In a local news interview, I was recently asked to comment on the Facebook-Cambridge Analytica story involving the unauthorized use of Facebook user profile information by Cambridge Analytica for profiling and targeting purposes. The focus of the interview was what consumers can do to better protect themselves. However, there are learning opportunities for businesses too. Here are some quick points to consider for both parties.
- Your choices matter most. I beat this drum pretty heavily, but it is true. While technology, the marketplace and even the law will serve to provide you some protections and redress when it comes to privacy and security matters, the biggest impact on protecting your personal information are the choices you make with respect to that information. What information you share, with whom (which companies) and under what conditions are all things you can control.
- Audit. Get up in your third parties’ business. Facebook could have verified that Cambridge actually deleted the Facebook profiles. Rather, it took a contractual attestation to the fact and allegedly did nothing more. Not always a bad idea, but if you are entrusting third parties to handle your customer’s sensitive data or data in large amounts, use your agreements as an opportunity to ensure that the third party uses the same (or better) safeguards than you do and reserve the right to verify. Not only does this prevent bad things from happening, it shows your customers, regulators, and opposing counsel that you take privacy seriously.
- Data is your business. I do not care what industry in which you operate—you are a data business. Get smart about the data you collect, store, share and destroy. Take the time to classify your data and map your data throughout your organization and with third parties. Write policies and procedures for how your data will be used properly and what is prohibited. Write agreements with your third parties and with your customers that are easy to understand and place a priority on data protection. And get insurance. Even with all the best practices, you WILL have a data incident. It is not IF but WHEN. Plan and invest in protection for not only your customer data, but the survival of your business and its reputation.