Enhancing business values through personal data protection

The emergence of personal data privacy issues can be traced back to the 1970s, when increasing societal affluence led to a rising awareness of individual rights.

The advent of powerful digital computers has also allowed the instantaneous access, consolidation and processing of personal data, with the data being used beyond the original purpose of its collection.

The rise of the Internet in the 1990s gave birth to electronic commerce, which led to an explosion of cross-border collection and sharing of personal information. Inadequate security protection of data in cyberspace causes prolific identity theft, with personal data stolen for criminal use, in particular sensitive financial data, e.g. credit card and bank account information.

From identity theft to personal data use

Identity theft in the new millennium has been the fastest growing form of consumer fraud in North America. The US Federal Trade Commission, the watchdog for consumer affairs, suggested in its 2010 identity fraud survey report that over 3% of the US adult population, approximately 11 million, were victims of some form of identity theft, with estimated fraud of US$54 billion.

On the international front, notable data breaches include the 2011 breach of the personal data of 77 million Sony PlayStation players, including their names, email addresses, passwords and credit card details.

Apart from data hacking by criminals for illegal financial gain, there are increasing concerns about questionable personal data collection by business organizations and social media without adequate notification to and awareness of their customers and constituents. Notable examples include Apple and Google, found in 2011 to be collecting excessive personal data from users of their smartphones and tablets in order to locate those users.

In Hong Kong, the infamous case of Octopus selling the personal data of 2.4 million customers of its loyalty program to third parties in 2010 has brought awareness to the community of cavalier privacy invasion for monetary gain. Amidst all the complaints from the community, a positive result of the incident is a significant amendment to the Personal Data (Privacy) Ordinance, which enhances data privacy protection with respect to the use of personal data in direct marketing.

Personal data -- currency of digital future

With the rising consumerization brought by the advance of cloud computing, big data, mobility and social media, cyberspace is fraught with intrusions on personal data. It is estimated that 70% of the information in the digital universe is created by individuals through phone calls, photos, banking transactions or postings on social networks. More of this data is being mined and analyzed, and many businesses regard it as the "currency of the digital future". Meanwhile, consumers are expressing great concern and ranking personal data privacy as their number one concern.

Many economies, including those in Asia, have enacted legislation to provide personal data protection, but success comes in varying degrees. The obstacles are manifold, including legal provisions lagging behind the fast pace of technology development, difficulties in cross-border enforcement due to jurisdiction issues, and the increasingly debatable legal definitions of "personal data", "data access" and "data collection".

Business value for data protection

Given the economic value of personal data and the privacy concern among consumers, Hong Kong enterprises are strongly encouraged to place a priority on personal data protection, not only for legal compliance and damage control, but also to bring a competitive edge in enhancing business values and gaining new customers.

Consider the consequential damage of a significant data breach or improper data collection: analysts estimate a loss of US$1.5 billion for Sony from the personal data breach of 77 million PlayStation players, and Google in 2013 had to pay US$17 million to settle a dispute with 37 US states after it bypassed Safari browser privacy settings to place cookies to track consumers' behavior, allegedly without their knowledge or consent.

The high cost of a data breach--including financial penalties, expenses in crisis management, damage control and notification to customers, as well as legal and administrative expenses in litigation--could amount to millions of dollars. In some cases, including the Octopus incident, the chief executive had to resign.

The intangible costs are also far-reaching, including damage to brand and commercial reputation and loss of client trust.

Personal data privacy as a business priority

It is therefore important for businesses to institute and implement a policy that respects the personal data privacy of their customers and employees. With senior management commitment, personal data protection should become a corporate priority throughout all levels of the organization.

A culture to protect personal data should be built and sustained, through education, technology, processes and procedures.

In making data privacy a business imperative, an enterprise could gain a competitive edge by enhancing trust and customer confidence, keeping existing customers and attracting new ones, while minimizing the risks of a data breach.

It is particularly encouraging that the Office of the Privacy Commissioner for Personal Data is promoting the adoption of Privacy Management Programs (PMP) within organizations as a strategic framework.

According to Privacy Commissioner Allan Chiang, "organizations, as responsible corporate citizens, should adopt a paradigm shift from compliance to accountability. To this end, top management's commitment is required to build and maintain PMP, which ensures that privacy is built by design into all initiatives, programs or services, and data protection is practiced throughout the organization. This proactive approach should lead to a win-win-win outcome for the organizations and their staff as well as customers."

Stephen Lau is the former HK Privacy Commissioner for Personal Data, and a past President of the HK Computer Society. Currently he is Adviser to HP Enterprise Services, and Vice President (Executive) of the HK Computer Society.
