
Welcome to the redesigned Privacy for Business site.

This site provides links to privacy news and other practical resources for privacy officers.



Stephen Cobb, CISSP

The author of more than two dozen books, Stephen Cobb has been a Certified Information Systems Security Professional since 1996. He has delivered information security and data privacy classes to thousands of students from companies, government agencies and universities. Examples include security awareness training for 10,000+ AT&T Wireless employees, privacy training for all Microsoft employees, and more than a dozen online and in-person HIPAA seminars.

Stephen is currently a Senior Security Researcher at security solutions provider ESET. He is also working on a graduate degree in the Criminology Department at the University of Leicester. In the past he has served as an Adjunct Professor and curriculum contributor to the Master of Science in Information Assurance program at Norwich University, Vermont. Stephen has advised government agencies, including the Federal Trade Commission, on computer security and privacy. He helped develop ground-breaking security and anti-spam technology (now marketed by Symantec), as well as techniques for ensuring the deliverability of legitimate commercial email, published as the Trusted Email Open Standard (PDF).

"If you were to ask me for my mission statement with regard to privacy and security I would say it is: to maximize the benefits we get from information technology by minimizing the risks arising from its ever-expanding deployment."

Thoughts on privacy and business, from Stephen Cobb

The following are some observations, past and present, on privacy and business. You might also enjoy my podcasts, available here.

Privacy will become a primary driver of information security

That's what I predicted at the end of 1999 and it has come to pass. As early as 1997, I was warning corporate clients that security breaches involving the personal data in their care could prove more costly than breaches involving financial data. By the end of the decade a string of regulations were coming down the pike, including Gramm-Leach-Bliley and HIPAA.

In 2002, the Federal Trade Commission swore out a complaint against a major pharmaceutical firm that resulted in a consent decree mandating federal and third party oversight of the firm's information protection program for a period of ten years. The basis: accidental disclosure, to a small group of people, of the email addresses of 669 web site visitors who might be construed as having expressed an interest in an anti-depressant.

That single FTC action raised the privacy stakes for business to unprecedented levels, and the FTC kept them raised with a string of complaints alleging inadequate protection of private information. Not to be left out of the action, which clearly played well with consumers, the states started taking on data privacy as well.

In the East, the man who is now governor of New York, but was then Attorney General, Eliot Spitzer, started prosecuting companies that failed to protect against known vulnerabilities (see, it plays well with consumers, who are also voters). In the West, the State of California passed the first "database breach disclosure law," setting a precedent that was quickly copied by many other states (such laws are one reason more people whose data is exposed get to know about it, and typically more quickly than they used to).

An abiding concern

There is no doubt that privacy concerns have been affected by the tragic events of 9/11 and the ensuing war on terror. But we should not forget that privacy was of major concern to the public before 9/11/01. Indeed, when the Wall Street Journal and NBC conducted a telephone poll of more than 2,000 adults at the end of 1999 and asked them what they feared most in the coming century, "loss of personal privacy" topped the list, cited as the number one concern by 29 percent of respondents, well ahead of overpopulation, acts of terrorism, and racism. And those numbers were not just fin de siècle jitters. A 1995 Harris poll found that 82% of people were concerned about their privacy, up from 64% back in 1978.

Privacy concerns are obviously particularly acute with respect to the Internet; for example, a survey in June of 2002 by Jupiter Media Metrix found that almost 70 percent of U.S. consumers worry that their privacy is at risk online. This is not just a vague sentiment. A Harris survey in February of 2002 revealed the top three privacy concerns of consumers to be that:

(a) their information would be provided to other firms without their permission
(b) their transactions may not be secure
(c) hackers could steal their personal information.

These findings are not just important for Web-based companies. Any “clicks-and-mortar” company that combines Web operations with traditional business premises should note that, in the same Harris survey, over 80 percent of the respondents said that they would “completely stop doing business with a company that had misused customer information.” In other words, as Jupiter analysts have pointed out:

“With poor online privacy practices, many companies will experience negative effects not only on their online sales over the next several years, but also on off-line sales that shift to more privacy-sensitive competitors.”

In the five years following the above prediction, the extent to which it has proved true remains unclear. Measuring effects that manifest themselves in negative actions or inaction (like not shopping online or avoiding a specific retailer) is arguably harder than measuring positive effects. A retailer may not see an actual drop in sales after a security breach that exposed its customers' private data, but the rate of sales growth may be slowed by the incident, and a loss of market share to a competitor may be attributed to any of a variety of factors.

However, in a 2006 study, consumers confirmed they are both worried and agitated when it comes to online privacy and security. "Sixty-five percent say they have experienced some kind of computer security problem. Over half say they would either strongly consider or definitely take their business elsewhere if their personal information were compromised." -- CMO Council

The impact extends into the business-to-business market. "Half of all corporate executives polled said they would either consider or would recommend taking their business elsewhere if a business partner suffered a security breach that compromised their corporate or customer data." --

And the toll taken by the press coverage cannot be ignored. "In several cases, security coverage of specific companies that suffered a breach accounted for more than half of all stories written about those businesses in 2005." -- CMO Council

That security breach events negatively impact stock performance now seems clear. When I have performed my own analysis in the past I often came up with numbers around 4%, although it is famously tough to isolate any single factor in a stock's pricing. However, Emory University researchers, who one can assume applied more resources to the issue than I did, found that "a company loses, on average, from 0.63% to 2.10% value in stock price when a breach is reported -- equivalent to a loss in market capitalization of $860 million to $1.65 billion per incident." -- CMO Council

It's just not healthy

Inadequate security measures to protect personal data, combined with the unrelenting efforts of some persons to abuse information systems, continue to have a negative impact beyond the markets and consumers' retail preferences. A national study by the California HealthCare Foundation in January 1999 found that 15% of American adults say they have done something out of the ordinary to keep medical information confidential.

Consider these behaviors: asking a doctor not to write down certain health information, or to record a less serious or embarrassing condition; giving inaccurate or incomplete information; paying out-of-pocket; doctor-hopping; avoiding care altogether. These behaviors are quite common among people who do not trust doctors' offices or hospitals to properly protect patient privacy. The effects: the patient risks undetected and untreated conditions; the doctor's ability to diagnose and treat patients is jeopardized without access to complete and accurate information; and future treatment may be compromised if the doctor misrepresents patient information in order to encourage disclosure.

And it is not just the process of getting medical care that is affected. How do you conduct valid medical research or provide proper insurance coverage when people don't trust the uses to which their health data will be put? The stress extends beyond clinics and labs to the workplace. In a 2000 survey of Fortune 500 companies, only 38% responded that they do not use or disclose employee health information for employment decisions (Report prepared for Rep. Henry A. Waxman by the Minority Staff, Special Investigations Division, Committee on Government Reform, U.S. House of Representatives, April 6, 2000).

Clearly, privacy is one of the major issues of this decade and will probably remain a serious challenge for the rest of the century, across society and across the world. We will be failing future generations if we do not put our best efforts into finding answers to the myriad questions that 'privacy' raises.

