“The times are tough now, just getting tougher  - This old world is rough, it’s just getting rougher - Cover me, come on baby, cover me” – Bruce Springsteen 1984

Businesses work very hard to build their brand.  Small businesses are no different.  Establishing trust and loyalty among the customer base is essential to the longevity of any business.  Many companies focus on marketing and sales relationships to ensure that the connection between customer and company continues to grow.  Social media, direct mailings, radio and TV advertising, print advertising, and data security and privacy policies all contribute to the growth of brand trust.  Wait a minute!  Did I say data security and privacy policies?  You betcha!  This is what I like to refer to as “brand security.”  Businesses spend an inordinate amount of time and money on establishing a brand that customers trust.  One of the fastest ways to lose that trust is to suffer a data security breach or to violate customer privacy.  For that reason, I often refer to data security and privacy programs as “brand cover.”

I’m going to borrow heavily, and probably poorly, from law enforcement and military actions here.  When you go into action, you generally have a forward team and then you have a team that provides “cover.”  This team keeps an eye out for threats that may not be visible or apparent to the forward team but that pose significant risk.  In the business world, one can think of your sales and marketing efforts as the forward team, while data security and privacy programs provide the cover.  Your marketing and sales efforts move the company forward and increase awareness.  Your data security and privacy programs help to mitigate unseen, and sometimes unknown, risks to your brand’s integrity.  In fact, some larger organizations, particularly not-for-profits, are more concerned about brand damage in the event of a security or privacy compromise than they are about the fines that may accompany it.

For small businesses, implementing and enforcing data security and privacy policies can seem daunting.  The Better Business Bureau, though, has put together a primer for businesses to help them develop these programs.  If you accept debit and credit card transactions, you can look for services that minimize how much of that sensitive payment data your business stores itself.  You can also undertake an inventory to see just what data you are collecting and storing, where it lives, and how you are protecting it.  You can also evaluate the partners that you use and how you share data with them.  Understanding your data can ultimately serve as a very effective means of protecting your company, your brand, and your customers.
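As an added illustration of the inventory step (this is example code written for this page, not something from the ProPay post or the BBB primer), the Python script below scans a handful of constructed sample files for stored card numbers.  It pulls out digit runs of card-number length, keeps only those that pass the Luhn check digit test, and reports each hit masked to the first six and last four digits so the report itself does not become another copy of the data.  The file names and contents are made up for the example; the card numbers are publicly known test PANs, and the config file deliberately contains a sixteen-digit value that fails Luhn so you can see a false positive being discarded.

```python
import re
from typing import Dict, List

# Constructed sample files standing in for what a small business might have on
# disk: an order export, a support log and a config file. The strings are made
# up for this example; the card numbers are publicly known test PANs, not real
# accounts, and app.cfg holds a number that looks like a PAN but fails Luhn.
SAMPLE_FILES: Dict[str, str] = {
    "orders_2011.csv": (
        "order_id,customer,card\n"
        "1001,Alice,4111111111111111\n"
        "1002,Bob,tok_8f3a9c\n"  # a payment token, not a PAN
    ),
    "support.log": "ticket 55: customer read card 5500 0000 0000 0004 over the phone\n",
    "app.cfg": "invoice_number=4111111111111112\nbuild=20110915\n",
}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit strings in text that look like card numbers and pass Luhn."""
    pans = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so a finding can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inventory(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file name to the masked PANs found in it; files with none are omitted."""
    report = {}
    for name, content in files.items():
        pans = find_pans(content)
        if pans:
            report[name] = [mask_pan(p) for p in pans]
    return report


if __name__ == "__main__":
    for name, pans in inventory(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(pans)}")
```

Run against the sample data it flags the order export and the support log but not the config file.  In practice you would point `inventory` at real directories, mail stores and database dumps; the Luhn filter cuts the noise from invoice and build numbers, but a hit still needs a human to confirm it, and every confirmed hit is a place where the data should be tokenized, truncated or deleted rather than left in place.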

It is questionable if all the mechanical inventions yet made have lightened the day’s toil of any human being.  - John Stuart Mill

Last year, California was in the news as a result of an interpretation of a long-standing law, written and passed before the advent of the internet or ecommerce, that limited the amount of data that could be collected by retailers in order to complete a purchase.  The law, Civil Code § 1747.08 (a), expressly forbids retailers from doing the following:

(1) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.
(2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.
(3) Utilize, in any credit card transaction, a credit card form which contains pre-printed spaces specifically designated for filling in any personal identification information of the cardholder.
Essentially, if the information isn’t required for the fulfillment of the order itself, the retailer is prohibited from collecting the data.  This came to the forefront last year when the California Supreme Court ruled that collecting zip codes for Address Verification Service (AVS) was a violation of the 1971 law.  This year, the California Supreme Court is tackling the law again, this time to determine if the law does, in fact, apply to online retailers.  Retailers are concerned, understandably, that limiting the amount of information that can be collected may increase their exposure to credit card fraud.  This sets up a battle between privacy advocates and retailers that will likely set the stage for many more challenges to come.  Stay tuned to the ProPay Blog for updates on the case…

On this blog, we have discussed, almost ad nauseam, data breaches: how they happen, how they can be avoided, and what to do if your business is impacted.  What we haven’t discussed much is that most merchants, particularly in the SMB segment, are also consumers.  So what rights do consumers have when their data has been compromised?  The Privacy Rights Clearinghouse has been producing a six-part video series on important privacy topics.  This week, the organization released Part 4: Data Breaches: Know Your Rights.

The video walks viewers through an incident in which a consumer is notified that his data has been compromised.  It discusses what questions you should ask and what steps you might take to protect yourself.  As an example, we hear that consumers are often advised to get a “credit freeze” in the wake of a compromise.  But what does that mean and is that really the best option for everyone?

As an additional resource, check out the Fact Sheet also offered by the organization.  Unfortunately, data breaches are going to continue to be common for the foreseeable future, not because organizations aren’t taking appropriate steps to protect the data, but because data thieves are often highly motivated and see hacking as a high-reward, low-risk activity.  That being the case, as consumers, it makes sense that we educate ourselves on how to respond and what rights we have under the various state and federal laws surrounding our financial and personally identifiable information.

As someone who watches with great interest as the great privacy debate unfolds, this article really caught my attention.  The issue in question is the trade-off between online privacy and discounts or special offers.  According to a study by KPMG (Consumers and Convergence V: The Converged Lifestyle survey), a majority of US shoppers would offer up their online activity history in exchange for discounts on goods or even digital content.  Further, 43% of those surveyed would be willing to receive advertising in exchange for lower fees, provided they didn’t have to offer up personal details.

This is an interesting juxtaposition to the privacy hearings that have been occupying the US Congress of late.  Legislators have been greatly concerned with things like smartphone tracking and browsing histories.  It’s interesting to note that the issue may not be that consumers are upset about these activities on the part of merchants, but that they are not currently getting anything out of the bargain.  It is true that organizations should not be tracking consumer behavior, at least individual consumer behavior, without the consent of said individual, but there are benefits to sharing browsing history and shopping behavior, and consumers are recognizing those.  The question becomes: how can one leverage the consumers’ self-interest to help the merchant?

It is important not to lose sight of the fact that consumer notification, awareness and choice remain priorities.  Tracking consumers without letting them know and providing them with the ability to opt out is a major faux pas.  However, providing them some quid pro quo seems to ease many consumer qualms.  What would be interesting to know, though, is the consumer “break-even point.”  In other words, what sort of discount or service is the minimum for sharing their online behaviors?  That is not included in the KPMG survey, and is likely much more difficult to ferret out.

In today’s world, the balance between marketing research and a breach of consumer privacy can be difficult to measure.  For organizations that have questions about managing consumer privacy, there are a number of resources that can be referenced. Included is a short, certainly not exhaustive, list of privacy guidelines.

1) OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

2) Federal Trade Commission Fair Information Practice Principles

3) Generally Accepted Privacy Principles

4) Privacy by Design

Dr. Heather Mark, PhD; SVP of Market Strategy

Those who are familiar with this blog may have heard it said more than once that the United States lags far behind Europe with respect to the protection of consumer information.  The European Union, in fact, has been operating under the penumbra of the European Directive on Data Protection for 15 years.  The EU actually recognizes the protection of personal data as a fundamental human right.  That is a far cry from the legislative activities surrounding data privacy in the United States.  The US has traditionally taken a piecemeal approach to data protection, often leaving the regulation of data privacy and security to the states, and in some cases to individual industries.  Given the political culture of the United States, such an approach is not terribly surprising.  However, the rapid advancement of technology has perhaps been enough to spur the federal legislature into evaluating the lessons of the EU directive to see if, or how, similar regulation might work in the US.

On Friday, Sept 16th, the House Energy & Commerce Committee’s Commerce Subcommittee will be holding hearings on the issue of privacy, and specifically the impact of the EU regulations.  In Rep. Bono-Mack’s published opening comments, she states “The purpose of the Directive is to harmonize differing national legislation on data privacy protections within the European Union, while preventing the flow of personal information to countries that – in the opinion of EU regulators – lack sufficient privacy protections.”  She goes on to discuss the large number of unintended consequences of the regulatory regime.  To be fair, unintended consequences are almost always found in the wake of new legislation, particularly such sweeping legislation as the EU Directive on Data Protection.  It should be noted, though, that with 15 years of implementation history and lessons, the US should be able to draw sufficient parallels without also reaping the same number of “unintended consequences.”

In looking at the purpose of the directive, one can immediately see the attraction of such a regime in the US.  As stated by Rep. Bono-Mack, the purpose is to “harmonize differing … legislation on data privacy…”  In looking at the domestic regulatory landscape surrounding data privacy and protection, it is difficult to conclude that some “harmonizing” would not benefit both businesses and consumers.  As of this writing, more than 45 states have data breach notification laws.  While there are some major commonalities among these laws, there are also significant variations.  There are differing definitions of “personally identifiable information,” “breach,” “trigger,” and other critical terms.  Some states include data security protections in those laws, while others have separate laws for data security, and still others have no laws regarding data protection and security.  The situation becomes even more confusing when one considers the federal legislation impacting privacy and security (FERPA, HIPAA/HITECH, GLBA, SOX, etc.) and industry self-regulating programs.

While there are some concerns that tomorrow’s hearing is too slanted towards industry, ignoring or downplaying the concerns of consumers, I believe that it is a positive step.  Bill McGeveran, professor of law at the University of Minnesota, does bring up an interesting point, though: the different conceptions of data privacy in the US and Europe.  According to McGeveran, Europeans think of privacy as a fundamental human right, while Americans (and particularly American businesses) conceive of privacy as a market force with which they have to deal.  That being said, this author does believe that it is possible to create a European-style privacy directive that accounts for American sensibilities.

Dr. Heather Mark, PhD; SVP of Market Strategy
