Eleni Constant – ICLR Candidate
What is Privacy in the Age of Data Breaches?
Although the concept of privacy is not easily defined, most people are unified in the theory that privacy deals with the ability to control who is using your personal information and how they are using it.[1] People seem undeterred in the amount of online sharing happening on a daily basis despite the fact that some of the biggest data breaches in the world have happened in the U.S. over the past decade. Even though these online companies front privacy policies that put the online users in control, once personal information is shared online, it becomes data. Online companies are built and grown on the collection and use of personal data; thereby making personal data the cost users pay to participate in online exchanges. While there is an ‘implied social contract’ that online companies will take reasonable precautions to keep users properly informed about how personal data is collected and used and to secure against data breaches, incidents involving the misuse of personal data have only increased in the 21st century.[2] Between 2016 and 2017 alone, over 600 million online user’s personal information were compromised as a result of data breaches.[3] As recent as 2018, nearly 50 million Facebook profiles were impacted by the Cambridge Analytica data breach.[4] In a world consumed with non-stop daily online exchanges of personal information, how realistic is it for users to maintain this expectation of privacy? Furthermore, to what extent should companies be held responsible when there is a violation of privacy involving personal information due to data breaches or sharing with third parties?
How Effective are Privacy Policies?
How many people actually read the terms of service or privacy policies of online networking services?[5] From the 1970s to today, as the age of digitalization unfolds, the general approach to privacy protection adopted by online companies is an approach commonly referred to as ‘notice and choice’.[6] The idea behind this approach is to keep the digital user informed about the collection and use of personal information so as to allow that user “management control” over their personal data.[7] The main method for online companies to provide users with notice is through terms of service or privacy policies. Unfortunately, a large proportion of online users fail to read the privacy policies or have a difficult time understanding what they actually mean.[8] In fact, privacy policies are often filled with vague language and unclear terms as to how personal information is being shared to third parties, leaving online users clueless as to the myriad of ways their personal data can be accessed or harvested by other entities.[9] How then are companies tackling the issue of uninformed consent or data breaches exposing personal user information?
Third Party Liability & Cyber Insurance
Put simply, online companies tend to react to data breaches that affect a large percentage of their online users or receive negative media coverage. While some companies promise to update privacy policies and terms of services whenever changes are made to the methods of collection or usage of personal information, studies reveal that users tend to ignore these updates.[10] Recent efforts have been made by some online companies to employ clickwrap policies that prompt online users to either agree or disagree to continued services.[11] While clickwraps offer users an alternative to reading lengthy privacy policies, they do not assist in informing the user as to what they are consenting to and consequently act as more of a speed bump than an effective means of notifying online users of privacy concerns regarding personal information.[12] Given the ineffectiveness of privacy policies and other bottom-up strategies for notifying or informing online users of when and how their personal information is being collected or shared, it may be time to hold third parties liable for the misuse of personal information. By regulating third party behavior towards the collection and use of personal information harvested through first party relationships, online companies will have clearer guidelines as to how to frame their privacy policies regarding third party sharing. Additionally, minimizing cyber risk by offering cyber insurance and risk management services may promote more secure handling of the personal information of online users by online companies.[13] However, this approach may only further along an already growing issue with how online companies deal with data breaches and unauthorized use of personal information by third parties by adding another potential misuser to the mix: cyber insurance companies.
[1] Acquisti, A., Friedman, A., Telang,R., Is there a Cost to Privacy Breaches? An Event Study, ICIS 2006 Proceedings, p. 94 (2006), https://aisel.aisnet.org.
[2] Id.
[3] Amerding, T., The 17 Biggest Data Breaches of the 21st Century, (2018), https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html.
[4] Cadwalladr, C., Graham-Harrison, E., Revealed: 50 million Facebook Profiles Harvested for Cambridge Analytica in Major Data Breach, The Guardian, (2018), https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election.
[5] Obar, J., Oeldorf-Hirsch, A., The Biggest Lie on the Internet: Ignoring Privacy Policies and Terms of Service Policies for Social Networking Services, Information, Communication, and Society, (2018), https://doi.org/10.1080/1369118X.2018.1486870.
[6] Id.
[7] Id.
[8] Id.
[9] Shvartzshnaider, Y., Apthorpe, N., Feamster, N., Nissenbaum, H., Analyzing Privacy Policies Using Contextual Integrity Annotations, Sciendo, (2018), https://arxiv.org/pdf/1809.02236.pdf.
[10] Id.
[11] Id.
[12] Id.
[13] Talesh, S., Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as “Compliance Managers” for Businesses, Wiley Online Library, (2017). https://doi.org/10.1111/lsi.12303.
