Over the last two decades, the primary contribution of information technologies in firms has been about efficiency and enablement: to improve processes, make people more productive, reduce time to market, or enable things that couldn't be done previously. The focus has been on costs and payoffs. This decade is witnessing a new challenge: data. There is suddenly too much of it, and while firms rush to mine it, they do so without adequate regard for the risks in keeping and using it.
Hardly a week goes by without yet another major breach or scandal involving data. The last month has been particularly bad. TomTom sold location data to law enforcement without asking its consumers, Apple has been gathering consumer movement and use data on its devices, while Epsilon and Sony were hacked, with sensitive data on hundreds of millions of individuals stolen. Despite reassurances from these companies, it is hard to be certain whether and when this data will be misused. More importantly, the reputations of these companies have been badly damaged.
Are these incidents any different, in terms of their potential impact on the franchise, from product recalls due to defects in industrial products? Not really. And perhaps some companies are beginning to realize this. Indeed, one major positive development from the Sony fallout has been the company's creation of a "Chief Information Security Officer (CISO)" position. This is a laudable step that others should follow. But it doesn't go far enough in acknowledging the real problem.
Sony and many other firms view the security and use of data as a technical problem. But in fact, the governance of data is a management problem. The lapses we are seeing are not technical ones, but failures in management. Where data is the lifeblood of commercial activity, its management in many industries must reside in the C-suite, not in the trenches.
Lapses in data governance in data-dependent industries are no different from product defects in the physical world. The reason is simple. Increasingly, it is information itself that is the product, with technology being the critical conduit for its exchange. Many industries that touch our lives on an everyday basis involve information products. If one considers the firms that we deal with every day, such as Google, Facebook, banks, media, and telecommunication companies, their products are information-based. Even when there is a physical product, digital interaction with consumers transforms part of the consumer experience into one that is information-based. Information products have different properties from traditional physical products and are subject to different economics and risks. Furthermore, the growing volume of data created as a by-product of this digital interaction brings with it significant benefits as well as risks.
CEOs who are insulated from technology have largely failed to grasp the implications of this shift in the role of information technology from enabler to product and still expect their technologists to deal with all aspects of data. This is a mistake. They must partner actively with their CIOs in assessing the importance of data to their product or service and the franchise to avoid the reputational risks from the lack of effective data governance.
When an automobile has a defect, it involves the CEO. If a brake or gas pedal is defective or a tire substandard, the CEO steps in immediately to manage the fallout and address the company's customers directly. The same must be true for data breaches and misuse. The Sony data breach was an important milestone in that its chief apologized, albeit somewhat late, for a defect in its information-based product. While Sony appointed a dedicated CISO to deal with data security, it didn't go far enough in acknowledging that this is a management problem, not a technical one.
We believe that firms need to give the same level of importance to their firm's data governance policies as they do to their company's products, financial reporting practices, or brand equity management. Viewing data privacy management through the lens of network management or potential liability is too narrow. This isn't a legal, technological or compliance issue. Rather, it's an executive matter, one made more critical by the continual increase of data and the corresponding increase of risk in cyberspace. As devices become more powerful, providing more and richer electronic touch points to human activity, the scope of available electronic information explodes, and the associated risks to handling these data also grow exponentially. Companies actively collect and mine this data and even sell it without considering the risks, as the recent Apple, TomTom and Epsilon incidents reveal.
These developments strengthen the case for the CIO being a full-fledged member of the C-suite and embracing the new role of managing their firm's data with a more holistic and strategic approach. CIOs should partner with their CEOs in putting in place a coherent and transparent policy that defines the frequent and deliberate choices about what data to acquire, keep, use and share. A first question that such a policy might answer is: Do we keep too much data? Our research (in conjunction with NYU research scientist Jessy Hsieh) suggests that the answer to this question is generally "yes."
The less data you keep, the less you need to worry about keeping it secure. Next, it is essential to have a clear idea about the use of the data you keep, and specifically, to assess whether this use is congruent with the customers' intent when they provided it to your firm. We have developed a framework that provides executives with a roadmap for answering these questions, the details of which are available in our working paper titled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers," available from the Center for Digital Economy Research at the NYU Stern School of Business.
It took a global financial crisis to get the public to pay attention to systemic financial risk. There is equivalent and growing systemic risk in cyberspace. We hope it does not take a massive data breach at an Apple, Google or Facebook to make data governance a top executive priority. Because once that data is out there, it's out there for good, and there's no taking it back.
Vasant Dhar is the Daniel P. Paduano Fellow and Professor at NYU's Stern School of Business, and Director of Stern's Center for Digital Economy Research. Arun Sundararajan is the NEC Faculty Fellow and Associate Professor at NYU's Stern School of Business, and a Distinguished Academic Fellow at the Indian School of Business for 2010-12. Vasant and Arun conduct research about how information technology transforms markets and corporate strategy, with expertise in privacy, business intelligence and digital business models.