It’s a safe bet that few CEOs would like to go through what Mark Zuckerberg went through with regard to privacy issues. The Facebook CEO has been under fire for allegations that his company permitted a firm attempting to manipulate the 2016 presidential campaign to access the personal data of 50 million members. While only a handful of companies gather data in the volume that Facebook does, the issues of customer privacy that the case raises are relevant to CEOs in many other industries.
Privacy protection will undoubtedly be one of the defining issues of the internet age, and many companies outside of the technology sphere are taking notice. Imagine that your bank inadvertently divulges the ways you and your company spend your money. Or a drugstore discloses information about your family’s medications. Or an insurance agency releases your driving records. These days, there seems to be no end to the ways in which malicious actors can cause embarrassment or harm with personal information.
Honoring customer privacy and security
A company’s customers are the most important aspect of any business. The product or service you render as a company is done for the customer, so ensuring their privacy and security needs to be a part of your mission. Should a breach occur, the lasting negative impact on your brand credibility and trust typically outweighs the additional costs associated with building security and privacy into your product or service. As the leader, setting the tone for how your company views the importance of security is one of the most important things you can do. CEOs set the bar for the entire organization. Embed the privacy and security of your customers within the nucleus of your company and its products. Why? Because no matter the type of business you’re in, if you collect any data on your customer, you instantly become a fiduciary of that information. There is a duty and responsibility to protect and safeguard that information.
The good news is that the stock market thrashing that victims of privacy breaches often suffer is usually a short-term phenomenon. The bad news is that your customers’ trust and loyalty may have been irreparably damaged.
IBM’s recent Future of Identity Study found that more than 20 percent of consumers (and 25 percent of millennials) would stop using a service following a data breach. A survey by data protection firm Gemalto was even more alarming. The survey reported that 70 percent of consumers said they would stop doing business with a company that suffered a data breach, and that 93 percent would consider legal action if they were affected. Competitors will make sure customers don’t quickly forget your company’s missteps, and search engine memories last for years.
New regulations such as GDPR narrow the window of time that companies have to report compromises and strengthen public disclosure requirements. Hunkering down and hoping nobody notices a misstep is no longer an option. A company’s failure to protect sensitive personal information becomes a matter of public record, along with all of the consequences outlined above.
Following the law
Equifax has been hit by dozens of individual class-action lawsuits, including a rare national class-action lawsuit comprised of complaints from all 50 states. The company will be in litigation for years, and the costs will be in the millions. While Equifax may be an extreme example, the ease with which compromised customers can now pursue litigation can create a nightmare for companies, even those that are the victim of a minor breach. There’s now even a chatbot service that helps you sue anyone.
Regulatory penalties are another landmine. The General Data Protection Regulation in Europe (GDPR), which went into effect in May, imposes penalties of up to 4 percent of a company’s total revenue for each privacy violation. What this means is that even a modest breach could spell bankruptcy for the compromised company. Similarly, the Canadian government is considering amendments to its privacy regulations that would give individuals greater control over the disclosure of personal information online. The legal costs of fighting prosecution are substantial, not to mention the distraction penalty on senior executives.
Customers and investors want ownership after a security breach, and the CEO is often the one people look to for answers. Equifax did a thorough evaluation of its leaders last year following a breach that compromised the data of 143 million Americans. The chief executive of TalkTalk resigned after a 2015 cyberattack compromised the personal information of more than 150,000 customers and knocked the stock price down by 30 percent. As we all know, the CEO sets the tone for company priorities, so when things fail or go wrong, we must take responsibility.
In sum, between increased regulation and news coverage, there is sufficient evidence of growing concern among consumers over the safety of their personal information, and it’s clear that privacy protection is becoming an organizational mandate. As the person leading the ship, the CEO should be particularly vigilant and proactive in ensuring the business is protected and prepared should a breach occur. CEOs should mandate processes with their design and technology teams to confirm that controls and systems are in place to safeguard customer information at every level of the organization and within its products and service offerings.
This article is published as part of the IDG Contributor Network.