By Brian Kilcourse, Managing Partner
February 23, 2010
According to an ancient Greek myth, a curious Pandora opened a gift that Zeus had given to her, and in so doing unwittingly unleashed a whole host of evils onto the world. Although perhaps the story is overused to explain the law of unintended consequences in extremis, it certainly seems to apply to digital enablement as relates to personal information. The retail industry has been focused on securing digital payment information since at least 2005 with the PCI mandates, but RSR contends that since the retailer represents the first point of aggregation for consumer demand data, the strategic brand challenge of data security and consumer privacy, looms larger than ever. As our forthcoming report entitled Building Trust and Growing the Brand: The Role of Privacy and Security in Retail 2010 shows, retailers increasingly agree with that assessment, and many feel that “showing sensitivity to the issues works in favor with our customers.”
‘We Have Met the Enemy, and He Is Us’
The issue of consumer privacy goes well beyond retail itself, as our society continues to digitize content of every kind, and individuals continue to consume and add to that content. Indeed, although the new report indicates that virtually all retailers feel that “recent publicized breaches have raised consumer awareness about payment data,” there’s also evidence everywhere that consumers themselves are contributing in a carefree way to their own loss of privacy. For example, a new website exists at www.PleaseRobMe.com that posts information readily provided by real people on Twitter about when they’re not at home. “JenniLoLo” isn’t at home now because she’s at the Animal Hospital, and “Mimezone” is in Las Vegas at the MGM Grand. None of this would be too bad if the same people didn’t also post their real names and hometowns in their profiles – but they do! Well publicized concerns about Google’s social media site Buzz (buzz.google.com) and changes to Facebook’s privacy settings make headlines, but in the meantime consumers continue to give away the keys to their private information in the digital domain.
It’s almost as if we collectively took Scott McNealy’s infamous advice too willingly: "You have zero privacy anyway. Get over it." And so, quoting another famous thought leader (Pogo), “We have met the enemy and he is us.” In that mental risk-reward calculation that each of us make when sharing our information, it’s clear that many put more value on the tangible (money) than the intangible (safety). And of course, the bad guys have the same focus - at least for now. As the new report states, “While privacy advocates argue that payment data is not the most commonly stolen form of customer information (government identification such as social security number has that dubious distinction), it is certainly the most sought after by organized crime rings the world over who view retailers as target-rich environments, for the simple reason that payment data can be easily converted into cash.” But the report also notes, “it is not surprising to see that many retailers view privacy and security as ‘thankless’ jobs… privacy and security are only recognized in times of failure, and that customers offer no reward for security ‘done right.’” Thankless job or not, consumers want the rewards but not the risk – and so those who service those consumers have to close up all the security holes that could put privacy at risk.
Onward Through the Breach!
RSR noted one of the more odd instances of a failure to protect private consumer data in a 2/24/09 Retail Paradox Weekly column, Consumer Privacy & Data Security at CVS: A Cautionary Tale. That story was about the dangers of tossing carbon-based (as opposed to digital) information into the dumpster. The point of that story was that it could happen to anyone, and not just with prescription information – what about job or private label credit card applications? And since paper-based information doesn’t scale as well as digital information, many organizations and whole industries continue to march on in their digitization agendas, scaling the risks in like kind.
A great example of this is the notion of “electronic patient records”. Although “money” might be top-of-mind for most consumers, “health” isn’t far behind, and the mega issue of health industry reform has been headline news in the U.S. since Barack Obama was elected to the presidency. On January 29, 2009, the president stated: “To improve the quality of our health care while lowering its cost, we will make the immediate investments necessary to ensure that within five years, all of America’s medical records are computerized. This will cut waste, eliminate red tape, and reduce the need to repeat expensive medical tests. But it just won’t save billions of dollars and thousands of jobs – it will save lives by reducing the deadly but preventable medical errors that pervade our health care system.” That sounds reasonable, but as every CIO knows, it’s one thing to say such a thing, and another to accomplish it. Humans show a wonderful optimism about the upside of technology adoption, but rarely think about the downside effects until they are “out of the box”. While politicians and pundits argue about “Big Brother” government agencies, technologists worry about the more pragmatic issues of speed, reliability, and… security.
The Unmanaged Risk: 3rd Parties
The medical record is a useful issue to bring forward because it underlines the risks from sharing data with 3rd parties, intentionally or otherwise. In the health industry context, than means insurance and benefits management companies. The U.S. public is well aware of the issue: there are fears that 3rd parties will use information provided by patients (the 1st party) and doctors and pharmacists (the 2nd parties), to deny coverage, not to provide it. It’s a real concern – and it’s been around for years. A key component of President Clinton’s 1994 failed health care initiative was implementation of a database containing every American's medical records, identified by a unique number. The idea reappeared in 1996 as a component of the 1996 Health Insurance Portability and Accountability Act (HIPAA) which gave the Federal government the power to electronically tag, track and monitor every citizen's personal medical records. Congress was given 3 years to enact privacy legislation but failed to do so, and so in 2000 the federal Department of Health and Human Services (HHS) published a “privacy rule”, and in 2002, regulation was enacted. According to the HHS website, “A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.” As prescription drug consumers (may) know, that “written authorization” is the signature log at the pharmacy counter of your local retailer.
The reason this should be interesting to retailers as well as consumers (even those who haven’t gone to a doctor or pharmacy) is that it brings the concept of the “3rd Party” into the discussion. We all live with 3rd parties: in addition to health insurance companies, there are credit agencies and other “databases” that track our financial status and life events. And then there are 3rd parties like Facebook, Google, Twitter, and others that track our dating preferences, professional C-Vs, etc. As empowered consumers in the digital age, we may think we’re having a conversation with our “friends” in the social network, our health care providers, and our favorite retailers, but whole industries have essentially outsourced management of personal information to 3rd parties, and that has created new opportunities and risks- both which get systematically exploited. And because there are no hard-and-fast rules governing how the sharing of information with a third 3rd party will be monitored and verified safe, data security measures only tend to get looked at when something goes terribly wrong – such as when a “bad” 3rd party like a professional hacker breaks into the digital conversation.
What Now?
We at RSR aren’t advocating that consumers go “off the grid” or that companies go back to the safe old days of mass anonymity. There’s a lot of “reward” associated with consumers and service providers sharing digital information to arrive at the right solutions to lifestyle needs. And (back to the Greek myth for a moment) at the very bottom of Pandora’s jar, lay hope.
But as some wiseguy once said, “Hope is not a strategy”. Just as PCI compliance doesn’t equal a privacy and data security policy in retail, vague regulations about appropriate use don’t equal an overall governing framework. Technology can knock off the “evils” one at a time when they are encountered, but what’s missing is an overall governing framework that dictates how the security of sensitive information will be continuously monitored and verified. Since such a framework would transcend particular industries, it should fall to government to resolve – if you believe that the true role of government is to do for the citizenry what it can’t do for itself.
In the absence of that, in this age of digital enablement, consumers need to use common sense and enact their own set of “need to know” rules of use.
|
