
Page 1: Privacy Beyond Compliance: A New Perspective on Enterprise

0 TECHNOLOGY RESEARCH AND CONSULTING www.techvisionresearch.com

© 2016 TechVision Research all rights reserved

Privacy Beyond Compliance: A New Perspective on Enterprise Privacy Excerpt

Abstract

Privacy has been inextricably tied to regulatory compliance and risk mitigation for businesses over the years. This is why many Chief Privacy Officers (CPOs) are attorneys. Privacy is about keeping your organization out of trouble, but TechVision Research believes there is an opportunity to leverage privacy beyond minimal compliance levels to provide economic value for key stakeholders. In this report, we suggest more than two dozen business cases to evaluate investments in privacy beyond these mandatory compliance levels. The report introduces the concept of Privacy Beyond Compliance (PBC) and provides a framework for CIOs, CPOs, CISOs, CTOs, CEOs and line of business leaders to assist in making informed business decisions. The Recommendations section includes 29 privacy-centric business cases designed to help business managers and strategists identify and implement those strategies that are best suited to their particular organization. These tools can be leveraged by our client organizations to assess those goals that have the greatest potential for realizing cost savings, risk reduction and enhanced leverage for their enterprise, and that help promote privacy . . . beyond compliance.

Authors:

Scott L. David, J.D., LL.M., Principal Consulting Analyst, [email protected]

Gary Rowe, CEO, Principal Consulting Analyst, gary@techvisionresearch.com

Jill Phillips, J.D., Principal Consulting Analyst, [email protected]

Page 2: Privacy Beyond Compliance: A New Perspective on Enterprise

Privacy Beyond Compliance David, Rowe and Phillips

1 TECHNOLOGY RESEARCH AND CONSULTING www.techvisionresearch.com © 2016 TechVision Research all rights reserved

Table of Contents


Executive Summary & Key Advice

Privacy Beyond Compliance (PBC) and Privacy as Investment (PAI) are concepts that seek to translate the ambiguous term “privacy” into language that businesses can understand. PBC and PAI-based strategies can help lower risk and increase ROI for business, as they are really integrated “business information integrity initiatives.” This document and our client recommendations focus on the business-value propositions associated with achieving and sustaining reliable business information integrity that aligns with broad privacy goals. When IT and business leaders consider the positive economics of the 29 PBC and PAI goals (set forth in the Recommendations section of this report) together with the regulatory requirements of privacy compliance, the result is a more holistic perspective on business opportunities associated with information integrity. This provides businesses with incentives that can motivate them to explore privacy in a different and more opportunistic light. In this report we condense the challenges of privacy beyond compliance and privacy as investment, explain their ramifications, and offer strategic and tactical solutions. Some of the suggested business strategies take longer than others for a business to implement, but all can be initiated at your next management meeting as suggested in the Recommendations section below. The ramifications of currently broken privacy include unmet expectations of both individuals and organizations, the erosion of trust, and increased friction in the mechanisms of interaction and exchange upon which economies, and the businesses that drive them, depend. Business and IT leaders feel powerless to address the structural challenges alone, but equally powerless to recruit others to work with them, particularly given a general lack of trust in outside privacy consultants.

The solutions we propose are complex, but all involve the restoration of trust, starting with enhanced reliability and predictability of institutional data actions. Accomplishing and sustaining reliability and predictability happens when interaction and transaction behaviors align with existing stakeholder interests, motivations and incentives. In the case of business stakeholders, that means aligning individual privacy with business economic interests. This may at first seem paradoxical, and in some cases the interests of individuals and businesses do conflict. However, the complexity of online interaction space has caused the risk profiles of businesses and individuals to become more aligned, creating opportunities for “win-win” strategies for forward-thinking enterprises. PBC is intended to promote development of those “win-win” strategies at your organization. This report offers a checklist of solutions as candidates for consideration by your business organization.

Each of the PBC goals in this report can be economically justified by a single business acting alone. When the business conducts PBC in alliance with multiple businesses they can actually “move the needle” on distributed information integrity, and hence help further individual privacy rights and secure business data structures more effectively and sustainably than any one company or government can do by itself. This is similar to individual vaccination during flu season promoting both individual health and “herd” immunity: PBC and PAI offer similar incentives for both individual and collective action to improve overall information network integrity. As discussed in this report, “privacy” is broken partly because it is being misdiagnosed as a separate and isolated problem for business, when in fact it is part of a larger risk profile issue due to increased business interaction complexity. In fact, privacy is just one symptom of the illness triggered by the mismatch of traditional institutional and legal response to a new, complex, distributed and changing information network risk landscape. Treating the symptoms is palliative (you feel better), but it does not cure the illness. Privacy anxiety and data (in)security — along with unknown risk and liability exposures — are symptoms of an illness caused by a deficiency of shared, standardized measurements for information system integrities. In most organizations, what gets measured gets done, but as discussed in this report, our traditional organizations never had to deal with today’s distributed socio-economic-technical systems, and so they don’t know what to measure to “get privacy and security done.” PBC and PAI offer a place to start by recruiting familiar business metrics into the service of enhanced network integrity.


