Tom Preece, Rational’s Business Development Manager, recently spoke with Kurt Wimmer about his thoughts on emerging data privacy and security trends and how organizations should begin to address these risks. Kurt Wimmer is the U.S. chair of Covington & Burling’s Data Privacy and Cybersecurity practice and is the immediate past chair of the Privacy and Information Security Committee of the American Bar Association’s Antitrust Section.
Tom Preece: You have written in the past about how companies manufacturing IoT devices will need to pay attention to consumers’ desire for privacy of personal data in order to be economically successful. However, there is an increasing sentiment that Generation Y values privacy far less than their preceding generations. As Gen Y purchasing power increases, will the IoT still boom without having to take this desire into account?
Kurt Wimmer: I think the privacy motivations of Generation Y are often misinterpreted. Of course, I agree that Gen Y members are willing to share more personal data than previous generations. But they will only do it on their own terms, and they are quite conscious of protecting their privacy. Gen Y consumers are also cautious about sharing information with institutions their parents trusted implicitly — including banks and other financial institutions that didn’t fare well during the Great Recession. I don’t expect Gen Y consumers to trade privacy and data security for the simple convenience of IoT devices — I expect them to be careful consumers.
Tom: What is your advice to Fortune 500 companies struggling to align their business goals and priorities with data security and privacy protection? Is compromise always necessary?
Kurt: I have seen a marked change in U.S. companies’ attitudes toward personal privacy over the course of my 20 years of practicing in the privacy area. Back in 2000, when the EU-US Safe Harbor came into force, I expected U.S. consumers to finally begin demanding the same privacy rights that U.S. companies were affording EU consumers under the Safe Harbor. That didn’t happen, but the rise of social media and the ubiquity of data breaches has caused the American public to finally focus on privacy and security as a product differentiator. Companies such as Microsoft and Apple now are taking tough privacy positions against government access of their customers’ data, and are finding that these policies resonate with consumers. In my view, Fortune 500 companies are moving toward more progressive and consumer-centric views of privacy, both as the marketplace has begun to demand it and as companies begin to understand that privacy can be a competitive advantage for their products and services in a competitive market.
Tom: Security and Privacy managers often fail to secure executive buy-in for comprehensive privacy or information security programs. What advice do you have for managers seeking such buy-in?
Kurt: Executive support for privacy and security programs is, of course, essential. Corporate structures take their cues from boards and CEOs, and leaders who understand and value privacy will create companies that protect privacy. I believe that executive buy-in for data privacy and cybersecurity programs is massively increasing in today’s market, both in light of cybersecurity issues arising out of high-profile data breaches such as Sony and in light of new penalties being adopted in Europe. The FTC, too, is being taken seriously as a tough regulator as it imposes 20-year consent orders on an increasing number of companies across industry, and state attorneys general are stepping up. These enforcement actions are gaining the attention of CEOs, CFOs and boards of directors, and top-level corporate support for protecting privacy and security is increasing.
Tom: There seems to be a fundamental difference between the way that the US and EU view personal data, culminating most recently in the Safe Harbor agreement being struck down. Is one perspective more correct than the other, and why?
Kurt: Europe has long held that privacy is a fundamental human right, whether it is impinged by the government or a private company. The U.S. has had even longer historical protection for privacy, but U.S. privacy interests have focused on protecting the individual against the government. Both perspectives are valid, and arise from different cultural and historical experiences with privacy. In enacting the General Data Protection Regulation (GDPR), the European Union has gone a step further in attempting to restrain commercial use of personal data, and it will be interesting to see how much that effort may impact the EU’s ability to host cutting-edge digital companies as the GDPR is implemented over the next two years.
Tom: What role does Information Governance play in data privacy and security?
Kurt: Enlightened companies looking to truly secure their data against internal and external threats often begin with organizing their data. Data storage often is based more on history than logic, and idiosyncratic storage procedures that have built up over time can present a serious danger to establishing clear administrative, physical and technical controls over important personal data, IP and trade secrets. Establishing an information governance system is often an important first step toward creating a secure and effective system for collecting, storing and effectively using a company’s data.