Who Owns Customer Information?

A fundamental change is in store:Companies and data aggregators will soon need to make a shift from thinking thatthey are owners of captured personally identifiable information (PII) data to viewingthemselves as custodians of that data. Therefore, companies will have to revisetheir operations and security to avoid adverse business and legal consequences.

Data aggregation is essential formodern business practice. Every organization needs to track contact informationto fulfill its business model.

The law and the force majeure (a clause in contracts that removes liability forunavoidable natural catastrophes) give rights of ownership for data and thestructures of its retention to the aggregator. In other words, the company thatcollects data on its customers currently owns that data and generally values ithighly, since it is the lifeblood of its customer base. Proprietary data alsoincludes designs, specifications and traditional intellectualproperty.

Asthe organizational workflow has become automated?overlaid onto a company?s communicationsactivities and posted to the Internet?operational workflow, embodied by thesoftware, apps and the way of doing business, hasbecome part of this data privacy and security legacy. Companies have battled incourt when salespeople, key personnel or technicalinsiders hop jobs and carry this valuable information with them (illegally) tothe new job.

Though this is a concern, a new riskhas developed in the evolving data privacy and security milieu?one that isreflected in the difference between data ownership and data stewardship.

Even if you are not yet aware of thisissue, you?re likely to have it heaped on your plate within a fewyears. It?s a function of adverse events, the type of business you run and thedensity of the personally identifiable information within your databases. Themore personal details you capture to describe each person in those databases,the more your organization is at risk for legal or public relations exposures.

This data is likely to include acustomer?s personal likes and dislikes. More alarmingly, it is likely toinclude the columns of information not yet included in the safe-harborcategories of PII that can be combined?either internally or with external free,publicor commercial databases?to reveal a person?s identity. See www.ftc.gov/os/comments/privacyreportframework/00191-57181.pdffor background and a technical description of this risk.

Even when operations that use PII seemisolated from the Internet or are fragmented in steps that lack workflowintegration, the infiltration of smartphones, tablets and end-to-endconnectivity for data flow and processes puts the bulk of this information atrisk for exposure. Companies from Heartland, T.J. Maxx, Sony, universitiesand even our government have found themselves explaining that they didn?t meanto be the source of a breach.

This points out the discrepancybetween who actually owns?or should own?the private data and who is just theresponsible steward of the data. Privacy is the same as security,except that security occurs with the ownership role, while privacy emphasizesthe stewardship.

What is the difference between the tworoles? Data ownership means unqualified rights to granular intellectualproperty and PII data. Stewardship, on the other hand, is a standard of carefor tangible fixed, depreciable or amortizable assets that include datarecords, documents, intellectual property and other intangibles.

Richard Santalesa, senior counsel in theInformation Law Group’s East Coast office, reinforces some of these assertionswith his own view of the environment. Primarily, his work relates to securityand privacy issues when they breach explicit or implied contracts.  He says that ?Organizations are simply notkeeping pace with the rate of change,? referring to legal enforcement as wellas technological matters. ?We tend to be reactive rather than proactive.?

ANational Policy of Privacy

Thepush is on for a national policy of privacy by design, a structure foroperational privacy based on current understanding, and the so-called right-to-forgetinformation in databases after some arbitrary elapsed period of time. This pushis represented by a number of Congressional bills for a national data-breachlaw and do-not-track laws.

However, these efforts are dying in committees,suppressed by the efforts of data aggregators that use paid lobbyists. The lackof legislation does not diminish the need for the judiciary to reinterpretthese issues, while making case law and raising the concerns to the forefront.

Although these matters are not coveredby legislation or existing law, privacy proposals from nonlegislative bodiesare altering the environment. While the NationalInstitute of Standards and Technology?s draft recommendations do nothave the force of law in most venues, the Federal Communications Commission andthe Federal Trade Commission are enforcing them as a law of operationalsecurity. Primarily, this consists of pushing the obligation of privacy anddata security to the companies accumulating the PII data.

These commissions are slowly allowingtangible damages in the event of breaches through innovative claims filed byhurt parties. Companies are on notice that they should employ defensibleactions as part of their common law duties. Santalesa also notes a growth inactions for tort damages. This should be a wake-up call for organizations toadapt to this privacy and security evolution proactively, not as an immediatehot button, but rather as an evolving riskfactor.

All U.S. legislative and enforcement efforts lag the activitytaking place in the European Union, primarily in Germany. This points to atrend that will ultimately erode how organizations that profit from dataaggregation (such as data obtained from Web-based sales) can no longer ignorethe fallout from leaks, breaches, thefts and insiderswalking away with privileged data.

While this is not a crisis now, it doesshow a clear trend toward putting the rights of individuals to their own PIIabove the rights of data aggregators. Failure to protect this data will becomea more actionable civil, and potentially even criminal, consequence forcompanies that fail to adapt and take measures to protect losses.

This goes beyond public relationsfiascos and shows that now is the time to consider adapting to the evolvingdata privacy and security milieu in easy steps. Doing this will allow companiesto proactively catch up and ultimately get ahead of therapid changes taking place.

Important touch points include Websiteoperators and online merchants that are exchanging PII obtained under acontract of care that try to sidestep Website limitations and data-retentiontime frames.The relevant point is that breaches cause erosion of customer loyalty,litigation, complications under policies in other countries and adversefindings under torts.

In evolving case law, ownership of PIIis reverting to individuals under the stewardship of the data integrators.Ownership remains in question for the foreseeable future, but the standard ofcare and migration to stewardship is clearly the wave of the future.

Martin Nemzow troubleshoots broken businesses, and was adata security executive consulting with military commands, intelligenceagencies, and prime contractors and integrators. Before that, he was anexecutive at Fortune 500 companies, a consultant and a principal in numeroushigh-tech startups. Martin can be reached at [email protected].