PRSA Dialogue: March 29, 2017
Suzanne Ross, APR
Are you providing educational and strategic counsel on cyber security and privacy to leadership and colleagues within your organization and the publics you serve?
As high-profile data breaches and invasive malware unfold in the news at increasing frequency, it’s an opportune time to use this heightened awareness to educate your stakeholders about data hygiene and preventive practices, as well as begin to develop a cyber security policy and scenario-based response plan.
Kathy Stershic, an information technology and policy expert from Dialog Research & Communications, led a dialogue on Wednesday, with the Public Relations Society of America National Capital Chapter’s Public Affairs, Government, and Accredited Public Relations professionals on “The PR Professional’s Role in Managing Data Privacy Risk.”
She explained, the increasingly complex and interactive devices in our environments through the Internet of things (IOT) such as sensors that monitor traffic lights and building functions, or devices with embedded and networked functions (glasses, watches, refrigerators, televisions and beds) can offer powerful social benefits, but they also enable an unwanted bridge into our private lives.
Discussion Focused on Conflict to Core Values
Stershic said, “From cyber breaches to data brokering, there’s a lot of confusion about what’s happening with our data.”
Collectively, event participants were mostly concerned about two issues:
i) Sustaining trust personally in their interactions
ii) Sustaining trust on behalf of the organizations and stakeholders they serve
- Assumption: The capturing of datasets on U.S. consumers through alliances and relationships is eroding trust.
- Response: Make trust central to your brand promise and core message.
What are the Legal and Regulatory Boundaries of Privacy Expectations and Implied Consent?
People in the U.S. hold strongly to rights under the Fourth Amendment of the Constitution that protects our right to personal privacy, also referred as the “right to be left alone.”
The Supreme Court Fourth Amendment case, Boyd v. United States, 116 U.S. 616 (1886), describes the invasion of privacy as not only physical, but applies to all “ invasion of his indefeasible right of personal security, personal liberty, and private property[.]”
Invasion of our privacy through these devices can have damaging outcomes not only to individuals but also to companies liable for exposure of embarrassing information and intrusion of privacy. Stershic said, “It’s an issue of brand trust as much as liability.”
Orin Kerr, a Professor at The George Washington University Law School explains, the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, applies from a legal point of view, only to actions of the government. However, the Fourth Amendment principles and assumptions also inform our common conception of the boundary between the public and private spheres.[i]
What Triggers Changed Public Opinions?
Data collection itself wasn’t objectionable until use of data conflicted with fundamental values. One participant at the event commented, “I didn’t realize that by signing a permission to using a database of an Internet service or wireless communication provider, I also gave them permission to share or sell my information to another third party.”
The U.S. third-party doctrine is your voluntary approval to third parties such as banks, phone companies, Internet service providers (ISPs), and e-mail servers to allow access to your information and you have “no reasonable expectation of privacy.”
Although you may have given your authorization for data collection, with the understanding that you were agreeing to principles to help prevent objectionable content, you may not have realized your risk exposure. While protections under the first amendment for the use of a person’s name or likeness for commercial purposes, or exclusive advantage and benefit, could result in misappropriation, or False light, requirements such as proof of knowledge and indifference to a person’s preferences and injury, make it difficult to pursue legal remedies. Anyway, after discovery, your reputation is already potentially compromised by adjacencies that are not necessarily “uniformly objectionable.”
Holding firm to the third-party doctrine, Facebook’s data use policy statement is explicit: “You give us permission to use your name, and profile picture, content and information in connection with commercial sponsored or related content served or enhanced by us.”
On the one side, the Supreme Court opined the terms of service contract did not extend to target advertising or create profiles of users’ preferences. The Court held that this distinction provided an appropriate way to draw the line between reasonable and unreasonable expectations of privacy, concluding that “[b]ecause the two processes were allegedly separate, consent to one does not equate to consent to the other.”[ii]
On the other side, Congress on Tuesday, repealed the Federal Communications Commission’s plan to roll out stronger privacy rules and protections administrated by the Federal Trade Commission. What impact this will have on the collection and targeting of messages to the consumer is unclear as this also changes the regulatory framework governing internet service providers and other telecommunication carriers.
Over the short term, the public and private sector will likely continue to reconcile and accept this practice as a tradeoff for preferred services and access to business opportunities reaching some four billion people globally at an estimated $4 trillion revenue opportunity. The benefits of free-market innovation are unlikely to be curbed unless a re-calibration occurs as a result of cyber intrusion, manipulation and impersonation influences public opinion, impact markets and public safety.
Follow-up: See Kathy Stershic’s FIVE Tips for Developing your Data Breach and Information Policy Toolkit coming on Wednesday, April 6.
Internet Association of Privacy Professionals: www.iapp.com
US State Breach Notification Laws: http://www.ncsl.org/research/telecommunications-and-information -technology/security-breach-notification-laws.aspx.
US Federal Trade Commission: http://www.business.ftc.gov/privacy and security
The FTC’s Data Breach Response: A Guide for Business and business blog, provide steps that businesses can take and whom to contact in the event of a data breach, as well as a model breach notification letter.
[ii] Google Inc. Gmail Litig., 2013 LEXIS 17278, at *13.