Why go the extra mile for data privacy and infosec?

17 Feb 2017

Image: Robert Hurworth/Shutterstock

Valerie Lyons is looking at how technology organisations approach privacy, and how it could affect their competitive edge. She spoke to Claire O’Connell.

When was the last time you thought about your privacy online? Maybe when you noticed an ad being targeted at you as you browsed the internet? When you checked your bank balance using an app on your phone? Or perhaps you wondered how much a voice-activated device was ‘listening in’? 

Privacy is becoming more of an issue for consumers, and that will continue as big data drives business forward. That’s according to Valerie Lyons, an information security (infosec) risk expert and researcher at the Irish Centre for Cloud Computing and Commerce in Dublin City University (DCU).

Her PhD research in DCU’s School of Business compares technology organisations that tick the boxes for privacy regulation compliance with their counterparts who go the extra mile and place privacy at the heart of their information management strategy. Why? To assess the impact of their chosen approach, both on the incidence of privacy breaches and on levels of consumer trust.

To compliance, and beyond

Broadly speaking, organisations take two approaches when it comes to privacy management, Lyons said.  “One approach is control based, the organisation takes the view that it owns your data and uses it how it wants to within the regulations,” she said. “It just focuses on compliance, which is intended to be something that you must do as a minimum.”

The other approach is more ‘justice-based’ privacy management, and builds more awareness around privacy practices among staff and consumers, creating a culture of ‘doing the right thing’.

Lyons explained: “In this case, the organisation is likely to focus on fair information privacy practices and to act as custodians of data, guarding it on behalf of the consumer,” she said. “This goes beyond the tick-box exercises of complying with the minimum regulations.”

Infosec analysis

Her PhD research explores the impact of control-based versus justice-based privacy protection approaches in large technology organisations. To do this, she is comparing what organisations say they do with what independent audits say they do.

“I’m looking at what organisations say in their privacy policy, in their corporate social responsibility reports and in other disclosures on the one hand,” said Lyons. “Then I am looking at published breach reports in the media and the management letters and internal controls reports filed in the SEC [Securities and Exchange Commission] database”

By analysing the data, Lyons wants to see whether there is a difference in the frequency of privacy breaches between the control-based and justice-based approaches, and perhaps to even put a cost-benefit analysis on each one.  

She draws on 15 years of experience as head of information risk in the financial sector, where she has seen first-hand how well consumers respond to organisations going the extra mile to protect data.

“My hope is that when my research is finished, I will be able to prove empirically that organisations may have fewer privacy incidents if they invest in privacy initiatives that are aimed at nurturing and sustaining the trust relationship with the consumer – for example, by implementing privacy awareness, compliance and a privacy culture – and that such investments will give an organisation a competitive edge,” she said.  

Valerie-Lyons

Valerie Lyons, researcher at DCU. Image: Aidan Oliver

Building trust

The consumer relationship with an organisation hinges significantly on trust, which is hard won and easily lost – particularly if we are wary of our devices or what the organisation is doing with our data.

“Devices are systemic in the consumer’s life and if consumers feel a bit distrustful of them, tech companies need to sell them enhanced trust. Privacy is a huge element contributing to this distrust, so if an organisation goes far beyond the minimum regulation, the consumer will be more inclined to engage with that organisation,” explained Lyons. 

“So I think as big data continues to grow, we are going to see organisations who go the extra mile for privacy as being the ones gaining the competitive edge.”

Mind your privacy 

For individual consumers, Lyons has practical advice to help safeguard privacy.

If specific apps are a little flimsy on privacy, then seek alternatives and have different passwords across your devices and apps, she suggested.

Lyons herself avoids using online banking on any device where she is unsure of the security settings, and she urges everyone to be aware of the fine print when it comes to consent regarding data use. 

“We should all read the terms and conditions,” she said. “And the companies can help us to do that by using clear and transparent language and sending us notifications of updates. We all need to be clear on our options.”

Dr Claire O’Connell is a scientist-turned-writer with a PhD in cell biology and a master’s in science communication

editorial@siliconrepublic.com