Privacy Compliance Programs: What the Data Really Says

Hand-wringing about privacy and cyber-security is all the rage in corporate governance and regulatory circles these days. So I was delighted when NERA Economic Consulting published a research paper recently asking a long-overdue question: Exactly how much is privacy worth to consumers, anyway?

The research on this point is scarce—which is startling, since companies devote so much time to devising privacy compliance programs and defending themselves in court when those programs don’t work. Then come the bad publicity, the unhappy board, and, ultimately, compliance officers sweating out yet another review of breach-disclosure protocols, IT security controls, and data collection policies the marketing department adopted without telling anyone.

All of that rests on the premise that companies must protect personal data because personal data has value. So how much value are we talking about? A lot, apparently.

NERA devised a test asking consumers to select an online video streaming service. Test subjects had to choose one package from a number of possible choices, each one offering various degrees of privacy: an expensive package that shared no data with third parties; a mid-price package that shared your viewing habits but not your personally identifiable details; or a cheap package that shared both.

The study found that test subjects preferred video packages that did not share any data about them, a conclusion so obvious it should surprise nobody. More interesting was this: that consumers were also willing to pay considerably more for packages that shared less of their data. I’ll skip the statistical analysis here (it’s in the NERA paper if you like), but the test packages were priced from $6.99 to $12.99, and NERA calculated a privacy “willingness to pay” factor of $6.01—an exorbitant amount for products in that price range. Or as NERA put it, “This suggests that consumers care a great deal about privacy and would be willing to pay a substantial fee to avoid sharing their information with third parties.”

That would suggest that compliance officers should draft strong privacy policies and keep a sharp eye on data collection, since consumers value it so highly. Here’s the thing, though: evidence taken from court cases suggests that belief might be misguided.

At least, that’s the implication of another bit of research published last year, “Empirical Analysis of Data Breach Litigation.” The authors (led by Sasha Romanosky, professor of IT systems and public policy at Carnegie Mellon University) studied more than 1,700 reported data breaches in the 2000s, which led to 230 lawsuits in federal court. The paper reached some conclusions that would warm the legal department’s heart:

Most data breaches never result in litigation;

Most breaches that do result in litigation are settled because the plaintiffs can’t demonstrate actual harm;

The odds of a company being sued are 3.5 times higher when individuals suffer financial harm;

The odds of a company being sued are 6 times lower when the company offers free credit monitoring.

Put the conclusions of these two papers together, and a bigger picture starts to emerge. First, when a data breach occurs, all those fulminations from consumer advocates and plaintiff lawyers might be beside the point, because consumers don’t suffer much actual harm.

After all, for most victims of a breach, the risk isn’t that you’ll check your bank account one day and find no money; it’s that you apply for a mortgage one day and find someone else already ruined your credit by opening false accounts under your name. With proper credit monitoring that threat is reduced, and consumers aren’t liable for more than $50 in bogus credit card purchases anyway. From their perspective, then, why care? The false purchase is someone else’s problem.

Of course, from the compliance officer’s perspective, the false purchase is still your problem, since the company still has to pay the cost for that stolen product or reimburse a customer for stolen money. But the Romanosky paper, at least, shows that when thieves steal customer data, the steps to placate customers can often be straightforward. Far more important is spending your time working with the IT and internal audit departments on proper IT security and access controls. (Another finding of the Romanosky paper: consumers are less likely to sue if their data was indeed stolen by hackers who somehow pierce your IT security; and much more likely to sue if their data is lost by employee ineptitude like losing a laptop on the subway.)

More problematic for compliance officers is the NERA study, and its conclusion that consumers dislike the idea of companies collecting and sharing data about their behavior. That’s a tough question of business ethics, because plenty of companies now thrive on collecting and sharing information about their customers—but consumers value privacy as a prize unto itself, even if the real harm of losing privacy might be small, as the Romanosky study suggests.

Still, your privacy policy will need to answer that ethical question sooner or later—and if you don’t give an answer that demonstrates restraint and transparency, expect the Federal Trade Commission or plaintiff lawyers to provide an answer for you.