Privacy Risk

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

The growing concern about the risk of exposure of User Private Information has been labeled as a Privacy Risk that has been legislated into a legal and reputation risk for Enterprises that collect and store that information.


Tom Jones (2019-09-06)


User Risk

The meaning of the term Privacy has been growing as the Information Age has expanded into every aspect of our human experience. While it started with the Warren and Brandeis article as the "right to the let alone" [1] it has expanded into a wide range of User Rights. While users have shown increasing anxiety about their privacy, they continue to show very little appetite for changing their behavior to protect their Privacy. As a result federal and state governments around the world have been passing laws designed to give users more control over their User Information.

Enterprise Risk

While in an earlier age it was possible to appeal to an Enterprise's good will, in an age of "maximizing shareholder value" the only way to coerce socially beneficial behaviors is by demonstrating risks to their continued profitability or existence. The are two broad categories of Enterprise Risk: Legal risk and Conduct Risk.

Legal Risk

  • Compliance with legislation mandates always entail additional expenses for a hosting provider, both operational and fines for non-compliance.
  • The risk of tort costs will also expand with additional legislation mandates, both for lawyers fees and judgements.

Conduct Risk

Since executive compensation is often predicated on shareholder value, any risk must be measured strictly in that metric to become an important consideration for executive action by the bulk of public companies. A similar calculus will apply to public enterprises because of pressures from the population at large and thanks to the investigations of a free press where it still exists. In both cases Conduct Risk is a growing discipline that Enterprises have learned to fear through the experiences with general business cases describe on the page Conduct Risk as well as those cases that are specific to service providers. For example, since the 2016 US presidential election Facebook has been called on the carpet in several countries for numerous privacy lapses that continue to grow.[2][3] When Facebook reported that 3 million users in Europe had abandoned them it lost $120 Billion in market value and the stock has continued to lose value throughout 2018.[4] The loss to Equifax market cap after their privacy breach is more that 30% with some experts doubting that the company can continue in existence after all the legal cases are settled.[5]

Opportunity Risk

By far the biggest risk to privacy is the simple fact that data is stored in any centralized location. The following are some of the exploits that have arisen due simply to the availability of a central collection of data:

  1. The department of motor vehicles (DMV) of each state in the US now is tasked with holding identity information on all citizens of the state that requires some sort of sovereign identification card, which will in 2020 include anyone that wants to fly on an airplane in the US[6]. All governments are pressured to find new sources of general funds. The DMVs have all found that they can make big bucks selling data that you are required to give them.[7] The sale of this data to licensed private investigators is perfectly legal, due to the Driver's Privacy Protection Act (DPPA), a law written in the '90s before privacy was recognized to be such a threat, give private investigators access to the data, which means that anyone that can pay a PI can get whatever data they want. In effect the DPPA offers no privacy what-so-ever.
  2. Exemptions granted to scientific and educational organization to use data collected by (for example) Facebook lead to the Cambridge Analytical scandal in the US 2016 elections.


  • Compliance by the Web Site with the agreed terms will be hard to track which means that we can expect to see continued substantial loses as regulatory and market forces exact penalties for bad behavior.
  • It is hard for user's to make informed choices about the impact of consent give to web sites.
  • Recovery and Redress require that user's be give access to their data online, but to prevent that action from being just another attack on the user's privacy is difficult.
  • No right, especially a right so nebulous as privacy, is absolute. The wiki page Privacy as the Enemy discusses some of the pathology of too much privacy.


  • It would probably improve the conversation to change the discussion from Privacy to User Rights, but habits and meanings of words are had to change, so it may be necessary to continue to talk about Privacy even though it would be more informative to talk about User Rights.
  • Changing corporate habits can be difficult unless the CEO of the Enterprise makes and enforces a commitment to treating customer with respect. [8]


  1. Warren and Brandeis The Right to Privacy (1890-12-15) Harvard Law Review
  2. Kevin Roose, No gentile Giant, But a Juggernaut Playing Hardball. (2018-12-06) p. B1 New York Times
  3. Adam Satariano +1, Leveraging User Data To Show Favoritism Among Its partners. (2018-12-06) p. B1 New York Times
  4. Over $119bn wiped off Facebook's market cap after growth shock. The Guardian
  5. Equifax’s stock has fallen 31% since breach disclosure, erasing $5 billion in market cap. (2017-09-14) Market Watch
  6. US Department of Homeland Security, Real ID (announced on December 20, 2013)
  7. Joseph Cox DMVs Are Selling Your Data to Private Investigators Vice (2019-09-06)
  8. Time magazine special report on Habits