Introduction

Incorporating privacy programs into everyday business organization and operations facilitates superior business performance, saves costs, and enhances income generation. Assessing the relevance of PBC (Privacy Beyond Compliance) and PAI (Privacy as Investment) in common business settings requires answering these types of questions related to eleven key business settings:

1. Internal Budget Discussions – Are the benefits of sunk privacy costs being maximized in your organization? Does the budget accurately allocate the costs and benefits of privacy and enhanced information system integrity to the proper division? Are compulsory and discretionary costs of privacy and data security being properly accounted for? Is the tax treatment of privacy costs being optimized?

2. New Product Introduction – If a new product or service has a data collection component (either at the time of sale or through ongoing data streams generated by the Internet of Things), is that feature positioned for maximum customer understanding, acceptance and adoption? Is the value of that data stream being protected and maximized?

3. Employee Performance Evaluation – Are company internal employee policies and practices relating to privacy and data security consistent with company contractual and regulatory obligations to maximize company performance in its relevant supply chains? Do your company’s metrics for employee performance incentivize good data hygiene among employees?

4. Cloud computing contract negotiations – Are company (and customer) privacy and security concerns addressed in your cloud contracts? What negotiation strategy can yield concessions by cloud providers relating to privacy and data security risks to minimize your business exposure?

5. Outsourcing contract negotiations – Are third parties gaining access to your company’s data? How are they using that data, and are they appropriately protecting it? If your company uses data from a third party, is your company’s handling of that data consistent with its relevant contract requirements?

6. Business combination discussions (mergers, acquisitions etc.) – When your company merges with or acquires another company, how will the two companies’ data systems, data, and data policies and practices be combined? Is your company appropriately handling data sharing and data access questions in joint-development and joint venture settings?


7. Borrowing money to fund operations – Could the company lower its borrowing costs through improved cybersecurity or privacy practices? Are company assets offered as collateral in partial-recourse lending settings subject to destruction or devaluation from cyber-attacks?

8. Participation in standard-setting organizations – Is the company involved in trade associations or other standard-setting contexts that establish standard terms the adoption of which could lessen the privacy burden on the company?

9. Negotiation of consumer or supplier-facing supply chain contracts – Are company contracts with third parties presenting privacy and data security requirements that are consistent with company operating practices? If not, what is being done to assure that the company does not technically default on those agreements as a result of the differences? What are alternative risk mitigation strategies to help address the liability gap between policy and practice?

10. Brand strategy discussions – Is the company positioning its products and services for maximum positive impact, and adoption, in markets where B2C and B2B customers, respectively, have privacy and data security concerns?

11. International business operations – For companies with operations in multiple countries, has the organization taken a holistic view of its organization and operations in light of privacy and data security policy arbitrage opportunities?

In each business setting above, the question of organizational “information system integrity” directly affects the bottom line. Privacy-related expenditures directly relate to the value propositions associated with information system integrity. Once this close relationship of privacy and business information system integrity is fully understood and embraced, the discussion can be grounded in basic business economics – stretching company expenditures for maximum commercial benefit and impact. The challenge/opportunity is building a privacy program focused on the specific goals and strategies that work best for the organization. As discussed in this report, to support our clients’ decision-making processes, we present a model that describes 4 core areas to consider in justifying investment in privacy programs beyond the compulsory duties imposed by laws and regulation. This is the essence of PBC. This report is a research report, a privacy-planning reference document, and a pragmatic toolkit to assist our clients in making better privacy-related decisions.

Privacy, Security and Integrity

The three pillars of a sound cybersecurity practice are Confidentiality, Integrity and Availability (CIA). This framework is fundamental to best practice and nearly all cybersecurity activities can be traced to one of these pillars. At TechVision Research we find that most organizations focus on confidentiality (encryption, firewalls, IDS/IPS, anti-virus, behavioral analytics, etc.) and availability (business continuity, disaster recovery, anti-DOS, network resiliency, etc.) and often place too little emphasis on integrity as a stand-alone element. From a classic cybersecurity perspective, integrity directly ties to protecting and managing both identity and privacy. This is because the integrity of ICT systems and channels is a foundation of the veracity of identity (through the degree of “entropy” of an identity reflected in a credential and its supporting infrastructure) and a foundation of the evaluation of privacy (through its measure of the degree of “intrusion” on the individual’s perceptual and expressive data channels caused by the “insight” of a system user seeking to lower credential identity entropy to improve identity assurance and predictive analytics). Data system “integrity” can be measured from a number of different perspectives; perspectives also directly relevant to both privacy and security strategy and practice. For example, data breaches, unauthorized access to data, harmful uses of data, and data falsification each result from a failure of system integrity, and they are also shared challenges of both privacy and security. Many of the same metrics of data system channel “integrity” inform the analysis of these risks, even though the potential harms are different. It is the concept of system “integrity,” broadly construed, that brings them together.

