Daphne van der Kroft of Bits of Freedom talked at the GovCert 2010 symposium about new proposals for making it mandatory for companies to report loss of personal data. At the end she posed the following interesting question. Should companies be fined for losing personal data, or not? Which of the two approaches would be the most effective to decrease this privacy problem?
Actually, both approaches exist already, in completely different domains. The fine-for-data-loss model corresponds to the current approach to reduce environmental pollution: the so called polluter-pays model. The report-without-repercussion model on the other hand is used in the airline industry.
In the past, the problem with environmental pollution was that for industries the environment was, in economical terms, an externality: the cost of polluting the environment was not borne by the polluter, but by society at large. By (heavily) fining a polluter for environmental pollution, the cost of pollution becomes part of the economic equation. As a result, pollution by industries has decreased significantly.
In the airline industry (and in health care as well), a report-without-repercussion model is used instead. In this model, after an incident (a plane crash, or a fatal medical operation), the people and organisations involved that cooperate in the investigation of the incident are assured that they will not be prosecuted. This ensures that all parties will fully cooperate to determine the cause of the incident. As more parties cooperate, and more information about the cause of an incident becomes available, it will be more likely that the cause of the incident is found so that the problem can be fixed. This model has helped to improve the safety of airlines.
So, how well do these approaches apply to data loss?
The fine-for-date-loss model will make data leaks part of the economic equation. But it will also make businesses wary of reporting data leaks in the first place. If they can get away with not reporting (even if reporting is a legal requirement), they will probably not report. As a result, we, as society, will not have a proper picture of the scale at which personal data is lost, and by which means. And with that information missing or incomplete, we cannot solve or mitigate the data loss problem.
The report-without-repercussion on the other hand will remove an important barrier for reporting data loss. Of course, businesses like banks or in health care may still want to protect their reputation by pretending nothing is wrong. To overcome this hurdle, a less public way to report data loss should be chosen. But in this model, businesses that worry less about their reputation will still have no incentive to prevent data loss. The data loss problem is again unsolved, not because of lack of knowledge, but because of lack of incentives.
Both approaches are thus seen to be ineffective. But I believe both contain part of a solution. Make reporting data loss mandatory. Make sure that reporting a data loss is not punished, unless the same way of losing data was reported by the same organisation before, and the organisation is unable to prove that it made a reasonable effort to prevent the problem from happening again. If they fail to do so, the penalty should be high enough to matter to them, businesswise.