Help Net Security — Companies need to be custodians of customer data, not owners

Posted on Jan 29, 2015 in Blog & Opinion |


custodians of data

Help Net Security: Companies need to be custodians of customer data, not owners

In an opinion piece published by Help Net Security, Protegrity CEO Suni Munshani argues that businesses must change their mindset and realize that they are not “owners” of their customers’ data that must be monetized, but rather “custodians” of data that needs to be protected. It is republished below in its entirety. The original can be found here.


When U.S. President Barack Obama recently called upon education service providers to safeguard student privacy by following a set of commitments regarding the collection, maintenance, and use of personal information, more than 80 companies signed the White House-backed pledge.

Apple, Microsoft, Shutterfly, Follett, Houghton Mifflin and other well-known K-12 industry players have all agreed not to sell student information or to target students based on data about their behavior. They also promised to limit how long they retain student data, to support parents’ access to their children’s information, and to correct errors when they occur.

Due to the fact that most students are under the age of legal consent and only beginning to establish a “digital footprint” that will follow them the rest of their lives, it’s not hard to understand why so many companies that serve this market agreed to follow a set of rules aimed at protecting the privacy of this special class of consumer. It’s a no-brainer, right? Wrong.

Conspicuous by its absence on the list of pledge signatories was Google, a company whose suite of e-mail, calendar, remote storage, word processing, presentation and spreadsheet applications are used by more than 40 million students, teachers and administrators. Google claims that its own contracts and policies already demonstrate its commitment to student privacy. However, Google would not say which, if any, specific commitments outlined in the industry pledge were objectionable or would require the company to change how it currently handles sensitive student data.

According to a study by Pew Research, 91 percent of consumers feel that they have lost control over how their personal information is collected and used by companies. Google’s “just trust us” response to reasonable questions about its customer data privacy practices flies in the face of that widespread concern. And while so many organizations signed the student privacy pledge, it’s likely that more companies would side with Google if a similar pledge was proposed to better protect the personal information of their adult customers.

The DNA of business is profit and profit enhancement. The extraordinary possibilities of monetizing the data they possess about their customers is too great for them to pass up. Right now those organizations that are the best at leveraging the vast amount of data they collect are winning in the market. As a consequence, different groups and departments within enterprises are finding new uses for this data. The speed of this innovation is moving at such a rapid rate that the fundamentals of data loss prevention and the responsibilities of protecting this data are being forgotten. This is allowing many security gaps to be created.

As evidenced by the ever increasing number of data breaches reported each day in the news, we need to put the brakes on this lax attitude toward data privacy and protection. This change will not likely come from the boardroom but rather from legislation being driven by citizens fed up with their personal information being exposed. In addition to the Student Digital Privacy Act mentioned earlier, President Obama introduced a series of initiatives designed to better protect consumers from identity theft and safeguard everyone’s privacy, including a new Consumer Privacy Bill of Rights.

Whether forced by law or their by their own initiative, businesses must change their mindset and realize that they are not “owners” of their customers’ data that must be monetized, but rather “custodians” of data that needs to be protected. The minute businesses start thinking of themselves of custodians of their customers’ data, they will think a lot harder about how that data is accessed and used. They will put in place protections to keep it out of the hands of people – both inside and outside of their companies – who don’t require it.

Companies who become better custodians of their customers’ data also don’t simply build walls around the places where data is stored. They realize that the only way to secure sensitive data is to protect the data itself in such a way that still allows the data to flow through required processes but is unable to be understood by anyone who doesn’t have permission to access it. In other words, even if hackers were to get around the firewalls and other defenses put in place around the data, all they would see is meaningless gobbledygook.

Enlightened companies will also give their customers the power to decide what data about them is collected and retained and how and when it is used. Tools should be created to provide a more transparent view of the data companies have on their customers and to enable individuals to put a value on their personal data and be compensated for the use of that data by others.

As more consumers awaken to these issues, businesses that think and act as custodians rather than owners will be able to acquire and keep customers based on their reputation for safely protecting their sensitive information. Centralized, data-centric security will be a competitive advantage. Privacy will be another trait or brand attribute customers use to determine who they will do business with.

Organizations that are not at the cutting edge of their industries when it comes to data protection should be fearful about losing market share to companies that are better custodians of their customers’ sensitive information.