Who Owns Customer Information?
A fundamental change is in store: Companies and data aggregators will soon need to make a shift from thinking that they are owners of captured personally identifiable information (PII) data to viewing themselves as custodians of that data. Therefore, companies will have to revise their operations and security to avoid adverse business and legal consequences.
Data aggregation is essential for modern business practice. Every organization needs to track contact information to fulfill its business model.
The law and the force majeure (a clause in contracts that removes liability for unavoidable natural catastrophes) give rights of ownership for data and the structures of its retention to the aggregator. In other words, the company that collects data on its customers currently owns that data and generally values it highly, since it is the lifeblood of its customer base. Proprietary data also includes designs, specifications and traditional intellectual property.
As the organizational workflow has become automated—overlaid onto a company’s communications activities and posted to the Internet—operational workflow, embodied by the software, apps and the way of doing business, has become part of this data privacy and security legacy. Companies have battled in court when salespeople, key personnel or technical insiders hop jobs and carry this valuable information with them (illegally) to the new job.
Though this is a concern, a new risk has developed in the evolving data privacy and security milieu—one that is reflected in the difference between data ownership and data stewardship.
Even if you are not yet aware of this issue, you’re likely to have it heaped on your plate within a few years. It’s a function of adverse events, the type of business you run and the density of the personally identifiable information within your databases. The more personal details you capture to describe each person in those databases, the more your organization is at risk for legal or public relations exposures.
This data is likely to include a customer’s personal likes and dislikes. More alarmingly, it is likely to include the columns of information not yet included in the safe-harbor categories of PII that can be combined—either internally or with external free, public or commercial databases—to reveal a person’s identity. See www.ftc.gov/os/comments/privacyreportframework/00191-57181.pdf for background and a technical description of this risk.
Even when operations that use PII seem isolated from the Internet or are fragmented in steps that lack workflow integration, the infiltration of smartphones, tablets and end-to-end connectivity for data flow and processes puts the bulk of this information at risk for exposure. Companies from Heartland, T.J. Maxx, Sony, universities and even our government have found themselves explaining that they didn’t mean to be the source of a breach.
This points out the discrepancy between who actually owns—or should own—the private data and who is just the responsible steward of the data. Privacy is the same as security, except that security occurs with the ownership role, while privacy emphasizes the stewardship.
What is the difference between the two roles? Data ownership means unqualified rights to granular intellectual property and PII data. Stewardship, on the other hand, is a standard of care for tangible fixed, depreciable or amortizable assets that include data records, documents, intellectual property and other intangibles.
Richard Santalesa, senior counsel in the Information Law Group's East Coast office, reinforces some of these assertions with his own view of the environment. Primarily, his work relates to security and privacy issues when they breach explicit or implied contracts. He says that “Organizations are simply not keeping pace with the rate of change,” referring to legal enforcement as well as technological matters. “We tend to be reactive rather than proactive.”
A National Policy of Privacy
The push is on for a national policy of privacy by design, a structure for operational privacy based on current understanding, and the so-called right-to-forget information in databases after some arbitrary elapsed period of time. This push is represented by a number of Congressional bills for a national data-breach law and do-not-track laws.
However, these efforts are dying in committees, suppressed by the efforts of data aggregators that use paid lobbyists. The lack of legislation does not diminish the need for the judiciary to reinterpret these issues, while making case law and raising the concerns to the forefront.
Although these matters are not covered by legislation or existing law, privacy proposals from nonlegislative bodies are altering the environment. While the National Institute of Standards and Technology’s draft recommendations do not have the force of law in most venues, the Federal Communications Commission and the Federal Trade Commission are enforcing them as a law of operational security. Primarily, this consists of pushing the obligation of privacy and data security to the companies accumulating the PII data.
These commissions are slowly allowing tangible damages in the event of breaches through innovative claims filed by hurt parties. Companies are on notice that they should employ defensible actions as part of their common law duties. Santalesa also notes a growth in actions for tort damages. This should be a wake-up call for organizations to adapt to this privacy and security evolution proactively, not as an immediate hot button, but rather as an evolving risk factor.
All U.S. legislative and enforcement efforts lag the activity taking place in the European Union, primarily in Germany. This points to a trend that will ultimately erode how organizations that profit from data aggregation (such as data obtained from Web-based sales) can no longer ignore the fallout from leaks, breaches, thefts and insiders walking away with privileged data.
While this is not a crisis now, it does show a clear trend toward putting the rights of individuals to their own PII above the rights of data aggregators. Failure to protect this data will become a more actionable civil, and potentially even criminal, consequence for companies that fail to adapt and take measures to protect losses.
This goes beyond public relations fiascos and shows that now is the time to consider adapting to the evolving data privacy and security milieu in easy steps. Doing this will allow companies to proactively catch up and ultimately get ahead of the rapid changes taking place.
Important touch points include Website operators and online merchants that are exchanging PII obtained under a contract of care that try to sidestep Website limitations and data-retention time frames. The relevant point is that breaches cause erosion of customer loyalty, litigation, complications under policies in other countries and adverse findings under torts.
In evolving case law, ownership of PII is reverting to individuals under the stewardship of the data integrators. Ownership remains in question for the foreseeable future, but the standard of care and migration to stewardship is clearly the wave of the future.
Martin Nemzow troubleshoots broken businesses, and was a data security executive consulting with military commands, intelligence agencies, and prime contractors and integrators. Before that, he was an executive at Fortune 500 companies, a consultant and a principal in numerous high-tech startups. Martin can be reached at firstname.lastname@example.org.