In privacy circles, a mostly forgotten incident from the end of the dot-com euphoria aptly illustrates the lack of regard most companies have toward protecting personal data, even if they make a point of promising to do so.
With the Web surging with an enormous amount of commercial activity and sensitive information, the FTC had recently beefed up its Internet consumer-protection efforts. Commission regulators decided that Toysmart’s blatant disdain for its own privacy oath was just too contemptuous to be ignored. Backed by 44 state attorneys general, the FTC sued to block the Toysmart data auction, arguing that it constituted a “deceptive practice.” In early 2001, an agreement was forged under which a Toysmart investor, the Walt Disney Co., would buy the company’s customer data for $50,000 and then promptly destroy it.
“The Toysmart case and others like it—among them Living.com and CraftShop.com—proves what some of us have suspected all along: Many companies don’t really believe privacy is something to protect when there’s money to be made from confidential data, or when safeguarding sensitive data gets in the way of making money,” says Luis Salazar, an attorney in the privacy practice group at Miami-based law firm Greenberg Traurig LLP. Last year, at the request of Senator Patrick Leahy (D-Vt.), Salazar authored a provision for a new bankruptcy law that makes it illegal for insolvent companies to sell personally identifiable information if their privacy policies forbade such activities.
These findings, while disturbing, should not be particularly surprising when measured against the number of high- and low-profile data breaches that have occurred in the past two years. The Privacy Rights Clearinghouse, based in San Diego, has been keeping a running total of the leaks of sensitive information, such as Social Security numbers, account numbers, and driver’s license numbers, by companies and government agencies since data aggregator ChoicePoint Inc. sold 145,000 consumer files to identity thieves in February 2005. Scores of incidents are chronicled, as many as three dozen a month, some involving global brands such as Toyota Motor Corp., Chevron Corp., Allstate Corp. and Equifax Inc. In all, more than 90 million records containing confidential information about individuals—in large part, consumers, patients and employees—have been stolen from U.S. organizations in the past 18 months.
The pattern that emerges is not pretty. Most companies claim that privacy is a priority—chiefly because they believe consumers are more willing to do repeat business with them if personal information is carefully handled. But in reality, many companies are woefully inept at protecting privacy. Some companies view robust data protection as too expensive to consider seriously, so half-hearted steps are taken instead. Others see the penalty for data breaches and privacy failures as too low to generate much concern. In many instances, management of privacy policies is handed off to chief privacy officers who report to the corporate lawyers, not a C-level executive, and whose main responsibility is to make sure the company’s data policies are in line with government regulations and industry benchmarks. In other words, privacy is regarded as a risk that must be mitigated, not a strategic imperative.
“It’s only been recently, as privacy breaches occur and make the headlines, that it’s becoming obvious to everybody that companies haven’t been doing a good enough job,” says Alex Fowler, co-leader of the privacy practice at PricewaterhouseCoopers. “As time goes by, we’ll get an even clearer picture of the data-handling practices of companies. My guess is we’re not going to like what we find out.”