Collect all the data. Store all the data. Once you've got a massive reservoir of data, you'll be able to answer all the questions the business wants to ask, right? Maybe you can even anonymize the data, package it and sell it, driving revenue to the bottom line.
Not so fast. Monetizing that data may well be the right decision for your company, but it's important to recognize that your data may represent a massive liability from a legal and security perspective, says Jennifer L. Rathburn, partner with law firm Quarles & Brady and a specialist in data management, data breach and privacy and cybersecurity issues.
"Anyone who does cybersecurity and data breach work would say never to retain more than the minimum amount that you need because of the risk of a data breach," she says. "It's really a balancing act. Don't just collect all the data you think you want. You have to have a good business justification for collecting it because it can be a liability."
The Value of That Data
It's clear that data initiatives offer myriad opportunities both internally (streamlining processes, customer insight, enabling new products, etc.) and externally (selling data to third parties). As an example of the latter, Rathburn points to Carolinas HealthCare System, which buys patient data (like credit card purchases) as a data source that it uses as part of an initiative to predict and prevent illness.
Such uses have the potential to transform your business, but they also may expose your organization to considerable risk. In a paper published last month, Rathburn and Associate Simone Colgan Dunlap note that regulatory issues may just be the tip of the iceberg.
"One of the biggest risks associated with use of big data stems from regulatory issues," they write. "The regulation of data is complex and is shifting rapidly. Accordingly, a critical part of creating a successful data monetization strategy involves understanding regulatory constraints related to data acquisition, use and disclosure."
The U.S., for instance, has a confusing array of federal and state laws that address privacy, mostly by industry. Violation of these laws can result in big fines, criminal penalties or lawsuits.
Rathburn and Colgan also note that the U.S. Federal Trade Commission (FTC) has broadly interpreted its authority under Section 5 of the FTC Act, which empowers it to pursue enforcement actions against entities for "deceptive" or "unfair" practices. These enforcement actions can result in consent decrees that require periodic audits for up to 20 years, with fines for those that find themselves in violation.
"Chances are, if your organization is operating within a regulated industry, you are aware of applicable data privacy requirements," Rathburn and Colgan write. "But, mitigating risk requires organizations to go beyond awareness to developing what the FTC has dubbed 'privacy by design,' or building and periodically re-evaluating workable privacy protections into policies, procedures and products."
Who Owns the Data?
There are also contractual sources of risk to consider. Just because you have access to certain data, that doesn't mean that you own the data or can use it in particular ways.
"Everyone thinks the data they have is their own," Rathburn says. "Do you really own that data? Are you getting it from a company you contract with? Are there restrictions on how you can use that data? Do you have the legal authority to do what you want to do with it?"
Rathburn and Colgan note that restrictions on data use may be buried in ownership or confidentiality provisions, meaning your organization needs to conduct a careful review of existing contracts to determine the parameters of relevant restrictions and how they affect the intended uses of your data initiative. And going forward, your organization should determine how it wants to use data, how it needs to use data and then make sure all future contracts are negotiated with those wants and needs in mind.
That anticipates another potential source of risk: your relationship with consumers. It's not enough to simply meet the legal requirements associated with your use of data, Rathburn says. Those requirements form a baseline, but you must balance the potential economic upside to your use of data against reputational harm.
"Keep in mind that angry consumers can do more than sheath their credit cards and tweet scathing reviews," Rathburn and Colgan warn. "U.S. common law has handed consumers a serious weapon in the form of privacy torts -- i.e., no caps on damages, potential for class-actions, torts with a capital 'T'."
"If you can't lock down your big data and segregate it off, you really need to make sure you're only keeping the minimum necessary amount of information," Rathburn adds.
Big Data Questions to Ask
Here are some questions Rathburn suggests you answer with relevant stakeholders at the outset of a new data initiative:
- How is the data collected?
- What type of data is collected?
- Is the data coming from outside the U.S.?
- Are we a regulated entity (e.g., healthcare provider, financial institution, etc.)?
- What does our Privacy Notice say?
- Was consent obtained from individuals?
- If de-identified data is being used, how is de-identification being accomplished and is it in accordance with applicable law?
- What do our contracts provide about data use and monetization?
- How and where is the data stored?
- What purpose do you want to use or disclose the data for?
- Do we have cyber, privacy and breach notification policies and procedures in place?
- Are we periodically conducting risk assessments related to data?
- Will we receive any remuneration for the data?
Rathburn stresses that you shouldn't allow yourself to become too gunshy to use data -- "No risk, no reward," she says -- but it is essential that you stay aware of the risks and plan for them.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.