Privacy Technologies can save you money…
21 December 2007
Researchers in the Privacy Technology field have long warned that services collecting and keeping personally identifiable information may face hidden costs down the line — in case the data gets compromised! If those in charge of procurement took this risk into account, they would start finding that Privacy-friendly technologies, which cost more upfront, are cheaper in the long run. This would be true even without taking into account abstract costs, such as reputation loss, resulting from unauthorised access.
For a long time this theory went untested, but one case has emerged that puts a value on this risk. As an article from Infosecurity reports on the 17th December: the UK’s Financial Services Authority has fined life assurance company Norwich Union Life £1.26 million ($2.54m, €1.77m) for “not having effective systems and controls in place to protect customers’ confidential information and manage its financial crime risks.” (Emphasis added.)
This is a lot of money, and it would have been even more (NU got a 30% discount) if the building society had not fully cooperated from the start of the investigation. Given that in today’s world the probability of compromise of unprotected information is very high, this gives us an estimate of how much NU should have spent on Privacy Technologies to ensure they can conduct their business without collecting much data, as well as better protecting the data they do collect.
Incidentally, and more related to traffic analysis, another branch of Norwich Union runs wide-scale trials for Pay-as-you-drive insurance. They had better take note of what happened to their sister company, and change their technical infrastructure to something more privacy friendly: right now they simply collect and store the full location over time of all insured vehicles. Some colleagues and myself have written about a detailed architecture to provide the same functionality without the collection of such data:
Troncoso, C., Danezis, G., Kosta, E., and Preneel, B. 2007. Pripayd: privacy friendly pay-as-you-drive insurance. In Proceedings of the 2007 ACM Workshop on Privacy in Electronic Society (Alexandria, Virginia, USA, October 29 – 29, 2007). WPES ’07. ACM, New York, NY, 99-107. DOI= http://portal.acm.org/citation.cfm?doid=1314333.1314353