The Business of Privacy

University economics classes provided me with some great terms, like “negative externalities”. A negative externality is a cost suffered by a third party to a transaction. Group A is producing widgets for Group B, but dumps expensive-to-clean-up waste into a river of drinking water that Group C uses. Group A produces at a lower cost, Group B gets the benefit of that production, but Group C bears the cost. That’s a negative externality.

There are two basic ways we, as a society, deal with those issues. We can accept them, or we can seek government intervention. The basics of a business education suggest that government exists to provide a framework and level playing field for market participants. Government is the only entity with coercive powers. In the United States, this power is expressed through both legislation and the court system. Either can impose penalties for failure to live up to standards. Regulation isn’t “bad” or “good”; it just changes incentives for different parties, hopefully resulting in fairer outcomes for all stakeholders.

It is understandable how Equifax, as a company, had loose controls. There is a constant drive to reduce IT costs, even for companies in the business of information. “Do more with less” can strip IT departments of both personnel and knowledge in a race to the bottom: do enough, and just enough, to conduct business and no more. In all, Equifax had few incentives to be responsible in a data breach that affected nearly every adult citizen of the United States. The current environment has been favorable to deregulation of business. Third parties, which include every person who had their personal data exposed, have no power and were therefore not considered when the company made its choices. While this is understandable, it is not acceptable.

My interest in privacy and security is rooted in my interest in ethics, and I want to inspire you to share that interest. Business leaders must be responsible and accountable for the actions of the organizations they lead, and we must give our people and projects an ethical framework to do business in. It is essential that we be good corporate citizens, and live up to the trust that society has placed in us.