By Horace McPherson, CISA, CISM, CGEIT, CRISC, CISSP, PMP
Data privacy is more than just a compliance or business issue. People become vulnerable whenever they turn over their personal information to companies. Companies, regardless of industry, owe it to their customers or subscribers to protect their personal information as if they were protecting people’s most precious possessions.
I see what happens to people when they are notified that a company holding their personal information has been breached: anxiety sets in, people have sleepless nights and they sometimes even become pessimistic about the future. Victims of identity theft sometimes feel alone since, in most cases, the burden of proof is on them to prove that they are not responsible for the results of any nefarious actions performed by an identity thief.
In my opinion, personal information is worth more than the numbers on a balance sheet or income statement. In the area of corporate social responsibility (CSR), organizations must be concerned with what is called the triple bottom line. Elements of the triple bottom line include social, environmental and economic factors. Protecting customers’ information is aligned with the social and economic aspects of the triple bottom line, 2 of the essential elements of CSR. If companies do not properly protect personal information, they are not being good corporate citizens. Once sensitive information is collected, there is an expectation of due diligence and due care in the application of data protection policies and mechanisms.
At the end of the day, a company’s approach to data privacy and protection depends on the moral outlook of the company’s leaders. The ethical perspective of the top management team determines whether a company will be proactive and a leader in setting and supporting privacy protection policies and whether privacy protection is put ahead of profits. The tone at the top is very important. Let us hope that the tone is a good and fair one.