Regulations Won't Help Your Records Program
By January 2025, the cumulative total of GDPR fines had reached approximately €5.88 billion. The fines still didn't stop Meta from collecting biometric data in Texas and getting penalized another $1.4 billion.
Privacy regulations were supposed to keep us safe and improve records management. They were the talk of the town in ARMA circles from 2016, and are still seen as a way to get our field the value it deserves.
Yet, they don't work.
The fines themselves are minor compared to the money made by breaching the laws. Meta has been penalized a total of $2.7 billion over 2 years. Over the same period, it made over $100 billion in profit by selling off your personal data.
The same pattern can be seen with the SEC, an agency seemingly built to enforce proper recordkeeping. In 2022, 16 Wall Street banks were fined $1.1 billion for failing to capture off-channel communications, namely WhatsApp messages. (Thanks, Meta.)
Their response ... do nothing. As if to say, "We made more money insider trading and playing with your future than the measly fine of $1.1 billion."
Fines are seen as part of business as usual, not as regulations to be followed. The total cost of the fines is too small and can simply be passed down to customers, in the form of more ads on Facebook, Instagram and WhatsApp.
Cybersecurity is no different. Most breaches only put a dent in a company unless there is serious reputational damage. This is why security professionals call it "security posture." It is not there to protect you but to shape the public view. This focus on public relations instead of actual security has caused deaths before. According to a Minnesota School of Public Health study, breaches at health providers killed between 42 and 67 patients from 2016 to 2021.
As long as you have good posture and don't lose customers, the fines won't hurt you.
As customers and consumers, there is not much we can do either. Over 62% of all assets are managed by the top 10 banks in the US. 95% of US health insurance is highly concentrated, meaning it is owned by monopolies that can spike your insurance premium with no repercussions. All social media is owned by 4 companies. Even if we were to change our banks, go on a social media diet and start flying to Mexico for healthcare, it is just a drop in the bucket. Unless there is public outcry, these shady business practices will continue.
The regulations are not written to be effective either. Privacy regulations across the globe put the responsibility on the customer. It is your job to report your data being mishandled, which is extremely time consuming at best and usually impossible. As the public, we don't learn about breaches until much, much later.
At a recent ARMA meeting, I asked the Data Practices Office in Minnesota, responsible for passing the Minnesota Consumer Data Privacy Act, about this. A huge step in the right direction, the act still forces consumers to be responsible for company crimes. Why was that? Here is the official answer.
"When passing laws, we have to consider employers and organizations within the state. Any law we pass must not harm the well-being of companies and our economy, and has to be approved by the Minnesota Department of Commerce."
You heard it right. Money talks, ... walks. The people in government representing our best interests are not able to do so. And this is not unique to Minnesota, a beautiful state with great public workers, but true across every state and country. All privacy laws hold consumers responsible for detecting and reporting the crimes of companies. Minnesota is just an example. They at least took the time to talk with me.
So, how do we change business as usual?
There is the obvious. Improve regulations and actually make the fines hurt. But my friend Ramesh K V has a better idea. Hall of shame.
Each business that has been fined has to put a pop-up on its website that stays for at least 30 seconds. If you got fined by the SEC, you put: "We used your money to commit fraud and made billions by risking your economic future. Do you still want to bank with us? Yes or No." If you click "No", your bank account can be immediately transferred to a bank of your choosing that hasn't been fined, completely free of charge.
If you got fined under GDPR or a Privacy Act, you put: "We sold your data illegally and put your safety at risk to make billions of dollars. Do you still want to keep your account with us? Yes or No."
If it is customer behavior that these companies are afraid of, why don't we help customers make better decisions? Creating a new regulation and increasing the fines might have unintended side effects, yet a hall of shame? It just lets the customers choose. It is the definition of "free market friendly."
What do you think? Would a hall of shame work? Would it teach companies that proper records management is critical for businesses? Or will we keep it as business as usual?