Why CMOs Need To Get Real About The Policy Implications Of Big DataJanuary 10, 2012 – In The News
Big data. Just those words alone are enough to send a collective shudder up AND down the spine of CMOs the world over.
For proof, look no further than the IBM survey conducted last year in which more than 1,700 CMOs from around the world were asked to identify their four biggest challenges — at the top of the list was big data. Many CMOs feel underprepared to oversee the deluge of data.
And while more than two-thirds believe investing in new technologies and tools and developing new strategies is key, relatively few CMOs are thinking about the profound policy implications of big data — especially those relating to privacy and security. Less than one-third considers it necessary to change their privacy policies despite the numerous ways in which customers’ privacy can now be compromised.
This last finding surprised me a great deal. So I decided to reach out to Scott Vernick, a partner at Fox Rothschild LLP. Scott has worked with many Fortune 1000 companies advising them on issues related to cyber security, privacy and data breaches. [Full disclosure: Fox Rothschild LLP is a Star Group client]
SO: What was your reaction to the finding from the IBM Survey and the fact that less than one-third of the respondents are even thinking about privacy policies and possible implications from big data?
SO: What should a business do as they face this influx of big data re: their respective privacy policies?
SV: A lot of it is common sense. They need to ask themselves very straightforward questions to which they should know the answers:
- Is it written so that is understandable by consumers and not loaded down with legalese?
- Are we actually following and adhering to it?
- Are we showing full transparency, e.g. are we upfront about what we plan on doing with any data we collect?
It seems obvious, but companies still get into trouble because they’re not forthright and candid about what they’re doing with the information.
SO: What about internally–what about the internal checks and balances companies need to do to best handle big data?
SV: Well, it’s the same sort of exercise, meaning, they need to ask themselves some questions and the answers to these will dictate next steps:
- How did we acquire the data?
- Did we acquire it legitimately?
- What exactly can we do with the data? This will, of course, depend on what we told customers and consumers we’re doing with it, and whether we have their permission.
- Is the data we have only accessible to those who need it?
- Are our systems robust?
- Do we have the necessary controls in place?
- Do we have a security policy?
- Do we know what’s in it?
- Is our data encrypted?
- Do we conduct regular trainings?
- Do we update the information as needed?
- Do we conduct routine audits?
SO: What’s your take on all the cyber-security bills currently in Congress?
SV: It depends on the details of the bill but, under one proposal, if businesses are prepared to share what they know about the risks and threats to cyber security, then the government is prepared to provide immunity from liability.
Separately, the proposals for federal legislation relate to issues of safeguarding data and what to do in the event of a breach. Outside of the heath care context, there are no federal standards about what you’re supposed to do in terms of your obligations. If you’re a business or an enterprise, you have to worry about the regulatory schemes of 45 states. If the breach is serious enough, you have to worry about what the FTC is going to do.
Greater information sharing would foster a better cyber security environment – plus the government won’t come after you. I wouldn’t be surprised if any number of thoughtful CEOs would be interested in that, — especially given the incredible, aggressive stance being taken by hackers around the world. The federal government and the private section are realizing that the problem is more systemic than can be handled alone. A partnership with the federal government would put them in a better position to prevent attacks on their own.
The government can foster, through legislation, an incentive for cooperation so that businesses can be in a better position to really thwart hackers. It will help them protect their own interests. I can see all kinds of incentives created around reporting and notification, and building safe harbors around that in a cyber security bill. But what lever do you put in place to incentivize? There will be a need for other actions to reduce liability or cost of compliance obligations. Companies are finally recognizing that when it comes to cyber security, the “do-it-yourself” approach doesn’t work — – threats are too robust and pervasive at the top.
SO: Any final thoughts?
SV: If I were a CEO or CMO, my three best friends would be my CFO, CTO and general counsel. In the scheme of things, all that really matters are the integrity of the books and the computer infrastructure. Everything else is secondary.