Building (and Breaking) Bonds of Trust
added: 11.14.2013, by Hiro Kataoka
I recently attended the annual Ponemon Institute conclave known as the RIM Renaissance. RIM in this context stands for responsible information management.
Attendees included a compelling mix of data privacy and information security experts representing the legal profession, government, technology, compliance, and consulting, as well as individuals from Canada and the EU.
Over the course of the two-day event, I participated in a lot of lively discussions and heard a lot of interesting thoughts from a variety of perspectives. Much of what was said was shared in confidence, but in the days following, as I considered what I heard, I was inspired to put my thoughts together to share with you via this blog (and on SlideShare).
One idea that came up again and again was the need to establish and maintain trust between the owners (disclosers) of private information, and those who collect that information, especially in our hyper-connected, digital world.
In that world the data collectors fall into three categories:
- Social Networking/Advertising: companies whose business model requires users to barter their personal information in exchange for the delivery of free services or entertainment. Facebook and Google are two well-known examples.
- Product and Service Providers: these organizations compete to sell their wares to the consumer and use the information they collect to better understand the consumer and provide a superior product or service. Companies like Amazon or your financial institution fall into this category.
- Government: while consumers have choices and a measure of control over the way they interact with the first two categories, we are often compelled to provide information to government agencies (think IRS). In some cases, these organizations may work behind the scenes and use their authority to collect information surreptitiously (think NSA).
However these organizations collect information and for what purpose, they all operate within a spectrum of trust that is based on a shared understanding between the data owner and collector about what kinds of information are collected and for what purpose, the proper use of that information, and what measures are used to protect and manage the information. When the collector clearly communicates and successfully fulfills its end of the bargain, bonds of trust are established and strengthened.
Breaches of trust are the result of some combination of three conditions: a lack of transparency, in which the collector withholds or fails to clearly communicate intent; a lack of security, in which the information entrusted to an organization is compromised; and a lack of responsibility, in which the organization or, in some cases, the consumer is found to be in violation of its terms of agreement.
There are times when circumstances transcend the usual one-on-one equation where a trust failure affects the relationship between one organization and its constituency. A rash of high-profile banking breaches may affect the entire financial services industry, for example. Or, as we have seen in recent months, disclosures of domestic surveillance by the highly secretive National Security Agency and the involvement of telecommunications and Internet service providers can create a pervasive atmosphere of distrust that permeates society.
Clearly, since the Edward Snowden disclosures first broke in May of 2013, that has been the case and, as a result, we are suffering a crisis of trust.
But there are opportunities to learn from these events and to take steps to regain trust, even in the current atmosphere. Increased transparency serves not only to make sure terms and intent are clearly communicated between data collector and data owner, but also to demonstrate that shared expectations have been met (or exceeded). It’s also a good time to review process and technological investments intended to implement safeguards against data loss or mismanagement.
Finally, take an objective assessment of the knowledge and tools available to the data owners that enable them to be aware of and in control of their personal and private information. An enlightened and empowered consumer is key to establishing an ecosystem of trust.
Policy makers and industry must step up to create, nurture, and protect trust so that everyone benefits. Consumers must also seek transparency as well as take more responsibility for protecting their own data privacy. After all, lack of trust puts consumers at risk, limits their online experience, and casts doubt on companies doing business online, costing them millions of dollars a year.