In dire economic times such as these, companies are scouring their internal functionalities seeking ways to run "leaner and meaner." Operations and personnel that do not ostensibly contribute to profit are at risk. And nowhere are employees more vulnerable than in New York City, the nation's center for financial services, an industry particularly devastated.
Because the influence of privacy on profit is not immediately apparent, managers searching for excisable fat will doubtless be attracted to the privacy function, concluding that it makes no contribution to the bottom line. But although many view privacy solely as a legal concept, it often provides important commercial benefits. Where privacy does indeed contribute to profit, chopping away at privacy will be counterproductive, slicing off meat and bone, rather than fat. If management is not educated to this fact, the privacy function will be at unnecessary risk.
There are 11 reasons why privacy may benefit the bottom line, which should be raised with management.
Reduced risk of sanctions. The most obvious result of good privacy is that it helps keep the company "out of trouble." Regulatory authorities, domestic and foreign, are increasingly enforcing privacy laws. The Federal Trade Commission, the state attorneys general, the data protection authorities of the European Union and other regulators are seeking out privacy violations at an increasingly energetic pace.
The adverse ramifications of alleged violations include counsel fees and a major diversion of management and other employee effort, even if the organization is ultimately exonerated.
In the event a violation is found, monetary sanctions may run as high as $1 million or more. And some sanctions require a costly modification of practices (even though it might not have been costly if adopted initially).
In the United States and some other nations, disclosure[FOOTNOTE 1] of a major data security breach will likely result in private litigation, including class actions, greatly increasing the level of counsel fees and potential damages. And even if the company is successful in its defense, the mere governmental, or even private, allegation of impropriety will have an adverse effect on some existing and prospective customers, as discussed below in connection with customer churn and damage to brands.
Reduced risk of damage from contractor malfeasance. A company may be responsible for the privacy of personal information it controls that is in the possession of its contractors. But when the economy dives, the likelihood increases that contractors will not treat the data appropriately. In an attempt to save money, contractors may cut corners on security, or in extreme cases may even hold data hostage to force the company to make payments not contractually required.
A company that adheres to privacy requirements will likely have a contractual right to audit, and will audit, so as to detect privacy-diminishing cost-cutting. And that company will have in place measures to ameliorate the effects of data hostage-taking, such as requiring a weekly data dump.
Reducing or eliminating the company's privacy functionalities will limit its ability to protect against such contractor malfeasance.
More effective use of information. Imposing good privacy practices on a company generally enhances its understanding of what personal information it collects, as well as of its policies and practices regarding collection, use and disclosure. And it presents the opportunity to centralize disparate operations where the company's right hand was ignorant of what its left hand was doing.
Accordingly, the privacy exercise may render the company's data practices more effective, e.g., by eliminating unnecessary duplicative collection and storage practices, and contradictory disclosure policies. A concrete example occurs every time a company conducts a privacy audit and concludes it is collecting unnecessary data, or that it is retaining data longer than required by law or business necessity.
Ceasing to collect unnecessary data, and limiting retention periods, saves a good deal of money.
Enhanced privacy also leads to better information. Thus, for example, the company's contact lists will contain fewer stale addresses and fewer individuals who wish not to be contacted, which will increase the company's efficiency in using this information.
Reduced customer churn. Enhanced privacy will reduce the probability a company's name will find its way into the press, ballyhooed as the latest perpetrator of a data breach against its customers, employees and the public.
Studies have shown that, especially in consumer businesses, there is generally a loss of customers in the wake of a publicized data breach. While the degree of churn can be ameliorated by the manner in which the company communicates with customers, and the communication's content, the best methodology and content in the world will not eliminate churn.[FOOTNOTE 2]
Reduced probability of brand damage. Where the company is portrayed as a perpetrator or at best negligent, recognizably or subliminally many consumers will likely view the company and its brands negatively.
Brand damage can make it more difficult to acquire new customers, either because prospective customers remember the data breach, or because in the back of their minds they harbor a negative association with the company or its brand. In aggravated situations this may even adversely affect the company's stock price.
The company's privacy image can also affect the attitudes of prospective business partners (e.g., providers of lists, or prospective joint marketing partners) as to whether and how they will deal.
In activities especially sensitive to privacy, such as the sale or licensing of customer lists, prospective business partners may be reluctant to affiliate with a company known for lax privacy.
A reputation for strong privacy, on the other hand, makes a company an attractive candidate for affiliation with such a prospective partner.
