November 11, 2008
Whether you happen to be a manager, an economist or a moralist, you agree that risks and rewards need to stay in balance to avert catastrophic events to your team, the economy or society. Human nature however has a remarkable capacity to ignore risks, insane insouciance when one bears the risk, and when the risk is one's neighbors', criminal cupidity.
Yet how could have humankind been told not to play with fire before Prometheus stole it from the gods? Nothing is more natural than ignorance about the new risks which our own restlessness unceasingly creates. Pity who, ahead of the public, recognizes these new risks as they arise.
Speaking of the current financial crisis, we have already mentioned Benoit Mandelbrot and Nassim Taleb. Steve Lohr tells us about another timely warner (*). In October 2004, Andrew W. Lo wrote about "the rising systemic risk to financial markets". "On the industry side, it was dismissed," recalls this much credentialed academic.
When it comes to what we dubbed the data bubble, I have encountered the same will to pretend the sky is not even the limit. In our Information Age, can data have no downside? More than three years ago I wrote an entire series of lectures on information risk (1). Week after week, these fillips highlight significant events as reported in the media. Who will accuse me of making it up?
Centralizing data online automatically puts it at a greater risk. Doesn't Demetri Sevastopulo disclose an FBI warning that the computers of both US presidential campaigns have been hacked into last summer (**)? Internet is used today as an "Augean Agora" where freedom trumps responsibility and virtual means abet very real prostitution. Doesn't Brad Stone report how "Craigslist [has] reached an agreement with 40 state attorneys general and agreed to tame its notoriously unruly "erotic services" listings" (***)?
Not a few, I concede, look at computer hacking and dating for hire as fundamental human rights. But even they will draw a line against blackmail, a risk we pointed at last February and then again in May. John Markoff obligingly reveals a plot which surfaced via "an extortion letter threatening to expose millions of patient records stolen from Express Scripts, a medical benefits management company" (****). I warned against targeted blackmail whereby individual perpetrators single out victims. Overrunning my imagination, the risk has already reached industrial scale (2).
What if Express Scripts refuses to pay the ransom? Will the blackmailer infer patients' conditions from physicians' prescriptions, go retail and directly threaten the most exposed patients? Will Express Scripts be sued by patients who allege public knowledge of their diabetes has made it difficult for them to get or hold a job? What if the next plotter gets a list of all diabetics per their health or search records held by Google?
"Innovation can be a dangerous game", Steve Lohr quotes Andrew Lo. Equally dangerous would be to condemn innovation in principle. Forget the friendly Indians. Without Prometheus, the Pilgrims would never have survived their first New England winter and turkeys would be forever thankful.
These fillips do not aim at stopping progress. Highlighting risks is but a call for action, if not to eliminate, at least to mitigate them. Some measures will be technical. Others must be regulatory to compensate for market failures. The issue about eprivacy? Innovation rewards flow to organizations holding consumer data while corresponding risks are mainly born by the consumer. This is why the Federal Trade Commission should not rely on behavioral advertisers' benevolence to protect consumer confidential data. Why should they, unless compelled by official rules?
Opponents will say rules cost money. True, but by an accounting legerdemain. Were society to consolidate the consumers with the organizations subject to privacy prescriptions, associated costs would be more than covered by a diminution in risk and corresponding losses. Since such a consolidation is impractical, other mechanisms must be found. I have suggested organizations pay consumers for the risk they incur. The adoption of technical privacy measures would lower the premium as well as the risk, replacing benevolence with self-interest.
Class action lawsuits are an alternative. How efficient is it, though, to let organizations gamble on the difficulty to link them to an actual loss born by a consumer? Whether in matter of pollution prevention or credit derivative instruments, many companies have been bankrupted by poor gambling.
Eliminating risks altogether is desirable but not always achievable. What is reasonable is to improve best practices with experience (3). Assuming the blackmailer's claims are verified, was Express Scripts diligent in its HIPAA compliance, a set of rules designed for the healthcare industry to insure the security of processes and the privacy of consumers (4)? Was there an unknown weakness in some information system component? in the HIPAA auditing? in the rules themselves? Perhaps the plot involved an unlikely confederation of rogue employees?
But what about the true nature of the rewards modern Prometheus has brought us? In the name of fairness, a topic fit for a future fillip.
- (*) ....... Wall Street's Extreme Sport, by Steve Lohr (The New York Times) - November 5, 2008
- (**) ..... FBI warned presidential runners of hacking by foreign entity, by Demetri Sevastopulo (The Financial Times) - November 7, 2008
- (***) ... Bowing to Attorneys General, Craigslist Plans to Curb Prostitution Ads, by Brad Stone (The New York Times) - November 7, 2008
- (****) . F.B.I. Looks Into a Threat To Reveal Patient Data, by John Markoff (The New York Times) - November 7, 2008
- (1) see lectures on Liabilities and Vulnerabilities in the Information Age
- (2) compare this plot with the case study used for my lecture on the Handling of Medical Records.
- (3) for more information on risk management, see this paper by Siegel, Sagallo and Serritella
- (4) for more information on HIPAA, see the documentation for my lecture on the Handling of Medical Records.