We All Care About Data Security, Except When We Don’t

It should be clear by now that we are most comfortable expressing our thoughts in the form of movie quotes, falling as we do into that demographic of Americans who believe that if you can’t say it with a gif from an 80s movie, you don’t need to say it at all. Really, it works very well and helps fill in those awkward silences at family dinners, PTA meetings, or weddings. Some of these lines, of course, are better than others, and few rival this gem from The Princess Bride:

Image result for you keep using that word gif

It’s perfect, really, because it allows you to throw shade, but to couch it in Mandy Potemkin’s best pre-Saul Berenson performance.  It also sets out the perfect response to a situation where, either intentionally or unintentionally, people take two positions that completely contradict one another. Like, for instance, when two surveys, released on the same day, indicate that consumers are, somehow, simultaneously losing their trust in digital services because of privacy concerns while also less concerned about privacy than at any point in the last five years.

Wait, what?

As you can read in the first report, people worry about the causes of data breaches at the companies where that they do business. For instance, most of those who responded stated that they would not use a company, or that they had, in fact, stopped working with a company, in response to a data breach. This dovetails with other findings that have similar results; in particular, respondents say that they are more likely to avoid using a company that is had a notable data breach then a company that has not. And that makes sense.

Image result for target lady snl gif
Target got serious about ID verification.

Everyone seems to recognize that the potential consequences of a data breach – including some stolen identity, misuse of personal financial information, misuse of personally identifiable information, etc. – are the kind of things that you like to avoid if possible. In the same way, research demonstrates that companies which respond to a data breach, like Target in 2015, are able to recoup some of their lost business by demonstrating a commitment to the privacy and security of the information that they hold.  Target’s steps were fairly drastic, though, including the resignation of their CEO.  The takeaway was clear: the public was attuned to (and cared about) data security.


Except, apparently, not so much.  The second survey, taken by Axios, examining consumer attitudes about security and privacy, revealed that a large number of Americans are less concerned about privacy, less focused on data security, and less likely to be data savvy than at any point in the last five years. This, coming on the heels of some of the largest data breaches in history, like Equifax, Anthem, Yahoo, and others. Axios’s report demonstrates that the number of people who are focused on data security issues has dropped from around 27% to around 18%.

Image result for who cares gif
Fun fact: You can replace “public opinion” with “Michael Scott,” and it works just as well.

How can we reconcile these two surveys? It may be that consumers are not thinking about data issues cogently. What do I mean by that? Well, if you think about the approach that many businesses to take into the GDPR in the past three months, It’s pretty obvious that there is a bit of doublespeak going on in the United States. There’s plenty of talk about data security, but fairly little action from the average consumer, and so little incentive for American businesses to be aggressive about promoting data security practices (unless they have a presence in Europe, or they’re trying to get into Europe, or they Europe just happens to be a component of their business plan). Indeed, many Americans seem to think of data security as something more oriented towards national security, then their own personal information. That’s a makes advances in data security and privacy law unlikely, because there won’t be any comprehensive legislation unless consumers/voters demand it.  Of course, when they do, the businesses that have already made privacy a part of their business model will reap the benefits.

Image result for take my money gif

So what should we make of the apparent conflict between these two studies? For us, it’s a matter of perspective. Or, to put it more directly, a matter of changing perspectives. We have to work to resolve the disconnect between the way businesses see data security and the way consumers see privacy. Because, in many ways, we’re talking about the same thing, but using different language for it. As long as people believe that there is a disconnect between data privacy best practices and the operations at the businesses where they shop, there’s never going to be much push in the American public for a comprehensive approach to data security.

Why would businesses want that? Because in the absence of a clear standard and a clear-cut approach data security, we are going to be wandering around coming up with different laws and standards across jurisdictions and industries. As we’ve seen in Europe over the past 20 years, a multiplicity of approaches never leads to a good outcome for anyone – business, data subjects, government, or otherwise. In the end, what’s necessary is the development of an approach to data security and privacy that provides everyone with consistency and clarity.  Creating that kind of consensus is difficult, but worthwhile, and requires collaboration from stakeholders.  And rather than waiting for legislators to decide what to do, it can start within your business — have these conversations internally so that, no matter what the outcome, you’ll be thinking about the questions that matter.

Leave a Reply