Privacy and Cybersecurity: The Corporate Perspective
In this Q&A, Randal S. Milch, Distinguished Fellow at the NYU Law School Center on Law and Security, former EVP and General Counsel to the Chair and CEO for Verizon Communications, and an Analysis Group affiliate, discusses the complexities around determining use and misuse of data, the differences between privacy and data security, and how company management and boards of directors assess related risks.
Q: Firms are collecting data from an ever-increasing set of interactions with customers. These data may be used to inform business decision-making and may also generate revenue, but a lot of data is never used or even intended to be used. Are firms taking on too much risk when they collect and maintain data?
Mr. Milch: Clearly, firms should think through the tradeoffs involved in collecting and maintaining customer data. When the data has a specific use in mind, it is easier to design policies and procedures that secure authorization for that use and design systems to protect the data itself, including the basic questions of how much data should be gathered and how long it should be kept. Data is an attractive nuisance: companies may want data on hand given the possibility that they may think of some great new use, but it is harder to design policies and systems to manage data for unknown uses.
Q: How can companies distinguish misuses of data from uses of data? Are authorization and consent sufficient to establish permissible use of data?
Mr. Milch: This is a complex issue, but I think that authorization and consent are not sufficient, for a couple of reasons. There are differing views as to how one defines “consent” and “authorized,” especially in a legal context. Some are of the view that an employee can do something with data that is objectively “wrong” but not necessarily “unauthorized.” Computer Fraud and Abuse Act cases and other related criminal matters often turn on questions over what has been “authorized.” Examples include United States v. Aaron Swartz [in which Mr. Swartz, an MIT student, was indicted for violating the terms of service of the digital library JSTOR, and later committed suicide] and United States v. Andrew Auernheimer [in which Mr. Auernheimer, a known hacker, was indicted for accessing unprotected data that was freely available on an AT&T website due to a security flaw. Mr. Auernheimer was found guilty of identity fraud and conspiracy to access a computer without authorization, but the conviction was later overturned.].
From a customer perspective, a large number of watchdog groups (with the Federal Trade Commission and state attorneys general near at hand) closely monitor this space to call out what they regard as bad uses of data – and “use” here means anything from capture, to storage, to what we would more traditionally understand as “use” for marketing or direct revenue by sale. An additional challenge for many organizations is that the nature of how customer data is being collected and used is constantly changing, which creates a significant burden with respect to how they develop and adhere to their respective privacy policies. And customers' understanding of what "consent" means is constantly changing as well. In many contexts, consent or authorization may seem implicit, but the user of data provided with implicit consent is taking a risk that they can demonstrate that consent to a court or regulator down the line.
Q: Where do you see the dividing line between privacy-related concerns and cybersecurity – is it related to how the data is collected and/or stored? Are the determining factors technical?
Mr. Milch: Privacy and cybersecurity are very different entities, although they do overlap in certain instances. With respect to privacy, organizations are typically making decisions about how data are collected and used – but there is no “lost” data per se. In a privacy context, the use of data becomes “misuse” when you say you’re going to handle the data one way, and then do something different. For some organizations, this is in the context of alleged violations of their privacy policies. But privacy-related data can also be misused in violation of regulatory requirements in industries such as health care, telecom, and finance, where use of data is affirmatively limited.
Cybersecurity relates to the technical and human defense of data and systems. What is your cybersecurity policy? What are you spending to protect your organization? What are the mechanisms in place to ensure protection? Where the two areas overlap is when the defense breaks down, and there is an organizational failure that permits the dissemination of data that was never intended to be in the public domain. When cybersecurity is violated, privacy becomes violated as well.
Q: How are company management and boards of directors evaluating the risks associated with data security and privacy, and how is this evaluation affecting investment decisions? Is the exposure clear?
Mr. Milch: There are thousands of companies and other organizations that are grappling with data security, and directors and management certainly recognize the risk as a general matter. In highly regulated industries, the regulators are driving investment. All studies continue to confirm, as they have for a decade, that the first and most productive step to cyber health is good cyber hygiene. So investment in cybersecurity makes sense, but there is a logical way to go about it, and there are obviously diminishing returns at a certain point. I suspect that there is very uneven investment currently. The degree of exposure is not clear, though as former FBI Director Robert Mueller said, "There are only two types of companies: those that have been hacked, and those that will be." Companies must first determine what their cyber risk is; for many organizations, the risk will be relatively small. For those with greater risk, careful planning is essential. Cyber insurance is cheaper if you have a good post-breach plan; in fact, some insurance rates depend more on post-breach planning than prevention abilities.
Determining exposure in an actual or potential privacy or data breach matter is a key step that will inform potential settlements and spending on litigation, but also should inform investments in prophylactic measures. Also critical is thinking through how the firm can maintain, provide, and analyze information that would be responsive to subpoenas or discovery requests. Put simply, if you do not maintain data on consent in a sufficiently robust form, it will be difficult to demonstrate it to a regulator or fact-finder. Firms may shy away from expanding the record, but on issues like consent and authorization, a careful analysis of the data can be effective and also lead to more realistic estimates of exposure.
Q: From a customer perspective, in economic terms, are they willing to pay for privacy/security, or are they just saying it matters to them?
Mr. Milch: There are different ways to monetize enhanced security. However, while every customer would agree that they want their data to be protected, most are not willing to pay very much for enhanced protection. In my experience it has been very difficult to “sell” cybersecurity at the customer level, and the “free” culture of the Internet doesn’t help with getting consumers to pay. For those organizations that have experienced a high-profile breach, there does not appear to be a long-term cost with respect to customer loyalty. Are most customers less likely to shop at Target, for example? If a hospital experiences a breach, are most patients unlikely to return to the hospital for treatment? It’s unclear to what degree businesses suffer from shortcomings in their data security practices, although the Yahoo! breaches may prove to be different. We haven’t seen many lawsuits come to conclusion from the mass loss perspective. When we do, I would guess that individuals get relatively little. At the same time, it is unlikely that the tort system will encourage sensible, risk-justified standards of cyber care.