Individual Versus Corporate Privacy Perspectives

Privacy is important for individuals and for society as a whole and is therefore the subject of government attention and regulation. By contrast, businesses are typically left to figure out how to improve their security with less governmental guidance, except in the cases where business security has a direct impact on broader social, economic and other similar concerns of government. This sets up a continual tension where privacy is typically grudgingly accepted and considered by businesses to be, at best, a cost of doing business or a means of protecting an organization from regulatory fines or “bad press.” This grudging acceptance is further challenged by the breadth and ambiguity of the term “privacy” under various (and often inconsistent) laws, which drives businesses to engage conservatively with privacy programs for fear of being “second guessed” by regulators and markets if even their well-intentioned programs go astray. As a consequence, many organizations seek to do “just enough” in the area of privacy to permit them to avoid major legal or media damage, but do little beyond that minimal investment. In fact, many or most Chief Privacy Officers have a legal background, which reflects this general institutional focus on mitigating regulatory and compliance risk. As a result, compliance with privacy and related data security regulation benefits individuals, but it’s expensive for businesses. The consideration of “privacy” as part of ordinary business operations is becoming more natural as it becomes clearer that the realization of individual privacy and company data security have the same roots. This is because many of the same strategies and tactics needed to improve privacy can also improve security and risk mitigation. This perspective is at the heart of many PBC and PAI strategies and goals described in the Recommendations section of this report. This report explores how businesses can achieve enhanced ROI from their privacy-related expenses, whether those costs are compelled by law, or are discretionary investments of the business in pursuit of its commercial goals. TechVision Research believes that there is an increasingly credible economic case to be made for businesses to engage in privacy programs beyond that minimal level of compliance.

Regulation, Risk Mitigation and Cost Savings

The costs of compliance with regulations are not all bad news for business, since the costs of complying with duties imposed under regulations can also function to shield business from potentially even more significant costs that could result in the absence of any regulations in a complex and rapidly evolving sector. In some situations, laws — even those that are ineffective and out-of-date — can help narrow business risks by creating de facto standards that constrain business action discretion, offering some cost savings. This is more than just a rationalization – particularly in dynamic and high-risk areas (such as privacy and data security) and markets where the known regulation may be more acceptable than the unknown risks. In fact, even though many businesses justifiably complain about the incoherence and inconsistency of current privacy laws and data security regulations, those rules (such as GLBA [1], HIPAA [2], FERPA [3], state data breach laws [4], European data regulations [5] and many more) also do enterprises a favor to the extent the rules establish statutory “standards of care” that courts and regulatory authorities can apply as objective evidence of adequate privacy and data security practice. Legislation functions as a de facto standard for data behaviors where it applies. An irony of our current state of privacy protection is that many established “privacy” laws and rules may not adequately protect the privacy rights of individuals in modern distributed, networked settings, but they are still somewhat cost-effective for businesses in establishing legal duties of care upon which organizations can rely in their budgeting and operations. As a result, these archaic privacy and data security laws may protect organizations’ interests (by clarifying their legal duties, and lowering risk and cost) more than they may protect individual interests. However, in the rapidly evolving world of privacy and data security, it is important that businesses also focus on the potential for cost savings associated with anticipating future trends in law and regulation by following PBC/PAI strategies.

From a Cost Center to a Business Opportunity

If we look beyond the rationalization that regulation can yield cost savings by narrowing business risk exposure, the overlap of individual privacy and business information security and risk mitigation opens the door to privacy-protecting activities becoming more than just a “cost center” for business. From the expanded perspective offered by this report, the overlap gives rise to multiple cost saving and revenue enhancing opportunities for businesses. This economic opportunity is outlined in two questions for businesses:

First, how can my business maximize return on sunk, legally-required costs of privacy compliance? This first “leverage” benefit is captured in the concept of Privacy-As-Investment (PAI). It is an ROI analysis that is applied “after the fact,” since the “decision” to incur regulatory compliance expenditures is compelled by law. Second, what are the circumstances in which my business should invest more in privacy than is required by applicable law and regulations? This second “investment” benefit is captured in the concept of Privacy-Beyond-Compliance (PBC). In this second circumstance, the ROI analysis takes place “before the fact,” in that the decision of whether or not to incur additional, discretionary expenses associated with information system integrity has not yet been made, and PBC can help to inform that spending decision.


Problem Statement and/or Key Trends

There is a logical, if lamentable, reason for the disconnect between individual and business views on privacy. “Privacy” is the term used to describe a set of individuals’ rights, not business rights. Therefore, from the business perspective “privacy” is a set of legally-compelled obligations and duties merely creating costs and inefficiencies for the organization. The disconnect is pervasive, but the business skepticism is greatest (justifiably so) in those sectors and jurisdictions where the laws are most out of step with the new commercial and social reality ushered in by massively distributed, networked data and interaction systems. In those cases, the compliance costs seem to yield the least benefit. Given the business mission and obligation to maximize value and return to its owners, privacy compliance in the current context is grudging at best, and incomplete at worst. When we couple this business skepticism with individual cynicism (as consumers and employees) we begin to perceive the futility of promoting privacy rights through the de facto practices of “liability theatre”: this includes the popular acts such as the “notice and consent” duet predicated on unread terms of service; the “I agree” button tap dance; and the data de-identification shuffle, among others. Privacy can be supported more effectively by business, and it must be in order to establish the “trust” needed to sustain the distributed interaction networks needed for future commercial activity.

