Technology is an inescapable part of our lives. Unless you live completely off the grid—grow your own food, never drive a car, transact with only the cash kept under your mattress inside your built-by-your-own-hands house—your personal information is collected, tracked, and exchanged by and among businesses. We knowingly provide private information to some; others come by it through craftily drafted terms and conditions tacked onto customer agreements (often in small print).
In a talk at RSA Conference, Laura Koetzle, VP and Group Director for Security & Risk at Forrester Research, presented Five Ways to Drive Revenue by Protecting Customer Privacy. Forrester, through its Data Services group, surveyed consumers about their attitude towards online privacy and trust. Koetzle shared some results of the survey.[i] According to the data presented, 44% of consumers worry that apps are collecting information without their consent; 58% of US online adults have changed their online behavior; and 30% refrain from online purchases from what they deem untrustworthy sites.
While these numbers aren’t staggering, they have increased steadily over the years: first as smartphones began to offer more availability and efficiency, then when Edward Snowden very publicly revealed the US government’s surveillance of its citizens, and now as technology companies fight for their right to protect their customers’ data privacy. Consumers are better informed today than they were a year ago, and will be even better educated a year from now. Koetzle reasoned that over the next five years, “Consumers’ sophistication and commitment to privacy will grow: And they will continue to ‘vote with their wallets.’”
The idea of Privacy-as-a-Service is an interesting concept. It’s true that consumers are more privacy-conscious than ever before. Still, data shows that companies bounce back rather nicely after a breach. Since many of the major breaches in the US have been credit-focused, maybe the issue is that US consumers value convenience over privacy.
How will that change as technology tracks more of our thoughts and desires than it does our transactions? Sure, today when credit card information is stolen it’s possible for the attackers to correlate the data to learn more about the person behind the plastic, but that’s not attackers’ focus (yet). Even with health records—yes, that’s getting more personal, but despite some crazy, FUD-based-but-entertaining conference talks, the public hasn’t seen where their health care has been impacted. People haven’t died because of altered records; if a patient is given the wrong medication or an incorrect dose, it’s been due to human error (aside from in The Net[ii]).
If you stop and really think about it, a ton of our personal thoughts and feelings are already available through data collected as we go about our days. Where and what we like to eat and buy. The geographic circles in which we travel. How frequently we go to the gym. What companies we pay regularly for utilities, mortgages, loans, Internet service, etc. A lot of this information isn’t right in consumers’ faces, though. Very few people (outside of security) stop and think about this. Frankly, just writing this is a wakeup call. Now that new, cool, convenient apps which track your grocery list, when your heat/AC turns on/up/down, your jogging time/progress against your entire running circle, and more are becoming commonplace, consumers are going to start thinking about it. (Attackers are already thinking about monetizing it.) With all of that data about everyday preferences and movements stored in one place—and as the government continues to advertise just how much they want access to our private information (imagine how foreign governments are drooling for the same access)—businesses need to start thinking about Privacy-as-a-Service and how to use it to gain consumers’ trust. If consumers don’t or can’t trust your business to keep their information safe, they will shop elsewhere. Very few businesses are “the only game in town.”
When the creepiness factor starts to set in, revenue will be lost or gained based on businesses’ abilities to protect personal information. Consumers will be demanding more, and businesses must rise to the challenge. There’s a long way to go, but the gauntlet has been thrown. Apple is willing to spend millions of dollars to defend its right to protect customer privacy (and thereby increase market share). Not all businesses can do that, but the point is that a giant is out there making consumers aware, giving them food for thought. As customers become better educated, businesses will have to earn their trust by demonstrating over and over their commitment to data privacy. Once a business loses its customers’ trust, it’s a long climb back uphill (check out Volkswagen’s one-year stock price for illustration[iii]).
B2B companies have a different challenge than B2B2C or B2C companies. The latter can easily allow users to control privacy features, opt-ins, and permissions upon registration. Maybe, though, it’s time for B2B companies to start thinking that way too. How many times have you bought an item online and been automatically registered for the company’s email blasts, which become quickly annoying as they clutter your inbox with deals irrelevant to you? Or how about when the store from which you bought an item resells your information to another company from which you now start receiving emails? That’s an even bigger violation of privacy and trust.
Considering customer privacy from the consumer’s perspective, asking “What if it were me? How would I want my privacy protected were I the consumer and not the security SME?”, is what’s going to drive privacy forward. With increased privacy protection, businesses will have the ability to prove over and over that they are trustworthy with consumers’ most important assets: personal information. As a result, the business will increase market share, and security teams will gain their place as trusted business partners rather than the defenders against elusive zero-days and potentially scary threats that (in the eyes of the business) may or may not pose problems to the bottom line.