In a recent podcast I heard that “a penny for your thoughts” is now $2 for your privacy. Two Harvard Business School professors authored a case study to illuminate the digital privacy issues that students will face as newly minted MBAs. The case emerged from observations that business managers say they “care about privacy” while many “stop short of… actually doing something about it.” Research by the authors showed that 48% would sell their privacy for only $2. This contradicts consumer interviews revealing pervasive paranoia. The professors think the concern is largely driven by ambiguity: who is collecting what data, and what are they doing with it? In a familiar twist, the Google spinoff at the heart of the case study is described as having a “murky” revenue model. No one is certain how they are making money. For most digital platforms, if you are not a client, you are likely the product.
The case study sparks classroom discussion of privacy topics familiar to the fintech industry – data collection, data usage, data ownership and data sharing. The podcast struck a chord for me as we were in the midst of enhancing our privacy policies, further affirming our role as a custodian of user data. Client-driven annual independent reviews testing that controls are appropriate and operating effectively are huge investments. Interestingly, some firms intentionally restrict their market to the US, where privacy regulation is sparse, while avoiding sophisticated clients like global banks who impose high standards. More technology firms should view user data – even if the user is US-based or a smaller organization – as a valuable asset held in custody and entrusted to their care, not a profitable opportunity up for grabs behind the screen.
An interview with the case study authors
SOC 2 Report for AlphaPipe Data Portal (A Type 2 Independent Service Auditor’s Report on Controls Relevant to Security and Availability) April 1, 2018 to March 31, 2019