Avoidance of the monetary cost associated with a data breach. Aside from churn and brand damage, a data breach requires the company to spend money notifying data subjects where notification is required by law or is deemed advisable by the company.[FOOTNOTE 3]
Counsel must determine if notification is required by law, to whom notification must be given, and how it must be given, among other things. These determinations are time-intensive, and generate a substantial fee.
If notification is given, there is a cost associated with preparing and communicating it, whether done by telephone, first-class mail, overnight, or even e-mail or Web site. And credit monitoring or other services provided for the benefit of affected data subjects will also cost money.
Improved employee morale. As is the case with other people, employees like to think their personal information is maintained with good security. And they like to work for a company with a good reputation for treating people -- and their information -- appropriately.
Happy employees tend to do a better job, with higher productivity, fewer "sick days," etc. They also are less peripatetic, which lowers the cost of training personnel to fill the positions of departing employees.
Protection against discontented employees. When the economy turns down, the threat (and reality) of layoffs materializes. There are many instances where unhappy employees -- and ex-employees -- have engaged in destructive conduct, making it difficult or impossible to use computer systems. Adhering to privacy and security best practices minimizes such problems.
Enhanced suitability for merger/acquisition. If the company sees itself as a candidate for merger or acquisition, it will enhance its status by getting its privacy house in order. A company with negative privacy publicity or privacy legal problems, or poor privacy policies and practices, is less attractive to a potential suitor. An acquiring company may be reluctant to clean up its partner's privacy-related Augean stables.
Less-likely target for litigation by competitors. Litigation increases when business is bad, as competitors often become less reluctant to pump employee effort and time into supporting litigation, as opposed to engaging in sales, R&D, design, or other normal duties. A company's privacy failure that adversely affects a competitor (even colorably) may trigger litigation.
In one recent case a company offering online college application services to students proved that its competitor damaged it in the amount of $4.5 million by posting a privacy policy that misled students about whether their personal information might be disclosed to third parties.[FOOTNOTE 4] While injury as a result of a competitor's privacy violation may not be common, it occurs, and compliance with privacy law will avert it.
Greater flexibility in bankruptcy proceedings. Bankruptcies are more numerous when the economy is on the skids. An overly restrictive privacy policy unnecessarily limits the company's flexibility in bankruptcy. In particular, representations that customer personal information will not be disclosed to third parties have been the basis for a bankruptcy court's refusal to permit the sale of customer lists.[FOOTNOTE 5]
As a result, the bankruptcy law was modified, and now explicitly permits debtors with a posted privacy policy to convey consumer personal information if the transaction does not violate the policy, or the court approves it after appointing a consumer privacy ombudsman.[FOOTNOTE 6] Accordingly, to maintain flexibility in the ability to sell data assets in bankruptcy, a company should carefully craft its privacy policy.
CONCLUSION
In seeking to identify unprofitable operations and personnel, management attempts to quantify the value of each functionality. The value of good privacy is not easily quantified, and some of the rationales identified above are particularly difficult to quantify. But with a reasonable amount of thought, even rationales difficult to quantify can perhaps be approximated.
In many if not most institutions, the considerations outlined above will give rise to a credible if not compelling argument that privacy is not just ethical, but is also good business.
David Bender, a solo practitioner in Dobbs Ferry, N.Y., specializes in privacy, information technology and intellectual property law.
::::FOOTNOTES::::
FN1 Almost all states now have statutes requiring the owners of certain types of unencrypted personal information to notify affected data subjects residing in the state (and sometimes state attorneys general and major credit reporting agencies). See the previous columns in this series published on p. 5 of the NYLJ, June 30, 2005, Sept. 29, 2005, Dec. 12, 2006, and Feb. 13, 2007. These statutes have greatly increased the potential adverse consequences of a breach. Although there are certain narrow breach notification statutes in the EU, there are no generally applicable breach notification statutes outside the United States.
FN2 See Ponemon Inst., "National Survey on Data Security Breach Notification" (26 Sept. 2005). Some 19 percent of survey respondents (individuals who received breach notifications) reported they had terminated or planned to terminate their relationship with the breaching organization.
FN3 According to one recent Ponemon Institute survey (http://www.encryptionreports.com/costofdatabreach.html), which queried some 43 organizations in 17 sectors of the economy, the average total cost per record of a data breach resulting in notification is $202.
FN4 CollegeNet v. XAP (USDC D. Ore. 03-CV-1229-BR, opin. 26 March 2007).
FN5 See, e.g., FTC v. Toysmart.com, LLC (No. 00-11341-RGS, USDC D. Mass., filed 10 July 2000), and In re Toysmart.com, LLC (US Bankr. Ct. D. Mass. No. 00-13995-CJK).
FN6 11 USC §§332, 363(b).