Individual and Business Interests Align in a Complex Networked Data World

In this report, TechVision Research suggests that the dysfunctional stalemate of ineffective legislative processes directed at establishing and enforcing various “privacy” rights can be turned around, at least in part, by commercial practice initiatives that are fully justified on business grounds, and which can also further multiple privacy-related goals. This opportunity for a strategic turn offers a second bite of the apple to IT professionals, and reflects a more matured view of the changing risk profile – from yesterday’s emphasis on data protection to tomorrow’s focus on information co-management. In distributed networks, the traditional perimeter is evaporating, inviting new strategies of risk mitigation.


This shift corresponds to the final stages of the initial “big data” land rush and the start of a new, more sustainable gradual development phase for networked information systems where technical, economic, legal, social, market and other factors come together to morph the organization to its new incarnation as an integrated socio-economic-technical information processing system that is fit-for-function to interact with other such organized systems in tomorrow’s distributed and interdependent networks of information interaction/supply chains. This is an accelerated late stage of the general business organization de-centralization trends of the past hundred years - from the vertical integration of business in the prior century, to “just in time” manufacturing and delivery in more recent supply chains, to outsourcing, to cloud services, and to emerging B2B/P2P relationships. As a consequence of these trends, “Perimeter 2.0” of distributed enterprise information architectures will be a soft edge that is defined more by the measured reliability gradients of trusted interactions (promoted by contractual incentives, penalties, and enforceable relationships) and less by building higher technical walls in a Sisyphus-like effort to corral data. PBC and PAI strategies are based on familiar business goals that, when hitched to the horsepower of unmet “privacy” and “data security” expectations, can yield practical strategies for established businesses (even in highly regulated sectors) to enhance ROI. The integration of privacy and data security in the broader context of business information system integrity can help balance and meld both individual interests and business goals in the rapidly expanding, and still unsettled, “distributed interactions zone” of today’s and tomorrow’s supply chains and markets.

Privacy and Data Security Are Related

Enterprise nimbleness on privacy issues is enhanced when “privacy” issues are viewed and addressed in the larger context of the huge changes taking place in the areas of data system security/integrity and business relationship management at all levels of the organization. These changes are painful for everyone, and the shared pain presents a time of great opportunity. The pain is already there, but businesses and individuals are only starting to realize the opportunities discussed in this report.


Privacy is one piece of the puzzle. It is interrelated with security and data management. But security and data management encompass a much larger information pool. As a result, security typically gets the attention (and the budget) in an enterprise. Privacy initiatives at a company that are integrated into those being driven by security can take advantage of those resources to help promote good privacy practices. Most organizations are engaged in a constant triage of scarce operating resources and don’t focus on “privacy” until they (or a close competitor) experience a breach. That is also the time when they learn (along with their shareholders and other stakeholders) - after the fact - that an ounce of prevention is worth a pound of cure. The integration of privacy with security is already being pursued as best practice among leading privacy officers who recognize that integration of privacy operations with security practices can help the enterprise to know what data it has and where it is – an important first step to an effective implementation. If the security and data management pieces are mature, it is much easier to implement a viable, cost-saving and rights-enhancing privacy program. Once built, maintaining a privacy program (including such elements as internal policy, website privacy statement, Privacy Impact Assessments (PIAs), tools, guidelines, awareness, training, transfer mechanism, audit, evergreen practices and an incident response plan) is not nearly as costly in terms of money and personnel as bolting on privacy as an afterthought.

Shared Interests Support Common Goals

Businesses and people care about information leaks, whether they call it security, privacy or operating risk. This shared concern is a foundation of many PBC/PAI strategies described in the Recommendations section of this report. The control of information system “leakiness” requires attention to operational factors at an organization. At TechVision Research we believe that “operational privacy” should be introduced as a term for making an information system measurable and accountable. As data and information value continues to expand its presence in a variety of products and services, future markets will likely reward higher levels of “operational privacy” that reflect superior information system operating integrity. Businesses can start preparing themselves today, using PBC and PAI as a call to action.


Negative Risk Can Feed Positive “Entrepreneurial Risk” and Business Opportunity

Privacy considerations are part of a larger pattern of change due to the perceived and actual risks of broad dependency on distributed information and interaction networks. Those perceptions and realities can motivate positive institutional operational and organizational changes. Businesses operate in a distributed, yet interconnected world and they need accurate information to survive. The distributed information networks in which they now operate present new and unknown risks to the business. Business anxiety is heightened, since each enterprise is flying blind due to a lack of relevant metrics for gauging new distributed interaction risks. The fear is compounded by the awareness that a lack of decision creates even greater risks, from loss of market share to a loss of relevance and disintermediation. Neither the risk reflex of standing still, nor joining the herd, will be rewarded in markets, shareholder meetings or quarterly reviews – and business leaders still continually struggle to identify viable strategies and options. The exponential rate of change, and its associated risks, also presents entrepreneurial opportunity for those businesses that can help their employees, customers and partners whose operational privacy expectations are not being met because of the disconnect between law and technology. Businesses that are first movers with efficient and effective strategies in their respective markets, jurisdictions and sectors will drive business and enhance the customer experience, while delivering value for their stakeholders. An example of this is seen in cases where institutional enthusiasm for “re-intermediation” as gatekeepers through blockchain-based systems positions the business to deliver on future promises to its customers. In times of rapid change, “privacy” can be more than just a compliance requirement - it can be a business opportunity:

