The collection, storage, use, and disclosure of consumer data are hot topics in the legal, regulatory, and legislative communities.
In addition to the types of data that may be particularly sensitive and/or targeted by hackers (e.g., credit card information, health data), many organizations collect consumer data to better understand and connect with customers (e.g., demographic information, consumer preferences). However, the collection and use of data sets the stage for unauthorized individuals to access information through cyberattacks and misuse that data to harm both the entities that legitimately collect data and their customers. In this Q&A, affiliates Randal S. Milch, Michael Siegel, and Catherine E. Tucker offer corporate and academic perspectives on data breaches, related litigation, and big data as a potential source of market power.
What are the most pressing issues on the minds of company boards and executives with respect to privacy and data security?
Professor Siegel: Based on my research, most of the questions we are getting from board members are related to what is an appropriate cybersecurity framework. Cybersecurity is a mostly non-regulated field in which there are many issues to be discussed, including risk, compliance, security, and best practices. Most organizations have made building a culture around security a major priority. Many are using the NIST [National Institute of Standards and Technology] Cybersecurity Framework as an overall guide for understanding cyber-readiness. But there is always a question of how much to spend and where to allocate resources.
Mr. Milch: Directors and management certainly recognize the risk as a general matter. In highly regulated industries, the regulators are driving investment. All studies continue to confirm that the first and most productive step to cyber health is good cyber hygiene. So investment in cybersecurity makes sense, but I suspect that there is very uneven investment currently.
How can companies minimize their exposure to the potential disclosure of sensitive data through a breach?
Professor Siegel: First and foremost, cybersecurity is about people, process, and technology. The largest emphasis is on people because most breaches – some say as much as 90 percent – have been aided and abetted, knowingly or unknowingly, by insiders in the organization.
Is the exposure clear?
Mr. Milch: The degree of exposure is not clear. Companies must first determine what their cyber risk is; for many organizations, the risk will be relatively small. For those with greater risk, careful planning is essential. Cyber insurance is cheaper if you have a good post-breach plan; in fact, some insurance rates depend more on post-breach planning than prevention abilities. Determining exposure in an actual or potential privacy or data breach matter is a key step that will inform potential settlements and spending on litigation. Also critical is thinking through how the firm can maintain, provide, and analyze information that would be responsive to subpoenas or discovery requests.
How is the world of big data affecting data breach class action lawsuits?
Professor Tucker: The explosion of digital data has been matched by an increase in related litigation, including data breaches, alleged privacy intrusions, and many other things that can happen when companies collect detailed data about an individual customer. However, what I think is interesting is that parallel to this increase is the opportunity to get more information about how the consequences of these different data breaches or privacy issues vary so much across individuals. For example, in my research I have shown that while many users of social networking sites can respond negatively to intrusive use of their data in advertising, there is a subset of users who appreciate the personalization of their advertising and respond positively to it. In addition, it is not clear that the effects of a privacy intrusion or a data breach are going to be constant across time or instance. My research indicates that people’s privacy preferences evolve over time, and change considerably between the ages of 18 and 30. We have also observed that, although people can be protective of their data, for a small financial incentive they are willing to behave differently. All of these inconsistencies and idiosyncrasies are important when thinking through the implications of class certification cases related to data breaches and privacy.
Can big data be a source of market power?
Professor Tucker: Although policymakers often make this argument, this contrasts with standard strategic managerial models of what can confer market power. We analyzed whether or not big data meets the four traditional criteria for being a barrier to entry or a source of sustainable competitive advantage (inimitability, rarity, value, and non-substitutability). At least at the moment, the kind of big data that most digital firms have access to doesn’t make the cut. Big data’s advantages are relatively easy to mimic, and by itself big data is often not that valuable. Instead, competitive advantage stems from having the right personnel with the right training to make sense of the swaths of data.
Adapted from “Privacy and Cybersecurity: The Corporate Perspective,” a Q&A with Randal S. Milch; “The Impact of Data Breaches and Hacking,” a Q&A with Michael Siegel; and “Is Big Data a True Source of Market Power?” a Q&A with Catherine E. Tucker; all published on analysisgroup.com.