Data and privacy in the aftermath of Cambridge Analytica – Normal Deviance

The Facebook – Cambridge Analytica saga has dominated headlines. It has been a useful case study for companies thinking about their data and partnership arrangements.

There has been plenty of coverage on the Cambridge Analytica controversy in the media. The company obtained access to 87 million Facebook profiles via an online personality test, allowing it to place highly targeted political advertising. Actuaries generally deal with large amounts of data, much of it sensitive, so it’s worth reflecting on the lessons we can draw from the saga.

1. You cannot shut the door once the horse has bolted

This story is the second recent high-profile case where a company tried to solve the problem by asking a third party to delete data it should not have had (Uber being the other). It’s clearly an awkward strategy, and there’s no real way to verify that data actually gets deleted. In the case of Cambridge Analytica, a related issue was the existence of derivative information (highly detailed ‘models’ that encoded much of the data) – this was not covered by the promise to delete.

2. Avoid inconsistencies between what data people can access and what they are allowed to access

One of the issues is that access to the behaviour and likes of friends was available to the researcher who supplied data to Cambridge Analytica. The use of friends’ data for targeted advertising was against Facebook’s rules, but the data access loophole meant there was a mismatch between what people could do and what they were supposed to do.

In Facebook’s case, it wasn’t a particularly hard loophole to fix either – they quietly removed the functionality recently.

3. Think through what data you have and who is using it

Data is one of the key assets for companies. The incentive to hold and use data to inform marketing and other business functions is very strong, but it also increases the risks. Many companies are moving from a ‘keep everything’ mentality to a more strategic view of what data is important, and what can be done to reduce their residual data risk. Credit card data is an obvious example – retaining these details on file may make future customer transactions easier, but there is a significant risk to manage and outsourcing to third party payment apps might be preferable.

4. Responding to a data breach

The response to a crisis is often as impactful as the original event. An honest mea culpa is compulsory, and best not delayed too long. People will track such statements carefully, particularly around what level of responsibility the company is assuming. Because crisis events require quick and decisive responses, forward planning never goes astray. Having a practised response process can lessen the resulting fallout.

Longer-term, there is also an expectation of improved practices and policies to prevent similar events from occurring. Facebook has been proactive in supporting tighter controls internationally, in line with its European compliance obligations (although perhaps actions speak louder than words).

5. The regulatory elephant in the room

Facebook seems to have survived relatively unscathed, in part thanks to its unassailable position as the biggest social network company. The share price impact has been visible but modest.

The more substantive issue, relevant to companies in Australia, is that every high-profile data breach increases the momentum behind stricter privacy legislation. Many would welcome better safeguards for consumers, but it creates a quandary for companies – should they invest in analytics that maximise what they can do, or should they factor in expected tightening in future privacy rules and be less aggressive?

No Australian company has the same set of data and risks as Facebook, but we all have risks and responsibilities around data. Customers are the ultimate arbiter of what is appropriate use of their data, and are increasingly aware of the issues. With notifiable data breach reporting laws coming into effect this year, the need for companies to be diligent data handlers continues to rise.

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.