Privacy is challenging because of the Internet’s global nature and our current disharmonious and dynamic regulatory environment

There are cultural and social differences and experiences that impact the ability to create a standard "global" approach to privacy

Up to this point, almost all businesses view privacy as a legal/compliance issue and therefore a cost center. This is reinforced by both the high percentage of lawyers occupying the Chief Privacy Officer (CPO) position and the lack of measured ROI associated with compliance costs

The current narrow perspective of privacy obscures the potential business opportunities

For “privacy” to be seen as a revenue-generating enhancement for the enterprise, it must be integrated with other viable business initiatives


This report outlines a means to convert privacy risk to business opportunity. It offers a checklist of business goals, each of which can simultaneously further the goals of the enterprise, the CPO and other members of the C Suite, program and project managers, employees, shareholders, customers, regulators and the general public. Fundamentally, we offer a way the business and its stakeholders may do well by doing good. PBC offers an invitation for businesses to shake off the structural and operational complacency engendered by legal lag, and to consider the potential benefits of positive engagement with the organizational and operational elements of the business that potentially affect the privacy of individuals. PBC outlines “win-win” scenarios for organizational and individual stakeholders.

Privacy Beyond Compliance Details

As discussed above, privacy is a challenge for all organizations. When TechVision Research meets with clients to implement a PBC/PAI strategy, the following sorts of questions typically come up:

Privacy beyond compliance? - How can the concept of “privacy” have any business relevance beyond compliance with applicable law?

What can PBC possibly mean to our organization?

How can my company improve its ROI on existing privacy expenses?

How is a company supposed to know what “privacy” is, and what “data security” is, beyond the specific compliance duties established by law?

Our business is improved or built on collecting data that is legally collected, but used in ways that people might not fully understand. Won’t PBC hurt our bottom line, and if so, why should I even read this document?

Isn’t the term, “privacy” defined by law? If it is, then how can there be a concept of “privacy” for businesses to apply beyond compliance with assigned legal duties?

Aren’t we already spending enough on privacy compliance? How could my business justify spending the resources on privacy as investment? Why would we want to do so when there are so many other traditional business investments that we might make? How could we justify it to shareholders?

This report introduces the concept of “Privacy Beyond Compliance” (PBC) and Privacy as Investment (PAI) to address these questions. PAI and PBC are defined, respectively, by two practical questions for businesses:

1) How can companies maximize their overall economic return on their sunk costs of legal compliance under mandatory privacy and data security regulations? (PAI)

2) When, if ever, is there economic justification for business to spend more on “privacy” and data security than is minimally required for legal compliance? (PBC)


Privacy Beyond Compliance is a new strategic awareness for businesses about how privacy and data security costs can also fund investments in revenue-producing and cost-saving operations and initiatives. PBC defines how linking privacy and information system security will reveal new opportunities for business improvement. The migration of privacy and data security from being a “cost center” to being revenue enhancing is a logical result of the increasing value proposition associated with information system integrity as a risk-mitigating factor in business. As business is more dependent on networked information, information system integrity takes center stage in business organization and operations. The examples set forth in the Recommendations of this report were all derived from real-world commercial settings. All of these justifications for expenditure are of the type that, if thoughtfully pursued and properly documented, will be well received in the boardroom, the auditor’s office, and at a shareholders’ meeting. Taking this PBC/PAI approach identifies that subset of potential “privacy” activities that are available to a business that can stand on their own merit in commercial contexts, beyond forced compliance actions and expenditures. Companies that pursue these opportunities will help to create more commercially sustainable systems of interaction, enabling privacy innovation as part of responsible commercial operation.

The Problem with “Privacy Within Compliance” - What Gets Measured (is all that) Gets Done

Before discussing privacy beyond compliance, it is helpful to consider its mirror image — privacy within compliance. Privacy laws and regulations across the globe impose liability on businesses for compliance failures, with varying effectiveness, impacts and severity. In addition to direct liability for compliance lapses, privacy and data security failures lead to stock price reductions, negative brand impacts, expensive remediation measures and other business costs. The passage of privacy laws and regulations reflects a noble goal of protecting individual interests in society, but privacy laws and regulations have a problem of space and time – they are not global and they are out-of-date even before they are enacted.


