Which of these two recent trends disturbs you the most?
With the recent breach announcement from Marriott, you could almost predict the fallout. First, the news outlets all jumped in to report the story and highlight what you should do if you may have been impacted, or basically restate what was already stated in the Marriott press release or make hypothetical predictions about the attack. Second, every security vendor immediately released social tweets, blogs, and press about how their app/software/hardware/expertise could have prevented this breach from happening. Third, every non-security person with an opinion weighed in – I like to call this group the gluten-free, organic, low sodium, nut-free peanut gallery. I had a good friend who loved using this quote from Mark Twain:
“It is better to keep your mouth closed and let people think you are a fool than to open it and remove all doubt.”
– Mark Twain
I cannot help but think of this quote whenever I read comments from the peanut gallery. But to get back to my point, there seems to be much more attention and focus on breaches of data compared to the recent breaches of trust. And I wonder – is this a good thing?
The Impact of Breaches of Data
For organizations that suffer a breach, the repercussions can be costly. In the recent Global State of Online Digital Trust Report, Frost & Sullivan found that 48 percent of consumers will stop using a service after a breach is reported. Additionally, almost every organization that had been involved in a publicly disclosed data breach shared that the breach had “long-term negative impact to their revenues and to consumer trust.” Zig Ziglar said that “if people trust you, they will do business with you.” Trust is even more critical to online business because Frost & Sullivan found that consumers “with the highest levels of digital trust increased their net spending online significantly more compared to those with the lowest.” The bottom line is that data breaches lower a consumer’s digital trust in an organization, and this has negative impacts to revenue. But what about the other breaches of trust that we have seen recently?
Breaches of Trust
Another alarming trend, although it does not seem to get the same level of exposure, is selling personal data for profit – which is, admittedly, a breach of trust. Facebook has been the poster child for this new trend because they were caught selling personal data, and more recently because it was discovered that there were discussions to further profit on collected data. Google, Apple, cell carriers, and more recently, the Weather Channel have all come under fire for how they are handling, or potentially mishandling, personal data they are collecting. However, this trend is more widespread than you think. Frost & Sullivan found that “43% of business leaders indicated that they sell personally identifiable customer data to other organizations.”
Many argued that this practice was being done legally because this was clearly spelled out to users within their online terms and conditions agreements – you know, those pesky legal disclaimers that are written in tiny font and written in a language that only an attorney could decipher; the ones we all click through as fast as possible so we can actually use the app or service. Yes, this is where most organizations are telling us that they are going to treat our personal data like a commodity on the open market. It’s like shaking on a deal with one hand, while you have your fingers crossed on your other hand behind your back (the universal sign that you plan to renege on your deal). One bright piece of news on this front is that the European Union is looking closely at these agreements as “they could be interpreted as forced consent by the General Data Protection Regulation (GDPR).”
Most studies are focused on the impact of data breaches, but few examine the impact of breaches in trust. Does the public view these equally or not? Which is worse – to accidentally lose data because your organization was targeted, or to purposely sell that data to third parties for profit? In my mind, there is no contest – one is clearly worse than the other. To use a legal analogy, breaches of data compared to breaches of trust are like manslaughter compared to murder; it all comes down to intent. And as such, the public scrutiny, penalties, and fines should be much harsher for one versus the other. What do you think?