We are living at a remarkable time in internet history, when businesses are bringing products and services to consumers' fingertips at a staggering pace. While technological advances will only increase the capacity for such offerings, it is a sore reality that businesses are losing all-important consumer trust because of the way online personal data is handled and processed. It is no exaggeration to state that consumer trust has never been as low as it is now.
More than one consumer confidence survey conducted this year highlights widespread mistrust about the security of online privacy. In its January US Consumer Confidence Index, TRUSTe reported steadily declining online confidence, hitting a three-year low, with more consumers concerned about business data collection than about government surveillance programs. Only 55% trust businesses with their sensitive data; the figures stood at 57% and 59% in the corresponding months of 2013 and 2012, respectively. A resounding 92% of internet users worry about their privacy online, up from 89% and 90% in the same periods, while an unchanged 89% admitted to avoiding business transactions with firms they believe do not adequately protect their privacy online.
According to a February 2014 survey by the Global Research Business Network (GRBN), 40% and 45% of respondents in the UK and the US, respectively, are highly worried about how businesses use their personal data. The lack of trust extends across a variety of organizations and geographies. While 38% do not trust the way Google and Bing use their data, 53% distrust Facebook and Twitter, and market research companies are not trusted by 41% of respondents.
And no one is more aware than businesses themselves that the mistrust is not misplaced. While a growing number of privacy-aware consumers are slowly turning their backs on online information sharing, businesses are finding innovative ways to collect sensitive personal data only to use it insensitively. According to TRUSTe CEO Chris Babel, “While some businesses are taking steps today to address privacy concerns, many are not, and the bar is rising… Companies need to act now to protect consumers and their personal information, which is vital to the success of their business, and address these high privacy concerns to build online trust, minimize risk and stay ahead of the competition.”
To answer increasing online privacy concerns, organizations need to view consumer data as an asset whose high value warrants protection grounded in business ethics and a suite of security practices. Irrespective of enterprise size, managing this asset gives rise to risk. Therefore, businesses should integrate privacy risk management (PRM) into their overall risk framework, categorizing it as operational risk to be treated with preventive actions that meet regulatory requirements while minimizing business disruption. Enterprises should view online privacy concerns as another area of risk and manage it by executing the following practices effectively:
Identify: Businesses must adopt efficient processes – both formal and informal – to identify potential privacy breach areas such as misuse, leakage, or loss of personal information. Identify risk scenarios using security practices supported by human judgement. Over time, these processes mature into a culture of respecting and safeguarding customers' personal data.
Measure and Manage: Measurement in privacy risk management can be two-dimensional: assessment of the identified risks, and periodic self-assessment to arrive at time-sensitive solutions. Eliminate risks where the potential loss could outweigh the probable gain, and manage the remaining risks within an accepted level. Assess the personal information your organization holds alongside your organization's capacity to handle that data judiciously. Also assess your third-party data-sharing practices from time to time to stay current.
Prioritize: Categorize the information based on importance, impact and sensitivity – for both storage and processing. While all personal information needs to be treated with care, some of it is more sensitive – financial records and health information, for example – and therefore presents greater risk warranting more care. Respect the information lifecycle and destroy any data you no longer need.
Treat and Monitor: Determine how to treat online privacy risks. Being preventive in nature, efficient privacy risk management eliminates risk before it is realized. Prepare and implement a baseline set of controls to safeguard sensitive information from the known set of relevant threats. Regularly monitor the implemented security practices to ensure they are functioning and truly mitigating the targeted risks.
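As an added illustration that is not part of the original article, the following Python sketch applies the four practices above to a constructed sample data register: it scores each asset (identify, measure), orders the register by risk (prioritize), and picks a treatment of destroy, eliminate, mitigate or accept (treat). The sensitivity tiers, the scoring formula and the accepted-risk threshold are assumptions chosen for the example, not values from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed sensitivity tiers: the article singles out financial and health data as most sensitive.
SENSITIVITY = {"health": 3, "financial": 3, "contact": 2, "behavioural": 1}
ACCEPTED_RISK = 6  # hypothetical risk-appetite threshold on likelihood x impact

@dataclass
class DataAsset:
    name: str
    category: str                  # key into SENSITIVITY
    likelihood: int                # 1-3: assessed chance of misuse, leak or loss
    shared_with_third_party: bool  # third-party sharing raises the impact
    collected: date
    retention_days: int            # how long the business actually needs the data
    business_value: int            # 1-3: probable gain from holding the data

def risk_score(asset):
    """Identify/measure: likelihood x impact, with impact raised by third-party sharing."""
    impact = SENSITIVITY[asset.category] + (1 if asset.shared_with_third_party else 0)
    return asset.likelihood * impact

def treatment(asset, today):
    """Treat: return one PRM action for an asset: destroy, eliminate, mitigate or accept."""
    if today > asset.collected + timedelta(days=asset.retention_days):
        return "destroy"      # information lifecycle: data no longer needed
    score = risk_score(asset)
    if score > ACCEPTED_RISK and asset.business_value < SENSITIVITY[asset.category]:
        return "eliminate"    # potential loss outweighs probable gain
    if score > ACCEPTED_RISK:
        return "mitigate"     # keep it, but bring it within the accepted level via baseline controls
    return "accept"

def prioritize(assets):
    """Prioritize: riskiest assets first, so controls and reviews go where they matter most."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))

def sample_register(today):
    """Constructed sample register for the example; not real data."""
    d = lambda n: today - timedelta(days=n)
    return [
        DataAsset("patient_records", "health", 2, True, d(100), 365, 3),
        DataAsset("card_numbers", "financial", 3, False, d(30), 90, 1),
        DataAsset("newsletter_emails", "contact", 1, False, d(800), 365, 2),
        DataAsset("clickstream", "behavioural", 2, True, d(10), 30, 2),
    ]

if __name__ == "__main__":
    today = date(2014, 6, 1)
    for a in prioritize(sample_register(today)):
        print(f"{a.name:18} risk={risk_score(a)} action={treatment(a, today)}")
```

The monitoring step is the part a script cannot do for you: re-run the assessment on a schedule and compare actions against the previous run to catch assets whose risk has drifted.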
Enterprises need data to provide targeted services and develop useful products. The problem arises when the collected data is used carelessly, whether stored inadequately or processed in a manner consumers do not accept as legal and ethical. The time has come for organizations to accept the risk and act to arrest the eroding trust, or be prepared to suffer losses – financial, reputational and regulatory – which together could cripple an organization in its entirety.
Due to the increasing complexity, legislation alone can no longer effectively safeguard against online privacy risks. Moreover, systematic research treating online privacy as a risk management issue has yet to evolve. Against such a backdrop, adopting the mature ISO/IEC 27001:2013 information security management system (ISMS) standard helps businesses keep personal data assets secure. Well executed, an ISMS supports business continuity by minimizing privacy and security breaches.