The problem of “space” arises because privacy laws vary from one country/regional jurisdiction to another, reflecting cultural, economic, and philosophical differences about the relationship between the individual and society.6 The Internet and modern networked IT systems are not constrained by borders for technical reasons, but by conflicting policies imposed by various sovereign governments. Dealing with this patchwork of different laws is risky and very costly, and the risks are compounded for businesses with international operations. The problem of “time” is far greater than the problem of “space.” Universally, privacy and data security laws are out-of-date and ambiguous when applied in a distributed, networked information world. The performance metrics that are frequently applied to gauge legal compliance failures typically reflect aspirations toward decades-old “best practices” and attention to harms characterized in earlier periods. How can laws composed to protect the interests of people and organizations in a pre-Internet, paper-based, non-networked, centralized-institutional world be expected to be fit-for-function today? They cannot. Businesses are continually forced to navigate between yesterday’s laws and today’s market pressures. Unfortunately, the law is the law, and businesses have little choice but to comply.7 Everyone knows that there is a “gap” between the laws and the technology, with the “rules” lagging way behind the technology “tools,” but there is little current agreement about how to address it. Given these limitations, law itself becomes a source of risk for business. In an effort to maximize value and minimize cost, businesses tend to try to stay close to the compliance rules - consistent with their basic function and institutional “programming” to generate net income for shareholders.
Toeing the line of stable (albeit archaic) laws is broadly viewed as “good business practice,” even if it does little to promote the original noble goals of protecting individuals and businesses in a balanced way. This approach, while understandable from a business perspective, does not stimulate innovation in the world of privacy or in the future data and identity rights management markets. Surprisingly, it also does little to help businesses actively manage the mandatory costs of privacy and data security. When viewed from a global, Internet-wide perspective, privacy within compliance is not living up to its promise. If privacy laws and regulations are not fit-for-purpose to protect individuals in a global networked world, privacy beyond compliance will be necessary to achieve human goals. This is not just a privacy compliance issue. It is sometimes better business practice to positively engage with compulsory laws and regulations than to just passively react. Just as a company might do with other business law compliance challenges, businesses can improve their compliance performance and compliance cost profiles with intentional and directed planning. In this way, PBC/PAI is like business tax analysis – it is not just a matter of filling out the compliance forms. Instead, the costs of compliance create incentives to maximize the business benefit of every compliance dollar spent. PBC and PAI invite enterprises to explore ways to commercially embrace privacy and data security as positive business strategies.

PBC Bridges the Gap of Company Rights and Individual Rights

As noted in the introduction, individuals have privacy rights, and companies and other organizations do not. Companies and other organizations may have concerns that are similar to privacy harms, but they are not privacy harms. For example, companies seek to protect confidential information (similar to the privacy tort of “intrusion on seclusion”), preserve proprietary rights in intellectual property (similar to the privacy tort of “misappropriation”), and have concerns about brand (similar to privacy protection against harms to reputation from libel and slander). Organizations may even rely on security mechanisms (such as passwords) similar to those used to assure privacy for individuals in other domains, but still these various institutional harms are not “privacy” harms, and company “rights” are not “privacy” rights. Organizational “privacy” issues represent only a set of duties, obligations, costs, challenges, and potential liabilities, but not rights. The end result is that individuals benefit from privacy rights, while companies are merely burdened by the duties that breathe life into those rights. This has the effect that most companies just want to minimize the risk and cost of compliance with privacy rules, and to get on with business. Minimizing costs, including compliance costs associated with privacy regulation, enhances profit. All of this has the result that most companies sincerely seek to comply with applicable law and regulation, with the tacit understanding that those rules were established by lawmakers to provide adequate levels of privacy; but the companies are not motivated or incentivized to do more than the minimum necessary for compliance. Privacy and data security are broadly viewed by commercial entities as compulsory expenses to be minimized. This is hardly a recipe for commercial innovation in privacy. The management of most organizations (who are individuals themselves) are certainly not opposed to helping individuals enjoy the benefits of their respective privacy rights, but that goal is typically just incidental to their organizational mission as reflected in their organizational articles, bylaws and contracts, i.e., to generate a profit from operations. PBC/PAI can be a bridge. It can help to attract the positive engagement of businesses in ways that advance both commercial interests and individual rights. The increasing overlap of the information risk profiles being faced by both institutions and individuals with their ever-greater adoption of and shared dependence on distributed information network systems has better aligned individual and organizational data risk profiles and information protection interests. Networked information systems have effectively leveled the power and efficacy playing field among people and institutions. Never before have institutions and individuals shared so many of the same information network integrity challenges. It is akin to the shared perception of risks of electrical blackouts or integrity failures in other networked systems upon which both organizations and individuals rely, even if they do so in different ways. There are additional reasons why institutional and individual interests are aligning – institutions are populated and powered by people. While the concept of PBC/PAI as introduced in this report may initially seem to some readers to be based too heavily on “privacy” when viewed from a commercial perspective, that approach is intentional. As individuals, we all share an interest in the accomplishment of privacy-related goals. As employees during the workday, we take on additional employer interests, but that does not erase our individual interests.
PBC offers an opportunity for the pursuit of information operations that simultaneously further both individual interests and commercial interests. PBC/PAI can help bridge the ethical, normative (and existential) divide in employees as Homo sapiens versus Homo economicus. The practical intention of this report’s focus on business considerations is to create a “win-win” for both companies and the individuals with which they interact without resort to ethical, normative or corporate social responsibility motivations. Those PBC strategies that can be independently justified in the boardroom, the budget process and the general ledger are more commercially sustainable than those that depend on non-economic justifications. This report suggests that when one or more of the situations described in the checklist in the Recommendations section of this report are present, PBC/PAI can be independently justified on economic grounds. The commercial focus of PBC and PAI does not undermine privacy, but instead is intended to speed its realization as an independent business consideration in commercial decision-making. If policy makers want to help pollinate more sustainable solutions to privacy challenges, they will attract more commercial bees with PBC/PAI “honey” than with regulatory “vinegar.” PBC and PAI can foster enhanced privacy in society. This report identifies the ways in which “privacy” can mean more to a company than just cost, hassle, and potential liability. This report provides a checklist that is part of a methodology being developed by TechVision Research to quantify these benefits as a means of evaluating investments in “privacy” beyond the bare minimum necessary for legal compliance. This is particularly important for the future innovation in privacy and security, since the applicable government laws and regulations increasingly show their age and detachment from current ICT practices and capabilities and are not able to innovate with sufficient speed or scope to balance individual and organizational interests, particularly in international contexts. PBC/PAI is a virtual laboratory for sensible and sustainable network policy creation. PBC/PAI is not the entire future story of privacy, but it is poised to be a stronger facilitator of the achievement of privacy as individual and organizational concerns merge regarding information integrity.

