Photography & Animation: Sky Pie Studio; Retouching: Black Magic Studio
Photography & Animation: Sky Pie Studio; Retouching: Black Magic Studio
In the annals of data privacy scandals, Facebook’s current debacle is fairly monumental. After allegations surfaced last month that British data company Cambridge Analytica improperly accessed the private data from 87 million (at last count) of its users to target voters on behalf of the 2016 Trump presidential campaign, the fallout was swift.
In the span of just 10 days, the company’s stock took a nosedive, wiping out nearly $70 billion of its market cap. Several state attorneys general threatened to sue. The Federal Trade Commission opened an investigation and lawmakers in both Washington, D.C., and the United Kingdom demanded that Mark Zuckerberg, Facebook’s founder and CEO, appear for questioning. (He testified before Congress last week.) The company itself revealed additional gaffes, including registering the text and call histories of android users. By the time Zuckerberg launched his high-profile apology tour, a full-blown boycott movement, #DeleteFacebook, was well underway—with everyone from Tesla founder Elon Musk to comedian Jim Carrey calling on others to scrap the app.
While Facebook’s ongoing privacy fiasco thrust it into a massive reputation crisis—not to mention the crosshairs of lawmakers and regulatory agencies—it also laid bare the murky, ever-changing world of data privacy, where consumers’ trust and personal information vie with the business interests of companies and organizations.
Enter the chief privacy officer. Once a marginal player among a handful of companies, increasingly businesses are deploying gatekeeping CPOs tasked with not only setting privacy strategy, but also protecting customers’ interests—while navigating the shifting landscape of regulatory compliance. According to the recent PwC 2018 Global State of Information Security survey, 79 percent of institutions worth $10 billion or more have installed a privacy executive; while those worth between $15 billion and $25 billion say 81 percent have. Indeed, the International Association of Privacy Professionals (IAPP), a nonprofit group focused on privacy, saw its membership jump 40 percent to 35,000 this year from 25,000 in 2017—a giant leap from the few dozen members it had in 2000.
“Security is protecting companies from the world,” says Richard Purcell, who served as Microsoft’s first CPO from 2000 to 2003 before founding the consulting firm Corporate Privacy Group. “Privacy is all about protecting the world from the companies.”
How organizations collect and use data has become one of the most important issues of our time. In part, that is because the amount of data produced—from social media to financial transactions—is astounding. According to market intelligence firm IDC, by 2025, consumers are expected to generate around 180 zettabytes (in layman’s terms: one zettabyte is equal to 250 billion DVDs). What’s more, as IBM noted, in 2013, 90 percent of the world’s data flow was created in just the previous two years.
With all that data sloshing around, companies are under ever-increasing pressure to safeguard the privacy of the information that they manage. And all of this data is vulnerable, as the number of large-scale breaches, cyberattacks, identity theft and fraud in recent years has demonstrated. Since 2005, the Privacy Rights Clearinghouse, an advocacy organization, has logged approximately 8,000 data breaches exposing 10.3 billion records.
Like hurricanes and superstorms, such attacks are occurring with alarming frequency. In March, Under Armour announced that as many as 150 million users might have had data stolen from its MyFitnessPal app. Earlier this month, Lord & Taylor and Saks Fifth Avenue reported data breaches that potentially exposed as many as 5 million credit card accounts. In April, Panera Bread disclosed a data breach of its website. By some estimates, the number of those who had their credit cards data stolen is as high as 37 million customers.
“Breaches have become the third guarantee in life after death and taxes,” says Credit.com co-founder Adam Levin, who now runs the security firm CyberScout.
Then there are the financial, legal and reputational costs associated with these breaches. Javelin Strategy & Research reported that last year a record 16.7 million Americans were the victims of identity theft—up 8 percent from 2016 and totaling $16.8 billion in losses. Last year, the news that 3 billion Yahoo user accounts were compromised in 2013 nearly derailed Verizon’s planned $4.8 billion acquisition of the company’s core business, ultimately slashing $350 million off the purchase price. Equifax took a major PR hit and its CEO Richard Smith was forced to resign after the credit reporting agency disclosed last year that hackers broke into its systems and pilfered the personal information of some 145.4 million Americans.
One of the biggest worries a company now faces, says J. Trevor Hughes, IAPP’s CEO, “is that you become the privacy pariah of the month.”
