“Do unto others,” the Golden Rule says, “as you would have them do unto you.”
Everyone knows the Golden Rule. It’s a simple bit of moral philosophy that tells us to treat others the way we would like to be treated. Though most of us strive to be the best possible version of ourselves, as individuals we all occasionally fail to follow the Golden Rule.
But to (almost) quote David Bowie, we try.
Oh, we try.
What about companies, though? Do they consistently try to follow the Golden Rule? When it comes to data security, unfortunately many do not. When a business fails to protect sensitive data, or fails to mitigate the impact of a data breach, is it treating its customers the way it would like to be treated?
The answer to that question is an all-caps “NO.”
Employees who carelessly toss sensitive data into a dumpster, and companies that fail to take the corrective action the law requires after a data breach, are not treating customers in a manner consistent with either the law or consumer expectations of what a decent, humane company looks like in the 21st century.
When we were children, breaking the Golden Rule was usually accompanied by a lecture from a parent or teacher, followed by a relatively trivial punishment like being grounded from Saturday morning cartoons. Missing The Smurfs may have felt like a pretty severe punishment when you were a kid. The punishment companies receive for failing to adhere to the Golden Rule when it comes to data security, however, is now being measured in the millions and billions of dollars.
Google was recently in the headlines after France’s data protection authority (the CNIL) fined it €50 million (about $57M) under Europe’s General Data Protection Regulation (GDPR). The fine was the result of Google failing to clearly disclose how data is collected across its services (including the company’s search engine, YouTube, and Google Maps) for the purpose of creating personalized ads, and failing to obtain valid consent for that use. In plain English, Google was spying on, getting creepy with, and finally lying to (or, at least, withholding the truth from) its customers.
In even plainer English, Google broke the Golden Rule—and paid a steep fine as a result.
In 2012, the pharmacy chain Walgreens agreed to a $16.6M settlement with California prosecutors after it broke the Golden Rule (and the law) by discarding prescription receipts and pill bottles containing patient names, dates of birth, drug names, prescription record numbers, and other sensitive patient data in dumpsters outside more than 600 stores.
In 2018, Facebook disclosed a massive data breach in which attackers stole access tokens, and with them access to the private information, of roughly 50 million users (a figure Facebook later revised down to about 30 million). Because its European corporate headquarters is located in Dublin, Facebook answers to the Irish Data Protection Commission, and there is talk that the penalty it levies will be the largest fine yet under the GDPR. In this case, failing to adhere to the Golden Rule (and EU law) could cost Facebook billions of dollars.
That’s billions—with a big capital B.
At CSR Privacy Solutions, we provide a suite of services to data security companies (including shredding companies) that serve small and medium-size businesses (SMBs). Those services help ensure their customers remain compliant with local, national, and international data security and privacy protection laws.
That’s what we do.
But helping companies avoid fines isn’t the main reason we are passionate about proper, ethical, legal handling of sensitive data.
We believe that in the 21st century, privacy protection and data security are moral imperatives. The fines levied against companies like Google, Facebook, and Walgreens play an important role in ensuring companies comply with the law. That said, fines do not undo the personal trauma customers and users face when their data is carelessly and illegally handled.
Multimillion- and even multibillion-dollar fines are important enforcement actions, but true data security only exists for the customers of businesses that understand privacy protection isn’t just a matter of legal compliance and fine avoidance.
It’s about treating others the way you want to be treated.
It’s about the Golden Rule.