Integrating Privacy and Data Security in “Data Integrity”

When businesses are considering PBC and PAI goals, it is helpful to make explicit the connections between mandatory privacy compliance and independent business considerations and goals. Even in those situations where, for budgetary reasons, a business is interested only in the cost savings and efficiencies of PAI (leveraging compulsory privacy costs) and not PBC (making new investments beyond those required by law), companies still want to maximize their leverage from every dollar spent, and to avoid unnecessary costs. When those businesses are dealing with their regulators, they typically prefer to engage internally in audits of systems and operating performance under such mandatory regulations so that they can correct any deficiencies that they discover without experiencing a negative reaction from markets or outside regulators. In those settings, PAI provides a unique opportunity for businesses to leverage their mandated compliance behaviors and the resulting compulsory regulatory self-audits into expanded internal system integrity reviews. For example, where businesses have a pre-existing obligation to conform to privacy/data security compliance standards (such as under GLBA,8 HIPAA,9 EU data laws, etc.), they will already be engaged internally in some levels of systems training, auditing, operations, etc. This existing attention and focus creates an opportunity for the company to also engage in a broader internal audit of related information systems for PBC/PAI purposes. The needed elements are already assembled for regulatory compliance, making it the best time to leverage PAI opportunities. Part of the power of PBC/PAI is that it frames a process for organizations to identify and help develop existing incentives for people and institutions in all of their company roles to help drive privacy-enhancing actions within the natural patterns of business and commercial behaviors, including performing regulatory compliance. This aligns the interests of the organizations and their individual stakeholders, as customers, individuals, and community members.

Does “PBC” = Costs Beyond Justification?

Whether legal duties are contractual or regulatory in origin, there is no benefit from the perspective of either compliance or accounting to a company that spends more than is minimally necessary to fulfill those legal duties. Shareholders view such spendthrift behavior by corporate officers and managers as inefficient and wasteful of corporate resources. You will never hear of a public company adding extra payments to its compelled costs such as its tax bill, or paying additional government franchise, royalty or license fees. Companies are not rewarded by markets for internalizing or front-loading more costs than their competitors to produce a similar product or service. Companies don’t frequently brag about having higher operating costs or “cost of goods sold.” In fact, it is usually seen as a competitive disadvantage for a company to spend more than its competitors to achieve the same compliance result.


Privacy beyond compliance is built on the need for businesses to have rational economic justifications for additional privacy-based expenditures. At the core of PBC is the need for effective privacy programs to have clear business benefits beyond the compliance prerequisites. PBC provides a high-level roadmap and framework to help our clients navigate this uncharted territory. There will be several subsequent reports with supporting tools and details to help organizations implement better, more focused and integrated privacy and information system integrity programs. We will also look to cover the “grey areas” of benefits that are harder to quantify, such as brand value. In these contexts, our clients will need to make value judgments in their unique business operating settings to weigh their PBC and PAI options and to determine if, for example, providing enhanced privacy for customers will positively impact customer perception of their respective companies, and increase customer loyalty and revenue. These and similar determinations are challenging and will also be a function of how this privacy-related positioning ties in with each business’s particular corporate values, operating environment, history, and strategies. The PBC/PAI checklist identifies different economic motivations for companies to internalize costs toward operations that have a positive “privacy”-related impact, and might be broadly attractive to business organizations. The checklist is drawn from real-world business settings. The PBC/PAI checklist in the Recommendations section reveals how the answers to the key questions posed above have strategic, tactical, organizational, operating, accounting, and bottom-line implications for the business. We feel strongly that companies that ignore PBC/PAI are leaving money on the table. Companies that follow PBC/PAI can “do well by doing good” and will also enjoy more robust value propositions in tomorrow’s transparent supply chains and marketplaces.
While this report focuses primarily on longer-term planning, the PBC/PAI strategies are grounded in enhancing short-term profit results, and the recognition that nearly all companies seek to minimize the costs of compliance with their legal duties. PBC provides cost-effective pathways to system reliability, not charity; an economically sustainable reliability that benefits all stakeholders.


