Who’s to blame when data breaches, hackers, or developer mistakes cause harm in the real world? This is a topic we should all be thinking about, before courts and regulators start making up new rules or allocating the costs.
This week the Federal Trade Commission (FTC) hosted an all-day workshop to examine consumer injury when it comes to data privacy and security. The four panels featured speakers from academia, policy, and public interest groups with diverse backgrounds – from data engineering and privacy to law and policy. The panels built upon one another, starting with basic consumer injuries like identity theft, then moving to assessing injury and the differences in business and consumer perspectives, before ending with how to measure harm.
Themes of good data stewardship, consumer trust, and how to best regulate collection and use of consumer data ran throughout.
THE TOP TAKEAWAYS
In the first panel, participants elaborated on how simple consent or anonymization cannot eliminate harm. When data sets are combined, intimate details about a consumer can be easily inferred. This has especially become the case as algorithms are more frequently used to find correlations.
The second panel featured legal and policy participants who were given two hypothetical situations and asked to indicate at which point there was injury. The answer, of course, was “it depends.” Although the panelists' opinions of when harm was incurred varied from the first instance to the last, they generally agreed that harm is difficult to measure – and that it's challenging to reach a consensus on the point at which it occurs.
Several of the third panel participants argued that compliance does not equal data security, nor does lack of compliance equal data loss. One challenge we also see with our members is that larger companies have the resources to implement the strongest security protocols, yet small businesses and startups don't always have that ability.
A critical theme for application developers was consumer and business education on privacy: how much can people absorb, and what happens when information becomes overwhelming. Panelists expressed concerns over consumers becoming desensitized to data breaches, particularly when the event doesn’t impact them directly or they don't fully understand it. When that is the case, the consumer response is often to take no action rather than take measures to make their data more secure.
For businesses, some panelists recommended more transparency on what they do with data. Ultimately, it's the consumer who will make the decision whether the businesses' data practices meet their expectations of trust and stewardship, and whether to use the product or service.
The fourth and final panel went over ways to measure – and cost – injury. What information users provide is mostly determined by context (i.e., did they trust the platform, was it in exchange for a service or product). Most panelists agreed it's difficult to measure at what point the injury took place, especially when there’s no apparent harm.
OUR TAKEAWAY FOR DEVELOPERS
Many of the panelists’ questions and answers were left open for debate, but the concerns surrounding proper data collection, storage, and use are real. Currently there's no industry standard to guide businesses on how to manage data transparency, security, and stewardship. Alliance members and software developers, information engineers, data management professionals, and others working directly with consumer data would benefit from having a set of principles to adhere to and thereby earn trust with consumers. Access to education tools for consumers and businesses alike on what data is shared and when, how to protect personal information, and what companies do with consumer data would help as well; all of this could lead to a better business-consumer relationship.
The Alliance appreciates the FTC hosting these panels to gather expert opinion on consumer data privacy, businesses' role and responsibility in being a good steward, and how to handle breaches and misuses (and understanding the difference). We look forward to being part of this process as decisions are made on regulation and best practices.