Now, entering the picture: tough new regulations aimed at providing consumers more control and better protections over their private information. The European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25, marks the most significant shift in data privacy in over 20 years. The landmark law compels organizations to adhere to a strict set of provisions concerning why and how they collect personal information or face steep financial penalties. That includes any American company that manages EU citizens’ data. Just how big of a deal is this? At last month’s IAAP conference, where over 4,000 privacy professionals convened, GDPR was the biggest topic of conversation.
“Most businesses don’t have the time or budget to take stock of what they have,” says Groupon global privacy counsel Jeanne Sheahan. “This is a very unique time in history to get your house in order.”
Indeed, U.S. lawmakers are proposing new regulatory frameworks. Last month, Rep. Bobby Rush (D-Ill.) introduced the Data Accountability and Trust Act that would create a national standard for privacy and data protections. In California, a groundbreaking ballot initiative, the California Consumer Privacy Act, is coming up for a vote in November that would require large companies to disclose the types of data they collect from consumers. During Zuckerberg’s congressional testimony last week, a pair of U.S. Senators presented a new bill aimed at further consumer data protections.
The idea of a CPO is not necessarily a new one. Data broker Acxiom’s first C-suite privacy pro, Jennifer Barrett Glasgow, began leading the company’s compliance initiatives in 1991. What is new is that companies, whether by choice or regulation, are now obliged to make privacy a central tenet of their businesses. As PwC’s survey noted, “For CEOs and boards, the existential question is less about the future of privacy and more about the future of their own organization.”
Unlike a chief security officer—whose main role is to protect a company’s physical assets and intellectual property—the role of chief privacy officer requires a skill set that is part lawyer, engineer, businessperson, marketer and customer relations specialist. A CPO must weigh the risks and agendas between protecting consumers’ information while assessing how that information can be used to a business’s advantage. In short, they must understand what happens with every single user’s personal information—from the architecture of how it’s collected and where it comes from to how it’s used and where it goes.
Doug Miller, CPO of Oath—the Verizon subsidiary that includes recently acquired AOL and Yahoo—says there’s been a “palpable, cultural shift” in how the company views privacy. Miller, who was with AOL before the company’s merger, now oversees hundreds of systems and databases while regularly communicating with the company’s CTO, CMO and his Verizon CPO counterpart about how emerging tech such as AI, smart cities and other innovations could help or hurt their privacy efforts.
For companies—especially ad- and mar-tech firms that have spent billions on building databases to microtarget consumers’ interests online—the new privacy landscape is nothing less than a front-burner issue.
Alisa Bergman, who became Adobe’s CPO last year, says her prior experience with three law firms focused on privacy taught her the need to educate companies and government officials on how privacy can play out. Now, she spends much of her time drafting policies while also working with engineers to bake in privacy tools earlier on in the process—a concept known in the industry as “privacy by design.”
In February, Demandbase, an account-based marketing firm, hired its first CPO, Fatima Khan. According to Khan, the first thing she did was conduct a risk assessment of the firm’s privacy tools, including a gap analysis to see where it might have vulnerabilities in its platforms. Khan and her team discovered there was a need for Demandbase to better understand data subject rights, leading her to hire a project manager focused specifically on that task.
This brave new world for the CPO can also mean mitigating tensions between a company’s business considerations and its legal ones, which don’t always align. In 2013, OpenX, a programmatic advertising company, decided to remove unverifiable inventory found in its exchange, as part of a broader crackdown on bad actors. While the move improved overall privacy measures, it drove revenue down by 25 to 30 percent. That in turn forced the company to cut its growth rate to 30 percent rather than hit its projected 40 to 50 percent.
“It was not a happy board meeting after we took that action,” says OpenX CPO Douglas McPherson. “But we felt like that was important for the long-term brand and the company we were building.”
At the moment, a number of companies have begun taking steps to deal with both upcoming regulations and greater scrutiny by investing in technology and tools aimed at better protecting data. In the wake of its current scandal, Facebook announced it will make it simpler for users to examine and change some of the data it tracks about them. This includes a central hub in its app settings that contains existing tools for users to review and, if desired, delete traces of their activity such as past posts and search terms. Earlier this year, Amazon offered improved data encryption on its cloud storage service.
The question remains, however, are these changes enough? In other words, as the data grows so too do the challenges. Will companies and their CPOs ever be able to keep track of it all—let alone protect it all?
At this time, trust, business and privacy remain locked in a long-term struggle. How it all shakes out remains to be seen. As Sen. John Kennedy (R-La.) said during last week’s Senate Commerce and Judiciary Committee hearings with Zuckerberg: “Our promised digital utopia, we have discovered, has minefields."