PBC is not just for Business

Some of the PBC/PAI goals listed in the checklist will also be of interest to governmental and NGO entities, particularly to the extent that they share some of the budgeting and operations concerns of commercial entities.

The PBC/PAI Checklist

Goal Category A: PBC for market and competition-driven goals

GOAL 1 - PBC Enables Competitive Brand Differentiation
GOAL 2 - PBC Enhances Trust in Products And Company Reputation
GOAL 3 - PBC As “Jumping On The Bandwagon” Defensive Business Strategy
GOAL 4 - PBC As Business Community Norm
GOAL 5 - PBC As “Localization” To Reflect Customer Community Norms
GOAL 6 - PBC As A “Loss Leader” To Attract Customers
GOAL 7 - PBC As Brand Restoration
GOAL 8 - PBC-Based Operations Reflect Well On Product Or Service Quality
GOAL 9 - PBC Can Help Catch Traffic Of The “Privacy Social Movement”
GOAL 10 - PBC As “Capacity” Mining

Goal Category B: Internal Operations Factors

GOAL 11 - PBC Exposes Information Leaks
GOAL 12 - PBC Support for BYOD Challenges
GOAL 13 - PBC As Strategy To Reduce Investment Tax Costs
GOAL 14 - PBC As Uniform Corporate Response To Branch Compliance Constraints
GOAL 15 - PBC To Protect Trade Secrets And Confidentiality
GOAL 16 - PBC To Lower Data Storage Costs
GOAL 17 - Post-M&A: PBC Integration Opportunity
GOAL 18 - PBC Synergy with HRO Operations
GOAL 19 - PBC and Insurance – Risk Sharing, Risk Timing and Premiums
GOAL 20 - PBC Support for Lending Criteria and/or Lowering Borrowing Costs
GOAL 21 - PBC To Leverage Sunk Costs Of Employee Privacy
GOAL 22 - PBC To Reduce Risk Planning Costs

Goal Category C: External Factors (Other than Market and Competitive Factors)

GOAL 23 - PBC As Response To Customer Demand – “Privacy As A Product” in B2C transactions
GOAL 24 - PBC Requirement Imposed by B2B Customer Standard Form Contracts
GOAL 25 - PBC Required By B2B Seller/Supplier Standard Form Contracts
GOAL 26 - PBC As Artifact Of 3rd Party Network Participation
GOAL 27 - PBC As Shared Compliance Burden Creating Pressure On Competitors To Create Standards
GOAL 28 - PBC Investment To Help Reduce Later Regulatory Fines
GOAL 29 - PBC To Avoid Data “Chain Of Title” Potential Liability


About TechVision

World-class research requires world-class consulting analysts, and our team provides just that. Our research leverages our team’s in-depth knowledge, as well as their real world consulting experience. Gaining value from research also means having access to research. We know major technology initiatives involve many different skill sets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. All TechVision Research licenses are “enterprise licenses”; this means everyone that needs access to content can have access to content. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective. TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This expertise provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and provides a basis for more informed decisions. We also support vendors in areas such as product or strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis. TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.

1 GLB is the Gramm-Leach-Bliley Act, 15 U.S.C. Section 6801, et seq., https://www.law.cornell.edu/uscode/text/15/chapter-94. The law applies to financial data.

2 HIPAA is the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191. The law applies to health care data.

3 FERPA is the Family Educational Rights and Privacy Act, 20 U.S.C. Sec. 1232g, 34 C.F.R. 99. The law applies to the privacy of student educational records.

4 A listing of US State data breach notice laws can be found at the National Conference of State Legislatures site at http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx#1

5 Current information and links to EU data protection rules can be found at the European Commission website at http://ec.europa.eu/justice/data-protection/reform/index_en.htm

6 See the OECD paper entitled “At a Crossroads: ‘Personhood’ and Digital Identity in the Information Society” at https://www.oecd.org/sti/ieconomy/40204773.doc, which suggests a fundamental philosophical division between a Hegel-derived European perspective on identity and U.S.-based notions of identity based on the writings of John Locke. That schism places the “safe harbor/privacy shield” data discussions between the U.S. and the EU in a new light, and raises the question of whether tomorrow’s global data and identity-based “big data” markets will be philosophy-as-commodity markets by another name. Will we see the recruitment by conceptual arbitrageurs trading in those markets of advisers plucked from the philosophy faculty at universities to offer insights into cultural-bias-based data derivatives products? Time will tell.

7 Fair Information Practice Principles (FIPPs) that inform many current laws were drawn from 1970s-era, post-Watergate civil rights scenarios, and suffer from this anachronism. Their continuing popularity reflects the momentum of precedent, and a lack of consideration of their eroding efficacy in an era of big data, information, and rapid interactions.

8 See note 1 above.

9 See note 2 above.