Will all businesses eventually need to be in the business of technology? Will a user be liable for his or her actions or inactions with regard to technology? As data protection laws are created and impose duties on users, it seems that a technology responsibility course could become part of education’s core curriculum: math, science, language arts, social studies and technology responsibility (tech res). Once upon a time, technology was an elective; these days, it seems like a necessity.
Using technology responsibly is about risk management and acting reasonably.
You might wonder who really needs to know about technology. The answer to this question used to be something along the lines of “leave it to the IT department”. These days, the correct answer to the question is, “everyone”. I am confident that everyone is using a computer or smartphone to access data. Think about all of the Word documents, PDFs and emails you have access to. “Data” is a broad category and includes information that is personal, confidential, related to the company and/or used for entertainment. In the past, even if this information might have been accessible to people, it was not so easily accessed and shared. Entering a filing room to pull a confidential file still required more steps than selecting “send as attachment” or “post” or “tweet” or… you get the point. Basically, everyone is using technology in some form and should know something about the technology they are using. At a bare minimum, users should know about the major risks and liabilities. Unfortunately, in practice, many people ignore warnings about risks and liabilities by scrolling down and clicking “accept”. Blind acceptance could result in the release of rights to your photos, agreeing to share your list of contacts or numerous other things. It wouldn’t hurt for everyone to be more informed before they select “accept”. Hence why “everyone” is included in the need-to-know category.
Who needs to care?
Who needs to know is slightly different than who needs to care.
As individuals, most people aren’t going to care who shares their vacation photo or who sees their grocery list. For the most part, if individuals have any information worth worrying about, a breach of information, while unfortunate, would be minuscule and likely only harm that individual. Besides, most individuals willingly divulge information regularly via social media. No one is wondering what’s on your grocery list because we all saw pictures of your meals for the past few weeks.
Then there is the camp of individuals guarding their credit card and social security numbers. Such individuals would be correct that these pieces of information are important, but on a small scale. Credit card companies are great about finding fraudulent charges. Everyone should be monitoring their bank account anyway. Maybe this is harsh, but no matter how many selfies you take, you probably aren’t as important as you would like to think. Of course, feel free to care, but know that you probably do not make the cut for the “need-to-care” group.
Those who really need to care about using technology responsibly are typically those in possession of other people’s information. Don’t get me wrong, it is a great habit for an individual to be cautious and protect his or her own information. This is sort of like locking your doors. It’s your house.
If you lock the doors, great for you. If you don’t lock the doors and someone steals your belongings, I might feel sorry for you, but my belongings are still safe.
However, if you are holding a lot of my belongings and fail to lock the doors, I will be very upset if my stuff is stolen. The same concept applies to the data. If you have the information or access to data, you have a responsibility to provide security. The people who really need to care are those involved with business. Businesses tend to have information including contact information, financial information and confidential information. I use the term “business” very broadly because all types of businesses are included. This even includes non-profits, education, consumer goods, healthcare, sales, services, etc. Do not assume you are exempt. Businesses must have security in place to protect the information of others. Think of it as if your house is holding their valuables. YOU, the business, should ensure that the doors are locked.
Businesses should care, but who is the business?
For fear of a tragedy of the commons, here is an elaboration on who within the business should be accountable for caring about data protection.
The structure is flexible and could include a variety of different models depending on what works best for your business. If there is a board of directors, the responsibility could begin with them. If there is a partnership, the partners could be accountable. The important point is that someone is made accountable for monitoring and implementing protection. What you don’t want to happen is that everyone assumes someone else is dealing with it. (A tragedy of the commons.) You don’t want to assume that your partner password-protected his computer. As a business owner, it is your duty to think through these issues and plan ahead. Either monitor things yourself or assign the duty to another person or to an entire department. Perhaps hire a technology expert to report back to you. Create a policy and follow a particular procedure. Educate each of your employees about what is expected and precisely how they can follow protocol. As a partner in a business, ask questions and raise concerns if you do not see these policies in place. Regularly check to see if the policies are being executed correctly. After all, just because a door has locks doesn’t mean people are always using them.
With breach requirements at the state level and new legislation incentivizing the disclosure of breaches to the federal government, it is only a matter of time before required duties arise demanding a proactive approach. Similar to requirements for bookkeeping to help protect against future problems, we will eventually see requirements for safeguarding data.
Reasonable care standards are already being incentivized, if not implemented. It would be wise to create good habits now. If tech responsibility is eventually added to the elementary school curriculum, it is only a matter of time before a failure to use basic protections will constitute gross negligence, from which there will be little insulation from liability.
You should care earlier rather than later.