The Hidden Cost of Security-Related Consent Decrees - The Secret Weapon of Regulatory Agencies
by Greg Moran, on 8/22/17 5:10 PM
For those of us that have worked in highly regulated industries, consent decrees are not a new concept. However, in the tech industry, many companies are beginning to understand the power of this regulatory weapon.
Last week the FTC slapped a consent decree on Uber for its flawed privacy practices that led to the disclosure of private information for 100,000 Uber drivers. The FTC cannot fine a company for its first violation, so many viewed the consent decree as a slap on the wrist for a serious violation. Perhaps they should have been fined, but let's parse the effect of that consent decree for a moment to see what it really means.
The consent decree forces Uber to submit to annual audits of its privacy practices for 20 years. Twenty years, as in the last audit under this decree will occur in 2037. Travis will be in his 60s when the audits stop.
Uber is a big company now, so let's think through the effect of this audit requirement.
It means that Uber must design and deploy a company-wide set of policies, practices and technology tools to protect the privacy of drivers and customers (which is good), and all of it must be documented in an auditable way (which is good, but expensive when done in a hurry).
Next, Uber must begin record-keeping practices company-wide that can be audited - this means that you don't just need to follow the new security program, you have to keep records that prove that everyone followed the program.
This is proving a negative, and in business process terms it is both challenging and expensive. It's almost hard to fathom all the areas this consent decree will reach into: identity administration, infrastructure design, data governance practices, internal and external network scanning, and securing every communication platform that carries the data (email, collaboration tools, etc.).
Once a year, the FTC will come in and perform the audit (by the way, the typical practice is for the audited company to bear the entire cost of the audit). These audits can be exhaustive - the FTC is not incentivized to make it easy on the target company.
If perchance the FTC finds a violation of the consent decree, they can then fine the company (since it is a subsequent violation by definition). These fines run into the tens of millions (ref. Google's FTC fine of $22.5M for violating a 2011 consent decree). The cold hard reality is that regulatory agencies (at the state and federal level) use fines and oversight fees as a huge source of revenue.
Taken as a whole, this is a meaningful financial risk for the company. Uber has to build the cost of all of this into its business model, i.e. the cost of a ride. This means it either suffers lower margins (less attractive to investors) or finds a way to offset the cost by paying drivers less or advertising less (less attractive to drivers and customers).
When a company is swimming in cash, it can seem like no big deal, but that does not last forever in a business that relies on the laws of physics to exist. Competition increases, margins decrease and then the pain begins…
Wouldn't it be a better idea for tech companies to take this issue seriously and design these practices into their business model from the start?
In retrospect, it seems the height of short-sightedness that a company like Uber (founded in 2009) hired its first chief security officer in 2015.