cybersecurity is violated, privacy becomes violated as well.
Mr. Milch: There are thousands
of companies and other organizations that are grappling with data security, and
directors and management certainly recognize the risk as a general matter. In
highly regulated industries, the regulators are driving investment. All studies
continue to confirm, as they have for a decade, that the first and most
productive step to cyber health is good cyber hygiene. So investment in cybersecurity
makes sense, but there is a logical way to go about it, and there are obviously
diminishing returns at a certain point. I suspect that there is very uneven
investment currently. The degree of exposure is not clear, though as former FBI
Director Robert Mueller said, "There are only two types of companies:
those that have been hacked, and those that will be." Companies
must first determine what their cyber risk is; for many organizations, the risk
will be relatively small. For those with greater risk, careful planning is essential. Cyber
insurance is cheaper if you have a good post-breach plan; in fact, some
insurance rates depend more on post-breach planning than prevention abilities.
exposure in an actual or potential privacy or data breach matter is a key step
that will inform potential settlements and spending on litigation, but also
should inform investments in prophylactic measures. Also critical is thinking
through how the firm can maintain, provide, and analyze information that would
be responsive to subpoenas or discovery requests. Put simply, if you do not
maintain data on consent in a sufficiently robust form, it will be difficult to
demonstrate it to a regulator or fact-finder. Firms may shy away from expanding
the record, but on issues like consent and authorization, a careful analysis of
the data can be effective and also lead to more realistic estimates of
Mr. Milch: There are different
ways to monetize enhanced security. However, while every customer would agree
that they want their data to be protected, most are not willing to pay very
much for enhanced protection. In my experience it has been very difficult to “sell”
cybersecurity at the customer level, and the “free” culture of the Internet
doesn’t help with getting consumers to pay. For those organizations that have
experienced a high-profile breach, there does not appear to be a long-term cost
with respect to customer loyalty. Are most customers less likely to shop at
Target, for example? If a hospital experiences a breach, are most patients
unlikely to return to the hospital for treatment? It’s unclear to what degree
businesses suffer from short-comings in their data security practices, although
the Yahoo! breaches may prove to be different. We haven’t seen many lawsuits
come to conclusion from the mass loss perspective. When we do, I would guess
that individuals get relatively little. At the same time, it is unlikely that
the tort system will encourage sensible, risk-justified standards of cyber care. ■
This feature was published in January 2017.