The rising threat of privacy debt

New privacy regulations and growing security risks are forcing companies to rethink how they manage customer data

privacy by design
  • Failing to properly manage and protect consumer data is creating troublesome “privacy debt”
  • New privacy regulations and the threat of breaches put corporate data management at risk
  • Stronger data-management policies and practices limit exposure to privacy risks

Businesses and consumers will generate more data in the next three years than they have in the previous 30, according to a global estimate from IDC. Personal data from customers will account for roughly half of the total amount, yet most organizations rely on weak policies and procedures that govern how that information is stored and used.

As a result, many companies are falling into what experts refer to as “privacy debt,” the notion that lax management of customers’ private information can put organizations in a hole that, in the event of a data breach, requires financial and operational resources to fix. (The concept is similar to that of “technical debt,” defined as the future cost a company incurs by delaying the replacement of underperforming or deficient technology assets.)

Privacy debt: The idea that there are financial, reputational, and operational consequences to mismanagement or misuse of customers’ private information.

The prevailing idea behind privacy debt is that companies with inadequate privacy-management tools are more likely to accumulate “debt” not only from data breaches but also from the extra expense required for compliance and IT resources and staff, not to mention regulatory penalties and legal actions. Companies face a growing number of sanctions if their data practices violate government privacy regulations, such as Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Protection Act (CCPA).

Paying off such debt can be expensive. Avoiding it — the better option — requires a combination of proper tools and best practices.

“The existential threats of COVID, recession, and global competition are forcing most organizations to go digital, fast,” said Barbara Kay, senior director of product marketing for security and risk at ServiceNow. “Privacy debt is accelerating with a maturing regulatory environment and consumers’ greater expectation of corporate transparency, control, and accountability. Competitors who have less privacy debt will move farther, faster, and cement their advantage in the market.”

“If you are already behind or providing the most minimal support for data privacy,” Kay adds, “each new digital service you implement or create adds more friction, and more debt. It means your company is on the wrong side of the digital divide.”

Big data, no plan

The magnitude of the privacy debt problem became apparent to Alex Ferrara, a partner at the venture capital firm Bessemer Venture Partners, in discussions with chief privacy officers. Ferrara said the executives described how their companies held users’ private information in multiple databases with little visibility into how much data they have or where it is stored, and no plan to manage it.

“While many tech companies were architected to collect data, they were not necessarily architected to safely store data,” Ferrara wrote in a September 2019 report. “Today there’s not just a rift, but a chasm between where data privacy technology, processes, and regulations should be and where they are, thus creating massive amounts of privacy debt.”

Privacy debt may begin accruing from simple mistakes; for instance, if a call center rep stores a customer’s Social Security number in a chat transcript, leaving the company vulnerable and virtually blind to the threat. It’s not a theoretical problem. Nearly 6 in 10 companies aren’t able to ensure full compliance with data privacy regulation, according to a recent white paper from FTI Consulting.

Companies collect vast amounts of “personally identifiable information” (PII) — names, driver’s license and Social Security numbers, bank accounts, medical records, and other types of sensitive personal information.

According to the FTI report, 42% of executives surveyed said they aren’t building privacy functions into the design of their products and systems; nearly twice as many said they are vulnerable or very vulnerable to a data privacy crisis.

“It’s become a pretty insidious problem,” says Mark Settle, an expert and author on IT management. “Because so many forms of PII have been collected, with different tools, put in different places and forgotten about, in many cases by the people that originally collected the data.”

Reduce privacy debt with an audit

To eliminate privacy debt, experts say, a company must first understand where and how much sensitive customer data it holds. Then, it needs to catalog and classify that information.

Companies then need to encrypt, anonymize, or otherwise camouflage private data so it becomes useless if exposed. Social Security numbers would be a good place to start.

Companies also need to control access to sensitive data and be able to detect any illegitimate movement of it.


of executives surveyed said they are vulnerable or very vulnerable to a data privacy crisis

Poor data management practices by a company’s outside partners can be a significant, and often unrecognized, source of privacy risk. After all, the average enterprise shares data with 730 outside vendors, according to FTI. Cathy Scerbo, the vice president and CIO of the International Association of Privacy Professionals, cites a report by data privacy platform provider Osano that found that two-thirds of all breaches were the fault of third-party vendors.

(A major update to HIPAA, the U.S. health care privacy law, explicitly expanded the responsibility a health care provider has by including their third parties — legal, billing, suppliers.)

Some organizations are now paying more attention to their privacy infrastructure. Last December, Apple Inc. began requiring third-party developers of iOS applications to reveal what user data their apps collect, how they get it, and what they use it for. The information is presented in “privacy nutrition labels,” where users can see how their privacy might be affected, but it’s still too early to tell how effective such labels will be. Truyo, a privacy-rights management company, hosts a portal that companies can integrate into their digital offerings that tells users how their data is being used and how the usefulness of an app may be affected if the data is removed.

Setting the right example

Twilio may be an example of a company that has succeeded in avoiding privacy debt, Ferrara says. (Ferrara’s Bessemer Venture Partners was an early investor in the company.)

Twilio offers a platform that enables developers to incorporate communications capabilities into their software. It works in the background of many applications. In the process, it collects a variety of personal data from its developer customers, such as their contact and billing information and IP addresses.

Privacy debt may begin accruing from simple mistakes.

To safeguard that information, the company enforces what it touts as a “no shenanigans” privacy policy, designed to comply with the GDPR and similar local regulations. An important feature of the policy, and a requirement of the GDPR, is “data minimization,” which informs customers what data it processes and why, and explains how long the information is kept, among other things.

The company also gives developers tools to help them manage the data that Twilio processes on their behalf. Consumers can choose to let the developer keep the full text of an SMS message, or just the metadata.

“It’s about giving customers options,” says Sheila Jambekar, Twilio’s deputy general counsel for privacy and product. “If they can’t get at it, and they can’t make decisions about it, then we shouldn’t be holding it.”