[Full disclosure: I work for Microsoft, a Google competitor.]
Rick: How can you close me up? On what grounds?
Captain Renault: I’m shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
[sotto voce] Oh, thank you very much.
[aloud] Captain Renault: Everybody out at once!
The Wall Street Journal reports that Google has decided to appoint a Chief Privacy Officer and to train their staff after external reviews uncovered Google’s collection of personal data was far in excess of their original claims. I’ve already touched upon this event in a prior post, but further discussion is merited given the new information in this article.
- Training– I infer (or does the article imply?) that Google is not training it staff on privacy. “Mr. Eustace said Google would enhance training on the proper collection and use of data for its engineering, product management and legal groups. In December, all employees will be required to take a new information awareness program.” Having privacy training is pretty basic; doing it well is difficult. Here are some key requirements: (i) the content has to be accurate; (ii) the content has to be presented in an interesting way- this enhances learning and retention as well as resulting in positive word of mouth with the training and subject matter; (iii) you need to ensure there is a basic level of retention and ability to apply the knowledge, generally through testing at the end (or you could allow testing out at the beginning); (iv) you need to demonstrate effectiveness for example, you can administer 10 questions to a random sample of employees a month before the training and then administer the same questions to a random sample of employees a month after the training to see if there has been a general improvement (have a drawing for volunteer participants a free Zune (how is that for Microsoft product placement!); (v) no more than 30 minutes (unless you’ve managed to work in romance and action); (vi) it needs to be mandatory.
- Someone to make it all happen– “[Google] also announced several steps it would take to improve its internal privacy and security practices, including the appointment of Alma Whitten, who specializes in computer security, as director of privacy for both engineering and products.” I am a little suspicious of companies that, as a reactionary first step, appoint a security expert to be in charge of privacy. Security experts are very good with the technical and organizational measures necessary to maintain the security of data, but they tend to lack the requisite substantive privacy knowledge or to view data and its use and protection within an organization and industry, holistically. Also, you need someone able to deal with the regulators. I love my security gurus, but I’m not sure I would put them in front of a regulator as the voice of privacy within my organization. (It depends on the issue and the regulator though, of course. If you are post security breach and speaking to the FSA or FINRA, your security may indeed be the best person.) You need a person empowered to view privacy holistically and drive change across your organization. Your operating model will vary depending on the size and complexity of your organization, the volume and type of data, as well as it’s usage, but you did need a central person(s) who is a senior manager or reports directly to the senior manager. Also, the CPO must be articulate, an excellent public speaker, and persuasive. They need to create great internal trainings, persuade senior management of the importance of privacy and that budget is needed to support compliance, and be the face to an increasingly skeptical public (not to mention regulators).
- Credibility and incident management– Once you lose credibility, it’s very hard to get it back. Let’s look at a few lines from the article: “Google initially said the data was fragmentary, but external reviews discovered that some of the data was more complete than expected. ‘A number of external regulators have inspected the data as part of their investigations,’ Alan Eustace, a senior vice president in charge of engineering and research, said in a blog post. ‘It’s clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords.‘” Ouch! This hurts, particularly as it comes on the heels of the Spanish regulator’s actions, and, more distantly, the Italian convictions. It’s been months since this data collection came to light. Internal incident management should have uncovered the extent of the data collection. Your organization needs to get ahead of stories like this. You don’t want the regulators breaking the news- YOU need to break the news. It at least sends the message that you are on top of things post incident. It tells people you know how to clean up a mess. Don’t sit on the information and not do anything in a misguided attempt to minimize legal liability at the expense of reputation. It will ultimately gain you nothing and probably put you in a worse position. After putting the stop-gap measures in place, you to announce a major internal privacy initiative and then follow through with it. When backed into a corner, the only way out is to be better than everyone else.
I know, as pointed out by a colleague from Promontory, that Google’s share price has not gone down. But Google is fast approaching a critical mass where it might be hurt. Google remains primarily a consumer company with most of its revenues still from advertising. Sophisticated commercial customers will suspect serious internal failures in compliance and incident management. Those potential profits are very much at risk.