Leveson’s privacy lessons for business
The Leveson inquiry and the 2Day FM scandal highlight the reputational risks that data breaches pose and the need for businesses to adapt as attitudes to privacy and data protection evolve.
"Data protection has become one of the burning issues of the day,” UK judge Lord Justice Leveson told the UTS Communications Law Centre privacy conference in Sydney last Friday.
Justice Leveson’s inquiry into UK media ethics came into being because of a commercial privacy breach that allowed journalists to access the mobile phone message banks of murder victims, celebrities and anyone else in the news.
As the Leveson inquiry evolved, it became clear that poor privacy practices by businesses and government agencies had been the source of many UK tabloid stories for years and the results of those betrayed confidences had distressed families and cost people their jobs.
Last week’s 2Day-FM scandal is a classic privacy breach where a patient’s medical condition has been disclosed, and broadcast, due to poor procedures. The results of that have proved to be tragic.
Making privacy issues even more complex is the internet, or as Justice Leveson put, "the elephant in the room.” Easy access to poorly secured information has raised the stakes considerably for private and public organizations.
When computers became common in the 1980s, the information stored by businesses and government agencies exploded. As hard drives became cheaper and the internet appeared, the ability to acquire, store and process data using technologies lumped under the label ‘big data’ has become a basic business function.
The arrival of big data is portrayed as manna to marketing folk – and so it is – but it is also a target for enthusiastic journalists, hackers and anyone else interested in peeking into the dealings of customers and staff.
Around the world governments have been reacting to the data explosion by tightening privacy acts. Last month the twenty-five year old Australian Federal privacy act was tightened up with increased penalties for breaches to come into effect in March 2014.
One of the notable points in the amended Australian privacy law is the lifting of the prohibition of storing data offshore implied in the old act which predated the internet and widespread offshoring.
The role of offshore privacy jurisdiction is important as the tightened Australian law still falls short of those in Europe and parts of the United States. In the US, Delta Airlines is facing a law suit from the state of California over not stating the privacy policies of the company’s smart phone app.
Earlier this year the internet’s big four – Apple, Amazon, Google and Facebook – along with many other major corporations agreed to comply with California’s privacy rules. Delta is now facing the consequences of not submitting to the state’s legal requirements.
That a smartphone app could get a major US corporation in trouble should be enough to convince directors and executives of the importance of privacy policies. That the law is rapidly evolving in this area should also make businesses think carefully about their obligations.
Much of this discussion isn’t new. Similar privacy concerns were raised in the 19th century as new communications and business technologies developed.
Justice Leveson’s Sydney speech outlined how much of today’s privacy discussion has in common with the past – the arrival of the penny press, the telegraph and later the Kodak box camera created fierce debates about protecting rights and privacy which took nearly a century to be settled.
For the media there’s now the challenge of information becoming a commodity, driven by social media users and bloggers, many of whom have servers offshore that enable them to avoid local laws and regulations.
Overseas competitors and product commoditisation aren’t just threats to the news media business model. The same issues have radically changed the retail, manufacturing and services industries in recent years. Now privacy considerations have to be added to the challenges facing executives.
Some of the participants at the Sydney conference suggested that businesses need to be held liable for serious privacy breaches and it’s hard to see how increased penalties for lapses won’t become law in the foreseeable future.
Even without stronger laws being passed, the reputational risks to businesses of data breaches are substantial – as Sony discovered after a series of security lapses in 2011.
The training of staff and changing management views on the value of data is as important as any technological measures. Much of this will change as attitudes to privacy and data evolve.
"Our view of privacy may change,” Justice Leveson said at the conclusion of his Sydney speech, "the question for us in this century will not simply be how to protect it, but what it is that we seek to protect.”
Like many areas, privacy and data protection is evolving as technology changes the way our businesses operate. Lord Justice Leveson’s presentations in Sydney and Melbourne should serve to remind business leaders that those changes aren’t just risk to media organisations and public servants.